# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
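{ config, lib, options, pkgs, ... }:

# Base module shared by every machine: declares the cross-cutting
# `sbruder.*` options, imports all feature modules (which activate
# themselves via options), and sets system-wide defaults.
{
  # Options that affect multiple modules
  options.sbruder = {
    full = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Whether to build the full system. If disabled, the system closure will
        be smaller, but some features will not be available.
      '';
      default = true;
    };
    # NOTE(review): this defaults to *trusted*. A machine that must not be
    # treated as trusted (presumably other modules gate secrets on this flag;
    # verify) has to set it to false explicitly rather than relying on the
    # default.
    trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
    gui.enable = lib.mkEnableOption "gui";
    machine = {
      isVm = lib.mkOption {
        type = lib.types.bool;
        description = "Whether this machine is a virtual machine.";
        default = false;
      };
    };
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./ausweisapp.nix
    ./authoritative-dns.nix
    ./cups.nix
    ./docker.nix
    ./fancontrol.nix
    ./flatpak.nix
    ./fonts.nix
    ./games.nix
    ./grub.nix
    ./gui.nix
    ./infovhost.nix
    ./initrd-ssh.nix
    ./locales.nix
    ./logitech.nix
    ./mailserver
    ./media-mount.nix
    ./media-proxy.nix
    ./mullvad
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
    ./nitrokey.nix
    ./nix.nix
    ./office.nix
    ./pipewire.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./qbittorrent
    ./restic
    ./secrets.nix
    ./ssh.nix
    ./static-webserver.nix
    ./syncthing.nix
    ./tmux.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard
    ./wkd
  ];

  config = lib.mkMerge [
    {
      # Essential system tools
      environment.systemPackages = with pkgs; [
        git
        git-crypt # used to store secrets in configuration
        git-lfs # not so essential, but required to clone config
        htop
        tmux
        vim
      ];

      # Clean temporary files on boot
      boot.tmp.cleanOnBoot = true;

      # Set zsh as default shell with reasonable default config for all users
      programs.zsh = {
        enable = true;
        loginShellInit = ''
          # do not glob # (conflicts with nix flakes)
          disable -p '#'
        '';
        histSize = 100000;
      };
      users.defaultUserShell = pkgs.zsh;
      environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";

      # command-not-found does not work without channels
      programs.command-not-found.enable = false;

      # Network monitoring
      services.vnstat.enable = true;
      environment.etc."vnstat.conf".text = ''
        UseUTC=1
      '';

      # Support for exotic file systems
      boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";

      # Only start the ssh agent where no GUI (and thus no gpg/keyring agent)
      # is expected; per-machine configuration may override this.
      programs.ssh.startAgent = lib.mkDefault (!config.sbruder.gui.enable);

      # When this is set to true (default), routing everything through a
      # wireguard tunnel does not work.
      # This turns off the kernel's reverse-path (anti-spoofing) filter on
      # every host. It is a mkDefault so a machine that does not use the
      # tunnel can re-enable it without mkForce.
      # NOTE(review): "loose" (rp_filter=2) is usually enough for
      # policy-routed tunnels and keeps part of the protection — worth
      # verifying against the mullvad/wireguard setups before switching.
      networking.firewall.checkReversePath = lib.mkDefault false;

      # Open ports for quick tests
      # NOTE(review): this range is open on *all* hosts and interfaces,
      # including machines with public addresses; anything bound there is
      # reachable without further configuration.
      networking.firewall = {
        allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; };
        allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
      };

      # Use nftables by default,
      # but allow it to be easily disabled on a per-machine basis.
      networking.nftables.enable = lib.mkDefault true;

      # Globally set Let's Encrypt requirements
      security.acme = {
        acceptTerms = true;
        defaults = {
          email = "security@sbruder.de";
        };
      };

      # Print the closure diff between the running system and the one being
      # activated. The -L test skips the first activation of a fresh system,
      # where /run/current-system does not exist yet.
      system.activationScripts.diff = ''
        [ -L /run/current-system ] && ${config.nix.package}/bin/nix \
          --experimental-features 'nix-command' \
          store \
          diff-closures /run/current-system "$systemConfig"
      '';

      # Allow users to set allow_other for fuse mounts
      # (allow_other exposes a user's FUSE mount to every other user on the
      # host; the mount's own permission bits are then what protects it).
      programs.fuse.userAllowOther = true;

      # Keep the upstream default locale list and add German on full systems.
      i18n.supportedLocales = (options.i18n.supportedLocales.default) ++ (lib.optionals config.sbruder.full [
        "de_DE.UTF-8/UTF-8"
      ]);

      services.resolved = {
        # Set systemd-resolved's fallback to Quad9 (instead of cloudflare/google)
        fallbackDns = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];
        # LLMNR is disabled; single-label hostnames (e.g., hostnames on the
        # local network) are resolved via unicast DNS instead, see
        # ResolveUnicastSingleLabel below.
        llmnr = "false";
        # resolved does not automatically append the search domain (for whatever reason)
        extraConfig = ''
          ResolveUnicastSingleLabel=yes
          Cache=no-negative
        '';
      };
    }

    (lib.mkIf (!config.sbruder.machine.isVm) {
      # Hard drive monitoring
      services.smartd.enable = lib.mkDefault true;
      # Firmware updates
      services.fwupd.enable = lib.mkDefault true;
    })

    (lib.mkIf (!config.sbruder.full) {
      documentation.enable = lib.mkDefault false;
    })

    (lib.mkIf (config.services.resolved.enable) {
      # With NixOS's default database order for hosts,
      # resolving the FQDN with hostname -f always returns “localhost”
      # when resolved is enabled.
      # This changes the priority of the files database,
      # which fixes this.
      # This workaround was taken from
      # https://github.com/NixOS/nixpkgs/issues/132646#issuecomment-1782684381
      system.nssDatabases.hosts = lib.mkOrder 500 [ "files" ];
    })
  ];
}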