
chore: format everything

This commit is contained in:
oddlama 2024-11-26 13:34:55 +01:00
parent deca311c68
commit 7ccd7856ee
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
162 changed files with 4750 additions and 3718 deletions


@ -4,7 +4,8 @@
lib,
pkgs,
...
}: {
}:
{
config = lib.mkIf (!config.boot.isContainer) {
boot = {
initrd.systemd = {
@ -16,11 +17,11 @@
extraBin.cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
# Give me a usable shell please
users.root.shell = "${pkgs.bashInteractive}/bin/bash";
storePaths = ["${pkgs.bashInteractive}/bin/bash"];
storePaths = [ "${pkgs.bashInteractive}/bin/bash" ];
};
# NOTE: Add "rd.systemd.unit=rescue.target" to debug initrd
kernelParams = ["log_buf_len=16M"]; # must be {power of two}[KMG]
kernelParams = [ "log_buf_len=16M" ]; # must be {power of two}[KMG]
tmp.useTmpfs = true;
loader.timeout = lib.mkDefault 2;


@ -1,4 +1,5 @@
{inputs, ...}: {
{ inputs, ... }:
{
# Not setting this causes infinite recursion because it has a very weird default.
# The default should probably be removed upstream and only applied with mkDefault
# if hardware.nvidia.enable is true


@ -15,7 +15,10 @@ lib.optionalAttrs (!minimal) {
info.enable = lib.mkForce false;
};
environment.systemPackages = [pkgs.man-pages pkgs.man-pages-posix];
environment.systemPackages = [
pkgs.man-pages
pkgs.man-pages-posix
];
environment.enableDebugInfo = true;
environment.persistence."/state".directories = [
@ -28,5 +31,5 @@ lib.optionalAttrs (!minimal) {
services.nixseparatedebuginfod.enable = true;
# For embedded development
services.udev.packages = [pkgs.stlink];
services.udev.packages = [ pkgs.stlink ];
}


@ -1,5 +1,13 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [yubikey-manager yubikey-personalization age-plugin-yubikey];
services.udev.packages = with pkgs; [yubikey-personalization libu2f-host];
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
yubikey-manager
yubikey-personalization
age-plugin-yubikey
];
services.udev.packages = with pkgs; [
yubikey-personalization
libu2f-host
];
services.pcscd.enable = true;
}


