From c5419a5d6e74d9c6ef2e9620ff2c5284eacd2aa1 Mon Sep 17 00:00:00 2001
From: Christoph Cullmann
Date: Fri, 12 Jul 2024 20:53:57 +0200
Subject: sort files
---
share/common.nix | 519 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
share/home.nix | 127 ++++++++++++++
share/users.nix | 69 ++++++++
3 files changed, 715 insertions(+)
create mode 100644 share/common.nix
create mode 100644 share/home.nix
create mode 100644 share/users.nix
(limited to 'share')
diff --git a/share/common.nix b/share/common.nix
new file mode 100644
index 0000000..07f40b8
--- /dev/null
+++ b/share/common.nix
@@ -0,0 +1,519 @@
+{ config, pkgs, ... }:
+let
+ impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in
+{
+ #
+ # stuff shared between home machines
+ #
+
+ # get impermanence working & include more shared parts
+ imports = [
+ # manage persistent files
+ "${impermanence}/nixos.nix"
+
+ # our users
+ "/data/nixos/share/users.nix"
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+ # use the latest kernel with ZFS support and enable that file system
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ boot.supportedFilesystems = [ "zfs" ];
+
+ # no hibernate for ZFS systems
+ # don't check for split locks, for KVM and Co.
+ boot.kernelParams = [ "nohibernate" "split_lock_detect=off" ];
+
+ # tweak ZFS
+ boot.extraModprobeConfig = ''
+ options zfs zfs_arc_meta_limit_percent=75
+ options zfs zfs_arc_min=134217728
+ options zfs zfs_arc_max=4294967296
+ options zfs zfs_txg_timeout=30
+ options zfs zfs_vdev_scrub_min_active=1
+ options zfs zfs_vdev_scrub_max_active=1
+ options zfs zfs_vdev_sync_write_min_active=8
+ options zfs zfs_vdev_sync_write_max_active=32
+ options zfs zfs_vdev_sync_read_min_active=8
+ options zfs zfs_vdev_sync_read_max_active=32
+ options zfs zfs_vdev_async_read_min_active=8
+ options zfs zfs_vdev_async_read_max_active=32
+ options zfs zfs_vdev_async_write_min_active=8
+ options zfs zfs_vdev_async_write_max_active=32
+ options zfs zfs_vdev_def_queue_depth=128
+ '';
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # use a high resolution
+ boot.loader.systemd-boot.consoleMode = "max";
+
+ # we want to be able to do a memtest
+ boot.loader.systemd-boot.memtest86.enable = true;
+
+ # use systemd early
+ boot.initrd.systemd.enable = true;
+
+ # setup the console stuff early
+ console.earlySetup = true;
+
+ # swap to RAM
+ zramSwap.enable = true;
+
+ # root file system in RAM
+ fileSystems."/" =
+ { device = "none";
+ fsType = "tmpfs";
+ neededForBoot = true;
+ options = [ "defaults" "size=8G" "mode=755" ];
+ };
+
+ # nix store file system from encrypted ZFS
+ fileSystems."/nix" =
+ { device = "zpool/nix";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ # data store file system from encrypted ZFS
+ fileSystems."/data" =
+ { device = "zpool/data";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ # bind mount to have user homes
+ fileSystems."/home" =
+ { device = "/data/home";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" "x-gvfs-hide" ];
+ depends = [ "/data" ];
+ };
+
+ # bind mount to have root home
+ fileSystems."/root" =
+ { device = "/data/root";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" "x-gvfs-hide" ];
+ depends = [ "/data" ];
+ };
+
+ # bind mount to have NixOS configuration, different per host
+ fileSystems."/etc/nixos" =
+ { device = "/data/nixos/${config.networking.hostName}";
+ fsType = "none";
+ neededForBoot = true;
+ options = [ "bind" "x-gvfs-hide" ];
+ depends = [ "/data" ];
+ };
+
+ # keep some stuff persistent
+ environment.persistence."/nix/persistent" = {
+ hideMounts = true;
+ directories = [
+ # tmp dir, don't fill our tmpfs root with that
+ { directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
+
+ # systemd timers
+ { directory = "/var/lib/systemd/timers"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+
+ # alsa state for persistent sound settings
+ { directory = "/var/lib/alsa"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+
+ # NetworkManager connections
+ { directory = "/etc/NetworkManager"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+ { directory = "/var/lib/NetworkManager"; user = "root"; group = "root"; mode = "u=rwx,g=rx,o=rx"; }
+ ];
+ };
+
+ # kill the tmp content on reboots, we mount that to /nix/persistent to avoid memory fill-up
+ boot.tmp.cleanOnBoot = true;
+
+ # ensure our data is not rotting
+ services.zfs.autoScrub = {
+ enable = true;
+ interval = "weekly";
+ };
+
+ # trim the stuff, we use SSDs
+ services.zfs.trim.enable = true;
+
+ # enable fast dbus
+ services.dbus.implementation = "broker";
+
+ # allow all firmware
+ hardware.enableAllFirmware = true;
+
+ # use NetworkManager, works well for WiFi, too
+ networking.networkmanager.enable = true;
+
+ # ensure firewall is up, allow ssh in
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # OpenSSH daemon config
+ services.openssh = {
+ # enable with public key only auth, start on demand only
+ enable = true;
+ startWhenNeeded = true;
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+
+ # only ed25519 keys, make them persistent
+ hostKeys = [{
+ path = "/nix/persistent/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+
+ # only safe ciphers & Co.
+ settings.Ciphers = [ "aes256-gcm@openssh.com" ];
+ settings.KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" ];
+ settings.Macs = [ "hmac-sha2-512-etm@openssh.com" ];
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # default locale is English US
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # use German stuff for sorting/date/....
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "de_DE.UTF-8";
+ LC_IDENTIFICATION = "de_DE.UTF-8";
+ LC_MEASUREMENT = "de_DE.UTF-8";
+ LC_MONETARY = "de_DE.UTF-8";
+ LC_NAME = "de_DE.UTF-8";
+ LC_NUMERIC = "de_DE.UTF-8";
+ LC_PAPER = "de_DE.UTF-8";
+ LC_TELEPHONE = "de_DE.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+
+ # allow to have all locales
+ i18n.supportedLocales = [ "all" ];
+
+ # use X11/wayland layout for console, too
+ console.useXkbConfig = true;
+
+ # enable greetd & the KDE Plasma Desktop Environment
+ services.desktopManager.plasma6.enable = true;
+ services.greetd = {
+ enable = true;
+ settings = {
+ default_session = {
+ command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd '${pkgs.kdePackages.plasma-workspace}/libexec/plasma-dbus-run-session-if-needed ${pkgs.kdePackages.plasma-workspace}/bin/startplasma-wayland'";
+ };
+ };
+ };
+
+ # enable sound with PipeWire
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ services.pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ };
+
+ # allow realtime
+ security.rtkit.enable = true;
+
+ # package manager config
+ nix = {
+ # auto optimize the store
+ settings.auto-optimise-store = true;
+
+ # cleanup the store from time to time
+ gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 7d";
+ };
+
+ # enable new stuff
+ settings.experimental-features = "nix-command flakes";
+
+ # https://github.com/nix-community/nix-direnv
+ extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ };
+
+ # auto update
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = false;
+ };
+
+ # avoid suspend ever to be triggered, ZFS dislikes that
+ systemd.targets.sleep.enable = false;
+ systemd.targets.suspend.enable = false;
+ systemd.targets.hibernate.enable = false;
+ systemd.targets.hybrid-sleep.enable = false;
+
+ # save power
+ powerManagement.enable = true;
+ services.thermald.enable = true;
+
+ # allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # we want DRM support
+ nixpkgs.config.chromium.enableWideVine = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ pkgs.kdePackages.ark
+ aspellDicts.de
+ aspellDicts.en
+ bitwise
+ borgbackup
+ btop
+ calibre
+ chromium
+ clinfo
+ config.boot.kernelPackages.perf
+ delta
+ duf
+ efibootmgr
+ emacs
+ f2
+ fdupes
+ ffmpeg
+ file
+ fzf
+ pkgs.kdePackages.filelight
+ gimp
+ gitFull
+ glxinfo
+ go
+ gorilla-bin
+ gptfdisk
+ heaptrack
+ hotspot
+ hugo
+ hunspellDicts.de_DE
+ hunspellDicts.en_US
+ inetutils
+ inkscape
+ pkgs.kdePackages.kate
+ pkgs.kdePackages.kcachegrind
+ pkgs.kdePackages.kcalc
+ keychain
+ pkgs.kdePackages.kmail
+ pkgs.kdePackages.konsole
+ krita
+ lazygit
+ libjxl
+ libreoffice
+ libva-utils
+ lsof
+ mailutils
+ mc
+ micro
+ pkgs.kdePackages.neochat
+ nixos-install-tools
+ nmap
+ nvme-cli
+ procmail
+ okteta
+ pkgs.kdePackages.okular
+ p7zip
+ parted
+ pciutils
+ pdftk
+ procs
+ pulseaudio
+ pwgen
+ qmk
+ ripgrep
+ scc
+ ssh-audit
+ sysstat
+ tcl
+ texlive.combined.scheme-small
+ tigervnc
+ tk
+ tldr
+ pkgs.kdePackages.tokodon
+ unrar
+ unzip
+ usbutils
+ valgrind
+ vlc
+ vscodium
+ vulkan-tools
+ wayland-utils
+ zoxide
+ zsh
+ ];
+
+ # run browsers in a sandbox
+ programs.firejail = {
+ enable = true;
+
+ wrappedBinaries = {
+ chromium = {
+ executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+ profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+ };
+
+ firefox = {
+ executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+
+ signal-desktop = {
+ executable = "${pkgs.signal-desktop}/bin/signal-desktop";
+ profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+ };
+ };
+ };
+
+ # chromium needs programs.firefox.enable here and systemPackages entry to have icon and work
+ programs.chromium.enable = true;
+
+ # firefox needs programs.firefox.enable here but no systemPackages entry to have icon and work
+ programs.firefox.enable = true;
+
+ # Flatpak to sandbox Steam, Bottles and Co.
+ #
+ # flatpak remote-add --if-not-exists --user flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+ # flatpak install --user flathub com.usebottles.bottles
+ # flatpak install --user flathub com.valvesoftware.Steam
+ # flatpak update --user
+ #
+ services.flatpak.enable = true;
+
+ # allow keyboard configure tools to work
+ hardware.keyboard.qmk.enable = true;
+
+ # add ~/bin to PATH
+ environment.homeBinInPath = true;
+
+ # more fonts for all users
+ fonts = {
+ # default fonts
+ enableDefaultPackages = true;
+
+ # more fonts
+ packages = with pkgs; [
+ # add patched fonts for editor & terminal
+ (nerdfonts.override { fonts = [ "Iosevka" "IosevkaTerm" ]; })
+
+ # unicode capable fonts
+ babelstone-han
+ dejavu_fonts
+ ipafont
+ kochi-substitute
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-cjk-sans
+ noto-fonts-cjk-serif
+ noto-fonts-extra
+ noto-fonts-emoji
+ ];
+
+ # tune fontconfig
+ fontconfig = {
+ # better default fonts
+ defaultFonts = {
+ monospace = ["IosevkaTerm Nerd Font Mono"];
+ sansSerif = ["Noto Sans"];
+ serif = ["Noto Serif"];
+ };
+ };
+ };
+
+ # OpenGL
+ hardware.graphics.enable = true;
+
+ # try to ensure we can use our network LaserJet
+ services.printing.enable = true;
+ services.printing.drivers = [ pkgs.hplip ];
+
+ # dconf is needed for gtk, see https://nixos.wiki/wiki/KDE
+ programs.dconf.enable = true;
+
+ # ensure machine can send mails
+ services.opensmtpd = {
+ enable = true;
+ setSendmail = true;
+ serverConfiguration = ''
+ table aliases file:/etc/mail/aliases
+ table secrets file:/etc/mail/secrets
+ listen on localhost
+ action "local" mda "procmail -f -" virtual
+ action "relay" relay host smtps://smtp@moon.babylon2k.com auth mail-from bot@cullmann.io
+ match for local action "local"
+ match for any action "relay"
+ '';
+ };
+ environment.etc."mail/aliases" = {
+ text = "@ christoph@cullmann.io";
+ mode = "0400";
+ };
+ environment.etc."mail/secrets" = {
+ text = builtins.readFile "/data/nixos/mail.secret";
+ mode = "0400";
+ };
+
+ # send mails on ZFS events
+ services.zfs.zed = {
+ settings = {
+ ZED_DEBUG_LOG = "/tmp/zed.debug.log";
+ ZED_EMAIL_ADDR = [ "root" ];
+ ZED_EMAIL_PROG = "/run/wrappers/bin/sendmail";
+ ZED_EMAIL_OPTS = "@ADDRESS@";
+
+ ZED_NOTIFY_INTERVAL_SECS = 3600;
+ ZED_NOTIFY_VERBOSE = true;
+
+ ZED_USE_ENCLOSURE_LEDS = true;
+ ZED_SCRUB_AFTER_RESILVER = true;
+ };
+
+ # this option does not work; will return error
+ enableMail = false;
+ };
+
+ # use ZSH per default
+ programs.zsh.enable = true;
+ environment.shells = with pkgs; [ zsh ];
+
+ # needed for the ZSH completion
+ environment.pathsToLink = [ "/share/zsh" ];
+
+ # use micro as default terminal editor
+ environment.variables.EDITOR = "micro";
+
+ # enable VirtualBox
+ virtualisation.virtualbox.host.enable = true;
+ virtualisation.virtualbox.host.enableKvm = true;
+ virtualisation.virtualbox.host.enableHardening = false;
+ virtualisation.virtualbox.host.addNetworkInterface = false;
+
+ # configure sudo
+ security.sudo.execWheelOnly = true;
+ security.sudo.extraConfig = ''
+ Defaults lecture = never
+ '';
+}
diff --git a/share/home.nix b/share/home.nix
new file mode 100644
index 0000000..482d11a
--- /dev/null
+++ b/share/home.nix
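Review bot: `environment.etc."mail/secrets".text = builtins.readFile "/data/nixos/mail.secret"` copies the SMTP relay credential into the Nix store at evaluation time, and the store is world-readable, so the `mode = "0400"` on the generated /etc file does not protect it (the same pattern reads the password hash into `users.users.root.hashedPassword` in share/users.nix). Keep the credential out of the store by pointing the smtpd table at the persistent path directly, `table secrets file:/data/nixos/mail.secret` in `serverConfiguration`, with that file readable only by root, and use `hashedPasswordFile` for the user account. Separately, the `builtins.fetchTarball` at the top of this file (and the home-manager one in share/users.nix) pulls an unpinned `master` archive with no `sha256`, so every rebuild and every `system.autoUpgrade` run trusts whatever the remote serves at that moment; pin to a tagged archive with a `sha256` for reproducibility and supply-chain integrity. `virtualisation.virtualbox.host.enableHardening = false` also deserves a comment stating why the setuid hardening is switched off, since it weakens the isolation between the VM host process and local users.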
@@ -0,0 +1,127 @@
+{
+ # initial version
+ home.stateVersion = "22.11";
+
+ # ZSH with good config
+ programs.zsh = {
+ # ZSH on
+ enable = true;
+
+ # we want completion
+ enableCompletion = true;
+
+ # we want suggestions of already typed stuff
+ autosuggestion.enable = true;
+
+ # we want nice command highlighting
+ syntaxHighlighting.enable = true;
+
+ # better history
+ history = {
+ # save timestamps
+ extended = true;
+
+ # kill dupes over full history
+ ignoreAllDups = true;
+
+ # don't share history between sessions
+ share = false;
+ };
+
+ # aliases
+ shellAliases = {
+ # system build/update/cleanup
+ update = "sudo nixos-rebuild boot";
+ upgrade = "sudo nixos-rebuild boot --upgrade";
+ updatenow = "sudo nixos-rebuild switch";
+ upgradenow = "sudo nixos-rebuild switch --upgrade";
+ gc = "sudo nix-collect-garbage --delete-older-than 7d";
+ verify = "sudo nix --extra-experimental-features nix-command store verify --all";
+ optimize = "sudo nix --extra-experimental-features nix-command store optimise";
+
+ # list latest files last
+ ltr = "eza -l -s modified";
+
+ # ssh around in the local network
+ beta = "ssh beta.fritz.box";
+ betaroot = "ssh root@beta.fritz.box";
+ bsd = "ssh bsd.fritz.box";
+ bsdroot = "ssh root@bsd.fritz.box";
+ mac = "ssh mac.fritz.box";
+ macroot = "ssh root@mac.fritz.box";
+ mini = "ssh mini.fritz.box";
+ miniroot = "ssh root@mini.fritz.box";
+ neko = "ssh neko.fritz.box";
+ nekoroot = "ssh root@neko.fritz.box";
+ };
+ };
+
+ # nice prompt
+ # https://starship.rs/config/
+ # https://draculatheme.com/starship
+ programs.starship = {
+ enable = true;
+ enableZshIntegration = true;
+ settings = {
+ aws.style = "bold #ffb86c";
+ cmd_duration.style = "bold #f1fa8c";
+ directory.style = "bold #50fa7b";
+ hostname.style = "bold #ff5555";
+ git_branch.style = "bold #ff79c6";
+ git_status.style = "bold #ff5555";
+ username = {
+ format = "[$user]($style) on ";
+ style_user = "bold #bd93f9";
+ };
+ character = {
+ success_symbol = "[❯](bold #f8f8f2)";
+ error_symbol = "[❯](bold #ff5555)";
+ };
+ directory = {
+ truncation_length = 8;
+ truncate_to_repo = false;
+ };
+ };
+ };
+
+ # nice cd
+ programs.zoxide = {
+ enable = true;
+ enableZshIntegration = true;
+ options = [ "--cmd" "cd" ];
+ };
+
+ # integrate fuzzy search
+ programs.fzf = {
+ enable = true;
+ enableZshIntegration = true;
+ };
+
+ # better ls, adds la and Co. aliases, too
+ programs.eza = {
+ enable = true;
+ enableZshIntegration = true;
+ };
+
+ # better cat
+ programs.bat = {
+ enable = true;
+ };
+
+ # better find
+ programs.fd = {
+ enable = true;
+ };
+
+ # enable keychain, we use the main user key
+ programs.keychain = {
+ enable = true;
+ keys = [ "/home/cullmann/.ssh/id_ed25519" ];
+ };
+
+ # https://github.com/nix-community/nix-direnv
+ programs.direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ };
+}
diff --git a/share/users.nix b/share/users.nix
new file mode 100644
index 0000000..fde40bf
--- /dev/null
+++ b/share/users.nix
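Review bot: `keys = [ "/home/cullmann/.ssh/id_ed25519" ]` hard-codes the main user's private key path, and share/users.nix imports this same home.nix for root, so root's keychain will load and cache another account's private key in root's agent instead of root's own. Make the path account-relative by turning the file into a module function, `{ config, ... }:`, and using `keys = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];`, so each user only ever unlocks its own key. The `*root` aliases (`betaroot`, `bsdroot`, …) document that direct root SSH logins are expected on every host; that is acceptable only as long as it stays key-only, which the sshd settings in share/common.nix enforce, so a comment here pointing at that dependency would help the next reader.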
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+let
+ home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/master.tar.gz";
+in
+{
+ # get home manager working
+ imports = [
+ # home manager for per user config
+ "${home-manager}/nixos"
+ ];
+
+ # define the users we have on our systems
+ users = {
+ # all users and passwords are defined here
+ mutableUsers = false;
+
+ # default shell is ZSH
+ defaultUserShell = pkgs.zsh;
+
+ #
+ # administrator
+ #
+
+ users.root = {
+ # init password
+ hashedPassword = builtins.readFile "/data/nixos/password.secret";
+
+ # use fixed auth keys
+ openssh.authorizedKeys.keys = pkgs.lib.splitString "\n" (builtins.readFile "/data/nixos/authorized_keys.secret");
+ };
+
+ #
+ # my main user
+ #
+
+ users.cullmann = {
+ # hard code UID for stability over machines
+ uid = 1000;
+
+ # normal user
+ isNormalUser = true;
+
+ # it's me :P
+ description = "Christoph Cullmann";
+
+ # allow VirtualBox and sudo for my main user
+ extraGroups = [ "vboxusers" "wheel" ];
+
+ # init password
+ hashedPassword = config.users.users.root.hashedPassword;
+
+ # use fixed auth keys
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ };
+ };
+
+ # home manager settings
+ home-manager = {
+ # let home manager install stuff to /etc/profiles
+ useUserPackages = true;
+
+ # use global pkgs
+ useGlobalPkgs = true;
+
+ # use shared home manager settings
+ users.root = import ./home.nix;
+ users.cullmann = import ./home.nix;
+ };
+}
--
cgit v1.2.3
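Review bot: Root and the `cullmann` account end up with an identical password hash and identical SSH authorized keys (`hashedPassword = config.users.users.root.hashedPassword;` and the `openssh.authorizedKeys.keys` line below it), so compromising that single key or password gives root on every host directly, while `wheel` membership already provides root via sudo. Give root a distinct hash at minimum, and if direct root SSH is not needed on a host, drop root's `openssh.authorizedKeys.keys` or set `services.openssh.settings.PermitRootLogin = "no";` in share/common.nix. `builtins.readFile` also keeps the trailing newline of `/data/nixos/password.secret`, so the hash likely needs trimming; `hashedPasswordFile = "/data/nixos/password.secret";` avoids that and additionally keeps the hash out of the world-readable Nix store. Similarly, `splitString "\n"` yields an empty trailing entry when `authorized_keys.secret` ends with a newline, which is harmless for sshd but worth filtering for cleanliness.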