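# Settings that most of my hosts can agree on, but
# some of these settings are overridden on a per-host basis.
#
# Module arguments: `pkgs`, `lib` and `config` are the usual NixOS module
# arguments; `inputs` is the flake input set, of which only `inputs.self` is
# read (for the revision embedded in `system.nixos.label`).
{
  pkgs,
  lib,
  config,
  inputs,
  ...
}: let
  cfg = config.settings;
  # All module-system helpers are taken from the `lib` argument so the file
  # does not mix `lib.*` and `pkgs.lib.*` for the same functions.
  inherit (lib) mkDefault mkIf mkOverride optional;

  # Second sshd port. It is always reachable over the VPN interface and only
  # reachable from everywhere when `settings.ssh.openOutsideVPN` is enabled.
  highSSHPort = 38611;

  # Interface the VPN-only firewall rules are attached to (tailscale's).
  vpnInterface = config.services.tailscale.interfaceName;

  # The remote-build user only makes sense when sshd runs, since that is the
  # only way it is reached.
  enableHydraMinion = config.services.openssh.enable;
in {
  imports = [
    ./7-days-to-die.nix
    ./hdparm.nix
    ./malte.nix
    ./marie.nix
    ./deck.nix
    ./radicale.nix
    ./restic.nix
    ./taskserver.nix
    ./wakeup.nix
    ./darkman.nix
    ./state.nix
  ];

  # Per-host switches consumed below (and, presumably, by the imported
  # modules; `nvidiaUsed`, `batteryStuff` and `hiDPI` are not read here).
  options.settings = with lib; {
    nvidiaUsed = mkEnableOption "NVIDIA graphic card usage";
    minimalGnome.enable = mkEnableOption "basic gnome stuff";
    ssh.openOutsideVPN = mkEnableOption "an additional ssh port outside the VPN";
    batteryStuff.enable = mkEnableOption "battery-related things";
    hiDPI.enable = mkEnableOption "High-DPI display";
  };

  config = {
    # Allow joypixels' license and unfree licenses in general
    nixpkgs.config = {
      # TODO: Fix once allowUnfree works for home-manager again
      allowUnfreePredicate = _: true;
      joypixels.acceptLicense = true;
    };

    # Some overlays: local packages built from ../pkgs
    nixpkgs.overlays = [
      (_: super: {
        darkman = super.callPackage ../pkgs/darkman.nix {};
        "2i-emulator" = super.callPackage ../pkgs/2i-emulator.nix {};
        boilr = super.callPackage ../pkgs/boilr.nix {};
        # Add fonts
        hackNerdLigatures = super.callPackage ../pkgs/hack.nix {};
      })
    ];

    # This includes the firmware, oc
    hardware.enableRedistributableFirmware = true;

    # Add certificate authority used for my servers.
    # This lands in the system-wide trust store, so every TLS client on the
    # host accepts any certificate issued by this CA; the CA's private key
    # therefore has to be kept as carefully as a root credential.
    security.pki.certificates = [
      (builtins.readFile ../secrets/ca.crt)
    ];

    # Label each generation with the sorted tags, the NixOS version and the
    # flake's short git revision.
    # `dirtyShortRev` is only present for a dirty worktree on newer Nix and
    # `shortRev` only for a clean one; the final fallback (a constructed
    # placeholder) keeps the label evaluable instead of failing the build
    # when neither attribute exists (older Nix with a dirty tree).
    # Tags and version are joined with the same separator, so the label is
    # "tag-tag-version-SHA:rev" (the version is not glued onto the last tag).
    system.nixos.label = let
      rev = inputs.self.dirtyShortRev or (inputs.self.shortRev or "unknown");
      sortedTags = builtins.sort (x: y: x < y) config.system.nixos.tags;
    in
      (builtins.concatStringsSep "-" (sortedTags ++ [config.system.nixos.version])) + "-SHA:${rev}";

    # Use some binary caches
    nix.settings = {
      # Public keys the daemon accepts signatures from. Every key here can
      # vouch for store paths on this host, so review additions carefully.
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
        "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
        # Key for the `cache.home` substituter; its URL is not in the list
        # below, presumably it is added per host - verify on the hosts using it
        "cache.home:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      ];
      substituters = [
        "https://cache.nixos.org"
        "https://nixpkgs-wayland.cachix.org"
        "https://colmena.cachix.org"
        "https://hyprland.cachix.org"
      ];
      # NOTE(security): the nix daemon treats trusted users as root-equivalent
      # (they may hand it arbitrary substituters, keys and settings), so this
      # list deserves the same scrutiny as sudoers.
      trusted-users =
        [
          # Hand the wheel group extra nix daemon rights
          "@wheel"
        ]
        # The hydra-minion is trusted as well; its authorized SSH keys below
        # therefore gate root-equivalent access to this host.
        ++ optional enableHydraMinion config.users.users.hydra-minion.name;
    };

    # Dedicated user that the remote builder logs in as. Only created
    # together with sshd (see `enableHydraMinion`).
    users.users.hydra-minion = mkIf enableHydraMinion {
      description = "Hydra Minion for remote building";
      isSystemUser = true;
      home = "/home/hydra-minion";
      createHome = true;
      # Needs a real login shell because nix reaches it via `ssh ... nix-store`.
      useDefaultShell = true;
      group = config.users.groups.hydra-minion.name;
      # Key-only access: the overseer's key for builds plus my own yubikey
      # for debugging.
      openssh.authorizedKeys.keyFiles = [
        ../users/malte/yubikey.pub
        ../secrets/hydra-overseer.pub
      ];
    };
    users.groups.hydra-minion = mkIf enableHydraMinion {};

    # Make sure that I can login over the tailscale infrastructure while
    # increasing security: sshd listens on both ports, but the firewall only
    # admits them on the VPN interface unless a host opts in below.
    services.openssh = {
      enable = mkDefault true;
      ports = [22 highSSHPort];
      # Firewall rules are managed explicitly per interface below.
      openFirewall = false;
    };
    networking.firewall.interfaces.${vpnInterface} = {
      # Allow default port over VPN
      allowedTCPPorts = [22 highSSHPort];
    };
    # Add extra high port if requested for those outside the VPN. With this
    # enabled sshd (including root key login, see below) is reachable from
    # the internet on `highSSHPort`.
    networking.firewall.allowedTCPPorts = optional cfg.ssh.openOutsideVPN highSSHPort;
    # Tailscale exit node seem to have a problem with strict checking.
    # "loose" only requires the source address to be routable via *some*
    # interface, which weakens spoofing protection compared with the strict
    # default; keep that in mind for hosts that expose ports outside the VPN.
    networking.firewall.checkReversePath = "loose";
    # Add yubikey for root authentication over SSH (key-only). This relies on
    # sshd's PermitRootLogin staying at the NixOS default of
    # prohibit-password - TODO confirm no host loosens it.
    users.users.root.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
    # Enable mosh for some SSH superpower. NOTE(review): the mosh module
    # presumably opens its UDP port range on the firewall by default - check
    # this is intended on hosts with `ssh.openOutsideVPN`.
    programs.mosh.enable = mkDefault true;

    # Basic packages
    environment.systemPackages = with pkgs; [
      # I might need git for rebuilding this flake on the remote machine
      git
      # Sops is for security
      sops
      # top is lacking pizzazz
      btop
      # An initial `tailscale up` is necessary to get the network going
      tailscale
      # I will need to have access to helix
      helix
      # I much rather use some tools other than the default
      fd
      du-dust
      ripgrep
    ];

    # Language and timezone defaults
    time.timeZone = "Europe/Berlin";
    i18n.supportedLocales = [
      "en_US.UTF-8/UTF-8"
      "de_DE.UTF-8/UTF-8"
    ];

    # Use the latest kernel, this is altered on some hosts with zfs requirements.
    # Priority 2000 is weaker than mkDefault (1000), so a host can override
    # this with a plain mkDefault instead of having to use mkForce.
    boot.kernelPackages = mkOverride 2000 pkgs.linuxPackages_latest;
    boot.loader.timeout = mkDefault 1;
    # This setting is fine, on hosts with x/wayland, I'll want to increase this
    boot.loader.systemd-boot.configurationLimit = 10;

    # Network configuration with tailscale
    networking.useDHCP = false;
    # Enable tailscale!
    services.tailscale = {
      enable = true;
      interfaceName = "looking-glas";
    };
    # Tailscale's own UDP port has to be reachable from outside the VPN.
    networking.firewall.allowedUDPPorts = [config.services.tailscale.port];

    # Regularly clear the store
    nix.gc = {
      automatic = true;
      dates = mkDefault "weekly";
    };

    # Enable store optimiser
    nix.optimise = {
      automatic = true;
      dates = ["04:00"];
    };

    # GNOME
    # Don't forget to import DISPLAY into dbus variables
    programs.dconf.enable = mkDefault cfg.minimalGnome.enable;
    programs.seahorse.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.at-spi2-core.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.gnome-keyring.enable = mkDefault cfg.minimalGnome.enable;
    services.dbus.packages = optional cfg.minimalGnome.enable pkgs.gcr;
  };
}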