Add common hosts config

2025-04-22 22:12:45 +02:00 · 2025-04-22 22:12:45 +02:00 · 05350e1c1c
commit 05350e1c1c
parent 142b16fa9c
10 changed files with 246 additions and 94 deletions
--- a/hosts/aspi/default.nix
+++ b/hosts/aspi/default.nix
@ -20,7 +20,24 @@
  ...
 }:
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [
    # inputs.hardware.nixosModules.common-cpu-amd # TODO something useful for me?
    ./hardware-configuration.nix
    ../common/global
    ../common/users/gabriel
    ../common/optional/peripherals.nix
    ../common/optional/greetd.nix
    ../common/optional/pipewire.nix
    ../common/optional/quietboot.nix
    ../common/optional/wireless.nix
    ../common/optional/lxd.nix
    ../common/optional/starcitizen-fixes.nix
  ];
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  boot.blacklistedKernelModules = [ "pcspkr" ]; # Disables "beep"
--- a/hosts/common/global/default.nix
+++ b/hosts/common/global/default.nix
@ -0,0 +1,67 @@
 # Common config for all hosts
 {
  inputs,
  outputs,
  ...
 }:
 {
  imports =
    [
      ./fish.nix # fish for admin
      ./locale.nix
      ./nix.nix
      ./openssh.nix
      ./podman.nix
      ./sops.nix
    ]
    ++ [
      inputs.home-manager.nixosModules.home-manager
    ]
    ++ (builtins.attrValues outputs.nixosModules);
  home-manager.useGlobalPkgs = true;
  home-manager.extraSpecialArgs = {
    inherit inputs outputs;
  };
  # Apply overlays
  nixpkgs = {
    overlays = builtins.attrValues outputs.overlays;
    config = {
      allowUnfree = true;
    };
  };
  nix.settings.auto-optimise-store = true;
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
  ];
  # Setup binary caches
  nix.settings = {
    substituters = [
      "https://nix-community.cachix.org"
      "https://cache.nixos.org/"
      "https://hyprland.cachix.org"
      "http://binarycache.julian-mutter.de"
    ];
    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
    ];
    trusted-users = [ "@wheel" ]; # needed for devenv to add custom caches
  };
  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
  programs.nix-ld.enable = true;
 }
--- a/hosts/common/global/fish.nix
+++ b/hosts/common/global/fish.nix
@ -0,0 +1,10 @@
 {
  programs.fish = {
    enable = true;
    vendor = {
      completions.enable = true;
      config.enable = true;
      functions.enable = true;
    };
  };
 }
--- a/hosts/common/global/locale.nix
+++ b/hosts/common/global/locale.nix
@ -0,0 +1,16 @@
 {
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "de_DE.UTF-8";
    LC_IDENTIFICATION = "de_DE.UTF-8";
    LC_MEASUREMENT = "de_DE.UTF-8";
    LC_MONETARY = "de_DE.UTF-8";
    LC_NAME = "de_DE.UTF-8";
    LC_NUMERIC = "en_US.UTF-8";
    LC_PAPER = "de_DE.UTF-8";
    LC_TELEPHONE = "de_DE.UTF-8";
    LC_TIME = "de_DE.UTF-8";
  };
 }
--- a/hosts/common/global/nix.nix
+++ b/hosts/common/global/nix.nix
@ -0,0 +1,49 @@
 {
  lib,
  ...
 }:
 {
  nix.settings.auto-optimise-store = lib.mkDefault true;
  nix.settings.experimental-features = [
    "nix-command"
    "flakes"
    "ca-derivations"
  ];
  # warn-dirty = false;
  # Setup binary caches
  nix.settings = {
    substituters = [
      "https://nix-community.cachix.org"
      "https://cache.nixos.org/"
      "https://hyprland.cachix.org"
      "http://binarycache.julian-mutter.de"
    ];
    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
    ];
    trusted-users = [
      "root"
      "@wheel"
    ]; # needed for devenv to add custom caches
  };
  nix.gc = {
    automatic = true;
    dates = "weekly";
    # Keep the last 3 generations
    options = "--delete-older-than +3";
  };
  programs.nix-ld.enable = true;
  # TODO: is this useful?, what does it do?
  # nix.settings.flake-registry = ""; # Disable global flake registry
  # Add each flake input as a registry and nix_path
  # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
  # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
 }
--- a/hosts/common/global/openssh.nix
+++ b/hosts/common/global/openssh.nix
@ -0,0 +1,52 @@
 {
  outputs,
  lib,
  config,
  ...
