BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MacBook.local-2024-12-03-09-50-14

Browse Source
This commit is contained in:
Alexander Szczepanski
2024-12-03 09:50:14 +01:00
parent bacafcc0a8
commit e57e5c4f13
11 changed files with 308 additions and 276 deletions
Download Patch File Download Diff File Expand all files Collapse all files

286
configs/common-linux.nix Normal file
View File

@ -0,0 +1,286 @@
{
config,
pkgs,
lib,
inputs,
...
}: {
imports = [
../../configs/common.nix
];
boot = {
loader = {
efi.canTouchEfiVariables = true;
grub = {
enable = true;
device = "nodev";
efiSupport = true;
configurationLimit = 5;
enableCryptodisk = true;
useOSProber = true;
};
};
tmp = {
useTmpfs = lib.mkDefault true;
cleanOnBoot = true;
};
consoleLogLevel = 0;
kernel.sysctl = {"vm.max_map_count" = 262144;};
supportedFilesystems = ["ntfs" "btrfs"];
initrd = {
postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/mapper/lvm-root /mnt
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
#
# I suspect these are related to systemd-nspawn, but
# since I don't use it I'm not 100% sure.
# Anyhow, deleting these subvolumes hasn't resulted
# in any issues so far, except for fairly
# benign-looking errors from systemd-tmpfiles.
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
};
sops = {
defaultSopsFile = lib.mkDefault ../secrets/secrets.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true;
};
secrets = {
hashedPassword = {
neededForUsers = true;
sopsFile = ../secrets/secrets.yaml;
};
};
};
environment = {
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
ldso32 = null;
shells = with pkgs; [bashInteractive zsh];
systemPackages = with pkgs; [
btrfs-progs # utils for btrfs
nethogs
iotop
nmon
lm_sensors
hdparm
];
persistence."/persist" = {
directories = [
"/var/lib/nixos"
"/var/lib/tailscale"
"/var/lib/tuptime"
"/var/lib/vnstat"
];
files = [
"/etc/machine-id"
"/etc/NIXOS"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LANGUAGE = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
"de_DE/ISO-8859-1"
];
};
networking = {
nameservers = ["127.0.0.1"];
# If using dhcpcd:
dhcpcd.extraConfig = "nohook resolv.conf";
# If using NetworkManager:
networkmanager.dns = "none";
firewall = {
# Allow PMTU / DHCP
allowPing = true;
# Keep dmesg/journalctl -k output readable by NOT logging
# each refused connection on the open internet.
logRefusedConnections = false;
};
# useNetworkd = true;
};
nix = {
nixPath = ["nixpkgs=${inputs.nixpkgs-unstable}"];
channel.enable = false;
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
connect-timeout = 5;
log-lines = 25;
max-free = 3000 * 1024 * 1024;
min-free = 512 * 1024 * 1024;
builders-use-substitutes = true;
};
daemonCPUSchedPolicy = "batch";
daemonIOSchedClass = "idle";
daemonIOSchedPriority = 7;
};
programs = {
nh = {
enable = true;
clean = {
enable = true;
extraArgs = "--keep-since 14d";
};
flake = "/home/alex/nixos-config";
};
};
services = {
vnstat.enable = true;
tuptime.enable = true;
locate.enable = true;
tailscale.enable = true;
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = false;
KbdInteractiveAuthentication = false;
UseDns = false;
# unbind gnupg sockets if they exists
StreamLocalBindUnlink = true;
# Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"sntrup761x25519-sha512@openssh.com"
];
};
openFirewall = true;
};
dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
# server_names = [ ... ];
};
};
journald = {extraConfig = "SystemMaxUse=500M";};
};
# The notion of "online" is a broken concept
# https://github.com/systemd/systemd/blob/e1b45a756f71deac8c1aa9a008bd0dab47f64777/NEWS#L13
systemd = {
services.NetworkManager-wait-online.enable = false;
network.wait-online.enable = false;
# FIXME: Maybe upstream?
# Do not take down the network for too long when upgrading,
# This also prevents failures of services that are restarted instead of stopped.
# It will use `systemctl restart` rather than stopping it with `systemctl stop`
# followed by a delayed `systemctl start`.
services.systemd-networkd.stopIfChanged = false;
# Services that are only restarted might be not able to resolve when resolved is stopped before
# services.systemd-resolved.stopIfChanged = false;
services.nix-gc.serviceConfig = {
CPUSchedulingPolicy = "batch";
IOSchedulingClass = "idle";
IOSchedulingPriority = 7;
};
services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
# default is something like vt220... however we want to get alt least some colors...
# services."serial-getty@".environment.TERM = "xterm-256color";
};
system.activationScripts.update-diff = {
supportsDryActivation = true;
text = ''
if [[ -e /run/current-system ]]; then
echo "--- diff to current-system"
${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
echo "---"
fi
'';
};
# Turn off sudo lecture
security = {
sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
};
}