@ -5,143 +5,146 @@
minimal,
pkgs,
...
}: let
inherit
(lib)
}:
let
inherit (lib)
mkIf
mkOption
types
optionalAttrs
;
in
{
options.graphical.gaming.enable = mkOption {
description = "Enables gaming on this machine and will add a lot of gaming related packages and configuration.";
default = false;
type = types.bool;
{
options.graphical.gaming.enable = mkOption {
description = "Enables gaming on this machine and will add a lot of gaming related packages and configuration.";
default = false;
type = types.bool;
};
}
// optionalAttrs (!minimal) {
imports = [
inputs.stylix.nixosModules.stylix
inputs.whisper-overlay.nixosModules.default
./fonts.nix
./steam.nix
./xserver.nix
];
config = {
# For Star Citizen. See https://github.com/starcitizen-lug/knowledge-base/wiki for more info.
boot.kernel.sysctl = mkIf config.graphical.gaming.enable {
"vm.max_map_count" = 16777216;
"fs.file-max" = 524288;
};
}
// optionalAttrs (!minimal) {
imports = [
inputs.stylix.nixosModules.stylix
inputs.whisper-overlay.nixosModules.default
./fonts.nix
./steam.nix
./xserver.nix
];
# Needed for gtk
programs.dconf.enable = true;
# Required for gnome3 pinentry
services.dbus.packages = [ pkgs.gcr ];
config = {
# For Star Citizen. See https://github.com/starcitizen-lug/knowledge-base/wiki for more info.
boot.kernel.sysctl = mkIf config.graphical.gaming.enable {
"vm.max_map_count" = 16777216;
"fs.file-max" = 524288;
};
# Needed for gtk
programs.dconf.enable = true;
# Required for gnome3 pinentry
services.dbus.packages = [pkgs.gcr];
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
config.common = {
default = ["gtk" "hyprland"];
"org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
"org.freedesktop.impl.portal.ScreenCast" = ["hyprland"];
"org.freedesktop.impl.portal.Screenshot" = ["hyprland"];
"org.freedesktop.portal.FileChooser" = ["xdg-desktop-portal-gtk"];
};
extraPortals = [
pkgs.xdg-desktop-portal-hyprland
pkgs.xdg-desktop-portal-gtk
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
config.common = {
default = [
"gtk"
"hyprland"
];
"org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ];
"org.freedesktop.impl.portal.ScreenCast" = [ "hyprland" ];
"org.freedesktop.impl.portal.Screenshot" = [ "hyprland" ];
"org.freedesktop.portal.FileChooser" = [ "xdg-desktop-portal-gtk" ];
};
extraPortals = [
pkgs.xdg-desktop-portal-hyprland
pkgs.xdg-desktop-portal-gtk
];
};
services.displayManager.enable = true;
programs.uwsm = {
enable = true;
waylandCompositors.sway = {
prettyName = "Sway";
comment = "Sway";
binPath = lib.getExe pkgs.sway;
};
services.displayManager.enable = true;
programs.uwsm = {
enable = true;
waylandCompositors.sway = {
prettyName = "Sway";
comment = "Sway";
binPath = lib.getExe pkgs.sway;
};
waylandCompositors.hyprland = {
prettyName = "Hyprland";
comment = "Hyprland";
binPath = lib.getExe pkgs.hyprland;
};
};
stylix = {
enable = true;
# I want to choose what to style myself.
autoEnable = false;
image = config.lib.stylix.pixel "base00";
polarity = "dark";
# onedark
# base16Scheme = {
# base00 = "#282c34";
# base01 = "#353b45";
# base02 = "#3e4451";
# base03 = "#545862";
# base04 = "#565c64";
# base05 = "#abb2bf";
# base06 = "#b6bdca";
# base07 = "#c8ccd4";
# base08 = "#e06c75";
# base09 = "#d19a66";
# base0A = "#e5c07b";
# base0B = "#98c379";
# base0C = "#56b6c2";
# base0D = "#61afef";
# base0E = "#c678dd";
# base0F = "#9378de";
# };
# based on decaycs-dark, normal variant
base16Scheme = {
base00 = "#101419";
base01 = "#171b20";
base02 = "#21262e";
base03 = "#242931";
base04 = "#485263";
base05 = "#b6beca";
base06 = "#dee1e6";
base07 = "#e3e6eb";
base08 = "#e05f65";
base09 = "#f9a872";
base0A = "#f1cf8a";
base0B = "#78dba9";
base0C = "#74bee9";
base0D = "#70a5eb";
base0E = "#c68aee";
base0F = "#9378de";
};
## based on decaycs-dark, bright variant
#base16Scheme = {
# base00 = "#101419";
# base01 = "#171B20";
# base02 = "#21262e";
# base03 = "#242931";
# base04 = "#485263";
# base05 = "#b6beca";
# base06 = "#dee1e6";
# base07 = "#e3e6eb";
# base08 = "#e5646a";
# base09 = "#f7b77c";
# base0A = "#f6d48f";
# base0B = "#94F7C5";
# base0C = "#79c3ee";
# base0D = "#75aaf0";
# base0E = "#cb8ff3";
# base0F = "#9d85e1";
#};
waylandCompositors.hyprland = {
prettyName = "Hyprland";
comment = "Hyprland";
binPath = lib.getExe pkgs.hyprland;
};
};
}
stylix = {
enable = true;
# I want to choose what to style myself.
autoEnable = false;
image = config.lib.stylix.pixel "base00";
polarity = "dark";
# onedark
# base16Scheme = {
# base00 = "#282c34";
# base01 = "#353b45";
# base02 = "#3e4451";
# base03 = "#545862";
# base04 = "#565c64";
# base05 = "#abb2bf";
# base06 = "#b6bdca";
# base07 = "#c8ccd4";
# base08 = "#e06c75";
# base09 = "#d19a66";
# base0A = "#e5c07b";
# base0B = "#98c379";
# base0C = "#56b6c2";
# base0D = "#61afef";
# base0E = "#c678dd";
# base0F = "#9378de";
# };
# based on decaycs-dark, normal variant
base16Scheme = {
base00 = "#101419";
base01 = "#171b20";
base02 = "#21262e";
base03 = "#242931";
base04 = "#485263";
base05 = "#b6beca";
base06 = "#dee1e6";
base07 = "#e3e6eb";
base08 = "#e05f65";
base09 = "#f9a872";
base0A = "#f1cf8a";
base0B = "#78dba9";
base0C = "#74bee9";
base0D = "#70a5eb";
base0E = "#c68aee";
base0F = "#9378de";
};
## based on decaycs-dark, bright variant
#base16Scheme = {
# base00 = "#101419";
# base01 = "#171B20";
# base02 = "#21262e";
# base03 = "#242931";
# base04 = "#485263";
# base05 = "#b6beca";
# base06 = "#dee1e6";
# base07 = "#e3e6eb";
# base08 = "#e5646a";
# base09 = "#f7b77c";
# base0A = "#f6d48f";
# base0B = "#94F7C5";
# base0C = "#79c3ee";
# base0D = "#75aaf0";
# base0E = "#cb8ff3";
# base0F = "#9d85e1";
#};
};
};
}


