authorChristoph Cullmann <christoph@cullmann.io>2024-07-12 20:53:57 +0200
committerChristoph Cullmann <christoph@cullmann.io>2024-07-12 20:53:57 +0200
commitc5419a5d6e74d9c6ef2e9620ff2c5284eacd2aa1 (patch)
tree30c3fe7825a76a78cc32d4a5ac32a73d583650ef /share
parent0788d1aa4da22b938960aba4936b5eaf4b36b07e (diff)
sort files
Diffstat (limited to 'share')
-rw-r--r--share/common.nix519
-rw-r--r--share/home.nix127
-rw-r--r--share/users.nix69
3 files changed, 715 insertions, 0 deletions
diff --git a/share/common.nix b/share/common.nix
new file mode 100644
index 0000000..07f40b8
--- /dev/null
+++ b/share/common.nix
@@ -0,0 +1,519 @@
+{ config, pkgs, ... }:
+let
+ impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in
+{
+ #
+ # stuff shared between home machines
+ #
+
+ # get impermanence working & include more shared parts
+ imports = [
+ # manage persistent files
+ "${impermanence}/nixos.nix"
+
+ # our users
+ "/data/nixos/share/users.nix"
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+ # use the latest kernel with ZFS support and enable that file system
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ boot.supportedFilesystems = [ "zfs" ];
+
+ # no hibernate for ZFS systems
+ # don't check for split locks, for KVM and Co.
+ boot.kernelParams = [ "nohibernate" "split_lock_detect=off" ];
+
+ # tweak ZFS
+ boot.extraModprobeConfig = ''
+ options zfs zfs_arc_meta_limit_percent=75
+ options zfs zfs_arc_min=134217728
+ options zfs zfs_arc_max=4294967296
+ options zfs zfs_txg_timeout=30
+ options zfs zfs_vdev_scrub_min_active=1
+ options zfs zfs_vdev_scrub_max_active=1
+ options zfs zfs_vdev_sync_write_min_active=8
+ options zfs zfs_vdev_sync_write_max_active=32
+ options zfs zfs_vdev_sync_read_min_active=8
+ options zfs zfs_vdev_sync_read_max_active=32
+ options zfs zfs_vdev_async_read_min_active=8
+ options zfs zfs_vdev_async_read_max_active=32
+ options zfs zfs_vdev_async_write_min_active=8
+ options zfs zfs_vdev_async_write_max_active=32
+ options zfs zfs_vdev_def_queue_depth=128
+ '';
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # use a high resolution
+ boot.loader.systemd-boot.consoleMode = "max";
+
+ # we want to be able to do a memtest
+ boot.loader.systemd-boot.memtest86.enable = true;
+
+ # use systemd early
+ boot.initrd.systemd.enable = true;
+
+ # setup the console stuff early
+ console.earlySetup = true;
+
+ # swap to RAM
+ zramSwap.enable = true;
+
+ # root file system in RAM
+ fileSystems."/" =
+ { device = "none";
+ fsType = "tmpfs";
+ neededForBoot = true;
+ options = [ "defaults" "size=8G" "mode=755" ];
+ };
+
+ # nix store file system from encrypted ZFS
+ fileSystems."/nix" =
+ { device = "zpool/nix";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ # data store file system from encrypted ZFS
+ fileSystems."/data" =
+ { device = "zpool/data";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ # bind mount to have user homes
+ fileSystems."/home" =
+ { device = "/data/home";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" "x-gvfs-hide" ];
+ depends = [ "/data" ];
+ };
+
+ # bind mount to have root home
+ fileSystems."/root" =
+ { device = "/data/root";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" "x-gvfs-hide" ];
+ depends = [ "/data" ];
+ };
+
+ # bind mount to have NixOS configuration, different per host
+ fileSystems."/etc/nixos" =
+ { device = "/data/nixos/${config.networking.hostName}";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" "x-gvfs-hide" ];
