
refactor: split "real" modules and "config" modules

This commit is contained in:
oddlama 2024-05-25 17:56:30 +02:00
parent 045f15239a
commit cceae6c63c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
60 changed files with 126 additions and 113 deletions


@ -1,30 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
config = lib.mkIf (!config.boot.isContainer) {
boot = {
initrd.systemd = {
enable = true;
emergencyAccess = config.repo.secrets.global.root.hashedPassword;
# TODO good idea? targets.emergency.wants = ["network.target" "sshd.service"];
extraBin.ip = "${pkgs.iproute2}/bin/ip";
extraBin.ping = "${pkgs.iputils}/bin/ping";
extraBin.cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
# Give me a usable shell please
users.root.shell = "${pkgs.bashInteractive}/bin/bash";
storePaths = ["${pkgs.bashInteractive}/bin/bash"];
};
# NOTE: Add "rd.systemd.unit=rescue.target" to debug initrd
kernelParams = ["log_buf_len=16M"]; # must be {power of two}[KMG]
tmp.useTmpfs = true;
loader.timeout = lib.mkDefault 2;
};
console.earlySetup = true;
};
}


@ -1,29 +0,0 @@
{
inputs,
config,
minimal,
...
}: {
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
verbose = true;
sharedModules = [
inputs.nixos-extra-modules.homeManagerModules.default
inputs.nix-index-database.hmModules.nix-index
inputs.nixvim.homeManagerModules.nixvim
inputs.wired-notify.homeManagerModules.default
{
home.stateVersion = config.system.stateVersion;
}
];
extraSpecialArgs = {
inherit inputs minimal;
};
};
# Required even when using home-manager's zsh module since the /etc/profile load order
# is partly controlled by this. See nix-community/home-manager#3681.
# TODO remove once we have nushell
programs.zsh.enable = true;
}


@ -1,145 +0,0 @@
{
config,
lib,
...
}: let
inherit
(lib)
attrNames
flip
isAttrs
mapAttrs
mkMerge
mkOption
optionals
types
;
in {
# Give agenix access to the hostkey independent of impermanence activation
age.identityPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
# Expose a home manager module for each user that allows extending
# environment.persistence.${sourceDir}.users.${userName} simply by
# specifying home.persistence.${sourceDir} in home manager.
home-manager.sharedModules = [
{
options.home.persistence = mkOption {
description = "Additional persistence config for the given source path";
default = {};
type = types.attrsOf (types.submodule {
options = {
files = mkOption {
description = "Additional files to persist via NixOS impermanence.";
type = types.listOf (types.either types.attrs types.str);
default = [];
};
directories = mkOption {
description = "Additional directories to persist via NixOS impermanence.";
type = types.listOf (types.either types.attrs types.str);
default = [];
};
};
});
};
}
];
# For each user that has a home-manager config, merge the locally defined
# persistence options that we defined above.
imports = let
mkUserFiles = map (x:
{parentDirectory.mode = "700";}
// (
if isAttrs x
then x
else {file = x;}
));
mkUserDirs = map (x:
{mode = "700";}
// (
if isAttrs x
then x
else {directory = x;}
));
in [
{
environment.persistence = mkMerge (
flip map
(attrNames config.home-manager.users)
(
user: let
hmUserCfg = config.home-manager.users.${user};
in
flip mapAttrs hmUserCfg.home.persistence
(_: sourceCfg: {
users.${user} = {
files = mkUserFiles sourceCfg.files;
directories = mkUserDirs sourceCfg.directories;
};
})
)
);
}
];
# State that should be kept across reboots, but is otherwise
# NOT important information in any way that needs to be backed up.
fileSystems."/state".neededForBoot = true;
environment.persistence."/state" = {
hideMounts = true;
directories =
[
"/var/lib/systemd"
"/var/log"
"/var/spool"
#{ directory = "/tmp"; mode = "1777"; }
#{ directory = "/var/tmp"; mode = "1777"; }
]
++ optionals config.networking.wireless.iwd.enable [
{
directory = "/var/lib/iwd";
mode = "0700";
}
];
};
# State that should be kept forever, and backed up accordingly.
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
hideMounts = true;
files = [
# For ephemeral nixos-containers we cannot link the /etc/machine-id file,
# because it will be generated based on a stable container uuid.
(lib.mkIf (!config.boot.isContainer) "/etc/machine-id")
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
];
directories =
[
"/var/lib/nixos"
]
++ optionals config.security.acme.acceptTerms [
{
directory = "/var/lib/acme";
user = "acme";
group = "acme";
mode = "0755";
}
]
++ optionals config.services.printing.enable [
{
directory = "/var/lib/cups";
mode = "0700";
}
]
++ optionals config.services.postgresql.enable [
{
directory = "/var/lib/postgresql";
user = "postgres";
group = "postgres";
mode = "0700";
}
];
};
}


@ -1,110 +0,0 @@
{
environment.etc."inputrc".text = ''
# /etc/inputrc: initialization file for readline
#
# For more information on how this file works, please see the
# INITIALIZATION FILE section of the readline(3) man page
#
# Quick dirty little note:
# To get the key sequence for binding, you can abuse bash.
# While running bash, hit CTRL+V, and then type the key sequence.
# So, typing 'ALT + left arrow' in Konsole gets you back:
# ^[[1;3D
# The readline entry to make this skip back a word will then be:
# "\e[1;3D" backward-word
#
# Customization note:
# You don't need to put all your changes in this file. You can create
# ~/.inputrc which starts off with the line:
# $include /etc/inputrc
# Then put all your own stuff after that.
#
# do not bell on tab-completion
set bell-style none
set history-size -1
set meta-flag on
set input-meta on
set convert-meta off
set output-meta on
# dont output everything on first line
set horizontal-scroll-mode off
# append slash to completed directories & symlinked directories
set mark-directories on
set mark-symlinked-directories on
# dont expand ~ in tab completion
set expand-tilde off
# instead of ringing bell, show list of ambigious completions directly, also show up to 300 items before asking
set show-all-if-ambiguous on
set completion-query-items 300
$if mode=emacs
# for linux console and RH/Debian xterm
# allow the use of the Home/End keys
"\e[1~": beginning-of-line
"\e[4~": end-of-line
# map "page up" and "page down" to search history based on current cmdline
"\e[5~": history-search-backward
"\e[6~": history-search-forward
# allow the use of the Delete/Insert keys
"\e[3~": delete-char
"\e[2~": quoted-insert
# gnome / others (escape + arrow key)
"\e[5C": forward-word
"\e[5D": backward-word
# konsole / xterm / rxvt (escape + arrow key)
"\e\e[C": forward-word
"\e\e[D": backward-word
# gnome / konsole / others (control + arrow key)
"\e[1;5C": forward-word
"\e[1;5D": backward-word
# aterm / eterm (control + arrow key)
"\eOc": forward-word
"\eOd": backward-word
# konsole (alt + arrow key)
"\e[1;3C": forward-word
"\e[1;3D": backward-word
# Chromebooks remap alt + backspace so provide alternative (alt + k)
"\ek": backward-kill-word
$if term=rxvt
"\e[8~": end-of-line
"\e[3^": kill-line
"\e[3@": backward-kill-line
$endif
# for non RH/Debian xterm, can't hurt for RH/Debian xterm
"\eOH": beginning-of-line
"\eOF": end-of-line
# for freebsd console
"\e[H": beginning-of-line
"\e[F": end-of-line
# fix Home and End for German users
"\e[7~": beginning-of-line
"\e[8~": end-of-line
# ctrl [+ shift] + del = kill line [backward]
"\e[3;5~": kill-line
"\e[3;6~": backward-kill-line
$endif
# Up and Down should search history based on current cmdline
"\e[A": history-search-backward
"\e[B": history-search-forward
'';
}


@ -1,14 +0,0 @@
{
config,
lib,
...
}: {
# IP addresses: ${"${interface} \e{halfbright}\4{${interface}}\e{reset} \e{halfbright}\6{${interface}}\e{reset}"}
environment.etc.issue.text = lib.concatStringsSep "\n" ([
''\d \t''
''This is \e{cyan}\n\e{reset} [\e{lightblue}\l\e{reset}] (\s \m \r)''
]
# Disabled for guests because of frequent redraws (-> pushed to syslog on the host)
++ lib.optional (config.node.type == "host") ''\e{halfbright}\4\e{reset} \e{halfbright}\6\e{reset}''
++ [""]);
}


@ -1,18 +0,0 @@
{
config,
lib,
...
}: {
systemd.network.enable = true;
networking = {
useDHCP = lib.mkForce false;
useNetworkd = true;
dhcpcd.enable = false;
# Rename known network interfaces from local secrets
renameInterfacesByMac =
lib.mapAttrs (_: v: v.mac)
(config.repo.secrets.local.networking.interfaces or {});
};
}


@ -1,58 +0,0 @@
{
config,
lib,
...
}: {
networking.nftables = {
stopRuleset = lib.mkDefault ''
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop
ct state {established, related} accept
iifname lo accept
meta l4proto ipv6-icmp accept
meta l4proto icmp accept
tcp dport ${toString (lib.head config.services.openssh.ports)} accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
'';
firewall = {
enable = true;
localZoneName = "local";
snippets = {
nnf-common.enable = false;
nnf-conntrack.enable = true;
nnf-drop.enable = true;
nnf-loopback.enable = true;
nnf-ssh.enable = true;
nnf-icmp = {
enable = true;
ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
};
};
rules.untrusted-to-local = {
from = ["untrusted"];
to = ["local"];
inherit
(config.networking.firewall)
allowedTCPPorts
allowedTCPPortRanges
allowedUDPPorts
allowedUDPPortRanges
;
};
};
};
}


@ -1,54 +0,0 @@
{
inputs,
pkgs,
...
}: {
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This is a dummy config, please deploy via the flake!" false;
{ }
'';
nix = {
settings = {
auto-optimise-store = true;
allowed-users = ["@wheel"];
trusted-users = ["root"];
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
daemonCPUSchedPolicy = "batch";
daemonIOSchedPriority = 5;
distributedBuilds = true;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes
flake-registry = /etc/nix/registry.json
'';
nixPath = ["nixpkgs=/run/current-system/nixpkgs"];
optimise.automatic = true;
gc = {
automatic = true;
dates = "monthly";
options = "--delete-older-than 90d";
};
# Define global flakes for this system
registry = rec {
nixpkgs.flake = inputs.nixpkgs;
p = nixpkgs;
templates.flake = inputs.templates;
};
};
system = {
extraSystemBuilderCmds = ''
ln -sv ${inputs.nixpkgs} $out/nixpkgs
'';
stateVersion = "23.11";
};
}


@ -1,70 +0,0 @@
{
config,
lib,
...
}: {
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
fallbackDns = [
"1.1.1.1"
"2606:4700:4700::1111"
"8.8.8.8"
"2001:4860:4860::8844"
];
llmnr = "false";
extraConfig = ''
Domains=~.
MulticastDNS=true
'';
};
system.nssDatabases.hosts = lib.mkMerge [
(lib.mkBefore ["mdns_minimal [NOTFOUND=return]"])
(lib.mkAfter ["mdns"])
];
# Open port 5353 for any interfaces that have MulticastDNS enabled
networking.nftables.firewall = let
# Determine all networks that have MulticastDNS enabled
networksWithMulticast =
lib.filter
(n: config.systemd.network.networks.${n}.networkConfig.MulticastDNS or false)
(lib.attrNames config.systemd.network.networks);
# Determine all known mac addresses and the corresponding link name
# based on the renameInterfacesByMac option.
knownMacs =
lib.mapAttrs'
(k: v: lib.nameValuePair v k)
config.networking.renameInterfacesByMac;
# A helper that returns the link name for the given mac address,
# or null if it doesn't exist or the given mac was null.
linkNameFor = mac:
if mac == null
then null
else knownMacs.${mac} or null;
# Calls the given function for each network that has MulticastDNS enabled,
# and collects all non-null values.
mapNetworks = f: lib.filter (v: v != null) (map f networksWithMulticast);
# All interfaces on which MulticastDNS is used
mdnsInterfaces = lib.unique (
# For each network that is matched by MAC, lookup the link name
# and if map the definition name to the link name.
mapNetworks (x: linkNameFor (config.systemd.network.networks.${x}.matchConfig.MACAddress or null))
# For each network that is matched by name, map the definition
# name to the link name.
++ mapNetworks (x: config.systemd.network.networks.${x}.matchConfig.Name or null)
);
in
lib.mkIf (mdnsInterfaces != []) {
zones.mdns.interfaces = mdnsInterfaces;
rules.mdns-to-local = {
from = ["mdns"];
to = ["local"];
allowedUDPPorts = [5353];
};
};
}


@ -1,59 +0,0 @@
{
config,
inputs,
lib,
...
}: {
# Define local repo secrets
repo.secretFiles = let
local = config.node.secretsDir + "/local.nix.age";
in
{
global = ../../secrets/global.nix.age;
}
// lib.optionalAttrs (lib.pathExists local) {inherit local;};
# Setup secret rekeying parameters
age.rekey = {
inherit
(inputs.self.secretsConfig)
masterIdentities
extraEncryptionPubkeys
;
hostPubkey = config.node.secretsDir + "/host.pub";
storageMode = "local";
generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}";
localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.node.name}";
};
age.generators.basic-auth = {
pkgs,
lib,
decrypt,
deps,
...
}:
lib.flip lib.concatMapStrings deps ({
name,
host,
file,
}: ''
echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
${decrypt} ${lib.escapeShellArg file} \
| ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
|| die "Failure while aggregating basic auth hashes"
'');
# Just before switching, remove the agenix directory if it exists.
# This can happen when a secret is used in the initrd because it will
# then be copied to the initramfs under the same path. This materializes
# /run/agenix as a directory which will cause issues when the actual system tries
# to create a link called /run/agenix. Agenix should probably fail in this case,
# but doesn't and instead puts the generation link into the existing directory.
# TODO See https://github.com/ryantm/agenix/pull/187.
system.activationScripts = lib.mkIf (config.age.secrets != {}) {
removeAgenixLink.text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
agenixNewGeneration.deps = ["removeAgenixLink"];
};
}


@ -1,21 +0,0 @@
{lib, ...}: {
services.openssh = {
enable = true;
# In containers, this is true by default, but we don't want that
# because we rely on ssh key generation for agenix
startWhenNeeded = lib.mkForce false;
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
sftpServerExecutable = "internal-sftp";
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}


@ -1,15 +0,0 @@
{
lib,
pkgs,
...
}: {
# Disable sudo which is entierly unnecessary.
security.sudo.enable = false;
time.timeZone = lib.mkDefault "Europe/Berlin";
i18n.defaultLocale = "C.UTF-8";
console.keyMap = "de-latin1-nodeadkeys";
# Install the kitty terminfo package for all systems.
environment.systemPackages = [pkgs.kitty.terminfo];
}


@ -1,3 +0,0 @@
{config, ...}: {
topology.id = config.node.name;
}


@ -1,38 +0,0 @@
{
users.mutableUsers = false;
users.deterministicIds = let
uidGid = id: {
uid = id;
gid = id;
};
in {
systemd-oom = uidGid 999;
systemd-coredump = uidGid 998;
sshd = uidGid 997;
nscd = uidGid 996;
polkituser = uidGid 995;
microvm = uidGid 994;
promtail = uidGid 993;
grafana = uidGid 992;
acme = uidGid 991;
kanidm = uidGid 990;
loki = uidGid 989;
vaultwarden = uidGid 988;
oauth2-proxy = uidGid 987;
influxdb2 = uidGid 986;
telegraf = uidGid 985;
rtkit = uidGid 984;
git = uidGid 983;
redis-paperless = uidGid 982;
nixseparatedebuginfod = uidGid 981;
msr = uidGid 980;
fwupd-refresh = uidGid 979;
radicale = uidGid 978;
podman = uidGid 977;
maddy = uidGid 976;
minecraft = uidGid 975;
stalwart-mail = uidGid 974;
netbird-home = uidGid 973;
};
}


@ -1,37 +1,10 @@
{inputs, ...}: {
{
disabledModules = [
"services/security/kanidm.nix"
"services/networking/netbird.nix"
];
imports = [
inputs.agenix-rekey.nixosModules.default
inputs.agenix.nixosModules.default
inputs.disko.nixosModules.disko
inputs.elewrap.nixosModules.default
inputs.home-manager.nixosModules.default
inputs.impermanence.nixosModules.impermanence
inputs.nix-topology.nixosModules.default
inputs.nixos-extra-modules.nixosModules.default
inputs.nixos-nftables-firewall.nixosModules.default
../users/root
./config/boot.nix
./config/home-manager.nix
./config/impermanence.nix
./config/inputrc.nix
./config/issue.nix
./config/net.nix
./config/nftables.nix
./config/nix.nix
./config/resolved.nix
./config/secrets.nix
./config/ssh.nix
./config/system.nix
./config/topology.nix
./config/users.nix
./acme-wildcard.nix
./backups.nix
./deterministic-ids.nix
@ -45,9 +18,4 @@
./secrets.nix
./telegraf.nix
];
nixpkgs.overlays = [
inputs.nixvim.overlays.default
inputs.wired-notify.overlays.default
];
}
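Review bot: The new side of this section drops the `disabledModules` entries for `services/security/kanidm.nix` and `services/networking/netbird.nix` together with the `inputs.*` imports, and nothing visible here re-adds them; if they moved into the new config modules that is fine, but if they were dropped, the upstream nixpkgs modules would be evaluated alongside the replacements from `inputs.nixos-extra-modules`, which typically shows up as duplicate option declarations at evaluation time. The second hunk removes `nixpkgs.overlays` from this file in the same way, so the same check applies there. Worth confirming in the new entry point that both blocks survive the move. A one-line header comment would document the split the commit title describes, e.g. `# Reusable modules only; the host-level configuration was moved to ./config` (adjust the path to wherever the config modules now live).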


@ -1,32 +0,0 @@
{
pkgs,
lib,
minimal,
...
}:
lib.optionalAttrs (!minimal) {
imports = [
./documentation.nix
./embedded.nix
./yubikey.nix
];
environment.systemPackages = [pkgs.man-pages pkgs.man-pages-posix];
environment.enableDebugInfo = true;
# Add the agenix-rekey sandbox path permanently to avoid adding myself to trusted-users
nix.settings.extra-sandbox-paths = ["/var/tmp/agenix-rekey"];
environment.persistence."/state".directories = [
{
directory = "/var/tmp/agenix-rekey";
mode = "1777";
}
{
directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept
mode = "1777";
}
];
services.nixseparatedebuginfod.enable = true;
}


@ -1,12 +0,0 @@
{
lib,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [man-pages];
documentation = {
dev.enable = true;
man.enable = true;
info.enable = lib.mkForce false;
};
}


@ -1,3 +0,0 @@
{pkgs, ...}: {
services.udev.packages = [pkgs.stlink];
}


@ -1,5 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [yubikey-manager yubikey-personalization age-plugin-yubikey];
services.udev.packages = with pkgs; [yubikey-personalization libu2f-host];
services.pcscd.enable = true;
}


@ -1,126 +0,0 @@
{
config,
inputs,
lib,
minimal,
pkgs,
...
}: let
inherit
(lib)
mkIf
mkOption
types
optionalAttrs
;
in
{
options.graphical.gaming.enable = mkOption {
description = "Enables gaming on this machine and will add a lot of gaming related packages and configuration.";
default = false;
type = types.bool;
};
}
// optionalAttrs (!minimal) {
imports = [
inputs.stylix.nixosModules.stylix
./fonts.nix
./steam.nix
./wayland.nix
./xserver.nix
];
config = {
# For Star Citizen. See https://github.com/starcitizen-lug/knowledge-base/wiki for more info.
boot.kernel.sysctl = mkIf config.graphical.gaming.enable {
"vm.max_map_count" = 16777216;
"fs.file-max" = 524288;
};
# Needed for gtk
programs.dconf.enable = true;
# Required for gnome3 pinentry
services.dbus.packages = [pkgs.gcr];
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
config.common = {
default = ["gtk"];
"org.freedesktop.impl.portal.Secret" = [
"gnome-keyring"
];
};
extraPortals = [pkgs.xdg-desktop-portal-gtk];
};
stylix = {
# I want to choose what to style myself.
autoEnable = false;
image = config.lib.stylix.pixel "base00";
polarity = "dark";
# onedark
# base16Scheme = {
# base00 = "#282c34";
# base01 = "#353b45";
# base02 = "#3e4451";
# base03 = "#545862";
# base04 = "#565c64";
# base05 = "#abb2bf";
# base06 = "#b6bdca";
# base07 = "#c8ccd4";
# base08 = "#e06c75";
# base09 = "#d19a66";
# base0A = "#e5c07b";
# base0B = "#98c379";
# base0C = "#56b6c2";
# base0D = "#61afef";
# base0E = "#c678dd";
# base0F = "#9378de";
# };
# based on decaycs-dark, normal variant
base16Scheme = {
base00 = "#101419";
base01 = "#171b20";
base02 = "#21262e";
base03 = "#242931";
base04 = "#485263";
base05 = "#b6beca";
base06 = "#dee1e6";
base07 = "#e3e6eb";
base08 = "#e05f65";
base09 = "#f9a872";
base0A = "#f1cf8a";
base0B = "#78dba9";
base0C = "#74bee9";
base0D = "#70a5eb";
base0E = "#c68aee";
base0F = "#9378de";
};
## based on decaycs-dark, bright variant
#base16Scheme = {
# base00 = "#101419";
# base01 = "#171B20";
# base02 = "#21262e";
# base03 = "#242931";
# base04 = "#485263";
# base05 = "#b6beca";
# base06 = "#dee1e6";
# base07 = "#e3e6eb";
# base08 = "#e5646a";
# base09 = "#f7b77c";
# base0A = "#f6d48f";
# base0B = "#94F7C5";
# base0C = "#79c3ee";
# base0D = "#75aaf0";
# base0E = "#cb8ff3";
# base0F = "#9d85e1";
#};
};
};
}


@ -1,62 +0,0 @@
{pkgs, ...}: {
fonts = {
# Always prefer emojis even if the original font would provide a glyph
fontconfig.localConf = ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<alias binding="weak">
<family>monospace</family>
<prefer>
<family>emoji</family>
</prefer>
</alias>
<alias binding="weak">
<family>sans-serif</family>
<prefer>
<family>emoji</family>
</prefer>
</alias>
<alias binding="weak">
<family>serif</family>
<prefer>
<family>emoji</family>
</prefer>
</alias>
</fontconfig>
'';
packages = with pkgs; [
(pkgs.nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk-serif
noto-fonts-emoji
noto-fonts-extra
];
};
stylix.fonts = {
serif = {
package = pkgs.dejavu_fonts;
name = "IBM Plex Serif";
};
sansSerif = {
package = pkgs.segoe-ui-ttf;
name = "Segoe UI";
};
monospace = {
# No need for patched nerd fonts, kitty can pick up on them automatically,
# and ideally every program should do that: https://sw.kovidgoyal.net/kitty/faq/#kitty-is-not-able-to-use-my-favorite-font
package = pkgs.jetbrains-mono;
name = "JetBrains Mono";
};
emoji = {
package = pkgs.segoe-ui-ttf;
name = "Segoe UI Emoji";
};
};
}


@ -1,18 +0,0 @@
{
lib,
config,
pkgs,
...
}: {
config = lib.mkIf config.graphical.gaming.enable {
programs.steam = {
enable = true;
package = pkgs.steam.override {
extraPkgs = pkgs:
with pkgs; [
# add packages here in case any game needs them...
];
};
};
};
}


@ -1,6 +0,0 @@
{
xdg.portal = {
wlr.enable = true;
config.sway.default = ["wlr"];
};
}


@ -1,34 +0,0 @@
{
services.xserver = {
enable = true;
dpi = 96;
displayManager.startx.enable = true;
desktopManager.xterm.enable = false;
autoRepeatDelay = 235;
autoRepeatInterval = 60;
videoDrivers = ["modesetting"];
xkb.layout = "de";
xkb.variant = "nodeadkeys";
};
services.libinput = {
enable = true;
mouse = {
accelProfile = "flat";
accelSpeed = "0";
middleEmulation = false;
};
# touchpad = {
# accelProfile = "flat";
# accelSpeed = "0.5";
# naturalScrolling = true;
# disableWhileTyping = true;
# };
};
services.autorandr.enable = true;
# Enable for Xorg debugging
# services.xserver.modules = lib.mkBefore [(pkgs.enableDebugging pkgs.xorg.xorgserver).out];
# environment.etc."X11/xinit/xserverrc".source = lib.mkForce (pkgs.writeShellScript "xserverrc" ''
# exec ${pkgs.enableDebugging pkgs.xorg.xorgserver}/bin/X ${toString config.services.xserver.displayManager.xserverArgs} "$@"
# '');
}


@ -1,30 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [bluetuith];
environment.persistence."/persist".directories = [
"/var/lib/bluetooth"
];
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
disabledPlugins = ["sap"];
settings = {
General = {
FastConnectable = "true";
JustWorksRepairing = "always";
MultiProfile = "multiple";
Enable = "Source,Sink,Media,Socket";
};
};
};
hardware.pulseaudio = {
package = pkgs.pulseaudio.override {bluetoothSupport = true;};
extraConfig = ''
load-module module-bluetooth-discover
load-module module-bluetooth-policy
load-module module-switch-on-connect
'';
extraModules = with pkgs; [pulseaudio-modules-bt];
};
}


@ -1,4 +0,0 @@
{
boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net" "virtio_scsi" "virtio_blk"];
topology.self.icon = "devices.cloud-server";
}


@ -1,3 +0,0 @@
{
powerManagement.cpuFreqGovernor = "powersave";
}


@ -1,29 +0,0 @@
{
lib,
minimal,
pkgs,
...
}:
lib.optionalAttrs (!minimal) {
boot.blacklistedKernelModules = ["nouveau"];
services.xserver.videoDrivers = lib.mkForce ["nvidia"];
hardware = {
nvidia = {
modesetting.enable = true;
nvidiaPersistenced = true;
nvidiaSettings = true;
open = true;
powerManagement.enable = true;
};
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
extraPackages = with pkgs; [
vaapiVdpau
nvidia-vaapi-driver
];
};
};
}


@ -1,27 +0,0 @@
{inputs, ...}: {
imports = [
inputs.nixos-hardware.nixosModules.common-pc-ssd
./physical.nix
];
boot.initrd.availableKernelModules = [
"usbhid"
"usb_storage"
# Ethernet
"dwmac_generic"
"dwmac_meson8b"
"cfg80211"
# HDMI
"snd_soc_meson_g12a_tohdmitx"
"snd_soc_meson_g12a_toacodec"
"mdio_mux_meson_g12a"
"dw_hdmi"
"meson_vdec"
"meson_dw_hdmi"
"meson_drm"
"meson_rng"
"drm"
"display_connector"
];
boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
}


@ -1,18 +0,0 @@
# Configuration for actual physical machines
{
config,
lib,
minimal,
...
}: {
hardware = {
enableRedistributableFirmware = true;
enableAllFirmware = true;
};
services = lib.mkIf (!minimal) {
fwupd.enable = true;
smartd.enable = true;
thermald.enable = builtins.elem config.nixpkgs.hostPlatform.system ["x86_64-linux"];
};
}


@ -1,29 +0,0 @@
{
config,
pkgs,
...
}: {
age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 4;
hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
};
# Make sure that there is always a valid initrd hostkey available that can be installed into
# the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
# whatever is given, since the correct hostkey doesn't even exist yet. We still require
# a valid hostkey to be available so that the initrd can be generated successfully.
# The correct initrd host-key will be installed with the next update after the host is booted
# for the first time, and the secrets were rekeyed for the the new host identity.
system.activationScripts.agenixEnsureInitrdHostkey = {
text = ''
[[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
|| ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
'';
deps = ["agenixInstall" "users"];
};
system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
}


@ -1,21 +0,0 @@
{
systemd.network.wait-online.anyInterface = true;
services = {
tlp.enable = true;
physlock.enable = true;
logind = {
lidSwitch = "ignore";
lidSwitchDocked = "ignore";
lidSwitchExternalPower = "ignore";
extraConfig = ''
HandlePowerKey=suspend
HandleSuspendKey=suspend
HandleHibernateKey=suspend
PowerKeyIgnoreInhibited=yes
SuspendKeyIgnoreInhibited=yes
HibernateKeyIgnoreInhibited=yes
'';
};
};
}


@ -1,37 +0,0 @@
{
lib,
minimal,
pkgs,
...
}:
lib.optionalAttrs (!minimal) {
# Helpful utilities:
# Show pipewire devices and application overview or specifics
# > wpctl status; wpctl inspect <id>
# View real time node and device statistics
# > pw-top
# Show actual used playback stream settings
# > cat /proc/asound/card*/pcm*p/sub*/hw_params
# Compare resamplers on: https://src.infinitewave.ca/
sound.enable = false; # ALSA
hardware.pulseaudio.enable = lib.mkForce false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
jack.enable = true;
pulse.enable = true;
wireplumber.enable = true;
extraConfig.pipewire."99-allowed-rates"."context.properties"."default.clock.allowed-rates" = [
44100
48000
88200
96000
176400
192000
];
};
environment.systemPackages = with pkgs; [pulseaudio pulsemixer];
}


@ -1,45 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
boot.supportedFilesystems = ["zfs"];
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
# The root pool should never be imported forcefully.
# Failure to import is important to notice!
boot.zfs.forceImportRoot = false;
environment.systemPackages = with pkgs; [zfs];
services.zfs = {
autoScrub = {
enable = true;
interval = "weekly";
};
trim = {
enable = true;
interval = "weekly";
};
};
services.telegraf.extraConfig.inputs = lib.mkIf config.services.telegraf.enable {
zfs.poolMetrics = true;
};
# TODO remove once this is upstreamed
boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
# After importing the rpool, rollback the root system to be empty.
boot.initrd.systemd.services.impermanence-root = {
wantedBy = ["initrd.target"];
after = ["zfs-import-rpool.service"];
before = ["sysroot.mount"];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
};
};
}