@ -1,4 +1,5 @@
{pkgs, ...}: {
{ pkgs, ... }:
{
fonts = {
# Always prefer emojis even if the original font would provide a glyph
fontconfig.localConf = ''
@ -27,7 +28,7 @@
'';
packages = with pkgs; [
(pkgs.nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
(pkgs.nerdfonts.override { fonts = [ "NerdFontsSymbolsOnly" ]; })
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk-serif


@ -3,13 +3,14 @@
config,
pkgs,
...
}: {
}:
{
config = lib.mkIf config.graphical.gaming.enable {
programs.steam = {
enable = true;
package = pkgs.steam.override {
extraPkgs = pkgs:
with pkgs; [
extraPkgs =
pkgs: with pkgs; [
# add packages here in case any game needs them...
];
};


@ -6,7 +6,7 @@
desktopManager.xterm.enable = false;
autoRepeatDelay = 235;
autoRepeatInterval = 60;
videoDrivers = ["modesetting"];
videoDrivers = [ "modesetting" ];
xkb.layout = "de";
xkb.variant = "nodeadkeys";
};


@ -1,5 +1,6 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [bluetui];
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ bluetui ];
environment.persistence."/persist".directories = [
"/var/lib/bluetooth"
];
@ -7,7 +8,7 @@
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
disabledPlugins = ["sap"];
disabledPlugins = [ "sap" ];
settings = {
General = {
FastConnectable = "true";
@ -19,12 +20,12 @@
};
hardware.pulseaudio = {
package = pkgs.pulseaudio.override {bluetoothSupport = true;};
package = pkgs.pulseaudio.override { bluetoothSupport = true; };
extraConfig = ''
load-module module-bluetooth-discover
load-module module-bluetooth-policy
load-module module-switch-on-connect
'';
extraModules = with pkgs; [pulseaudio-modules-bt];
extraModules = with pkgs; [ pulseaudio-modules-bt ];
};
}


@ -1,4 +1,9 @@
{
boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
boot.initrd.availableKernelModules = [
"virtio_pci"
"virtio_net"
"virtio_scsi"
"virtio_blk"
];
topology.self.icon = "devices.cloud-server";
}


