diff --git a/common/flake.nix b/common/flake.nix
index e131d57..9930606 100644
--- a/common/flake.nix
+++ b/common/flake.nix
@@ -22,9 +22,10 @@ { imports = [ ./options.nix + ./general ./boot ./users - ./general + ./programs ]; }; };
diff --git a/common/programs/default.nix b/common/programs/default.nix
new file mode 100644
index 0000000..7373c72
--- /dev/null
+++ b/common/programs/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ imports = [
+ ./qFlipper.nix
+ ./rustDev.nix
+ ./uhkAgent.nix
+ ./tailnet.nix
+ ./ssh.nix
+ ./docker.nix
+ ];
+}
diff --git a/common/programs/docker.nix b/common/programs/docker.nix
new file mode 100644
index 0000000..104e4dd
--- /dev/null
+++ b/common/programs/docker.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ccfg = import ../config.nix;
+ cfg_path = [
+ ccfg.custom_config_key
+ "programs"
+ "docker"
+ ];
+ cfg = lib.attrsets.getAttrFromPath cfg_path config;
+
+ users_cfg = config.${ccfg.custom_config_key}.users;
+in
+{
+ options =
+ { }
+ // lib.attrsets.setAttrByPath cfg_path {
+ enable = lib.mkEnableOption "docker";
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.docker = {
+ enable = true;
+ autoPrune.enable = true;
+ };
+ # TODO add admins?
+ users.extraGroups.docker.members = lib.mkIf (users_cfg.primary != null) [ users_cfg.primary ];
+ environment.shellAliases = {
+ dockerv = "docker volume";
+ dockeri = "docker image";
+ dockerc = "docker container";
+ };
+ };
+}
diff --git a/common/programs/qFlipper.nix b/common/programs/qFlipper.nix
new file mode 100644
index 0000000..823ef99
--- /dev/null
+++ b/common/programs/qFlipper.nix 
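Review bot: `users.extraGroups.docker.members` in docker.nix adds the primary user to the docker group without any comment, and Docker documents membership in that group as equivalent to root on the host; a note such as `# NOTE: docker group membership is root-equivalent on this host` next to the assignment would make the trade-off visible to whoever resolves the `# TODO add admins?` above it. `pkgs` is bound in the module arguments but never used in this file and can be dropped. The guard `users_cfg.primary != null` presumes `users.primary` is declared with a null default under `${ccfg.custom_config_key}`; that declaration is outside this diff, so worth confirming against options.nix.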
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ccfg = import ../config.nix;
+ cfg_path = [
+ ccfg.custom_config_key
+ "programs"
+ "qFlipper"
+ ];
+ cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+ options =
+ { }
+ // lib.attrsets.setAttrByPath cfg_path {
+ enable = lib.mkEnableOption "qFlipper";
+ };
+
+ config = lib.mkIf cfg.enable {
+ hardware.flipperzero.enable = true;
+ environment.systemPackages = with pkgs; [ qFlipper ];
+ services.udev.extraRules = ''
+ #Flipper Zero serial port
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", GROUP="users", TAG+="uaccess"
+ #Flipper Zero DFU
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", GROUP="users", TAG+="uaccess"
+ '';
+ };
+}
diff --git a/common/programs/rustDev.nix b/common/programs/rustDev.nix
new file mode 100644
index 0000000..dd226fb
--- /dev/null
+++ b/common/programs/rustDev.nix 
@@ -0,0 +1,53 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ccfg = import ../config.nix;
+ cfg_path = [
+ ccfg.custom_config_key
+ "programs"
+ "rustDev"
+ ];
+ cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+ options =
+ { }
+ // lib.attrsets.setAttrByPath cfg_path {
+ enable = lib.mkEnableOption "rust development tools";
+ repl = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Enable the evcxr repl for `rust` command.";
+ };
+ # TODO?
+ # channel = lib.mkOption {
+ # type = lib.types.str;
+ # default = "stable";
+ # description = "The Rust release channel to use (e.g., stable, beta, nightly).";
+ # };
+ # version = lib.mkOption {
+ # type = lib.types.str;
+ # default = "latest";
+ # description = "The specific version of Rust to use. Use 'latest' for the latest stable release.";
+ # };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages =
+ with pkgs;
+ [
+ rustup
+ gcc
+ ]
+ ++ (if cfg.repl then [ pkgs.evcxr ] else [ ]);
+
+ environment.shellAliases = lib.mkIf cfg.repl {
+ rust = "evcxr";
+ };
+ };
+
+}
diff --git a/common/programs/ssh.nix b/common/programs/ssh.nix
new file mode 100644
index 0000000..ca4bb46
--- /dev/null
+++ b/common/programs/ssh.nix 
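Review bot: The `# TODO?` block inside the options set carries ten lines of commented-out `channel`/`version` option definitions copied from the deleted components/nix/rust-dev.nix; commented-out code rots quickly, so either keep a single `# TODO: channel/version options (see components/nix/rust-dev.nix in history)` or reinstate them as real options. In the package list, `with pkgs;` is already in scope, so `pkgs.evcxr` can be written `evcxr` to match `rustup` and `gcc` on the lines above.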
@@ -0,0 +1,94 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ccfg = import ../config.nix;
+ cfg_path = [
+ ccfg.custom_config_key
+ "programs"
+ "ssh"
+ ];
+ cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+ options =
+ { }
+ // lib.attrsets.setAttrByPath cfg_path {
+ enable = lib.mkEnableOption "ssh";
+ sshPortOpen = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Open the ssh port.";
+ };
+ fail2Ban = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Enable fail2ban.";
+ };
+ allowRootPasswordLogin = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Allow root password login.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ openssh
+ autossh
+ ];
+
+ # Use fail2ban
+ services.fail2ban = lib.mkIf cfg.fail2Ban {
+ enable = true;
+ };
+
+ # Open ports in the firewall if enabled.
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.sshPortOpen [
+ 22 # sshd
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ settings = {
+ LogLevel = "VERBOSE";
+ PermitRootLogin = "yes";
+ PasswordAuthentication = if cfg.allowRootPasswordLogin then true else false;
+ };
+ };
+
+ # Ensure SSH key pair generation for non-root users
+ systemd.services = lib.mapAttrs' (name: _: {
+ name = "generate_ssh_key_${name}";
+ value = {
+ description = "Generate SSH key pair for ${name}";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = name;
+ Type = "oneshot";
+ };
+ script = ''
+ #!/run/current-system/sw/bin/bash
+ if [ ! -f /home/${name}/.ssh/id_ed25519 ]; then
+ if [ -v DRY_RUN ]; then
+ echo "DRY_RUN is set. 
Would generate SSH key for ${name}.";
+ else
+ echo "Generating SSH key for ${name}.";
+ mkdir -p /home/${name}/.ssh;
+ chmod 700 /home/${name}/.ssh;
+ /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${name}/.ssh/id_ed25519 -N "";
+ fi
+ else
+ echo "SSH key already exists for ${name}.";
+ fi
+ '';
+ };
+ }) config.mods.common.users;
+
+ };
+
+}
diff --git a/common/programs/tailnet.nix b/common/programs/tailnet.nix
new file mode 100644
index 0000000..6ec5d2d
--- /dev/null
+++ b/common/programs/tailnet.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ccfg = import ../config.nix;
+ cfg_path = [
+ ccfg.custom_config_key
+ "programs"
+ "tailnet"
+ ];
+ cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+ options =
+ { }
+ // lib.attrsets.setAttrByPath cfg_path {
+ enable = lib.mkEnableOption "rust development tools";
+ useSecretsAuth = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether to use secrets authentication for Tailscale";
+ };
+ useHeadscale = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether to use headscale login server.";
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ tailscale ];
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ useRoutingFeatures = "client";
+ authKeyFile = lib.mkIf cfg.useSecretsAuth config.age.secrets.headscale_auth.path;
+ # https://tailscale.com/kb/1241/tailscale-up
+ extraUpFlags = lib.mkIf cfg.useHeadscale [
+ "--login-server=https://headscale.joshuabell.xyz"
+ "--no-logs-support"
+ ];
+ };
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ networking.firewall.checkReversePath = "loose";
+ };
+
+}
diff --git a/common/programs/uhkAgent.nix b/common/programs/uhkAgent.nix
new file mode 100644
index 0000000..90a9c3a
--- /dev/null
+++ b/common/programs/uhkAgent.nix 
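Review bot: `PermitRootLogin = "yes"` is set unconditionally in ssh.nix while the `allowRootPasswordLogin` option only toggles `PasswordAuthentication`, which applies to every user, so the option name does not describe what it controls and root key-based login is always permitted. Gating both settings on the option, `PermitRootLogin = if cfg.allowRootPasswordLogin then "yes" else "prohibit-password";` and `PasswordAuthentication = cfg.allowRootPasswordLogin;`, keeps the default key-only for root and drops the redundant `if … then true else false`. The key-generation loop at the bottom iterates `config.mods.common.users`, whereas docker.nix in this same commit reads `config.${ccfg.custom_config_key}.users`; the hosts/lio/flake.nix hunk further down removes `mods.common.users = { };`, so if that option is no longer declared this evaluation fails, and if it is, the set is presumably empty and no keys are generated — worth confirming which is intended. The per-user oneshot service writes keys with `-N ""` (no passphrase); a comment stating that these are meant as unencrypted per-host identities would help the next reader, and the `#!/run/current-system/sw/bin/bash` line inside `script` is a plain comment there, since NixOS already wraps `script` in bash.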
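Review bot: `enable = lib.mkEnableOption "rust development tools";` in tailnet.nix is a copy-paste from rustDev.nix, so the generated option description reads "Whether to enable rust development tools." for the tailnet module; it should be `enable = lib.mkEnableOption "tailnet (tailscale client)";` or similar. `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` exempts every tailnet peer from the host firewall; that behaviour is carried over from the deleted components/nix/tailscale.nix, but now that the module is reusable across hosts it deserves a comment or its own boolean option so a host can opt out. The NixOS tailscale module already installs its package for the CLI, so the `environment.systemPackages = with pkgs; [ tailscale ];` line looks redundant — confirm before removing.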
@@ -0,0 +1,31 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ccfg = import ../config.nix;
+ cfg_path = [
+ ccfg.custom_config_key
+ "programs"
+ "uhkAgent"
+ ];
+ cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+ options =
+ { }
+ // lib.attrsets.setAttrByPath cfg_path {
+ enable = lib.mkEnableOption "uhk agent (ultimate hacking keyboard)";
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ uhk-agent
+ uhk-udev-rules
+ ];
+ services.udev.packages = [ pkgs.uhk-udev-rules ];
+ };
+
+}
diff --git a/components/nix/qflipper.nix b/components/nix/qflipper.nix
deleted file mode 100644
index 9bcd907..0000000
--- a/components/nix/qflipper.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ pkgs, ... }:
-{
- hardware.flipperzero.enable = true;
- environment.systemPackages = with pkgs; [ qFlipper ];
-
- services.udev.extraRules = ''
- #Flipper Zero serial port
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", GROUP="users", TAG+="uaccess"
- #Flipper Zero DFU
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", GROUP="users", TAG+="uaccess"
- '';
-}
diff --git a/components/nix/rust-dev.nix b/components/nix/rust-dev.nix
deleted file mode 100644
index c5af076..0000000
--- a/components/nix/rust-dev.nix
+++ /dev/null 
@@ -1,50 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-with lib;
-
-let
- rustChannel = config.programs.rust.channel;
- rustVersion = config.programs.rust.version;
-in
-{
- options.components.rust = {
- enable = mkOption {
- type = types.bool;
- default = true;
- description = "Enable Rust programming language support.";
- };
-
- repl = mkOption {
- type = types.bool;
- default = true;
- description = "Enable the evcxr repl for `rust` command.";
- };
-
- channel = mkOption {
- type = types.str;
- default = "stable";
- description = "The Rust release channel to use (e.g., stable, beta, nightly).";
- };
-
- version = mkOption {
- type = types.str;
- default = "latest";
- description = "The specific version of Rust to use. Use 'latest' for the latest stable release.";
- };
- };
-
- config = mkIf config.components.rust.enable {
- environment.systemPackages = with pkgs; [
- rustup gcc
- ] ++ (if config.components.rust.repl then [ pkgs.evcxr ] else [ ]);
-
- environment.shellAliases = mkIf config.components.rust.repl {
- rust = "evcxr";
- };
- };
-}
diff --git a/components/nix/rust-repl.nix b/components/nix/rust-repl.nix
deleted file mode 100644
index 2f6078d..0000000
--- a/components/nix/rust-repl.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [ evcxr rustc ];
- environment.shellAliases = {
- rust = "evcxr";
- };
-}
diff --git a/components/nix/steam.nix b/components/nix/steam.nix
deleted file mode 100644
index ced7b52..0000000
--- a/components/nix/steam.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ ... }:
-{
- programs.steam.enable = true;
-}
diff --git a/components/nix/tailscale.nix b/components/nix/tailscale.nix
deleted file mode 100644
index d19b3c7..0000000
--- a/components/nix/tailscale.nix
+++ /dev/null 
@@ -1,37 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
-{
- options.components.tailscale = {
- useSecretsAuth = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = "Whether to use secrets authentication for Tailscale";
- };
- useHeadscale = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = "Whether to use headscale login server.";
- };
- };
-
- config = {
- environment.systemPackages = with pkgs; [ tailscale ];
- services.tailscale = {
- enable = true;
- openFirewall = true;
- useRoutingFeatures = "client";
- authKeyFile = lib.mkIf config.components.tailscale.useSecretsAuth config.age.secrets.headscale_auth.path;
- # https://tailscale.com/kb/1241/tailscale-up
- extraUpFlags = lib.mkIf config.components.tailscale.useHeadscale [
- "--login-server=https://headscale.joshuabell.xyz"
- "--no-logs-support"
- ];
- };
- networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
- networking.firewall.checkReversePath = "loose";
- };
-}
diff --git a/components/nix/uhk-agent.nix b/components/nix/uhk-agent.nix
deleted file mode 100644
index 9166afc..0000000
--- a/components/nix/uhk-agent.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [ uhk-agent uhk-udev-rules ];
-
- services.udev.packages = [ pkgs.uhk-udev-rules ];
-}
diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock
index 84c1296..45c70f5 100644
--- a/hosts/lio/flake.lock
+++ b/hosts/lio/flake.lock
@@ -96,7 +96,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-anAVUUAUV6r9kepJRMPQX9bUNZfkXgsWwZ4/pDlvuWM=", + "narHash": "sha256-m8fxD1m9NkoFI10VdK3Mc/dd4ECFs5IApuIor9Yr+FI=", "path": "../../common", "type": "path" }, 
@@ -299,11 +299,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1739757849, - "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", + "lastModified": 1742234739, + "narHash": "sha256-zFL6zsf/5OztR1NSNQF33dvS1fL/BzVUjabZq4qrtY4=", "owner": "rycee", "repo": "home-manager", - "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", + "rev": "f6af7280a3390e65c2ad8fd059cdc303426cbd59", "type": "github" }, "original": {
@@ -461,11 +461,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1742223160, - "narHash": "sha256-lExsJAtqhTITVBRuRoWklddFekm5CO+nrS2sxG4rsIA=", + "lastModified": 1742261820, + "narHash": "sha256-KYriCbjqEh+NWJOuRFEut4hIdIVtqPIhYWSGRKRooOU=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "011d7ccb91081ff99f184564ea38d1b9e543a99c", + "rev": "ec4bea7901bdb1f36d33354c02e36d7e03b1ac1e", "type": "github" }, "original": {
@@ -664,11 +664,11 @@ }, "mod_common": { "locked": { - "lastModified": 1742225898, - "narHash": "sha256-c4dLwf8WhC5Qc7Z+jjPFcLFNvEFI0aBrkNhKWnuSg3E=", + "lastModified": 1742269254, + "narHash": "sha256-G+ZJAzU5gqXib98pb7Vhq56IVknxqhFScC3kARS3Qgk=", "ref": "mod_common", - "rev": "75cbb43b5341f60fa9453b0167684573d727261d", - "revCount": 21, + "rev": "e3e6d8473dbd3d5ef98c421b6b7f203f1cbff6f3", + "revCount": 22, "type": "git", "url": "https://git.joshuabell.xyz/dotfiles" },
diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix
index 2229985..645367f 100644
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@@ -20,6 +20,7 @@ outputs = { nixpkgs, + common, ... }@inputs: let 
@@ -47,18 +48,19 @@ ( { config, pkgs, ... }: { - imports = [ - ../../components/nix/rust-dev.nix - ../../components/nix/qflipper.nix - ../../components/nix/steam.nix - ../../components/nix/tailscale.nix - ]; - ringofstorms_common = { systemName = configuration_name; boot.systemd.enable = true; general = { - # NOTE bunch of defaults in here I dont need to change + disableRemoteBuildsOnLio = true; + }; + programs = { + qFlipper.enable = true; + rustDev.enable = true; + uhkAgent.enable = true; + tailnet.enable = true; + ssh.enable = true; + docker.enable = true; }; users = { # Users are all normal users and default password is password1
@@ -92,10 +94,14 @@ }; }; + programs = { + steam.enable = true; + }; + environment.systemPackages = with pkgs; [ lua qdirstat - qflipper + # qflipper steam ];
@@ -108,14 +114,10 @@ mods = { common = { - disableRemoteBuildsOnLio = true; - systemName = configuration_name; - allowUnfree = true; - primaryUser = "josh"; - docker = true; zsh = true; - users = { - }; + # still used somewhere... + systemName = configuration_name; + primaryUser = "josh"; }; home_manager = { users = {
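Review bot: `ssh.enable = true;` in the first hunk turns on the new ssh module with its defaults, which per common/programs/ssh.nix in this commit open port 22 and set `PermitRootLogin = "yes"`, on a host whose users are described two lines below as having the default password `password1`; password authentication is off by default so this stays key-only, but a comment next to `ssh.enable = true;` recording that assumption, e.g. `# key-only: allowRootPasswordLogin defaults to false`, would keep it from being flipped casually. `docker.enable = true;` in the same hunk adds the primary user to the docker group, which is root-equivalent on the host and also deserves a one-line note. The ssh module's key-generation loop reads `config.mods.common.users`, and the last hunk of this file removes `mods.common.users`; that hunk runs past the end of the view, so confirm the option still resolves after this change.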