 }:
 let
  hosts = lib.attrNames outputs.nixosConfigurations;
 in
 {
  services.openssh = {
    enable = true;
    settings = {
      # Harden
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      # TODO: what does this d
      # Let WAYLAND_DISPLAY be forwarded
      AcceptEnv = "WAYLAND_DISPLAY";
      X11Forwarding = true;
    };
    hostKeys = [
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
  };
  # TODO: is automatic known hosts file even necessary?
  # programs.ssh = {
  #   # Each hosts public key
  #   knownHosts = lib.genAttrs hosts (hostname: {
  #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
  #     extraHostNames =
  #       [
  #         "${hostname}.m7.rs"
  #       ]
  #       ++
  #         # Alias for localhost if it's the same host
  #         (lib.optional (hostname == config.networking.hostName) "localhost")
  #       # Alias to m7.rs and git.m7.rs if it's alcyone
  #       ++ (lib.optionals (hostname == "alcyone") [
  #         "m7.rs"
  #         "git.m7.rs"
  #       ]);
  #   });
  # };
 }
--- a/hosts/common/global/podman.nix
+++ b/hosts/common/global/podman.nix
@ -0,0 +1,12 @@
 { config, ... }:
 let
  dockerEnabled = config.virtualisation.docker.enable;
 in
 {
  virtualisation.podman = {
    enable = true;
    dockerCompat = !dockerEnabled;
    dockerSocket.enable = !dockerEnabled;
    defaultNetwork.settings.dns_enabled = true;
  };
 }
--- a/hosts/common/global/sops.nix
+++ b/hosts/common/global/sops.nix
@ -0,0 +1,22 @@
 {
  inputs,
  config,
  ...
 }:
 let
  isEd25519 = k: k.type == "ed25519";
  getKeyPath = k: k.path;
  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
 in
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
  sops.age = {
    sshKeyPaths = map getKeyPath keys;
    # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
    keyFile = "/home/julian/.config/sops/age/keys.txt";
    # Generate key if none of the above worked. With this, building will still work, just without secrets
    generateKey = true;
  };
 }
--- a/modules/nixos/locales/default.nix
+++ b/modules/nixos/locales/default.nix
@ -1,47 +0,0 @@
 {
  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
  # as well as the libraries available from your flake's inputs.
  lib,
  # An instance of `pkgs` with your overlays and packages applied is also available.
  pkgs,
  # You also have access to your flake's inputs.
  inputs,
  # Additional metadata is provided by Snowfall Lib.
  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
  system, # The system architecture for this host (eg. `x86_64-linux`).
  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
  format, # A normalized name for the system target (eg. `iso`).
  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
  systems, # An attribute map of your defined hosts.
  # All other arguments come from the module system.
  config,
  ...
 }:
 let
  cfg = config.modules.locales;
 in
 {
  options.modules.locales = {
    enable = lib.mkOption { default = false; };
  };
  config = lib.mkIf cfg.enable {
    # Select internationalisation properties.
    i18n.defaultLocale = "en_US.UTF-8";
    i18n.extraLocaleSettings = {
      LC_ADDRESS = "de_DE.UTF-8";
      LC_IDENTIFICATION = "de_DE.UTF-8";
      LC_MEASUREMENT = "de_DE.UTF-8";
      LC_MONETARY = "de_DE.UTF-8";
      LC_NAME = "de_DE.UTF-8";
      LC_NUMERIC = "en_US.UTF-8";
      LC_PAPER = "de_DE.UTF-8";
      LC_TELEPHONE = "de_DE.UTF-8";
      LC_TIME = "de_DE.UTF-8";
    };
  };
 }
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@ -1,46 +0,0 @@
 {
  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
  # as well as the libraries available from your flake's inputs.
  lib,
  # An instance of `pkgs` with your overlays and packages applied is also available.
  pkgs,
  # You also have access to your flake's inputs.
  inputs,
  # Additional metadata is provided by Snowfall Lib.
  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
  system, # The system architecture for this host (eg. `x86_64-linux`).
  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
  format, # A normalized name for the system target (eg. `iso`).
  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
  systems, # An attribute map of your defined hosts.
  # All other arguments come from the module system.
  config,
  ...
 }:
 let
  cfg = config.modules.sops;
 in
 {
  options.modules.sops = {
    enable = lib.mkOption { default = false; };
  };
  config = lib.mkIf cfg.enable {
    sops.defaultSopsFile = ../../../secrets/secrets.yaml;
    sops.defaultSopsFormat = "yaml";
    # Automatically generate age key from ssh key
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # This is using an age key that is expected to already be in the filesystem
    sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt";
    # Generate key if none of the above worked. With this, building will still work, just without secrets
    sops.age.generateKey = true;
    # List of defined secrets
    # They all become files linked inside the "/run/secrets/" directory
  };
 }