diff --git a/flake.nix b/flake.nix index 8c8fbd93..f0c7acf9 100644 --- a/flake.nix +++ b/flake.nix @@ -36,11 +36,13 @@ ]; specialArgs = {inherit inputs system;}; }; - mkRaspi = pkgs: hostname: + mkRaspi = pkgs: hostname: let + system = "aarch64-linux"; + in pkgs.lib.nixosSystem { - system = "aarch64-linux"; + inherit system; modules = [(./. + "/nixos/boxes/${hostname}") sops.nixosModules.sops]; - specialArgs = {inherit inputs;}; + specialArgs = {inherit inputs system;}; }; mkKiosk = pkgs: system: hostname: pkgs.lib.nixosSystem { @@ -52,12 +54,14 @@ home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.cyryl = { - imports = [./nixos/home-manager ./nixos/home-manager/linux.nix]; - _module.args.inputs = inputs; - _module.args.system = system; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users.cyryl = { + imports = [./nixos/home-manager ./nixos/home-manager/linux.nix]; + _module.args.inputs = inputs; + _module.args.system = system; + }; }; } ]; @@ -86,12 +90,14 @@ {programs.nix-ld.dev.enable = true;} home-manager.nixosModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.cyryl = { - imports = [./nixos/home-manager ./nixos/home-manager/linux.nix]; - _module.args.inputs = inputs; - _module.args.system = system; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users.cyryl = { + imports = [./nixos/home-manager ./nixos/home-manager/linux.nix]; + _module.args.inputs = inputs; + _module.args.system = system; + }; }; } ]; 
@@ -138,12 +144,14 @@ (./. + "/nixos/boxes/form3") home-manager.darwinModules.home-manager { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.cyryl = { - imports = [./nixos/home-manager]; - _module.args.inputs = inputs; - _module.args.system = system; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users.cyryl = { + imports = [./nixos/home-manager]; + _module.args.inputs = inputs; + _module.args.system = system; + }; }; } ]; @@ -154,7 +162,6 @@ foryog = mkWorkstation nixpkgs-nixos-unstable "x86_64-linux" "foryog"; thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky"; bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty"; - vpsfree1 = mkServer nixpkgs-stable "x86_64-linux" "vpsfree1"; cupsnet = mkServer nixpkgs-stable "aarch64-linux" "cupsnet"; mb1 = mkServer nixpkgs-stable "x86_64-linux" "mb1"; homescreen = mkRaspi nixpkgs-stable "homescreen"; diff --git a/nixos/boxes/bolty/bolty-boot.nix b/nixos/boxes/bolty/bolty-boot.nix index 7fb161a1..2d894b76 100644 --- a/nixos/boxes/bolty/bolty-boot.nix +++ b/nixos/boxes/bolty/bolty-boot.nix @@ -15,10 +15,13 @@ zfs.forceImportRoot = false; }; - services.btrfs.autoScrub.enable = true; - services.zfs.autoScrub.enable = true; - services.zfs.trim.enable = true; - + services = { + btrfs.autoScrub.enable = true; + zfs = { + autoScrub.enable = true; + trim.enable = true; + }; + }; boot.kernelParams = ["zfs.zfs_arc_max=17179869184"]; boot.zfs.extraPools = ["data"]; diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix index 65eff201..3c46eff0 100644 --- a/nixos/boxes/bolty/default.nix +++ b/nixos/boxes/bolty/default.nix @@ -7,13 +7,11 @@ ../cli.nix ../send-logs.nix ./bolty-boot.nix - ./gitea-runner.nix ./grafana.nix ./home-assistant.nix ./home-security.nix ./influxdb.nix ./logs.nix - ./mastodon.nix ./nas.nix ./networking.nix ./nix-store-server.nix 
diff --git a/nixos/boxes/bolty/home-assistant.nix b/nixos/boxes/bolty/home-assistant.nix index cd5263d0..e6e27cdf 100644 --- a/nixos/boxes/bolty/home-assistant.nix +++ b/nixos/boxes/bolty/home-assistant.nix 
@@ -14,49 +14,52 @@ in { imports = [../nginx.nix ./virtualisation.nix]; networking.firewall.allowedTCPPorts = [port 1883 8089]; - services.mosquitto = { - enable = true; - package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto; - dataDir = "/data/mosquitto"; - listeners = [ - { - port = 1883; - omitPasswordAuth = true; - users = {}; - settings = { - allow_anonymous = true; + + services = { + mosquitto = { + enable = true; + package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto; + dataDir = "/data/mosquitto"; + listeners = [ + { + port = 1883; + omitPasswordAuth = true; + users = {}; + settings = { + allow_anonymous = true; + }; + acl = ["topic readwrite #"]; + } + ]; + }; + zigbee2mqtt = { + enable = true; + package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt; + settings = { + homeassistant = true; + permit_join = true; + availability.active.timeout = 10; + availability.passive.timeout = 90; + frontend.port = 8089; + mqtt.server = "mqtt://10.0.0.8:1883"; + serial = { + port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0"; + baudrate = 115200; }; - acl = ["topic readwrite #"]; - } - ]; - }; - services.zigbee2mqtt = { - enable = true; - package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt; - settings = { - homeassistant = true; - permit_join = true; - availability.active.timeout = 10; - availability.passive.timeout = 90; - frontend.port = 8089; - mqtt.server = "mqtt://10.0.0.8:1883"; - serial = { - port = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0"; - baudrate = 115200; }; }; - }; - services.nginx = { - virtualHosts = { - "bolty.raptor-carp.ts.net" = { - forceSSL = true; - enableACME = false; - locations."/" = { - proxyPass = "http://10.0.0.244:8123"; - proxyWebsockets = true; + nginx = { + virtualHosts = { + "bolty.raptor-carp.ts.net" = { + forceSSL = true; + enableACME = false; + locations."/" = { + proxyPass = "http://10.0.0.244:8123"; + proxyWebsockets = true; + }; + 
sslCertificateKey = keyPath; + sslCertificate = certPath; }; - sslCertificateKey = keyPath; - sslCertificate = certPath; }; }; }; diff --git a/nixos/boxes/bolty/networking.nix b/nixos/boxes/bolty/networking.nix index 20f1ba7b..2c2fdff8 100644 --- a/nixos/boxes/bolty/networking.nix +++ b/nixos/boxes/bolty/networking.nix @@ -6,23 +6,25 @@ ... }: { networking.hostName = "bolty"; - systemd.network.enable = true; networking.networkmanager.enable = false; - systemd.network.netdevs."br0".netdevConfig = { - Name = "br0"; - Kind = "bridge"; - }; - systemd.network.networks."br0" = { - name = "br0"; - address = ["10.0.0.8/24"]; - gateway = ["10.0.0.1"]; - DHCP = "no"; - dns = ["100.100.100.100" "9.9.9.9"]; - }; - systemd.network.networks."eth" = { - name = "enp4s0"; - networkConfig.Bridge = "br0"; - DHCP = "no"; + systemd.network = { + enable = true; + netdevs."br0".netdevConfig = { + Name = "br0"; + Kind = "bridge"; + }; + networks."br0" = { + name = "br0"; + address = ["10.0.0.8/24"]; + gateway = ["10.0.0.1"]; + DHCP = "no"; + dns = ["100.100.100.100" "9.9.9.9"]; + }; + networks."eth" = { + name = "enp4s0"; + networkConfig.Bridge = "br0"; + DHCP = "no"; + }; }; } diff --git a/nixos/boxes/bolty/print-server.nix b/nixos/boxes/bolty/print-server.nix index c87022ab..cf07ff49 100644 --- a/nixos/boxes/bolty/print-server.nix +++ b/nixos/boxes/bolty/print-server.nix 
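Review bot: `permit_join = true;` in the moved zigbee2mqtt settings leaves the coordinator permanently open to new device joins, so any Zigbee device in range can pair at any time; set it to `permit_join = false;` once the devices are enrolled and open joining temporarily from the frontend when needed. On the mosquitto side, `allow_anonymous = true` together with `acl = ["topic readwrite #"]` grants unauthenticated read/write on every topic, and `networking.firewall.allowedTCPPorts` at the top of the hunk opens 1883 on every interface, so consider pinning the listener to the bridge address with `address = "10.0.0.8";` or requiring users if the broker is only meant for the local network. Both settings pre-date this commit; the restructure only re-nests them.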
@@ -4,20 +4,36 @@ lib, ... }: { - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [631 6566]; - networking.firewall.allowedUDPPorts = [631 6566]; - services.printing = { + networking.firewall = { enable = true; - drivers = with pkgs; [epson-escpr]; - listenAddresses = ["*:631"]; - defaultShared = true; - browsing = true; - allowFrom = ["all"]; - extraConf = '' - ServerAlias * - DefaultEncryption Never - ''; + allowedTCPPorts = [631 6566]; + allowedUDPPorts = [631 6566]; + }; + services = { + printing = { + enable = true; + drivers = with pkgs; [epson-escpr]; + listenAddresses = ["*:631"]; + defaultShared = true; + browsing = true; + allowFrom = ["all"]; + extraConf = '' + ServerAlias * + DefaultEncryption Never + ''; + }; + udev.packages = []; + + saned = { + enable = true; + extraConfig = '' + 100.69.222.80 + 10.0.24.0/24 + 10.0.0.1/24 + foureighty + hagath + ''; + }; }; hardware.printers.ensurePrinters = [ @@ -37,17 +53,5 @@ snapshot = true; }; - services.udev.packages = []; - environment.systemPackages = with pkgs; [gawk]; - services.saned = { - enable = true; - extraConfig = '' - 100.69.222.80 - 10.0.24.0/24 - 10.0.0.1/24 - foureighty - hagath - ''; - }; } diff --git a/nixos/boxes/bolty/real-hardware.nix b/nixos/boxes/bolty/real-hardware.nix index dc4ded6e..b7eb68ab 100644 --- a/nixos/boxes/bolty/real-hardware.nix +++ b/nixos/boxes/bolty/real-hardware.nix @@ -4,11 +4,13 @@ lib, ... }: { - hardware.enableRedistributableFirmware = true; - services.smartd.enable = true; - services.fstrim.enable = true; environment.systemPackages = with pkgs; [smartmontools]; - services.fwupd.enable = true; - services.thermald.enable = true; - services.haveged.enable = true; + hardware.enableRedistributableFirmware = true; + services = { + smartd.enable = true; + fstrim.enable = true; + fwupd.enable = true; + thermald.enable = true; + haveged.enable = true; + }; } 
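Review bot: `environment.systemPackages = with pkgs; [gawk];` is deleted in the second print-server hunk but, unlike `udev.packages` and `saned`, is not re-added under the new `services` block in the first hunk, so gawk silently leaves this host's system packages; if that is unintended, restore `environment.systemPackages = with pkgs; [gawk];` next to `hardware.printers.ensurePrinters`. Separately, the printing block keeps `allowFrom = ["all"];` with `DefaultEncryption Never` while `networking.firewall` opens 631/6566 on every interface, so CUPS accepts unauthenticated plaintext administration from any network the host is attached to; the saned `extraConfig` already enumerates the trusted ranges, and mirroring them in `allowFrom` (or scoping the ports via `networking.firewall.interfaces.<name>.allowedTCPPorts`) would narrow that. The enclosing module continues past both hunks.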
diff --git a/nixos/boxes/bolty/tailscale-cert.nix b/nixos/boxes/bolty/tailscale-cert.nix index 4fbc6a17..793ac4bd 100644 --- a/nixos/boxes/bolty/tailscale-cert.nix +++ b/nixos/boxes/bolty/tailscale-cert.nix 
@@ -12,43 +12,44 @@ in { imports = []; - systemd.services.tailscale-cert-make-path = { - script = '' - mkdir -p ${basePath} - ''; - serviceConfig = {Type = "oneshot";}; - before = ["tailscale-cert.service"]; - wantedBy = ["multi-user.target"]; - }; - - systemd.services.tailscale-cert = { - after = ["network.target" "network-online.target" "tailscaled.service"]; - wants = ["tailscaled.service"]; - wantedBy = ["multi-user.target"]; - - path = with pkgs; [tailscale]; - - serviceConfig = { - Type = "oneshot"; - UMask = 22; - StateDirectoryMode = 750; - ProtectSystem = "strict"; - ReadWritePaths = ["${basePath}"]; - PrivateTmp = true; - WorkingDirectory = "${basePath}"; - NoNewPrivileges = true; - PrivateDevices = true; - ProtectClock = true; - ProtectHome = true; - ProtectHostname = true; - StateDirectory = ["${basePath}"]; + systemd.services = { + tailscale-cert-make-path = { + script = '' + mkdir -p ${basePath} + ''; + serviceConfig = {Type = "oneshot";}; + before = ["tailscale-cert.service"]; + wantedBy = ["multi-user.target"]; }; - script = '' - tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn} - ''; - }; + tailscale-cert = { + after = ["network.target" "network-online.target" "tailscaled.service"]; + wants = ["tailscaled.service"]; + wantedBy = ["multi-user.target"]; + path = with pkgs; [tailscale]; + + serviceConfig = { + Type = "oneshot"; + UMask = 22; + StateDirectoryMode = 750; + ProtectSystem = "strict"; + ReadWritePaths = ["${basePath}"]; + PrivateTmp = true; + WorkingDirectory = "${basePath}"; + NoNewPrivileges = true; + PrivateDevices = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + StateDirectory = ["${basePath}"]; + }; + + script = '' + tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn} + ''; + }; + }; systemd.timers.tailscale-renew = { wantedBy = ["timers.target"]; description = "Renew tailscale server cert"; 
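Review bot: `after = ["network.target" "network-online.target" "tailscaled.service"];` on tailscale-cert only orders the unit; without a matching `wants` the target is never pulled in, so at boot the oneshot can run before the network is up and `tailscale cert` fails until the timer fires again — change to `wants = ["tailscaled.service" "network-online.target"];`. Also, `StateDirectory = ["${basePath}"]` receives the same value as `ReadWritePaths` and `WorkingDirectory`, which are absolute paths; systemd's StateDirectory= expects names relative to /var/lib, so if basePath is absolute (the `mkdir -p ${basePath}` helper suggests it is) this line is likely rejected at unit load and should be dropped or given the relative name. `UMask = 22` and `StateDirectoryMode = 750` are integers rendered as `22`/`750`; systemd parses both fields as octal so they work, but quoting them as `"0022"`/`"0750"` makes the intent explicit.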
diff --git a/nixos/boxes/cupsnet/boot.nix b/nixos/boxes/cupsnet/boot.nix index c8049267..f5f754f8 100644 --- a/nixos/boxes/cupsnet/boot.nix +++ b/nixos/boxes/cupsnet/boot.nix @@ -5,12 +5,14 @@ lib, ... }: { - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"]; + boot = { + kernelPackages = pkgs.linuxPackages_latest; + initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"]; - boot.loader.grub = { - devices = ["/dev/vda"]; - efiSupport = true; - efiInstallAsRemovable = true; + loader.grub = { + devices = ["/dev/vda"]; + efiSupport = true; + efiInstallAsRemovable = true; + }; }; } diff --git a/nixos/boxes/form3/default.nix b/nixos/boxes/form3/default.nix index 1eea23b4..6bd26cfd 100644 --- a/nixos/boxes/form3/default.nix +++ b/nixos/boxes/form3/default.nix @@ -51,16 +51,18 @@ in { home-manager.users.cyryl = {...}: { imports = []; home.packages = with pkgs; [awscli kubectl cargo-update]; - programs.git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech"; - programs.git.extraConfig = { - user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED"; - commit.gpgsign = true; - "url \"git@github.com:\"".insteadOf = "https://github.com/"; + programs = { + git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech"; + git.extraConfig = { + user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED"; + commit.gpgsign = true; + "url \"git@github.com:\"".insteadOf = "https://github.com/"; + }; + gpg.enable = true; + gpg.homedir = "/Users/cyryl/.gnupg"; + zsh.loginExtra = '' + eval "$(/opt/homebrew/bin/brew shellenv)" + ''; }; - programs.gpg.enable = true; - programs.gpg.homedir = "/Users/cyryl/.gnupg"; - programs.zsh.loginExtra = '' - eval "$(/opt/homebrew/bin/brew shellenv)" - ''; }; } diff --git a/nixos/boxes/foryog/default.nix b/nixos/boxes/foryog/default.nix index 2f2c38e3..0687f7e3 100644 --- a/nixos/boxes/foryog/default.nix 
+++ b/nixos/boxes/foryog/default.nix @@ -26,12 +26,15 @@ services.restic.backups.home-to-b2 = { repository = lib.mkForce "b2:cyplo-restic-foureighty:/"; }; - boot.kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"]; - boot.tmp.cleanOnBoot = true; - boot.binfmt.emulatedSystems = ["aarch64-linux"]; - boot.plymouth = { - enable = true; - logo = ./boot.png; + + boot = { + kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"]; + tmp.cleanOnBoot = true; + binfmt.emulatedSystems = ["aarch64-linux"]; + plymouth = { + enable = true; + logo = ./boot.png; + }; }; zramSwap = { @@ -42,13 +45,15 @@ time.timeZone = "Europe/London"; - hardware.trackpoint.enable = true; - hardware.keyboard.qmk.enable = true; + hardware = { + trackpoint.enable = true; + keyboard.qmk.enable = true; + opengl.extraPackages = with pkgs; [libva]; + }; + services.udev.packages = [pkgs.qmk-udev-rules]; programs.ccache.enable = true; - hardware.opengl.extraPackages = with pkgs; [libva]; programs.steam.enable = true; - nixpkgs.config.allowUnfree = true; home-manager.users.cyryl = {...}: { imports = [ diff --git a/nixos/boxes/foureighty/default.nix b/nixos/boxes/foureighty/default.nix index f265a9f1..b59c2045 100644 --- a/nixos/boxes/foureighty/default.nix +++ b/nixos/boxes/foureighty/default.nix 
@@ -45,25 +45,28 @@ device = "0000:00:02.0"; }; hardware.trackpoint.enable = true; - services.hardware.bolt.enable = true; + services = { + hardware.bolt.enable = true; - services.xserver = { - libinput = { - enable = true; - touchpad = { - tapping = true; - naturalScrolling = false; - middleEmulation = false; - disableWhileTyping = true; - buttonMapping = "1 0 3 4 5 6 7 8 9 10"; - }; - mouse = { - middleEmulation = false; - buttonMapping = "1 0 3 4 5 6 7 8 9 10"; + xserver = { + libinput = { + enable = true; + touchpad = { + tapping = true; + naturalScrolling = false; + middleEmulation = false; + disableWhileTyping = true; + buttonMapping = "1 0 3 4 5 6 7 8 9 10"; + }; + mouse = { + middleEmulation = false; + buttonMapping = "1 0 3 4 5 6 7 8 9 10"; + }; }; }; + fprintd = {enable = true;}; }; - services.fprintd = {enable = true;}; + programs.ccache.enable = true; hardware.opengl.extraPackages = with pkgs; [libva]; programs.steam.enable = true; diff --git a/nixos/boxes/foureighty/hardware-configuration.nix b/nixos/boxes/foureighty/hardware-configuration.nix index a3986d72..add0d8cd 100644 --- a/nixos/boxes/foureighty/hardware-configuration.nix +++ b/nixos/boxes/foureighty/hardware-configuration.nix @@ -13,9 +13,11 @@ availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"]; }; - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - loader.efi.efiSysMountPoint = "/boot/efi"; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + efi.efiSysMountPoint = "/boot/efi"; + }; }; boot.initrd.secrets = {"/crypto_keyfile.bin" = null;}; diff --git a/nixos/boxes/homescreen/default.nix b/nixos/boxes/homescreen/default.nix index 6b0b612a..c062e87c 100644 --- a/nixos/boxes/homescreen/default.nix +++ b/nixos/boxes/homescreen/default.nix 
@@ -11,40 +11,43 @@ hostName = "homescreen"; networkmanager = {enable = true;}; }; - hardware.enableRedistributableFirmware = true; environment.systemPackages = with pkgs; [neovim htop btop atop]; - services.fail2ban.enable = true; + hardware = { + raspberry-pi."4".fkms-3d.enable = true; - services.openssh = { - enable = true; - permitRootLogin = "prohibit-password"; - passwordAuthentication = false; + enableRedistributableFirmware = true; + deviceTree.filter = lib.mkForce "*rpi-*.dtb"; }; + services = { + fail2ban.enable = true; - hardware.raspberry-pi."4".fkms-3d.enable = true; - - hardware.deviceTree.filter = lib.mkForce "*rpi-*.dtb"; - - services.xserver = { - enable = true; - displayManager = { - lightdm.enable = true; - autoLogin.enable = true; - autoLogin.user = "kiosk"; + openssh = { + enable = true; + permitRootLogin = "prohibit-password"; + passwordAuthentication = false; + }; + xserver = { + enable = true; + displayManager = { + lightdm.enable = true; + autoLogin.enable = true; + autoLogin.user = "kiosk"; + }; + desktopManager.gnome.enable = true; + libinput.enable = true; }; - desktopManager.gnome.enable = true; - libinput.enable = true; }; users = { mutableUsers = false; users.kiosk = {isNormalUser = true;}; + extraUsers.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty" + ]; }; - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty" - ]; + fileSystems = { "/" = { device = "/dev/disk/by-label/NIXOS_SD"; @@ -57,6 +60,7 @@ options = ["nofail" "noauto"]; }; }; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; security.allowUserNamespaces = true; diff --git a/nixos/boxes/skinnyv/default.nix b/nixos/boxes/skinnyv/default.nix index 206ae996..d233bfda 100644 --- a/nixos/boxes/skinnyv/default.nix +++ b/nixos/boxes/skinnyv/default.nix 
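Review bot: `permitRootLogin` and `passwordAuthentication` in the re-nested `openssh` block are the pre-23.05 option names; on current nixpkgs they are deprecated aliases for `services.openssh.settings.PermitRootLogin` and `services.openssh.settings.PasswordAuthentication` that emit evaluation warnings and will stop working once the aliases are removed. Since this hunk already rewrites the block, switching to `settings = { PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; };` costs nothing. Which nixpkgs-stable release this Raspberry Pi host is pinned to is not visible here, so confirm against the flake inputs before changing it.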
@@ -19,11 +19,14 @@ ../../zsh ]; - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - time.timeZone = "Europe/London"; - + boot = { + kernelPackages = pkgs.linuxPackages_latest; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + time.timeZone = "Europe/London"; + }; services.thermald.enable = true; home-manager.users.cyryl = {...}: { imports = [../../home-manager/programs/kitty.nix]; diff --git a/nixos/common-hardware.nix b/nixos/common-hardware.nix index 4c8ff096..1694ccc8 100644 --- a/nixos/common-hardware.nix +++ b/nixos/common-hardware.nix 
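Review bot: `time.timeZone = "Europe/London";` has been moved inside the new `boot = { ... };` attribute set, so it now defines `boot.time.timeZone`, which is not a NixOS option — evaluating the skinnyv configuration will fail with an undefined-option error, and the host would lose its time zone setting if it did not. Move the line after the closing `};` of the boot block so it stays `time.timeZone = "Europe/London";` at the module's top level.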
@@ -1,110 +1,113 @@ -{ config, pkgs, nixpkgs-nixos-unstable-and-unfree, lib, ... }: { - boot.kernelModules = [ "fuse" ]; - services.smartd.enable = true; +{ + config, + pkgs, + nixpkgs-nixos-unstable-and-unfree, + lib, + ... +}: { + boot.kernelModules = ["fuse"]; sound.enable = true; networking.networkmanager = { enable = true; - dispatcherScripts = [{ - source = pkgs.writeText "upHook" '' - enable_disable_wifi () - { - result=$(nmcli dev | grep "ethernet" | grep -w "connected") - if [ -n "$result" ]; then - nmcli radio wifi off - else - nmcli radio wifi on + dispatcherScripts = [ + { + source = pkgs.writeText "upHook" '' + enable_disable_wifi () + { + result=$(nmcli dev | grep "ethernet" | grep -w "connected") + if [ -n "$result" ]; then + nmcli radio wifi off + else + nmcli radio wifi on + fi + } + + if [ "$2" = "up" ]; then + enable_disable_wifi fi - } - if [ "$2" = "up" ]; then - enable_disable_wifi - fi - - if [ "$2" = "down" ]; then - enable_disable_wifi - fi - ''; - type = "basic"; - }]; + if [ "$2" = "down" ]; then + enable_disable_wifi + fi + ''; + type = "basic"; + } + ]; }; - hardware.enableRedistributableFirmware = true; - hardware.cpu.intel.updateMicrocode = true; - - hardware.bluetooth = { - enable = true; - package = pkgs.bluez; - settings = { General = { Enable = "Source,Sink,Media,Socket"; }; }; - }; - - hardware.pulseaudio.enable = false; security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - extraConfig.pipewire."92-low-latency" = { - context.properties = { - default.clock.rate = 48000; - default.clock.quantum = 32; - default.clock.min-quantum = 32; - default.clock.max-quantum = 32; - }; + + services = { + smartd.enable = true; + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + printing = { + enable = true; + drivers = with pkgs; [ + epson-escpr + 
nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver + gutenprint + ]; + extraConf = '' + Option pdftops-renderer hybrid + ''; + }; + + udev.packages = []; + }; + + environment.systemPackages = with pkgs; [ghostscript poppler]; + + hardware = { + enableRedistributableFirmware = true; + cpu.intel.updateMicrocode = true; + + bluetooth = { + enable = true; + package = pkgs.bluez; + settings = {General = {Enable = "Source,Sink,Media,Socket";};}; + }; + + pulseaudio.enable = false; + printers.ensurePrinters = [ + { + description = "Epson XP-540 via bolty"; + name = "epson_xp540_via_bolty"; + deviceUri = "ipp://bolty:631/printers/epson_xp540"; + model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd"; + ppdOptions = { + PageSize = "A4"; + Duplex = "DuplexNoTumble"; + }; + } + { + description = "Samsung SCX-4623 Series"; + name = "samsung-SCX-4623"; + deviceUri = "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1"; + model = "samsung/SCX-4623FW.ppd"; + ppdOptions = { + PageSize = "A4"; + Duplex = "DuplexNoTumble"; + }; + } + ]; + + sane = { + enable = true; + snapshot = true; + extraBackends = with pkgs; [ + nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver + sane-airscan + gawk + ]; }; }; - - environment.systemPackages = with pkgs; [ ghostscript poppler ]; - services.printing = { - enable = true; - drivers = with pkgs; [ - epson-escpr - nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver - gutenprint - ]; - extraConf = '' - Option pdftops-renderer hybrid - ''; - }; - - hardware.printers.ensurePrinters = [ - { - description = "Epson XP-540 via bolty"; - name = "epson_xp540_via_bolty"; - deviceUri = "ipp://bolty:631/printers/epson_xp540"; - model = - "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd"; - ppdOptions = { - PageSize = "A4"; - Duplex = "DuplexNoTumble"; - }; - } - { - description = "Samsung SCX-4623 Series"; - name = "samsung-SCX-4623"; - deviceUri = - 
"usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1"; - model = "samsung/SCX-4623FW.ppd"; - ppdOptions = { - PageSize = "A4"; - Duplex = "DuplexNoTumble"; - }; - } - ]; - - services.udev.packages = [ ]; - hardware.sane = { - enable = true; - snapshot = true; - extraBackends = with pkgs; [ - nixpkgs-nixos-unstable-and-unfree.samsung-unified-linux-driver - sane-airscan - gawk - ]; - }; - powerManagement = { enable = lib.mkForce true; resumeCommands = '' diff --git a/nixos/common.nix b/nixos/common.nix index 99b16c00..b1e1b1ae 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -20,6 +20,7 @@ in { boot.supportedFilesystems = ["ntfs"]; environment.enableDebugInfo = true; + nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ ccache curl diff --git a/nixos/distributed-builds.nix b/nixos/distributed-builds.nix index ed0aa7f1..f16a2d00 100644 --- a/nixos/distributed-builds.nix +++ b/nixos/distributed-builds.nix 
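Review bot: the `services.pipewire` block loses `extraConfig.pipewire."92-low-latency"` (the 48000 clock rate and quantum 32 settings) on the new side and nothing in the diff re-adds it, so this commit changes audio behaviour on every host importing common-hardware.nix, beyond the attribute-set regrouping. If the drop is deliberate it deserves a mention in the commit message; otherwise restore the `extraConfig` block under the new `pipewire = { ... };`. The remaining moves in this hunk (smartd, printing, printers, sane, bluetooth) look like a faithful regrouping as far as the visible lines show.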
@@ -3,23 +3,25 @@ pkgs, ... }: { - nix.buildMachines = [ - { - hostName = "bolty"; - sshUser = "nix-builder"; - sshKey = "/home/cyryl/.ssh/id_ed25519"; - systems = ["i686-linux" "x86_64-linux" "aarch64-linux"]; - maxJobs = 2; - speedFactor = 1; - supportedFeatures = ["kvm" "big-parallel"]; - mandatoryFeatures = []; - } - ]; + nix = { + buildMachines = [ + { + hostName = "bolty"; + sshUser = "nix-builder"; + sshKey = "/home/cyryl/.ssh/id_ed25519"; + systems = ["i686-linux" "x86_64-linux" "aarch64-linux"]; + maxJobs = 2; + speedFactor = 1; + supportedFeatures = ["kvm" "big-parallel"]; + mandatoryFeatures = []; + } + ]; - nix.extraOptions = '' - builders-use-substitutes = true - ''; - nix.distributedBuilds = true; - nix.settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"]; - nix.settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="]; + extraOptions = '' + builders-use-substitutes = true + ''; + distributedBuilds = true; + settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"]; + settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="]; + }; } diff --git a/nixos/git/home.nix b/nixos/git/home.nix index 08d47e7e..fa7e5c36 100644 --- a/nixos/git/home.nix +++ b/nixos/git/home.nix @@ -20,9 +20,11 @@ colour.ui = true; core.fsmonitor = true; credential = {helper = "cache";}; - diff.algorithm = "histogram"; - diff.renameLimit = 2048; - diff.renames = "copy"; + diff = { + algorithm = "histogram"; + renameLimit = 2048; + renames = "copy"; + }; help.autocorrect = 1; init.defaultBranch = "main"; merge.renamelimit = 8192; diff --git a/nixos/gui/default.nix b/nixos/gui/default.nix index 165b3f49..0de36648 100644 --- a/nixos/gui/default.nix +++ b/nixos/gui/default.nix 
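Review bot: `sshKey = "/home/cyryl/.ssh/id_ed25519";` points the nix daemon, which runs as root, at a personal user key for remote builds; combined with `nix-builder` being listed in `settings.trusted-users` on the server side (the nixos/server-security.nix hunk in this diff), whoever holds that key is effectively root on bolty, so a dedicated builder key kept under `/root/.ssh/` or `/etc/nix/` with its own authorized_keys entry would separate the two roles. The `ssh://nix-ssh@bolty.raptor-carp.ts.net` substituter relies on the same trust path and would benefit from the same split. Both lines pre-date this commit; the hunk only re-nests them.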
@@ -22,9 +22,11 @@ imports = []; - programs.chromium.enable = true; - programs.firefox.enable = true; - programs.sioyek.enable = true; + programs = { + chromium.enable = true; + firefox.enable = true; + sioyek.enable = true; + }; home.packages = (with pkgs; with pkgs.gnome3; diff --git a/nixos/gui/vscode/home.nix b/nixos/gui/vscode/home.nix index f5fca804..5f69b1a6 100644 --- a/nixos/gui/vscode/home.nix +++ b/nixos/gui/vscode/home.nix @@ -7,9 +7,11 @@ programs.vscode = { enable = true; userSettings = { - editor.fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace"; - editor.formatOnType = true; - editor.fontSize = 16; + editr = { + fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace"; + formatOnType = true; + fontSize = 16; + }; files.autoSave = "onFocusChange"; rust-analyzer.checkOnSave.command = "clippy"; platformio-ide = { diff --git a/nixos/home-manager/default.nix b/nixos/home-manager/default.nix index adc6bc93..aca07f0d 100644 --- a/nixos/home-manager/default.nix +++ b/nixos/home-manager/default.nix @@ -7,19 +7,20 @@ }: let username = "cyryl"; in { - home.sessionVariables = { - LC_ALL = "en_GB.UTF-8"; - LANG = "en_GB.UTF-8"; - PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + home = { + inherit username; + sessionVariables = { + LC_ALL = "en_GB.UTF-8"; + LANG = "en_GB.UTF-8"; + PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + }; + + packages = with pkgs; []; + + homeDirectory = lib.mkDefault "/home/${username}"; + stateVersion = "23.11"; }; - news.display = "show"; - - home.packages = with pkgs; []; - - home.username = username; - home.homeDirectory = lib.mkDefault "/home/${username}"; - home.stateVersion = "23.11"; programs.home-manager.enable = true; imports = [ diff --git a/nixos/home-manager/links.nix b/nixos/home-manager/links.nix index 5e305358..64f717b5 100644 --- a/nixos/home-manager/links.nix +++ b/nixos/home-manager/links.nix 
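Review bot: `editr = {` in the vscode userSettings is a typo for `editor`; the three options that used to be `editor.fontFamily`, `editor.formatOnType` and `editor.fontSize` will now be written to settings.json as `editr.fontFamily` etc., which VS Code ignores, so the font and format-on-type configuration silently stops applying. Rename the key to `editor = {`.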
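Review bot: `news.display = "show";` is removed from nixos/home-manager/default.nix and not re-added under the new `home = { ... };` block or anywhere else in the diff, so home-manager falls back to its default news behaviour; this is a functional change hidden in a restructuring commit. Either restore `news.display = "show";` next to `programs.home-manager.enable = true;` or mention the removal in the commit message.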
@@ -3,18 +3,20 @@ pkgs, ... }: { - home.file.".config/nixpkgs/config.nix".source = ../shell-config.nix; - home.file.".gdbinit".text = '' - set auto-load python-scripts on - add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit - set auto-load safe-path / - source /home/cyryl/dev/dotfiles/.gdbinit - ''; - home.file.".gdbinit.d/dashboard".text = '' - dashboard -layout breakpoints source expressions stack threads variables - dashboard variables -style compact 0 - dashboard source -style height 24 - dashboard stack -style compact 1 - dashboard stack -style limit 3 - ''; + home.file = { + ".config/nixpkgs/config.nix".source = ../shell-config.nix; + ".gdbinit".text = '' + set auto-load python-scripts on + add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit + set auto-load safe-path / + source /home/cyryl/dev/dotfiles/.gdbinit + ''; + ".gdbinit.d/dashboard".text = '' + dashboard -layout breakpoints source expressions stack threads variables + dashboard variables -style compact 0 + dashboard source -style height 24 + dashboard stack -style compact 1 + dashboard stack -style limit 3 + ''; + }; } diff --git a/nixos/i3/default.nix b/nixos/i3/default.nix index 33ac2414..b2b6ca53 100644 --- a/nixos/i3/default.nix +++ b/nixos/i3/default.nix @@ -44,10 +44,13 @@ fractalart.enable = true; colord.enable = true; - xserver.windowManager.i3.enable = true; - xserver.displayManager.sddm = { + xserver = { enable = true; - enableHidpi = true; + windowManager.i3.enable = true; + displayManager.sddm = { + enable = true; + enableHidpi = true; + }; }; }; home-manager.users.cyryl = {...}: { diff --git a/nixos/security.nix b/nixos/security.nix index a4540ee8..a18d235b 100644 --- a/nixos/security.nix +++ b/nixos/security.nix 
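Review bot: in the i3 hunk the regrouped `xserver = { enable = true; ... }` block promotes the context line `enable = true;`, which previously sat inside `displayManager.sddm`, to `services.xserver.enable`, and adds a fresh `enable = true;` for sddm — so the new side sets `services.xserver.enable = true` where the old side did not. This is likely harmless, but it is an option change hidden in a pure-formatting commit and worth a line in the description. The enclosing `services = { ... }` block starts before this hunk.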
@@ -9,83 +9,89 @@ nix.settings.allowed-users = ["@users"]; - security.apparmor.enable = true; - security.apparmor.killUnconfinedConfinables = true; - security.forcePageTableIsolation = true; - security.lockKernelModules = false; - security.protectKernelImage = true; - security.virtualisation.flushL1DataCache = "always"; + security = { + apparmor.enable = true; + apparmor.killUnconfinedConfinables = true; + forcePageTableIsolation = true; + lockKernelModules = false; + protectKernelImage = true; + virtualisation.flushL1DataCache = "always"; + }; sops.age = { keyFile = "/var/lib/sops-nix/key.txt"; generateKey = true; }; - boot.kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"]; + boot = { + kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"]; - boot.blacklistedKernelModules = [ - # Obscure network protocols - "ax25" - "netrom" - "rose" + blacklistedKernelModules = [ + # Obscure network protocols + "ax25" + "netrom" + "rose" - # Old or rare or insufficiently audited filesystems - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" - ]; + # Old or rare or insufficiently audited filesystems + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" + ]; - # Restrict ptrace() usage to processes with a pre-defined relationship - # (e.g., parent/child) - boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1; + kernel.sysctl = { + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + "kernel.yama.ptrace_scope" = lib.mkOverride 500 1; - # Hide kptrs even for processes with CAP_SYSLOG - boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; + # Hide kptrs even for processes with CAP_SYSLOG + 
"kernel.kptr_restrict" = lib.mkOverride 500 2; - # Disable bpf() JIT (to eliminate spray attacks) - boot.kernel.sysctl."net.core.bpf_jit_enable" = false; + # Disable bpf() JIT (to eliminate spray attacks) + "net.core.bpf_jit_enable" = false; - # Disable ftrace debugging - boot.kernel.sysctl."kernel.ftrace_enabled" = false; + # Disable ftrace debugging + "kernel.ftrace_enabled" = false; - # Enable strict reverse path filtering (that is, do not attempt to route - # packets that "obviously" do not belong to the iface's network; dropped - # packets are logged as martians). - boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1"; - boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1"; + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). 
+ "net.ipv4.conf.all.log_martians" = true; + "net.ipv4.conf.all.rp_filter" = "1"; + "net.ipv4.conf.default.log_martians" = true; + "net.ipv4.conf.default.rp_filter" = "1"; - # Ignore broadcast ICMP (mitigate SMURF) - boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true; + # Ignore broadcast ICMP (mitigate SMURF) + "net.ipv4.icmp_echo_ignore_broadcasts" = true; - # Ignore incoming ICMP redirects (note: default is needed to ensure that the - # setting is applied to interfaces added after the sysctls are set) - boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false; + # Ignore incoming ICMP redirects (note: default is needed to ensure that the + # setting is applied to interfaces added after the sysctls are set) + "net.ipv4.conf.all.accept_redirects" = false; + "net.ipv4.conf.all.secure_redirects" = false; + "net.ipv4.conf.default.accept_redirects" = false; + "net.ipv4.conf.default.secure_redirects" = false; + "net.ipv6.conf.all.accept_redirects" = false; + "net.ipv6.conf.default.accept_redirects" = false; - # Ignore outgoing ICMP redirects (this is ipv4 only) - boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false; - boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false; + # Ignore outgoing ICMP redirects (this is ipv4 only) + "net.ipv4.conf.all.send_redirects" = false; + "net.ipv4.conf.default.send_redirects" = false; + }; + }; } diff --git a/nixos/server-security.nix b/nixos/server-security.nix index e8252e1a..5bb4e848 100644 --- a/nixos/server-security.nix +++ b/nixos/server-security.nix 
@@ -30,7 +30,9 @@ in { openssh.authorizedKeys.keys = authorizedKeys; }; - nix.settings.trusted-users = ["root" "nix-builder"]; - nix.sshServe.enable = true; - nix.sshServe.keys = authorizedKeys; + nix = { + settings.trusted-users = ["root" "nix-builder"]; + sshServe.enable = true; + sshServe.keys = authorizedKeys; + }; } diff --git a/nixos/sway/default.nix b/nixos/sway/default.nix index 33d77946..91a2a901 100644 --- a/nixos/sway/default.nix +++ b/nixos/sway/default.nix @@ -52,10 +52,12 @@ in { gsettings-desktop-schemas lxappearance ]; - file.".config/wofi/style.css".source = ../../.config/wofi/style.css; - file.".config/waybar/config".source = ../../.config/waybar/config; - file.".config/waybar/style.css".source = - ../../.config/waybar/style.css; + file = { + ".config/wofi/style.css".source = ../../.config/wofi/style.css; + ".config/waybar/config".source = ../../.config/waybar/config; + ".config/waybar/style.css".source = + ../../.config/waybar/style.css; + }; }; services.udiskie.enable = true; xsession.preferStatusNotifierItems = true; diff --git a/nixos/vim/home.nix b/nixos/vim/home.nix index c6ce06ab..01d9e179 100644 --- a/nixos/vim/home.nix +++ b/nixos/vim/home.nix @@ -11,12 +11,15 @@ cocPackage = unstablePackages.vimPlugins.coc-nvim; nvimPackage = unstablePackages.neovim-unwrapped; in { - home.file.".vimrc".source = ../../.vimrc; - home.packages = with pkgs; [ripgrep]; - home.sessionVariables = { - EDITOR = "vim"; - VISUAL = "vim"; + home = { + file.".vimrc".source = ../../.vimrc; + packages = with pkgs; [ripgrep]; + sessionVariables = { + EDITOR = "vim"; + VISUAL = "vim"; + }; }; + programs.zsh.sessionVariables = { EDITOR = "vim"; VISUAL = "vim";