271
configs/common.nix
View File

@ -11,95 +11,10 @@
}; };
}; };
boot = {
loader = {
efi.canTouchEfiVariables = true;
grub = {
enable = true;
device = "nodev";
efiSupport = true;
configurationLimit = 5;
enableCryptodisk = true;
useOSProber = true;
};
};
tmp = {
useTmpfs = lib.mkDefault true;
cleanOnBoot = true;
};
consoleLogLevel = 0;
kernel.sysctl = {"vm.max_map_count" = 262144;};
supportedFilesystems = ["ntfs" "btrfs"];
initrd = {
postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/mapper/lvm-root /mnt
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
#
# I suspect these are related to systemd-nspawn, but
# since I don't use it I'm not 100% sure.
# Anyhow, deleting these subvolumes hasn't resulted
# in any issues so far, except for fairly
# benign-looking errors from systemd-tmpfiles.
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
};
sops = {
defaultSopsFile = lib.mkDefault ../secrets/secrets.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true;
};
secrets = {
hashedPassword = {
neededForUsers = true;
sopsFile = ../secrets/secrets.yaml;
};
};
};
environment = { environment = {
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
ldso32 = null;
shells = with pkgs; [bashInteractive zsh];
systemPackages = with pkgs; [ systemPackages = with pkgs; [
borgbackup borgbackup
btrfs-progs # utils for btrfs # btrfs-progs # utils for btrfs
doggo # DNS Resolver doggo # DNS Resolver
du-dust du-dust
ncdu ncdu
@ -117,16 +32,14 @@
btop btop
htop htop
glances glances
nethogs
iotop
nmap nmap
nmon
bandwhich bandwhich
lsof lsof
lm_sensors
gping
gnupg gnupg
hdparm # hdparm
inxi # hardware list inxi # hardware list
kitty.terminfo kitty.terminfo
@ -142,7 +55,7 @@
pciutils pciutils
progress progress
unixtools.xxd unixtools.xxd
usbutils # usbutils
wget wget
broot broot
@ -161,85 +74,9 @@
man-pages man-pages
man-pages-posix man-pages-posix
]; ];
persistence."/persist" = {
directories = [
"/var/lib/nixos"
"/var/lib/tailscale"
"/var/lib/tuptime"
"/var/lib/vnstat"
];
files = [
"/etc/machine-id"
"/etc/NIXOS"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LANGUAGE = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
"de_DE/ISO-8859-1"
];
};
networking = {
nameservers = ["127.0.0.1"];
# If using dhcpcd:
dhcpcd.extraConfig = "nohook resolv.conf";
# If using NetworkManager:
networkmanager.dns = "none";
firewall = {
# Allow PMTU / DHCP
allowPing = true;
# Keep dmesg/journalctl -k output readable by NOT logging
# each refused connection on the open internet.
logRefusedConnections = false;
};
# useNetworkd = true;
};
nix = {
nixPath = ["nixpkgs=${inputs.nixpkgs-unstable}"];
channel.enable = false;
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
connect-timeout = 5;
log-lines = 25;
max-free = 3000 * 1024 * 1024;
min-free = 512 * 1024 * 1024;
builders-use-substitutes = true;
};
daemonCPUSchedPolicy = "batch";
daemonIOSchedClass = "idle";
daemonIOSchedPriority = 7;
}; };
programs = { programs = {
nh = {
enable = true;
clean = {
enable = true;
extraArgs = "--keep-since 14d";
};
flake = "/home/alex/nixos-config";
};
ssh.knownHosts = { ssh.knownHosts = {
"github.com" = { "github.com" = {
hostNames = ["github.com"]; hostNames = ["github.com"];
@ -272,102 +109,4 @@
}; };
}; };
}; };
services = {
vnstat.enable = true;
tuptime.enable = true;
locate.enable = true;
tailscale.enable = true;
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = false;
KbdInteractiveAuthentication = false;
UseDns = false;
# unbind gnupg sockets if they exists
StreamLocalBindUnlink = true;
# Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"sntrup761x25519-sha512@openssh.com"
];
};
openFirewall = true;
};
dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
# server_names = [ ... ];
};
};
journald = {extraConfig = "SystemMaxUse=500M";};
};
# The notion of "online" is a broken concept
# https://github.com/systemd/systemd/blob/e1b45a756f71deac8c1aa9a008bd0dab47f64777/NEWS#L13
systemd = {
services.NetworkManager-wait-online.enable = false;
network.wait-online.enable = false;
# FIXME: Maybe upstream?
# Do not take down the network for too long when upgrading,
# This also prevents failures of services that are restarted instead of stopped.
# It will use `systemctl restart` rather than stopping it with `systemctl stop`
# followed by a delayed `systemctl start`.
services.systemd-networkd.stopIfChanged = false;
# Services that are only restarted might be not able to resolve when resolved is stopped before
# services.systemd-resolved.stopIfChanged = false;
services.nix-gc.serviceConfig = {
CPUSchedulingPolicy = "batch";
IOSchedulingClass = "idle";
IOSchedulingPriority = 7;
};
services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
# default is something like vt220... however we want to get alt least some colors...
# services."serial-getty@".environment.TERM = "xterm-256color";
};
system.activationScripts.update-diff = {
supportsDryActivation = true;
text = ''
if [[ -e /run/current-system ]]; then
echo "--- diff to current-system"
${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
echo "---"
fi
'';
};
# Turn off sudo lecture
security = {
sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
};
} }

