Simon Bruder
4a8a7e0a4f
Since I currently do not have access to sayuri, sayuri’s migration is not done yet. The host keys and wg-home-private-key secret still have to be added.
{ config, lib, pkgs, ... }:

# Common NixOS module: declares the `sbruder.*` options shared by the other
# modules, imports every module (non-essential ones are switched on through
# those options) and sets the baseline configuration of the system.

let
  # Compatibility overlay that exposes the overlays declared in
  # `nixpkgs.overlays` to ad-hoc commands (`nix run` etc.) through the
  # `nixpkgs-overlays=` NIX_PATH entry set further down.
  # Taken from https://nixos.wiki/wiki/Overlays
  #
  # NOTE(review): the generated file imports `<nixpkgs/nixos>`, i.e. it
  # evaluates whatever system configuration is reachable through NIX_PATH
  # (`/var/src`) at the time the command runs, not a fixed copy.
  compatOverlayFile = pkgs.writeTextFile {
    name = "overlays-compat";
    destination = "/overlays.nix";
    text = ''
      self: super:
      with super.lib;
      let
        # Load the system config and get the `nixpkgs.overlays` option
        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
      in
        # Apply all overlays to the input of the current "main" overlay
        foldl' (flip extends) (_: super) overlays self
    '';
  };

  # Port range that is kept open for ad-hoc experiments (see the firewall
  # section below).
  quickTestPorts = { from = 9990; to = 9999; };

  # Externally pinned inputs (sops-nix, nixpkgs-unstable).
  pinnedSources = import ../nix/sources.nix;
in
{
  # Options that affect multiple modules
  options.sbruder = {
    full = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to build the full system. If disabled, the system closure will
        be smaller, but some features will not be available.
      '';
    };
    gui.enable = lib.mkEnableOption "gui";
    games.enable = lib.mkEnableOption "games";
  };

  # All modules are imported but non-essential modules are activated by
  # configuration options
  imports = [
    ../pkgs/modules.nix
    ./cups.nix
    ./docker.nix
    ./fonts.nix
    ./grub.nix
    ./gui.nix
    ./initrd-ssh.nix
    ./libvirt.nix
    ./locales.nix
    ./mailserver.nix
    ./media-proxy.nix
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
    ./pulseaudio.nix
    ./restic
    ./secrets.nix
    ./ssh.nix
    ./tools.nix
    ./udev.nix
    ./unfree.nix
    ./wireguard

    # Secrets management module, taken from the version pinned in
    # ../nix/sources.nix
    "${pinnedSources.sops-nix}/modules/sops"
  ];

  config = lib.mkMerge [
    {
      # Essential system tools
      environment.systemPackages = [
        pkgs.git
        pkgs.git-crypt # used to store secrets in configuration
        pkgs.git-lfs # not so essential, but required to clone config
        pkgs.htop
        pkgs.tmux
        pkgs.vim
      ];

      # Clean temporary files on boot
      boot.cleanTmpDir = true;

      programs = {
        # Set zsh as default shell
        zsh.enable = true;

        # command-not-found does not work without channels
        command-not-found.enable = false;

        # Authentication/Encryption agents
        gnupg.agent.enable = true;
        ssh.startAgent = true;
      };
      users.defaultUserShell = pkgs.zsh;
      environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";

      # Hard drive monitoring
      services.smartd.enable = lib.mkDefault true;
      # Network monitoring
      services.vnstat.enable = true;

      networking.firewall = {
        # When this is set to true (default), routing everything through a
        # wireguard tunnel does not work.
        #
        # NOTE(review): `false` switches reverse-path filtering off for every
        # interface, not just the tunnel. The option also accepts "loose",
        # which keeps a relaxed check in place; whether that is enough for
        # the tunnel setup should be verified before changing it.
        checkReversePath = false;

        # Open ports for quick tests
        #
        # NOTE(review): this appears to be imported by every host, so the
        # range is reachable from the network on all of them, TCP and UDP,
        # regardless of whether a test is running.
        allowedTCPPortRanges = [ quickTestPorts ];
        allowedUDPPortRanges = [ quickTestPorts ];
      };

      nix = {
        nixPath = [
          "/var/src" # pinned nixpkgs and configuration
          "nixpkgs=/var/src/nixpkgs" # for nix run
          "nixpkgs-overlays=${compatOverlayFile}"
        ];

        # Make sudoers trusted nix users
        #
        # NOTE(review): trusted users may override nix-daemon settings such
        # as substituters and trusted public keys, which is root-equivalent
        # in effect; that matches the sudo rights of @wheel, so the two
        # groups should stay aligned.
        trustedUsers = [ "@wheel" ];

        # On-the-fly optimisation of nix store
        autoOptimiseStore = true;

        # Keep output of derivations with gc root (only on full systems, see
        # `sbruder.full`)
        extraOptions =
          if config.sbruder.full then ''
            keep-outputs = true
            keep-derivations = true
          '' else "";

        # Make nix build in background less noticeable
        daemonIONiceLevel = 5; # 0-7
      };
      systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = "batch";

      nixpkgs.overlays = [
        (import ../pkgs)
        (final: prev: {
          # `pkgs.unstable`: the pinned unstable package set, evaluated with
          # the same nixpkgs config and overlays as the main one.
          unstable = import pinnedSources.nixpkgs-unstable {
            config = config.nixpkgs.config;
            overlays = config.nixpkgs.overlays;
          };
        })
      ];

      # Globally set Let’s Encrypt requirements
      security.acme = {
        acceptTerms = true;
        email = "security@sbruder.de";
      };
    }

    # Trimmed-down variant for hosts with `sbruder.full = false`
    (lib.mkIf (!config.sbruder.full) {
      # Adapted from nixpkgs/nixos/modules/profiles/minimal.nix
      i18n.supportedLocales =
        map (locale: "${locale}/UTF-8")
          ([ config.i18n.defaultLocale ] ++ lib.attrValues config.i18n.extraLocaleSettings);

      documentation.enable = lib.mkDefault false;
    })
  ];
}