@ -5,8 +5,8 @@
...
}:
lib.optionalAttrs (!minimal) {
boot.blacklistedKernelModules = ["nouveau"];
services.xserver.videoDrivers = lib.mkForce ["nvidia"];
boot.blacklistedKernelModules = [ "nouveau" ];
services.xserver.videoDrivers = lib.mkForce [ "nvidia" ];
hardware = {
graphics = {


@ -1,4 +1,5 @@
{inputs, ...}: {
{ inputs, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.common-pc-ssd
];
@ -22,5 +23,8 @@
"drm"
"display_connector"
];
boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
boot.kernelParams = [
"console=ttyAML0,115200n8"
"console=tty0"
];
}


@ -4,7 +4,8 @@
lib,
minimal,
...
}: {
}:
{
hardware = {
enableRedistributableFirmware = true;
enableAllFirmware = true;
@ -13,6 +14,6 @@
services = lib.mkIf (!minimal) {
fwupd.enable = true;
smartd.enable = true;
thermald.enable = builtins.elem config.nixpkgs.hostPlatform.system ["x86_64-linux"];
thermald.enable = builtins.elem config.nixpkgs.hostPlatform.system [ "x86_64-linux" ];
};
}


@ -3,7 +3,8 @@
config,
minimal,
...
}: {
}:
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
@ -37,5 +38,5 @@
# But still link all completions from all packages so they
# can be found by zsh
environment.pathsToLink = ["/share/zsh"];
environment.pathsToLink = [ "/share/zsh" ];
}


@ -2,9 +2,9 @@
config,
lib,
...
}: let
inherit
(lib)
}:
let
inherit (lib)
attrNames
flip
isAttrs
@ -14,9 +14,10 @@
optionals
types
;
in {
in
{
# Give agenix access to the hostkey independent of impermanence activation
age.identityPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
age.identityPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
# Expose a home manager module for each user that allows extending
# environment.persistence.${sourceDir}.users.${userName} simply by
@ -25,63 +26,57 @@ in {
{
options.home.persistence = mkOption {
description = "Additional persistence config for the given source path";
default = {};
type = types.attrsOf (types.submodule {
options = {
files = mkOption {
description = "Additional files to persist via NixOS impermanence.";
type = types.listOf (types.either types.attrs types.str);
default = [];
};
default = { };
type = types.attrsOf (
types.submodule {
options = {
files = mkOption {
description = "Additional files to persist via NixOS impermanence.";
type = types.listOf (types.either types.attrs types.str);
default = [ ];
};
directories = mkOption {
description = "Additional directories to persist via NixOS impermanence.";
type = types.listOf (types.either types.attrs types.str);
default = [];
directories = mkOption {
description = "Additional directories to persist via NixOS impermanence.";
type = types.listOf (types.either types.attrs types.str);
default = [ ];
};
};
};
});
}
);
};
}
];
# For each user that has a home-manager config, merge the locally defined
# persistence options that we defined above.
imports = let
mkUserFiles = map (x:
{parentDirectory.mode = "700";}
// (
if isAttrs x
then x
else {file = x;}
));
mkUserDirs = map (x:
{mode = "700";}
// (
if isAttrs x
then x
else {directory = x;}
));
in [
{
environment.persistence = mkMerge (
flip map
(attrNames config.home-manager.users)
(
user: let
hmUserCfg = config.home-manager.users.${user};
in
flip mapAttrs hmUserCfg.home.persistence
(_: sourceCfg: {
users.${user} = {
files = mkUserFiles sourceCfg.files;
directories = mkUserDirs sourceCfg.directories;
};
})
)
imports =
let
mkUserFiles = map (
x: { parentDirectory.mode = "700"; } // (if isAttrs x then x else { file = x; })
);
}
];
mkUserDirs = map (x: { mode = "700"; } // (if isAttrs x then x else { directory = x; }));
in
[
{
environment.persistence = mkMerge (
flip map (attrNames config.home-manager.users) (
user:
let
hmUserCfg = config.home-manager.users.${user};
in
flip mapAttrs hmUserCfg.home.persistence (
_: sourceCfg: {
users.${user} = {
files = mkUserFiles sourceCfg.files;
directories = mkUserDirs sourceCfg.directories;
};
}
)
)
);
}
];
# State that should be kept across reboots, but is otherwise
# NOT important information in any way that needs to be backed up.


