christoph/flake-nixinator
1
Fork 0
Code Activity
Files
4cbe9885b2be709a9954ccdc6b55b7eb6b60b77a
flake-nixinator/system/nixinator/default.nix

374 lines
11 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
lib,
mylib,
pkgs,
username,
config,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./disks.nix
# General services
../services/fileflows-node.nix
];
systemmodules = {
bootloader = {
# Secure boot
loader = "lanzaboote";
};
impermanence.enable = true;
network = {
useNetworkManager = true;
# Systemd-networkd configs
networks = let
# TODO: mylib.networking.mkStaticSystemdNetwork needs improvement to accomodate for this
mkConfig = name: routable: rec {
enable = true;
# See man systemd.link, man systemd.netdev, man systemd.network
matchConfig = {
# This corresponds to the [MATCH] section
Name = name; # Match ethernet interface
};
# Static IP + DNS + Gateway
address = ["192.168.86.50/24"];
gateway = ["192.168.86.5"]; # Don't add "fd00::5", rely on router advertisement instead
dns = ["129.168.86.26" "fd00::1a" "8.8.8.8" "8.8.4.4" "2001:4860:4860::8888" "2001:4860:4860::8844"];
routes = builtins.map (r: {Gateway = r;}) gateway;
# See man systemd.network
networkConfig = {
# This corresponds to the [NETWORK] section
DHCP = "no";
IPv6AcceptRA = "yes"; # Accept Router Advertisements
# MulticastDNS = "no";
# LLMNR = "no";
# LinkLocalAddressing = "ipv6";
};
addresses = [
{
# Don't add this to address, we don't want to create any routes with this
Address = "fd00::32/64"; # IPv6 Unique-Local Address (ULA)
}
];
linkConfig = {
# This corresponds to the [LINK] section
RequiredForOnline = routable;
};
};
in {
# "10-ether-2_5G" = mylib.networking.mkStaticSystemdNetwork {
# interface = "enp8s0";
# ips = ["192.168.86.50/24"];
# routers = ["192.168.86.5"];
# nameservers = ["192.168.86.26" "8.8.8.8"];
# routable = true;
# };
# "10-ether-1G" = mylib.networking.mkStaticSystemdNetwork {
# interface = "enp5s0";
# ips = ["192.168.86.50/24"];
# routers = ["192.168.86.5"];
# nameservers = ["192.168.86.26" "8.8.8.8"];
# routable = false;
# };
# This should override the default network 50-ether
"10-ether-1G" = mkConfig "enp5s0" "no";
"10-ether-2_5G" = mkConfig "enp8s0" "routable";
};
# NetworkManager profiles
# Run "nix run github:Janik-Haag/nm2nix | nix run github:kamadorueda/alejandra"
# in /etc/NetworkManager/system-connections/
profiles = {
"10-ether-2_5G" = mylib.networking.mkStaticNetworkManagerProfile {
id = "Wired 2.5G";
interface = "enp8s0";
ip = "192.168.86.50/24";
router = "192.168.86.5";
nameserver = "192.168.86.26;8.8.8.8;";
ip6 = "fd00::32/64";
router6 = "fd00::5";
nameserver6 = "2001:4860:4860::8888;2001:4860:4860::8844;";
priority = 10; # Rather connect to 2.5G than to 1G
};
"10-ether-1G" = mylib.networking.mkStaticNetworkManagerProfile {
id = "Wired 1G";
interface = "enp5s0";
ip = "192.168.86.50/24";
router = "192.168.86.5";
nameserver = "192.168.86.26;8.8.8.8;";
ip6 = "fd00::32/64";
router6 = "fd00::5";
nameserver6 = "2001:4860:4860::8888;2001:4860:4860::8844;";
};
};
allowedTCPPorts = [
1111 # FAIL*
# 4242 # Lan-Mouse
# 7777 # AvaTalk
# 12777 # AvaTalk
# 31431 # Parsec
5173 # SvelteKit
8090 # PocketBase
];
allowedUDPPorts = [
1111 # FAIL*
# 4242 # Lan-Mouse
# 7777 # AvaTalk
# 12777 # AvaTalk
# 31431 # Parsec
5173 # SvelteKit
8090 # PocketBase
];
};
sops-nix.secrets.${username} = [
"makemkv-app-key"
"restic-repo-key"
];
};
# NOTE: Sops needs the keys before impermanence kicks in
# so we have to link to /persist directly...
sops.age.keyFile = "/persist/home/${username}/.secrets/age/age.key";
sops.templates."makemkv-settings.conf" = {
owner = config.users.users.${username}.name;
content = ''
app_Key = "${config.sops.placeholder.makemkv-app-key}"
sdf_Stop = ""
'';
};