2
configs/develop.nix
View File

@ -7,7 +7,7 @@
insomnia insomnia
meld meld
#rust # rust
cargo cargo
nodejs nodejs

0
configs/home.nix Normal file
View File

2
machine/desktop/configuration.nix
View File

@ -10,7 +10,7 @@ in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../configs/browser.nix ../../configs/browser.nix
../../configs/common.nix ../../configs/common-linux.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/games.nix ../../configs/games.nix
../../configs/develop.nix ../../configs/develop.nix

2
machine/framework/configuration.nix
View File

@ -11,7 +11,7 @@ in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../configs/browser.nix ../../configs/browser.nix
../../configs/common.nix ../../configs/common-linux.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/games.nix ../../configs/games.nix
../../configs/virtualization.nix ../../configs/virtualization.nix

11
machine/macbook/configuration.nix
View File

@ -8,16 +8,23 @@
}: { }: {
nixpkgs.hostPlatform = "aarch64-darwin"; nixpkgs.hostPlatform = "aarch64-darwin";
imports = [
../../configs/common.nix
];
system.defaults = { system.defaults = {
dock.autohide = true; dock.autohide = true;
dock.mru-spaces = false; dock.mru-spaces = false;
# finder.AppleShowAllExtensions = true; # finder.AppleShowAllExtensions = true;
# finder.FXPreferredViewStyle = "clmv"; # finder.FXPreferredViewStyle = "clmv";
screencapture.location = "~/Pictures/screenshots"; # screencapture.location = "~/Pictures/screenshots";
screensaver.askForPasswordDelay = 10; screensaver.askForPasswordDelay = 10;
}; };
services.nix-daemon.enable = true; services = {
nix-daemon.enable = true;
};
nix.settings.experimental-features = "nix-command flakes"; nix.settings.experimental-features = "nix-command flakes";
nix = { nix = {

2
machine/mini/configuration.nix
View File

@ -8,7 +8,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/common.nix ../../configs/common-linux.nix
../../configs/user.nix ../../configs/user.nix
]; ];

2
machine/nixos-virtualbox/configuration.nix
View File

@ -7,7 +7,7 @@
}: { }: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../configs/common.nix ../../configs/common-linux.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/user.nix ../../configs/user.nix
]; ];

2
machine/nixos-vm/configuration.nix
View File

@ -16,7 +16,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../configs/common.nix ../../configs/common-linux.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/plasma.nix ../../configs/plasma.nix
../../configs/user.nix ../../configs/user.nix

2
machine/vps-arm/configuration.nix
View File

@ -11,7 +11,7 @@
in { in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../configs/common.nix ../../configs/common-linux.nix
../../configs/docker.nix ../../configs/docker.nix
../../configs/user.nix ../../configs/user.nix