nixos/modules/base-system.nix

# Settings that most of my hosts can agree on, but
# some of these settings are overriden on a per-host basis.
{
  pkgs,
  lib,
  config,
  ...
}: let
  cfg = config.settings;
  inherit (lib) mkDefault;

  highSSHPort = 38611;

  vpnInterface = config.services.tailscale.interfaceName;
  enableHydraMinion = config.services.openssh.enable;
in {
  imports = [
    ./7-days-to-die.nix
    ./grafana.nix
    ./hdparm.nix
    ./malte.nix
    ./marie.nix
    ./photoprism.nix
    ./radicale.nix
    ./restic.nix
    ./scanner.nix
    ./taskserver.nix
    ./wakeup.nix
    ./darkman.nix
  ];

  options.settings = with lib; {
    nvidiaUsed = mkEnableOption "NVIDIA graphic card usage";
    minimalGnome.enable = mkEnableOption "basic gnome stuff";
    printing.enable = mkEnableOption "the printing/printers configuration";
    ssh.openOutsideVPN = mkEnableOption "an additional ssh port outside the VPN";
  };

  config = {
    # Allow joypixels' license and unfree licenses in general
    nixpkgs.config = {
      # TODO: Fix once allowUnfree works for home-manager again
      allowUnfreePredicate = pkg: true;
      joypixels.acceptLicense = true;
    };
    # This includes the firmware, oc
    hardware.enableRedistributableFirmware = true;
    # Add certificate authority used for my servers
    security.pki.certificates = [
      (builtins.readFile ../secrets/ca.crt)
    ];

    # Use some binary caches
    nix.settings = {
      # add binary caches
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
        "2a-emulator.cachix.org-1:ijJDEqNsMqhamxxWvqOiaCQNoYhWNw7A+gGICgAH1mE="
        "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
        "nickel.cachix.org-1:ABoCOGpTJbAum7U6c+04VbjvLxG9f0gJP5kYihRRdQs="
        # Currently running hydra
        "elysia-clarki:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
      ];
      substituters = [
        "https://cache.nixos.org"
        "https://nixpkgs-wayland.cachix.org"
        "https://2a-emulator.cachix.org"
        "https://colmena.cachix.org"
        "https://nickel.cachix.org"
      ];
      trusted-users =
        [
          # Hand the wheel group extra nix daemon rights
          "@wheel"
          # The hydra-minion is trusted aswell
        ]
        ++ lib.optional enableHydraMinion config.users.users.hydra-minion.name;
    };

    users.users.hydra-minion = lib.mkIf enableHydraMinion {
      description = "Hydra Minion for remote building";
      isSystemUser = true;
      home = "/home/hydra-minion";
      createHome = true;
      useDefaultShell = true;
      group = config.users.groups.hydra-minion.name;
      openssh.authorizedKeys.keyFiles = [
        ../users/malte/yubikey.pub
        ../secrets/hydra-overseer.pub
      ];
    };
    users.groups.hydra-minion = lib.mkIf enableHydraMinion {};

    # Make sure that I can login over the tailscale infrastructure while increasing security
    services.openssh = {
      enable = pkgs.lib.mkDefault true;
      ports = [22 highSSHPort];
      openFirewall = false;
    };
    networking.firewall.interfaces.${vpnInterface} = {
      # Allow default port over VPN
      allowedTCPPorts = [22 highSSHPort];
    };
    # Add extra high port if requested for those outside the VPN
    networking.firewall.allowedTCPPorts = lib.optional cfg.ssh.openOutsideVPN highSSHPort;
    # Tailscale exit node seem to have a problem with strict checking
    networking.firewall.checkReversePath = "loose";
    # Add yubikey for root authentication
    users.users.root.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
    # Enable mosh for some SSH superpower
    programs.mosh.enable = pkgs.lib.mkDefault true;

    # Basic packages
    environment.systemPackages = with pkgs; [
      # I might need git for rebuilding this flake on the remote machine
      git
      # Sops is for security
      sops
      # top is lacking pizzazz
      htop
      btop
      # An initial `tailscale up` is necessary to get the network going
      tailscale
      # I will need to have access to kakoune
      kakoune
      # I much rather use some tools other than the default
      fd
      du-dust
      ripgrep
    ];

    # Language and timezone defaults
    time.timeZone = "Europe/Berlin";
    i18n.defaultLocale = pkgs.lib.mkDefault "en_US.UTF-8";

    # Use the latest kernel, this is altered on some hosts with zfs requirements
    boot.kernelPackages = pkgs.lib.mkDefault pkgs.linuxPackages_latest;
    boot.loader.timeout = pkgs.lib.mkDefault 1;
    # This setting is fine, on hosts with x/wayland, I'll want to increase this
    boot.loader.systemd-boot.configurationLimit = 10;

