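# Settings that most of my hosts can agree on; some of them are overridden on a
# per-host basis, which is why the host-tunable values below carry mkDefault.
{ pkgs, lib, config, ... }:
let
  cfg = config.settings;
  inherit (lib) mkDefault mkIf mkEnableOption optional optionals singleton;

  # Second sshd port. Always reachable over the VPN interface; reachable from
  # the outside only when settings.ssh.openOutsideVPN is set.
  highSSHPort = 38611;
  vpnInterface = config.services.tailscale.interfaceName;

  # The remote-build user is only created on hosts that actually run sshd.
  enableHydraMinion = config.services.openssh.enable;
in
{
  imports = [
    ./7-days-to-die.nix
    ./grafana.nix
    ./hdparm.nix
    ./malte.nix
    ./marie.nix
    ./photoprism.nix
    ./radicale.nix
    ./restic.nix
    ./scanner.nix
    ./taskserver.nix
    ./wakeup.nix
    ./darkman.nix
  ];

  options.settings = {
    nvidiaUsed = mkEnableOption "NVIDIA graphic card usage";
    minimalGnome.enable = mkEnableOption "basic gnome stuff";
    printing.enable = mkEnableOption "the printing/printers configuration";
    ssh.openOutsideVPN = mkEnableOption "an additional ssh port outside the VPN";
  };

  config = {
    # Allow joypixels' license and unfree licenses in general.
    nixpkgs.config = {
      # TODO: Fix once allowUnfree works for home-manager again.
      allowUnfreePredicate = pkg: true;
      joypixels.acceptLicense = true;
    };

    # Pull in the redistributable (non-free) firmware blobs.
    hardware.enableRedistributableFirmware = true;

    # Trust the private CA used for my servers. Everything signed by this CA is
    # accepted by every TLS client that uses the system store, so the CA's
    # private key must be kept off these hosts (only the public cert lives in
    # ../secrets).
    security.pki.certificates = [ (builtins.readFile ../secrets/ca.crt) ];

    # Binary caches and daemon trust.
    nix.settings = {
      # Keys whose signatures the daemon accepts for substituted paths.
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
        "2a-emulator.cachix.org-1:ijJDEqNsMqhamxxWvqOiaCQNoYhWNw7A+gGICgAH1mE="
        "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
        "nickel.cachix.org-1:ABoCOGpTJbAum7U6c+04VbjvLxG9f0gJP5kYihRRdQs="
        # Currently running hydra. Not listed as a substituter below; paths
        # signed with it presumably arrive via remote builds/pushes.
        "elysia-clarki:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
      ];
      substituters = [
        "https://cache.nixos.org"
        "https://nixpkgs-wayland.cachix.org"
        "https://2a-emulator.cachix.org"
        "https://colmena.cachix.org"
        "https://nickel.cachix.org"
      ];
      # NOTE: per the Nix manual, a trusted user can add arbitrary substituters
      # and trusted keys and import unsigned paths, which is essentially root
      # access. Keep this list minimal.
      trusted-users = [
        # Hand the wheel group extra nix daemon rights.
        "@wheel"
      ]
      # The hydra-minion is trusted as well (it needs to for remote building).
      ++ optional enableHydraMinion config.users.users.hydra-minion.name;
    };

    # Remote-build account used by the hydra. Because it is a trusted-user,
    # whoever holds either of the keys below is effectively root on this host.
    users.users.hydra-minion = mkIf enableHydraMinion {
      description = "Hydra Minion for remote building";
      isSystemUser = true;
      home = "/home/hydra-minion";
      createHome = true;
      # A real shell is required for ssh-based remote building.
      useDefaultShell = true;
      group = config.users.groups.hydra-minion.name;
      openssh.authorizedKeys.keyFiles = [
        ../users/malte/yubikey.pub
        ../secrets/hydra-overseer.pub
      ];
    };
    users.groups.hydra-minion = mkIf enableHydraMinion {};

    # sshd listens on both ports on all interfaces, but the firewall only opens
    # them on the VPN interface (plus optionally highSSHPort globally, below).
    # NOTE(review): nothing here disables password or keyboard-interactive
    # authentication; with highSSHPort optionally exposed outside the VPN,
    # consider setting PasswordAuthentication/KbdInteractiveAuthentication to
    # false explicitly (the option path differs between NixOS releases).
    services.openssh = {
      enable = mkDefault true;
      ports = [ 22 highSSHPort ];
      openFirewall = false;
    };
    networking.firewall.interfaces.${vpnInterface} = {
      # Allow both ssh ports over the VPN.
      allowedTCPPorts = [ 22 highSSHPort ];
    };
    # Add the extra high port on all interfaces if requested for hosts outside the VPN.
    networking.firewall.allowedTCPPorts = optional cfg.ssh.openOutsideVPN highSSHPort;

    # Tailscale exit nodes seem to have a problem with strict reverse-path
    # checking. "loose" accepts a packet if its source is routable via any
    # interface, which weakens the kernel's anti-spoofing filter; keep strict
    # on hosts that do not need exit-node traffic.
    networking.firewall.checkReversePath = "loose";

    # Yubikey for root authentication over ssh. This relies on sshd's
    # PermitRootLogin still refusing password logins for root.
    users.users.root.openssh.authorizedKeys.keyFiles = [ ../users/malte/yubikey.pub ];

    # Enable mosh for some SSH superpowers.
    # NOTE(review): the mosh module opens its UDP port range in the firewall by
    # default; confirm that is intended given sshd itself is VPN-only here.
    programs.mosh.enable = mkDefault true;

    # Basic packages.
    environment.systemPackages = with pkgs; [
      # I might need git for rebuilding this flake on the remote machine.
      git
      # Sops is for secrets.
      sops
      # top is lacking pizzazz.
      htop
      btop
      # An initial `tailscale up` is necessary to get the network going.
      tailscale
      # I will need to have access to kakoune.
      kakoune
      # I much rather use some tools other than the defaults.
      fd
      du-dust
      ripgrep
    ];

    # Language and timezone defaults.
    time.timeZone = "Europe/Berlin";
    i18n.defaultLocale = mkDefault "en_US.UTF-8";

    # Use the latest kernel; this is altered on hosts with zfs requirements.
    boot.kernelPackages = mkDefault pkgs.linuxPackages_latest;
    # 1s is fine here; hosts with x/wayland will want to increase this.
    boot.loader.timeout = mkDefault 1;
    boot.loader.systemd-boot.configurationLimit = 10;

    # Network configuration with tailscale.
    networking.useDHCP = false;
    services.tailscale = {
      enable = true;
      interfaceName = "looking-glas";
    };
    networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];

    # Regularly clear the store.
    nix.gc = {
      automatic = true;
      dates = mkDefault "weekly";
    };
    # Enable the store optimiser.
    nix.optimise = {
      automatic = true;
      dates = [ "04:00" ];
    };

    # Printing!
    services.printing = mkIf cfg.printing.enable {
      enable = true;
      drivers = [ pkgs.samsung-unified-linux-driver ];
    };
    hardware.printers = mkIf cfg.printing.enable {
      ensureDefaultPrinter = mkDefault "Laser-Boi";
      ensurePrinters = singleton {
        description = "The fastest Boi in town!";
        deviceUri = "usb://Samsung/ML-1640%20Series?serial=144QBAHS600499T.";
        location = "@Home";
        model = "samsung/ML-1640.ppd";
        name = "Laser-Boi";
        ppdOptions = {
          PageSize = "A4";
          Resolution = "600dpi";
        };
      };
    };

    # GNOME
    # Don't forget to import DISPLAY into dbus variables.
    programs.dconf.enable = mkDefault cfg.minimalGnome.enable;
    programs.seahorse.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.at-spi2-core.enable = mkDefault cfg.minimalGnome.enable;
    services.gnome.gnome-keyring.enable = mkDefault cfg.minimalGnome.enable;
    # Fix: `optional cond [x]` yields a nested list `[[x]]`; `optionals` is the
    # list-valued form and produces `[x]` / `[]` as intended.
    services.dbus.packages = optionals cfg.minimalGnome.enable [ pkgs.gcr ];
  };
}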