boot = {
# kernelPackages = pkgs.linuxPackages_zen;
# kernelPackages = pkgs.linuxPackages_latest;
# Why do I need to know if something fails during boot???
# consoleLogLevel = 3;
# initrd.verbose = false;
# initrd.systemd.enable = true;
kernelParams = [
# Doesn't work, there is only a single framebuffer,
# so the smallest monitor determines the size
# "video=DP-1:3440x1440"
# "video=DP-2:1920x1080"
# "quiet"
# "splash"
# "intremap=on"
# "boot.shell_on_fail"
# "udev.log_priority=3"
# "rd.systemd.show_status=auto"
];
# plymouth = {
# enable = false;
# font = "${pkgs.monolisa}/share/fonts/truetype/MonoLisa-AltPars-Straight.ttf";
# logo = "${pkgs.nixos-icons}/share/icons/hicolor/128x128/apps/nix-snowflake.png";
#
# theme = "colorful_sliced";
# themePackages = with pkgs; [
# # By default we would install all themes
# (adi1090x-plymouth-themes.override {
# selected_themes = ["colorful_sliced"];
# })
# ];
# };
};
# environment.systemPackages = with pkgs; [];
programs = {
ausweisapp = {
enable = true;
openFirewall = true; # Directly set port in firewall
};
ghidra = {
enable = true;
gdb = true;
};
};
services = {
btrfs.autoScrub = {
enable = true;
interval = "weekly";
fileSystems = ["/"];
};
# Temporarily ban IPs for SSH after failed login attempts
fail2ban = {
enable = true;
};
greetd = {
enable = false;
restart = false;
useTextGreeter = true;
settings = {
terminal.vt = 1;
default_session = {
# command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd $SHELL";
command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
user = "greeter";
};
};
};
kmscon = {
enable = false;
hwRender = true;
useXkbConfig = true;
# autologinUser = username;
fonts = [
{
name = "MonoLisa Alt Script";
package = pkgs.monolisa;
}
];
# NOTE: Do NOT use multline strings here!
# This will create a linebreak in the systemd service and break login!
extraOptions = "";
extraConfig = let
color = config.home-manager.users.${username}.homemodules.color;
in ''
# term=xterm-256color
font-size=14
mode=3440x1440
palette=custom
palette-black=0,0,0
pallette-white=255,255,255
palette-red=${color.rgbS.red}
palette-light-red=${color.rgbS.red}
palette-green=${color.rgbS.green}
palette-light-green=${color.rgbS.green}
palette-yellow=${color.rgbS.yellow}
palette-light-yellow=${color.rgbS.yellow}
palette-blue=${color.rgbS.blue}
palette-light-blue=${color.rgbS.blue}
palette-magenta=${color.rgbS.pink}
palette-light-magenta=${color.rgbS.pink}
palette-cyan=${color.rgbS.teal}
palette-light-cyan=${color.rgbS.teal}
palette-foreground=${color.rgbS.text}
palette-background=0,0,0
'';
};
openssh = {
ports = [5432];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
AllowUsers = [username];
LogLevel = "VERBOSE"; # For fail2ban
};
};
# Keep this as a system service because we're backing up /persist as root
# TODO: The repository gets corrupted all the time, maybe because the service runs before the repository is mounted?
# - Was this caused by the NFS "soft" option?
# - Might this be caused by the restic service being interrupted by shutdown/rebooting?
#
# restic.backups."synology" = {
# # user = "${username}"; # Keep default (root), so restic can read everything
#
# repository = "/home/${username}/Restic";
# initialize = true;
# passwordFile = config.sops.secrets.restic-repo-key.path;
# createWrapper = true;
#
# timerConfig = {
# OnCalendar = "daily";
# Persistent = true;
# RandomizedDelaySec = "5h";
# };
#
# runCheck = true;
# checkOpts = [
# "--with-cache"
# ];
#
# pruneOpts = [
# "--keep-daily 3"
# "--keep-weekly 2"
# # "--keep-monthly 0"
# # "--keep-yearly 0"
#
# "--prune" # Automatically remove dangling files not referenced by any snapshot
# "--repack-uncompressed"
# ];
#
# paths = ["/persist"];
# exclude = [
# # The backup is just supposed to allow a system restore
# "/persist/old_homes"
# "/persist/old_roots"
#
# # Those are synced by nextcloud, no need to backup them 50 times
# "/persist/home/${username}/Documents"
# "/persist/home/${username}/NixFlake"
# "/persist/home/${username}/Notes"
# "/persist/home/${username}/Projects"
# "/persist/home/${username}/Public"
#
# # Some more caches
# ".cache"
# "cache2" # firefox
# "Cache"
# ];
# extraBackupArgs = [
# "--exclude-caches" # Excludes marked cache directories
# "--one-file-system" # Only stay on /persist (in case symlinks lead elsewhere)
# "--cleanup-cache" # Auto remove old cache directories
# ];
# };
xserver = {
# Configure keymap in X11
xkb.layout = "us";
xkb.variant = "altgr-intl";
videoDrivers = ["nvidia"]; # NVIDIA
};
};
# The current system was installed on 22.05, do not change.
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}
View Git Blame Copy Permalink