+ depends = [ "/data" ];
+ };
+
+ # keep some stuff persistent
+ environment.persistence."/nix/persistent" = {
+ hideMounts = true;
+ directories = [
+ # tmp dir, don't fill our tmpfs root with that
+ { directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
+
+ # systemd timers
+ { directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+
+ # alsa state for persistent sound settings
+ { directory = "/var/lib/alsa"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+
+ # NetworkManager connections
+ { directory = "/etc/NetworkManager"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+ { directory = "/var/lib/NetworkManager"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+ ];
+ };
+
+ # kill the tmp content on reboots, we mount that to /nix/persistent to avoid memory fill-up
+ boot.tmp.cleanOnBoot = true;
+
+ # ensure our data is not rotting
+ services.zfs.autoScrub = {
+ enable = true;
+ interval = "weekly";
+ };
+
+ # trim the stuff, we use SSDs
+ services.zfs.trim.enable = true;
+
+ # enable fast dbus
+ services.dbus.implementation = "broker";
+
+ # allow all firmware
+ hardware.enableAllFirmware = true;
+
+ # use NetworkManager, works well for WiFi, too
+ networking.networkmanager.enable = true;
+
+ # ensure firewall is up, allow ssh in
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # OpenSSH daemon config
+ services.openssh = {
+ # enable with public key only auth, start on demand only
+ enable = true;
+ startWhenNeeded = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+
+ # only ed25519 keys, make them persistent
+ hostKeys = [{
+ path = "/nix/persistent/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+
+ # only safe ciphers & Co.
+ settings.Ciphers = [ "aes256-gcm@openssh.com" ];
+ settings.KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" ];
+ settings.Macs = [ "hmac-sha2-512-etm@openssh.com" ];
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # default locale is English US
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # use German stuff for sorting/date/....
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "de_DE.UTF-8";
+ LC_IDENTIFICATION = "de_DE.UTF-8";
+ LC_MEASUREMENT = "de_DE.UTF-8";
+ LC_MONETARY = "de_DE.UTF-8";
+ LC_NAME = "de_DE.UTF-8";
+ LC_NUMERIC = "de_DE.UTF-8";
+ LC_PAPER = "de_DE.UTF-8";
+ LC_TELEPHONE = "de_DE.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+
+ # allow to have all locales
+ i18n.supportedLocales = [ "all" ];
+
+ # use X11/wayland layout for console, too
+ console.useXkbConfig = true;
+
+ # enable greetd & the KDE Plasma Desktop Environment
+ services.desktopManager.plasma6.enable = true;
+ services.greetd = {
+ enable = true;
+ settings = {
+ default_session = {
+ command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd '${pkgs.kdePackages.plasma-workspace}/libexec/plasma-dbus-run-session-if-needed ${pkgs.kdePackages.plasma-workspace}/bin/startplasma-wayland'";
+ };
+ };
+ };
+
+ # enable sound with PipeWire
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ services.pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ };
+
+ # allow realtime
+ security.rtkit.enable = true;
+
+ # package manager config
+ nix = {
+ # auto optimize the store
+ settings.auto-optimise-store = true;
+
+ # cleanup the store from time to time
+ gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 7d";
+ };
+