@ -3,7 +3,8 @@
lib,
pkgs,
...
}: let
}:
let
disko-script = pkgs.writeShellScriptBin "disko-script" "${config.system.build.diskoScript}";
disko-mount = pkgs.writeShellScriptBin "disko-mount" "${config.system.build.mountScript}";
disko-format = pkgs.writeShellScriptBin "disko-format" "${config.system.build.formatScript}";
@ -30,7 +31,8 @@
install-system
];
};
in {
in
{
options.system.build.installFromLive = lib.mkOption {
type = lib.types.package;
description = ''


@ -2,13 +2,16 @@
config,
lib,
...
}: {
}:
{
# IP addresses: ${"${interface} \e{halfbright}\4{${interface}}\e{reset} \e{halfbright}\6{${interface}}\e{reset}"}
environment.etc.issue.text = lib.concatStringsSep "\n" ([
environment.etc.issue.text = lib.concatStringsSep "\n" (
[
''\d \t''
''This is \e{cyan}\n\e{reset} [\e{lightblue}\l\e{reset}] (\s \m \r)''
]
# Disabled for guests because of frequent redraws (-> pushed to syslog on the host)
++ lib.optional (config.node.type == "host") ''\e{halfbright}\4\e{reset} \e{halfbright}\6\e{reset}''
++ [""]);
++ [ "" ]
);
}


@ -2,7 +2,8 @@
config,
lib,
...
}: {
}:
{
systemd.network.enable = true;
networking = {
@ -11,8 +12,8 @@
dhcpcd.enable = false;
# Rename known network interfaces from local secrets
renameInterfacesByMac =
lib.mapAttrs (_: v: v.mac)
(config.repo.secrets.local.networking.interfaces or {});
renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (
config.repo.secrets.local.networking.interfaces or { }
);
};
}


@ -2,7 +2,8 @@
config,
lib,
...
}: {
}:
{
networking.nftables = {
stopRuleset = lib.mkDefault ''
table inet filter {
@ -36,17 +37,31 @@
nnf-ssh.enable = true;
nnf-icmp = {
enable = true;
ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
ipv6Types = [
"echo-request"
"destination-unreachable"
"packet-too-big"
"time-exceeded"
"parameter-problem"
"nd-router-advert"
"nd-neighbor-solicit"
"nd-neighbor-advert"
];
ipv4Types = [
"echo-request"
"destination-unreachable"
"router-advertisement"
"time-exceeded"
"parameter-problem"
];
};
};
rules.untrusted-to-local = {
from = ["untrusted"];
to = ["local"];
from = [ "untrusted" ];
to = [ "local" ];
inherit
(config.networking.firewall)
inherit (config.networking.firewall)
allowedTCPPorts
allowedTCPPortRanges
allowedUDPPorts


@ -2,7 +2,8 @@
inputs,
pkgs,
...
}: {
}:
{
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This is a dummy config, please deploy via the flake!" false;
{ }
@ -11,8 +12,8 @@
nix = {
settings = {
auto-optimise-store = true;
allowed-users = ["@wheel"];
trusted-users = ["root"];
allowed-users = [ "@wheel" ];
trusted-users = [ "root" ];
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org"
@ -30,7 +31,7 @@
experimental-features = nix-command flakes
flake-registry = /etc/nix/registry.json
'';
nixPath = ["nixpkgs=/run/current-system/nixpkgs"];
nixPath = [ "nixpkgs=/run/current-system/nixpkgs" ];
optimise.automatic = true;
gc = {
automatic = true;


@ -32,5 +32,8 @@ lib.optionalAttrs (!minimal) {
];
};
environment.systemPackages = with pkgs; [pulseaudio pulsemixer];
environment.systemPackages = with pkgs; [
pulseaudio
pulsemixer
];
}


