commit a05102e91c272392ed6085e744aee5edff0f04bc
Author: Simon Bruder
Date: Sat Aug 22 17:44:39 2020 +0200
Initial commit
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..6887138
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,4 @@
+*.png filter=lfs diff=lfs merge=lfs -text
+*.jpg filter=lfs diff=lfs merge=lfs -text
+
+**/secrets/** filter=git-crypt diff=git-crypt
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bc27100
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/result
+/*.qcow2
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..600fd1f
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,19 @@
+Copyright 2020 Simon Bruder
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..61dc948
--- /dev/null
+++ b/README.md
@@ -0,0 +1,96 @@ +# NixOS configuration + +## How to install + +This guide describes how to install this configuration (or any NixOS +configuration) with GPT and legacy (BIOS) boot. + +Create the partition table (enter the indented lines in the repl). + + sudo parted /dev/sdX + mktable GPT + mkpart primary 1MiB 2MiB + mkpart primary 2MiB 500MiB + mkpart primary 500MiB 100% + set 1 bios_grub on + disk_toggle pmbr_boot + quit + +Format encrypted partition and open it + + sudo cryptsetup luksFormat /dev/sdX3 + sudo cryptsetup luksOpen /dev/sdX3 HOSTNAME-pv + +Create LVM (replace `8G` with desired swap size) + + sudo pvcreate /dev/mapper/HOSTNAME-pv + sudo vgcreate HOSTNAME-vg /dev/mapper/HOSTNAME-pv + sudo lvcreate -L 8G -n swap HOSTNAME-vg + sudo lvcreate -l '100%FREE' -n root HOSTNAME-vg + +**Hint**: If you have to reboot to the installation system later because +something went wrong and you need access to the LVM (but don’t know LVM), do +the following after opening the luks partition: `sudo vgchange -ay` + +Create filesystems + + sudo mkfs.ext2 /dev/sdX2 + sudo mkfs.ext4 -L root /dev/HOSTNAME-vg/root + sudo mkswap -L swap /dev/HOSTNAME-vg/swap + +Mount the file systems and activate swap + + sudo mount /dev/HOSTNAME-vg/root /mnt + sudo mkdir /mnt/boot + sudo mount /dev/sdX2 /mnt/boot + sudo swapon /dev/HOSTNAME-vg/swap + +Create the configuration (see [below](#how-to-add-new-device)) and copy this +repository to your new home directory (e.g. `/mnt/home/simon/nixos`). 
+ +Add a symlink as the global configuration + + sudo mkdir -p /mnt/etc/nixos/ + sudo ln -s /mnt/home/simon/nixos/machines/nunotaba/configuration.nix /mnt/etc/nixos/configuration.nix + +Generate hardware configuration and link it to the installation system +(required because of absolute paths) + + sudo nixos-generate-config --root /mnt/ + sudo ln -s /mnt/etc/nixos/hardware-configuration.nix /etc/nixos/hardware-configuration.nix + +Install NixOS and reboot (if you do not have another machine, omit +`--no-root-passwd`) + + sudo nixos-install --no-root-passwd + sudo reboot + +**Hint**: If you need to reboot to the installation system because something +didn’t work, first open the luks partition like in the setup script, run `sudo +vgchange -ay` to scan for LVM VGs and then mount the other filesystems like in +the script. + +SSH into the machine (or login locally if you set a root password), fix the +`configuration.nix` symlink, set a user password and clone the dotfiles + + ssh root@machine + rm /etc/nixos/configuration.nix + ln -s /home/simon/nixos/machines/nunotaba/configuration.nix /etc/nixos/configuration.nix + passwd simon + ^D + ssh simon@machine + # press “q” to get rid of zsh-newuser-install + git clone https://github.com/andsens/homeshick.git $HOME/.homesick/repos/homeshick + source $HOME/.homesick/repos/homeshick/homeshick.sh + homeshick clone https://git.sbruder.de/simon/dotfiles + +## How to add new device + + * Copy the config from the device that is similar to the new one + * Import profiles/modules you want + * Change settings in `configuration.nix` + * Change secrets + +## License + +[MIT License](LICENSE) diff --git a/machines/nunotaba/README.md b/machines/nunotaba/README.md new file mode 100644 index 0000000..0d56e75 --- /dev/null +++ b/machines/nunotaba/README.md 
@@ -0,0 +1,21 @@ +# nunotaba + +## Hardware + +ThinkPad T440 with mods to make it acceptable: + + * Touchpad is changed for the T450’s, which has physical mouse buttons (I + fucked up during the installation and the touchpad part does not work, so it + does not need to be disabled in software). + * Screen has a resolution of 1920×1080 and has an IPS panel + +It is used standalone or in on a docking station that connects it to an +external mouse, keyboard and monitor (Dell U2410). + +## Purpose + +It is my daily driver so it does everything (except server stuff obviously). + +## Name + +Shinobu Nunotaba is a student/scientist from *A Certain Scientific Railgun* diff --git a/machines/nunotaba/configuration.nix b/machines/nunotaba/configuration.nix new file mode 100644 index 0000000..cdf6a3a --- /dev/null +++ b/machines/nunotaba/configuration.nix @@ -0,0 +1,28 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + /etc/nixos/hardware-configuration.nix + ../../modules/restic.nix + ../../profiles/base.nix + ../../profiles/dev.nix + ../../profiles/gui.nix + ../../users/simon/base.nix + ]; + + boot.loader.grub.device = "/dev/disk/by-id/ata-ST500LM021-1KJ152_W623YDGB"; + + boot.initrd.luks.devices = { + root = { + name = "root"; + device = "/dev/disk/by-uuid/4ecfca75-4dbb-4ba3-b1cd-7adf744c9446"; + preLVM = true; + allowDiscards = true; + }; + }; + + networking.hostName = "nunotaba"; + + networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ]; +} diff --git a/modules/base.nix b/modules/base.nix new file mode 100644 index 0000000..f06e692 --- /dev/null +++ b/modules/base.nix 
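Review bot: `allowDiscards = true` on the LUKS `root` device passes TRIM through dm-crypt, which trades SSD wear and performance against leaking which blocks of the encrypted volume are unused (free-space and filesystem-layout information); that is a deliberate choice and deserves a comment so it is not copied blindly to the next machine, e.g. `allowDiscards = true; # TRIM through dm-crypt: reveals free-space layout, accepted for SSD health`. The disk id on the grub line looks like a spinning Seagate drive, in which case discards give no benefit at all and the option could simply be dropped — worth confirming. The `wg-home` ips line also silently commits this host to modules/wireguard/home.nix, which expects `secrets/wg-home_private_key` under the machine directory; a comment naming that requirement next to the assignment would help.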
@@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +{ + # Essential system tools + environment.systemPackages = with pkgs; [ + git + git-crypt # used to store secrets in configuration + git-lfs # not so essential, but required to clone config + htop + (unstable.neovim.override { vimAlias = true; }) # FIXME unstable is for python-msgpack 1.0; use stable once python-msgpack 1.0 is in stable + tmux + ]; + + # Clean temporary files on boot + boot.cleanTmpDir = true; + + # Disable firewall + networking.firewall.enable = lib.mkDefault false; + + # Set zsh as default shell + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + + # Sane swapping + boot.kernel.sysctl."vm.swapiness" = 10; + + # Store logs persistently + services.journald.extraConfig = "Storage = persistent"; + + # Hard drive monitoring + services.smartd.enable = true; + # Network monitoring + services.vnstat.enable = true; + + # Authentication/Encryption agents + programs.gnupg.agent.enable = true; + programs.ssh.startAgent = true; + + # NixOS version + system.stateVersion = "20.03"; + + nixpkgs.config = { + # Explicitly allow unfree packages (rule of thumb: assets ok, code not ok) + allowUnfreePredicate = ( + pkg: builtins.elem (lib.getName pkg) [ + "corefonts" + "vista-fonts" + ] + ); + # Add unstable channel + packageOverrides = pkgs: { + unstable = import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz") { + config = config.nixpkgs.config; + }; + nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") { + inherit pkgs; + }; + }; + }; +} diff --git a/modules/cli-tools.nix b/modules/cli-tools.nix new file mode 100644 index 0000000..6f83e96 --- /dev/null +++ b/modules/cli-tools.nix 
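Review bot: The sysctl key is misspelled — the kernel knob is `vm.swappiness`, so `boot.kernel.sysctl."vm.swapiness" = 10;` is rejected at boot as an unknown key and the kernel default stays in effect; change it to `boot.kernel.sysctl."vm.swappiness" = 10;`. The `packageOverrides` block imports `nixos-unstable.tar.gz` and NUR `master.tar.gz` through `builtins.fetchTarball` without a `sha256`, so every evaluation pulls whatever those URLs currently serve with no integrity check — that code ends up in the system closure and rebuilds are not reproducible; pin both with a `sha256` (or a fixed-commit URL), and the same applies to the home-manager fetch in users/simon/base.nix that already carries a FIXME. `networking.firewall.enable = lib.mkDefault false` switches the firewall off for every host importing profiles/base.nix; since docker and node_exporter add listeners, consider leaving it enabled and opening only what is needed, e.g. `networking.firewall.interfaces.wg-home.allowedTCPPorts = [ 9100 ];`.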
@@ -0,0 +1,104 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + # top like tools + bmon # network monitor + gotop # fancy top + iotop # top for io + mtr # interactive traceroute + + # batch processing/automation + jq # sed for json + parallel # parallel batch processing + yq # sed for yaml + + # unix tools on steroids + curlie # better httpie (easier curl) + exa # better ls + fd # better find + ripgrep # better grep + + # file tools + dos2unix # convert CRLF (dos) or CR (classic mac) line endings to LF (unix) + fdupes # find duplicate files + file # file type + hexyl # user friendly hex file viewer + hyperfine # cli benchmarking + megatools # cli for mega.nz + minio-client # client for s3 compatible storage systems + mktorrent # bittorrent seed file generator + rclone # rsync for cloud storage + rename # sed for filenames + restic # backup tool + rsync # incremental file transfer + tokei # fast cloc + xdelta # binary diff + + # file format tools + p7zip # 7z cli + pdftk # pdf multitool + sqlite # cli for sqlite databses + upx # executable packer + + # network tools + dnsutils # dig + gatling # high performance web serve + iperf + iperf2 # bandwidth measurement tool + sshfs # mount remote host + vnstat # client for vnstatd + whois # whois client + + # system tools + libva-utils # vainfo + ncdu # interactive du + reptyr # move process to current terminal + smartmontools # hard drive monitoring + + # clients + drone-cli # client for drone ci + hcloud # cli for Hetzner Cloud + libnotify # notify-send + + # function eye candy + fzf # fuzzy finder + pv # monitor progress in pipe + starship # zsh prompt + + # end user programs + apacheHttpd # for htpasswd + libqalculate # flexible calculator for humans + scrcpy # stream/control android phones over adb + taskwarrior # todo list manager + + # passwords + pass-wayland #passExtensions.pass-otp # password manager (FIXME: otp collides with main) + pwgen + pwgen-secure # password generator + 
unstable.xkcdpass # memorable password generator + + # misc + toilet # free figlet + python38Packages.ipython # better python repl (useful for one-liners) + + # vim + neovim-remote # controlling another neovim process + universal-ctags # ctags + + # direnv + direnv # per-directory environment + nix-direnv # per-directory environment for nix + + # git + gitAndTools.git-annex + gitAndTools.git-annex-remote-rclone # git for non source files + gitAndTools.pre-commit # pre-commit hook for git + ]; + + programs.adb.enable = true; + + environment.pathsToLink = [ + "/share/nix-direnv" + ]; +} diff --git a/modules/communication.nix b/modules/communication.nix new file mode 100644 index 0000000..7f8855c --- /dev/null +++ b/modules/communication.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + (mumble.override { pulseSupport = true; }) # VoIP group chat + claws-mail # email client that looks ugly but just works + ]; +} diff --git a/modules/creative.nix b/modules/creative.nix new file mode 100644 index 0000000..ab53334 --- /dev/null +++ b/modules/creative.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + blender # 3d animation + darktable # photo development + gimp + gimpPlugins.gmic # bitmap editor + krita # drawing + openscad # parametric/procedural 3d modelling + unstable.inkscape # vector graphics editor + ]; +} diff --git a/modules/cups.nix b/modules/cups.nix new file mode 100644 index 0000000..4610bde --- /dev/null +++ b/modules/cups.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + services.printing.enable = true; +} diff --git a/modules/dev/default.nix b/modules/dev/default.nix new file mode 100644 index 0000000..323be3e --- /dev/null +++ b/modules/dev/default.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: + +{ + imports = [ + ./rust.nix + ]; +} diff --git a/modules/dev/rust.nix b/modules/dev/rust.nix new file mode 100644 index 0000000..4f19a54 --- /dev/null +++ b/modules/dev/rust.nix 
@@ -0,0 +1,7 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + rustup + ]; +} diff --git a/modules/docker.nix b/modules/docker.nix new file mode 100644 index 0000000..35a2fc9 --- /dev/null +++ b/modules/docker.nix @@ -0,0 +1,33 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + docker-compose + docker-ls + ]; + + virtualisation.docker = { + enable = true; + logDriver = "journald"; + extraOptions = builtins.concatStringsSep " " [ + "--ipv6" + "--fixed-cidr-v6=fd00:d0ce:d0ce:d0ce::/64" + ]; + }; + + docker-containers.ipv6nat = { + image = "robbertkl/ipv6nat"; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock:ro" + ]; + extraDockerOptions = [ + "--network=host" + "--cap-drop=ALL" + "--cap-add=NET_ADMIN" + "--cap-add=NET_RAW" + "--cap-add=SYS_MODULE" + ]; + }; + + environment.etc."modules-load.d/ipv6nat.conf".text = "ip6_tables\n"; +} diff --git a/modules/fonts.nix b/modules/fonts.nix new file mode 100644 index 0000000..1a65bca --- /dev/null +++ b/modules/fonts.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: + +{ + fonts = { + fonts = with pkgs; [ + corefonts # good ol’ microsoft fonts + google-fonts # google font collection (free) + (unstable.nerdfonts.override { fonts = [ "Iosevka" ]; }) + #roboto # standalone roboto has awful kerning + unstable.source-han-sans + unstable.source-han-serif # CJK fonts + vistafonts # newer microsoft fonts + ]; + + enableDefaultFonts = true; + enableFontDir = true; + + fontconfig.defaultFonts = { + monospace = [ "Iosevka Nerd Font" "Source Han Sans" ]; + sansSerif = [ "Roboto" "Source Han Sans" ]; + serif = [ "Georgia" "Source Han Serif" ]; + }; + }; +} diff --git a/modules/grub.nix b/modules/grub.nix new file mode 100644 index 0000000..7abff8c --- /dev/null +++ b/modules/grub.nix 
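Review bot: The ipv6nat container is granted `--cap-add=SYS_MODULE`, which allows loading arbitrary kernel modules and is therefore root-equivalent on the host, yet the same hunk already loads `ip6_tables` at boot through `modules-load.d/ipv6nat.conf` — as far as I recall loading that module is the only reason the image asks for the capability, so the `"--cap-add=SYS_MODULE"` line can be dropped while keeping NET_ADMIN and NET_RAW. The `:ro` on the docker.sock bind mount only makes the mount read-only; any API request can still be sent over the socket, so the container stays a fully trusted component, which is worth stating with `# docker.sock access is root-equivalent; :ro only affects the mount, not the API`. A short comment on `--fixed-cidr-v6` saying it is the ULA range handed to containers (and NATed by ipv6nat) would make the pairing of the two settings obvious.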
@@ -0,0 +1,10 @@ +{ lib, ... }: + +{ + boot.loader.grub.enable = lib.mkDefault true; + boot.loader.grub.version = 2; + boot.loader.grub.gfxmodeBios = "1920x1080,1024x768,auto"; + boot.loader.grub.gfxpayloadBios = "keep"; + boot.loader.grub.memtest86.enable = true; + boot.loader.timeout = 2; +} diff --git a/modules/gui-tools.nix b/modules/gui-tools.nix new file mode 100644 index 0000000..a7c6f5f --- /dev/null +++ b/modules/gui-tools.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + anki # flashcard SRS + unstable.antimicroX # gamepad to keyboard/mouse mapping + filezilla # ftp client + gparted # gui for parted + xfce.thunar # graphical file manager + qalculate-gtk # flexible calculator + wxhexeditor # hex editor + ]; +} diff --git a/modules/locales.nix b/modules/locales.nix new file mode 100644 index 0000000..408a405 --- /dev/null +++ b/modules/locales.nix @@ -0,0 +1,13 @@ +{ ... }: + +{ + i18n.defaultLocale = "en_GB.UTF-8"; + console.keyMap = "de"; + + time.timeZone = "Europe/Berlin"; + + location = { + latitude = 49.52; + longitude = 10.17; + }; +} diff --git a/modules/media.nix b/modules/media.nix new file mode 100644 index 0000000..b66923e --- /dev/null +++ b/modules/media.nix 
@@ -0,0 +1,42 @@ +{ pkgs, gui ? false, ... }: + +{ + environment.systemPackages = with pkgs; [ + # Audio + abcde # cd ripper + shntool # split audio with cue + sidplayfp # SID chiptune player + sox # “Swiss Army knife of audio manipulation” + + # Audio + Video + mediainfo # show information about media files + youtube-dl # universal video downloader + + # Images + exiftool # manipulate EXIF meta data + jpegoptim # lossless jpeg optimiser + libwebp # tools for webp image format + optipng # lossless png optimiser + pngcrush + pngquant # lossy png optimisers + + # Literature + mupdf # document (pdf) viewer and tools + ] ++ ( + if gui then [ + # Audio + picard # musicbrainz tagger + + # Audio + Video + mkvtoolnix # matroska (de-)muxing + mpv # media player + + # Literature + calibre # ebook library + zathura # plugin based document viewer + ] else [ + # Packages only installed when gui is disabled + mkvtoolnix-cli # matroska (de-)muxing + ] + ); +} diff --git a/modules/mpd.nix b/modules/mpd.nix new file mode 100644 index 0000000..f5a791f --- /dev/null +++ b/modules/mpd.nix 
@@ -0,0 +1,54 @@ +{ pkgs, ... }: + +let + mpdConf = pkgs.writeText "mpd.conf" '' + music_directory "~/Music" + playlist_directory "~/.mpd/playlists" + db_file "~/.mpd/tag_cache" + state_file "~/.mpd/state" + sticker_file "~/.mpd/sticker.sql" + + bind_to_address "127.0.0.1" + zeroconf_enabled "no" + + restore_paused "yes" + replaygain "track" + auto_update "yes" + + audio_output { + type "pulse" + name "pulse" + } + + audio_output { + type "fifo" + name "fifo" + path "~/.mpd/fifo" + format "44100:16:2" + } + ''; +in +{ + imports = [ + ./pulseaudio.nix + ]; + + systemd.user.services.mpd = { + after = [ "network.target" "sound.target" ]; + description = "Music Player Daemon"; + + wantedBy = [ "default.target" ]; + partOf = [ "default.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}"; + Type = "notify"; + ExecStartPre = ''${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/mkdir -p ~/Music ~/.mpd/playlists"''; + }; + }; + + environment.systemPackages = with pkgs; [ + mpc_cli + (pkgs.ncmpcpp.override { visualizerSupport = true; taglibSupport = false; }) + ]; +} diff --git a/modules/network-manager.nix b/modules/network-manager.nix new file mode 100644 index 0000000..fd91b03 --- /dev/null +++ b/modules/network-manager.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + networking.networkmanager = { + enable = true; + }; +} diff --git a/modules/office.nix b/modules/office.nix new file mode 100644 index 0000000..b57dd47 --- /dev/null +++ b/modules/office.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + aspellDicts.de + hunspellDicts.de-de # dictionary + gscan2pdf # scanning tool + jameica # application framework (used for hibiscus online banking) + khal # calendar + khard # address book + libreoffice # office suite + pdfsam-basic # pdf multitool + vdirsyncerStable # dav sync client + xournalpp # notebook + xsane # scanning tool + ]; + + hardware.sane.enable = true; +} 
diff --git a/modules/prometheus/node_exporter.nix b/modules/prometheus/node_exporter.nix new file mode 100644 index 0000000..f87168b --- /dev/null +++ b/modules/prometheus/node_exporter.nix @@ -0,0 +1,17 @@ +{ config, ... }: + +let + vpnNetRanges = config.networking.wireguard.interfaces.wg-home.ips; + vpnNetRange = builtins.elemAt vpnNetRanges 0; + vpnAddress = builtins.elemAt (builtins.split "/" vpnNetRange) 0; +in +{ + imports = [ + ../wireguard/home.nix + ]; + + services.prometheus.exporters.node = { + enable = true; + listenAddress = vpnAddress; + }; +} diff --git a/modules/pubkeys.nix b/modules/pubkeys.nix new file mode 100644 index 0000000..70d58d8 --- /dev/null +++ b/modules/pubkeys.nix @@ -0,0 +1,3 @@ +{ + "simon@kipf" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs0igb6TTxPkKEQ96pk/NEqqWvQH/miJEBAEe1bzHlo5n5ThnGYvVPadfHIwq1ix0IdAfyWoG8duaKVDJAUAFBtegRO7vRBYBYR04V8DE8n66MgDbbLDuu7Kbm4JWMUNg43KwJDzZtSvEKjyh5/u/TT59D1F+toxMfet++jNG03mFa6ANhMTjghbkFHj3eyuiXA/SxZLorhkCFW6Tri3u5FFLGpjaom1dZ5PAcic0+ZOECpgEwTj8FpOzmldjsu8gFxdPYGrqfA1dOxL3OQ6/rB0LfHjwrN9i3DrZzG+RfJxZbgO4/RLQz2sHYM6S6d1MtCcXThozCXSbmpdNdwdPp"; +} diff --git a/modules/pulseaudio.nix b/modules/pulseaudio.nix new file mode 100644 index 0000000..c42abb3 --- /dev/null +++ b/modules/pulseaudio.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: + +{ + sound.enable = true; + hardware.pulseaudio.enable = true; + hardware.pulseaudio.package = pkgs.pulseaudioFull; + hardware.pulseaudio.daemon.config = { + "default-sample-format" = "s16le"; + "default-sample-rate" = "48000"; + "alternate-sample-rate" = "44100"; + "resample-method" = "soxr-hq"; + "flat-volumes" = "no"; + }; + + environment.systemPackages = with pkgs; [ + pavucontrol + ]; +} diff --git a/modules/restic.nix b/modules/restic.nix new file mode 100644 index 0000000..7e0cbee --- /dev/null +++ b/modules/restic.nix 
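Review bot: `vpnNetRange` is taken with `builtins.elemAt vpnNetRanges 0`, so a host that imports this module without setting `networking.wireguard.interfaces.wg-home.ips` fails evaluation with an unhelpful list-index error; `vpnNetRange = assert vpnNetRanges != []; builtins.elemAt vpnNetRanges 0;` fails with a readable message instead. Binding the exporter to the VPN address is the right exposure decision — with the firewall disabled in modules/base.nix it is the only thing keeping port 9100 off the other interfaces — and a comment saying exactly that would stop someone "simplifying" it to `0.0.0.0`. Be aware the unit (presumably `prometheus-node-exporter.service`) may start before `wg-home` has its address and then fail to bind; ordering it after the wireguard unit, or relying on the service restart, should be decided explicitly.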
@@ -0,0 +1,66 @@ +{ pkgs, config, lib, ... }: + +let + excludes = [ + # General + "/home/*/Downloads/" + "/home/*/.cache/" + "/home/*/**/cache/" + "/home/*/.claws-mail/imapcache" + "/home/*/.local/share/Trash" + "/home/*/.local/share/nvim/" + + # Rust + "/home/*/**/target/debug/" + "/home/*/**/target/doc/" + "/home/*/**/target/release/" + "/home/*/**/target/rls/" + "/home/*/**/target/tarpaulin/" + "/home/*/**/target/wasm32-unknown-unknown/" + "/home/*/.rustup/toolchains/" + "/home/*/.cargo" + + # Python + "/home/*/.local/share/pyppeteer" + "/home/*/.local/share/virtualenvs/" + "/home/*/.platformio/" + + # Node + "/home/*/**/.local-chromium" + + # Project related + "/home/*/Music" + "/home/*/mount" + "/home/*/projects/vapoursynth/data/" + "/home/*/projects/vapoursynth/out/" + "/home/*/projects/vapoursynth/src/" + + # Docker + "/var/lib/docker/" + ]; + excludesFile = pkgs.writeText "exludes.txt" (builtins.concatStringsSep "\n" excludes); + maybePath = path: (lib.optional (builtins.pathExists path) (toString path)); +in +{ + services.restic.backups."${config.networking.hostName}-system" = { + passwordFile = toString (../machines/. + "/${config.networking.hostName}" + /secrets/restic_password); + s3CredentialsFile = toString ../secrets/s3_credentials; + repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic"; + paths = lib.mkDefault ( + [] + ++ maybePath /data + ++ maybePath /home + ++ maybePath /srv + ++ maybePath /var + ); + initialize = true; + extraBackupArgs = [ + "--exclude-caches" + "--exclude-file=${excludesFile}" + ]; + timerConfig = { + OnCalendar = "20:00"; + RandomizedDelaySec = "2h"; + }; + }; +} diff --git a/modules/ssh.nix b/modules/ssh.nix new file mode 100644 index 0000000..3cb6d86 --- /dev/null +++ b/modules/ssh.nix 
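Review bot: `passwordFile` and `s3CredentialsFile` use `toString` on repository paths, which is what keeps the secrets out of the world-readable Nix store (interpolating the path into a string would copy the file in), but nothing says so; add `# toString: reference the file in place, never copy it into /nix/store` next to `passwordFile`, and the same comment belongs on `privateKeyFile` in modules/wireguard/home.nix. The consequence is that the backup service reads these files from the live checkout (the README links /etc/nixos into /home/simon/nixos), so the repository must be git-crypt-unlocked and the files root-readable on every host; a comment noting that, or a `builtins.pathExists` assertion with a clear message, avoids a silent failure at 20:00. Minor: the excludes file is named `"exludes.txt"`, presumably a typo for `"excludes.txt"`.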
@@ -0,0 +1,16 @@ +{ ... }: + +let + pubkeys = import ./pubkeys.nix; +in +{ + services.openssh = { + enable = true; + permitRootLogin = "yes"; + passwordAuthentication = false; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + pubkeys."simon@kipf" + ]; +} diff --git a/modules/sway.nix b/modules/sway.nix new file mode 100644 index 0000000..6de637e --- /dev/null +++ b/modules/sway.nix @@ -0,0 +1,43 @@ +{ config, pkgs, ... }: + +{ + programs.sway = { + enable = true; + extraPackages = with pkgs; [ + swaylock # lockscreen + swayidle # autolock + xwayland # for legacy apps + (waybar.override { pulseSupport = true; }) # better status bar + mako # notification daemon + #kanshi # autorandr + alacritty # temrinal + unstable.dmenu-wayland # launcher + brightnessctl # control screen brightness + #redshift-wlr # natural color temperature + unstable.sway-contrib.grimshot # screenshots + ]; + extraSessionCommands = '' + export CLUTTER_BACKEND=wayland + export GDK_BACKEND=wayland + export MOZ_ENABLE_WAYLAND=1 + export QT_QPA_PLATFORM=wayland-egl + export QT_WAYLAND_DISABLE_WINDOWDECORATION=1 + export SDL_VIDEODRIVER=wayland + export _JAVA_AWT_WM_NONREPARENTING=1 + ''; + }; + + services.redshift = { + enable = true; + package = pkgs.redshift-wlr; + extraOptions = [ "-m" "wayland" ]; + temperature = { + day = 6500; + night = 3500; + }; + }; + + systemd.user.targets.graphical-session.wantedBy = [ "multi-user.target" ]; + + services.logind.lidSwitchDocked = config.services.logind.lidSwitch; +} diff --git a/modules/web.nix b/modules/web.nix new file mode 100644 index 0000000..97cabac --- /dev/null +++ b/modules/web.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + firefox-wayland + passff-host # host app for pass firefox extension + # Buidling chromium from source on a potato laptop is not fun + #(ungoogled-chromium.override { useOzone = true; }) + ]; +} 
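Review bot: `permitRootLogin = "yes"` is broader than this configuration needs: with `passwordAuthentication = false` root can only log in with the key listed below, and `permitRootLogin = "prohibit-password";` expresses exactly that while still refusing root password logins should password authentication ever be re-enabled by another module. Since users/simon/base.nix gives `simon` the `wheel` group and the same key, consider whether root needs an SSH login at all (`"no"`); the README uses `ssh root@machine` once during installation, so a comment explaining why root login is kept would help the next reader. A line noting that `pubkeys.nix` is the single source for authorized keys, so a rotation happens in one place, is also worth adding.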
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix new file mode 100644 index 0000000..5f219a9 --- /dev/null +++ b/modules/wireguard/home.nix @@ -0,0 +1,28 @@ +# Module for setting up the shared part of my home wireguard network. +# Every machine using this still has to set the `ips` for the `wg-home` +# interface and place the private key in their secrets directory as +# `wg-home_private_key` +# +# Example: +# +# networking.wireguard.interfaces.wg-home.ips = [ "10.80.0.4/24" ]; +{ config, ... }: + +{ + networking.wireguard = { + enable = true; + interfaces = { + wg-home = { + privateKeyFile = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key); + peers = [ + { + allowedIPs = [ "10.80.0.0/24" ]; + publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA="; + endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred + persistentKeepalive = 25; + } + ]; + }; + }; + }; +} diff --git a/pre-commit-hook b/pre-commit-hook new file mode 100755 index 0000000..b7e7516 --- /dev/null +++ b/pre-commit-hook @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +nixpkgs-fmt --check . diff --git a/profiles/base.nix b/profiles/base.nix new file mode 100644 index 0000000..d329cd0 --- /dev/null +++ b/profiles/base.nix @@ -0,0 +1,14 @@ +{ ... }: + +{ + imports = + [ + ../modules/base.nix + ../modules/cli-tools.nix + ../modules/docker.nix + ../modules/grub.nix + ../modules/locales.nix + ../modules/prometheus/node_exporter.nix + ../modules/ssh.nix + ]; +} diff --git a/profiles/dev.nix b/profiles/dev.nix new file mode 100644 index 0000000..94a645a --- /dev/null +++ b/profiles/dev.nix @@ -0,0 +1,8 @@ +{ ... }: + +{ + imports = + [ + ../modules/dev + ]; +} diff --git a/profiles/gui.nix b/profiles/gui.nix new file mode 100644 index 0000000..5eadd4c --- /dev/null +++ b/profiles/gui.nix 
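Review bot: The hook only checks formatting, but the repository relies on the `**/secrets/**` git-crypt attribute in .gitattributes to keep restic and wireguard secrets out of plaintext history, and a pattern mismatch (a secret stored outside a `secrets/` directory) would go unnoticed; a cheap safety net is to also inspect `git-crypt status` in this hook and fail the commit when a file under a `secrets/` directory is reported as not encrypted. Note that shell.nix as written never installs this hook (see its hunk), so neither check currently runs.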
@@ -0,0 +1,19 @@ +{ pkgs, ... }: + +{ + imports = + [ + ../modules/communication.nix + ../modules/creative.nix + ../modules/cups.nix + ../modules/fonts.nix + ../modules/gui-tools.nix + (import ../modules/media.nix { inherit pkgs; gui = true; }) + ../modules/mpd.nix + ../modules/network-manager.nix + ../modules/office.nix + ../modules/pulseaudio.nix + ../modules/sway.nix + ../modules/web.nix + ]; +} diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..f66cc9d --- /dev/null +++ b/shell.nix @@ -0,0 +1,10 @@ +{ pkgs ? import {} }: + +pkgs.mkShell { + nativeBuildInputs = with pkgs; [ + nixpkgs-fmt + ]; + buildPhase = '' + ln -f -s ../../pre-commit-hook .git/hooks/pre-commit + ''; +} diff --git a/users/simon/base.nix b/users/simon/base.nix new file mode 100644 index 0000000..7561e1b --- /dev/null +++ b/users/simon/base.nix @@ -0,0 +1,43 @@ +{ pkgs, ... }: + +let + pubkeys = import ../../modules/pubkeys.nix; +in +{ + imports = [ + (import "${builtins.fetchTarball https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos") # FIXME: pin to release + ]; + + users.users.simon = { + isNormalUser = true; + extraGroups = [ + "adbusers" + "dialout" + "docker" + "lp" + "networkmanager" + "wheel" + ]; + openssh.authorizedKeys.keys = [ + pubkeys."simon@kipf" + ]; + }; + + home-manager.useUserPackages = true; + home-manager.useGlobalPkgs = true; + + home-manager.users.simon = { pkgs, ... }: { + gtk = { + enable = true; + font.name = "sans-serif 10"; + theme = { + package = pkgs.gnome-themes-extra; + name = "Adwaita"; + }; + iconTheme = { + package = pkgs.gnome3.adwaita-icon-theme; + name = "Adwaita"; + }; + }; + }; +}
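Review bot: The symlink that installs `pre-commit-hook` lives in `buildPhase`, but `nix-shell` (and direnv's `use nix` from .envrc) only sources the setup and runs `shellHook`; build phases are not executed, so the hook is never installed. Move it to `shellHook = '' ln -f -s ../../pre-commit-hook .git/hooks/pre-commit '';`. The `ln` also assumes the shell is entered from the repository root, which holds for direnv but not for a manual `nix-shell` from a subdirectory; anchoring on the repository root or guarding with `[ -d .git ]` avoids creating a stray link. The argument `{ pkgs ? import {} }` as rendered is missing its `<nixpkgs>` path — if that is a rendering artefact of this page it can be ignored, otherwise the file does not evaluate.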