# NixOS module shared by the hosts of this configuration: it declares the
# `sbruder.*` options that several modules read, imports every module, and sets
# the baseline configuration that every host gets. Which of the imported
# modules actually do anything is decided by those options (see the comment on
# `imports` below), so a host mostly just sets the options.
{ config, lib, pkgs, ... }:

{
  # Options that affect multiple modules
  options.sbruder = {
    # Full vs. reduced build; the `config` section below and (presumably) other
    # modules branch on it.
    full = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Whether to build the full system. If disabled, the system closure will
        be smaller, but some features will not be available.
      '';
      default = true;
    };
    # Whether this machine may hold material that must not end up on untrusted
    # hardware (the description names an encrypted root as the criterion).
    # NOTE(review): the default is true, so a new host counts as trusted unless
    # its configuration explicitly says otherwise. That is a fail-open default
    # for whatever the other modules gate on it (presumably ./secrets.nix —
    # verify). `default = false`, with trusted hosts opting in, would turn a
    # forgotten option into a missing feature instead of a secret on an
    # unencrypted disk.
    trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
    # Desktop/graphical host; defaults to false (mkEnableOption).
    gui.enable = lib.mkEnableOption "gui";
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./cups.nix
    ./docker.nix
    ./fonts.nix
    ./games.nix
    ./grub.nix
    ./gui.nix
    ./initrd-ssh.nix
    ./locales.nix
    ./logitech.nix
    ./mailserver.nix
    ./media-mount.nix
    ./media-proxy.nix
    ./mullvad
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
    ./nix.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./pipewire.nix
    ./qbittorrent
    ./restic
    ./secrets.nix
    ./ssh.nix
    ./syncthing.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard
  ];

  # Unconditional baseline first, then two conditional blocks keyed on
  # `sbruder.full`.
  config = lib.mkMerge [
    {
      # Essential system tools
      environment.systemPackages = with pkgs; [
        git
        git-crypt # used to store secrets in configuration
        git-lfs # not so essential, but required to clone config
        htop
        tmux
        vim
      ];

      # Clean temporary files on boot
      boot.cleanTmpDir = true;

      # Set zsh as default shell with reasonable default config for all users
      programs.zsh = {
        enable = true;
        # Runs for login shells only; `#` is disabled as a glob qualifier so
        # flake references such as `nixpkgs#hello` are passed through verbatim.
        loginShellInit = ''
          # do not glob # (conflicts with nix flakes)
          disable -p '#'
        '';
        histSize = 100000;
      };
      users.defaultUserShell = pkgs.zsh;
      # Interactive defaults come from grml's zshrc, installed as
      # /etc/zshrc.local (presumably sourced by NixOS's /etc/zshrc — confirm).
      environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";

      # command-not-found does not work without channels
      programs.command-not-found.enable = false;

      # Hard drive monitoring
      # (mkDefault so a host can turn it off, e.g. one without physical disks)
      services.smartd.enable = lib.mkDefault true;
      # Network monitoring
      services.vnstat.enable = true;

      # Support for exotic file systems
      # (only on full systems; the list merges with what other modules add)
      boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";

      # Authentication/Encryption agents
      # (gpg-agent for all users and an ssh-agent started on login)
      programs.gnupg.agent.enable = true;
      programs.ssh.startAgent = true;

      # When this is set to true (default), routing everything through a
      # wireguard tunnel does not work.
      # NOTE(review): false switches off the reverse-path (source-spoofing)
      # filter on every host, tunnel or not. The option also accepts "loose",
      # which only drops packets whose source is unreachable via any interface
      # and is usually enough for a policy-routed tunnel — worth trying on the
      # tunnel hosts before disabling the check fleet-wide.
      networking.firewall.checkReversePath = false;

      # Open ports for quick tests
      # NOTE(review): this range is open on every host importing this module,
      # on all interfaces, whether or not a test is running; nothing limits it
      # to workstations or a trusted network. Anything left listening on
      # 9990-9999 (a forgotten test server) is reachable from outside. Consider
      # gating it on a per-host option or on sbruder.gui.enable so servers do
      # not carry it.
      networking.firewall = {
        allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; };
        allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
      };

      # Globally set Let’s Encrypt requirements
      # (terms acceptance and the account contact address for the CA)
      security.acme = {
        acceptTerms = true;
        defaults = {
          email = "security@sbruder.de";
        };
      };

      # Show what changes between the running system and the one being
      # activated. The `-L` test skips it when there is no current system yet
      # (first activation); `nix store` is a new-style command, hence the
      # explicit experimental-features flag. $systemConfig is assumed to be
      # provided by the NixOS activation script — confirm.
      system.activationScripts.diff = ''
        [ -L /run/current-system ] && ${pkgs.nixFlakes}/bin/nix \
          --experimental-features 'nix-command' \
          store \
          diff-closures /run/current-system "$systemConfig"
      '';

      # Allow users to set allow_other for fuse mounts
      # NOTE(review): lets any local user expose a FUSE mount to other users
      # (and root) via allow_other. Harmless on single-user machines; on a
      # shared host it lets one user present arbitrary file content to
      # another. Presumably needed by ./media-mount.nix — confirm, and consider
      # enabling it only there.
      programs.fuse.userAllowOther = true;
    }
    # Firmware updates only on full systems
    (lib.mkIf config.sbruder.full {
      services.fwupd.enable = true;
    })
    (lib.mkIf (!config.sbruder.full) {
      # Adapted from nixpkgs/nixos/modules/profiles/minimal.nix
      # Only generate the locales that are actually referenced (the default
      # locale plus those from extraLocaleSettings), each as its UTF-8 variant,
      # instead of the default set (presumably all of them).
      i18n.supportedLocales = map
        (locale: locale + "/UTF-8")
        ((lib.singleton config.i18n.defaultLocale)
          ++ (lib.attrValues config.i18n.extraLocaleSettings));

      # No manpages/info/docs on reduced systems; mkDefault so a host can
      # still turn them on.
      documentation.enable = lib.mkDefault false;
    })
  ];
}