@ -3,14 +3,15 @@
lib,
pkgs,
...
}: {
boot.supportedFilesystems = ["zfs"];
}:
{
boot.supportedFilesystems = [ "zfs" ];
# The root pool should never be imported forcefully.
# Failure to import is important to notice!
boot.zfs.forceImportRoot = false;
environment.systemPackages = with pkgs; [zfs];
environment.systemPackages = with pkgs; [ zfs ];
services.zfs = {
autoScrub = {
@ -28,13 +29,13 @@
};
# TODO remove once this is upstreamed
boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
boot.initrd.systemd.services."zfs-import-rpool".after = [ "cryptsetup.target" ];
# After importing the rpool, rollback the root system to be empty.
boot.initrd.systemd.services.impermanence-root = {
wantedBy = ["initrd.target"];
after = ["zfs-import-rpool.service"];
before = ["sysroot.mount"];
wantedBy = [ "initrd.target" ];
after = [ "zfs-import-rpool.service" ];
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";


@ -2,7 +2,8 @@
config,
lib,
...
}: {
}:
{
services.resolved = {
enable = true;
dnssec = "false"; # wake me up in 20 years when DNSSEC is at least partly working
@ -20,51 +21,45 @@
};
system.nssDatabases.hosts = lib.mkMerge [
(lib.mkBefore ["mdns_minimal [NOTFOUND=return]"])
(lib.mkAfter ["mdns"])
(lib.mkBefore [ "mdns_minimal [NOTFOUND=return]" ])
(lib.mkAfter [ "mdns" ])
];
# Open port 5353 for any interfaces that have MulticastDNS enabled
networking.nftables.firewall = let
# Determine all networks that have MulticastDNS enabled
networksWithMulticast =
lib.filter
(n: config.systemd.network.networks.${n}.networkConfig.MulticastDNS or false)
(lib.attrNames config.systemd.network.networks);
networking.nftables.firewall =
let
# Determine all networks that have MulticastDNS enabled
networksWithMulticast = lib.filter (
n: config.systemd.network.networks.${n}.networkConfig.MulticastDNS or false
) (lib.attrNames config.systemd.network.networks);
# Determine all known mac addresses and the corresponding link name
# based on the renameInterfacesByMac option.
knownMacs =
lib.mapAttrs'
(k: v: lib.nameValuePair v k)
config.networking.renameInterfacesByMac;
# A helper that returns the link name for the given mac address,
# or null if it doesn't exist or the given mac was null.
linkNameFor = mac:
if mac == null
then null
else knownMacs.${mac} or null;
# Determine all known mac addresses and the corresponding link name
# based on the renameInterfacesByMac option.
knownMacs = lib.mapAttrs' (k: v: lib.nameValuePair v k) config.networking.renameInterfacesByMac;
# A helper that returns the link name for the given mac address,
# or null if it doesn't exist or the given mac was null.
linkNameFor = mac: if mac == null then null else knownMacs.${mac} or null;
# Calls the given function for each network that has MulticastDNS enabled,
# and collects all non-null values.
mapNetworks = f: lib.filter (v: v != null) (map f networksWithMulticast);
# Calls the given function for each network that has MulticastDNS enabled,
# and collects all non-null values.
mapNetworks = f: lib.filter (v: v != null) (map f networksWithMulticast);
# All interfaces on which MulticastDNS is used
mdnsInterfaces = lib.unique (
# For each network that is matched by MAC, lookup the link name
# and if map the definition name to the link name.
mapNetworks (x: linkNameFor (config.systemd.network.networks.${x}.matchConfig.MACAddress or null))
# For each network that is matched by name, map the definition
# name to the link name.
++ mapNetworks (x: config.systemd.network.networks.${x}.matchConfig.Name or null)
);
in
lib.mkIf (mdnsInterfaces != []) {
# All interfaces on which MulticastDNS is used
mdnsInterfaces = lib.unique (
# For each network that is matched by MAC, lookup the link name
# and if map the definition name to the link name.
mapNetworks (x: linkNameFor (config.systemd.network.networks.${x}.matchConfig.MACAddress or null))
# For each network that is matched by name, map the definition
# name to the link name.
++ mapNetworks (x: config.systemd.network.networks.${x}.matchConfig.Name or null)
);
in
lib.mkIf (mdnsInterfaces != [ ]) {
zones.mdns.interfaces = mdnsInterfaces;
rules.mdns-to-local = {
from = ["mdns"];
to = ["local"];
allowedUDPPorts = [5353];
from = [ "mdns" ];
to = [ "local" ];
allowedUDPPorts = [ 5353 ];
};
};
}


