Diffstat (limited to 'parts')
114 files changed, 4011 insertions, 27 deletions
diff --git a/parts/default.nix b/parts/default.nix index fd41d6b..ac7bc08 100644 --- a/parts/default.nix +++ b/parts/default.nix @@ -1,8 +1,11 @@ -_: { +{ imports = [ - ./dev.nix ./lib + ./modules ./overlays + ./systems + ./users + ./dev.nix ]; systems = [ diff --git a/parts/dev.nix b/parts/dev.nix index 1ecb17e..0ca95aa 100644 --- a/parts/dev.nix +++ b/parts/dev.nix @@ -1,4 +1,12 @@ -{lib, ...}: { +{ + lib, + inputs, + ... +}: { + imports = [ + inputs.pre-commit.flakeModule + ]; + perSystem = { pkgs, config, diff --git a/parts/lib/configs.nix b/parts/lib/configs.nix index a3c20a6..5392d9b 100644 --- a/parts/lib/configs.nix +++ b/parts/lib/configs.nix @@ -1,11 +1,6 @@ -{ - inputs, - self, - ... -}: let - inherit (builtins) attrNames mapAttrs; +{inputs, ...}: let + inherit (builtins) mapAttrs; inherit (inputs) nixpkgs hm; - inherit (nixpkgs.lib) genAttrs optional; mkSystemCfg = name: { profile, @@ -16,7 +11,7 @@ profile.builder { inherit specialArgs system; modules = - [../../hosts/${name}] + [../systems/${name}] ++ ( if modules == profile.modules then modules @@ -25,8 +20,8 @@ }; mkHMCfg = name: { - pkgs ? import nixpkgs {system = "x86_64-linux";}, - extraSpecialArgs ? inputs, + pkgs ? nixpkgs.legacyPackages."x86_64-linux", + extraSpecialArgs ? {inherit inputs;}, modules ? [], }: hm.lib.homeManagerConfiguration { @@ -34,23 +29,16 @@ modules = [ - self.homeManagerModules.${name} - ../../users/${name}/home.nix + ../users/${name}/home.nix { _module.args.osConfig = {}; programs.home-manager.enable = true; } ] - ++ optional pkgs.stdenv.isDarwin ../../users/${name}/darwin.nix ++ modules; }; in { - inherit mkHMCfg mkSystemCfg; - mapHMUsers = mapAttrs mkHMCfg; - mapSystems = mapAttrs mkSystemCfg; - - genHMModules = users: - genAttrs (attrNames users) (name: import ../../users/${name}/module.nix); + mapHMUsers = mapAttrs mkHMCfg; } diff --git a/parts/lib/default.nix b/parts/lib/default.nix index 5f99521..c499eec 100644 --- a/parts/lib/default.nix +++ b/parts/lib/default.nix 
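Review bot: `mkHMCfg` no longer appends `../../users/${name}/darwin.nix` for Darwin package sets, and nothing in the new module list replaces it, so per-user Darwin home settings kept in that file stop being applied with no warning at evaluation time. If that file was folded into `home.nix` this is fine; otherwise restore `++ optional pkgs.stdenv.isDarwin ../users/${name}/darwin.nix` (and the dropped `inherit (nixpkgs.lib) optional;`). The default `pkgs ? nixpkgs.legacyPackages."x86_64-linux"` also means a Darwin caller that omits `pkgs` silently gets a Linux package set, which deserves a comment on the parameter.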
@@ -1,6 +1,8 @@ -{withSystem, ...} @ args: { +args: { flake.lib = { configs = import ./configs.nix args; - utils = import ./utils ({inherit withSystem;} // args); + utils = { + nginx = import ./utils/nginx.nix args; + }; }; } diff --git a/parts/lib/utils/default.nix b/parts/lib/utils/default.nix deleted file mode 100644 index ad91841..0000000 --- a/parts/lib/utils/default.nix +++ /dev/null @@ -1,3 +0,0 @@ -args: { - nginx = import ./nginx.nix args; -} diff --git a/parts/modules/darwin/base/default.nix b/parts/modules/darwin/base/default.nix new file mode 100644 index 0000000..42c0335 --- /dev/null +++ b/parts/modules/darwin/base/default.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: let + cfg = config.base; + inherit (lib) mkDefault mkEnableOption mkIf; +in { + options.base.enable = mkEnableOption "base darwin module"; + + imports = [ + ../../shared + ./nix.nix + ./packages.nix + ]; + + config = mkIf cfg.enable { + base = { + defaultPackages.enable = mkDefault true; + defaultLocale.enable = mkDefault true; + documentation.enable = mkDefault true; + nix-settings.enable = mkDefault true; + }; + + programs = { + bash.enable = true; + zsh.enable = true; + }; + + services.nix-daemon.enable = true; + }; +} diff --git a/parts/modules/darwin/base/nix.nix b/parts/modules/darwin/base/nix.nix new file mode 100644 index 0000000..c853650 --- /dev/null +++ b/parts/modules/darwin/base/nix.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + inputs, + ... +}: let + inherit (builtins) attrNames map; + inherit (lib) mkIf; + cfg = config.base.nix-settings; + + channelPath = i: "${inputs.${i}.outPath}"; + + mapInputs = fn: map fn (attrNames inputs); +in { + config = mkIf cfg.enable { + nix.nixPath = mapInputs (i: "${i}=${channelPath i}"); + }; +} diff --git a/parts/modules/darwin/base/packages.nix b/parts/modules/darwin/base/packages.nix new file mode 100644 index 0000000..97fb77c --- /dev/null +++ b/parts/modules/darwin/base/packages.nix 
@@ -0,0 +1,12 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultPackages; + inherit (lib) mkIf; +in { + config = mkIf cfg.enable { + programs.vim.enable = true; + }; +} diff --git a/parts/modules/darwin/default.nix b/parts/modules/darwin/default.nix new file mode 100644 index 0000000..ed9c7e1 --- /dev/null +++ b/parts/modules/darwin/default.nix @@ -0,0 +1,6 @@ +_: { + imports = [ + ./base + ./desktop + ]; +} diff --git a/parts/modules/darwin/desktop/default.nix b/parts/modules/darwin/desktop/default.nix new file mode 100644 index 0000000..1f71642 --- /dev/null +++ b/parts/modules/darwin/desktop/default.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.desktop; + inherit (lib) mkDefault mkEnableOption mkIf; +in { + options.desktop = { + enable = mkEnableOption "enable desktop darwin support"; + gpg.enable = mkEnableOption "enable gpg"; + }; + + imports = [ + ./homebrew.nix + ]; + + config = mkIf cfg.enable { + fonts.fonts = with pkgs; + mkDefault [ + (nerdfonts.override {fonts = ["FiraCode"];}) + ]; + + programs.gnupg.agent.enable = cfg.gpg.enable; + }; +} diff --git a/parts/modules/darwin/desktop/homebrew.nix b/parts/modules/darwin/desktop/homebrew.nix new file mode 100644 index 0000000..4a58ae9 --- /dev/null +++ b/parts/modules/darwin/desktop/homebrew.nix 
@@ -0,0 +1,37 @@ +{ + config, + lib, + ... +}: let + cfg = config.desktop.homebrew; + inherit (lib) mkDefault mkEnableOption mkIf; +in { + options.desktop.homebrew.enable = mkEnableOption "enable homebrew support"; + + config = mkIf cfg.enable { + homebrew = { + enable = mkDefault true; + caskArgs.require_sha = true; + onActivation = mkDefault { + autoUpdate = true; + cleanup = "uninstall"; + upgrade = true; + }; + + casks = let + # thanks @nekowinston :p + skipSha = name: { + inherit name; + args = {require_sha = false;}; + }; + noQuarantine = name: { + inherit name; + args = {no_quarantine = true;}; + }; + in [ + "firefox" + (lib.recursiveUpdate (noQuarantine "chromium") (skipSha "chromium")) + ]; + }; + }; +} diff --git a/parts/modules/default.nix b/parts/modules/default.nix new file mode 100644 index 0000000..4b3dddb --- /dev/null +++ b/parts/modules/default.nix @@ -0,0 +1,6 @@ +{ + flake = { + nixosModules.default = import ../modules/nixos; + darwinModules.default = import ../modules/darwin; + }; +} diff --git a/parts/modules/nixos/base/default.nix b/parts/modules/nixos/base/default.nix new file mode 100644 index 0000000..ed0fb23 --- /dev/null +++ b/parts/modules/nixos/base/default.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + ... +}: let + cfg = config.base; + inherit (lib) mkDefault mkEnableOption mkIf; +in { + options.base.enable = mkEnableOption "base nixos module"; + + imports = [ + ../../shared + ./documentation.nix + ./locale.nix + ./network.nix + ./nix.nix + ./packages.nix + ./root.nix + ./security.nix + ./systemd.nix + ./upgrade-diff.nix + ]; + + config = mkIf cfg.enable { + base = { + defaultPackages.enable = mkDefault true; + defaultLocale.enable = mkDefault true; + defaultRoot.enable = mkDefault true; + documentation.enable = mkDefault true; + networking.enable = mkDefault true; + nix-settings.enable = mkDefault true; + }; + }; +} 
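Review bot: The `chromium` cask entry switches off both protections this module otherwise turns on — `require_sha = false` overrides the global `caskArgs.require_sha = true`, and `no_quarantine = true` strips the Gatekeeper quarantine attribute — so that binary is installed with neither checksum verification nor a Gatekeeper check, and `autoUpdate`/`upgrade` on every activation re-fetches it under the same exemption. Presumably the cask ships without a pinned checksum, but the hunk does not say so; add a comment such as `# chromium cask has no fixed sha256 (rolling build); do not copy this pattern for casks that do` next to the `skipSha` call. `no_quarantine` is independent of the checksum problem and only suppresses the first-launch prompt, so drop it unless that prompt is actually the issue.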
diff --git a/parts/modules/nixos/base/documentation.nix b/parts/modules/nixos/base/documentation.nix new file mode 100644 index 0000000..68a194f --- /dev/null +++ b/parts/modules/nixos/base/documentation.nix @@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.base.documentation; + inherit (lib) mkIf; +in { + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [man-pages man-pages-posix]; + documentation = { + man = { + generateCaches = true; + man-db.enable = true; + }; + + dev.enable = true; + }; + }; +} diff --git a/parts/modules/nixos/base/locale.nix b/parts/modules/nixos/base/locale.nix new file mode 100644 index 0000000..7259ef2 --- /dev/null +++ b/parts/modules/nixos/base/locale.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultLocale; + inherit (lib) mkIf; +in { + config = mkIf cfg.enable { + i18n = { + supportedLocales = [ + "en_US.UTF-8/UTF-8" + ]; + + defaultLocale = "en_US.UTF-8"; + }; + }; +} diff --git a/parts/modules/nixos/base/network.nix b/parts/modules/nixos/base/network.nix new file mode 100644 index 0000000..5bc90d1 --- /dev/null +++ b/parts/modules/nixos/base/network.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.networking; + inherit (lib) mkEnableOption mkIf; +in { + options.base.networking.enable = mkEnableOption "networking"; + + config = mkIf cfg.enable { + networking.networkmanager = { + enable = true; + dns = "systemd-resolved"; + }; + services.resolved = { + enable = lib.mkDefault true; + dnssec = "allow-downgrade"; + extraConfig = '' + [Resolve] + DNS=1.1.1.1 1.0.0.1 + DNSOverTLS=yes + ''; + }; + }; +} diff --git a/parts/modules/nixos/base/nix.nix b/parts/modules/nixos/base/nix.nix new file mode 100644 index 0000000..3dcac11 --- /dev/null +++ b/parts/modules/nixos/base/nix.nix 
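Review bot: The upstream resolvers are injected through `extraConfig` as bare addresses (`DNS=1.1.1.1 1.0.0.1`) alongside `DNSOverTLS=yes`; without a `#server_name` suffix systemd-resolved cannot send SNI and validates the certificate only against the IP, and the servers also bypass `networking.nameservers`, so any other module reading that option will not see them. Prefer `networking.nameservers = ["1.1.1.1#cloudflare-dns.com" "1.0.0.1#cloudflare-dns.com"];` and leave `extraConfig` with `DNSOverTLS=yes` alone. `dnssec = "allow-downgrade"` lets a path that strips DNSSEC fall back to unvalidated answers; that may be the intended trade-off for a laptop profile, but it should carry a one-line comment saying so.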
@@ -0,0 +1,24 @@ +{ + config, + lib, + inputs, + ... +}: let + inherit (builtins) attrNames map; + inherit (lib) mkDefault mkIf; + cfg = config.base.nix-settings; + + channelPath = i: "/etc/nix/channels/${i}"; + + mapInputs = fn: map fn (attrNames inputs); +in { + config = mkIf cfg.enable { + nix = { + nixPath = mapInputs (i: "${i}=${channelPath i}"); + gc.dates = mkDefault "weekly"; + }; + + systemd.tmpfiles.rules = + mapInputs (i: "L+ ${channelPath i} - - - - ${inputs.${i}.outPath}"); + }; +} diff --git a/parts/modules/nixos/base/packages.nix b/parts/modules/nixos/base/packages.nix new file mode 100644 index 0000000..7390a40 --- /dev/null +++ b/parts/modules/nixos/base/packages.nix @@ -0,0 +1,15 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultPackages; + inherit (lib) mkIf; +in { + config = mkIf cfg.enable { + programs = { + git.enable = true; + vim.defaultEditor = true; + }; + }; +} diff --git a/parts/modules/nixos/base/root.nix b/parts/modules/nixos/base/root.nix new file mode 100644 index 0000000..ecc5203 --- /dev/null +++ b/parts/modules/nixos/base/root.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultRoot; + inherit (lib) mkDefault mkEnableOption mkIf; + + # yes this is a bad way to detect which option should be used (or exists) + # but i'm lazy. please do not copy this + passwordFile = + if lib.versionAtLeast config.system.stateVersion "23.11" + then "hashedPasswordFile" + else "passwordFile"; +in { + options.base.defaultRoot.enable = mkEnableOption "default root user"; + + config = mkIf cfg.enable { + users.users.root = { + home = mkDefault "/root"; + uid = mkDefault config.ids.uids.root; + group = mkDefault "root"; + "${passwordFile}" = mkDefault config.age.secrets.rootPassword.path; + }; + }; +} diff --git a/parts/modules/nixos/base/security.nix b/parts/modules/nixos/base/security.nix new file mode 100644 index 0000000..e13d1c7 --- /dev/null +++ b/parts/modules/nixos/base/security.nix 
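Review bot: `passwordFile` is selected from `config.system.stateVersion`, but the `passwordFile` → `hashedPasswordFile` rename tracks the nixpkgs revision in use, not the host's state version, so a host with an old `stateVersion` on a current nixpkgs sets the deprecated name and a host that bumped `stateVersion` ahead of its channel hits a missing option; the comment admits this, and the fix is one line: `if lib.versionAtLeast lib.version "23.11"`. Separately, `config.age.secrets.rootPassword.path` is dereferenced whenever `base.defaultRoot.enable` is on — which `base/default.nix` in this commit turns on by default — so any host that does not declare that agenix secret fails evaluation; either guard the assignment on the secret being defined or document above the option that `defaultRoot` requires `server.secrets.enable`.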
@@ -0,0 +1,27 @@ +{ + lib, + pkgs, + ... +}: let + inherit (lib) mkDefault; +in { + security = { + apparmor.enable = mkDefault true; + audit.enable = mkDefault true; + auditd.enable = mkDefault true; + polkit.enable = mkDefault true; + rtkit.enable = mkDefault true; + sudo.execWheelOnly = true; + }; + + services.dbus.apparmor = mkDefault "enabled"; + + users = { + defaultUserShell = pkgs.bash; + mutableUsers = false; + }; + + nix.settings = { + trusted-users = ["root" "@wheel"]; + }; +} diff --git a/parts/modules/nixos/base/systemd.nix b/parts/modules/nixos/base/systemd.nix new file mode 100644 index 0000000..2888c0b --- /dev/null +++ b/parts/modules/nixos/base/systemd.nix @@ -0,0 +1,7 @@ +_: { + services = { + journald.extraConfig = '' + MaxRetentionSec=1w + ''; + }; +} diff --git a/parts/modules/nixos/base/upgrade-diff.nix b/parts/modules/nixos/base/upgrade-diff.nix new file mode 100644 index 0000000..68be9af --- /dev/null +++ b/parts/modules/nixos/base/upgrade-diff.nix @@ -0,0 +1,12 @@ +{ + config, + pkgs, + ... +}: { + system.activationScripts."upgrade-diff" = { + supportsDryActivation = true; + text = '' + ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig" + ''; + }; +} diff --git a/parts/modules/nixos/default.nix b/parts/modules/nixos/default.nix new file mode 100644 index 0000000..3ae2f08 --- /dev/null +++ b/parts/modules/nixos/default.nix @@ -0,0 +1,7 @@ +_: { + imports = [ + ./base + ./desktop + ./hardware + ]; +} diff --git a/parts/modules/nixos/desktop/audio.nix b/parts/modules/nixos/desktop/audio.nix new file mode 100644 index 0000000..c601563 --- /dev/null +++ b/parts/modules/nixos/desktop/audio.nix 
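Review bot: `nix.settings.trusted-users = ["root" "@wheel"]` makes every wheel member root-equivalent through the Nix daemon (a trusted user can add substituters, import unsigned paths and relax sandbox settings), which undercuts the deliberately tight choices in the same file — `sudo.execWheelOnly`, `mutableUsers = false`, AppArmor and auditd. Wheel members can already run `nixos-rebuild` via sudo, so keep `trusted-users = ["root"]` here and grant trust per host, or at least annotate it: `# wheel is daemon-trusted: equivalent to root, intended for single-user workstations only`. `security.audit.enable` without any `security.audit.rules` records very little; a minimal rule such as `security.audit.rules = ["-a exit,always -F arch=b64 -S execve"];` would make auditd worth the cost.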
@@ -0,0 +1,23 @@ +{ + config, + lib, + ... +}: let + cfg = config.desktop.audio; + inherit (lib) mkEnableOption mkIf; +in { + options.desktop.audio.enable = mkEnableOption "audio support"; + + config = mkIf cfg.enable { + services = { + pipewire = { + enable = true; + wireplumber.enable = true; + alsa.enable = true; + jack.enable = true; + pulse.enable = true; + }; + }; + hardware.pulseaudio.enable = false; + }; +} diff --git a/parts/modules/nixos/desktop/budgie/default.nix b/parts/modules/nixos/desktop/budgie/default.nix new file mode 100644 index 0000000..4605eb1 --- /dev/null +++ b/parts/modules/nixos/desktop/budgie/default.nix @@ -0,0 +1,58 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.desktop.budgie; + inherit (lib) mkEnableOption mkIf; +in { + options.desktop.budgie.enable = mkEnableOption "enable budgie"; + + config = mkIf cfg.enable { + desktop.enable = true; + + services.xserver = { + displayManager.lightdm.greeters.slick = { + theme = { + name = "Materia-dark"; + package = pkgs.materia-theme; + }; + iconTheme = { + name = "Papirus-Dark"; + package = pkgs.papirus-icon-theme; + }; + cursorTheme = { + name = "Breeze-gtk"; + package = pkgs.libsForQt5.breeze-gtk; + }; + }; + + desktopManager.budgie = { + enable = true; + extraGSettingsOverrides = '' + [org.gnome.desktop.interface:Budgie] + gtk-theme="Materia-dark" + icon-theme="Papirus-Dark" + cursor-theme="Breeze-gtk" + font-name="Noto Sans 10" + document-font-name="Noto Sans 10" + monospace-font-name="Fira Code 10" + enable-hot-corners=true + ''; + }; + }; + + environment.budgie.excludePackages = with pkgs; [ + qogir-theme + qogir-icon-theme + ]; + + environment.systemPackages = with pkgs; [ + alacritty + breeze-gtk + materia-theme + papirus-icon-theme + ]; + }; +} diff --git a/parts/modules/nixos/desktop/default.nix b/parts/modules/nixos/desktop/default.nix new file mode 100644 index 0000000..f0ab74c --- /dev/null +++ b/parts/modules/nixos/desktop/default.nix 
@@ -0,0 +1,41 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.desktop; + inherit (lib) mkDefault mkEnableOption mkIf; +in { + imports = [ + ./audio.nix + ./budgie + ./fonts.nix + ./gnome + ./plasma + ]; + + options.desktop.enable = mkEnableOption "desktop module"; + + config = mkIf cfg.enable { + base.enable = true; + desktop = { + audio.enable = mkDefault true; + fonts.enable = mkDefault true; + }; + + environment = { + noXlibs = lib.mkForce false; + systemPackages = with pkgs; [wl-clipboard xclip]; + }; + + programs = { + dconf.enable = true; + firefox.enable = true; + xwayland.enable = true; + }; + + services.xserver.enable = true; + xdg.portal.enable = true; + }; +} diff --git a/parts/modules/nixos/desktop/fonts.nix b/parts/modules/nixos/desktop/fonts.nix new file mode 100644 index 0000000..feedf07 --- /dev/null +++ b/parts/modules/nixos/desktop/fonts.nix @@ -0,0 +1,37 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.desktop.fonts; + inherit (lib) mkEnableOption mkIf; +in { + options.desktop.fonts.enable = mkEnableOption "enable default fonts"; + + config = mkIf cfg.enable { + fonts = { + enableDefaultPackages = true; + + packages = with pkgs; [ + corefonts + fira-code + (nerdfonts.override {fonts = ["FiraCode"];}) + noto-fonts + noto-fonts-extra + noto-fonts-emoji + noto-fonts-cjk-sans + ]; + + fontconfig = { + enable = true; + defaultFonts = { + serif = ["Noto Serif"]; + sansSerif = ["Noto Sans"]; + emoji = ["Noto Color Emoji"]; + monospace = ["Fira Code"]; + }; + }; + }; + }; +} diff --git a/parts/modules/nixos/desktop/gnome/default.nix b/parts/modules/nixos/desktop/gnome/default.nix new file mode 100644 index 0000000..bfe3d20 --- /dev/null +++ b/parts/modules/nixos/desktop/gnome/default.nix 
@@ -0,0 +1,38 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.desktop.gnome; + inherit (lib) mkEnableOption mkIf; +in { + options.desktop.gnome.enable = mkEnableOption "enable gnome"; + + config = mkIf cfg.enable { + desktop.enable = true; + + environment = { + gnome.excludePackages = with pkgs; [ + gnome-tour + ]; + + sessionVariables = { + NIXOS_OZONE_WL = "1"; + }; + + systemPackages = with pkgs; [ + adw-gtk3 + blackbox-terminal + ]; + }; + + services.xserver = { + displayManager.gdm = { + enable = true; + wayland = lib.mkForce true; + }; + desktopManager.gnome.enable = true; + }; + }; +} diff --git a/parts/modules/nixos/desktop/plasma/default.nix b/parts/modules/nixos/desktop/plasma/default.nix new file mode 100644 index 0000000..2034802 --- /dev/null +++ b/parts/modules/nixos/desktop/plasma/default.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.desktop.plasma; + inherit (lib) mkEnableOption mkIf; +in { + options.desktop.plasma.enable = mkEnableOption "enable plasma"; + + config = mkIf cfg.enable { + desktop.enable = true; + + environment = { + plasma5.excludePackages = with pkgs.libsForQt5; [ + khelpcenter + plasma-browser-integration + print-manager + ]; + }; + + services.xserver = { + displayManager.sddm.enable = true; + desktopManager.plasma5 = { + enable = true; + useQtScaling = true; + }; + }; + }; +} diff --git a/parts/modules/nixos/features/tailscale.nix b/parts/modules/nixos/features/tailscale.nix new file mode 100644 index 0000000..5a00110 --- /dev/null +++ b/parts/modules/nixos/features/tailscale.nix 
@@ -0,0 +1,67 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + cfg = config.features.tailscale; + inherit (lib) mkDefault mkEnableOption mkIf optionalAttrs; +in { + options.features.tailscale = { + enable = mkEnableOption "enable support for tailscale"; + ssh.enable = mkEnableOption "enable support for tailscale ssh"; + }; + + config = mkIf cfg.enable { + age.secrets = let + baseDir = "${self}/parts/secrets/systems/${config.networking.hostName}"; + in + mkIf cfg.ssh.enable { + tailscaleAuthKey.file = "${baseDir}/tailscaleAuthKey.age"; + }; + + networking.firewall = + { + allowedUDPPorts = [config.services.tailscale.port]; + trustedInterfaces = ["tailscale0"]; + } + // optionalAttrs cfg.ssh.enable { + allowedTCPPorts = [22]; + }; + + services = { + tailscale.enable = mkDefault true; + }; + + # https://tailscale.com/kb/1096/nixos-minecraft/ + systemd.services = mkIf cfg.ssh.enable { + tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + serviceConfig.Type = "oneshot"; + + script = let + inherit (pkgs) tailscale jq; + in '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --ssh \ + --auth-key "file:${config.age.secrets.tailscaleAuthKey.path}" + ''; + }; + }; + }; +} diff --git a/parts/modules/nixos/features/virtualisation.nix b/parts/modules/nixos/features/virtualisation.nix new file mode 100644 index 0000000..206a98e --- /dev/null +++ b/parts/modules/nixos/features/virtualisation.nix 
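Review bot: `allowedTCPPorts = [22]` under `ssh.enable` opens port 22 on every interface, not just the tailnet; as far as I can tell Tailscale SSH is terminated by tailscaled on `tailscale0`, which this hunk already places in `trustedInterfaces`, so the global rule adds nothing for the tailnet and exposes the host's own sshd (if one is running) on its public addresses. Drop it, or scope it with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];`. In the autoconnect script, `if [ $status = "Running" ]` leaves the expansion unquoted, so an empty result from `tailscale status` turns into a `[` syntax error rather than a retry; write `if [ "$status" = "Running" ]; then`.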
@@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.features.virtualisation; + inherit (lib) mkEnableOption mkIf; +in { + options.features.virtualisation.enable = mkEnableOption "enable podman"; + + config.virtualisation = mkIf cfg.enable { + podman = { + enable = true; + enableNvidia = true; + extraPackages = with pkgs; [podman-compose]; + autoPrune.enable = true; + }; + oci-containers.backend = "podman"; + }; +} diff --git a/parts/modules/nixos/hardware/default.nix b/parts/modules/nixos/hardware/default.nix new file mode 100644 index 0000000..1217b5a --- /dev/null +++ b/parts/modules/nixos/hardware/default.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: let + cfg = config.hardware; + inherit (lib) mkEnableOption mkIf; +in { + options.hardware.enable = mkEnableOption "hardware module"; + + imports = [ + ./ssd.nix + ./nvidia.nix + ]; + + config = mkIf cfg.enable { + hardware.enableAllFirmware = true; + }; +} diff --git a/parts/modules/nixos/hardware/nvidia.nix b/parts/modules/nixos/hardware/nvidia.nix new file mode 100644 index 0000000..dd371f2 --- /dev/null +++ b/parts/modules/nixos/hardware/nvidia.nix @@ -0,0 +1,36 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.hardware.nvidia; + inherit (lib) mkEnableOption mkIf; +in { + options.hardware.nvidia.enable = mkEnableOption "enable nvidia support"; + + config = mkIf cfg.enable { + environment.sessionVariables = { + LIBVA_DRIVER_NAME = "vdpau"; + VDPAU_DRIVER = "nvidia"; + }; + + hardware = { + enable = true; + + nvidia = { + package = config.boot.kernelPackages.nvidiaPackages.stable; + modesetting.enable = true; + }; + + opengl = { + enable = true; + # make steam work + driSupport32Bit = true; + extraPackages = [pkgs.vaapiVdpau]; + }; + }; + + services.xserver.videoDrivers = ["nvidia"]; + }; +} diff --git a/parts/modules/nixos/hardware/ssd.nix b/parts/modules/nixos/hardware/ssd.nix new file mode 100644 index 0000000..2995d93 --- /dev/null +++ b/parts/modules/nixos/hardware/ssd.nix 
@@ -0,0 +1,15 @@ +{ + config, + lib, + ... +}: let + cfg = config.hardware.ssd; + inherit (lib) mkEnableOption mkIf; +in { + options.hardware.ssd.enable = mkEnableOption "ssd settings"; + + config = mkIf cfg.enable { + hardware.enable = true; + services.fstrim.enable = true; + }; +} diff --git a/parts/modules/nixos/server/acme.nix b/parts/modules/nixos/server/acme.nix new file mode 100644 index 0000000..69e02ac --- /dev/null +++ b/parts/modules/nixos/server/acme.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + self, + ... +}: let + cfg = config.server.acme; + inherit (lib) mkEnableOption mkIf; +in { + options.server.acme = { + enable = mkEnableOption "acme"; + }; + + config = mkIf cfg.enable { + age.secrets.cloudflareApiKey.file = "${self}/parts/secrets/systems/${config.networking.hostName}/cloudflareApiKey.age"; + + security.acme = { + acceptTerms = true; + defaults = { + email = "[email protected]"; + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.cloudflareApiKey.path; + }; + }; + }; +} diff --git a/parts/modules/nixos/server/default.nix b/parts/modules/nixos/server/default.nix new file mode 100644 index 0000000..acab4fc --- /dev/null +++ b/parts/modules/nixos/server/default.nix 
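Review bot: The secret behind `security.acme.defaults.credentialsFile` is named `cloudflareApiKey`, which suggests the account-wide Global API Key; lego also accepts a scoped token (`CF_DNS_API_TOKEN=…` limited to Zone:DNS:Edit on the zones involved), and on an internet-facing host a token is the right thing to store since compromise of the file then costs DNS edits on those zones rather than the whole account. I cannot tell from the encrypted blob which it is; add a comment above the `age.secrets.cloudflareApiKey` line stating the expected variable and scope, e.g. `# contents: CF_DNS_API_TOKEN=<token scoped to Zone:DNS:Edit>`, so the next rotation does not silently widen it.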
@@ -0,0 +1,47 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: let + cfg = config.server; + inherit (lib) mkDefault mkEnableOption mkIf; +in { + options.server.enable = mkEnableOption "enable server configuration"; + + imports = [ + ./acme.nix + ./secrets.nix + ./services + ]; + + config = mkIf cfg.enable { + _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system}; + + base = { + enable = true; + documentation.enable = false; + defaultPackages.enable = false; + networking.enable = false; + }; + + nix = { + gc = { + dates = "*-*-1,5,9,13,17,21,25,29 00:00:00"; + options = "-d --delete-older-than 2d"; + }; + + settings.allowed-users = [config.networking.hostName]; + }; + + programs = { + git.enable = mkDefault true; + vim.defaultEditor = mkDefault true; + }; + + security = { + pam.enableSSHAgentAuth = mkDefault true; + }; + }; +} diff --git a/parts/modules/nixos/server/secrets.nix b/parts/modules/nixos/server/secrets.nix new file mode 100644 index 0000000..2dc6083 --- /dev/null +++ b/parts/modules/nixos/server/secrets.nix @@ -0,0 +1,25 @@ +{ + config, + lib, + self, + ... +}: let + cfg = config.server.secrets; + inherit (lib) mkEnableOption mkIf; +in { + options.server.secrets = { + enable = mkEnableOption "enable secret management"; + }; + + config.age = let + baseDir = "${self}/parts/secrets/systems/${config.networking.hostName}"; + in + mkIf cfg.enable { + identityPaths = ["/etc/age/key"]; + + secrets = { + rootPassword.file = "${baseDir}/rootPassword.age"; + userPassword.file = "${baseDir}/userPassword.age"; + }; + }; +} diff --git a/parts/modules/nixos/server/services/cloudflared.nix b/parts/modules/nixos/server/services/cloudflared.nix new file mode 100644 index 0000000..2bf7907 --- /dev/null +++ b/parts/modules/nixos/server/services/cloudflared.nix 
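Review bot: `nix.settings.allowed-users = [config.networking.hostName]` restricts daemon access to an account literally named after the host, and because trusted users are always admitted the effective list becomes root, `@wheel` (from `base/security.nix` in this commit) and that account; if a per-host service user is the convention, say so: `# the host's service account is named after the machine; wheel/root are admitted via trusted-users`. `security.pam.enableSSHAgentAuth = mkDefault true` authenticates sudo with whatever key is in a forwarded agent, which is convenient but means anyone who can reach the forwarded socket on the server can use it; a comment noting that agent forwarding to these hosts is expected, and where the authorized keys for pam are kept, would make the trade-off explicit.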
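Review bot: `age.identityPaths = ["/etc/age/key"]` is only set under `mkIf cfg.enable`, yet `acme.nix`, `cloudflared.nix`, `hercules.nix` and `tailscale.nix` in this commit each declare `age.secrets` on their own, so a host enabling one of them without `server.secrets.enable` decrypts with agenix's default identities (the host SSH keys) — presumably not the recipients in `parts/secrets/secrets.nix` — and the mismatch only shows up as a decryption failure at activation. Either move `identityPaths` out of the `mkIf` (it is harmless when no secrets are defined) or add an assertion that `config.age.secrets` is empty unless `cfg.enable`. A comment stating how `/etc/age/key` is provisioned and that it must remain root-only (0400) would also help whoever bootstraps the next host.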
@@ -0,0 +1,41 @@ +{ + config, + lib, + self, + ... +}: let + cfg = config.server.services.cloudflared; + inherit (lib) mkEnableOption mkIf; +in { + options.server.services.cloudflared = { + enable = mkEnableOption "cloudflared"; + }; + + config = mkIf cfg.enable { + age.secrets.cloudflaredCreds = { + file = "${self}/parts/secrets/systems/${config.networking.hostName}/cloudflaredCreds.age"; + mode = "400"; + owner = "cloudflared"; + group = "cloudflared"; + }; + + services.cloudflared = { + enable = true; + tunnels = { + "${config.networking.hostName}-nginx" = { + default = "http_status:404"; + + ingress = let + inherit (config.services) nginx; + in + lib.genAttrs + (builtins.attrNames nginx.virtualHosts) + (_: {service = "http://localhost:${builtins.toString nginx.defaultHTTPListenPort}";}); + + originRequest.noTLSVerify = true; + credentialsFile = config.age.secrets.cloudflaredCreds.path; + }; + }; + }; + }; +} diff --git a/parts/modules/nixos/server/services/default.nix b/parts/modules/nixos/server/services/default.nix new file mode 100644 index 0000000..23f2542 --- /dev/null +++ b/parts/modules/nixos/server/services/default.nix @@ -0,0 +1,7 @@ +_: { + imports = [ + ./cloudflared.nix + ./hercules.nix + ./promtail.nix + ]; +} diff --git a/parts/modules/nixos/server/services/hercules.nix b/parts/modules/nixos/server/services/hercules.nix new file mode 100644 index 0000000..b11a133 --- /dev/null +++ b/parts/modules/nixos/server/services/hercules.nix 
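Review bot: `originRequest.noTLSVerify = true` is set tunnel-wide while every ingress rule generated from `nginx.virtualHosts` points at `http://localhost:${defaultHTTPListenPort}`, so today it verifies nothing and only serves to silently disable certificate checking for any future rule that targets an `https://` origin. Remove it, or attach it to the one rule that needs it via that rule's own `originRequest`. Because all hostnames collapse onto a single plain-HTTP port, routing depends entirely on nginx's `Host` matching; `default = "http_status:404"` handles unknown names on the tunnel side, but a comment noting that nginx must not carry a catch-all default vhost (or it would answer for every tunneled name) saves the next reader a trip.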
@@ -0,0 +1,57 @@ +{ + config, + lib, + self, + unstable, + ... +}: let + cfg = config.server.services.hercules-ci; + inherit (lib) mkEnableOption mkIf; +in { + options.server.services.hercules-ci = { + enable = mkEnableOption "enable hercules-ci"; + secrets.enable = mkEnableOption "manage secrets for hercules-ci"; + }; + + config = mkIf cfg.enable { + age.secrets = let + baseDir = "${self}/parts/secrets/systems/${config.networking.hostName}"; + hercArgs = { + mode = "400"; + owner = "hercules-ci-agent"; + group = "hercules-ci-agent"; + }; + in + mkIf cfg.secrets.enable { + binaryCache = + { + file = "${baseDir}/binaryCache.age"; + } + // hercArgs; + + clusterToken = + { + file = "${baseDir}/clusterToken.age"; + } + // hercArgs; + + secretsJson = + { + file = "${baseDir}/secretsJson.age"; + } + // hercArgs; + }; + + services = { + hercules-ci-agent = { + enable = true; + package = unstable.hercules-ci-agent; + settings = { + binaryCachesPath = config.age.secrets.binaryCache.path; + clusterJoinTokenPath = config.age.secrets.clusterToken.path; + secretsJsonPath = config.age.secrets.secretsJson.path; + }; + }; + }; + }; +} diff --git a/parts/modules/nixos/server/services/promtail.nix b/parts/modules/nixos/server/services/promtail.nix new file mode 100644 index 0000000..63faf15 --- /dev/null +++ b/parts/modules/nixos/server/services/promtail.nix 
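Review bot: `settings.binaryCachesPath`, `clusterJoinTokenPath` and `secretsJsonPath` dereference `config.age.secrets.binaryCache.path` and its siblings unconditionally under `cfg.enable`, but those secrets exist only under `mkIf cfg.secrets.enable`, so `hercules-ci.enable = true` with `secrets.enable = false` fails evaluation on a missing attribute instead of letting the operator supply the paths another way. Either wrap the three path lines in `mkIf cfg.secrets.enable { … }` or drop the separate `secrets.enable` toggle and document that agenix is the only supported source. The 0400, owner-only mode on the three files is right; a `# NOTE` that the cluster join token enrolls agents that then receive `secretsJson` would make clear why it is handled like a credential rather than a config value.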
@@ -0,0 +1,47 @@ +{ + config, + lib, + ... +}: let + cfg = config.server.services.promtail; + inherit (lib) mkEnableOption mkIf mkOption types; +in { + options.server.services.promtail = { + enable = mkEnableOption "enable promtail"; + + clients = mkOption { + type = types.listOf types.attrs; + default = [{}]; + description = "clients for promtail"; + }; + }; + + config.services.promtail = mkIf cfg.enable { + enable = true; + configuration = { + inherit (cfg) clients; + server.disable = true; + + scrape_configs = [ + { + job_name = "journal"; + + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "${config.networking.hostName}"; + }; + }; + + relabel_configs = [ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; + }; + }; +} diff --git a/parts/modules/shared/base/default.nix b/parts/modules/shared/base/default.nix new file mode 100644 index 0000000..e18de58 --- /dev/null +++ b/parts/modules/shared/base/default.nix @@ -0,0 +1,8 @@ +_: { + imports = [ + ./documentation.nix + ./locale.nix + ./nix.nix + ./packages.nix + ]; +} diff --git a/parts/modules/shared/base/documentation.nix b/parts/modules/shared/base/documentation.nix new file mode 100644 index 0000000..ecc5813 --- /dev/null +++ b/parts/modules/shared/base/documentation.nix @@ -0,0 +1,14 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.documentation; + inherit (lib) mkEnableOption mkIf; +in { + options.base.documentation.enable = mkEnableOption "base module documentation"; + + config = mkIf cfg.enable { + documentation.man.enable = true; + }; +} diff --git a/parts/modules/shared/base/locale.nix b/parts/modules/shared/base/locale.nix new file mode 100644 index 0000000..ecae786 --- /dev/null +++ b/parts/modules/shared/base/locale.nix 
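Review bot: `clients` is `types.listOf types.attrs` and is copied verbatim into `services.promtail.configuration`, which becomes a world-readable file in `/nix/store`; anything placed there to reach Loki — `basic_auth.password`, a bearer token under `headers` — is readable by every local account. The option description should say so (`description = "promtail clients; must not contain credentials — use \${VAR} references with expand-env"`), and the module can pass `extraFlags = ["-config.expand-env=true"]` with a systemd `EnvironmentFile` pointing at an agenix secret so the password stays out of the store. The `default = [{}]` is also not a valid client (no `url`), so promtail refuses to start until the host overrides it; `default = []` with the description marking it required is clearer.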
@@ -0,0 +1,14 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultLocale; + inherit (lib) mkEnableOption mkIf; +in { + options.base.defaultLocale.enable = mkEnableOption "default locale"; + + config = mkIf cfg.enable { + time.timeZone = "America/New_York"; + }; +} diff --git a/parts/modules/shared/base/nix.nix b/parts/modules/shared/base/nix.nix new file mode 100644 index 0000000..2c95933 --- /dev/null +++ b/parts/modules/shared/base/nix.nix @@ -0,0 +1,42 @@ +{ + config, + inputs, + lib, + pkgs, + ... +}: let + cfg = config.base.nix-settings; + inherit (lib) mkDefault mkEnableOption mkIf; + inherit (pkgs.stdenv) isLinux; +in { + options.base.nix-settings.enable = mkEnableOption "base nix settings"; + + config = mkIf cfg.enable { + nix = { + registry = + { + n.flake = mkDefault inputs.nixpkgs; + } + // (builtins.mapAttrs (_: flake: {inherit flake;}) + (inputs.nixpkgs.lib.filterAttrs (n: _: n != "nixpkgs") inputs)); + + settings = { + auto-optimise-store = isLinux; + experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"]; + + trusted-substituters = ["https://cache.garnix.io"]; + trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="]; + }; + + gc = { + automatic = mkDefault true; + options = mkDefault "--delete-older-than 7d"; + }; + }; + + nixpkgs = { + overlays = with inputs; [nur.overlay getchoo.overlays.default self.overlays.default]; + config.allowUnfree = true; + }; + }; +} diff --git a/parts/modules/shared/base/packages.nix b/parts/modules/shared/base/packages.nix new file mode 100644 index 0000000..38cd6e7 --- /dev/null +++ b/parts/modules/shared/base/packages.nix 
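Review bot: `trusted-public-keys = ["cache.garnix.io:…"]` teaches every host built from this shared module to accept any store path signed by garnix, which is a fleet-wide supply-chain trust decision rather than a convenience, and `trusted-substituters` (unlike `substituters`) only permits that cache for unprivileged users without enabling it — moot on the NixOS side, where `base/security.nix` already makes `@wheel` trusted. Record the intent next to the key, e.g. `# garnix signs our own CI builds; key trusted fleet-wide, cache opt-in per invocation`, and consider limiting the key to hosts that actually consume garnix output. `nixpkgs.config.allowUnfree = true` and the NUR overlay are likewise global defaults that deserve a line each explaining why they belong in the base profile.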
@@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.base.defaultPackages; + inherit (lib) mkEnableOption mkIf; +in { + options.base.defaultPackages.enable = mkEnableOption "base module default packages"; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + python311 + ]; + + programs = { + gnupg.agent.enable = true; + }; + }; +} diff --git a/parts/modules/shared/default.nix b/parts/modules/shared/default.nix new file mode 100644 index 0000000..0199860 --- /dev/null +++ b/parts/modules/shared/default.nix @@ -0,0 +1,5 @@ +_: { + imports = [ + ./base + ]; +} diff --git a/parts/secrets/secrets.nix b/parts/secrets/secrets.nix new file mode 100644 index 0000000..7ebc07a --- /dev/null +++ b/parts/secrets/secrets.nix @@ -0,0 +1,17 @@ +let + main = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix" + ]; + + atlas = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA861lnShM2ejpzn9arzhpw33I4XdtULfZWhMp/plvL root@atlas"] ++ main; +in { + "shared/rootPassword.age".publicKeys = main; + "shared/sethPassword.age".publicKeys = main; + + "systems/atlas/rootPassword.age".publicKeys = atlas; + "systems/atlas/userPassword.age".publicKeys = atlas; + "systems/atlas/miniflux.age".publicKeys = atlas; + "systems/atlas/tailscaleAuthKey.age".publicKeys = atlas; + "systems/atlas/cloudflaredCreds.age".publicKeys = atlas; + "systems/atlas/cloudflareApiKey.age".publicKeys = atlas; +} diff --git a/parts/secrets/shared/rootPassword.age b/parts/secrets/shared/rootPassword.age new file mode 100644 index 0000000..3770a2d --- /dev/null +++ b/parts/secrets/shared/rootPassword.age 
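Review bot: The rule set omits `systems/atlas/binaryCache.age`, `clusterToken.age` and `secretsJson.age`, although `hercules.nix` in this same commit reads all three and `binaryCache.age` is added right after this file; `agenix -e`/`-r` work from these rules, so those secrets cannot be edited or rekeyed through the tool and their recipient set is whatever was used when they were first encrypted. Add `"systems/atlas/binaryCache.age".publicKeys = atlas;` and the two siblings. Conversely `systems/atlas/miniflux.age` is listed but nothing in this diff consumes it; if the consumer lives outside `parts/`, a short comment saying so keeps it from being read as dead.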
@@ -0,0 +1,10 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSAxWmJN +N2JKK3RvdE00MFVqOExvc0I0M05BM1NvclQ0YkdKelBhb0g0c3hnCjVEMUZ5OWI2 +d2FoeXJlREJGM29GdFJHNlpEVGMvTldkT0pyQ2trS1VBTDQKLT4gZS1ncmVhc2Ug +MngodlYgKlczXkptUiBEQF85NAozLzQzZlVZMEpsUzdjY0JwdTFXczMyMEI2ODd2 +MjVVCi0tLSArTDBuNkF3UU5kK2doelhxcFhQUDJvekJxRVhLbkttYUk1OHJBS1JR +QVc4CpYqifbaJyErbpJ9zw2M8T/nSfVM1vL/bXU0/CuSP7LwIsrrHkghuR6JyS3p +POwDVg6hmNrGf//VJILqm4TKqrshWbQk99poXbEmr1hoGMZovXHYl+FkwZfVr6DW +OABQJfFnrR4ZusvM7O0zdkkcxMtEi+iEVJeIf0jQEkKJQ4gTM2DcjGAeU1G/c2U= +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/shared/sethPassword.age b/parts/secrets/shared/sethPassword.age new file mode 100644 index 0000000..4015d60 --- /dev/null +++ b/parts/secrets/shared/sethPassword.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSByV01G +VW5QVjkrRm1NaGVpdU9FcGJRMlVuUG5WRHpoOWhFNExXUzRCbUJNCjRJMmZCSzEw +S3BvSEdMemRkamUrcXoyckFqVTN0N2FuYytvUDdNN2p1QkkKLT4gTHhOOnIpLWdy +ZWFzZSBDLD9jPSogSSNjPDNhIWcgYCBWZi8KSk5TOXZmL1RnVXI4aTM0N1NIb29Y +bHdxNXZJWGVhOUtIanAzYlcyZTJFS3hJZ2ZtUVkyNnc3RXNxczNZeERjYQo0Y0Ju +NFhyQzhYWHFSYnlhUjExT1gwawotLS0gQ0hJWDRQTzZRMVNXOFhYQWpnZ0hoQVdv +b2VieUVTTm92SVJVOUplbVVkQQp39CqRv/NPvkJXqme6PWfaRUbcMUky+LolZe5G +DJ2Dy0++hyV3xBJbrfJUJPzdRrKuZ8o0UFwss1RuqVWjwLYmiwb9OafddpCMwuOw +BfuGB7HykaOYrgbgvmJuaZNUrM1wKnQXTZAzqB+TjI7MHWRyFgRkD4NuD2BWpxY9 +y+JxjbEa0MZF5W/CsTQM +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/binaryCache.age b/parts/secrets/systems/atlas/binaryCache.age new file mode 100644 index 0000000..4a5a4b8 --- /dev/null +++ b/parts/secrets/systems/atlas/binaryCache.age 
@@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBDNXhv +cU1uLzVidkVaVHZRNHhHaTdWUjNQYzRNcnloTVkvdjJSWSsxb1VvCnRaanRnUktI +S0tGT2JzS2toY0lHMEhzZ0ZOdG1OUFNCMTVZSzV0b3VaK2MKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIHdyNlczYkpHdS81T0dGWGc5a3FlY2FWN1hCSTBoSis5eGhkRjZy +SjAvaVUKTUZDVWNqQ1pOMHNSUWZMRkNXK2FjZ0JiSEt1YzRLQTRmVVQzaWx1MitE +TQotPiBbNGBUYEUtZ3JlYXNlCm1rOFJiUmZJa3NkbHU2Wk93b3E0TFZqSlJJVTlB +UTMxSzZxT0pnCi0tLSBPY00rbXphVXFWN2R2NWJJeE9Wa3ZVMkd6WFVsNk5sTjQ0 +K3RnK0xXVkFRCg1GCPUODHhK0qOcFXAa25ya2VcUhpvaCkU5bwVgHd42wKSAxqjW +adE7bXyoo94kpY7lPehG8t1ucQxZDqfz8fqBw/Qe/TncGUKbXrwnpjnkC7wENv7Y +BwAmSB47esamvlsmIvXKX9p8ccJhyUrEPL/olrs698NiokoeF8ceN524K9Ik1Cjq +4CAS7H1fZ04Bd0uhjNkLdiKMf2tzoSicjVIU0Nv1uTtCW3hlOT82gqAPsYRouSW8 +SffI9irxkqwUkIMAMLdG3VAdgdcgNfgVSmw1IUQ2Xf9hgU5VyUX9PTZ2H+yag02W +fjDkSHcjYxjMrWspQC/4dW3RknxJoIsRwXMzI1obQ5MnWgowR1hj/0CxQdPbXqE/ +dhHS+NdzjjTs8Eyp7IMXUkGxobObJCFy6Tb1Rt9ahcdZ4hPmDRT8s9E12P7GPZEq +hvDtf5X7wPxHig3GWDNuq9jXV39G2uk= +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/cloudflareApiKey.age b/parts/secrets/systems/atlas/cloudflareApiKey.age new file mode 100644 index 0000000..e26a8a1 --- /dev/null +++ b/parts/secrets/systems/atlas/cloudflareApiKey.age 
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBNaW5V +NEx0dU5xSTBNUWFBMWxQcHc2NkJ0cU5rMHIrK0FaS05wOEZaWVJFClBLZGo1em5N +OGdrT0NISDhaaFp5bmlrRkxpVnlkMWEwbEpQR0ljQnVFaWMKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIGxtZDhnWGw2UUlRNmlibWZJdm5qeDN4bys2Z3ZTQWUyZmNwOE5k +Ny8yZ00KQXlhc2tBTCtTeXN3Zk1IZWhWMEM4dTBtQ2cydURlR2dzVlNJc1N4STQz +VQotPiBzc2gtZWQyNTUxOSBqN0xJVUEgOXRvQytHZEp1cThYc2ExV2NSdDVzUXA0 +bGdRMENWVGwvWkdWRDNuNWtSbwpxaGNBZEx2Z3JkYTFxT3pNbXd6aHNPdlRiUTNS +RFB1T2RiWlVkZUFjRWhBCi0+IDdsLWdyZWFzZSA9Z1csZFcxbApyazRscUFIR1JX +aFNaV1hCUHU4VzZyNWFha2NRWFMzWXdpbUYxWEpodFNsNWQwOWxGaVpGUVZHemls +bjQxNEU0CllSamI0RmdNOU9qVkdCYXZ2T0VCWCsrakpwcwotLS0gMlkrMGI1Z0dp +dXl4eUd5eUNVZTFzckNTNVIzdXYvS0NoM0FObC83TG1QRQpUVcyYhenxo5+EvEfx +RlnURdpStJwr2Uf9PowvV8Kz8OXCf222/jFm1MSr2c5HY04sTJuIrY8jyShKGkZb +gX/rktW7xQMlJu6NDObyJFHnHTSbTrNhl6XtyjQeRw== +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/cloudflaredCreds.age b/parts/secrets/systems/atlas/cloudflaredCreds.age new file mode 100644 index 0000000..800dd96 --- /dev/null +++ b/parts/secrets/systems/atlas/cloudflaredCreds.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBudzFm +MmhMR1IzT2FiK2xKRVl5SG5vS1dSbDlieVIzek44bFg0WE9TZXdRCkdWdE9OS0JQ +TU5HVU9rWlBTRlNCQ2NFTzlsbWJ1ZzVCYjVXN2NDU1NTTDgKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIDNyNDBNYkV3bEpWN2RkTXplaXEzSlhpc2hIeGJZYXhPWldRN3B2 +MVJBaUUKYS9ua1M2R0FNalRqNXdGVGVQbkxldktyZjl2MW1XWjNDMEVvS2lYQWhi +cwotPiAvU3U7PS1ncmVhc2UgQVxeJFBKdiBRMisjRwoKLS0tIHRCSjJCaFY4U0Mw +dGJTdVV3d0ZBRDdxV2VyWVdkUWd2c0tGQ1oxYi9scjAKzIRCDNZ+82I9EsLCN6Sd +uNvQIyga1EyjqF0SOWeXKe81TldrkoCvOiQaYSNK2JSwtDlM6uL0KZzWOOlUE1lV +Z9BwyDC/QhPWd2hAv/YQS+nRsgyUy8bFbLv8/tohB5ukEHqoHIUEMb9s+kIAJmtF +QhQSNBXyqhzQ8BNQnqSFmLrAKl1IsJ4VuEYODsC0fNobinYygGji624yuZRd3YeV +9UxvJPMoNLcBtsFuP49Cj/0wrVSoak7BhBUfkRwCsDcqfT8= +-----END AGE ENCRYPTED FILE----- 
diff --git a/parts/secrets/systems/atlas/clusterToken.age b/parts/secrets/systems/atlas/clusterToken.age new file mode 100644 index 0000000..5ca3074 --- /dev/null +++ b/parts/secrets/systems/atlas/clusterToken.age @@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSB6cnhF +UXZIbjBpdVBjcEROaEhhV2QyNWw4NUlzU3dnWXRwdE5HZjM0cDJJCkNheUoyVDdK +MUJaVDQ0d2RxYVU0VWlKZFdLa1ZzSFRFREFieVVXNlJVelEKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIDBJODBiS0wxTG52ZGFuTkF5WVJrbksrd2psT1lpcUxXekFoTzN6 +dW1RQmsKcDd6aFI4Z1Q0RUJLVjZWUkJmNG1WMUw2VWI4cWprM0MwUzhUeUsxWUt0 +TQotPiBqdCxGaCktZ3JlYXNlIHZja1ciNSB+PCghWiAvYVZnVWYgJApaT2s2czIr +a2xWV0h5T1ZVbDN1WTVRQ2JRVkN3bndRVzZweGJWcXI2SlRYYVRyTTRmOWVGK2lz +dW13ajRkNGgxCmxqZWxtdXZ6eEZId1RaZmZhL3B0QlFXRVh3UFcKLS0tIG5hR1Z2 +ZmZ5SlQ2WitscEdDRVpIMWg2UDNHdHltbnpUQ2RJejd2SEdOczgKB977ot8kAYxY +bVCk5eXqXXYRLiF8ynnVXlRKEXdOUBxreT6rISllcW+tZahAu67beZCJopqAMcLH +MREJloCuNnGPR1dTJDDd76ecOiFVpMdh6+zIF+juZ64LYjZN9CtnJlMlAk6CBniq +lDSiQTA0pyrZa3V+zFXYaqJRHhmMq9pn06mXIJV9IOV5Fy60VU1VXAW04lQxlC7+ +yQK+c+jPg2+cYqs7LCYP7UgDDzMXQ940DISwfj403ijEv96Fgp2+6Z/zLdh5pCOH +0xuV67ptxAk41mNEdXSMf7iW55ogkzDUVBQLVad2kOJKoSMLkaX/BhlvgrC74m8Q ++Icm7ol5b4lQuCLVFyurbCrVTA== +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/miniflux.age b/parts/secrets/systems/atlas/miniflux.age new file mode 100644 index 0000000..0be7920 --- /dev/null +++ b/parts/secrets/systems/atlas/miniflux.age 
@@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBhUmhV +Y3JIQ01RL1ZZNXczVGJuckxnSndGbVZIVTE2bWNGZUtHdTdmSVJBCjNMTmxsSHhQ +Z2Q2Qm5PMGxsSDZrY3J3R0VMUlYvRlYrNzV1Z0RMTHFoTjQKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIFpZNzRVbXVOemtFZU1pY1c5eUdYV0x5MUl0QmhwbElXSEtNMFhp +SXFCSDAKTkRvZ1lPVXozSkJZNDh0MkNsRCtSTmpCL3hEbXdPdjVhRVJJVVU4UTYx +SQotPiBKckFyUXQtZ3JlYXNlCi9sY3JUbkxCQ2c4aHlNVDFjcUQ4dGIvSTZET1ZK +QXJuYkJMem5zdy9OSkkKLS0tIGh6K3FxZTk0OW4wdDU3NFord0YwS0dDV0w4dGVH +REhMbyt3anRDQXBGeW8KVThL4z//n7UsTYkdD4Cpc3jVcaMJfBdir0ion0adIb3y +dhwVt6c88nXBrPe0a0esfq4Y8wwzq8cS916fSbkzChjTW7pI3DTFzZXJs/o7VIJA +aYLrEC8jWg== +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/rootPassword.age b/parts/secrets/systems/atlas/rootPassword.age new file mode 100644 index 0000000..9609bfa --- /dev/null +++ b/parts/secrets/systems/atlas/rootPassword.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBpTEdi +ZlBDdkUraVhiZmVUVjBzNDRlc056cisvbzNVeFRPQkRJb1Z2VXhVCjBmU1JCbEds +RmhRc1kvK2dXS2RRZWFKRkRMaWttS2l3ZWF2ZkJsSUZJcGMKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIGdGVHRlMGlGSzJxcXpDNnhTYzJUb01MU29HMkI3ZGdrU01OTkEz +S1RQVWsKMDVFQVUwWERDMGhKTnROdzVWZXRhR0tvdUU5TWh1Y21HUnZvWlNxcy9K +awotPiB0LWdyZWFzZSAwCjNxYlFKa29HcG85SzdFeXBZNUszeVdCVHVVYjh5UlF6 +dkRRZ3pBbXpXQVhLY2NGdXNWdnpNT2Jsblg2em13b0wKCi0tLSBxSUtkQ25WRFlW +NElUdVpnZTE4Q0VtMkhQNTJ2NEFGZWxNejgwM1Fvb2lNCuWdXCjQizC+xKTjhHvz +oFrtSCdddtStKjVO3yGgbgPfW85j0JDnCqrJcNX4ebnNED46OqmySItFVnxiCfAd +/ekLNrB8PDY16vRK8SsZ15GinEcTsrdlbHCJ5rnLi4II+idUcAeI3E/Uo2sP8gRa +kwNTM0Rt5tAeT3sMGB6ASFdgLT2eGhUWR6vkgMc= +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/secretsJson.age b/parts/secrets/systems/atlas/secretsJson.age new file mode 100644 index 0000000..c5fdf34 --- /dev/null +++ b/parts/secrets/systems/atlas/secretsJson.age 
@@ -0,0 +1,19 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBIV2sy +ZitMaDRrOXBxYUlJZXVSbEpMSmpPUUV4STZqcExzaTJ2TGdxZTJBCmU3b3hFSHRp +VU83M1QzRGZsdmtJOUtvQ0F4cjltTWRJSzlUYVl2VDdVU3cKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIHlPYVRwa0p1Q1o0WDZBa015RExjZk9iMXVLU1FZOHorT3haZFVU +TmNhVHMKRkJlbDAyU1IwbHduVFI1UHZqUDlIaGhhclFBbTIyOFZlM0x2SEx4Z29k +dwotPiA+YnphLWdyZWFzZQpkUlUwSVhkbkJ5S2ZvYjZDQk1yK3JLeC9YVVgvdnJX +YlVJWGVUZnVlNGxuQU9VVTZCNk10aEtGVUhjV1Mwd08zCi9xTmdNeGEvUVF0Q2hR +bFZwVzYvdkVqOXRCTEFvNGMvNzdnQmZhZ20xVXdnU1VpWmQ3Y2N0Yk1DY0MraVdB +Ci0tLSAwNTgyZERKUUk2MXFDOXhrT1drUmZhdHR5aTVBK0tpanFSTFJRYTN2WDhR +Cs/4/jHb8Op00lKo2IlJqQ3dSOlV3obyoeR6YBJoh9djxIR1LpZ3qSGuwB2l7Xqk +uBKGT+XT3hG+x/KhfFiHWyG3lMSI2xjqj7wfAlDDNMClnC298yDh4VoFoLxDkX9D +Mp/qnLiqLpFPZfJEIiFNa21yFIyVy191AwDXtzh8SLfj2jd7z+RW2YnH5L7wNeBU +2gMkI9QJ6BSw7yvMWO8TNvegGdBB4BajC8/CB5aX4m4YArhztfjP+2yD603WPVt4 +PZG3BiUqc+6tpWCqGFISl7fHY5d2onbJNHqqNBuwcKb/MtB+HOh0xhbg1gMCAi9R +zzA1dKvToSZy79hFzXfs0MruOOqNWBUaeis2e3BREDCglbfwPLoRQnXFdye1TUMr +aH9RrHDH2KCcwtwG52dIgrJIAE+Ij00VCbdYU5D8cswdngkYB8beAQWFX/NPLQlQ +i8spKTNdGoz7s2SZrfxw+2JIvbBY +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/tailscaleAuthKey.age b/parts/secrets/systems/atlas/tailscaleAuthKey.age new file mode 100644 index 0000000..45758a1 --- /dev/null +++ b/parts/secrets/systems/atlas/tailscaleAuthKey.age 
@@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBBWS9z +b2dJcFFKRnl0TThXNnNDV1Z3VGlyN0pkNEE4UnN2TUZjNUdxclQ0CnUvQnNCalVx +SjZJMmRCWFZISGdkRUNyTVV1Vy93dlIvY29IWm1UQmh6Z3MKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIDJBa3A5Qm1CRk1OVUJ4TFNJM0NXZW5ZT3Y4UXk2ZFJkSFhPd0JS +WVp4M2MKdFNJT3RIc3Z5MGFWWjRRYUVPdWc3dFVBR2hxSVNjQk5uc0pzeVBETnZ2 +bwotPiB4b0ViTkRRLWdyZWFzZQpBNHZXT3d2SXNkaXYrMElQc1NYMTRKNlVzRERE +OUtiTExHV1gzR3M0d0RHdU11NlZ6TkNUOEZ6Wk1FNlZuQ1o5CkF0WEI5RFJoUWNO +WWdQTG5lS21leHQ2TFY2aGx2N1lueWQrejZHVTdkMWtRT0pGOW9KOG1XdkxyY0FC +MAotLS0ga1FxNUdOWDNyaDFCSGI4WnNLNFB0QWtHMnhqK1JZRW9oUHRIN2VEYlo4 +NApZf2bwx5T8g+SRGKIelmVfUYx6kVu+BGMA/OKTKZmmZER1f4GfGm9ummZu9hnf +xgLNl+dlK+FetTk7267KO6TFGQGFge6SPJFi2WUosEQ6GZ10M2h9tFWA2xs= +-----END AGE ENCRYPTED FILE----- diff --git a/parts/secrets/systems/atlas/userPassword.age b/parts/secrets/systems/atlas/userPassword.age new file mode 100644 index 0000000..3e658ba --- /dev/null +++ b/parts/secrets/systems/atlas/userPassword.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSBJajlU +eFFSMjBlTUxoUEg3ZlNjb2tUSncwOUFnODRKZHlFai9wRkFaWVhFCmJNbnovL3NL +VjZHLzB6cDVMM0Y1bXllY3RWOEY5NWVkOWhKNmZ0eUJrQk0KLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIDJRd1lMdU9scDhFMVk5azhDc0dwMGljU2tiQkMxMDBESkpiaXdE +V3BFMDgKUWZ5UkttQmw2a3huVlhsNi81WHYxYlpJdnJ6T29UUHJ6MEZwakJUYzN1 +cwotPiA+bC1ncmVhc2UgSyl8Rm9wLUAgd1hHd3JqdWoKSHZldG9wMmRhM0ZvcEts +cUJ1K0NJK2JYUmVFVHpqYUhBRW13VjhaNXhyS3ZVL29hbVpycklOdmREZCtVeFA4 +QgpraXpwS1J2VC93YUx2bi9MMjZuUUhxQzdFaEEKLS0tIDBPczBUNUJEKzF4ZnB0 +aldTaEZwVjJ6OUtGYjFwZjUwMDJUeStzK1ZrcEUKwjr8W3jUtGjhvB0w8irGnIpR +tn8mLq5c9nMjUMAQ5qRWd6U0+XS1U7/UrP8zuzezlCNRri6tryOgujT7195CLr06 +9WAhEPqCN4FpyowsugbwPEuLgwCswn/YF5m6vg7T41m4VhXPkBlcRIR6c4T076ok +I3/MK2MEavBoGlW73cX4blDgtNozSxHLCQ== +-----END AGE ENCRYPTED FILE----- diff --git a/parts/systems/atlas/default.nix b/parts/systems/atlas/default.nix new file mode 100644 index 0000000..24cb139 
--- /dev/null
+++ b/parts/systems/atlas/default.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./miniflux.nix
+ ./nginx.nix
+ ];
+
+ _module.args.nixinate = {
+ host = "atlas";
+ sshUser = "root";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ tmp.cleanOnBoot = true;
+ };
+
+ networking = {
+ domain = "mydadleft.me";
+ hostName = "atlas";
+ };
+
+ services = {
+ guzzle-api = {
+ enable = true;
+ domain = "api.${config.networking.domain}";
+ nginx = {
+ enableACME = true;
+ acmeRoot = null;
+ addSSL = true;
+ };
+ };
+ };
+
+ users.users.atlas = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ passwordFile = config.age.secrets.userPassword.path;
+ };
+
+ zramSwap.enable = true;
+}
diff --git a/parts/systems/atlas/hardware-configuration.nix b/parts/systems/atlas/hardware-configuration.nix
new file mode 100644
index 0000000..00c6cd8
--- /dev/null
+++ b/parts/systems/atlas/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{modulesPath, ...}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ extraModulePackages = [];
+ kernelModules = [];
+
+ initrd = {
+ availableKernelModules = ["virtio_pci" "usbhid"];
+ kernelModules = [];
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/f0c84809-83f5-414b-a973-496d25d74c6d";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/A253-0826";
+ fsType = "vfat";
+ };
+ };
+
+ swapDevices = [];
+}
diff --git a/parts/systems/atlas/miniflux.nix b/parts/systems/atlas/miniflux.nix
new file mode 100644
index 0000000..5ed5d40
--- /dev/null
+++ b/parts/systems/atlas/miniflux.nix
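Review bot: `sshUser = "root"` in the `_module.args.nixinate` block means every deployment logs in to atlas as root over SSH, which only works if the host's sshd permits root login; that setting is not part of this hunk, so a comment here recording the dependency (and whether a dedicated deploy user with `sudo` was considered) would help the next reader. `users.users.atlas.passwordFile` is the pre-23.11 option name; it works today because the server profile builds from `nixpkgs-stable` at 23.05, but it will need to become `hashedPasswordFile` once that input moves past 23.05, so a `# TODO: rename to hashedPasswordFile on the next stable bump` note is worth adding now.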
@@ -0,0 +1,20 @@
+{
+ config,
+ self,
+ ...
+}: {
+ config = {
+ age.secrets = {
+ miniflux.file = "${self}/parts/secrets/systems/${config.networking.hostName}/miniflux.age";
+ };
+
+ services.miniflux = {
+ enable = true;
+ adminCredentialsFile = config.age.secrets.miniflux.path;
+ config = {
+ BASE_URL = "https://miniflux.${config.networking.domain}";
+ LISTEN_ADDR = "localhost:7000";
+ };
+ };
+ };
+}
diff --git a/parts/systems/atlas/nginx.nix b/parts/systems/atlas/nginx.nix
new file mode 100644
index 0000000..cdf483d
--- /dev/null
+++ b/parts/systems/atlas/nginx.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ self,
+ ...
+}: let
+ inherit (config.networking) domain;
+ inherit (self.lib.utils.nginx) mkVHosts mkProxy;
+in {
+ server = {
+ acme.enable = true;
+ services.cloudflared.enable = true;
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = mkVHosts {
+ "miniflux.${domain}" = {
+ locations = mkProxy "/" "7000";
+ };
+
+ "msix.${domain}" = {
+ root = "/var/www/msix";
+ };
+ };
+ };
+}
diff --git a/parts/systems/caroline/default.nix b/parts/systems/caroline/default.nix
new file mode 100644
index 0000000..43dc82f
--- /dev/null
+++ b/parts/systems/caroline/default.nix
@@ -0,0 +1,17 @@
+_: {
+ desktop = {
+ homebrew.enable = true;
+ gpg.enable = true;
+ };
+
+ homebrew.casks = ["arc"];
+
+ networking = rec {
+ computerName = "caroline";
+ hostName = computerName;
+ };
+
+ nix.settings.trusted-users = ["seth"];
+
+ services.tailscale.enable = true;
+}
diff --git a/parts/systems/default.nix b/parts/systems/default.nix
new file mode 100644
index 0000000..e9ef9ba
--- /dev/null
+++ b/parts/systems/default.nix
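Review bot: Neither vhost under `virtualHosts` sets `forceSSL`/`enableACME` itself, so whether `miniflux.${domain}` and `msix.${domain}` are actually served over TLS depends entirely on what `mkVHosts` in `self.lib.utils.nginx` injects, and that helper is outside this hunk; `recommendedTlsSettings` only tunes TLS parameters and does not enable it for a host. A comment on the `virtualHosts = mkVHosts {` line such as `# mkVHosts adds the ACME/forceSSL settings to every host; see lib/utils/nginx` (or whatever the helper really does) would make the contract visible here. `/var/www/msix` is referenced as a document root but nothing in the hunk creates the directory or sets its ownership, so it presumably has to be provisioned by hand.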
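Review bot: `nix.settings.trusted-users = ["seth"]` makes that account a trusted Nix user, which is effectively root-equivalent on the machine (trusted users can add substituters and signing keys and relax sandbox settings for their builds); that may well be the intended trade-off on a single-user workstation, but the line gives no reason. A comment such as `# trusted-users is root-equivalent; intentional on this single-user machine (needed for ...)` with the actual motivation filled in would stop it being copied onto a multi-user host unexamined.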
@@ -0,0 +1,47 @@
+{
+ inputs,
+ self,
+ withSystem,
+ ...
+}: {
+ flake = let
+ inherit (self.lib.configs) mapSystems;
+ profiles = import ./profiles.nix {inherit self inputs;};
+ in {
+ darwinConfigurations = mapSystems {
+ caroline = {
+ system = "x86_64-darwin";
+ profile = profiles.personal-darwin;
+ };
+ };
+
+ nixosConfigurations = mapSystems {
+ glados = {
+ modules = with inputs; [
+ lanzaboote.nixosModules.lanzaboote
+ ];
+ profile = profiles.personal;
+ };
+
+ glados-wsl = {
+ modules = [inputs.nixos-wsl.nixosModules.wsl];
+ profile = profiles.personal;
+ };
+
+ atlas = {
+ modules = [inputs.guzzle_api.nixosModules.default];
+ system = "aarch64-linux";
+ profile = profiles.server;
+ };
+ };
+
+ openwrtConfigurations.turret = withSystem "x86_64-linux" ({pkgs, ...}:
+ pkgs.callPackage ./turret {
+ inherit (inputs) openwrt-imagebuilder;
+ });
+ };
+
+ perSystem = {system, ...}: {
+ apps = (inputs.nixinate.nixinate.${system} self).nixinate;
+ };
+}
diff --git a/parts/systems/glados-wsl/default.nix b/parts/systems/glados-wsl/default.nix
new file mode 100644
index 0000000..98b57ed
--- /dev/null
+++ b/parts/systems/glados-wsl/default.nix
@@ -0,0 +1,39 @@
+{
+ modulesPath,
+ pkgs,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ ../../modules/nixos/features/tailscale.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ wslu
+ ];
+
+ base.networking.enable = false;
+ features.tailscale.enable = true;
+
+ wsl = {
+ enable = true;
+ defaultUser = "seth";
+ nativeSystemd = true;
+ wslConf.network = {
+ hostname = "glados-wsl";
+ generateResolvConf = true;
+ };
+ startMenuLaunchers = false;
+ interop.includePath = false;
+ };
+
+ services.dbus.apparmor = "disabled";
+
+ networking.hostName = "glados-wsl";
+
+ security = {
+ apparmor.enable = false;
+ audit.enable = false;
+ auditd.enable = false;
+ };
+}
diff --git a/parts/systems/glados/boot.nix b/parts/systems/glados/boot.nix
new file mode 100644
index 0000000..4a9af4e
--- /dev/null
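Review bot: The three `modules` lists under `nixosConfigurations` use two styles for the same thing: `glados` writes `with inputs; [ lanzaboote.nixosModules.lanzaboote ]` while `glados-wsl` and `atlas` spell out `inputs.nixos-wsl.nixosModules.wsl` and `inputs.guzzle_api.nixosModules.default`; picking one (the explicit form avoids the name-scoping ambiguity of `with`) would make the block easier to scan. `mapSystems` and `./profiles.nix` both come from outside this hunk, so the shape of each entry (`system`, `profile`, `modules`) is only discoverable by reading `self.lib.configs`; a short comment on the `flake = let` line naming those fields and which are optional would help.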
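Review bot: The `security` block switches off AppArmor, `audit` and `auditd`, and `services.dbus.apparmor` is set to `"disabled"`, with no comment explaining why; presumably the WSL kernel does not provide those LSM/audit facilities, but a reader cannot tell that from the hunk and the lines look like a hardening regression if copied elsewhere. A one-line comment above `security = {` such as `# WSL's kernel lacks AppArmor/audit support; disabled to avoid activation failures — confirm against the current WSL kernel` would record the reason. The same applies to `base.networking.enable = false`, which reads as if networking is turned off rather than delegated to WSL.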
+++ b/parts/systems/glados/boot.nix
@@ -0,0 +1,25 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ sbctl
+ tpm2-tss
+ ];
+
+ boot = {
+ initrd.systemd.enable = true;
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ bootspec.enable = true;
+ loader.systemd-boot.enable = lib.mkForce false;
+
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+
+ supportedFilesystems = ["btrfs" "ntfs"];
+ };
+}
diff --git a/parts/systems/glados/default.nix b/parts/systems/glados/default.nix
new file mode 100644
index 0000000..de2c1d5
--- /dev/null
+++ b/parts/systems/glados/default.nix
@@ -0,0 +1,61 @@
+{lib, ...}: {
+ imports = [
+ ./boot.nix
+ ./hardware-configuration.nix
+ ../../modules/nixos/features/tailscale.nix
+ ../../modules/nixos/features/virtualisation.nix
+ ];
+
+ boot = {
+ kernelParams = ["amd_pstate=active"];
+ kernel.sysctl = {
+ "vm.swappiness" = 100;
+ "vm.vfs_cache_pressure" = 500;
+ "vm.dirty_background_ratio" = 1;
+ "vm.dirty_ratio" = 50;
+ };
+ };
+
+ desktop.gnome.enable = true;
+
+ features = {
+ tailscale.enable = true;
+ virtualisation.enable = true;
+ };
+
+ hardware = {
+ nvidia.enable = true;
+ ssd.enable = true;
+ };
+
+ networking.hostName = "glados";
+
+ security.tpm2 = {
+ enable = true;
+ abrmd.enable = true;
+ };
+
+ services = {
+ flatpak.enable = true;
+ fwupd.enable = true;
+ };
+
+ systemd = {
+ services."prepare-kexec".wantedBy = ["multi-user.target"];
+ tmpfiles.rules = let
+ nproc = 12;
+ in
+ builtins.map
+ (n: "w /sys/devices/system/cpu/cpu${builtins.toString n}/cpufreq/energy_performance_preference - - - - ${"balance_performance"}")
+ (lib.range 0 (nproc - 1));
+ };
+
+ powerManagement.cpuFreqGovernor = "powersave";
+
+ zramSwap = {
+ enable = true;
+ algorithm = "zstd";
+ swapDevices = 1;
+ memoryPercent = 50;
+ };
+}
diff --git a/parts/systems/glados/hardware-configuration.nix b/parts/systems/glados/hardware-configuration.nix
new file mode 100644
index 0000000..a7ff9e9
--- /dev/null
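Review bot: `loader.systemd-boot.enable = lib.mkForce false` has no explanation next to it; since `lanzaboote.enable = true` supplies the boot loader in its place, a comment such as `# lanzaboote provides the loader; forced off because another module enables systemd-boot by default` (verify that the enabling module really is a lower-priority default, otherwise `mkForce` is masking a conflict) would make the override's reason clear. `pkiBundle = "/etc/secureboot"` points at key material that must exist on the host before the first Secure Boot build; noting that it is created out of band with `sbctl` (which is in `systemPackages` here) and is not managed by this flake would help the next install.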
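Review bot: `${"balance_performance"}` in the `tmpfiles.rules` string interpolates a string literal into a string, which is a no-op; writing `... energy_performance_preference - - - - balance_performance")` directly is equivalent and clearer. `nproc = 12` hard-codes this machine's core count with no comment; `# core count of this host; keep in sync with the hardware` would explain why it is a literal rather than derived. `"vm.swappiness" = 100` is unusual enough that a `# swap is zram-backed, so aggressive swapping is intended` note would stop someone "fixing" it later.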
+++ b/parts/systems/glados/hardware-configuration.nix 
@@ -0,0 +1,72 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ extraModulePackages = [];
+ kernelModules = ["kvm-amd"];
+
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+ kernelModules = [];
+
+ luks.devices."cryptroot" = {
+ device = "/dev/disk/by-uuid/bbbc1f37-53f5-4776-a70e-f2779179de50";
+ allowDiscards = true;
+ crypttabExtraOpts = ["tpm2-device=auto"];
+ };
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=root" "compress=zstd" "noatime"];
+ };
+
+ "/var/log" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=var_log" "compress=zstd" "noatime"];
+ };
+
+ "/nix" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=nix" "compress=zstd" "noatime" "nodatacow"];
+ };
+
+ "/home" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ options = ["subvol=home" "compress=zstd" "noatime"];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/B95B-9412";
+ fsType = "vfat";
+ };
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
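Review bot: The header says the file was generated by `nixos-generate-config` and must not be modified, but the hunk plainly contains hand-written content (the `luks.devices."cryptroot"` block with `crypttabExtraOpts`, the per-subvolume btrfs `options`), so the "do not modify" notice is now false and would mislead anyone who regenerates the file. Either drop those three lines or replace them with `# Generated by nixos-generate-config, then hand-edited: the LUKS/TPM and btrfs subvolume settings are manual and must survive regeneration`. `tpm2-device=auto` with no `tpm2-pcrs=` relies on whatever PCR policy was chosen at `systemd-cryptenroll` time (the tool's default is PCR 7, i.e. Secure Boot state), so the unlock is exactly as strong as that policy; a comment recording the enrolled PCR set would let a reviewer check it against the lanzaboote setup in `boot.nix`.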
diff --git a/parts/systems/profiles.nix b/parts/systems/profiles.nix
new file mode 100644
index 0000000..277d3c1
--- /dev/null
+++ b/parts/systems/profiles.nix
@@ -0,0 +1,101 @@
+{
+ inputs,
+ self,
+ ...
+}: let
+ specialArgs = {inherit inputs self;};
+in {
+ personal = {
+ system = "x86_64-linux";
+ builder = inputs.nixpkgs.lib.nixosSystem;
+ inherit specialArgs;
+
+ modules = with inputs; [
+ agenix.nixosModules.default
+ hm.nixosModules.home-manager
+ nur.nixosModules.nur
+ self.nixosModules.default
+
+ ../users/seth/system.nix
+
+ {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ secrets = let
+ baseDir = "${self}/parts/secrets/shared";
+ in {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ sethPassword.file = "${baseDir}/sethPassword.age";
+ };
+ };
+
+ base.enable = true;
+ system.stateVersion = "23.11";
+
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ extraSpecialArgs = specialArgs;
+ };
+ }
+ ];
+ };
+
+ personal-darwin = {
+ builder = inputs.darwin.lib.darwinSystem;
+ inherit specialArgs;
+ modules = with inputs; [
+ hm.darwinModules.home-manager
+ self.darwinModules.default
+
+ ../users/seth/system.nix
+
+ {
+ base.enable = true;
+ desktop.enable = true;
+ system.stateVersion = 4;
+
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ extraSpecialArgs = specialArgs;
+
+ users.seth = {
+ imports = [
+ ../users/seth/darwin.nix
+ ];
+
+ getchoo.desktop.enable = false;
+ };
+ };
+ }
+ ];
+ };
+
+ server = {
+ builder = inputs.nixpkgs-stable.lib.nixosSystem;
+ inherit specialArgs;
+
+ modules = with inputs; [
+ agenix.nixosModules.default
+ ../modules/nixos/base
+ ../modules/nixos/server
+ ../modules/nixos/features/tailscale.nix
+
+ {
+ features.tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+
+ server = {
+ enable = true;
+ secrets.enable = true;
+ };
+
+ nix.registry.n.flake = nixpkgs-stable;
+ system.stateVersion = "23.05";
+ }
+ ];
+ };
+}
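Review bot: `age.identityPaths = ["/etc/age/key"]` in the `personal` profile names a private key that has to be placed on the host by hand before any secret can be decrypted, and nothing in the file says so; a comment such as `# host age identity, provisioned out of band at install time (never in the store)` would help whoever sets up the next machine. The `server` profile declares no `identityPaths` at all, so it presumably falls back to agenix's default of the host SSH keys — consistent with `secrets.nix` encrypting the atlas secrets to a `root@atlas` ssh-ed25519 key — but a one-line note there would confirm that the asymmetry is intended rather than an omission.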
diff --git a/parts/systems/turret/default.nix b/parts/systems/turret/default.nix
new file mode 100644
index 0000000..faac3d2
--- /dev/null
+++ b/parts/systems/turret/default.nix
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ openwrt-imagebuilder,
+ ...
+}: let
+ inherit (pkgs) runCommand;
+ inherit (pkgs.stdenv) mkDerivation;
+ inherit (openwrt-imagebuilder.lib) build profiles;
+ wrtProfiles = profiles {
+ inherit pkgs;
+ release = "22.03.3";
+ };
+ config = mkDerivation {
+ name = "openwrt-config-files";
+ src = ./files;
+ installPhase = ''
+ mkdir -p $out
+ cp -r * $out/
+ '';
+ };
+ image =
+ wrtProfiles.identifyProfile "netgear_wac104"
+ // {
+ packages = ["https-dns-proxy"];
+
+ files = runCommand "image-files" {} ''
+ mkdir -p $out/etc/uci-defaults
+ cat > $out/etc/uci-defaults/99-custom <<EOF
+ uci -q batch << EOI
+ set system.@system[0].hostname='turret'
+ commit
+ EOI
+ EOF
+ cp -fr ${config}/etc/* $out/etc/
+ '';
+ };
+in
+ build image
diff --git a/parts/systems/turret/files/etc/config/dhcp b/parts/systems/turret/files/etc/config/dhcp
new file mode 100644
index 0000000..4a471cf
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/dhcp
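Review bot: `release = "22.03.3"` pins the OpenWrt image builder to a single point release with no comment on why; because the router only receives security fixes when this value is bumped, a note such as `# OpenWrt release for the imagebuilder; bump to pick up security point releases` next to it would make the upgrade path obvious. The `files` derivation also copies `${config}/etc/*` over the generated `uci-defaults/99-custom`, so anything under `./files/etc/config` silently wins over what that script sets (the hostname is set in both places); a comment on the `cp -fr` line stating that precedence would prevent surprises. Both `installPhase` and the `runCommand` script reference `$out` inside Nix `''` strings, which is fine since only `${...}` interpolates, but a reader unfamiliar with that rule may assume it is a bug.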
@@ -0,0 +1,55 @@
+
+config dnsmasq
+ option domainneeded '1'
+ option boguspriv '1'
+ option filterwin2k '0'
+ option localise_queries '1'
+ option rebind_protection '1'
+ option rebind_localhost '1'
+ option local '/lan/'
+ option domain 'lan'
+ option expandhosts '1'
+ option nonegcache '0'
+ option authoritative '1'
+ option readethers '1'
+ option leasefile '/tmp/dhcp.leases'
+ option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+ option nonwildcard '1'
+ option localservice '1'
+ option ednspacket_max '1232'
+ option doh_backup_noresolv '-1'
+ option noresolv '1'
+ list doh_backup_server ''
+ list doh_backup_server '/mask.icloud.com/'
+ list doh_backup_server '/mask-h2.icloud.com/'
+ list doh_backup_server '/use-application-dns.net/'
+ list doh_backup_server '127.0.0.1#5054'
+ list doh_backup_server '127.0.0.1#5053'
+ list server '/mask.icloud.com/'
+ list server '/mask-h2.icloud.com/'
+ list server '/use-application-dns.net/'
+ list server '127.0.0.1#5054'
+ list server '127.0.0.1#5053'
+
+config dhcp 'lan'
+ option interface 'lan'
+ option start '100'
+ option limit '150'
+ option leasetime '12h'
+ option dhcpv4 'server'
+ option dhcpv6 'server'
+ option ra 'server'
+ option ra_slaac '1'
+ list ra_flags 'managed-config'
+ list ra_flags 'other-config'
+
+config dhcp 'wan'
+ option interface 'wan'
+ option ignore '1'
+
+config odhcpd 'odhcpd'
+ option maindhcp '0'
+ option leasefile '/tmp/hosts/odhcpd'
+ option leasetrigger '/usr/sbin/odhcpd-update'
+ option loglevel '4'
+
diff --git a/parts/systems/turret/files/etc/config/dropbear b/parts/systems/turret/files/etc/config/dropbear
new file mode 100644
index 0000000..2139ba0
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/dropbear
@@ -0,0 +1,5 @@
+config dropbear
+ option PasswordAuth 'on'
+ option RootPasswordAuth 'on'
+ option Port '22'
+# option BannerFile '/etc/banner'
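Review bot: `list server '127.0.0.1#5053'` (and the matching `doh_backup_server` entry) forwards to a resolver on port 5053, but the `https-dns-proxy` config added in this same commit defines only one instance, listening on `127.0.0.1:5054`; unless a second instance exists outside the diff, dnsmasq will keep trying a port nothing listens on and fall back to 5054 on every query. Either add the second proxy instance or drop the two 5053 lines. The `doh_backup_*` options and the canary-domain `server` entries are what the https-dns-proxy package itself writes into this file at runtime, so keeping a hand-maintained copy means it will drift from whatever the package next generates; a comment saying they are intentionally committed would help.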
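Review bot: `option PasswordAuth 'on'` together with `option RootPasswordAuth 'on'` leaves the router's SSH service open to password logins for root; the firewall in this commit rejects WAN input so this is LAN-reachable only, but key-based login is the safer default for the device that also holds the DNS and firewall configuration. Consider `option PasswordAuth 'off'` and `option RootPasswordAuth 'off'` once a public key is installed in `/etc/dropbear/authorized_keys`, and if password login is kept on purpose as a recovery path, say so in a comment above the section.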
diff --git a/parts/systems/turret/files/etc/config/firewall b/parts/systems/turret/files/etc/config/firewall
new file mode 100644
index 0000000..b9a4647
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/firewall
@@ -0,0 +1,189 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + list network 'lan' + option input ACCEPT + option output ACCEPT + option forward ACCEPT + +config zone + option name wan + list network 'wan' + list network 'wan6' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +config rule + option name Allow-IGMP + option src wan + option proto igmp + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://github.com/openwrt/openwrt/issues/5066 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option dest_port 546 + option family ipv6 + option target ACCEPT + +config rule + option name Allow-MLD + option src wan + option proto icmp + option src_ip fe80::/10 + list icmp_type '130/0' + list icmp_type '131/0' + list icmp_type '132/0' + list icmp_type '143/0' + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list 
icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +config rule + option name Allow-IPSec-ESP + option src wan + option dest lan + option proto esp + option target ACCEPT + +config rule + option name Allow-ISAKMP + option src wan + option dest lan + option dest_port 500 + option proto udp + option target ACCEPT + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 
192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/parts/systems/turret/files/etc/config/https-dns-proxy b/parts/systems/turret/files/etc/config/https-dns-proxy new file mode 100644 index 0000000..e5623ad --- /dev/null +++ b/parts/systems/turret/files/etc/config/https-dns-proxy @@ -0,0 +1,18 @@ + +config main 'config' + option dnsmasq_config_update '*' + list force_dns_port '53' + list force_dns_port '853' + option procd_trigger_wan6 '0' + option canary_domains_icloud '0' + option canary_domains_mozilla '0' + option force_dns '0' + +config https-dns-proxy + option bootstrap_dns '1.1.1.1,1.0.0.1' + option resolver_url 'https://cloudflare-dns.com/dns-query' + option listen_addr '127.0.0.1' + option listen_port '5054' + option user 'nobody' + option group 'nogroup' + diff --git a/parts/systems/turret/files/etc/config/luci b/parts/systems/turret/files/etc/config/luci new file mode 100644 index 0000000..8eb8a9b --- /dev/null +++ b/parts/systems/turret/files/etc/config/luci 
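Review bot: `Allow-IPSec-ESP` and `Allow-ISAKMP` accept ESP and UDP/500 from `wan` into `lan` for every LAN host; they are the stock OpenWrt defaults, and nothing else in this commit's turret configuration sets up an IPsec endpoint, so they widen the WAN-facing surface for no visible reason. Adding `option enabled 0` to both rules (or deleting them) keeps the wan zone's default-deny posture, with a comment if IPsec pass-through is actually needed. The rest of the file, including the commented `EXAMPLE CONFIG SECTIONS` and `FULL CONFIG SECTIONS` blocks, is the upstream default verbatim; trimming those examples would make any local change easier to spot in future diffs.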
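Review bot: `option force_dns '0'` means the `force_dns_port` entries for 53 and 853 have no effect, so LAN clients can still send plaintext DNS or DoT to arbitrary upstreams and bypass the DoH proxy that the dnsmasq config in this commit routes everything through; if the router is meant to be the only resolver, set `option force_dns '1'`. `canary_domains_icloud` and `canary_domains_mozilla` are both `'0'` here while the dhcp file hand-lists `mask.icloud.com`, `mask-h2.icloud.com` and `use-application-dns.net`; the two files disagree on whether those canaries should be active, and the package rewrites the dnsmasq entries to match these settings on restart, so one of them should change.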
@@ -0,0 +1,41 @@
+
+config core 'main'
+ option lang 'auto'
+ option mediaurlbase '/luci-static/bootstrap'
+ option resourcebase '/luci-static/resources'
+ option ubuspath '/ubus/'
+
+config extern 'flash_keep'
+ option uci '/etc/config/'
+ option dropbear '/etc/dropbear/'
+ option openvpn '/etc/openvpn/'
+ option passwd '/etc/passwd'
+ option opkg '/etc/opkg.conf'
+ option firewall '/etc/firewall.user'
+ option uploads '/lib/uci/upload/'
+
+config internal 'languages'
+
+config internal 'sauth'
+ option sessionpath '/tmp/luci-sessions'
+ option sessiontime '3600'
+
+config internal 'ccache'
+ option enable '1'
+
+config internal 'themes'
+ option Bootstrap '/luci-static/bootstrap'
+ option BootstrapDark '/luci-static/bootstrap-dark'
+ option BootstrapLight '/luci-static/bootstrap-light'
+
+config internal 'apply'
+ option rollback '90'
+ option holdoff '4'
+ option timeout '5'
+ option display '1.5'
+
+config internal 'diag'
+ option dns 'openwrt.org'
+ option ping 'openwrt.org'
+ option route 'openwrt.org'
+
diff --git a/parts/systems/turret/files/etc/config/network b/parts/systems/turret/files/etc/config/network
new file mode 100644
index 0000000..c71cf98
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/network
@@ -0,0 +1,29 @@
+
+config interface 'loopback'
+ option device 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config globals 'globals'
+ option packet_steering '1'
+ option ula_prefix 'fd26:3166:dece::/48'
+
+config device
+ option name 'br-lan'
+ option type 'bridge'
+ list ports 'lan2'
+ list ports 'lan3'
+ list ports 'lan4'
+
+config interface 'lan'
+ option device 'br-lan'
+ option proto 'static'
+ option ipaddr '192.168.1.1'
+ option netmask '255.255.255.0'
+ option ip6assign '60'
+
+config interface 'wan'
+ option device 'lan1'
+ option proto 'dhcp'
+
diff --git a/parts/systems/turret/files/etc/config/rpcd b/parts/systems/turret/files/etc/config/rpcd
new file mode 100644
index 0000000..176c643
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/rpcd
@@ -0,0 +1,10 @@
+config rpcd
+ option socket /var/run/ubus/ubus.sock
+ option timeout 30
+
+config login
+ option username 'root'
+ option password '$p$root'
+ list read '*'
+ list write '*'
+
diff --git a/parts/systems/turret/files/etc/config/system b/parts/systems/turret/files/etc/config/system
new file mode 100644
index 0000000..ee3415f
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/system
@@ -0,0 +1,16 @@
+
+config system
+ option hostname 'turret'
+ option timezone 'UTC'
+ option ttylogin '0'
+ option log_size '64'
+ option urandom_seed '0'
+ option compat_version '1.1'
+
+config timeserver 'ntp'
+ option enabled '1'
+ option enable_server '0'
+ list server '0.openwrt.pool.ntp.org'
+ list server '1.openwrt.pool.ntp.org'
+ list server '2.openwrt.pool.ntp.org'
+ list server '3.openwrt.pool.ntp.org'
diff --git a/parts/systems/turret/files/etc/config/ucitrack b/parts/systems/turret/files/etc/config/ucitrack
new file mode 100644
index 0000000..bb4cdbc
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/ucitrack
@@ -0,0 +1,56 @@
+config network
+ option init network
+ list affects dhcp
+
+config wireless
+ list affects network
+
+config firewall
+ option init firewall
+ list affects luci-splash
+ list affects qos
+ list affects miniupnpd
+
+config olsr
+ option init olsrd
+
+config dhcp
+ option init dnsmasq
+ list affects odhcpd
+
+config odhcpd
+ option init odhcpd
+
+config dropbear
+ option init dropbear
+
+config httpd
+ option init httpd
+
+config fstab
+ option exec '/sbin/block mount'
+
+config qos
+ option init qos
+
+config system
+ option init led
+ option exec '/etc/init.d/log reload'
+ list affects luci_statistics
+ list affects dhcp
+
+config luci_splash
+ option init luci_splash
+
+config upnpd
+ option init miniupnpd
+
+config ntpclient
+ option init ntpclient
+
+config samba
+ option init samba
+
+config tinyproxy
+ option init tinyproxy
+
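Review bot: `option password '$p$root'` together with `list read '*'` and `list write '*'` defines a full-privilege ubus login that is authenticated against the system root password, and because the uhttpd config in this same commit exposes `option ubus_prefix '/ubus'`, that login is reachable over HTTP from every address uhttpd listens on, not only locally. This is the stock OpenWrt arrangement LuCI depends on, but it makes the root password the single barrier to full device control, so the deployment must set one — a fresh image ships root with no password. A comment on the section, `# '$p$root': authenticate against the system root password; grants every ubus ACL`, would document the scope for whoever tightens it later.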
diff --git a/parts/systems/turret/files/etc/config/uhttpd b/parts/systems/turret/files/etc/config/uhttpd
new file mode 100644
index 0000000..cb2ff71
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/uhttpd
@@ -0,0 +1,31 @@
+
+config uhttpd 'main'
+ list listen_http '0.0.0.0:80'
+ list listen_http '[::]:80'
+ list listen_https '0.0.0.0:443'
+ list listen_https '[::]:443'
+ option redirect_https '0'
+ option home '/www'
+ option rfc1918_filter '1'
+ option max_requests '3'
+ option max_connections '100'
+ option cert '/etc/uhttpd.crt'
+ option key '/etc/uhttpd.key'
+ option cgi_prefix '/cgi-bin'
+ list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
+ option script_timeout '60'
+ option network_timeout '30'
+ option http_keepalive '20'
+ option tcp_keepalive '1'
+ option ubus_prefix '/ubus'
+
+config cert 'defaults'
+ option days '730'
+ option key_type 'ec'
+ option bits '2048'
+ option ec_curve 'P-256'
+ option country 'ZZ'
+ option state 'Somewhere'
+ option location 'Unknown'
+ option commonname 'OpenWrt'
+
diff --git a/parts/systems/turret/files/etc/config/wireless b/parts/systems/turret/files/etc/config/wireless
new file mode 100644
index 0000000..c8bb9d7
--- /dev/null
+++ b/parts/systems/turret/files/etc/config/wireless
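Review bot: `list listen_http '0.0.0.0:80'` / `'[::]:80'` combined with `option redirect_https '0'` means LuCI logins, and the ubus session tokens they return, can be submitted in plaintext on every interface; `option redirect_https '1'`, or removing the two HTTP listeners, keeps credentials on the TLS listeners only. Binding to all addresses also relies entirely on the firewall's wan input policy to keep the admin UI off the WAN — binding the listeners to the LAN address this commit configures in `network` (`192.168.1.1:443`, `192.168.1.1:80`) would be a second, independent layer. `option rfc1918_filter '1'` is a good default against DNS rebinding but does nothing for the credentials on the wire. The `cert 'defaults'` section yields a self-signed certificate, so the first-connect browser warning is expected; noting its fingerprint once makes any later warning meaningful.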
@@ -0,0 +1,34 @@
+
+config wifi-device 'radio0'
+ option type 'mac80211'
+ option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
+ option band '2g'
+ option disabled '0'
+ option htmode 'HT40'
+ option channel '1'
+ option cell_density '0'
+
+config wifi-iface 'default_radio0'
+ option device 'radio0'
+ option network 'lan'
+ option mode 'ap'
+ option ssid 'Box-2.4G'
+ option encryption 'psk2'
+ option key 'REPLACEME'
+
+config wifi-device 'radio1'
+ option type 'mac80211'
+ option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
+ option band '5g'
+ option disabled '0'
+ option htmode 'VHT40'
+ option channel '36'
+ option cell_density '0'
+
+config wifi-iface 'default_radio1'
+ option device 'radio1'
+ option network 'lan'
+ option mode 'ap'
+ option ssid 'Box-5G'
+ option key 'REPLACEME'
+ option encryption 'psk2'
diff --git a/parts/systems/turret/files/etc/dropbear/authorized_keys b/parts/systems/turret/files/etc/dropbear/authorized_keys
new file mode 100644
index 0000000..495c605
--- /dev/null
+++ b/parts/systems/turret/files/etc/dropbear/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERx0I8DKtALZ9VrYnY1iBEpwl2pBlRiS8oJQvZwpl5e seth@glados
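Review bot: `option key 'REPLACEME'` is committed for both `default_radio0` and `default_radio1`, so if this `files/` tree is flashed as-is both access points come up with WPA2-PSK protected by a trivially guessable passphrase. The key should be substituted at build or deploy time from a secret store rather than kept in the tracked file, and a guard comment `# key is a placeholder; must be replaced before deployment` makes that contract visible in the file itself. The adjacent `authorized_keys` hunk is fine — it contains only a public key. Minor: `encryption` and `key` are in opposite order between the two `wifi-iface` sections.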
diff --git a/parts/users/default.nix b/parts/users/default.nix
new file mode 100644
index 0000000..a639abe
--- /dev/null
+++ b/parts/users/default.nix
@@ -0,0 +1,22 @@
+{
+ lib,
+ config,
+ inputs,
+ self,
+ ...
+}: let
+ inherit (self.lib.configs) mapHMUsers;
+ inherit (inputs) nixpkgs;
+
+ pkgsFor = lib.genAttrs config.systems (
+ system:
+ import nixpkgs {
+ system = "x86_64-linux";
+ overlays = with inputs; [nur.overlay getchoo.overlays.default];
+ }
+ );
+in {
+ flake.homeConfigurations = mapHMUsers {
+ seth.pkgs = pkgsFor."x86_64-linux";
+ };
+}
diff --git a/parts/users/seth/darwin.nix b/parts/users/seth/darwin.nix
new file mode 100644
index 0000000..74e6489
--- /dev/null
+++ b/parts/users/seth/darwin.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+ home.packages = with pkgs; [
+ discord
+ iterm2
+ #prismlauncher
+ #spotify
+ ];
+}
diff --git a/parts/users/seth/default.nix b/parts/users/seth/default.nix
new file mode 100644
index 0000000..997a6c3
--- /dev/null
+++ b/parts/users/seth/default.nix
@@ -0,0 +1,11 @@
+{inputs, ...}: {
+ imports = with inputs; [
+ ./desktop
+ ./programs
+ ./shell
+ arkenfox.hmModules.arkenfox
+ nix-index-database.hmModules.nix-index
+ ];
+
+ home.stateVersion = "23.11";
+}
diff --git a/parts/users/seth/desktop/budgie/default.nix b/parts/users/seth/desktop/budgie/default.nix
new file mode 100644
index 0000000..7eced2b
--- /dev/null
+++ b/parts/users/seth/desktop/budgie/default.nix
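Review bot: `pkgsFor` ignores its `system` argument — the lambda passed to `lib.genAttrs config.systems` hard-codes `system = "x86_64-linux";`, so every attribute of `pkgsFor` is an x86_64-linux package set regardless of its name. Replace that line with `inherit system;` so the attribute name and the package set it holds agree. Only `pkgsFor."x86_64-linux"` is consumed in this file today, so the bug is latent until another entry of `config.systems` is used.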
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.desktop.budgie;
+ inherit (lib) mkIf;
+ fromYaml = file: let
+ json = with pkgs;
+ runCommand "converted.json" {} ''
+ ${yj}/bin/yj < ${file} > $out
+ '';
+ in
+ with builtins; fromJSON (readFile json);
+in {
+ config = mkIf cfg.enable {
+ programs.alacritty = {
+ enable = true;
+ settings = let
+ file =
+ pkgs.fetchFromGitHub {
+ owner = "catppuccin";
+ repo = "alacritty";
+ rev = "3c808cbb4f9c87be43ba5241bc57373c793d2f17";
+ sha256 = "sha256-w9XVtEe7TqzxxGUCDUR9BFkzLZjG8XrplXJ3lX6f+x0=";
+ }
+ + "/catppuccin-mocha.yml";
+ in
+ (fromYaml file)
+ // {
+ };
+ };
+
+ dconf = {
+ enable = true;
+ settings = {
+ "com.solus-project.budgie-panel:Budgie" = {
+ pinned-launchers = ["firefox.desktop" "nemo.desktop" "discord.desktop"];
+ };
+ };
+ };
+ };
+}
diff --git a/parts/users/seth/desktop/default.nix b/parts/users/seth/desktop/default.nix
new file mode 100644
index 0000000..bdcef3d
--- /dev/null
+++ b/parts/users/seth/desktop/default.nix
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ osConfig,
+ ...
+}: let
+ cfg = config.getchoo.desktop;
+ desktops = ["budgie" "gnome" "plasma"];
+ inherit (lib) mkEnableOption mkIf;
+in {
+ imports = [
+ ./budgie
+ ./gnome
+ ./plasma
+ ];
+
+ options.getchoo.desktop =
+ {
+ enable = mkEnableOption "desktop configuration" // {default = osConfig.desktop.enable or false;};
+ }
+ // lib.genAttrs desktops (desktop: {
+ enable =
+ mkEnableOption desktop
+ // {default = osConfig.desktop.${desktop}.enable or false;};
+ });
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ discord
+ element-desktop
+ spotify
+ steam
+ prismlauncher
+ ];
+
+ getchoo.programs = {
+ chromium.enable = true;
+ firefox.enable = true;
+ mangohud.enable = true;
+ };
+ };
+}
diff --git a/parts/users/seth/desktop/gnome/default.nix b/parts/users/seth/desktop/gnome/default.nix
new file mode 100644
index 0000000..ff2d1d4
--- /dev/null
+++ b/parts/users/seth/desktop/gnome/default.nix
@@ -0,0 +1,88 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.desktop.gnome;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ home.packages = with pkgs;
+ [
+ adw-gtk3
+ tuba
+ ]
+ ++ (with pkgs.gnomeExtensions; [
+ caffeine
+ clipboard-history
+ gradience
+ ]);
+
+ dconf = {
+ enable = true;
+ settings = {
+ "org/gnome/shell" = {
+ disable-user-extensions = false;
+
+ enabled-extensions = [
+ ];
+
+ favorite-apps = [
+ "firefox.desktop"
+ "org.gnome.Nautilus.desktop"
+ "discord.desktop"
+ ];
+ };
+
+ "org/gnome/desktop/interface" = {
+ color-scheme = "prefer-dark";
+ font-antialiasing = ''rgba'';
+ font-name = ''Noto Sans 11'';
+ document-font-name = ''Noto Sans 11'';
+ monospace-font-name = ''FiraCode Nerd Font 10'';
+ };
+
+ "org/gnome/desktop/peripherals/mouse" = {
+ accel-profile = ''flat'';
+ };
+
+ "org/gnome/desktop/wm/preferences" = {
+ titlebar-font = ''Noto Sans Bold 11'';
+ };
+
+ "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
+ name = "blackbox";
+ command = "blackbox";
+ binding = "<Control><Alt>t";
+ };
+
+ "com/raggesilver/BlackBox" = {
+ font = ''FiraCode Nerd Font 12'';
+ theme-dark = ''Catppuccin-Mocha'';
+ remember-window-size = true;
+ };
+ };
+ };
+
+ gtk = {
+ enable = true;
+ theme = {
+ name = "adw-gtk3";
+ package = pkgs.adw-gtk3;
+ };
+ };
+
+ xdg.dataFile."blackbox/schemes/Catppuccin-Mocha.json".source =
+ pkgs.fetchFromGitHub {
+ owner = "catppuccin";
+ repo = "tilix";
+ rev = "3fd05e03419321f2f2a6aad6da733b28be1765ef";
+ sha256 = "sha256-SI7QxQ+WBHzeuXbTye+s8pi4tDVZOV4Aa33mRYO276k=";
+ }
+ + "/src/Catppuccin-Mocha.json";
+ };
+}
diff --git a/parts/users/seth/desktop/plasma/default.nix b/parts/users/seth/desktop/plasma/default.nix
new file mode 100644
index 0000000..4f59528
--- /dev/null
+++ b/parts/users/seth/desktop/plasma/default.nix
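Review bot: `enabled-extensions = [ ];` is written to `org/gnome/shell` while `caffeine`, `clipboard-history` and `gradience` are installed through `home.packages`, so the three extensions are present but never enabled by this configuration — and the empty list overrides any selection the user makes in the Extensions app on the next activation. Either populate the list from the packages' `extensionUuid` attributes (as far as I know every `gnomeExtensions.*` package in nixpkgs exposes one) or drop the key so dconf is left alone for that setting. A one-line comment stating which of the two is intended, e.g. `# extensions are installed but left for the user to enable`, would prevent the next reader from "fixing" it the other way.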
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.desktop.plasma;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ catppuccin-cursors
+ (catppuccin-kde.override
+ {
+ flavour = ["mocha"];
+ accents = ["mauve"];
+ })
+
+ (catppuccin-kvantum.override
+ {
+ variant = "Mocha";
+ accent = "Mauve";
+ })
+
+ libsForQt5.qtstyleplugin-kvantum
+ papirus-icon-theme
+ ];
+
+ xdg = {
+ configFile = let
+ themeDir = "${config.gtk.theme.package}/share/themes/${config.gtk.theme.name}";
+ in {
+ "gtk-4.0/gtk.css".source = "${themeDir}/gtk-4.0/gtk.css";
+ "gtk-4.0/gtk-dark.css".source = "${themeDir}/gtk-4.0/gtk-dark.css";
+ };
+
+ dataFile."konsole/catppuccin-mocha.colorscheme".source =
+ pkgs.fetchFromGitHub {
+ owner = "catppuccin";
+ repo = "konsole";
+ rev = "7d86b8a1e56e58f6b5649cdaac543a573ac194ca";
+ sha256 = "EwSJMTxnaj2UlNJm1t6znnatfzgm1awIQQUF3VPfCTM=";
+ }
+ + "/Catppuccin-Mocha.colorscheme";
+ };
+
+ gtk = {
+ enable = true;
+
+ theme = {
+ name = "Catppuccin-Mocha-Standard-Mauve-dark";
+ package = pkgs.catppuccin-gtk.override {
+ accents = ["mauve"];
+ variant = "mocha";
+ };
+ };
+ };
+ };
+}
diff --git a/parts/users/seth/home.nix b/parts/users/seth/home.nix
new file mode 100644
index 0000000..a3d9cce
--- /dev/null
+++ b/parts/users/seth/home.nix
@@ -0,0 +1,20 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [./.];
+
+ home = let
+ username = "seth";
+ inherit (pkgs.stdenv) isLinux isDarwin;
+ optionalLinuxDarwin = lib.optionalString (isLinux || isDarwin);
+ in {
+ inherit username;
+ homeDirectory = optionalLinuxDarwin (
+ if isLinux
+ then "/home/${username}"
+ else "/Users/${username}"
+ );
+ };
+}
diff --git a/parts/users/seth/programs/chromium.nix b/parts/users/seth/programs/chromium.nix
new file mode 100644
index 0000000..e313235
--- /dev/null
+++ b/parts/users/seth/programs/chromium.nix
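Review bot: `sha256 = "EwSJMTxnaj2UlNJm1t6znnatfzgm1awIQQUF3VPfCTM=";` in the konsole `fetchFromGitHub` is the only fixed-output hash in this commit written without the SRI prefix; the budgie, gnome and btop fetches all use `sha256 = "sha256-…"` or `hash = "sha256-…"`. Nix accepts the bare base64 form, but it hides the algorithm at a glance and is the style nixpkgs is moving away from. `hash = "sha256-EwSJMTxnaj2UlNJm1t6znnatfzgm1awIQQUF3VPfCTM=";` is the same digest in the form the rest of the commit uses.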
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.getchoo.programs.chromium;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.chromium.enable = mkEnableOption "chromium" // {default = config.getchoo.desktop.enable;};
+
+ config = mkIf cfg.enable {
+ programs.chromium = {
+ enable = true;
+ # hw accel support
+ commandLineArgs = [
+ "--ignore-gpu-blocklist"
+ "--enable-gpu-rasterization"
+ "--enable-gpu-compositing"
+ #"--enable-native-gpu-memory-buffers"
+ "--enable-zero-copy"
+ "--enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,RawDraw,WebRTCPipeWireCapturer,Vulkan,WaylandWindowDecorations,WebUIDarkMode"
+ "--enable-features=WebRTCPipeWireCapturer,WaylandWindowDecorations,WebUIDarkMode"
+ "--force-dark-mode"
+ ];
+ };
+ };
+}
diff --git a/parts/users/seth/programs/default.nix b/parts/users/seth/programs/default.nix
new file mode 100644
index 0000000..93ba8f5
--- /dev/null
+++ b/parts/users/seth/programs/default.nix
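Review bot: `--enable-features=` appears twice in `commandLineArgs`; as far as I know Chromium stores switches by name and keeps only the last value given, so the first entry — the one carrying `VaapiVideoDecoder`, `VaapiVideoEncoder`, `CanvasOopRasterization`, `RawDraw` and `Vulkan` — is discarded, and the `# hw accel support` comment is not delivered by the video-decode flags it describes. Merge them into one `"--enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,RawDraw,WebRTCPipeWireCapturer,Vulkan,WaylandWindowDecorations,WebUIDarkMode"` entry and delete the shorter second one. If the second line was meant as a reduced fallback set, a comment should say so, because as written it silently wins.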
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.programs.defaultPrograms;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+in {
+ options.getchoo.programs.defaultPrograms.enable = mkEnableOption "default programs" // {default = true;};
+
+ imports = [
+ ./chromium.nix
+ ./firefox
+ ./git.nix
+ ./gpg.nix
+ ./mangohud.nix
+ ./neovim
+ ./ssh.nix
+ ./vim.nix
+ ];
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ fd
+ nix-your-shell
+ nurl
+ rclone
+ restic
+ ];
+
+ programs = {
+ btop.enable = mkDefault true;
+
+ direnv = {
+ enable = mkDefault true;
+ nix-direnv.enable = mkDefault true;
+ };
+
+ ripgrep.enable = mkDefault true;
+
+ nix-index-database.comma.enable = mkDefault true;
+ };
+
+ xdg =
+ {
+ enable = mkDefault true;
+ }
+ // (mkIf config.programs.btop.enable {
+ configFile."btop/themes/catppuccin_mocha.theme".source =
+ pkgs.fetchFromGitHub {
+ owner = "catppuccin";
+ repo = "btop";
+ rev = "ecb8562bb6181bb9f2285c360bbafeb383249ec3";
+ sha256 = "sha256-ovVtupO5jWUw6cwA3xEzRe1juUB8ykfarMRVTglx3mk=";
+ }
+ + "/catppuccin_mocha.theme";
+ });
+ };
+}
diff --git a/parts/users/seth/programs/firefox/arkenfox.nix b/parts/users/seth/programs/firefox/arkenfox.nix
new file mode 100644
index 0000000..3da3a25
--- /dev/null
+++ b/parts/users/seth/programs/firefox/arkenfox.nix
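Review bot: `xdg = { enable = mkDefault true; } // (mkIf config.programs.btop.enable { … });` uses the attrset update operator on the `{ _type = "if"; condition; content; }` value that `mkIf` returns, so the result is an attrset tagged `_type = "if"`, and the module system then treats the whole thing as that conditional and reads only its `content` — `xdg.enable = mkDefault true` is most likely dropped silently. The module-level way to combine an unconditional and a conditional definition is `lib.mkMerge [ { enable = mkDefault true; } (mkIf config.programs.btop.enable { configFile.… = …; }) ]`, which keeps both. `mkMerge` would need adding to the `inherit (lib)` line at the top of the file.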
@@ -0,0 +1,71 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.getchoo.programs.firefox;
+ inherit (lib) genAttrs mkEnableOption mkIf recursiveUpdate;
+
+ enableSections = sections: genAttrs sections (_: {enable = true;});
+in {
+ options.getchoo.programs.firefox.arkenfoxConfig.enable =
+ mkEnableOption "default arkenfox config" // {default = true;};
+
+ config.programs.firefox = mkIf (cfg.enable && cfg.arkenfoxConfig.enable) {
+ arkenfox = {
+ enable = true;
+ version = "115.1";
+ };
+
+ profiles.arkenfox.arkenfox =
+ recursiveUpdate {
+ enable = true;
+
+ # enable safe browsing
+ "0400"."0403"."browser.safebrowsing.downloads.remote.enabled".value = true;
+
+ # fix hulu
+ "1200"."1201"."security.ssl.require_safe_negotiation".value = false;
+
+ "2600"."2651"."browser.download.useDownloadDir" = {
+ enable = true;
+ value = true;
+ };
+
+ # disable rfp letterboxing
+ "4500"."4504"."privacy.resistFingerprinting.letterboxing".value = false;
+
+ "5000" = {
+ "5003"."signon.rememberSignons".enable = true;
+ # enable search autocomplete
+ "5021"."keyword.enabled".value = true;
+ };
+
+ # enable drm
+ "5500"."5508"."media.eme.enabled" = {
+ enable = true;
+ value = true;
+ };
+ } (enableSections [
+ "0100"
+ "0200"
+ "0300"
+ "0400"
+ "0600"
+ "0700"
+ "0800"
+ "0900"
+ "1000"
+ "1200"
+ "1400"
+ "1600"
+ "1700"
+ "2000"
+ "2400"
+ "2600"
+ "2700"
+ "2800"
+ "4500"
+ ]);
+ };
+}
diff --git a/parts/users/seth/programs/firefox/default.nix b/parts/users/seth/programs/firefox/default.nix
new file mode 100644
index 0000000..82ba80d
--- /dev/null
+++ b/parts/users/seth/programs/firefox/default.nix
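Review bot: `"1200"."1201"."security.ssl.require_safe_negotiation".value = false;` carries only `# fix hulu`, yet it switches off an arkenfox hardening: with it false, Firefox again completes TLS handshakes with servers that do not implement the RFC 5746 secure-renegotiation extension. The comment should record what is being traded away so the override gets revisited, e.g. `# fix hulu: accept TLS servers without RFC 5746 secure renegotiation (weakens 1201)`. The same one-phrase treatment would help `# disable rfp letterboxing` and the `media.eme.enabled` override — each loosens a privacy or attack-surface default, and naming the cost keeps this file reviewable against upstream arkenfox updates.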
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.programs.firefox;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.firefox.enable = mkEnableOption "firefox" // {default = config.getchoo.desktop.enable;};
+
+ imports = [
+ ./arkenfox.nix
+ ];
+
+ config = mkIf cfg.enable {
+ home.sessionVariables = {
+ MOZ_ENABLE_WAYLAND = "1";
+ };
+
+ programs.firefox = {
+ enable = true;
+ profiles.arkenfox = {
+ extensions = with pkgs.nur.repos.rycee.firefox-addons; [
+ bitwarden
+ floccus
+ private-relay
+ ublock-origin
+ ];
+
+ isDefault = true;
+
+ settings = {
+ # disable firefox accounts & pocket
+ "extensions.pocket.enabled" = false;
+ "identity.fxaccounts.enabled" = false;
+
+ "gfx.webrender.all" = true;
+ "fission.autostart" = true;
+
+ # hw accel
+ "media.ffmpeg.vaapi.enabled" = true;
+
+ # widevine drm
+ "media.gmp-widevinecdm.enabled" = true;
+ };
+ };
+ };
+ };
+}
diff --git a/parts/users/seth/programs/git.nix b/parts/users/seth/programs/git.nix
new file mode 100644
index 0000000..ec92f8d
--- /dev/null
+++ b/parts/users/seth/programs/git.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.getchoo.programs.git;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.git.enable = mkEnableOption "git" // {default = true;};
+
+ config = mkIf cfg.enable {
+ programs = {
+ gh = {
+ enable = true;
+ settings = {
+ git_protocol = "https";
+ editor = "nvim";
+ prompt = "enabled";
+ };
+
+ gitCredentialHelper = {
+ enable = true;
+ hosts = ["https://github.com" "https://github.example.com"];
+ };
+ };
+
+ git = {
+ enable = true;
+
+ delta = {
+ enable = true;
+ options = {
+ syntax-theme = "catppuccin";
+ };
+ };
+
+ extraConfig = {
+ init = {defaultBranch = "main";};
+ };
+
+ signing = {
+ key = "D31BD0D494BBEE86";
+ signByDefault = true;
+ };
+
+ userEmail = "[email protected]";
+ userName = "seth";
+ };
+ };
+ };
+}
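Review bot: `hosts = ["https://github.com" "https://github.example.com"];` in `gitCredentialHelper` keeps the `github.example.com` placeholder from the option's documentation example, so `gh` is registered as credential helper for a host that does not exist. Drop it: `hosts = ["https://github.com"];`. Pinning `signing.key` to a long key ID with `signByDefault = true` is fine; nothing else in the git.nix hunk to raise.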
diff --git a/parts/users/seth/programs/gpg.nix b/parts/users/seth/programs/gpg.nix
new file mode 100644
index 0000000..f4f1a33
--- /dev/null
+++ b/parts/users/seth/programs/gpg.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ pkgs,
+ osConfig,
+ ...
+}: let
+ cfg = config.getchoo.programs.gpg;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.gpg.enable = mkEnableOption "gpg" // {default = true;};
+
+ config = mkIf cfg.enable {
+ programs.gpg.enable = true;
+
+ services.gpg-agent = lib.mkIf pkgs.stdenv.isLinux {
+ enable = true;
+
+ enableBashIntegration = config.programs.bash.enable;
+ enableFishIntegration = config.programs.fish.enable;
+ enableZshIntegration = config.programs.zsh.enable;
+
+ pinentryFlavor =
+ if osConfig ? programs
+ then osConfig.programs.gnupg.agent.pinentryFlavor or "curses"
+ else "curses";
+ };
+ };
+}
diff --git a/parts/users/seth/programs/mangohud.nix b/parts/users/seth/programs/mangohud.nix
new file mode 100644
index 0000000..1ab8bb0
--- /dev/null
+++ b/parts/users/seth/programs/mangohud.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.getchoo.programs.mangohud;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.mangohud.enable =
+ mkEnableOption "mangohud"
+ // {default = config.getchoo.desktop.enable;};
+
+ config = mkIf cfg.enable {
+ programs.mangohud = {
+ enable = true;
+ settings = {
+ legacy_layout = false;
+ cpu_stats = true;
+ cpu_temp = true;
+ gpu_stats = true;
+ gpu_temp = true;
+ fps = true;
+ frametime = true;
+ media_player = true;
+ media_player_name = "spotify";
+ };
+ };
+ };
+}
diff --git a/parts/users/seth/programs/neovim/.luarc.json b/parts/users/seth/programs/neovim/.luarc.json
new file mode 100644
index 0000000..23b9ee2
--- /dev/null
+++ b/parts/users/seth/programs/neovim/.luarc.json
@@ -0,0 +1,3 @@
+{
+ "workspace.checkThirdParty": false
+}
\ No newline at end of file
diff --git a/parts/users/seth/programs/neovim/config/init.lua b/parts/users/seth/programs/neovim/config/init.lua
new file mode 100644
index 0000000..854f26c
--- /dev/null
+++ b/parts/users/seth/programs/neovim/config/init.lua
@@ -0,0 +1,17 @@
+local cmd = vim.cmd
+local opt = vim.opt
+
+-- text options
+opt.tabstop = 2
+opt.shiftwidth = 2
+opt.expandtab = false
+opt.smartindent = true
+opt.wrap = true
+
+-- appearance
+opt.syntax = "on"
+cmd("filetype plugin indent on")
+opt.termguicolors = true
+
+require("getchoo.keybinds")
+require("getchoo.plugins")
diff --git a/parts/users/seth/programs/neovim/config/keybinds.lua b/parts/users/seth/programs/neovim/config/keybinds.lua
new file mode 100644
index 0000000..7dab12e
--- /dev/null
+++ b/parts/users/seth/programs/neovim/config/keybinds.lua
@@ -0,0 +1,49 @@
+vim.g.mapleader = ","
+
+local opts = { noremap = true, silent = true }
+local set = function(mode, key, vimcmd)
+ vim.keymap.set(mode, key, vimcmd, opts)
+end
+
+if pcall(require, "neo-tree.command") then
+ set("n", "<leader>t", function()
+ require("neo-tree.command").execute({
+ toggle = true,
+ dir = vim.loop.cwd(),
+ })
+ end)
+end
+
+if pcall(require, "flash") then
+ set({ "n", "o", "x" }, "s", function()
+ require("flash").jump()
+ end)
+end
+
+for i = 1, 9 do
+ set("n", "<leader>" .. i, function()
+ local vimcmd = "BufferLineGoToBuffer " .. i
+ vim.cmd(vimcmd)
+ end)
+end
+
+set("n", "<leader>q", function()
+ vim.cmd("BufferLinePickClose")
+end)
+
+set("n", "<leader>e", vim.diagnostic.open_float)
+set("n", "[d", vim.diagnostic.goto_prev)
+set("n", "]d", vim.diagnostic.goto_next)
+set("n", "<leader>u", vim.diagnostic.setloclist)
+
+set("n", "<leader>f", function()
+ vim.cmd("Telescope")
+end)
+
+set("n", "<leader>p", function()
+ vim.cmd("TroubleToggle")
+end)
+
+set("n", "<leader>z", function()
+ vim.api.nvim_clear_autocmds({ group = "LspFormatting" })
+end)
diff --git a/parts/users/seth/programs/neovim/config/plugins/general.lua b/parts/users/seth/programs/neovim/config/plugins/general.lua
new file mode 100644
index 0000000..f9a0c2c
--- /dev/null
+++ b/parts/users/seth/programs/neovim/config/plugins/general.lua
@@ -0,0 +1,107 @@
+---- catppuccin
+local compile_path = vim.fn.stdpath("cache") .. "/catppuccin-nvim"
+vim.fn.mkdir(compile_path, "p")
+vim.opt.runtimepath:append(compile_path)
+
+require("catppuccin").setup({
+ compile_path = compile_path,
+ flavour = "mocha", -- mocha, macchiato, frappe, latte
+ integrations = {
+ cmp = true,
+ flash = true,
+ gitsigns = true,
+ native_lsp = {
+ enabled = true,
+ },
+ neotree = true,
+ treesitter_context = true,
+ treesitter = true,
+ telescope = true,
+ lsp_trouble = true,
+ },
+ no_italic = true,
+})
+vim.api.nvim_command("colorscheme catppuccin")
+
+---- bufferline
+require("bufferline").setup({
+ options = {
+ always_show_bufferline = false,
+ highlights = require("catppuccin.groups.integrations.bufferline").get(),
+ diagnostics = "nvim_lsp",
+ mode = "buffers",
+ numbers = "ordinal",
+ separator_style = "slant",
+ offsets = {
+ {
+ filetype = "neo-tree",
+ text = "neo-tree",
+ highlight = "Directory",
+ text_align = "left",
+ },
+ },
+ },
+})
+
+---- gitsigns
+require("gitsigns").setup()
+
+---- indent-blankline.nvim
+require("indent_blankline").setup({
+ filetype_exclude = {
+ "help",
+ "neo-tree",
+ "Trouble",
+ "lazy",
+ "mason",
+ "notify",
+ "toggleterm",
+ },
+ show_trailing_blankline_indent = false,
+ show_current_context = false,
+})
+
+---- lualine
+require("lualine").setup({
+ options = {
+ theme = "catppuccin",
+ },
+ extensions = { "neo-tree", "trouble" },
+})
+
+---- mini.nvim
+require("mini.pairs").setup({})
+require("mini.indentscope").setup({
+ options = { try_as_border = true },
+})
+
+vim.api.nvim_create_autocmd("FileType", {
+ pattern = {
+ "help",
+ "neo-tree",
+ "Trouble",
+ "lazy",
+ "mason",
+ "notify",
+ "toggleterm",
+ },
+ callback = function()
+ vim.b.miniindentscope_disable = true
+ end,
+})
+
+---- nvim-tree
+require("neo-tree").setup({
+ sources = { "filesystem", "buffers", "git_status", "document_symbols" },
+ open_files_do_not_replace_types = { "terminal", "Trouble", "qf", "Outline" },
+ filesystem = {
+ bind_to_cwd = false,
+ follow_current_file = { enabled = true },
+ use_libuv_file_watcher = true,
+ },
+})
+
+---- which-key
+require("which-key").setup({
+ plugins = { spelling = true },
+})
diff --git a/parts/users/seth/programs/neovim/config/plugins/init.lua b/parts/users/seth/programs/neovim/config/plugins/init.lua
new file mode 100644
index 0000000..95883c7
--- /dev/null
+++ b/parts/users/seth/programs/neovim/config/plugins/init.lua
@@ -0,0 +1,3 @@
+require("getchoo.plugins.general")
+require("getchoo.plugins.lsp")
+require("getchoo.plugins.ui")
diff --git a/parts/users/seth/programs/neovim/config/plugins/lsp.lua b/parts/users/seth/programs/neovim/config/plugins/lsp.lua
new file mode 100644
index 0000000..e776ed4
--- /dev/null
+++ b/parts/users/seth/programs/neovim/config/plugins/lsp.lua
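Review bot: `require("gitsigns").setup()` is called here and again in plugins/lsp.lua of this same commit, so gitsigns is configured twice on every startup; keep a single call (this file, next to the other UI plugins) and delete the one in lsp.lua. The section header `---- nvim-tree` sits above `require("neo-tree").setup(...)`; `---- neo-tree` would match the plugin names used in the other headers. The seven-entry filetype list appears twice, as `filetype_exclude` for indent_blankline and as `pattern` in the FileType autocmd; a shared `local ui_filetypes = { … }` declared once keeps the two in step.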
@@ -0,0 +1,170 @@
+---- cmp
+local cmp = require("cmp")
+local luasnip = require("luasnip")
+local mapping = cmp.mapping
+
+require("cmp").setup({
+ completion = {
+ completeopt = "menu,menuone,noinsert",
+ },
+
+ snippet = {
+ expand = function(args)
+ luasnip.lsp_expand(args.body)
+ end,
+ },
+
+ mapping = mapping.preset.insert({
+ ["<C-n>"] = mapping.select_next_item({ behavior = cmp.SelectBehavior.Insert }),
+ ["<C-p>"] = mapping.select_prev_item({ behavior = cmp.SelectBehavior.Insert }),
+ ["<C-b>"] = mapping.scroll_docs(-4),
+ ["<C-f>"] = mapping.scroll_docs(4),
+ ["<C-Space>"] = mapping.complete(),
+ ["<C-e>"] = mapping.abort(),
+ ["<CR>"] = mapping.confirm({ select = true }),
+ ["<S-CR>"] = mapping.confirm({
+ behavior = cmp.ConfirmBehavior.Replace,
+ select = true,
+ }),
+ }),
+
+ sources = cmp.config.sources({
+ { name = "nvim_lsp" },
+ { name = "luasnip" },
+ { name = "async_path" },
+ { name = "buffer" },
+ }),
+})
+
+---- gitsigns
+require("gitsigns").setup()
+
+---- fidget
+require("fidget").setup()
+
+---- lsp sources
+local null_ls = require("null-ls")
+local diagnostics = null_ls.builtins.diagnostics
+local formatting = null_ls.builtins.formatting
+
+local sources = {
+ lsp_servers = {
+ ["bashls"] = "bash-language-server",
+ ["clangd"] = "clangd",
+ ["eslint"] = "eslint",
+ ["nil_ls"] = "nil",
+ ["pyright"] = "pyright-langserver",
+ ["rust_analyzer"] = "rust-analyzer",
+ ["tsserver"] = "typescript-language-server",
+ },
+ null_ls = {
+ diagnostics.actionlint,
+ diagnostics.alex,
+ diagnostics.codespell,
+ diagnostics.deadnix,
+ diagnostics.pylint,
+ diagnostics.shellcheck,
+ diagnostics.statix,
+ formatting.alejandra,
+ formatting.beautysh,
+ formatting.codespell,
+ formatting.just,
+ formatting.nimpretty,
+ formatting.prettier,
+ formatting.rustfmt,
+ formatting.shellharden,
+ formatting.stylua,
+ formatting.yapf,
+ },
+}
+
+--- lsp config
+local capabilities = vim.tbl_deep_extend(
+ "force",
+ require("cmp_nvim_lsp").default_capabilities(vim.lsp.protocol.make_client_capabilities()),
+ { workspace = { didChangeWatchedFiles = { dynamicRegistration = true } } }
+)
+
+local all_config = {
+ capabilities = capabilities,
+}
+
+local servers = {}
+for server, binary in pairs(sources.lsp_servers) do
+ if vim.fn.executable(binary) == 1 then
+ servers[server] = all_config
+ end
+end
+
+servers["lua_ls"] = {
+ capabilities = capabilities,
+ settings = {
+ Lua = {
+ runtime = {
+ version = "LuaJIT",
+ },
+ diagnostics = {
+ globals = { "vim" },
+ },
+ workspace = {
+ library = vim.api.nvim_get_runtime_file("", true),
+ },
+ },
+ },
+}
+
+for server, settings in pairs(servers) do
+ require("lspconfig")[server].setup(settings)
+end
+
+---- null-ls
+-- auto-format
+local lsp_formatting = function(bufnr)
+ vim.lsp.buf.format({
+ filter = function(client)
+ return client.name == "null-ls"
+ end,
+ bufnr = bufnr,
+ })
+end
+
+local augroup = vim.api.nvim_create_augroup("LspFormatting", {})
+local formatting_on_attach = function(client, bufnr)
+ if client.supports_method("textDocument/formatting") then
+ vim.api.nvim_clear_autocmds({ group = augroup, buffer = bufnr })
+ vim.api.nvim_create_autocmd("BufWritePre", {
+ group = augroup,
+ buffer = bufnr,
+ callback = function()
+ lsp_formatting(bufnr)
+ end,
+ })
+ end
+end
+
+require("mini.comment").setup({
+ options = {
+ custom_commentstring = function()
+ return require("ts_context_commentstring.internal").calculate_commentstring()
+ or vim.bo.context_commentstring
+ end,
+ },
+})
+
+require("null-ls").setup({
+ on_attach = formatting_on_attach,
+ sources = sources.null_ls,
+})
+
+require("nvim-treesitter.configs").setup({
+ auto_install = false,
+ highlight = { enable = true },
+ indent = { enable = true },
+ context_commentstring = {
+ enable = true,
+ enable_autocmd = false,
+ },
+})
+
+---- trouble
+require("trouble").setup()
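Review bot: `servers["lua_ls"] = { … }` is added unconditionally while every other server is gated by `if vim.fn.executable(binary) == 1`, so lspconfig will try to spawn `lua-language-server` on every Lua buffer even on a machine where it is absent; wrap it in the same check (`if vim.fn.executable("lua-language-server") == 1 then … end`) so the two paths behave alike. `require("cmp").setup({` ignores the `local cmp` defined just above it — `cmp.setup({` is the consistent form. The `---- null-ls` header sits above the formatting helpers, but the `require("null-ls").setup` call only comes after the unrelated `mini.comment` block; moving the `mini.comment` setup next to the treesitter section would let each header cover its own plugin.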
diff --git a/parts/users/seth/programs/neovim/config/plugins/ui.lua b/parts/users/seth/programs/neovim/config/plugins/ui.lua
new file mode 100644
index 0000000..3a0cc2e
--- /dev/null
+++ b/parts/users/seth/programs/neovim/config/plugins/ui.lua
@@ -0,0 +1,40 @@
+require("dressing")
+
+vim.notify = require("notify")
+
+vim.ui.select = function(...)
+ return vim.ui.select(...)
+end
+
+vim.ui.input = function(...)
+ return vim.ui.input(...)
+end
+
+require("noice").setup({
+ lsp = {
+ override = {
+ ["vim.lsp.util.convert_input_to_markdown_lines"] = true,
+ ["vim.lsp.util.stylize_markdown"] = true,
+ ["cmp.entry.get_documentation"] = true,
+ },
+ },
+ routes = {
+ {
+ filter = {
+ event = "msg_show",
+ any = {
+ { find = "%d+L, %d+B" },
+ { find = "; after #%d+" },
+ { find = "; before #%d+" },
+ },
+ },
+ view = "mini",
+ },
+ },
+ presets = {
+ bottom_search = true,
+ command_palette = true,
+ long_message_to_split = true,
+ inc_rename = true,
+ },
+})
diff --git a/parts/users/seth/programs/neovim/default.nix b/parts/users/seth/programs/neovim/default.nix
new file mode 100644
index 0000000..2a186ac
--- /dev/null
+++ b/parts/users/seth/programs/neovim/default.nix
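Review bot: `vim.ui.select = function(...) return vim.ui.select(...) end` calls itself: the body resolves `vim.ui.select` at call time, and by then that field holds this very function, so the first `vim.ui.select(...)` call recurses until the Lua stack overflows; `vim.ui.input` below has the same shape. This pattern only works when the wrapper lazily loads a plugin that replaces `vim.ui.select` before the inner call runs, and here dressing.nvim is loaded eagerly and installs its own `vim.ui.select`/`vim.ui.input` overrides on its own, so both wrappers should simply be deleted. If a wrapper is really wanted, capture the previous function first: `local select = vim.ui.select; vim.ui.select = function(...) return select(...) end`.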
@@ -0,0 +1,93 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.programs.neovim;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.neovim.enable = mkEnableOption "neovim" // {default = true;};
+
+ config = mkIf cfg.enable {
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ extraPackages = with pkgs; [
+ actionlint
+ alejandra
+ beautysh
+ codespell
+ deadnix
+ just
+ nil
+ nodePackages.alex
+ shellcheck
+ statix
+ stylua
+ sumneko-lua-language-server
+ ];
+ plugins = with pkgs.vimPlugins; [
+ # general
+ catppuccin-nvim
+
+ # TODO: don't pin when deprecation notice
+ # is no longer in nixpkgs
+ (fidget-nvim.overrideAttrs (_: {
+ src = pkgs.fetchFromGitHub {
+ owner = "j-hui";
+ repo = "fidget.nvim";
+ rev = "41f327b53c7977d47aee56f05e0bdbb4b994c5eb";
+ hash = "sha256-v9qARsW8Gozit4Z3+igiemjI467QgRhwM+crqwO9r6U=";
+ };
+ }))
+
+ flash-nvim
+ gitsigns-nvim
+ indent-blankline-nvim
+ lualine-nvim
+ neo-tree-nvim
+ nvim-web-devicons
+ mini-nvim
+
+ # completion
+ nvim-cmp
+ cmp-nvim-lsp
+ cmp-buffer
+ cmp_luasnip
+ cmp-async-path
+ luasnip
+
+ # ui
+ dressing-nvim
+ noice-nvim
+ nui-nvim
+ nvim-notify
+
+ # lsp
+ nvim-lspconfig
+ null-ls-nvim
+ pkgs.vim-just
+
+ ## utils
+ bufferline-nvim
+ plenary-nvim
+ telescope-nvim
+ trouble-nvim
+ which-key-nvim
+
+ # treesitter
+ nvim-treesitter.withAllGrammars
+ nvim-ts-context-commentstring
+ ];
+ extraLuaConfig = ''
+ require("getchoo")
+ '';
+ };
+
+ xdg.configFile."nvim/lua/getchoo" = {
+ source = ./config;
+ recursive = true;
+ };
+ };
+}
diff --git a/parts/users/seth/programs/ssh.nix b/parts/users/seth/programs/ssh.nix
new file mode 100644
index 0000000..080a60e
--- /dev/null
+++ b/parts/users/seth/programs/ssh.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.programs.ssh;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.ssh.enable = mkEnableOption "ssh" // {default = true;};
+
+ config = mkIf cfg.enable {
+ programs.ssh = {
+ enable = true;
+ package = pkgs.openssh;
+
+ matchBlocks = let
+ sshDir = "${config.home.homeDirectory}/.ssh";
+ in {
+ # git forges
+ "codeberg.org" = {
+ identityFile = "${sshDir}/codeberg";
+ user = "git";
+ };
+
+ # linux packaging
+ "aur.archlinux.org" = {
+ identityFile = "${sshDir}/aur";
+ user = "aur";
+ };
+
+ "pagure.io" = {
+ identityFile = "${sshDir}/copr";
+ user = "git";
+ };
+
+ # router
+ "192.168.1.1" = {
+ identityFile = "${sshDir}/openwrt";
+ user = "root";
+ };
+
+ # servers
+ "atlas".user = "atlas";
+ };
+ };
+
+ services.ssh-agent.enable = pkgs.stdenv.isLinux;
+ };
+}
diff --git a/parts/users/seth/programs/vim.nix b/parts/users/seth/programs/vim.nix
new file mode 100644
index 0000000..0f81cfb
--- /dev/null
+++ b/parts/users/seth/programs/vim.nix
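Review bot: The match blocks that name an `identityFile` do not set `identitiesOnly = true;`, so with `services.ssh-agent` enabled ssh still offers every key loaded in the agent before (or instead of) the named one; that discloses which other keys exist to each remote host and, once a handful of keys are loaded, can hit the server's authentication-attempt limit before the right key is tried. Adding `identitiesOnly = true;` to the codeberg, aur, pagure and router blocks restricts each connection to the key it was configured for. The `"atlas"` block relies on the bare name resolving via DNS or hosts file; if it is meant to be a fixed machine, a `hostname = …;` line would pin it and make the known-hosts binding explicit.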
@@ -0,0 +1,43 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.getchoo.programs.vim;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.getchoo.programs.vim.enable = mkEnableOption "vim" // {default = true;};
+
+ config = mkIf cfg.enable {
+ programs.vim = {
+ enable = true;
+ packageConfigurable = pkgs.vim;
+ settings = {
+ expandtab = false;
+ shiftwidth = 2;
+ tabstop = 2;
+ };
+ extraConfig = ''
+ " https://wiki.archlinux.org/title/XDG_Base_Directory
+ set runtimepath^=$XDG_CONFIG_HOME/vim
+ set runtimepath+=$XDG_DATA_HOME/vim
+ set runtimepath+=$XDG_CONFIG_HOME/vim/after
+
+ set packpath^=$XDG_DATA_HOME/vim,$XDG_CONFIG_HOME/vim
+ set packpath+=$XDG_CONFIG_HOME/vim/after,$XDG_DATA_HOME/vim/after
+ set packpath^=$XDG_DATA_HOME/vim,$XDG_CONFIG_HOME/vim
+ set packpath+=$XDG_CONFIG_HOME/vim/after,$XDG_DATA_HOME/vim/after
+
+ let g:netrw_home = $XDG_DATA_HOME."/vim"
+ call mkdir($XDG_DATA_HOME."/vim/spell", 'p')
+
+ set backupdir=$XDG_STATE_HOME/vim/backup | call mkdir(&backupdir, 'p')
+ set directory=$XDG_STATE_HOME/vim/swap | call mkdir(&directory, 'p')
+ set undodir=$XDG_STATE_HOME/vim/undo | call mkdir(&undodir, 'p')
+ set viewdir=$XDG_STATE_HOME/vim/view | call mkdir(&viewdir, 'p')
+ set viminfofile=$XDG_STATE_HOME/vim/viminfo
+ '';
+ };
+ };
+}
diff --git a/parts/users/seth/shell/bash.nix b/parts/users/seth/shell/bash.nix
new file mode 100644
index 0000000..f9a1afa
--- /dev/null
+++ b/parts/users/seth/shell/bash.nix
@@ -0,0 +1,21 @@
+{config, ...}: {
+ programs.bash = {
+ enable = true;
+ bashrcExtra = ''
+ nixfile=${config.home.homeDirectory}/.nix-profile/etc/profile.d/nix.sh
+ [ -e "$nixfile" ] && source "$nixfile"
+ '';
+ historyFile = "${config.xdg.stateHome}/bash/history";
+ historyFileSize = 1000;
+ historySize = 100;
+ shellOptions = [
+ "cdspell"
+ "checkjobs"
+ "checkwinsize"
+ "dirspell"
+ "globstar"
+ "histappend"
+ "no_empty_cmd_completion"
+ ];
+ };
+}
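Review bot: The pair `set packpath^=$XDG_DATA_HOME/vim,$XDG_CONFIG_HOME/vim` / `set packpath+=$XDG_CONFIG_HOME/vim/after,$XDG_DATA_HOME/vim/after` appears twice verbatim in `extraConfig`, so every directory is prepended and appended a second time; the second pair should be dropped. The backup, swap, undo and view directories are derived from `$XDG_STATE_HOME` at Vim startup and created with `mkdir(..., 'p')` on every run, which makes the location depend on whether the launching shell exported that variable; the sibling bash.nix in this commit already uses `${config.xdg.stateHome}` from the Nix side, and doing the same here (`set backupdir=${config.xdg.stateHome}/vim/backup | …`, etc.) would make the paths deterministic regardless of environment.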
diff --git a/parts/users/seth/shell/default.nix b/parts/users/seth/shell/default.nix new file mode 100644 index 0000000..5f7e24c --- /dev/null +++ b/parts/users/seth/shell/default.nix @@ -0,0 +1,79 @@ +{ + config, + pkgs, + ... +}: let + inherit (builtins) fromTOML readFile; + inherit (pkgs) fetchFromGitHub; +in { + imports = [ + ./bash.nix + ./fish.nix + ]; + + programs = { + bat = { + enable = true; + config = { + theme = "catppuccin"; + }; + themes = { + catppuccin = readFile (fetchFromGitHub { + owner = "catppuccin"; + repo = "bat"; + rev = "ba4d16880d63e656acced2b7d4e034e4a93f74b1"; + sha256 = "sha256-6WVKQErGdaqb++oaXnY3i6/GuH2FhTgK0v4TN4Y0Wbw="; + } + + "/Catppuccin-mocha.tmTheme"); + }; + }; + + eza = { + enable = true; + enableAliases = true; + icons = true; + }; + + starship = { + enable = true; + enableBashIntegration = false; + enableZshIntegration = false; + settings = + { + format = "$all"; + palette = "catppuccin_mocha"; + command_timeout = 50; + } + // fromTOML (readFile ./starship.toml) + // fromTOML (readFile + (fetchFromGitHub + { + owner = "catppuccin"; + repo = "starship"; + rev = "3e3e54410c3189053f4da7a7043261361a1ed1bc"; + sha256 = "sha256-soEBVlq3ULeiZFAdQYMRFuswIIhI9bclIU8WXjxd7oY="; + } + + "/palettes/mocha.toml")); + }; + }; + + home = { + sessionVariables = let + inherit (config.xdg) configHome dataHome stateHome; + in { + EDITOR = "nvim"; + VISUAL = "$EDITOR"; + GPG_TTY = "$(tty)"; + CARGO_HOME = "${dataHome}/cargo"; + RUSTUP_HOME = "${dataHome}/rustup"; + LESSHISTFILE = "${stateHome}/less/history"; + NPM_CONFIG_USERCONFIG = "${configHome}/npm/npmrc"; + }; + + shellAliases = { + diff = "diff --color=auto"; + g = "git"; + gs = "g status"; + }; + }; +} diff --git a/parts/users/seth/shell/fish.nix b/parts/users/seth/shell/fish.nix new file mode 100644 index 0000000..7488b40 --- /dev/null +++ b/parts/users/seth/shell/fish.nix 
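Review bot: `GPG_TTY = "$(tty)"` in `home.sessionVariables` is expanded when the generated session-variables script is sourced, which, as far as I know, happens once per login session and is then skipped by a guard variable, so terminals opened later in the same session inherit a stale or "not a tty" value and pinentry can attach to the wrong terminal or fail. Setting it from the interactive shell init instead (e.g. `set -gx GPG_TTY (tty)` in fish's `interactiveShellInit`, `export GPG_TTY=$(tty)` in the zsh/bash init) evaluates it per shell. The pinned `rev` plus `sha256` on both `fetchFromGitHub` calls is good; a one-line comment on `command_timeout = 50` saying why the starship default was lowered would help the next reader, since a too-small value silently drops modules that exceed it.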
@@ -0,0 +1,52 @@ +{ + config, + pkgs, + ... +}: { + xdg.configFile."fish/themes" = { + recursive = true; + source = + pkgs.fetchFromGitHub + { + owner = "catppuccin"; + repo = "fish"; + rev = "b90966686068b5ebc9f80e5b90fdf8c02ee7a0ba"; + sha256 = "sha256-wQlYQyqklU/79K2OXRZXg5LvuIugK7vhHgpahpLFaOw="; + } + + "/themes"; + }; + + programs.fish = { + enable = true; + + interactiveShellInit = '' + set -l nixfile ${config.home.homeDirectory}/.nix-profile/etc/profile.d/nix.fish + if test -e $nixfile + source $nixfile + end + + fish_config theme choose "Catppuccin Mocha" + nix-your-shell fish | source + + abbr -a !! --position anywhere --function last_history_item + ''; + + functions = { + last_history_item.body = "echo $history[1]"; + }; + + shellAbbrs = { + nixgc = "sudo nix-collect-garbage -d && nix-collect-garbage -d"; + }; + + plugins = let + mkFishPlugins = builtins.map (plugin: { + name = plugin; + inherit (pkgs.fishPlugins.${plugin}) src; + }); + in + mkFishPlugins [ + "autopair" + ]; + }; +} diff --git a/parts/users/seth/shell/starship.toml b/parts/users/seth/shell/starship.toml new file mode 100644 index 0000000..94a2922 --- /dev/null +++ b/parts/users/seth/shell/starship.toml 
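Review bot: `nix-your-shell fish | source` in `interactiveShellInit` is unguarded and resolves the binary through `$PATH` at every shell start, so if the package is not installed the shell prints an error on each launch, and whatever `nix-your-shell` happens to be first on the path is executed and its output evaluated; the zsh init in zsh.nix (`nix-your-shell zsh | source /dev/stdin`) has the same shape. Pinning the binary and guarding it, `if command -q nix-your-shell; ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source; end` (or simply the pinned path without the guard), keeps the shell usable and makes what is being sourced explicit. Whether `nix-your-shell` is added to `home.packages` is not visible in this diff.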
@@ -0,0 +1,220 @@ +[aws] +symbol = " " + +[bun] +format = "via [$symbol]($style)" + +[buf] +format = "via [$symbol]($style)" +symbol = " " + +[c] +symbol = " " + +[cmake] +format = "via [$symbol]($style)" + +[cobol] +format = "via [$symbol]($style)" + +[conda] +symbol = " " + +[crystal] +format = "via [$symbol]($style)" + +[daml] +format = "via [$symbol]($style)" + +[dart] +format = "via [$symbol]($style)" +symbol = " " + +[directory] +read_only = " " + +[deno] +format = "via [$symbol]($style)" + +[docker_context] +symbol = " " + +[dotnet] +format = "[$symbol(🎯 $tfm )]($style)" + +[elixir] +format = 'via [$symbol]($style)' +symbol = " " + +[elm] +format = 'via [$symbol]($style)' +symbol = " " + +[erlang] +format = 'via [$symbol]($style)' + +[fennel] +format = 'via [$symbol]($style)' + +[fossil_branch] +symbol = " " + +[git_branch] +symbol = " " + +[golang] +format = 'via [$symbol]($style)' +symbol = " " + +[gradle] +format = 'via [$symbol]($style)' + +[guix_shell] +symbol = " " + +[haskell] +symbol = " " + +[haxe] +format = 'via [$symbol]($style)' +symbol = "⌘ " + +[helm] +format = 'via [$symbol]($style)' + +[hg_branch] +symbol = " " + +[java] +symbol = " " + +[julia] +format = 'via [$symbol]($style)' +symbol = " " + +[kotlin] +format = 'via [$symbol]($style)' + +[lua] +format = 'via [$symbol]($style)' +symbol = " " + +[memory_usage] +symbol = " " + +[meson] +format = 'via [$symbol]($style)' +symbol = "喝 " + +[nim] +format = 'via [$symbol]($style)' +symbol = " " + +[nix_shell] +symbol = " " + +[nodejs] +format = 'via [$symbol]($style)' +symbol = " " + +[ocaml] +format = 'via [$symbol(\($switch_indicator$switch_name\) )]($style)' + +[opa] +format = 'via [$symbol]($style)' + +[os.symbols] +Alpine = " " +Amazon = " " +Android = " " +Arch = " " +CentOS = " " +Debian = " " +DragonFly = " " +Emscripten = " " +EndeavourOS = " " +Fedora = " " +FreeBSD = " " +Garuda = " " +Gentoo = " " +HardenedBSD = "ﲊ " +Illumos = " " +Linux = " " +Macos = " " +Manjaro = " " +Mariner = " 
" +MidnightBSD = " " +Mint = " " +NetBSD = " " +NixOS = " " +OpenBSD = " " +openSUSE = " " +OracleLinux = " " +Pop = " " +Raspbian = " " +Redhat = " " +RedHatEnterprise = " " +Redox = " " +Solus = "ﴱ " +SUSE = " " +Ubuntu = " " +Unknown = " " +Windows = " " + +[package] +symbol = " " + +[perl] +format = 'via [$symbol]($style)' + +[php] +format = 'via [$symbol]($style)' + +[pijul_channel] +symbol = "🪺 " + +[pulumi] +format = 'via [$symbol$stack]($style)' + +[purescript] +format = 'via [$symbol]($style)' + +[python] +format = 'via [$symbol]($style)' +symbol = " " + +[raku] +format = 'via [$symbol]($style)' + +[red] +format = 'via [$symbol]($style)' + +[rlang] +format = 'via [$symbol]($style)' +symbol = "ﳒ " + +[ruby] +format = 'via [$symbol]($style)' +symbol = " " + +[rust] +format = 'via [$symbol]($style)' +symbol = " " + +[scala] +symbol = " " + +[spack] +symbol = "🅢 " + +[swift] +format = 'via [$symbol]($style)' + +[vagrant] +format = 'via [$symbol]($style)' + +[vlang] +format = 'via [$symbol]($style)' + +[zig] +format = 'via [$symbol]($style)' diff --git a/parts/users/seth/shell/zsh.nix b/parts/users/seth/shell/zsh.nix new file mode 100644 index 0000000..23d5813 --- /dev/null +++ b/parts/users/seth/shell/zsh.nix 
@@ -0,0 +1,114 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ programs.zsh = {
+ enable = true;
+ enableAutosuggestions = true;
+
+ completionInit = ''
+ autoload -Uz bashcompinit compinit
+ local zdump="${config.xdg.cacheHome}/zsh/zdump"
+ bashcompinit
+ compinit -d "$zdump"
+ if [[ ! "$zdump.zwc" -nt "$zdump" ]]
+ then
+ zcompile "$zdump"
+ fi
+ unset zdump
+ '';
+
+ defaultKeymap = "emacs";
+ dotDir = ".config/zsh";
+
+ initExtra = ''
+ if [[ -r "$XDG_CACHE_HOME/p10k-instant-prompt-*.zsh" ]]; then
+ source "$XDG_CACHE_HOME/p10k-instant-prompt-*.zsh"
+ fi
+ autoload -Uz promptinit colors
+ promptinit
+ colors
+
+ nix-your-shell zsh | source /dev/stdin
+
+ zmodload zsh/zutil
+ zmodload zsh/complist
+ zstyle ":completion::*" group-name ""
+ zstyle ":completion:*" menu "select"
+ zstyle ":completion:*" squeeze-slashes "true"
+ zstyle ":completion::*" use-cache "true"
+ zstyle ":completion::*" cache-path "$zdump"
+
+ unsetopt beep
+ unsetopt hist_beep
+ unsetopt ignore_braces
+ unsetopt list_beep
+ setopt always_to_end
+ setopt prompt_subst
+ setopt share_history
+
+ # clear backbuffer with ctrl-l
+ function clear-screen-and-scrollback() {
+ echoti civis >"$TTY"
+ printf '%b' '\e[H\e[2J' >"$TTY"
+ zle .reset-prompt
+ zle -R
+ printf '%b' '\e[3J' >"$TTY"
+ echoti cnorm >"$TTY"
+ }
+
+ zle -N clear-screen-and-scrollback
+ bindkey '^L' clear-screen-and-scrollback
+
+ [[ ! -f ~/.config/zsh/.p10k.zsh ]] || source ~/.config/zsh/.p10k.zsh
+ '';
+
+ history = {
+ expireDuplicatesFirst = true;
+ path = "${config.xdg.stateHome}/zsh/zsh_history";
+ save = 1000;
+ size = 100;
+ };
+
+ plugins = [
+ {
+ name = "cattppuccin-zsh-syntax-highlighting";
+ src = pkgs.fetchFromGitHub {
+ owner = "catppuccin";
+ repo = "zsh-syntax-highlighting";
+ rev = "06d519c20798f0ebe275fc3a8101841faaeee8ea";
+ sha256 = "sha256-Q7KmwUd9fblprL55W0Sf4g7lRcemnhjh4/v+TacJSfo=";
+ };
+
+ file = "themes/catppuccin_mocha-zsh-syntax-highlighting.zsh";
+ }
+
+ {
+ name = "nix-zsh-completions";
+ src = pkgs.nix-zsh-completions;
+ file = "share/zsh/plugins/nix/nix-zsh-completions.plugin.zsh";
+ }
+
+ {
+ name = "powerlevel10k";
+ src = pkgs.zsh-powerlevel10k;
+ file = "share/zsh-powerlevel10k/powerlevel10k.zsh-theme";
+ }
+
+ {
+ name = "zsh-autopair";
+ src = pkgs.zsh-autopair;
+ file = "share/zsh/zsh-autopair/autopair.zsh";
+ }
+
+ {
+ name = "zsh-completions";
+ src = pkgs.zsh-completions;
+ file = "share/zsh-completions/zsh-completions.plugin.zsh";
+ }
+ ];
+
+ enableSyntaxHighlighting = true;
+ };
+}
diff --git a/parts/users/seth/system.nix b/parts/users/seth/system.nix
new file mode 100644
index 0000000..f3957c7
--- /dev/null
+++ b/parts/users/seth/system.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ users.users.seth = let
+ inherit (pkgs.stdenv.hostPlatform) isLinux isDarwin;
+ in
+ lib.recursiveUpdate
+ {
+ shell = pkgs.fish;
+ home =
+ if isDarwin
+ then "/Users/seth"
+ else "/home/seth";
+ }
+ (lib.optionalAttrs isLinux {
+ extraGroups = ["wheel"];
+ isNormalUser = true;
+ hashedPasswordFile = config.age.secrets.sethPassword.path;
+ });
+
+ programs.fish.enable = true;
+
+ home-manager.users.seth = {
+ imports = [./.];
+ nixpkgs.overlays = config.nixpkgs.overlays;
+ };
+}
 |
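Review bot: `zstyle ":completion::*" cache-path "$zdump"` in `initExtra` expands to an empty string, because `zdump` is declared in `completionInit` and explicitly `unset` at the end of that block, so the completion cache is written wherever zsh falls back to for an empty path rather than under the cache directory; since cache-path should be a directory rather than the compdump file anyway, `zstyle ":completion::*" cache-path "${config.xdg.cacheHome}/zsh"` is the straightforward fix. A second defect in the same block: `[[ -r "$XDG_CACHE_HOME/p10k-instant-prompt-*.zsh" ]]` quotes the `*`, so no globbing occurs and the instant-prompt file is never sourced; the upstream form is `"${XDG_CACHE_HOME:-$HOME/.cache}/p10k-instant-prompt-${(%):-%n}.zsh"`, which inside a Nix `''` string must be written with `''${` so Nix does not try to interpolate it. Note also that the name `"cattppuccin-zsh-syntax-highlighting"` has a doubled `t`; harmless for a plugin name but worth fixing while here.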
