diff --git a/hosts/aspi/default.nix b/hosts/aspi/default.nix index fc7fda6..51592c1 100644 --- a/hosts/aspi/default.nix +++ b/hosts/aspi/default.nix @@ -20,7 +20,24 @@ ... }: { - imports = [ ./hardware-configuration.nix ]; + imports = [ + # inputs.hardware.nixosModules.common-cpu-amd # TODO something useful for me? + + ./hardware-configuration.nix + + ../common/global + ../common/users/gabriel + + ../common/optional/peripherals.nix + ../common/optional/greetd.nix + ../common/optional/pipewire.nix + ../common/optional/quietboot.nix + ../common/optional/wireless.nix + ../common/optional/lxd.nix + + ../common/optional/starcitizen-fixes.nix + + ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.blacklistedKernelModules = [ "pcspkr" ]; # Disables "beep" diff --git a/hosts/common/global/default.nix b/hosts/common/global/default.nix new file mode 100644 index 0000000..f8a8661 --- /dev/null +++ b/hosts/common/global/default.nix 
@@ -0,0 +1,67 @@ +# Common config for all hosts + +{ + inputs, + outputs, + ... +}: +{ + imports = + [ + ./fish.nix # fish for admin + ./locale.nix + ./nix.nix + ./openssh.nix + ./podman.nix + ./sops.nix + ] + ++ [ + inputs.home-manager.nixosModules.home-manager + ] + ++ (builtins.attrValues outputs.nixosModules); + + home-manager.useGlobalPkgs = true; + home-manager.extraSpecialArgs = { + inherit inputs outputs; + }; + + # Apply overlays + nixpkgs = { + overlays = builtins.attrValues outputs.overlays; + config = { + allowUnfree = true; + }; + }; + + nix.settings.auto-optimise-store = true; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + + # Setup binary caches + nix.settings = { + substituters = [ + "https://nix-community.cachix.org" + "https://cache.nixos.org/" + "https://hyprland.cachix.org" + "http://binarycache.julian-mutter.de" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" + "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E=" + ]; + + trusted-users = [ "@wheel" ]; # needed for devenv to add custom caches + }; + + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + + programs.nix-ld.enable = true; + +} diff --git a/hosts/common/global/fish.nix b/hosts/common/global/fish.nix new file mode 100644 index 0000000..e53f255 --- /dev/null +++ b/hosts/common/global/fish.nix @@ -0,0 +1,10 @@ +{ + programs.fish = { + enable = true; + vendor = { + completions.enable = true; + config.enable = true; + functions.enable = true; + }; + }; +} diff --git a/hosts/common/global/locale.nix b/hosts/common/global/locale.nix new file mode 100644 index 0000000..3bd97af --- /dev/null +++ b/hosts/common/global/locale.nix 
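Review bot: `nix.gc.options` is set to `"--delete-older-than 30d"` in this file and to `"--delete-older-than +3"` in the `./nix.nix` it imports; that option is a plain string, so as far as I can tell the module system will refuse the two conflicting definitions at evaluation time rather than pick one. The rest of the `nix.*` section here (`substituters`, `trusted-public-keys`, `trusted-users`, `experimental-features`, `auto-optimise-store`, `nix.gc`, `programs.nix-ld.enable`) is also repeated almost verbatim from nix.nix, and the list-typed settings will simply merge into duplicated entries. I would delete the whole `nix.*` block from this file and let nix.nix be the single place these are defined, which also keeps the `trusted-users` widening to `@wheel` in one reviewable spot.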
@@ -0,0 +1,16 @@ +{ + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; +} diff --git a/hosts/common/global/nix.nix b/hosts/common/global/nix.nix new file mode 100644 index 0000000..b3f309a --- /dev/null +++ b/hosts/common/global/nix.nix @@ -0,0 +1,49 @@ +{ + lib, + ... +}: +{ + nix.settings.auto-optimise-store = lib.mkDefault true; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + "ca-derivations" + ]; + # warn-dirty = false; + + # Setup binary caches + nix.settings = { + substituters = [ + "https://nix-community.cachix.org" + "https://cache.nixos.org/" + "https://hyprland.cachix.org" + "http://binarycache.julian-mutter.de" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" + "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E=" + ]; + + trusted-users = [ + "root" + "@wheel" + ]; # needed for devenv to add custom caches + }; + + nix.gc = { + automatic = true; + dates = "weekly"; + # Keep the last 3 generations + options = "--delete-older-than +3"; + }; + + programs.nix-ld.enable = true; + + # TODO: is this useful?, what does it do? + # nix.settings.flake-registry = ""; # Disable global flake registry + # Add each flake input as a registry and nix_path + # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs; + # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; + +} diff --git a/hosts/common/global/openssh.nix b/hosts/common/global/openssh.nix new file mode 100644 index 0000000..0ba6cc8 --- /dev/null 
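Review bot: `nix.gc.options = "--delete-older-than +3"` does not look like an argument `nix-collect-garbage` accepts; it expects a duration such as `30d`, while the `+N` "keep the N most recent generations" form belongs to `nix-env --delete-generations`, so the weekly gc unit would most likely fail rather than honour the `# Keep the last 3 generations` comment above it. If a time window is acceptable, `options = "--delete-older-than 30d";` is the supported spelling; keeping a fixed number of generations needs a separate `nix-env --delete-generations +3` step. Separately, `http://binarycache.julian-mutter.de` is a plaintext substituter: the matching `trusted-public-keys` entry still verifies each path's signature, but the transport is unauthenticated and observable, so `https://` is preferable if the cache offers it. `trusted-users = [ "root" "@wheel" ]` makes every wheel member root-equivalent towards the nix daemon; that is fine for a personal machine, but the comment should say so explicitly so the setting is not copied unchanged into a multi-user host.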
+++ b/hosts/common/global/openssh.nix @@ -0,0 +1,52 @@ +{ + outputs, + lib, + config, + ... +}: +let + hosts = lib.attrNames outputs.nixosConfigurations; +in +{ + services.openssh = { + enable = true; + settings = { + # Harden + PasswordAuthentication = false; + PermitRootLogin = "no"; + + # TODO: what does this d + # Let WAYLAND_DISPLAY be forwarded + AcceptEnv = "WAYLAND_DISPLAY"; + X11Forwarding = true; + }; + + hostKeys = [ + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + + # TODO: is automatic known hosts file even necessary? + # programs.ssh = { + # # Each hosts public key + # knownHosts = lib.genAttrs hosts (hostname: { + # publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub; + # extraHostNames = + # [ + # "${hostname}.m7.rs" + # ] + # ++ + # # Alias for localhost if it's the same host + # (lib.optional (hostname == config.networking.hostName) "localhost") + # # Alias to m7.rs and git.m7.rs if it's alcyone + # ++ (lib.optionals (hostname == "alcyone") [ + # "m7.rs" + # "git.m7.rs" + # ]); + # }); + # }; + +} diff --git a/hosts/common/global/podman.nix b/hosts/common/global/podman.nix new file mode 100644 index 0000000..a29151b --- /dev/null +++ b/hosts/common/global/podman.nix @@ -0,0 +1,12 @@ +{ config, ... }: +let + dockerEnabled = config.virtualisation.docker.enable; +in +{ + virtualisation.podman = { + enable = true; + dockerCompat = !dockerEnabled; + dockerSocket.enable = !dockerEnabled; + defaultNetwork.settings.dns_enabled = true; + }; +} diff --git a/hosts/common/global/sops.nix b/hosts/common/global/sops.nix new file mode 100644 index 0000000..e34ed01 --- /dev/null +++ b/hosts/common/global/sops.nix 
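Review bot: `X11Forwarding = true` is turned on for every host through this shared module, although only the clients that actually tunnel X need it and the sshd documentation flags it as a risk to the forwarding client's display; the hardened baseline should keep `X11Forwarding = false;` and hosts that need it can override it locally. The `let hosts = lib.attrNames outputs.nixosConfigurations;` binding (and the `config` argument) is unused now that the `knownHosts` block is commented out, so either remove it or restore the block. The `# TODO: what does this d` line above `AcceptEnv = "WAYLAND_DISPLAY"` is truncated; the following comment already explains the setting, so the TODO can be dropped or completed.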
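Review bot: `dockerSocket.enable = !dockerEnabled` publishes the podman API at the Docker socket path on every host importing this global module, and in the NixOS module that socket is served by a root-run daemon and opened to the `podman` group, so membership in that group is effectively root-equivalent. That is acceptable if it is a deliberate choice, but it is invisible from this file; I would record it next to the line, e.g. `# Docker-compatible socket: members of the podman group get root-equivalent access`, and consider moving the socket to the hosts that actually run Docker tooling rather than the shared baseline.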
@@ -0,0 +1,22 @@ +{ + inputs, + config, + ... +}: +let + isEd25519 = k: k.type == "ed25519"; + getKeyPath = k: k.path; + keys = builtins.filter isEd25519 config.services.openssh.hostKeys; +in +{ + imports = [ inputs.sops-nix.nixosModules.sops ]; + + sops.age = { + sshKeyPaths = map getKeyPath keys; + + # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!) + keyFile = "/home/julian/.config/sops/age/keys.txt"; + # Generate key if none of the above worked. With this, building will still work, just without secrets + generateKey = true; + }; +} diff --git a/modules/nixos/locales/default.nix b/modules/nixos/locales/default.nix deleted file mode 100644 index 9c93d9a..0000000 --- a/modules/nixos/locales/default.nix +++ /dev/null 
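Review bot: `keyFile = "/home/julian/.config/sops/age/keys.txt"` ties host-level secret decryption to a file inside one user's home directory: whoever can write there controls a key that root consults at activation, and with `generateKey = true` sops-nix will, as I read the option, create that file as root when it is missing. Since `sshKeyPaths` is already derived from the ed25519 host key, the extra key is redundant, as the `# TODO: remove?` line above it also notes, so I would drop `keyFile` and `generateKey` here; if a fallback key is really wanted, point `keyFile` at a root-owned location such as the `/var/lib/sops-nix/key.txt` used in the sops-nix documentation. The hard-coded username also does not belong in a module shared by all hosts.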
@@ -1,47 +0,0 @@ -{ - # Snowfall Lib provides a customized `lib` instance with access to your flake's library - # as well as the libraries available from your flake's inputs. - lib, - # An instance of `pkgs` with your overlays and packages applied is also available. - pkgs, - # You also have access to your flake's inputs. - inputs, - - # Additional metadata is provided by Snowfall Lib. - namespace, # The namespace used for your flake, defaulting to "internal" if not set. - system, # The system architecture for this host (eg. `x86_64-linux`). - target, # The Snowfall Lib target for this system (eg. `x86_64-iso`). - format, # A normalized name for the system target (eg. `iso`). - virtual, # A boolean to determine whether this system is a virtual target using nixos-generators. - systems, # An attribute map of your defined hosts. - - # All other arguments come from the module system. - config, - ... -}: - -let - cfg = config.modules.locales; -in -{ - options.modules.locales = { - enable = lib.mkOption { default = false; }; - }; - - config = lib.mkIf cfg.enable { - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "de_DE.UTF-8"; - LC_IDENTIFICATION = "de_DE.UTF-8"; - LC_MEASUREMENT = "de_DE.UTF-8"; - LC_MONETARY = "de_DE.UTF-8"; - LC_NAME = "de_DE.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "de_DE.UTF-8"; - LC_TELEPHONE = "de_DE.UTF-8"; - LC_TIME = "de_DE.UTF-8"; - }; - }; -} diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix deleted file mode 100644 index 12c4898..0000000 --- a/modules/nixos/sops/default.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - # Snowfall Lib provides a customized `lib` instance with access to your flake's library - # as well as the libraries available from your flake's inputs. - lib, - # An instance of `pkgs` with your overlays and packages applied is also available. - pkgs, - # You also have access to your flake's inputs. - inputs, - - # Additional metadata is provided by Snowfall Lib. - namespace, # The namespace used for your flake, defaulting to "internal" if not set. - system, # The system architecture for this host (eg. `x86_64-linux`). - target, # The Snowfall Lib target for this system (eg. `x86_64-iso`). - format, # A normalized name for the system target (eg. `iso`). - virtual, # A boolean to determine whether this system is a virtual target using nixos-generators. - systems, # An attribute map of your defined hosts. - - # All other arguments come from the module system. - config, - ... -}: - -let - cfg = config.modules.sops; -in -{ - options.modules.sops = { - enable = lib.mkOption { default = false; }; - }; - - config = lib.mkIf cfg.enable { - sops.defaultSopsFile = ../../../secrets/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - # Automatically generate age key from ssh key - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - # This is using an age key that is expected to already be in the filesystem - sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt"; - # Generate key if none of the above worked. With this, building will still work, just without secrets - sops.age.generateKey = true; - - # List of defined secrets - # They all become files linked inside the "/run/secrets/" directory - - }; -}