@ -3,17 +3,18 @@
inputs,
lib,
...
}: {
}:
{
# Define local repo secrets
repo.secretFiles = let
local = config.node.secretsDir + "/local.nix.age";
in
lib.optionalAttrs (lib.pathExists local) {inherit local;};
repo.secretFiles =
let
local = config.node.secretsDir + "/local.nix.age";
in
lib.optionalAttrs (lib.pathExists local) { inherit local; };
# Setup secret rekeying parameters
age.rekey = {
inherit
(inputs.self.secretsConfig)
inherit (inputs.self.secretsConfig)
masterIdentities
extraEncryptionPubkeys
;
@ -24,39 +25,46 @@
localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.node.name}";
};
age.generators.basic-auth = {
pkgs,
lib,
decrypt,
deps,
...
}:
lib.flip lib.concatMapStrings deps ({
name,
host,
file,
}: ''
echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
${decrypt} ${lib.escapeShellArg file} \
| ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
|| die "Failure while aggregating basic auth hashes"
'');
age.generators.basic-auth =
{
pkgs,
lib,
decrypt,
deps,
...
}:
lib.flip lib.concatMapStrings deps (
{
name,
host,
file,
}:
''
echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
${decrypt} ${lib.escapeShellArg file} \
| ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
|| die "Failure while aggregating basic auth hashes"
''
);
age.generators.argon2id = {
pkgs,
lib,
decrypt,
deps,
...
}: let
dep = builtins.head deps;
in ''
echo " -> Deriving argon2id hash from "${lib.escapeShellArg dep.host}":"${lib.escapeShellArg dep.name}"" >&2
${decrypt} ${lib.escapeShellArg dep.file} \
| tr -d '\n' \
| ${pkgs.libargon2}/bin/argon2 "$(${pkgs.openssl}/bin/openssl rand -base64 16)" -id -e \
|| die "Failure while generating argon2id hash"
'';
age.generators.argon2id =
{
pkgs,
lib,
decrypt,
deps,
...
}:
let
dep = builtins.head deps;
in
''
echo " -> Deriving argon2id hash from "${lib.escapeShellArg dep.host}":"${lib.escapeShellArg dep.name}"" >&2
${decrypt} ${lib.escapeShellArg dep.file} \
| tr -d '\n' \
| ${pkgs.libargon2}/bin/argon2 "$(${pkgs.openssl}/bin/openssl rand -base64 16)" -id -e \
|| die "Failure while generating argon2id hash"
'';
# Just before switching, remove the agenix directory if it exists.
# This can happen when a secret is used in the initrd because it will
@ -65,8 +73,8 @@
# to create a link called /run/agenix. Agenix should probably fail in this case,
# but doesn't and instead puts the generation link into the existing directory.
# TODO See https://github.com/ryantm/agenix/pull/187.
system.activationScripts = lib.mkIf (config.age.secrets != {}) {
system.activationScripts = lib.mkIf (config.age.secrets != { }) {
removeAgenixLink.text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
agenixNewGeneration.deps = ["removeAgenixLink"];
agenixNewGeneration.deps = [ "removeAgenixLink" ];
};
}