    # Network configuration with tailscale
    networking.useDHCP = false;
    # Enable tailscale!
    services.tailscale = {
      enable = true;
      interfaceName = "looking-glas";
    };
    networking.firewall.allowedUDPPorts = [config.services.tailscale.port];

    # Regularly clear the store
    nix.gc = {
      automatic = true;
      dates = lib.mkDefault "weekly";
    };

    # Enable store optimiser
    nix.optimise = {
      automatic = true;
      dates = ["04:00"];
    };

    # Printing!
    services.printing = lib.mkIf cfg.printing.enable {
      enable = true;
      drivers = [pkgs.samsung-unified-linux-driver];
    };
    hardware.printers = lib.mkIf cfg.printing.enable {
      ensureDefaultPrinter = mkDefault "Laser-Boi";
      ensurePrinters = lib.singleton {
        description = "The fastest Boi in town!";
        deviceUri = "usb://Samsung/ML-1640%20Series?serial=144QBAHS600499T.";
        location = "@Home";
        model = "samsung/ML-1640.ppd";
        name = "Laser-Boi";
        ppdOptions = {
          PageSize = "A4";
          Resolution = "600dpi";
        };
      };
    };

    # GNOME
    # Don't forget to import DISPLAY into dbus variables
    programs.dconf.enable = mkDefault cfg.minimalGnome.enable;
    programs.seahorse.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.at-spi2-core.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.gnome-keyring.enable = mkDefault cfg.minimalGnome.enable;
    services.dbus.packages = lib.optional cfg.minimalGnome.enable [pkgs.gcr];
  };
}
[module/base-system] Extract into module 2022-01-14 12:41:06 +01:00			`# Settings that most of my hosts can agree on, but`
			`# some of these settings are overriden on a per-host basis.`
			`{`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`pkgs,`
			`lib,`
			`config,`
			`...`
[modules/base-system,host/helix-texta] Enable minimal gnome 2022-04-13 08:50:12 +02:00			`}: let`
			`cfg = config.settings;`
[*] Apply statix fixes 2022-05-30 18:35:52 +02:00			`inherit (lib) mkDefault;`
[module/base-system] Harden system Move SSH port, utilize VPN. 2022-05-19 01:31:32 +02:00
			`highSSHPort = 38611;`

			`vpnInterface = config.services.tailscale.interfaceName;`
[host/elysia-clarki] Experiment with hydra minions 2022-05-23 15:59:42 +02:00			`enableHydraMinion = config.services.openssh.enable;`
[modules/base-system,host/helix-texta] Enable minimal gnome 2022-04-13 08:50:12 +02:00			`in {`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`imports = [`
			`./7-days-to-die.nix`
			`./grafana.nix`
[module/hdparm,host/murex-pecten] Configure HDDs on boot 2022-03-15 15:22:22 +01:00			`./hdparm.nix`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`./malte.nix`
			`./marie.nix`
[modules/scanner] Fix backend scanner issues Scanning works now and does not need a rebuild of libreoffice and wine. 2022-04-15 18:41:20 +02:00			`./photoprism.nix`
			`./radicale.nix`
			`./restic.nix`
			`./scanner.nix`
[module/taskserver,user/malte] Basic task syncing capabilities Needs further work, especially regarding reproduceability 2022-03-29 13:26:19 +02:00			`./taskserver.nix`
[modules/scanner] Fix backend scanner issues Scanning works now and does not need a rebuild of libreoffice and wine. 2022-04-15 18:41:20 +02:00			`./wakeup.nix`
[user/malte,module/base-system] Initial dark/light-mode 2022-05-08 21:41:26 +02:00			`./darkman.nix`
[MODULES] Streamline some of the modules 2022-02-19 16:01:47 +01:00			`];`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00
[host/murex-pecten] Switch to sway, adapt config 2022-03-12 23:23:53 +01:00			`options.settings = with lib; {`
[modules/base-system,host/helix-texta] Enable minimal gnome 2022-04-13 08:50:12 +02:00			`nvidiaUsed = mkEnableOption "NVIDIA graphic card usage";`
			`minimalGnome.enable = mkEnableOption "basic gnome stuff";`
[module/base-system] Add/enable printing configuration 2022-05-18 17:01:03 +02:00			`printing.enable = mkEnableOption "the printing/printers configuration";`
[module/base-system] Harden system Move SSH port, utilize VPN. 2022-05-19 01:31:32 +02:00			`ssh.openOutsideVPN = mkEnableOption "an additional ssh port outside the VPN";`
[host/murex-pecten] Switch to sway, adapt config 2022-03-12 23:23:53 +01:00			`};`

