


Tudor Roman cb7de30630
abandon flake-utils in favour of flake-parts 2023-12-17 16:02:08 +01:00
92 changed files with 1807 additions and 2909 deletions


@ -1,14 +0,0 @@
name: Flake Check
on:
pull_request:
push:
branches: [master]
jobs:
flake-check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run flake check
run: nix flake check -L --show-trace


@ -1,2 +0,0 @@
# https://stackoverflow.com/a/69118451
323708531114b1c15614e3769fbbf63bd1a8dc1c

.gitignore vendored

@ -1,3 +1,2 @@
result
.direnv
.pre-commit-config.yaml
.direnv


@ -26,11 +26,8 @@ Remote server:
### Any other Linux distro for sane people
The companion distro for this config is [My Build of Fedora Silverblue](https://github.com/tudurom/my-os).
It is made with [BlueBuild](https://blue-build.org). The desktop-oriented configs in this repo
are meant to be used with this Fedora build only.
1. Provision a system with the [ISO](https://github.com/tudurom/my-os/releases/tag/auto-iso).
1. Provision a machine with a "normal" Linux distro (my personal choice is Fedora).
For this, [I prepared Ansible roles and playbooks](./ansible).
2. Install Nix (my installer of choice is [nix-installer][nix-installer]).
3. Clone this repo somewhere on the machine
4. `nix run .#home-manager -- switch --flake .#tudor`

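--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -0,0 +1 @@
+.direnv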

ansible/README.md Normal file

@ -0,0 +1,55 @@
Ansible roles and playbooks
===========================
While I very much love Nix and NixOS, I think NixOS is not suitable
for a developer's day-to-day-use machine.
On my personal machine, which is now just a laptop, I want to be able
to quickly change settings and run random scripts and programs without
first adapting them, whereas on a server and/or a VM
(either a server VM, or just some tiny one for development and testing)
I do prefer having the rigurousness that NixOS provides.
For this reason, I prefer running Nix with Home Manager on top of Fedora
on my laptop. I actually use [Fedora Silverblue][fedora-silverblue], which also gives me
a very nice system base that I can version and roll-back if needed, with the advantage
of looking very much like a "normal" Linux distro. I even have automatic updates
that are applied transparently on next reboot!
[fedora-silverblue]: https://fedoraproject.org/silverblue/
I would, however, like to also manage the underlying OS in a declarative way.
I am using Ansible to achieve this.
Setup
-----
Because I don't want to litter my Silverblue install with Ansible and Python stuff,
I am running it from a container (with either [Toolbx][toolbx] or [Distrobox][distrobox]).
To make that work, I enabled the SSH daemon, added my own SSH key to `authorized_keys`,
and configured the daemon to only allow pubkey authentication.
[toolbx]: https://containertoolbx.org/
[distrobox]: https://distrobox.it/
To prepare the environment:
```sh
distrobox create ansible-box [--image whatever]
distrobox enter ansible-box
```
Running
-------
```sh
distrobox enter ansible-box
ansible-playbook playbooks/a_playbook.yml -K # the -K is short for --ask-become-pass
# or even shorter
distrobox enter ansible-box -- ansible-playbook playbooks/a_playbook.yml -K
```
To lint, run `ansible-lint` (installation left as an exercise to the reader), or:
```sh
nix flake check # this builds EVERYTHING, it will take a while
```

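--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+roles_path = ./roles
+inventory = ./hosts.yml
+pipelining = true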


@ -0,0 +1,4 @@
---
collections:
- name: community.general
version: '>=8.0.0,<9.0.0'
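Review bot: The `community.general` dependency is a range, so `ansible-galaxy collection install -r` resolves whatever 8.x is current when each machine is provisioned, and the modules this commit relies on (`rpm_ostree_pkg`, `flatpak`, `flatpak_remote`) can behave differently on two hosts set up months apart. Pin the release you tested, `version: '8.0.0'` with the version actually installed substituted, and bump it deliberately. If the galaxy server you install from publishes detached signatures, the entry can also carry a `signatures:` list so the download is verified against your keyring rather than trusted on TLS alone.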

ansible/hosts.yml Normal file

@ -0,0 +1,5 @@
---
ungrouped:
hosts:
pepper:
ansible_host: localhost


@ -0,0 +1,13 @@
---
- name: Setup my laptop
hosts: pepper
roles:
- sshd_no_passwords
- auto_updates
- nix_installer
- distrobox
- tailscale
- one_password
- sway_fixes
- flatpaks
- codecs


@ -0,0 +1,6 @@
---
- name: Reload rpm-ostree
become: true
changed_when: true
ansible.builtin.command:
cmd: /usr/bin/rpm-ostree reload


@ -0,0 +1,16 @@
---
- name: Enable rpm-ostree automatic update staging
become: true
ansible.builtin.lineinfile:
path: /etc/rpm-ostreed.conf
regexp: '^#?AutomaticUpdatePolicy='
line: 'AutomaticUpdatePolicy=stage'
register: auto_updates_policy_conf
notify: Reload rpm-ostree
- name: Enable and start rpm-ostreed-automatic timer
become: true
ansible.builtin.systemd_service:
name: rpm-ostreed-automatic.timer
state: started
enabled: true
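Review bot: `register: auto_updates_policy_conf` on the `lineinfile` task is never read in this file, and the handler is already wired through `notify: Reload rpm-ostree`, so the registered variable is dead unless another role consumes it; drop the `register:` line or reference it. A one-line comment on the task would also help the next reader: `# stage: download and prepare the next deployment, apply on reboot`, since the `stage` value is the only reason the timer below is useful.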


@ -0,0 +1,3 @@
---
dependencies:
- role: rpmfusion


@ -0,0 +1,28 @@
---
- name: Get package facts
ansible.builtin.package_facts:
- name: Install hardware codecs
become: true
community.general.rpm_ostree_pkg:
name: intel-media-driver
state: present
- name: Install software codecs
become: true
when: '"ffmpeg" not in ansible_facts.packages'
changed_when: true
ansible.builtin.command: >-
/usr/bin/rpm-ostree override
remove
mesa-va-drivers
libavcodec-free
libavfilter-free
libavformat-free
libavutil-free
libpostproc-free
libswresample-free
libswscale-free
--install ffmpeg
--install mesa-va-drivers-freeworld


@ -0,0 +1,6 @@
---
- name: Install distrobox
become: true
community.general.rpm_ostree_pkg:
name: distrobox
state: present


@ -0,0 +1,46 @@
---
- name: Setup user flathub flatpak repo
community.general.flatpak_remote:
method: user
enabled: true
name: flathub
state: present
flatpakrepo_url: 'https://dl.flathub.org/repo/flathub.flatpakrepo'
- name: Setup user fedora flatpak repo
community.general.flatpak_remote:
method: user
enabled: true
name: fedora
state: present
flatpakrepo_url: 'oci+https://registry.fedoraproject.org'
- name: Install various apps from flathub
community.general.flatpak:
method: user
state: present
remote: flathub
name:
- com.raggesilver.BlackBox
- org.telegram.desktop
- com.discordapp.Discord
- org.videolan.VLC
- io.github.flattool.Warehouse
- com.spotify.Client
- com.google.Chrome # for work...
- org.gnome.Solanum
- org.signal.Signal
- name: Install various apps from fedora flatpak repo
community.general.flatpak:
method: user
state: present
remote: fedora
name:
- com.github.tchx84.Flatseal
- org.gimp.GIMP
- ca.desrt.dconf-editor
- org.mozilla.Thunderbird
- org.gnome.NautilusPreviewer
- org.pulseaudio.pavucontrol
- org.libreoffice.LibreOffice


@ -0,0 +1,19 @@
---
- name: Check if nix is installer
ansible.builtin.stat:
path: /nix
register: nix_installer_nix_stat
- name: Install Nix
when: 'not nix_installer_nix_stat.stat.exists'
block:
- name: Download Nix installer
ansible.builtin.get_url:
url: 'https://install.determinate.systems/nix/nix-installer-{{ ansible_architecture }}-linux'
dest: '/tmp/nix-installer'
mode: '0755'
- name: Run Nix installer
become: true
changed_when: true
ansible.builtin.command:
cmd: '/tmp/nix-installer install --explain --no-confirm'
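Review bot: `Run Nix installer` executes as root a binary that nothing has verified: `Download Nix installer` has no `checksum:`, the URL carries no version so each run fetches whatever is current, and `/tmp/nix-installer` is a fixed name in a world-writable directory written as the unprivileged user and then run with `become: true`. Pin the artifact with `checksum: 'sha256:<EXPECTED_SHA256>'` taken from the installer release you tested, and perform the download itself with `become: true` into a root-owned path (or an `ansible.builtin.tempfile` result) so the file that is executed is the file that was checked. The task name `Check if nix is installer` looks like a typo for `installed`.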


@ -0,0 +1,7 @@
[1password]
name="1Password Stable Channel"
baseurl=https://downloads.1password.com/linux/rpm/stable/$basearch
enabled=1
gpgcheck=1
#repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/1password.asc
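Review bot: `repo_gpgcheck=1` is commented out with no reason given, so repository metadata is accepted as served while only the packages themselves are verified through `gpgcheck=1`. If 1Password signs its repomd, uncomment it; if it was disabled because the upstream metadata is unsigned, record that on the line, `#repo_gpgcheck=1  # upstream repomd is not signed; packages are still verified`, so the next reader knows the check is off on purpose rather than by accident.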


@ -0,0 +1,23 @@
---
- name: Get package facts
ansible.builtin.package_facts:
- name: Download 1password repo key
become: true
ansible.builtin.get_url:
url: 'https://downloads.1password.com/linux/keys/1password.asc'
dest: '/etc/pki/rpm-gpg/1password.asc'
mode: '0644'
- name: Install 1password repo
become: true
ansible.builtin.copy:
src: '1password.repo'
dest: /etc/yum.repos.d/1password.repo
mode: '0644'
- name: Install 1Password
become: true
community.general.rpm_ostree_pkg:
name: '1password'
state: present
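Review bot: `Download 1password repo key` installs, with no `checksum:`, the key that will validate every 1Password package on this machine, so the trust root is whatever the HTTPS endpoint returned at that moment. Add `checksum: 'sha256:<EXPECTED_SHA256>'` to that `get_url`, computed from a copy of the key whose fingerprint you verified out of band, so a changed key fails the play instead of being installed silently; `Add tailscale repo` in the tailscale role has the same shape, since the fetched `.repo` file is what names the `gpgkey`. `Get package facts` at the top of this file is not consumed by any task in it.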


@ -0,0 +1,2 @@
---
one_password_rpm_url: 'https://downloads.1password.com/linux/rpm/stable/x86_64/1password-latest.rpm'
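Review bot: `one_password_rpm_url` is not referenced by the tasks this commit adds to the role, which install `1password` from the repository through `rpm_ostree_pkg`; unless another play reads it, remove the variable rather than keep a direct-download URL with `x86_64` hard-coded that will drift from the repo-based install. If it is kept for a fallback path, a comment saying when it is used would stop it from being mistaken for dead code.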


@ -0,0 +1,31 @@
---
- name: Get package facts
ansible.builtin.package_facts:
- name: Install RPMFusion Repo
when: '"rpmfusion-free-release" not in ansible_facts.packages'
block:
- name: Enable RPMFusion Repo
become: true
community.general.rpm_ostree_pkg:
name:
- 'https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm'
- 'https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm'
state: present
- name: Apply trick to make upgrading RPMFusion easier
block:
- name: Set orig_pkg variable
ansible.builtin.set_fact:
rpmfusion_orig_pkg: '{{ ansible_facts.packages["rpmfusion-free-release"][0] }}'
- name: Do the trick
become: true
changed_when: true
ansible.builtin.command:
cmd: >-
/usr/bin/rpm-ostree update
--uninstall rpmfusion-free-release-{{ rpmfusion_orig_pkg.version }}-{{ rpmfusion_orig_pkg.release }}.noarch
--uninstall rpmfusion-nonfree-release-{{ rpmfusion_orig_pkg.version }}-{{ rpmfusion_orig_pkg.release }}.noarch
--install rpmfusion-free-release
--install rpmfusion-nonfree-release
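Review bot: `Apply trick to make upgrading RPMFusion easier` runs on every play with no `when`, which breaks in both directions: on the first run `ansible_facts.packages` was gathered before `Enable RPMFusion Repo` layered the packages, so `ansible_facts.packages["rpmfusion-free-release"][0]` is undefined and `Set orig_pkg variable` fails, and on later runs the versioned `--uninstall rpmfusion-free-release-<ver>-<rel>.noarch` most likely no longer matches a layered request, because after the trick the packages are requested by bare name. Re-run `ansible.builtin.package_facts:` after the install block and guard the trick with `when: '"rpmfusion-free-release" in ansible_facts.packages'` plus a check that the current layering request is still the versioned form (from `rpm-ostree status`, or a fact you set when the trick ran), so the command is only issued when it has something to do.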


@ -0,0 +1,5 @@
---
- name: Reload SSHD
ansible.builtin.systemd_service:
name: sshd.service
state: reloaded
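Review bot: `Reload SSHD` carries no `become: true`, while the task that notifies it (`Disable SSHD password authentication`) does, and the playbook in this commit sets no play-level `become`, so the reload of `sshd.service` runs as the SSH login user and will almost certainly be refused, leaving the new drop-in unapplied until something else restarts the daemon. Add `become: true` to the handler, matching the `Reload rpm-ostree` handler in the auto_updates role.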


@ -0,0 +1,9 @@
---
- name: Disable SSHD password authentication
become: true
ansible.builtin.copy:
dest: /etc/ssh/sshd_config.d/80-no-passwords.conf
mode: '0600'
content: >
PasswordAuthentication no
notify: Reload SSHD
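Review bot: The drop-in sets only `PasswordAuthentication no`, which does not on its own make the daemon pubkey-only as the README describes: with PAM in play, `KbdInteractiveAuthentication` can still present a password prompt if it is enabled anywhere else in the configuration. Write both directives with a literal block, `content: |` / `PasswordAuthentication no` / `KbdInteractiveAuthentication no` — the current `>` folded scalar would join two lines into one. Bear in mind that sshd keeps the first value it reads and the `sshd_config.d` include is processed in name order, so a lower-numbered drop-in that sets either key wins over `80-`; check the effective result with `sshd -T | grep -i -e passwordauth -e kbdinteractive`.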


@ -0,0 +1,5 @@
[Desktop Entry]
Name=sway
Exec=/home/tudor/.nix-profile/bin/sway
Type=Application
DesktopNames=sway


@ -0,0 +1,24 @@
---
- name: Install packages
become: true
community.general.rpm_ostree_pkg:
name:
- swaylock # for PAM config to be installed
- polkit-gnome
state: present
- name: Install sway Wayland session
block:
- name: Create wayland-sessions dir
become: true
ansible.builtin.file:
path: /usr/local/share/wayland-sessions
state: directory
mode: "0755"
- name: Copy session file
become: true
ansible.builtin.copy:
src: sway.desktop
dest: /usr/local/share/wayland-sessions/sway.desktop
mode: "0444"


@ -0,0 +1,20 @@
---
- name: Add tailscale repo
become: true
ansible.builtin.get_url:
url: 'https://pkgs.tailscale.com/stable/fedora/tailscale.repo'
dest: '/etc/yum.repos.d/tailscale.repo'
mode: '0644'
- name: Install tailscale
become: true
community.general.rpm_ostree_pkg:
name: tailscale
state: present
- name: Start and enable systemd service
become: true
ansible.builtin.systemd_service:
name: tailscaled.service
enabled: true
state: started


@ -3,12 +3,11 @@
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{
src = ./.;
})
.defaultNix
}).defaultNix


flake.nix

@ -1,20 +1,12 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
flake-parts = {
url = "github:hercules-ci/flake-parts";
inputs.nixpkgs-lib.follows = "nixpkgs";
};
haumea = {
url = "github:nix-community/haumea/v0.2.2";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
@ -29,27 +21,22 @@
};
home-manager = {
url = "github:nix-community/home-manager/release-23.11";
url = "github:rycee/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "unstable";
};
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# nix-alien = {
# url = "github:thiagokokada/nix-alien";
# inputs.nixpkgs.follows = "nixpkgs";
# };
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
niri = {
url = "github:sodiboo/niri-flake";
inputs.nixpkgs.follows = "unstable";
};
nixos-wsl = {
url = "github:nix-community/NixOS-WSL";
inputs.nixpkgs.follows = "nixpkgs";
@ -62,188 +49,188 @@
hypr-contrib = {
url = "github:hyprwm/contrib";
inputs.nixpkgs.follows = "nixpkgs";
};
yarr-nix = {
url = "git+https://git.tudorr.ro/tudor/yarr-nix.git";
inputs.nixpkgs.follows = "nixpkgs";
};
co-work.url = "git+ssh://git@github.com/tudurom/co-work.git";
site.url = "github:tudurom/site";
blog.url = "github:tudurom/blog";
};
outputs = inputs @ {
self,
haumea,
pre-commit-hooks,
nixpkgs,
unstable,
deploy-rs,
flake-parts,
home-manager,
home-manager-unstable,
...
}: let
systems = ["x86_64-linux" "aarch64-linux"];
vars = {
stateVersion = "23.11";
};
specialArgs = {
inherit vars;
flake = {
inherit self inputs;
outputs = inputs@{ self, nixpkgs, deploy-rs, unstable, flake-parts, ... }:
let
vars = {
stateVersion = "22.05";
username = "tudor";
};
};
deployPkgs = with nixpkgs.lib; listToAttrs (map (system: nameValuePair system (self.lib.deploy.mkPkgs system)) systems);
in
flake-parts.lib.mkFlake {inherit inputs;} {
inherit systems;
mkPkgs = pkgs: system: import pkgs {
inherit system;
config.allowUnfree = true;
overlays = [
inputs.hypr-contrib.overlays.default
inputs.nixgl.overlays.default
inputs.agenix.overlays.default
inputs.yarr-nix.overlays.default
(final: prev: {
tudor.site = inputs.site.packages.${system}.site;
tudor.blog = inputs.blog.packages.${system}.blog;
tudor.pong = inputs.co-work.packages.${system}.pong;
unstable = import inputs.unstable { inherit system; config.allowUnfree = true; };
home-manager = inputs.home-manager.packages.${system}.home-manager;
})
];
};
flake = {
lib = haumea.lib.load {
src = ./lib;
inputs = {
inherit nixpkgs inputs;
mkHmDependencies = system: [
inputs.agenix.homeManagerModules.default
];
mkNixOSModules = name: system: [
{
nixpkgs.pkgs = mkPkgs nixpkgs system;
_module.args.nixpkgs = nixpkgs;
_module.args.self = self;
_module.args.inputs = inputs;
_module.args.configName = name;
_module.args.vars = vars;
}
inputs.agenix.nixosModules.default
{
environment.systemPackages = [ inputs.agenix.packages.${system}.default ];
# enable ssh host key generation
services.openssh.enable = true;
}
inputs.home-manager.nixosModules.home-manager
inputs.nixos-wsl.nixosModules.wsl
inputs.yarr-nix.nixosModules.default
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = false;
extraSpecialArgs = { inherit inputs vars; configName = name; };
sharedModules = mkHmDependencies system;
};
};
}
./hosts/${name}
];
nixosConfigurations = let
mkNixOSSystem = name: system: let
modules = [
inputs.agenix.nixosModules.default
{
environment.systemPackages = [inputs.agenix.packages.${system}.default];
# enable ssh host key generation
services.openssh.enable = true;
}
mkNixOSSystem = name: system: nixpkgs.lib.nixosSystem {
inherit system;
modules = mkNixOSModules name system;
};
inputs.home-manager.nixosModules.home-manager
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = false;
extraSpecialArgs = specialArgs;
sharedModules = self.lib.hm-modules;
};
}
./hosts/${name}
];
in
nixpkgs.lib.nixosSystem {
pkgs = self.lib.nixpkgs.mkPkgs {inherit system;};
inherit system modules specialArgs;
mkNonNixOSEnvironment = name: user: system: inputs.home-manager.lib.homeManagerConfiguration {
pkgs = mkPkgs nixpkgs system;
extraSpecialArgs = {inherit inputs vars; configName = "normal-linux"; };
modules = (mkHmDependencies system) ++ [
{
_module.args.nixpkgs = nixpkgs;
_module.args.inputs = inputs;
_module.args.vars = vars;
}
{
home = {
homeDirectory = "/home/${user}";
username = user;
sessionVariables = {
GIT_SSH = "/usr/bin/ssh";
};
};
in {
"ceres" = mkNixOSSystem "ceres" "x86_64-linux";
"wsl2" = mkNixOSSystem "wsl2" "x86_64-linux";
};
homeConfigurations = let
mkHomeConfiguration = name: user: system: let
stablePkgs = self.lib.nixpkgs.mkPkgs {inherit system;};
hm = inputs.home-manager;
in
mkHomeConfiguration' hm stablePkgs name user;
programs.bash.profileExtra = ''
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
'';
}
(./users + "/${name}")
];
};
mkHomeConfigurationUnstable = name: user: system: let
unstablePkgs = self.lib.nixpkgs.mkPkgs {
inherit system;
nixpkgsVersion = unstable;
mkDeployPkgs = system: import nixpkgs {
inherit system;
overlays = [
deploy-rs.overlay
(self: super: {
deploy-rs = {
inherit (nixpkgs.legacyPackages."${system}") deploy-rs;
lib = super.deploy-rs.lib;
};
hm = inputs.home-manager-unstable;
in
mkHomeConfiguration' hm unstablePkgs name user;
})
];
};
in flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" "aarch64-linux" ];
flake = {
nixosConfigurations."ceres" = mkNixOSSystem "ceres" "x86_64-linux";
nixosConfigurations."wsl2" = mkNixOSSystem "wsl2" "x86_64-linux";
mkHomeConfiguration' = hm: pkgs: name: user:
hm.lib.homeManagerConfiguration {
inherit pkgs;
packages."x86_64-linux"."tudor" = self.homeConfigurations."tudor".activationPackage;
packages."x86_64-linux"."tudor@pepper-penguin" = self.homeConfigurations."tudor@pepper-penguin".activationPackage;
extraSpecialArgs = specialArgs;
modules =
self.lib.hm-modules
++ [
{
home = {
homeDirectory = "/home/${user}";
username = user;
sessionVariables = {
GIT_SSH = "/usr/bin/ssh";
};
};
homeConfigurations."tudor" = mkNonNixOSEnvironment "tudor" "tudor" "x86_64-linux";
homeConfigurations."tudor@pepper-penguin" = mkNonNixOSEnvironment "tudor@pepper-penguin" "tudor" "x86_64-linux";
programs.bash.profileExtra = ''
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
'';
nix.package = pkgs.nix;
}
(./users + "/${name}")
];
};
in {
"tudor" = mkHomeConfiguration "tudor" "tudor" "x86_64-linux";
"tudor@pepper-penguin" = mkHomeConfigurationUnstable "tudor@pepper-penguin" "tudor" "x86_64-linux";
};
deploy.nodes."ceres" = let
cfg = self.nixosConfigurations."ceres";
in {
deploy.nodes."ceres" = {
hostname = "ceres.lamb-monitor.ts.net";
profiles.system = {
user = "root";
path = deployPkgs.${cfg.pkgs.system}.deploy-rs.lib.activate.nixos cfg;
sshUser = "root";
path = (mkDeployPkgs "x86_64-linux").deploy-rs.lib.activate.nixos self.nixosConfigurations."ceres";
};
};
checks."x86_64-linux" = deployPkgs."x86_64-linux".deploy-rs.lib.deployChecks self.deploy;
};
perSystem = {
pkgs,
system,
self',
...
}: {
perSystem = {config, pkgs, system, ... }: let
deployPkgs = import nixpkgs {
inherit system;
overlays = [
deploy-rs.overlay
(final: prev: {
deploy-rs = { inherit (pkgs) deploy-rs; lib = prev.deploy-rs.lib; };
})
];
};
in {
_module.args.pkgs = mkPkgs nixpkgs system;
apps.deploy-rs = {
type = "app";
program = "${deployPkgs.deploy-rs.deploy-rs}/bin/deploy";
};
packages.default = pkgs.nix;
packages.home-manager = pkgs.home-manager;
packages.nixos-rebuild = pkgs.nixos-rebuild;
packages.home-manager = inputs.home-manager.packages.${system}.default;
packages.home-manager-unstable = inputs.home-manager-unstable.packages.${system}.default;
packages.agenix = inputs.agenix.packages.${system}.default;
packages.deploy-rs = deployPkgs.${system}.deploy-rs.deploy-rs;
packages.agenix = pkgs.agenix;
devShells.default = pkgs.mkShell {
shellHook =
self'.checks.pre-commit-check.shellHook
+ ''
/usr/bin/env git config blame.ignoreRevsFile .git-blame-ignore-revs
'';
buildInputs = with pkgs; [
self'.packages.home-manager
self'.packages.home-manager-unstable
self'.packages.nixos-rebuild
self'.packages.agenix
self'.packages.deploy-rs
nix
home-manager
nixos-rebuild
agenix
deployPkgs.deploy-rs.deploy-rs
nil
alejandra
statix
deadnix
];
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
checks = (deployPkgs.deploy-rs.lib.deployChecks self.deploy) // {
ansible-lint = pkgs.stdenvNoCC.mkDerivation {
name = "run-ansible-lint";
src = ./.;
hooks = {
alejandra.enable = true;
statix.enable = true;
deadnix.enable = true;
};
dontBuild = true;
doCheck = true;
buildInputs = with pkgs; [ ansible-lint git ];
checkPhase = ''
cd ./ansible
env "HOME=$TMPDIR" ansible-lint --offline
'';
installPhase = ''
mkdir "$out"
'';
};
};
};
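Review bot: If I read the sides correctly, the new side builds the deploy-rs package set twice — `mkDeployPkgs` in the outer `let` and an inline `deployPkgs` inside `perSystem` — with the same `deploy-rs.overlay` and the same replacement of the `deploy-rs` binary, differing only in whether the unmodified binary comes from `nixpkgs.legacyPackages` or from `pkgs`; two copies means the next change to one is missed in the other. `perSystem` can take `deployPkgs = mkDeployPkgs system;` if the `pkgs` variant is not deliberate. None of `mkPkgs`, `mkNixOSModules`, `mkNonNixOSEnvironment` and `mkDeployPkgs` has a comment saying what it produces or why the deploy-rs binary is taken from nixpkgs rather than from the overlay (presumably to avoid rebuilding it from source); a one-line comment on each helper would spare the reader that reconstruction. The `outputs` function is spread across several hunks here.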


@ -1,8 +1,6 @@
{ config, lib, pkgs, nixpkgs, self, inputs, vars, ... }:
{
flake,
vars,
...
}: {
imports = [
../../modules/nixos
];
@ -31,7 +29,13 @@
};
users.mutableUsers = false;
users.users.${vars.username} = {
isNormalUser = true;
extraGroups = [ "wheel" "scanner" "lp" ];
uid = 1000;
home = "/home/${vars.username}";
};
system.stateVersion = vars.stateVersion;
system.configurationRevision = flake.self.rev or "dirty";
system.configurationRevision = self.rev or "dirty";
}


@ -1,45 +1,27 @@
{ config, pkgs, lib, vars, ...}:
{
config,
pkgs,
...
}: {
imports = [
../_all
./hardware.nix
];
nix.settings.trusted-users = ["tudor"];
imports = [ ../_all ./hardware.nix ];
systemModules.basePackages.enable = true;
systemModules.services = {
dyndns.enable = true;
ssh.enable = true;
ssh.enableMosh = true;
web = {
nginx.enable = true;
cgit.enable = false;
forgejo = {
enable = true;
actions = {
enable = true;
host = "100.81.169.93";
cachePort = 8088;
};
};
site = {
enable = false;
webRootUser = "tudor";
};
gitea.enable = true;
site.enable = true;
yarr.enable = true;
};
ipforward.enable = true;
tailscale.enable = true;
pong.enable = true;
};
i18n.defaultLocale = "en_US.UTF-8";
time.timeZone = "Europe/Bucharest";
boot.supportedFilesystems = ["zfs"];
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub = {
enable = true;
@ -47,9 +29,10 @@
};
networking = {
useDHCP = true;
hostName = "ceres";
useDHCP = false;
hostId = "23247628"; # for zfs
interfaces.enp0s25.useDHCP = true;
firewall.enable = true;
@ -60,34 +43,19 @@
};
age.secrets = {
tudor-password.file = ../../secrets/ceres/tudor-password.age;
yarr-credentials.file = ../../secrets/ceres/yarr-credentials.age;
dedyn.file = ../../secrets/ceres/dedyn.age;
};
users.users.tudor = {
isNormalUser = true;
extraGroups = ["wheel"];
uid = 1000;
home = "/home/tudor";
hashedPasswordFile = config.age.secrets.tudor-password.path;
openssh.authorizedKeys.keys = [
(builtins.readFile ../../id_ed25519.pub)
];
};
virtualisation = {
podman = {
enable = true;
extraPackages = [pkgs.zfs];
tudor-password = {
file = ../../secrets/ceres/tudor-password.age;
};
yarr-credentials = {
file = ../../secrets/ceres/yarr-credentials.age;
};
};
virtualisation.containers.storage.settings = {
storage.driver = "zfs";
storage.graphroot = "/var/lib/containers/storage";
storage.runroot = "/run/containers/storage";
storage.options.zfs.fsname = "rpool/podman";
users.users.${vars.username} = {
passwordFile = config.age.secrets.tudor-password.path;
openssh.authorizedKeys.keys = [
(builtins.readFile ../../id_ed25519.pub)
];
};
security.sudo.wheelNeedsPassword = false;


@ -1,47 +1,32 @@
{ config, pkgs, lib, ...}:
{
pkgs,
lib,
flake,
...
}: {
imports = with flake.inputs.nixos-hardware.nixosModules; [
common-pc
common-pc-hdd
common-cpu-intel
common-cpu-intel-cpu-only
];
boot.initrd.availableKernelModules = [ "ata_generic" "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" =
{ device = "rpool/root/nixos";
fsType = "zfs";
};
boot.initrd.availableKernelModules = ["ata_generic" "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/nix" =
{ device = "rpool/nix";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/" = {
device = "rpool/root/nixos";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "rpool/home";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "rpool/nix";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8d11e1ec-50db-4aa3-a920-788e7f88b68e";
fsType = "ext4";
};
fileSystems."/home" = {
device = "rpool/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/8d11e1ec-50db-4aa3-a920-788e7f88b68e";
fsType = "ext4";
};
# there's also rpool/root/podman for container storage
swapDevices = [];
swapDevices = [ ];
# High-DPI console
console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";


@ -1,11 +1,6 @@
{ config, pkgs, vars, ... }:
{
config,
flake,
...
}: let
username = "tudor";
in {
imports = [../_all flake.inputs.nixos-wsl.nixosModules.wsl];
imports = [ ../_all ];
systemModules = {
basePackages.enable = true;
@ -20,7 +15,7 @@ in {
wsl = {
enable = true;
wslConf.automount.root = "/mnt";
defaultUser = username;
defaultUser = vars.username;
startMenuLaunchers = true;
nativeSystemd = true;
};
@ -31,13 +26,7 @@ in {
file = ../../secrets/wsl2/tudor-password.age;
};
users.users."${username}" = {
isNormalUser = true;
extraGroups = ["wheel"];
uid = 1000;
home = "/home/${username}";
hashedPasswordFile = config.age.secrets.tudor-password.path;
};
users.users.${vars.username}.passwordFile = config.age.secrets.tudor-password.path;
home-manager.users.tudor = ../../users + "/tudor@wsl2";
}


@ -1,17 +0,0 @@
{inputs, ...}: let
inherit (inputs) nixpkgs deploy-rs;
in {
mkPkgs = system:
import nixpkgs {
inherit system;
overlays = [
deploy-rs.overlay
(_self: super: {
deploy-rs = {
inherit (nixpkgs.legacyPackages."${system}") deploy-rs;
inherit (super.deploy-rs) lib;
};
})
];
};
}


@ -1,26 +0,0 @@
{...}: serviceConfig:
{
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged"];
UMask = "0077";
}
// serviceConfig


@ -1,4 +0,0 @@
{inputs}: [
inputs.agenix.homeManagerModules.default
inputs.niri.homeModules.config
]


@ -1,29 +0,0 @@
{
self,
inputs,
nixpkgs,
...
}: {
defaultConfig = {
allowUnfree = true;
};
mkDefaultOverlays = {system}: [
(final: _prev: {
unstable = import inputs.unstable {
inherit system;
inherit (final) config;
};
})
];
mkPkgs = {
nixpkgsVersion ? nixpkgs,
system,
}:
import nixpkgsVersion {
inherit system;
config = self.defaultConfig;
overlays = self.mkDefaultOverlays {inherit system;};
};
}


@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
./desktop
./shell


@ -1,138 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.homeModules.desktop.common;
inherit (config.homeModules.desktop.fonts) themeFont;
in
with lib; {
options = {
homeModules.desktop.common = {
enable = mkEnableOption "Enable common desktop settings";
nixGLPackage = mkOption {
type = types.nullOr types.package;
default = null;
description = ''
Start the Wayland compositor with a nixGL variant. Useful for Non-NixOS systems.
If null (default), sway will be started normally.
'';
};
wallpaperPath = mkOption {
description = "Path to wallpaper to apply";
type = types.path;
# https://unsplash.com/photos/ZlzWbHC86B8
default = ./wallpaper.jpg;
};
terminal = mkOption {
description = "Terminal emulator to use: foot or wezterm";
type = types.str;
default = "wezterm";
};
};
};
config = mkIf cfg.enable {
home.packages = with pkgs; [
wl-clipboard
];
systemd.user.targets.wl-session = {
Unit = {
Description = "wayland compositor session";
BindsTo = ["graphical-session.target"];
Wants = ["graphical-session-pre.target" "xdg-desktop-autostart.target"];
After = ["graphical-session-pre.target"];
Before = ["xdg-desktop-autostart.target"];
};
};
# notification daemon
services.mako.enable = true;
# clipboard manager. keeps the contents once the original program quits.
services.copyq = {
enable = true;
systemdTarget = "wl-session.target";
};
# blue light remover. adjusts the red tint based on the time of day.
services.gammastep = {
enable = true;
provider = "manual";
# https://maps.app.goo.gl/wrftdjP96bKDu5FW7
latitude = "52.36308";
longitude = "4.88372";
tray = true;
};
systemd.user.services.swayidle = {
Service = {
# hack to make calling swaylock with /usr/bin/env work
# for both NixOS and non-NixOS
# See: https://github.com/nix-community/home-manager/blob/05649393ac1f34980a5cf6a6e89de77626c9182b/modules/services/swayidle.nix#L124-L125
Environment = mkForce [
"PATH=${makeBinPath [pkgs.bash]}:/usr/bin"
];
};
};
# fuzzy-finding application launcher
programs.fuzzel = {
enable = true;
settings = {
main = {
# in case you don't see it: that's the eyes emoji,
# followed by the U+FE0F "Variation selector-6" character.
# That magic character tells the text rendering system to use
# the colour version of the emoji, instead of the outline version.
# You can also force the outline version with U+FE0E "Variation selector-5".
prompt = "\"👀 \"";
font = "${themeFont.family}:size=${builtins.toString (builtins.floor themeFont.size)},Noto Color Emoji,Noto Emoji";
};
};
};
services.swayidle = let
swaymsg = "${config.wayland.windowManager.sway.package}/bin/swaymsg";
niri = "${config.programs.niri.package}/bin/niri";
# if running nixos: make sure swaylock is enabled system-wide in the system config!
# if not: make sure you either have swaylock installed via the system package manager,
# or you have a valid PAM config for it.
# otherwise, it will not be able to unlock the screen!
swaylock = "/usr/bin/env swaylock";
swaylockCmd = "${swaylock} -c 000000 -fF";
in {
enable = true;
systemdTarget = "wl-session.target";
events = [
# make sure the screen is locked before going to sleep
{
event = "before-sleep";
command = swaylockCmd;
}
{
event = "lock";
command = swaylockCmd;
}
# stop the screen locker if loginctl says it's time to unlock
# (you can test by running loginctl unlock-session).
# regarding the sigusr1 thing, see swaylock(1).
{
event = "unlock";
command = "pkill -USR1 swaylock";
}
];
timeouts = [
{
timeout = 600;
command = "${swaymsg} \"output * power off\" || ${niri} msg action power-off-monitors";
resumeCommand = "${swaymsg} \"output * power on\" || true";
}
];
};
};
}