+ # enable new stuff
+ settings.experimental-features = "nix-command flakes";
+
+ # https://github.com/nix-community/nix-direnv
+ extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ };
+
+ # auto update
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = false;
+ };
+
+ # avoid suspend ever to be triggered, ZFS dislikes that
+ systemd.targets.sleep.enable = false;
+ systemd.targets.suspend.enable = false;
+ systemd.targets.hibernate.enable = false;
+ systemd.targets.hybrid-sleep.enable = false;
+
+ # save power
+ powerManagement.enable = true;
+ services.thermald.enable = true;
+
+ # allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # we want DRM support
+ nixpkgs.config.chromium.enableWideVine = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ pkgs.kdePackages.ark
+ aspellDicts.de
+ aspellDicts.en
+ bitwise
+ borgbackup
+ btop
+ calibre
+ chromium
+ clinfo
+ config.boot.kernelPackages.perf
+ delta
+ duf
+ efibootmgr
+ emacs
+ f2
+ fdupes
+ ffmpeg
+ file
+ fzf
+ pkgs.kdePackages.filelight
+ gimp
+ gitFull
+ glxinfo
+ go
+ gorilla-bin
+ gptfdisk
+ heaptrack
+ hotspot
+ hugo
+ hunspellDicts.de_DE
+ hunspellDicts.en_US
+ inetutils
+ inkscape
+ pkgs.kdePackages.kate
+ pkgs.kdePackages.kcachegrind
+ pkgs.kdePackages.kcalc
+ keychain
+ pkgs.kdePackages.kmail
+ pkgs.kdePackages.konsole
+ krita
+ lazygit
+ libjxl
+ libreoffice
+ libva-utils
+ lsof
+ mailutils
+ mc
+ micro
+ pkgs.kdePackages.neochat
+ nixos-install-tools
+ nmap
+ nvme-cli
+ procmail
+ okteta
+ pkgs.kdePackages.okular
+ p7zip
+ parted
+ pciutils
+ pdftk
+ procs
+ pulseaudio
+ pwgen
+ qmk
+ ripgrep
+ scc
+ ssh-audit
+ sysstat
+ tcl
+ texlive.combined.scheme-small
+ tigervnc
+ tk
+ tldr
+ pkgs.kdePackages.tokodon
+ unrar
+ unzip
+ usbutils
+ valgrind
+ vlc
+ vscodium
+ vulkan-tools
+ wayland-utils
+ zoxide
+ zsh
+ ];
+
+ # run browsers in a sandbox
+ programs.firejail = {
+ enable = true;
+
+ wrappedBinaries = {
+ chromium = {
+ executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+ profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+ };
+
+ firefox = {
+ executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+
+ signal-desktop = {
+ executable = "${pkgs.signal-desktop}/bin/signal-desktop";
+ profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+ };
+ };
+ };
+
+ # chromium needs programs.firefox.enable here and systemPackages entry to have icon and work
+ programs.chromium.enable = true;
+
+ # firefox needs programs.firefox.enable here but no systemPackages entry to have icon and work
+ programs.firefox.enable = true;
+
+ # Flatpak to sandbox Steam, Bottles and Co.
+ #
+ # flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+ # flatpak install --user flathub com.usebottles.bottles
+ # flatpak install --user flathub com.valvesoftware.Steam
+ # flatpak update --user
+ #
+ services.flatpak.enable = true;
+
+ # allow keyboard configure tools to work
+ hardware.keyboard.qmk.enable = true;
+
+ # add ~/bin to PATH
+ environment.homeBinInPath = true;
+
+ # more fonts for all users
+ fonts = {
+ # default fonts
+ enableDefaultPackages = true;
+
+ # more fonts
+ packages = with pkgs; [
+ # add patched fonts for editor & terminal
+ (nerdfonts.override { fonts = [ "Iosevka" "IosevkaTerm" ]; })
+
+ # unicode capable fonts
+ babelstone-han
+ dejavu_fonts
+ ipafont
+ kochi-substitute
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-cjk-sans
+ noto-fonts-cjk-serif
