cleanup, make checks pass

This commit is contained in:
Cyryl Płotnicki 2024-04-27 11:33:38 +01:00
parent c6cb14a14b
commit 635f5902aa
28 changed files with 515 additions and 443 deletions


@ -36,11 +36,13 @@
];
specialArgs = {inherit inputs system;};
};
mkRaspi = pkgs: hostname:
mkRaspi = pkgs: hostname: let
system = "aarch64-linux";
in
pkgs.lib.nixosSystem {
system = "aarch64-linux";
inherit system;
modules = [(./. + "/nixos/boxes/${hostname}") sops.nixosModules.sops];
specialArgs = {inherit inputs;};
specialArgs = {inherit inputs system;};
};
mkKiosk = pkgs: system: hostname:
pkgs.lib.nixosSystem {
@ -52,12 +54,14 @@
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.cyryl = {
imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
_module.args.inputs = inputs;
_module.args.system = system;
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.cyryl = {
imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
_module.args.inputs = inputs;
_module.args.system = system;
};
};
}
];
@ -86,12 +90,14 @@
{programs.nix-ld.dev.enable = true;}
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.cyryl = {
imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
_module.args.inputs = inputs;
_module.args.system = system;
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.cyryl = {
imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
_module.args.inputs = inputs;
_module.args.system = system;
};
};
}
];
@ -138,12 +144,14 @@
(./. + "/nixos/boxes/form3")
home-manager.darwinModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.cyryl = {
imports = [./nixos/home-manager];
_module.args.inputs = inputs;
_module.args.system = system;
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.cyryl = {
imports = [./nixos/home-manager];
_module.args.inputs = inputs;
_module.args.system = system;
};
};
}
];
@ -154,7 +162,6 @@
foryog = mkWorkstation nixpkgs-nixos-unstable "x86_64-linux" "foryog";
thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky";
bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty";
vpsfree1 = mkServer nixpkgs-stable "x86_64-linux" "vpsfree1";
cupsnet = mkServer nixpkgs-stable "aarch64-linux" "cupsnet";
mb1 = mkServer nixpkgs-stable "x86_64-linux" "mb1";
homescreen = mkRaspi nixpkgs-stable "homescreen";


@ -15,10 +15,13 @@
zfs.forceImportRoot = false;
};
services.btrfs.autoScrub.enable = true;
services.zfs.autoScrub.enable = true;
services.zfs.trim.enable = true;
services = {
btrfs.autoScrub.enable = true;
zfs = {
autoScrub.enable = true;
trim.enable = true;
};
};
boot.kernelParams = ["zfs.zfs_arc_max=17179869184"];
boot.zfs.extraPools = ["data"];


@ -7,13 +7,11 @@
../cli.nix
../send-logs.nix
./bolty-boot.nix
./gitea-runner.nix
./grafana.nix
./home-assistant.nix
./home-security.nix
./influxdb.nix
./logs.nix
./mastodon.nix
./nas.nix
./networking.nix
./nix-store-server.nix


@ -14,49 +14,52 @@ in {
imports = [../nginx.nix ./virtualisation.nix];
networking.firewall.allowedTCPPorts = [port 1883 8089];
services.mosquitto = {
enable = true;
package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
dataDir = "/data/mosquitto";
listeners = [
{
port = 1883;
omitPasswordAuth = true;
users = {};
settings = {
allow_anonymous = true;
services = {
mosquitto = {
enable = true;
package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
dataDir = "/data/mosquitto";
listeners = [
{
port = 1883;
omitPasswordAuth = true;
users = {};
settings = {
allow_anonymous = true;
};
acl = ["topic readwrite #"];
}
];
};
zigbee2mqtt = {
enable = true;
package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
settings = {
homeassistant = true;
permit_join = true;
availability.active.timeout = 10;
availability.passive.timeout = 90;
frontend.port = 8089;
mqtt.server = "mqtt://10.0.0.8:1883";
serial = {
port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
baudrate = 115200;
};
acl = ["topic readwrite #"];
}
];
};
services.zigbee2mqtt = {
enable = true;
package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
settings = {
homeassistant = true;
permit_join = true;
availability.active.timeout = 10;
availability.passive.timeout = 90;
frontend.port = 8089;
mqtt.server = "mqtt://10.0.0.8:1883";
serial = {
port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
baudrate = 115200;
};
};
};
services.nginx = {
virtualHosts = {
"bolty.raptor-carp.ts.net" = {
forceSSL = true;
enableACME = false;
locations."/" = {
proxyPass = "http://10.0.0.244:8123";
proxyWebsockets = true;
nginx = {
virtualHosts = {
"bolty.raptor-carp.ts.net" = {
forceSSL = true;
enableACME = false;
locations."/" = {
proxyPass = "http://10.0.0.244:8123";
proxyWebsockets = true;
};
sslCertificateKey = keyPath;
sslCertificate = certPath;
};
sslCertificateKey = keyPath;
sslCertificate = certPath;
};
};
};
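Review bot: `permit_join = true` in the new `zigbee2mqtt.settings` block leaves the Zigbee network permanently open to any device that asks to join, which zigbee2mqtt itself warns against at startup; set `permit_join = false;` here and enable joining temporarily from the frontend when pairing. The same hunk opens `8089` (the `frontend.port`) in the firewall while no `frontend.auth_token` is visible, and the mosquitto listener on 1883 is anonymous with `topic readwrite #`, so anything reachable on that network segment can read and drive every device — acceptable only if both ports are meant to stay LAN-internal, which the config does not show. The enclosing `in {` set starts before this hunk.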


@ -6,23 +6,25 @@
...
}: {
networking.hostName = "bolty";
systemd.network.enable = true;
networking.networkmanager.enable = false;
systemd.network.netdevs."br0".netdevConfig = {
Name = "br0";
Kind = "bridge";
};
systemd.network.networks."br0" = {
name = "br0";
address = ["10.0.0.8/24"];
gateway = ["10.0.0.1"];
DHCP = "no";
dns = ["100.100.100.100" "9.9.9.9"];
};
systemd.network.networks."eth" = {
name = "enp4s0";
networkConfig.Bridge = "br0";
DHCP = "no";
systemd.network = {
enable = true;
netdevs."br0".netdevConfig = {
Name = "br0";
Kind = "bridge";
};
networks."br0" = {
name = "br0";
address = ["10.0.0.8/24"];
gateway = ["10.0.0.1"];
DHCP = "no";
dns = ["100.100.100.100" "9.9.9.9"];
};
networks."eth" = {
name = "enp4s0";
networkConfig.Bridge = "br0";
DHCP = "no";
};
};
}


@ -4,20 +4,36 @@
lib,
...
}: {
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [631 6566];
networking.firewall.allowedUDPPorts = [631 6566];
services.printing = {
networking.firewall = {
enable = true;
drivers = with pkgs; [epson-escpr];
listenAddresses = ["*:631"];
defaultShared = true;
browsing = true;
allowFrom = ["all"];
extraConf = ''
ServerAlias *
DefaultEncryption Never
'';
allowedTCPPorts = [631 6566];
allowedUDPPorts = [631 6566];
};
services = {
printing = {
enable = true;
drivers = with pkgs; [epson-escpr];
listenAddresses = ["*:631"];
defaultShared = true;
browsing = true;
allowFrom = ["all"];
extraConf = ''
ServerAlias *
DefaultEncryption Never
'';
};
udev.packages = [];
saned = {
enable = true;
extraConfig = ''
100.69.222.80
10.0.24.0/24
10.0.0.1/24
foureighty
hagath
'';
};
};
hardware.printers.ensurePrinters = [
@ -37,17 +53,5 @@
snapshot = true;
};
services.udev.packages = [];
environment.systemPackages = with pkgs; [gawk];
services.saned = {
enable = true;
extraConfig = ''
100.69.222.80
10.0.24.0/24
10.0.0.1/24
foureighty
hagath
'';
};
}
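Review bot: `allowFrom = ["all"]` combined with `listenAddresses = ["*:631"]`, `DefaultEncryption Never` and TCP/UDP 631 and 6566 opened in the firewall makes the CUPS IPP/web interface (including `/admin`) reachable unauthenticated and in plaintext from every network this host is attached to. The `saned.extraConfig` in the same `services` set already enumerates the trusted clients (`100.69.222.80`, `10.0.24.0/24`, `10.0.0.1/24`), so scoping CUPS the same way keeps the hosts that print today working, e.g. `allowFrom = ["localhost" "10.0.0.0/24" "10.0.24.0/24"];` plus the tailnet address if that client prints as well. Note also that saned speaks TCP only, so the UDP entry for 6566 is dead weight. The module's parameter list starts before this hunk.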


@ -4,11 +4,13 @@
lib,
...
}: {
hardware.enableRedistributableFirmware = true;
services.smartd.enable = true;
services.fstrim.enable = true;
environment.systemPackages = with pkgs; [smartmontools];
services.fwupd.enable = true;
services.thermald.enable = true;
services.haveged.enable = true;
hardware.enableRedistributableFirmware = true;
services = {
smartd.enable = true;
fstrim.enable = true;
fwupd.enable = true;
thermald.enable = true;
haveged.enable = true;
};
}


@ -12,43 +12,44 @@
in {
imports = [];
systemd.services.tailscale-cert-make-path = {
script = ''
mkdir -p ${basePath}
'';
serviceConfig = {Type = "oneshot";};
before = ["tailscale-cert.service"];
wantedBy = ["multi-user.target"];
};
systemd.services.tailscale-cert = {
after = ["network.target" "network-online.target" "tailscaled.service"];
wants = ["tailscaled.service"];
wantedBy = ["multi-user.target"];
path = with pkgs; [tailscale];
serviceConfig = {
Type = "oneshot";
UMask = 22;
StateDirectoryMode = 750;
ProtectSystem = "strict";
ReadWritePaths = ["${basePath}"];
PrivateTmp = true;
WorkingDirectory = "${basePath}";
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
StateDirectory = ["${basePath}"];
systemd.services = {
tailscale-cert-make-path = {
script = ''
mkdir -p ${basePath}
'';
serviceConfig = {Type = "oneshot";};
before = ["tailscale-cert.service"];
wantedBy = ["multi-user.target"];
};
script = ''
tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
'';
};
tailscale-cert = {
after = ["network.target" "network-online.target" "tailscaled.service"];
wants = ["tailscaled.service"];
wantedBy = ["multi-user.target"];
path = with pkgs; [tailscale];
serviceConfig = {
Type = "oneshot";
UMask = 22;
StateDirectoryMode = 750;
ProtectSystem = "strict";
ReadWritePaths = ["${basePath}"];
PrivateTmp = true;
WorkingDirectory = "${basePath}";
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
StateDirectory = ["${basePath}"];
};
script = ''
tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
'';
};
};
systemd.timers.tailscale-renew = {
wantedBy = ["timers.target"];
description = "Renew tailscale server cert";
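Review bot: `after` lists `network-online.target` but `wants` names only `tailscaled.service`, so nothing pulls network-online in and that ordering is inert; change it to `wants = ["network-online.target" "tailscaled.service"];` so `tailscale cert` is not attempted before the node can reach the control plane. `StateDirectory` takes names relative to `/var/lib` and systemd rejects absolute paths there — `basePath` is defined before this hunk, so check whether `StateDirectory = ["${basePath}"]` is a valid value or whether the `tailscale-cert-make-path` oneshot is what really creates the directory, in which case it does so with root's default umask rather than the `750` the main unit asks for and `mkdir -p -m 0750 ${basePath}` would be the matching fix. The `systemd.timers.tailscale-renew` definition continues past the end of the hunk.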


@ -5,12 +5,14 @@
lib,
...
}: {
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
boot = {
kernelPackages = pkgs.linuxPackages_latest;
initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
boot.loader.grub = {
devices = ["/dev/vda"];
efiSupport = true;
efiInstallAsRemovable = true;
loader.grub = {
devices = ["/dev/vda"];
efiSupport = true;
efiInstallAsRemovable = true;
};
};
}


@ -51,16 +51,18 @@ in {
home-manager.users.cyryl = {...}: {
imports = [];
home.packages = with pkgs; [awscli kubectl cargo-update];
programs.git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
programs.git.extraConfig = {
user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
commit.gpgsign = true;
"url \"git@github.com:\"".insteadOf = "https://github.com/";
programs = {
git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
git.extraConfig = {
user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
commit.gpgsign = true;
"url \"git@github.com:\"".insteadOf = "https://github.com/";
};
gpg.enable = true;
gpg.homedir = "/Users/cyryl/.gnupg";
zsh.loginExtra = ''
eval "$(/opt/homebrew/bin/brew shellenv)"
'';
};
programs.gpg.enable = true;
programs.gpg.homedir = "/Users/cyryl/.gnupg";
programs.zsh.loginExtra = ''
eval "$(/opt/homebrew/bin/brew shellenv)"
'';
};
}


@ -26,12 +26,15 @@
services.restic.backups.home-to-b2 = {
repository = lib.mkForce "b2:cyplo-restic-foureighty:/";
};
boot.kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
boot.tmp.cleanOnBoot = true;
boot.binfmt.emulatedSystems = ["aarch64-linux"];
boot.plymouth = {
enable = true;
logo = ./boot.png;
boot = {
kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
tmp.cleanOnBoot = true;
binfmt.emulatedSystems = ["aarch64-linux"];
plymouth = {
enable = true;
logo = ./boot.png;
};
};
zramSwap = {
@ -42,13 +45,15 @@
time.timeZone = "Europe/London";
hardware.trackpoint.enable = true;
hardware.keyboard.qmk.enable = true;
hardware = {
trackpoint.enable = true;
keyboard.qmk.enable = true;
opengl.extraPackages = with pkgs; [libva];
};
services.udev.packages = [pkgs.qmk-udev-rules];
programs.ccache.enable = true;
hardware.opengl.extraPackages = with pkgs; [libva];
programs.steam.enable = true;
nixpkgs.config.allowUnfree = true;
home-manager.users.cyryl = {...}: {
imports = [


@ -45,25 +45,28 @@
device = "0000:00:02.0";
};
hardware.trackpoint.enable = true;
services.hardware.bolt.enable = true;
services = {
hardware.bolt.enable = true;
services.xserver = {
libinput = {
enable = true;
touchpad = {
tapping = true;
naturalScrolling = false;
middleEmulation = false;
disableWhileTyping = true;
buttonMapping = "1 0 3 4 5 6 7 8 9 10";
};
mouse = {
middleEmulation = false;
buttonMapping = "1 0 3 4 5 6 7 8 9 10";
xserver = {
libinput = {
enable = true;
touchpad = {
tapping = true;
naturalScrolling = false;
middleEmulation = false;
disableWhileTyping = true;
buttonMapping = "1 0 3 4 5 6 7 8 9 10";
};
mouse = {
middleEmulation = false;
buttonMapping = "1 0 3 4 5 6 7 8 9 10";
};
};
};
fprintd = {enable = true;};
};
services.fprintd = {enable = true;};
programs.ccache.enable = true;
hardware.opengl.extraPackages = with pkgs; [libva];
programs.steam.enable = true;


@ -13,9 +13,11 @@
availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
};
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
loader.efi.efiSysMountPoint = "/boot/efi";
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot/efi";
};
};
boot.initrd.secrets = {"/crypto_keyfile.bin" = null;};


@ -11,40 +11,43 @@
hostName = "homescreen";
networkmanager = {enable = true;};
};
hardware.enableRedistributableFirmware = true;
environment.systemPackages = with pkgs; [neovim htop btop atop];
services.fail2ban.enable = true;
hardware = {
raspberry-pi."4".fkms-3d.enable = true;
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
enableRedistributableFirmware = true;
deviceTree.filter = lib.mkForce "*rpi-*.dtb";
};
services = {
fail2ban.enable = true;
hardware.raspberry-pi."4".fkms-3d.enable = true;
hardware.deviceTree.filter = lib.mkForce "*rpi-*.dtb";
services.xserver = {
enable = true;
displayManager = {
lightdm.enable = true;
autoLogin.enable = true;
autoLogin.user = "kiosk";
openssh = {
enable = true;
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
};
xserver = {
enable = true;
displayManager = {
lightdm.enable = true;
autoLogin.enable = true;
autoLogin.user = "kiosk";
};
desktopManager.gnome.enable = true;
libinput.enable = true;
};
desktopManager.gnome.enable = true;
libinput.enable = true;
};
users = {
mutableUsers = false;
users.kiosk = {isNormalUser = true;};
extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
];
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
];
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
@ -57,6 +60,7 @@
options = ["nofail" "noauto"];
};
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
security.allowUserNamespaces = true;
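Review bot: `openssh.permitRootLogin` and `openssh.passwordAuthentication` in the new `services` block are the pre-`settings` option names; since the `services.openssh.settings` submodule was introduced they survive only as renamed aliases that print a deprecation warning at evaluation and can be dropped at any release, which sits oddly with a commit titled "make checks pass" (which release the pinned `nixpkgs-stable` tracks is not visible here). Use `openssh.settings.PermitRootLogin = "prohibit-password";` and `openssh.settings.PasswordAuthentication = false;` instead — the same two settings, same effect on the key-only root login this kiosk relies on.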


@ -19,11 +19,14 @@
../../zsh
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
time.timeZone = "Europe/London";
boot = {
kernelPackages = pkgs.linuxPackages_latest;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
time.timeZone = "Europe/London";
};
services.thermald.enable = true;
home-manager.users.cyryl = {...}: {
imports = [../../home-manager/programs/kitty.nix];
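Review bot: `time.timeZone = "Europe/London";` now sits inside the new `boot = { ... };` set (between the `};` that closes `loader` and the one that closes `boot`), so it defines `boot.time.timeZone`, which is not a NixOS option — evaluating this host fails with "The option `boot.time` does not exist" rather than merely losing the timezone. Move the line out so it follows the `};` that closes `boot`, restoring the top-level `time.timeZone` the old side had. Since the commit says it makes the checks pass, presumably this host is not evaluated by the `use nix / build` workflow; adding it there would catch this class of mistake.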


@ -1,110 +1,113 @@
{ config, pkgs, nixpkgs-nixos-unstable-and-unfree, lib, ... }: {
boot.kernelModules = [ "fuse" ];
services.smartd.enable = true;
{
config,
pkgs,
nixpkgs-nixos-unstable-and-unfree,
lib,
...
}: {
boot.kernelModules = ["fuse"];
sound.enable = true;
networking.networkmanager = {
enable = true;
dispatcherScripts = [{
source = pkgs.writeText "upHook" ''
enable_disable_wifi ()
{
result=$(nmcli dev | grep "ethernet" | grep -w "connected")
if [ -n "$result" ]; then
nmcli radio wifi off
else
nmcli radio wifi on
dispatcherScripts = [
{
source = pkgs.writeText "upHook" ''
enable_disable_wifi ()
{
result=$(nmcli dev | grep "ethernet" | grep -w "connected")
if [ -n "$result" ]; then
nmcli radio wifi off
else
nmcli radio wifi on
fi
}
if [ "$2" = "up" ]; then
enable_disable_wifi
fi
}
if [ "$2" = "up" ]; then
enable_disable_wifi
fi
if [ "$2" = "down" ]; then
enable_disable_wifi
fi
'';
type = "basic";
}];
if [ "$2" = "down" ]; then
enable_disable_wifi
fi
'';
type = "basic";
}
];
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
hardware.bluetooth = {
enable = true;
package = pkgs.bluez;
settings = { General = { Enable = "Source,Sink,Media,Socket"; }; };
};
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
extraConfig.pipewire."92-low-latency" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 32;
default.clock.min-quantum = 32;
default.clock.max-quantum = 32;
};
services = {
smartd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
printing = {
enable = true;
drivers = with pkgs; [
epson-escpr
nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
gutenprint
];
extraConf = ''
Option pdftops-renderer hybrid
'';
};
udev.packages = [];
};
environment.systemPackages = with pkgs; [ghostscript poppler];
hardware = {
enableRedistributableFirmware = true;
cpu.intel.updateMicrocode = true;
bluetooth = {
enable = true;
package = pkgs.bluez;
settings = {General = {Enable = "Source,Sink,Media,Socket";};};
};
pulseaudio.enable = false;
printers.ensurePrinters = [
{
description = "Epson XP-540 via bolty";
name = "epson_xp540_via_bolty";
deviceUri = "ipp://bolty:631/printers/epson_xp540";
model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
ppdOptions = {
PageSize = "A4";
Duplex = "DuplexNoTumble";
};
}
{
description = "Samsung SCX-4623 Series";
name = "samsung-SCX-4623";
deviceUri = "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
model = "samsung/SCX-4623FW.ppd";
ppdOptions = {
PageSize = "A4";
Duplex = "DuplexNoTumble";
};
}
];
sane = {
enable = true;
snapshot = true;
extraBackends = with pkgs; [
nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
sane-airscan
gawk
];
};
};
environment.systemPackages = with pkgs; [ ghostscript poppler ];
services.printing = {
enable = true;
drivers = with pkgs; [
epson-escpr
nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
gutenprint
];
extraConf = ''
Option pdftops-renderer hybrid
'';
};
hardware.printers.ensurePrinters = [
{
description = "Epson XP-540 via bolty";
name = "epson_xp540_via_bolty";
deviceUri = "ipp://bolty:631/printers/epson_xp540";
model =
"epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
ppdOptions = {
PageSize = "A4";
Duplex = "DuplexNoTumble";
};
}
{
description = "Samsung SCX-4623 Series";
name = "samsung-SCX-4623";
deviceUri =
"usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
model = "samsung/SCX-4623FW.ppd";
ppdOptions = {
PageSize = "A4";
Duplex = "DuplexNoTumble";
};
}
];
services.udev.packages = [ ];
hardware.sane = {
enable = true;
snapshot = true;
extraBackends = with pkgs; [
nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver
sane-airscan
gawk
];
};
powerManagement = {
enable = lib.mkForce true;
resumeCommands = ''


@ -20,6 +20,7 @@ in {
boot.supportedFilesystems = ["ntfs"];
environment.enableDebugInfo = true;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
ccache
curl


@ -3,23 +3,25 @@
pkgs,
...
}: {
nix.buildMachines = [
{
hostName = "bolty";
sshUser = "nix-builder";
sshKey = "/home/cyryl/.ssh/id_ed25519";
systems = ["i686-linux" "x86_64-linux" "aarch64-linux"];
maxJobs = 2;
speedFactor = 1;
supportedFeatures = ["kvm" "big-parallel"];
mandatoryFeatures = [];
}
];
nix = {
buildMachines = [
{
hostName = "bolty";
sshUser = "nix-builder";
sshKey = "/home/cyryl/.ssh/id_ed25519";
systems = ["i686-linux" "x86_64-linux" "aarch64-linux"];
maxJobs = 2;
speedFactor = 1;
supportedFeatures = ["kvm" "big-parallel"];
mandatoryFeatures = [];
}
];
nix.extraOptions = ''
builders-use-substitutes = true
'';
nix.distributedBuilds = true;
nix.settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
nix.settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
extraOptions = ''
builders-use-substitutes = true
'';
distributedBuilds = true;
settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
};
}
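Review bot: `sshKey = "/home/cyryl/.ssh/id_ed25519"` makes the nix daemon, which runs as root, use the user's personal SSH key for every remote build; a dedicated builder key (for instance under `/root/.ssh/` or `/etc/nix/`, authorised on bolty only for the `nix-builder` account) means a problem in the build path cannot expose the key the user relies on for everything else. Because the daemon connects as root, bolty's host key must also be known to root — via `programs.ssh.knownHosts` or root's own `known_hosts`, neither of which is visible here — otherwise both the builder and the `ssh://nix-ssh@bolty.raptor-carp.ts.net` substituter fail host-key verification non-interactively. A one-line comment above `buildMachines` naming the expected key and where the host key is pinned would save the next reader that check.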


@ -20,9 +20,11 @@
colour.ui = true;
core.fsmonitor = true;
credential = {helper = "cache";};
diff.algorithm = "histogram";
diff.renameLimit = 2048;
diff.renames = "copy";
diff = {
algorithm = "histogram";
renameLimit = 2048;
renames = "copy";
};
help.autocorrect = 1;
init.defaultBranch = "main";
merge.renamelimit = 8192;


@ -22,9 +22,11 @@
imports = [];
programs.chromium.enable = true;
programs.firefox.enable = true;
programs.sioyek.enable = true;
programs = {
chromium.enable = true;
firefox.enable = true;
sioyek.enable = true;
};
home.packages =
(with pkgs;
with pkgs.gnome3;


@ -7,9 +7,11 @@
programs.vscode = {
enable = true;
userSettings = {
editor.fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
editor.formatOnType = true;
editor.fontSize = 16;
editr = {
fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
formatOnType = true;
fontSize = 16;
};
files.autoSave = "onFocusChange";
rust-analyzer.checkOnSave.command = "clippy";
platformio-ide = {
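Review bot: `editr = {` on the new side is a typo for `editor`; after the restructure `fontFamily`, `formatOnType` and `fontSize` are emitted under an `editr` key in settings.json, which VS Code ignores, so all three editor settings are silently lost compared with the old dotted `editor.*` lines. Change it to `editor = {`. The enclosing `userSettings` set continues past the end of the hunk.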


@ -7,19 +7,20 @@
}: let
username = "cyryl";
in {
home.sessionVariables = {
LC_ALL = "en_GB.UTF-8";
LANG = "en_GB.UTF-8";
PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
home = {
inherit username;
sessionVariables = {
LC_ALL = "en_GB.UTF-8";
LANG = "en_GB.UTF-8";
PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
};
packages = with pkgs; [];
homeDirectory = lib.mkDefault "/home/${username}";
stateVersion = "23.11";
};
news.display = "show";
home.packages = with pkgs; [];
home.username = username;
home.homeDirectory = lib.mkDefault "/home/${username}";
home.stateVersion = "23.11";
programs.home-manager.enable = true;
imports = [


@ -3,18 +3,20 @@
pkgs,
...
}: {
home.file.".config/nixpkgs/config.nix".source = ../shell-config.nix;
home.file.".gdbinit".text = ''
set auto-load python-scripts on
add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
set auto-load safe-path /
source /home/cyryl/dev/dotfiles/.gdbinit
'';
home.file.".gdbinit.d/dashboard".text = ''
dashboard -layout breakpoints source expressions stack threads variables
dashboard variables -style compact 0
dashboard source -style height 24
dashboard stack -style compact 1
dashboard stack -style limit 3
'';
home.file = {
".config/nixpkgs/config.nix".source = ../shell-config.nix;
".gdbinit".text = ''
set auto-load python-scripts on
add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
set auto-load safe-path /
source /home/cyryl/dev/dotfiles/.gdbinit
'';
".gdbinit.d/dashboard".text = ''
dashboard -layout breakpoints source expressions stack threads variables
dashboard variables -style compact 0
dashboard source -style height 24
dashboard stack -style compact 1
dashboard stack -style limit 3
'';
};
}
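Review bot: `set auto-load safe-path /` in the new `".gdbinit".text` block marks every directory on the system as safe for gdb auto-loading, so any `-gdb.py`, `-gdb.gdb` or per-directory `.gdbinit` sitting next to a binary or core file being debugged is executed as the user — debugging anything obtained from elsewhere becomes arbitrary code execution. The `add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit` line just above already whitelists the one file that is needed, so drop the `set auto-load safe-path /` line and add further `add-auto-load-safe-path` entries only for specific trees as they come up. The explicit `source` line is not subject to the safe-path check, so it keeps working either way.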


@ -44,10 +44,13 @@
fractalart.enable = true;
colord.enable = true;
xserver.windowManager.i3.enable = true;
xserver.displayManager.sddm = {
xserver = {
enable = true;
enableHidpi = true;
windowManager.i3.enable = true;
displayManager.sddm = {
enable = true;
enableHidpi = true;
};
};
};
home-manager.users.cyryl = {...}: {


@ -9,83 +9,89 @@
nix.settings.allowed-users = ["@users"];
security.apparmor.enable = true;
security.apparmor.killUnconfinedConfinables = true;
security.forcePageTableIsolation = true;
security.lockKernelModules = false;
security.protectKernelImage = true;
security.virtualisation.flushL1DataCache = "always";
security = {
apparmor.enable = true;
apparmor.killUnconfinedConfinables = true;
forcePageTableIsolation = true;
lockKernelModules = false;
protectKernelImage = true;
virtualisation.flushL1DataCache = "always";
};
sops.age = {
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
boot.kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
boot = {
kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
boot.blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
# Restrict ptrace() usage to processes with a pre-defined relationship
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
kernel.sysctl = {
# Restrict ptrace() usage to processes with a pre-defined relationship
# (e.g., parent/child)
"kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
# Hide kptrs even for processes with CAP_SYSLOG
"kernel.kptr_restrict" = lib.mkOverride 500 2;
# Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
# Disable bpf() JIT (to eliminate spray attacks)
"net.core.bpf_jit_enable" = false;
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = false;
# Disable ftrace debugging
"kernel.ftrace_enabled" = false;
# Enable strict reverse path filtering (that is, do not attempt to route
# packets that "obviously" do not belong to the iface's network; dropped
# packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
# Enable strict reverse path filtering (that is, do not attempt to route
# packets that "obviously" do not belong to the iface's network; dropped
# packets are logged as martians).
"net.ipv4.conf.all.log_martians" = true;
"net.ipv4.conf.all.rp_filter" = "1";
"net.ipv4.conf.default.log_martians" = true;
"net.ipv4.conf.default.rp_filter" = "1";
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
# Ignore broadcast ICMP (mitigate SMURF)
"net.ipv4.icmp_echo_ignore_broadcasts" = true;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
"net.ipv4.conf.all.accept_redirects" = false;
"net.ipv4.conf.all.secure_redirects" = false;
"net.ipv4.conf.default.accept_redirects" = false;
"net.ipv4.conf.default.secure_redirects" = false;
"net.ipv6.conf.all.accept_redirects" = false;
"net.ipv6.conf.default.accept_redirects" = false;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
# Ignore outgoing ICMP redirects (this is ipv4 only)
"net.ipv4.conf.all.send_redirects" = false;
"net.ipv4.conf.default.send_redirects" = false;
};
};
}
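Review bot: `"net.core.bpf_jit_enable" = false` in the new `kernel.sysctl` set is silently ineffective on a kernel built with `CONFIG_BPF_JIT_ALWAYS_ON` (the sysctl then reads as a fixed `1`), and whether the nixpkgs kernels these hosts use set that option is not visible here; the setting that removes the unprivileged attack surface regardless of the JIT is absent, so add `"kernel.unprivileged_bpf_disabled" = 1;` next to it. `"kernel.kptr_restrict" = 2` is naturally paired with `"kernel.dmesg_restrict" = true;`, which keeps unprivileged users out of the kernel log altogether. The comment above the JIT line should say it is best-effort, e.g. `# no-op on kernels built with BPF_JIT_ALWAYS_ON; unprivileged_bpf_disabled is the real guard`.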


@ -30,7 +30,9 @@ in {
openssh.authorizedKeys.keys = authorizedKeys;
};
nix.settings.trusted-users = ["root" "nix-builder"];
nix.sshServe.enable = true;
nix.sshServe.keys = authorizedKeys;
nix = {
settings.trusted-users = ["root" "nix-builder"];
sshServe.enable = true;
sshServe.keys = authorizedKeys;
};
}
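Review bot: `settings.trusted-users = ["root" "nix-builder"]` makes the `nix-builder` account root-equivalent on this host through the daemon (trusted users can set `sandbox-paths`, add substituters and import unsigned paths), and the `authorizedKeys` list defined before this hunk feeds both that account (the `openssh.authorizedKeys.keys` context line) and the read-only `sshServe`. Keep that list to the single builder key, and since a `buildMachines` entry without an explicit protocol drives the builder with `nix-store --serve --write`, each key for this account can be pinned to it with `restrict,command="nix-store --serve --write" ssh-ed25519 …` so it cannot open a shell. The `nix-builder` user definition and the enclosing `in {` set both start before this hunk.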


@ -52,10 +52,12 @@ in {
gsettings-desktop-schemas
lxappearance
];
file.".config/wofi/style.css".source = ../../.config/wofi/style.css;
file.".config/waybar/config".source = ../../.config/waybar/config;
file.".config/waybar/style.css".source =
../../.config/waybar/style.css;
file = {
".config/wofi/style.css".source = ../../.config/wofi/style.css;
".config/waybar/config".source = ../../.config/waybar/config;
".config/waybar/style.css".source =
../../.config/waybar/style.css;
};
};
services.udiskie.enable = true;
xsession.preferStatusNotifierItems = true;


@ -11,12 +11,15 @@
cocPackage = unstablePackages.vimPlugins.coc-nvim;
nvimPackage = unstablePackages.neovim-unwrapped;
in {
home.file.".vimrc".source = ../../.vimrc;
home.packages = with pkgs; [ripgrep];
home.sessionVariables = {
EDITOR = "vim";
VISUAL = "vim";
home = {
file.".vimrc".source = ../../.vimrc;
packages = with pkgs; [ripgrep];
sessionVariables = {
EDITOR = "vim";
VISUAL = "vim";
};
};
programs.zsh.sessionVariables = {
EDITOR = "vim";
VISUAL = "vim";