Getting more idomatic nix modules setup... will tackle users dir later

This commit is contained in:
RingOfStorms (Josh) 2024-10-10 15:21:39 -05:00
parent 6316fffeb1
commit 913cff0ffa
41 changed files with 675 additions and 498 deletions


@ -79,6 +79,7 @@
inherit user; inherit user;
nixpkgs = joe_nixpkgs; nixpkgs = joe_nixpkgs;
home-manager = joe_home-manager; home-manager = joe_home-manager;
allowUnfree = true;
}; };
} }
{ {
@ -90,6 +91,7 @@
inherit user; inherit user;
nixpkgs = gpdPocket3_nixpkgs; nixpkgs = gpdPocket3_nixpkgs;
home-manager = gpdPocket3_home-manager; home-manager = gpdPocket3_home-manager;
allowUnfree = true;
}; };
} }
{ {
@ -107,6 +109,7 @@
}; };
nixpkgs = h002_nixpkgs; nixpkgs = h002_nixpkgs;
home-manager = h002_home-manager; home-manager = h002_home-manager;
allowUnfree = true;
}; };
} }
]; ];
@ -127,14 +130,15 @@
// { // {
"${nixConfig.name}" = "${nixConfig.name}" =
let let
lib = nixConfig.settings.nixpkgs.lib; settings = nixConfig.settings;
lib = settings.nixpkgs.lib;
ylib = nypkgs.legacyPackages.${nixConfig.opts.system}.lib; ylib = nypkgs.legacyPackages.${nixConfig.opts.system}.lib;
in in
(lib.nixosSystem { (lib.nixosSystem {
modules = modules =
[ [
./hosts/_common/configuration.nix
cosmic.nixosModules.default cosmic.nixosModules.default
./hosts/configuration.nix
] ]
++ ylib.umport { ++ ylib.umport {
path = lib.fileset.maybeMissing ./modules; path = lib.fileset.maybeMissing ./modules;
@ -144,7 +148,7 @@
inherit ylib; inherit ylib;
settings = settings =
directories directories
// nixConfig.settings // settings
// { // {
system = nixConfig.opts // { system = nixConfig.opts // {
hostname = nixConfig.name; hostname = nixConfig.name;


@ -1,7 +0,0 @@
{ pkgs, ... }:
{
# Enable sound.
hardware.pulseaudio.enable = true;
hardware.pulseaudio.package = pkgs.pulseaudioFull;
environment.systemPackages = [ pkgs.pavucontrol ];
}


@ -1,10 +0,0 @@
{ pkgs, ... }:
{
# I want this globally even for root so doing it outside of home manager
services.xserver.xkb.options = "caps:escape";
console = {
earlySetup = true;
packages = with pkgs; [ terminus_font ];
useXkbConfig = true; # use xkb.options in tty. (caps -> escape)
};
}


@ -1,12 +0,0 @@
{ cosmic, ... }:
{
nix.settings = {
substituters = [ "https://cosmic.cachix.org/" ];
trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ];
};
imports = [ cosmic.nixosModules.default ];
services.desktopManager.cosmic.enable = true;
services.displayManager.cosmic-greeter.enable = true;
}


@ -1,10 +0,0 @@
{ settings, ... }:
{
virtualisation.docker.enable = true;
users.extraGroups.docker.members = [ settings.user.username ];
environment.shellAliases = {
dockerv = "docker volume";
dockeri = "docker image";
dockerc = "docker container";
};
}


@ -1,7 +0,0 @@
{ pkgs, ... }:
{
fonts.packages = with pkgs; [
(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
];
}


@ -1,20 +0,0 @@
{ pkgs, ... }:
{
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
autoSuspend = false;
wayland = true;
};
desktopManager.gnome.enable = true;
};
services.gnome.core-utilities.enable = false;
environment.systemPackages = with pkgs; [
gnome.dconf-editor
# wayland clipboard in terminal
wl-clipboard
];
environment.sessionVariables.NIXOS_OZONE_WL = "1";
}


@ -1,18 +0,0 @@
{ pkgs, ... }:
{
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
autoSuspend = false;
wayland = false;
};
desktopManager.gnome.enable = true;
};
services.gnome.core-utilities.enable = false;
environment.systemPackages = with pkgs; [
gnome.dconf-editor
xclip
];
}


@ -1,51 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
nebula
traceroute # for debugging
];
networking.firewall.allowedUDPPorts = [ 4242 ];
systemd.services."nebula" = {
description = "Nebula VPN service";
wants = [ "basic.target" ];
after = [
"basic.target"
"network.target"
];
before = [ "sshd.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "notify";
Restart = "always";
RestartSec = 1;
ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula/config.yml";
UMask = "0027";
CapabilityBoundingSet = "CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_ADMIN";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = false; # needs access to /dev/net/tun (below)
DeviceAllow = "/dev/net/tun rw";
DevicePolicy = "closed";
PrivateTmp = true;
PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictSUIDSGID = true;
};
unitConfig = {
StartLimitIntervalSec = 5;
StartLimitBurst = 3;
};
};
}


@ -1,7 +0,0 @@
{ settings, ringofstorms-nvim, ... }:
{
environment.systemPackages = [
ringofstorms-nvim.packages.${settings.system.system}.neovim
];
}


@ -1,21 +0,0 @@
{ pkgs, ... }:
{
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
autoSuspend = false;
wayland = true;
};
displayManager.defaultSession = "plasma";
displayManager.sddm.wayland.enable = true;
desktopManager.plasma6 = {
enable = true;
};
};
environment.systemPackages = with pkgs; [
xclip
];
}


@ -1,19 +0,0 @@
{ pkgs, ... }:
{
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
autoSuspend = false;
wayland = false;
};
displayManager.defaultSession = "plasmax11";
desktopManager.plasma6 = {
enable = true;
};
};
environment.systemPackages = with pkgs; [
xclip
];
}


@ -1,21 +0,0 @@
{ ... }:
{
# Use fail2ban
services.fail2ban = {
enable = true;
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
22 # sshd
];
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings = {
LogLevel = "VERBOSE";
PermitRootLogin = "yes";
};
};
}


@ -1,29 +0,0 @@
{ pkgs, ... }:
{
# environment.systemPackages = with pkgs; [
# ];
# TODO make a derivation for stormd binary and get it properlly in the store. This is super janky and the binary just has to exist there right now.
# networking.firewall.allowedUDPPorts = [ 4242 ];
systemd.services."stormd" = {
description = "Stormd service";
wants = [ "basic.target" ];
after = [
"basic.target"
"network.target"
];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "notify";
Restart = "always";
RestartSec = 1;
ExecStart = "/etc/stormd/stormd daemon";
};
unitConfig = {
StartLimitIntervalSec = 5;
StartLimitBurst = 3;
};
};
}


@ -1,15 +0,0 @@
{ ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader = {
systemd-boot = {
enable = true;
consoleMode = "keep";
};
timeout = 5;
efi = {
canTouchEfiVariables = true;
};
};
}


@ -1,147 +0,0 @@
{
lib,
pkgs,
settings,
...
}:
let
defaultLocal = "en_US.UTF-8";
in
{
imports = [
# Secrets management
./ragenix.nix
# Include the results of the hardware scan.
(/${settings.hostsDir}/${settings.system.hostname}/hardware-configuration.nix)
# Include the specific machine's config.
(/${settings.hostsDir}/${settings.system.hostname}/configuration.nix)
];
# Enable flakes
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# allow mounting ntfs filesystems
boot.supportedFilesystems = [ "ntfs" ];
# Fallback quickly if substituters are not available.
nix.settings.connect-timeout = 5;
nix.settings.download-attempts = 3;
# The default at 10 is rarely enough.
nix.settings.log-lines = 50;
# Avoid disk full issues
nix.settings.max-free = (3000 * 1024 * 1024);
nix.settings.min-free = (1000 * 1024 * 1024);
# Avoid copying unnecessary stuff over SSH
nix.settings.builders-use-substitutes = true;
# Slower but mroe robust during crash TODO enable once we upgrade nix
# nix.settings.fsync-store-paths = true;
# nix.settings.fsync-metadata = true;
nix.settings.auto-optimise-store = true;
# ==========
# Common
# ==========
networking = {
hostName = settings.system.hostname;
extraHosts = ''
127.0.0.1 local.belljm.com
127.0.0.1 n0.local.belljm.com
127.0.0.1 n1.local.belljm.com
127.0.0.1 n2.local.belljm.com
127.0.0.1 n3.local.belljm.com
127.0.0.1 n4.local.belljm.com
'';
# Use nftables not iptables
nftables.enable = true;
firewall.enable = true;
};
# TODO do I want this dynamic at all? Roaming?
time.timeZone = "America/Chicago";
# nix helper
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep 3";
# TODO this may need to be defined higher up if it is ever different for a machine...
flake = "/home/${settings.user.username}/.config/nixos-config";
};
# Select internationalization properties.
i18n.defaultLocale = defaultLocal;
i18n.extraLocaleSettings = {
LC_ADDRESS = defaultLocal;
LC_IDENTIFICATION = defaultLocal;
LC_MEASUREMENT = defaultLocal;
LC_MONETARY = defaultLocal;
LC_NAME = defaultLocal;
LC_NUMERIC = defaultLocal;
LC_PAPER = defaultLocal;
LC_TELEPHONE = defaultLocal;
LC_TIME = defaultLocal;
};
# Some basics
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
# Basics
vim
wget
curl
fastfetch
bat
htop
unzip
git
fzf
ripgrep
lsof
killall
hdparm
speedtest-cli
# TODO keep in common or move to specific machines, I want this for my pocket 3 video KDM module but I use ffmpeg on most machines anyways?
ffmpeg-full
];
environment.shellAliases = {
n = "nvim";
nn = "nvim --headless '+SessionDelete' +qa > /dev/null 2>&1 && nvim";
bat = "bat --theme Coldark-Dark";
cat = "bat --pager=never -p";
# TODO this may not be needed now that I am using `nh` clean mode (see /hosts/_common/configuration.nix#programs.nh)
nix-boot-clean = "find '/boot/loader/entries' -type f ! -name 'windows.conf' | head -n -4 | xargs -I {} rm {}; nix store gc; nixos-rebuild boot; echo; df";
# general unix
date_compact = "date +'%Y%m%d'";
date_short = "date +'%Y-%m-%d'";
ls = "ls --color -Ga";
ll = "ls --color -Gal";
lss = "du --max-depth=0 -h * 2>/dev/null";
psg = "ps aux | head -n 1 && ps aux | grep -v 'grep' | grep";
cl = "clear";
# git
stash = "git stash";
pop = "git stash pop";
branch = "git checkout -b";
status = "git status";
diff = "git diff";
branches = "git branch -a";
gcam = "git commit -a -m";
stashes = "git stash list";
# ripgrep
rg = "rg --no-ignore";
rgf = "rg --files 2>/dev/null | rg";
# Neofetch is dead
neofetch = "fastfetch";
};
environment.shellInit = builtins.readFile ./shellInit.sh;
system.stateVersion = "23.11";
}

71
hosts/configuration.nix Normal file

@ -0,0 +1,71 @@
{
settings,
...
}:
let
defaultLocal = "en_US.UTF-8";
in
{
imports = [
# Secrets management
./ragenix.nix
# Include the results of the hardware scan.
(/${settings.hostsDir}/${settings.system.hostname}/hardware-configuration.nix)
# Include the specific machine's config.
(/${settings.hostsDir}/${settings.system.hostname}/configuration.nix)
];
# Enable flakes
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# allow mounting ntfs filesystems
boot.supportedFilesystems = [ "ntfs" ];
# Fallback quickly if substituters are not available.
nix.settings.connect-timeout = 5;
nix.settings.download-attempts = 3;
# The default at 10 is rarely enough.
nix.settings.log-lines = 50;
# Avoid disk full issues
nix.settings.max-free = (3000 * 1024 * 1024);
nix.settings.min-free = (1000 * 1024 * 1024);
# Avoid copying unnecessary stuff over SSH
nix.settings.builders-use-substitutes = true;
# Slower but mroe robust during crash TODO enable once we upgrade nix
# nix.settings.fsync-store-paths = true;
# nix.settings.fsync-metadata = true;
nix.settings.auto-optimise-store = true;
# nix helper
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep 3";
# TODO this may need to be defined higher up if it is ever different for a machine...
flake = "/home/${settings.user.username}/.config/nixos-config";
};
# TODO do I want this dynamic at all? Roaming?
time.timeZone = "America/Chicago";
# Select internationalization properties.
i18n.defaultLocale = defaultLocal;
i18n.extraLocaleSettings = {
LC_ADDRESS = defaultLocal;
LC_IDENTIFICATION = defaultLocal;
LC_MEASUREMENT = defaultLocal;
LC_MONETARY = defaultLocal;
LC_NAME = defaultLocal;
LC_NUMERIC = defaultLocal;
LC_PAPER = defaultLocal;
LC_TELEPHONE = defaultLocal;
LC_TIME = defaultLocal;
};
# Some basics
nixpkgs.config.allowUnfree = settings.allowUnfree;
system.stateVersion = "23.11";
}
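Review bot: `nixpkgs.config.allowUnfree = settings.allowUnfree;` makes every host depend on the flake passing an `allowUnfree` attribute; the three hosts in this commit each set it to `true` by hand, and a fourth host that omits it will fail with a missing-attribute error instead of getting a default. `nixpkgs.config.allowUnfree = settings.allowUnfree or false;` keeps the per-host override working while defaulting to the safe value. The `# Slower but mroe robust` comment carried over from the old file still has the typo.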


@ -7,18 +7,6 @@
}: }:
{ {
imports = [ imports = [
# Common components this machine uses
(settings.hostsDir + "/_common/components/neovim.nix")
(settings.hostsDir + "/_common/components/systemd_boot.nix")
(settings.hostsDir + "/_common/components/ssh.nix")
(settings.hostsDir + "/_common/components/caps_to_escape_in_tty.nix")
(settings.hostsDir + "/_common/components/font_jetbrainsmono.nix")
# (settings.hostsDir + "/_common/components/audio.nix")
(settings.hostsDir + "/_common/components/home_manager.nix")
# (settings.hostsDir + "/_common/components/gnome_wayland.nix")
# (settings.hostsDir + "/_common/components/cosmic.nix")
(settings.hostsDir + "/_common/components/docker.nix")
(settings.hostsDir + "/_common/components/nebula.nix")
# Users this machine has # Users this machine has
(settings.usersDir + "/root/configuration.nix") (settings.usersDir + "/root/configuration.nix")
(settings.usersDir + "/josh/configuration.nix") (settings.usersDir + "/josh/configuration.nix")
@ -27,7 +15,18 @@
# ./stupid-keyboard-2.nix # ./stupid-keyboard-2.nix
]; ];
mods.de_cosmic.enable = true; # My custom modules
mods = {
boot_systemd.enable = true;
shell_common.enable = true;
de_cosmic.enable = true;
neovim.enable = true;
tty_caps_esc.enable = true;
docker.enable = true;
fonts.enable = true;
nebula.enable = true;
ssh.enable = true;
};
# machine specific configuration # machine specific configuration
# ============================== # ==============================
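Review bot: The `home_manager.nix` component import is dropped from this host's `imports` (and likewise in the two host sections that follow) without a corresponding entry in the new `mods` block, and no replacement module appears in this diff. If that component file still exists it is now imported by nobody, so any home-manager configuration it carried silently stops applying; if this is deliberately deferred to the users-dir work the commit title mentions, a `# TODO re-enable home-manager once users/ is migrated` line in the `mods` block would make that explicit. The enclosing attribute set continues outside the hunk.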


@ -5,14 +5,6 @@
}: }:
{ {
imports = [ imports = [
# Common components this machine uses
(settings.hostsDir + "/_common/components/neovim.nix")
(settings.hostsDir + "/_common/components/ssh.nix")
(settings.hostsDir + "/_common/components/caps_to_escape_in_tty.nix")
(settings.hostsDir + "/_common/components/audio.nix")
(settings.hostsDir + "/_common/components/home_manager.nix")
(settings.hostsDir + "/_common/components/docker.nix")
(settings.hostsDir + "/_common/components/nebula.nix")
# Users this machine has # Users this machine has
(settings.usersDir + "/root/configuration.nix") (settings.usersDir + "/root/configuration.nix")
(settings.usersDir + "/luser/configuration.nix") (settings.usersDir + "/luser/configuration.nix")
@ -20,9 +12,17 @@
# (settings.hostsDir + "/h002/nixserver.nix") # (settings.hostsDir + "/h002/nixserver.nix")
]; ];
boot.loader.grub = { # My custom modules
enable = true; mods = {
device = "/dev/sdb"; boot_grub = true;
shell_common.enable = true;
de_gnome_xorg.enable = true;
audio_pulse.enable = true;
neovim.enable = true;
tty_caps_esc.enable = true;
docker.enable = true;
nebula.enable = true;
ssh.enable = true;
}; };
# machine specific configuration # machine specific configuration
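Review bot: `boot_grub = true;` assigns a boolean to what `modules/boot/grub.nix` declares as an attribute set of options (`mods.boot_grub.enable`, `mods.boot_grub.device`), so evaluation of this host should fail with a type error rather than enable GRUB. The removed block also installed GRUB to `/dev/sdb`, while the new module defaults `device` to `/dev/sda`, so even with the typo fixed the install target silently changes for this machine. Replace the line with `boot_grub = { enable = true; device = "/dev/sdb"; };`. The enclosing attribute set continues outside the hunk.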


@ -6,24 +6,25 @@
}: }:
{ {
imports = [ imports = [
# Common components this machine uses
(settings.hostsDir + "/_common/components/neovim.nix")
(settings.hostsDir + "/_common/components/systemd_boot.nix")
(settings.hostsDir + "/_common/components/ssh.nix")
(settings.hostsDir + "/_common/components/caps_to_escape_in_tty.nix")
(settings.hostsDir + "/_common/components/font_jetbrainsmono.nix")
(settings.hostsDir + "/_common/components/audio.nix")
(settings.hostsDir + "/_common/components/home_manager.nix")
(settings.hostsDir + "/_common/components/gnome_xorg.nix")
(settings.hostsDir + "/_common/components/docker.nix")
# (settings.hostsDir + "/_common/components/stormd.nix") TODO figure out why this is failing
(settings.hostsDir + "/_common/components/nebula.nix")
# Users this machine has # Users this machine has
(settings.usersDir + "/root/configuration.nix") (settings.usersDir + "/root/configuration.nix")
(settings.usersDir + "/josh/configuration.nix") (settings.usersDir + "/josh/configuration.nix")
]; ];
# test # My custom modules
mods = {
boot_systemd.enable = true;
shell_common.enable = true;
de_gnome_xorg.enable = true;
audio_pulse.enable = true;
neovim.enable = true;
tty_caps_esc.enable = true;
docker.enable = true;
fonts.enable = true;
nebula.enable = true;
ssh.enable = true;
# storage.enable = true; # TODO figure out why this is failing
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
5173 # test 5173 # test
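Review bot: The commented-out `storage.enable = true;` does not correspond to any module in this diff; the component it replaces (`_common/components/stormd.nix`) is now `modules/stormd.nix`, which declares `mods.stormd.enable`. Change the line to `# stormd.enable = true; # TODO figure out why this is failing` so the reminder names the option that actually exists. The `networking.firewall.allowedTCPPorts` list continues outside the hunk.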


@ -6,8 +6,6 @@
ragenix, ragenix,
... ...
}: }:
let
in
# TODO auto import secret files here # TODO auto import secret files here
# secretsFile = (settings.secretsDir + /secrets.nix); # secretsFile = (settings.secretsDir + /secrets.nix);
{ {

23
modules/_template.nix Normal file

@ -0,0 +1,23 @@
{
config,
lib,
pkgs,
settings,
...
}:
with lib;
let
name = "NAME";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
# TODO
};
}
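Review bot: `mkEnableOption (lib.mdDoc "Enable ${name}")` renders as "Whether to enable Enable NAME." in generated option docs, because `mkEnableOption` already prefixes "Whether to enable"; the argument should be the noun alone, e.g. `enable = mkEnableOption "the ${name} module";`. As far as I know `lib.mdDoc` is deprecated in current nixpkgs and only emits a warning, so the wrapper can be dropped at the same time. The same pattern is copied verbatim into audio_pulse, boot/grub, boot/systemd, de/gnome_wayland, docker, fonts, nebula, neovim, shell/common, ssh, stormd and tty_caps_esc, so fixing the template first and regenerating is the cheapest route.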

25
modules/audio_pulse.nix Normal file

@ -0,0 +1,25 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
name = "audio_pulse";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
# Enable sound.
hardware.pulseaudio.enable = true;
hardware.pulseaudio.package = pkgs.pulseaudioFull;
environment.systemPackages = [ pkgs.pavucontrol ];
};
}

31
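--- a/modules/boot/grub.nix
+++ b/modules/boot/grub.nix
@@ -0,0 +1,31 @@
+{
+config,
+lib,
+...
+}:
+with lib;
+let
+name = "boot_grub";
+cfg = config.mods.${name};
+in
+{
+options = {
+mods.${name} = {
+enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+device = mkDefaultOption {
+type = types.str;
+default = "/dev/sda";
+description = ''
+The device to install GRUB on.
+'';
+};
+};
+};
+config = mkIf cfg.enable {
+boot.loader.grub = {
+enable = true;
+device = cfg.device;
+};
+};
+}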
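Review bot: `mkDefaultOption` is not a function I can find in nixpkgs' `lib`; the option constructor is `mkOption`, so under `with lib;` this resolves to an undefined variable. Option declarations are evaluated for every imported module regardless of `cfg.enable`, and the flake imports `./modules` wholesale through `ylib.umport`, so this would break evaluation for every host, not only the GRUB one. Change the line to `device = mkOption {`.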

31
modules/boot/systemd.nix Normal file

@ -0,0 +1,31 @@
{
config,
lib,
...
}:
with lib;
let
name = "boot_systemd";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
# Use the systemd-boot EFI boot loader.
boot.loader = {
systemd-boot = {
enable = true;
consoleMode = "keep";
};
timeout = 5;
efi = {
canTouchEfiVariables = true;
};
};
};
}


@ -0,0 +1,37 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
name = "de_gnome_wayland";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable GNOME with wayland desktop environment");
};
};
config = mkIf cfg.enable {
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
autoSuspend = false;
wayland = true;
};
desktopManager.gnome.enable = true;
};
services.gnome.core-utilities.enable = false;
environment.systemPackages = with pkgs; [
gnome.dconf-editor
# wayland clipboard in terminal
wl-clipboard
];
environment.sessionVariables.NIXOS_OZONE_WL = "1";
};
}

35
modules/de/gnome_xorg.nix Normal file

@ -0,0 +1,35 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
name = "de_gnome_xorg";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption "Enable GNOME with wayland desktop environment";
};
};
config = mkIf cfg.enable {
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
autoSuspend = false;
wayland = false;
};
desktopManager.gnome.enable = true;
};
services.gnome.core-utilities.enable = false;
environment.systemPackages = with pkgs; [
gnome.dconf-editor
xclip
];
};
}
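Review bot: The option description on the `enable` line says "GNOME with wayland desktop environment", but this module sets `wayland = false` and ships `xclip`, so the generated docs describe the wrong variant; use `enable = mkEnableOption "GNOME with Xorg desktop environment";`. The wayland module in the preceding section already has the matching wording.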


@ -1,21 +0,0 @@
{
config,
lib,
...
}:
with lib;
let
name = "de_gnome_wayland";
cfg = config.my_modules.${name};
in
{
options = {
my_modules.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable GNOME with wayland desktop environment");
};
};
config = mkIf cfg.enable {
# TODO
};
}


@ -1,22 +0,0 @@
{
config,
lib,
...
}:
with lib;
let
name = "de_gnome_xorg";
cfg = config.my_modules.${name};
in
{
options = {
my_modules.${name} = {
enable = mkEnableOption "Enable GNOME with wayland desktop environment";
};
};
config = mkIf cfg.enable {
# TODO
};
}

28
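--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -0,0 +1,28 @@
+{
+config,
+lib,
+settings,
+...
+}:
+with lib;
+let
+name = "docker";
+cfg = config.mods.${name};
+in
+{
+options = {
+mods.${name} = {
+enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+};
+};
+config = mkIf cfg.enable {
+virtualisation.docker.enable = true;
+users.extraGroups.docker.members = [ settings.user.username ];
+environment.shellAliases = {
+dockerv = "docker volume";
+dockeri = "docker image";
+dockerc = "docker container";
+};
+};
+}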
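Review bot: `users.extraGroups.docker.members = [ settings.user.username ];` grants that user access to the root-owned Docker socket, which is equivalent to root on the host; that may be the intended trade-off for a personal machine, but it is worth stating next to the line, e.g. `# NOTE: docker group membership is effectively root access on this host`. If the grant is not wanted on every host that enables this module, `virtualisation.docker.rootless.enable = true;` with `setSocketVariable = true` is the NixOS alternative that avoids adding the user to the group.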

25
modules/fonts.nix Normal file

@ -0,0 +1,25 @@
{
config,
lib,
pkgs,
settings,
...
}:
with lib;
let
name = "fonts";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
fonts.packages = with pkgs; [
(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
];
};
}

70
modules/nebula.nix Normal file

@ -0,0 +1,70 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
name = "nebula";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
nebula
traceroute # for debugging
];
networking.firewall.allowedUDPPorts = [ 4242 ];
systemd.services."nebula" = {
description = "Nebula VPN service";
wants = [ "basic.target" ];
after = [
"basic.target"
"network.target"
];
before = [ "sshd.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "notify";
Restart = "always";
RestartSec = 1;
ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula/config.yml";
UMask = "0027";
CapabilityBoundingSet = "CAP_NET_ADMIN";
AmbientCapabilities = "CAP_NET_ADMIN";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = false; # needs access to /dev/net/tun (below)
DeviceAllow = "/dev/net/tun rw";
DevicePolicy = "closed";
PrivateTmp = true;
PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictSUIDSGID = true;
};
unitConfig = {
StartLimitIntervalSec = 5;
StartLimitBurst = 3;
};
};
};
}

25
modules/neovim.nix Normal file

@ -0,0 +1,25 @@
{
config,
lib,
settings,
ringofstorms-nvim,
...
}:
with lib;
let
name = "neovim";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
environment.systemPackages = [
ringofstorms-nvim.packages.${settings.system.system}.neovim
];
};
}

90
modules/shell/common.nix Normal file

@ -0,0 +1,90 @@
{
config,
lib,
pkgs,
settings,
...
}:
with lib;
let
name = "shell_common";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
networking = {
hostName = settings.system.hostname;
extraHosts = ''
127.0.0.1 local.belljm.com
127.0.0.1 n0.local.belljm.com
127.0.0.1 n1.local.belljm.com
127.0.0.1 n2.local.belljm.com
127.0.0.1 n3.local.belljm.com
127.0.0.1 n4.local.belljm.com
'';
# Use nftables not iptables
nftables.enable = true;
firewall.enable = true;
};
environment.systemPackages = with pkgs; [
# Basics
vim
nano
wget
curl
fastfetch
bat
htop
unzip
git
fzf
ripgrep
lsof
killall
hdparm
speedtest-cli
ffmpeg-full
];
environment.shellAliases = {
n = "nvim";
nn = "nvim --headless '+SessionDelete' +qa > /dev/null 2>&1 && nvim";
bat = "bat --theme Coldark-Dark";
cat = "bat --pager=never -p";
# TODO this may not be needed now that I am using `nh` clean mode (see /hosts/_common/configuration.nix#programs.nh)
nix-boot-clean = "find '/boot/loader/entries' -type f ! -name 'windows.conf' | head -n -4 | xargs -I {} rm {}; nix store gc; nixos-rebuild boot; echo; df";
# general unix
date_compact = "date +'%Y%m%d'";
date_short = "date +'%Y-%m-%d'";
ls = "ls --color -Ga";
ll = "ls --color -Gal";
lss = "du --max-depth=0 -h * 2>/dev/null";
psg = "ps aux | head -n 1 && ps aux | grep -v 'grep' | grep";
cl = "clear";
# git
stash = "git stash";
pop = "git stash pop";
branch = "git checkout -b";
status = "git status";
diff = "git diff";
branches = "git branch -a";
gcam = "git commit -a -m";
stashes = "git stash list";
# ripgrep
rg = "rg --no-ignore";
rgf = "rg --files 2>/dev/null | rg";
};
environment.shellInit = builtins.readFile ./common.sh;
};
}
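Review bot: `networking.hostName`, `networking.nftables.enable` and `networking.firewall.enable` now sit behind `mods.shell_common.enable`, whereas in the removed `hosts/_common/configuration.nix` they applied to every host; a host that does not enable `shell_common` loses its hostname and drops back to the iptables firewall backend, which has nothing to do with shell setup. Moving the `networking` block back into `hosts/configuration.nix` (or into its own `mods.networking` module) keeps this toggle honest. The comment on the `nix-boot-clean` alias also still points at `/hosts/_common/configuration.nix#programs.nh`, a path this commit deletes; `hosts/configuration.nix#programs.nh` is where it lives now.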

40
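--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -0,0 +1,40 @@
+{
+config,
+lib,
+pkgs,
+settings,
+...
+}:
+with lib;
+let
+name = "ssh";
+cfg = config.mods.${name};
+in
+{
+options = {
+mods.${name} = {
+enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+};
+};
+config = mkIf cfg.enable {
+# Use fail2ban
+services.fail2ban = {
+enable = true;
+};
+# Open ports in the firewall.
+networking.firewall.allowedTCPPorts = [
+22 # sshd
+];
+# Enable the OpenSSH daemon.
+services.openssh = {
+enable = true;
+settings = {
+LogLevel = "VERBOSE";
+PermitRootLogin = "yes";
+};
+};
+};
+}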
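Review bot: `PermitRootLogin = "yes";` together with NixOS's default of password authentication being enabled means root is reachable by password guessing on the port 22 opening above; fail2ban slows that down but does not remove the exposure, and `LogLevel = "VERBOSE"` only helps after the fact. Unless password root logins are actually relied on, `PermitRootLogin = "prohibit-password";` (OpenSSH's own default) and `PasswordAuthentication = false;` in the same `settings` block keep key-based root access working while closing the password path. `pkgs` and `settings` are taken as module arguments but never used here.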

46
modules/stormd.nix Normal file

@ -0,0 +1,46 @@
{
config,
lib,
...
}:
with lib;
let
name = "stormd";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
# environment.systemPackages = with pkgs; [
# ];
# TODO make a derivation for stormd binary and get it properlly in the store. This is super janky and the binary just has to exist there right now.
# networking.firewall.allowedUDPPorts = [ 4242 ];
systemd.services."stormd" = {
description = "Stormd service";
wants = [ "basic.target" ];
after = [
"basic.target"
"network.target"
];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "notify";
Restart = "always";
RestartSec = 1;
ExecStart = "/etc/stormd/stormd daemon";
};
unitConfig = {
StartLimitIntervalSec = 5;
StartLimitBurst = 3;
};
};
};
}
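Review bot: `ExecStart = "/etc/stormd/stormd daemon";` runs an unpackaged binary out of `/etc` as root with none of the sandboxing the nebula unit in this same commit gets (no `NoNewPrivileges`, `ProtectSystem`, `CapabilityBoundingSet`, `User`/`DynamicUser`), so whatever that binary does, it does with full privileges, and because the file lives outside the Nix store it is also outside generation rollback. Until the TODO about a proper derivation is done, copying the `serviceConfig` hardening keys from `modules/nebula.nix` and adding `DynamicUser = true;` (or an explicit `User =`) is a cheap containment step. The commented-out `environment.systemPackages = with pkgs; [` block will also fail if uncommented, since `pkgs` is no longer in this module's argument set.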

28
modules/tty_caps_esc.nix Normal file

@ -0,0 +1,28 @@
{
config,
lib,
pkgs,
settings,
...
}:
with lib;
let
name = "tty_caps_esc";
cfg = config.mods.${name};
in
{
options = {
mods.${name} = {
enable = mkEnableOption (lib.mdDoc "Enable ${name}");
};
};
config = mkIf cfg.enable {
services.xserver.xkb.options = "caps:escape";
console = {
earlySetup = true;
packages = with pkgs; [ terminus_font ];
useXkbConfig = true; # use xkb.options in tty. (caps -> escape)
};
};
}


@ -1,22 +1,29 @@
{ lib, config, ... }: { lib, config, ... }:
{ {
# config.assertions = [ config.assertions = [
# { {
# assertion = assertion =
# lib.length ( lib.length (
# lib.filter (x: x) [ lib.filter (x: x) [
# config.my_modules.de_cosmic.enable config.mods.de_cosmic.enable
# config.my_modules.de_gnome_xorg.enable config.mods.de_gnome_xorg.enable
# config.my_modules.de_gnome_wayland.enable config.mods.de_gnome_wayland.enable
# ] ]
# ) <= 1; ) <= 1;
# message = '' message = ''
# Configuration Error: Multiple desktop environments are enabled. Configuration Error: Multiple desktop environments are enabled.
# Please enable only one of the following: Please enable only one of the following:
# - my_modules.de_cosmic.enable - mods.de_cosmic.enable
# - my_modules.de_gnome_xorg.enable - mods.de_gnome_xorg.enable
# - my_modules.de_gnome_wayland.enable - mods.de_gnome_wayland.enable
# ''; '';
# } }
# ]; {
assertion = !(config.mods.de_cosmic.enable && config.mods.audio_pulse.enable);
message = ''
Configuration Error: cannot use pulse audio with cosmic.
Remove: mods.audio_pulse.enable
'';
}
];
} }