+ noto-fonts-extra
+ noto-fonts-emoji
+ ];
+
+ # tune fontconfig
+ fontconfig = {
+ # better default fonts
+ defaultFonts = {
+ monospace = ["IosevkaTerm Nerd Font Mono"];
+ sansSerif = ["Noto Sans"];
+ serif = ["Noto Serif"];
+ };
+ };
+ };
+
+ # OpenGL
+ hardware.graphics.enable = true;
+
+ # try to ensure we can use our network LaserJet
+ services.printing.enable = true;
+ services.printing.drivers = [ pkgs.hplip ];
+
+ # dconf is needed for gtk, see https://nixos.wiki/wiki/KDE
+ programs.dconf.enable = true;
+
+ # ensure machine can send mails
+ services.opensmtpd = {
+ enable = true;
+ setSendmail = true;
+ serverConfiguration = ''
+ table aliases file:/etc/mail/aliases
+ table secrets file:/etc/mail/secrets
+ listen on localhost
+ action "local" mda "procmail -f -" virtual <aliases>
+ action "relay" relay host smtps://smtp@moon.babylon2k.com auth <secrets> mail-from bot@cullmann.io
+ match for local action "local"
+ match for any action "relay"
+ '';
+ };
+ environment.etc."mail/aliases" = {
+ text = "@ christoph@cullmann.io";
+ mode = "0400";
+ };
+ environment.etc."mail/secrets" = {
+ text = builtins.readFile "/data/nixos/mail.secret";
+ mode = "0400";
+ };
+
+ # send mails on ZFS events
+ services.zfs.zed = {
+ settings = {
+ ZED_DEBUG_LOG = "/tmp/zed.debug.log";
+ ZED_EMAIL_ADDR = [ "root" ];
+ ZED_EMAIL_PROG = "/run/wrappers/bin/sendmail";
+ ZED_EMAIL_OPTS = "@ADDRESS@";
+
+ ZED_NOTIFY_INTERVAL_SECS = 3600;
+ ZED_NOTIFY_VERBOSE = true;
+
+ ZED_USE_ENCLOSURE_LEDS = true;
+ ZED_SCRUB_AFTER_RESILVER = true;
+ };
+
+ # this option does not work; will return error
+ enableMail = false;
+ };
+
+ # use ZSH per default
+ programs.zsh.enable = true;
+ environment.shells = with pkgs; [ zsh ];
+
+ # needed for the ZSH completion
+ environment.pathsToLink = [ "/share/zsh" ];
+
+ # use micro as default terminal editor
+ environment.variables.EDITOR = "micro";
+
+ # enable VirtualBox
+ virtualisation.virtualbox.host.enable = true;
+ virtualisation.virtualbox.host.enableKvm = true;
+ virtualisation.virtualbox.host.enableHardening = false;
+ virtualisation.virtualbox.host.addNetworkInterface = false;
+
+ # configure sudo
+ security.sudo.execWheelOnly = true;
+ security.sudo.extraConfig = ''
+ Defaults lecture = never
+ '';
+}
diff --git a/share/home.nix b/share/home.nix
new file mode 100644
index 0000000..482d11a
--- /dev/null
+++ b/share/home.nix
@@ -0,0 +1,127 @@
+{
+ # initial version
+ home.stateVersion = "22.11";
+
+ # ZSH with good config
+ programs.zsh = {
+ # ZSH on
+ enable = true;
+
+ # we want completion
+ enableCompletion = true;
+
+ # we want suggestions of already typed stuff
+ autosuggestion.enable = true;
+
+ # we want nice command highlighting
+ syntaxHighlighting.enable = true;
+
+ # better history
+ history = {
+ # save timestamps
+ extended = true;
+
+ # kill dupes over full history
+ ignoreAllDups = true;
+
+ # don't share history between sessions
+ share = false;
+ };
+
+ # aliases
+ shellAliases = {
+ # system build/update/cleanup
+ update = "sudo nixos-rebuild boot";
+ upgrade = "sudo nixos-rebuild boot --upgrade";
+ updatenow = "sudo nixos-rebuild switch";
+ upgradenow = "sudo nixos-rebuild switch --upgrade";
+ gc = "sudo nix-collect-garbage --delete-older-than 7d";
+ verify = "sudo nix --extra-experimental-features nix-command store verify --all";
+ optimize = "sudo nix --extra-experimental-features nix-command store optimise";
+