[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			`config = {`
			`# Allow joypixels' license and unfree licenses in general`
			`nixpkgs.config = {`
[module/base-system] Remove enableAllFirmware 2022-05-07 10:32:05 +02:00			`# TODO: Fix once allowUnfree works for home-manager again`
			`allowUnfreePredicate = pkg: true;`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			`joypixels.acceptLicense = true;`
			`};`
			`# This includes the firmware, oc`
			`hardware.enableRedistributableFirmware = true;`
[host/elysia-clarki] Enable nginx for photoprism 2022-04-18 19:45:06 +02:00			`# Add certificate authority used for my servers`
			`security.pki.certificates = [`
			`(builtins.readFile ../secrets/ca.crt)`
			`];`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`# Use some binary caches`
			`nix.settings = {`
			`# add binary caches`
			`trusted-public-keys = [`
			`"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="`
			`"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="`
			`"2a-emulator.cachix.org-1:ijJDEqNsMqhamxxWvqOiaCQNoYhWNw7A+gGICgAH1mE="`
			`"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="`
[flake] Add nickel input 2022-03-24 08:55:34 +01:00			`"nickel.cachix.org-1:ABoCOGpTJbAum7U6c+04VbjvLxG9f0gJP5kYihRRdQs="`
[module/hydra] Create and run on elysia-clarki Also add initial hydraJobs to the flake 2022-03-25 18:46:53 +01:00			`# Currently running hydra`
[host/elysia-clarki] Experiment with nix-serve 2022-04-07 22:12:54 +02:00			`"elysia-clarki:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`];`
			`substituters = [`
			`"https://cache.nixos.org"`
			`"https://nixpkgs-wayland.cachix.org"`
			`"https://2a-emulator.cachix.org"`
			`"https://colmena.cachix.org"`
[flake] Add nickel input 2022-03-24 08:55:34 +01:00			`"https://nickel.cachix.org"`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`];`
[host/elysia-clarki] Experiment with hydra minions 2022-05-23 15:59:42 +02:00			`trusted-users =`
			`[`
			`# Hand the wheel group extra nix daemon rights`
			`"@wheel"`
			`# The hydra-minion is trusted aswell`
			`]`
			`++ lib.optional enableHydraMinion config.users.users.hydra-minion.name;`
			`};`

			`users.users.hydra-minion = lib.mkIf enableHydraMinion {`
			`description = "Hydra Minion for remote building";`
			`isSystemUser = true;`
			`home = "/home/hydra-minion";`
			`createHome = true;`
			`useDefaultShell = true;`
			`group = config.users.groups.hydra-minion.name;`
			`openssh.authorizedKeys.keyFiles = [`
			`../users/malte/yubikey.pub`
			`../secrets/hydra-overseer.pub`
[module/base-system] Set wheel group as trusted users 2022-04-07 22:19:59 +02:00			`];`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`};`
[host/elysia-clarki] Experiment with hydra minions 2022-05-23 15:59:42 +02:00			`users.groups.hydra-minion = lib.mkIf enableHydraMinion {};`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00
[module/base-system] Harden system Move SSH port, utilize VPN. 2022-05-19 01:31:32 +02:00			`# Make sure that I can login over the tailscale infrastructure while increasing security`
			`services.openssh = {`
			`enable = pkgs.lib.mkDefault true;`
Formatting 2022-05-23 15:52:27 +02:00			`ports = [22 highSSHPort];`
[module/base-system] Harden system Move SSH port, utilize VPN. 2022-05-19 01:31:32 +02:00			`openFirewall = false;`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			`};`
Format 2022-06-12 08:32:56 +02:00			`networking.firewall.interfaces.${vpnInterface} = {`
			`# Allow default port over VPN`
			`allowedTCPPorts = [22 highSSHPort];`
			`};`
[module/base-system] Harden system Move SSH port, utilize VPN. 2022-05-19 01:31:32 +02:00			`# Add extra high port if requested for those outside the VPN`
			`networking.firewall.allowedTCPPorts = lib.optional cfg.ssh.openOutsideVPN highSSHPort;`
[module/base-system] Loosen firewall checking for tailscale 2022-05-23 15:51:50 +02:00			`# Tailscale exit node seem to have a problem with strict checking`
			`networking.firewall.checkReversePath = "loose";`
[module/base-system] Harden system Move SSH port, utilize VPN. 2022-05-19 01:31:32 +02:00			`# Add yubikey for root authentication`
			`users.users.root.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			`# Enable mosh for some SSH superpower`
			`programs.mosh.enable = pkgs.lib.mkDefault true;`