@ -3,7 +3,8 @@
lib,
pkgs,
...
}: {
}:
{
config = lib.mkMerge [
{
services.openssh = {
@ -12,7 +13,7 @@
# because we rely on ssh key generation for agenix. So we need
# the service to start eagerly
startWhenNeeded = lib.mkForce false;
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
sftpServerExecutable = "internal-sftp";
settings = {
PasswordAuthentication = false;
@ -35,7 +36,7 @@
boot.initrd.network.ssh = {
enable = true;
port = 4;
hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
hostKeys = [ config.age.secrets.initrd_host_ed25519_key.path ];
};
# Make sure that there is always a valid initrd hostkey available that can be installed into
@ -49,9 +50,12 @@
[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
'';
deps = ["agenixInstall" "users"];
deps = [
"agenixInstall"
"users"
];
};
system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
system.activationScripts.agenixChown.deps = [ "agenixEnsureInitrdHostkey" ];
})
];
}


@ -1,4 +1,5 @@
{pkgs, ...}: {
{ pkgs, ... }:
{
documentation.nixos.enable = false;
# Disable sudo which is entirely unnecessary.
@ -10,7 +11,7 @@
console.keyMap = "de-latin1-nodeadkeys";
# Install the kitty terminfo package for all systems.
environment.systemPackages = [pkgs.kitty.terminfo];
environment.systemPackages = [ pkgs.kitty.terminfo ];
# And a reasonable inputrc please
environment.etc."inputrc".source = ./inputrc;


@ -1,3 +1,4 @@
{config, ...}: {
{ config, ... }:
{
topology.id = config.node.name;
}


@ -1,42 +1,44 @@
{
users.mutableUsers = false;
users.deterministicIds = let
uidGid = id: {
uid = id;
gid = id;
users.deterministicIds =
let
uidGid = id: {
uid = id;
gid = id;
};
in
{
systemd-oom = uidGid 999;
systemd-coredump = uidGid 998;
sshd = uidGid 997;
nscd = uidGid 996;
polkituser = uidGid 995;
microvm = uidGid 994;
promtail = uidGid 993;
grafana = uidGid 992;
acme = uidGid 991;
kanidm = uidGid 990;
loki = uidGid 989;
vaultwarden = uidGid 988;
oauth2-proxy = uidGid 987;
influxdb2 = uidGid 986;
telegraf = uidGid 985;
rtkit = uidGid 984;
git = uidGid 983;
redis-paperless = uidGid 982;
nixseparatedebuginfod = uidGid 981;
msr = uidGid 980;
fwupd-refresh = uidGid 979;
radicale = uidGid 978;
podman = uidGid 977;
maddy = uidGid 976;
minecraft = uidGid 975;
stalwart-mail = uidGid 974;
netbird-home = uidGid 973;
gamemode = uidGid 972;
plausible = uidGid 971;
actual = uidGid 970;
flatpak = uidGid 969;
};
in {
systemd-oom = uidGid 999;
systemd-coredump = uidGid 998;
sshd = uidGid 997;
nscd = uidGid 996;
polkituser = uidGid 995;
microvm = uidGid 994;
promtail = uidGid 993;
grafana = uidGid 992;
acme = uidGid 991;
kanidm = uidGid 990;
loki = uidGid 989;
vaultwarden = uidGid 988;
oauth2-proxy = uidGid 987;
influxdb2 = uidGid 986;
telegraf = uidGid 985;
rtkit = uidGid 984;
git = uidGid 983;
redis-paperless = uidGid 982;
nixseparatedebuginfod = uidGid 981;
msr = uidGid 980;
fwupd-refresh = uidGid 979;
radicale = uidGid 978;
podman = uidGid 977;
maddy = uidGid 976;
minecraft = uidGid 975;
stalwart-mail = uidGid 974;
netbird-home = uidGid 973;
gamemode = uidGid 972;
plausible = uidGid 971;
actual = uidGid 970;
flatpak = uidGid 969;
};
}