+ # list latest files last
+ ltr = "eza -l -s modified";
+
+ # ssh around in the local network
+ beta = "ssh beta.fritz.box";
+ betaroot = "ssh root@beta.fritz.box";
+ bsd = "ssh bsd.fritz.box";
+ bsdroot = "ssh root@bsd.fritz.box";
+ mac = "ssh mac.fritz.box";
+ macroot = "ssh root@mac.fritz.box";
+ mini = "ssh mini.fritz.box";
+ miniroot = "ssh root@mini.fritz.box";
+ neko = "ssh neko.fritz.box";
+ nekoroot = "ssh root@neko.fritz.box";
+ };
+ };
+
+ # nice prompt
+ # https://starship.rs/config/
+ # https://draculatheme.com/starship
+ programs.starship = {
+ enable = true;
+ enableZshIntegration = true;
+ settings = {
+ aws.style = "bold #ffb86c";
+ cmd_duration.style = "bold #f1fa8c";
+ directory.style = "bold #50fa7b";
+ hostname.style = "bold #ff5555";
+ git_branch.style = "bold #ff79c6";
+ git_status.style = "bold #ff5555";
+ username = {
+ format = "[$user]($style) on ";
+ style_user = "bold #bd93f9";
+ };
+ character = {
+ success_symbol = "[❯](bold #f8f8f2)";
+ error_symbol = "[❯](bold #ff5555)";
+ };
+ directory = {
+ truncation_length = 8;
+ truncate_to_repo = false;
+ };
+ };
+ };
+
+ # nice cd
+ programs.zoxide = {
+ enable = true;
+ enableZshIntegration = true;
+ options = [ "--cmd" "cd" ];
+ };
+
+ # integrate fuzzy search
+ programs.fzf = {
+ enable = true;
+ enableZshIntegration = true;
+ };
+
+ # better ls, adds la and Co. aliases, too
+ programs.eza = {
+ enable = true;
+ enableZshIntegration = true;
+ };
+
+ # better cat
+ programs.bat = {
+ enable = true;
+ };
+
+ # better find
+ programs.fd = {
+ enable = true;
+ };
+
+ # enable keychain, we use the main user key
+ programs.keychain = {
+ enable = true;
+ keys = [ "/home/cullmann/.ssh/id_ed25519" ];
+ };
+
+ # https://github.com/nix-community/nix-direnv
+ programs.direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ };
+}
diff --git a/share/users.nix b/share/users.nix
new file mode 100644
index 0000000..fde40bf
--- /dev/null
+++ b/share/users.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+let
+ home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/master.tar.gz";
+in
+{
+ # get home manager working
+ imports = [
+ # home manager for per user config
+ "${home-manager}/nixos"
+ ];
+
+ # define the users we have on our systems
+ users = {
+ # all users and passwords are defined here
+ mutableUsers = false;
+
+ # default shell is ZSH
+ defaultUserShell = pkgs.zsh;
+
+ #
+ # administrator
+ #
+
+ users.root = {
+ # init password
+ hashedPassword = builtins.readFile "/data/nixos/password.secret";
+
+ # use fixed auth keys
+ openssh.authorizedKeys.keys = pkgs.lib.splitString "\n" (builtins.readFile "/data/nixos/authorized_keys.secret");
+ };
+
+ #
+ # my main user
+ #
+
+ users.cullmann = {
+ # hard code UID for stability over machines
+ uid = 1000;
+
+ # normal user
+ isNormalUser = true;
+
+ # it's me :P
+ description = "Christoph Cullmann";
+
+ # allow VirtualBox and sudo for my main user
+ extraGroups = [ "vboxusers" "wheel" ];
+
+ # init password
+ hashedPassword = config.users.users.root.hashedPassword;
+
+ # use fixed auth keys
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ };
+ };
+
+ # home manager settings
+ home-manager = {
+ # let home manager install stuff to /etc/profiles
+ useUserPackages = true;
+
+ # use global pkgs
+ useGlobalPkgs = true;
+
+ # use shared home manager settings
+ users.root = import ./home.nix;
+ users.cullmann = import ./home.nix;
+ };
+}