			`# Basic packages`
			`environment.systemPackages = with pkgs; [`
			`# I might need git for rebuilding this flake on the remote machine`
			`git`
			`# Sops is for security`
			`sops`
			`# top is lacking pizzazz`
			`htop`
[module/base-system] Add btop! 2022-05-27 20:26:11 +02:00			`btop`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			# An initial `tailscale up` is necessary to get the network going
			`tailscale`
[user/malte] [module/base] Yeet neovim 2022-02-15 13:24:57 +01:00			`# I will need to have access to kakoune`
			`kakoune`
			`# I much rather use some tools other than the default`
Formatting 2022-02-15 14:58:39 +01:00			`fd`
			`du-dust`
			`ripgrep`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			`];`

			`# Language and timezone defaults`
			`time.timeZone = "Europe/Berlin";`
			`i18n.defaultLocale = pkgs.lib.mkDefault "en_US.UTF-8";`

			`# Use the latest kernel, this is altered on some hosts with zfs requirements`
			`boot.kernelPackages = pkgs.lib.mkDefault pkgs.linuxPackages_latest;`
			`boot.loader.timeout = pkgs.lib.mkDefault 1;`
			`# This setting is fine, on hosts with x/wayland, I'll want to increase this`
			`boot.loader.systemd-boot.configurationLimit = 10;`

			`# Network configuration with tailscale`
			`networking.useDHCP = false;`
			`# Enable tailscale!`
			`services.tailscale = {`
			`enable = true;`
			`interfaceName = "looking-glas";`
			`};`
[*] Redo flake.nix, use utils-plus, new formatter 2022-03-23 13:10:18 +01:00			`networking.firewall.allowedUDPPorts = [config.services.tailscale.port];`
[module/base-system] Enable gc and store optimizations for all 2022-03-24 08:56:05 +01:00
[modules/base-system] Make nix garbage collection less aggressive 2022-03-30 12:13:21 +02:00			`# Regularly clear the store`
[module/base-system] Enable gc and store optimizations for all 2022-03-24 08:56:05 +01:00			`nix.gc = {`
			`automatic = true;`
[modules/base-system] Make nix garbage collection less aggressive 2022-03-30 12:13:21 +02:00			`dates = lib.mkDefault "weekly";`
[module/base-system] Enable gc and store optimizations for all 2022-03-24 08:56:05 +01:00			`};`
[modules/base-system,host/helix-texta] Enable minimal gnome 2022-04-13 08:50:12 +02:00
[module/base-system] Enable gc and store optimizations for all 2022-03-24 08:56:05 +01:00			`# Enable store optimiser`
			`nix.optimise = {`
			`automatic = true;`
			`dates = ["04:00"];`
			`};`
[modules/base-system,host/helix-texta] Enable minimal gnome 2022-04-13 08:50:12 +02:00
[module/base-system] Add/enable printing configuration 2022-05-18 17:01:03 +02:00			`# Printing!`
			`services.printing = lib.mkIf cfg.printing.enable {`
			`enable = true;`
Formatting 2022-05-19 01:38:29 +02:00			`drivers = [pkgs.samsung-unified-linux-driver];`
[module/base-system] Add/enable printing configuration 2022-05-18 17:01:03 +02:00			`};`
			`hardware.printers = lib.mkIf cfg.printing.enable {`
[faunus-ater] Prepare printing server setup 2022-06-13 10:25:36 +02:00			`ensureDefaultPrinter = mkDefault "Laser-Boi";`
[module/base-system] Add/enable printing configuration 2022-05-18 17:01:03 +02:00			`ensurePrinters = lib.singleton {`
			`description = "The fastest Boi in town!";`
			`deviceUri = "usb://Samsung/ML-1640%20Series?serial=144QBAHS600499T.";`
			`location = "@Home";`
			`model = "samsung/ML-1640.ppd";`
			`name = "Laser-Boi";`
			`ppdOptions = {`
			`PageSize = "A4";`
			`Resolution = "600dpi";`
			`};`
			`};`
			`};`

[modules/base-system,host/helix-texta] Enable minimal gnome 2022-04-13 08:50:12 +02:00			`# GNOME`
			`# Don't forget to import DISPLAY into dbus variables`
			`programs.dconf.enable = mkDefault cfg.minimalGnome.enable;`
			`programs.seahorse.enable = mkDefault cfg.minimalGnome.enable;`
			`services.gnome.at-spi2-core.enable = mkDefault cfg.minimalGnome.enable;`
			`services.gnome.gnome-keyring.enable = mkDefault cfg.minimalGnome.enable;`
			`services.dbus.packages = lib.optional cfg.minimalGnome.enable [pkgs.gcr];`
[module/photoprism] Get to a working state Now running on elysia-clarki. 2022-01-18 16:33:18 +01:00			`};`
[module/base-system] Extract into module 2022-01-14 12:41:06 +01:00			`}`