No commits in common. "528a813b937223d4a3ace2ac8f929fe45b785ca7" and "5dafbc3a24a3f95529505ed9a47579b1c69faa8b" have entirely different histories.
528a813b93
...
5dafbc3a24
|
@ -1,7 +1,7 @@
|
||||||
{ config, lib, pkgs, outputs, configLib, ... }:
|
{ config, lib, pkgs, outputs, configLib, ... }:
|
||||||
{
|
{
|
||||||
imports = (configLib.scanPaths ./.)
|
imports = (configLib.scanPaths ./.)
|
||||||
++ (builtins.attrValues outputs.homeManagerModules);# ++ [{ name = "geteduroam-cli"; src = "${pkgs.geteduroam}/result/bin/geteduroam-cli";}];
|
++ (builtins.attrValues outputs.homeManagerModules);
|
||||||
|
|
||||||
services.ssh-agent.enable = true;
|
services.ssh-agent.enable = true;
|
||||||
|
|
||||||
|
@ -39,13 +39,12 @@
|
||||||
pciutils# pci bus info + conns. to them
|
pciutils# pci bus info + conns. to them
|
||||||
coreutils# basic gnu utils
|
coreutils# basic gnu utils
|
||||||
usbutils
|
usbutils
|
||||||
ntfs3g# NTFS fs
|
ntfs3g # NTFS fs
|
||||||
bluez# Official Linux Bluetooth protocol stack
|
pmutils # power management https://pm-utils.freedesktop.org/wiki/
|
||||||
pmutils# power management https://pm-utils.freedesktop.org/wiki/
|
|
||||||
|
|
||||||
wireshark
|
wireshark
|
||||||
nmap
|
nmap
|
||||||
#TODO:how to import my own pkgs{ name = "geteduroam-cli"; src = "${pkgs.geteduroam}/result/bin/geteduroam-cli"}
|
|
||||||
mosh# mobile shell
|
mosh# mobile shell
|
||||||
# curl
|
# curl
|
||||||
ripgrep# better grep
|
ripgrep# better grep
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
programs.firejail = {
|
||||||
|
enable = true;
|
||||||
|
wrappedBinaries = {
|
||||||
|
librewolf = {
|
||||||
|
executable = "${pkgs.librewolf}/bin/librewolf";
|
||||||
|
profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
|
||||||
|
extraArgs = [
|
||||||
|
# Required for U2F USB stick
|
||||||
|
"--ignore=private-dev"
|
||||||
|
# Enforce dark mode
|
||||||
|
"--env=GTK_THEME=Adwaita:dark"
|
||||||
|
# Enable system notifications
|
||||||
|
"--dbus-user.talk=org.freedesktop.Notifications"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
signal-desktop = {
|
||||||
|
# Enable tray icon otherwise Signal window might be hidden
|
||||||
|
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
|
||||||
|
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
||||||
|
extraArgs = [
|
||||||
|
# Enforce dark mode
|
||||||
|
"--env=GTK_THEME=Adwaita:dark"
|
||||||
|
#TODO: Enable Wayland mode
|
||||||
|
#"--env=NIXOS_OZONE_WL=1"
|
||||||
|
# Allow tray icon (should be upstreamed into signal-desktop.profile)
|
||||||
|
"--dbus-user.talk=org.kde.StatusNotifierWatcher"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
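Review bot: `"--ignore=private-dev"` (L153) turns off the `private-dev` directive of the librewolf profile, so the browser sandbox sees the host's full `/dev` instead of firejail's minimal device set; the comment records the reason (U2F) but not the cost, and the same override is not applied to signal-desktop, so the difference in exposure between the two wrappers is worth stating. I would extend the comment to `# Required for U2F USB stick; NOTE this exposes all of /dev (not only the token) to the sandbox`, and check whether the firejail version in use already passes the relevant hidraw devices through `private-dev`, in which case the override can be dropped. The signal-desktop `executable` string (L189) embeds `--use-tray-icon` in what the option documents as a path; it works only because the NixOS wrapper splices the value into a shell `exec` line, so a comment noting that dependency, `# argument is kept in the executable string; relies on the wrapper passing it through a shell`, would save the next reader a surprise.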
@ -6,7 +6,7 @@
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
pkgs.noto-fonts
|
pkgs.noto-fonts
|
||||||
# pkgs.nerdfonts # => loads the complete collection.
|
# pkgs.nerdfonts # => loads the complete collection.
|
||||||
(nerdfonts.override { fonts = [ "FiraCode" "GeistMono" "SourceCodePro" "DroidSansMono" "Meslo"]; })
|
(nerdfonts.override { fonts = [ "FiraCode" "GeistMono" "SourceCodePro" "DroidSansMono"]; })
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,5 @@
|
||||||
inherit (pkgs)
|
inherit (pkgs)
|
||||||
# Here go packages without my configs
|
# Here go packages without my configs
|
||||||
#!Remember to comment without space after package
|
#!Remember to comment without space after package
|
||||||
;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
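Review bot: The new side drops the terminating `;` of the `inherit (pkgs)` binding (the `;` line at L304 has no counterpart on the new side, and the hunk counts 6 → 5 confirm it is a removal), which leaves `home.packages = builtins.attrValues { inherit (pkgs) ... }` with an unterminated `inherit` and makes the file fail to parse. The section at L321–L361 makes the same change in the other direction of spelling (`inherit (pkgs);` → `inherit (pkgs)`) and has the same problem, assuming the page's old-then-new order holds there. Until a package is actually listed, keep `inherit (pkgs);`, or follow the convention used in the L412–L451 section where the last package name carries the semicolon (`fwupd;`). The `#!Remember to comment without space after package` note suggests the author intends the latter; an empty list still needs the `;`.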
@ -3,7 +3,7 @@
|
||||||
imports = (configLib.scanPaths ./.)
|
imports = (configLib.scanPaths ./.)
|
||||||
++ (builtins.attrValues outputs.homeManagerModules);
|
++ (builtins.attrValues outputs.homeManagerModules);
|
||||||
home.packages = builtins.attrValues {
|
home.packages = builtins.attrValues {
|
||||||
inherit (pkgs);
|
inherit (pkgs)
|
||||||
# Here go packages without my configs
|
# Here go packages without my configs
|
||||||
#!Remember to comment without space after package
|
#!Remember to comment without space after package
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
{ pkgs, ... }: {
|
|
||||||
programs.bluez = {
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
systemd.user.services.mpris-proxy = {
|
|
||||||
description = "Mpris proxy";
|
|
||||||
after = [ "network.target" "sound.target" ];
|
|
||||||
wantedBy = [ "default.target" ];
|
|
||||||
serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
inherit (pkgs)
|
inherit (pkgs)
|
||||||
# Here go packages without my configs
|
# Here go packages without my configs
|
||||||
# !Remember to comment without space after package
|
# !Remember to comment without space after package
|
||||||
keepassxc
|
|
||||||
fwupd; # firmware updater default on KDE
|
fwupd; # firmware updater default on KDE
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,40 +0,0 @@
|
||||||
# home level sops. see hosts/common/optional/sops.nix for hosts level
|
|
||||||
# TODO should I split secrets.yaml into a home level and a hosts level or move to a single sops.nix entirely?
|
|
||||||
|
|
||||||
{ inputs, config, ... }:
|
|
||||||
let
|
|
||||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
|
||||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
|
||||||
homeDirectory = config.home.homeDirectory;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
inputs.sops-nix.homeManagerModules.sops
|
|
||||||
];
|
|
||||||
|
|
||||||
sops = {
|
|
||||||
# This is the location of the host specific age-key for ta and will to have been extracted to this location via hosts/common/core/sops.nix on the host
|
|
||||||
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
|
|
||||||
|
|
||||||
defaultSopsFile = "${secretsFile}";
|
|
||||||
validateSopsFiles = false;
|
|
||||||
|
|
||||||
secrets = {
|
|
||||||
"ssh_keys/stanislav" = {
|
|
||||||
path = "${homeDirectory}/.ssh/id_stanislav";
|
|
||||||
};
|
|
||||||
"ssh_keys/vladislav" = {
|
|
||||||
path = "${homeDirectory}/.ssh/id_vladislav";
|
|
||||||
};
|
|
||||||
"ssh_keys/rostislav" = {
|
|
||||||
path = "${homeDirectory}/.ssh/id_rostislav";
|
|
||||||
};
|
|
||||||
"ssh_keys/borislav" = {
|
|
||||||
path = "${homeDirectory}/.ssh/id_borislav";
|
|
||||||
};
|
|
||||||
"ssh_keys/radoslav" = {
|
|
||||||
path = "${homeDirectory}/.ssh/id_radoslav";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ inputs, configVars, configLib, ... }:
|
{ inputs, configVars, configLib, ... }:
|
||||||
#map with prefix to refactor
|
#map with prefix to refactor
|
||||||
let
|
let
|
||||||
optionals = (configLib.mapPathsToPrefix { prefix = common/optional; list = [ /system /internet /comms /utilities /dev /office ];});
|
optionals = (configLib.mapPathsToPrefix { prefix = common/optional; list = [ /system /internet /comms /utilities /dev/foot.nix /office ];});
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
{ configVars, ... }:
|
|
||||||
{
|
|
||||||
networking.firewall = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ inputs, outputs, configLib, ... }:
|
{ configLib, ... }:
|
||||||
{
|
{
|
||||||
imports = (configLib.scanPaths ./.);
|
import = (configLib.scanPaths ./.);
|
||||||
}
|
}
|
||||||
|
|
|
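Review bot: `imports` is misspelled as `import` on the new side (L697, assuming the page's old-then-new order), and `import` is not a module-system keyword: the module system will treat it as a config definition for a non-existent option and abort evaluation with "The option `import' does not exist", so nothing under `./.` gets imported. Restore `imports = (configLib.scanPaths ./.);`. Dropping `inputs` and `outputs` from the argument set is fine since the body no longer references them.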
@ -1,8 +1,7 @@
|
||||||
# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
|
# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
{
|
||||||
services.fail2ban = {
|
services.fail2ban = {
|
||||||
enable = false;
|
enable = true;
|
||||||
ignoreIP = [
|
ignoreIP = [
|
||||||
"192.168.1.0/24"
|
"192.168.1.0/24"
|
||||||
];
|
];
|
||||||
|
@ -11,36 +10,35 @@
|
||||||
banaction = "iptables-ipset-proto6-allports";
|
banaction = "iptables-ipset-proto6-allports";
|
||||||
|
|
||||||
|
|
||||||
jails = {
|
jails = {
|
||||||
|
|
||||||
# max 6 failures in 600 seconds
|
# max 6 failures in 600 seconds
|
||||||
"nginx-spam" = ''
|
"nginx-spam" = ''
|
||||||
enabled = true
|
enabled = true
|
||||||
filter = nginx-bruteforce
|
filter = nginx-bruteforce
|
||||||
logpath = /var/log/nginx/access.log
|
logpath = /var/log/nginx/access.log
|
||||||
backend = auto
|
backend = auto
|
||||||
maxretry = 6
|
maxretry = 6
|
||||||
findtime = 600
|
findtime = 600
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# max 3 failures in 600 seconds
|
# max 3 failures in 600 seconds
|
||||||
"postfix-bruteforce" = ''
|
"postfix-bruteforce" = ''
|
||||||
enabled = true
|
enabled = true
|
||||||
filter = postfix-bruteforce
|
filter = postfix-bruteforce
|
||||||
findtime = 600
|
findtime = 600
|
||||||
maxretry = 3
|
maxretry = 3
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# max 10 failures in 600 seconds
|
# max 10 failures in 600 seconds
|
||||||
"molly" = ''
|
"molly" = ''
|
||||||
enabled = true
|
enabled = true
|
||||||
filter = molly
|
filter = molly
|
||||||
findtime = 600
|
findtime = 600
|
||||||
maxretry = 10
|
maxretry = 10
|
||||||
logpath = /var/log/molly-brown/access.log
|
logpath = /var/log/molly-brown/access.log
|
||||||
backend = auto
|
backend = auto
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
};
|
};
|
||||||
environment.etc = {
|
environment.etc = {
|
||||||
"fail2ban/filter.d/molly.conf".text = ''
|
"fail2ban/filter.d/molly.conf".text = ''
|
||||||
|
@ -60,5 +58,7 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
|
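Review bot: In the second hunk the new side appears to lose one of the two `};` lines that closed `jails` and `services.fail2ban` (L904 has no new-side counterpart) while the third hunk only moves the final `}` down past blank lines, so the new file looks one closing `};` short: `environment.etc` would end up nested inside `services.fail2ban` and the file would not parse; please count the braces against the old side before merging. Since this commit also flips `enable` from `false` to `true`, the jails now become live: `nginx-spam` and `postfix-bruteforce` reference filters `nginx-bruteforce` and `postfix-bruteforce` that are not defined in this file (only `fail2ban/filter.d/molly.conf` is), so confirm they exist in fail2ban's filter.d or the service will refuse those jails at start. Removing the `{ pkgs, ... }:` header is fine as long as nothing in the file uses `pkgs`.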
@ -1,34 +1,2 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{ }
|
||||||
programs.firejail = {
|
|
||||||
enable = true;
|
|
||||||
wrappedBinaries = {
|
|
||||||
librewolf = {
|
|
||||||
executable = "${pkgs.librewolf}/bin/librewolf";
|
|
||||||
profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
|
|
||||||
extraArgs = [
|
|
||||||
# Required for U2F USB stick
|
|
||||||
"--ignore=private-dev"
|
|
||||||
# Enforce dark mode
|
|
||||||
"--env=GTK_THEME=Adwaita:dark"
|
|
||||||
# Enable system notifications
|
|
||||||
"--dbus-user.talk=org.freedesktop.Notifications"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
signal-desktop = {
|
|
||||||
# Enable tray icon otherwise Signal window might be hidden
|
|
||||||
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
|
|
||||||
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
|
||||||
extraArgs = [
|
|
||||||
# Enforce dark mode
|
|
||||||
"--env=GTK_THEME=Adwaita:dark"
|
|
||||||
#TODO: Enable Wayland mode
|
|
||||||
#"--env=NIXOS_OZONE_WL=1"
|
|
||||||
# Allow tray icon (should be upstreamed into signal-desktop.profile)
|
|
||||||
"--dbus-user.talk=org.kde.StatusNotifierWatcher"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
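Review bot: The file is reduced to `{ pkgs, ... }: { }` rather than deleted, leaving a stub module with an unused `pkgs` argument; the firejail configuration it held appears, from the `@ -0,0 +1,34` section earlier on this page, to have been recreated in a new file. If this directory is picked up by `configLib.scanPaths`, the stub is harmless but misleading to anyone looking for where the sandbox wrappers live. Either delete the file or make the body explain itself, e.g. `{ }` preceded by `# intentionally empty: firejail wrappers moved to <new module path>`.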
@ -1,69 +0,0 @@
|
||||||
# hosts level sops. see home/[user]/common/optional/sops.nix for home/user level
|
|
||||||
|
|
||||||
{ pkgs, inputs, config, configVars, ... }:
|
|
||||||
let
|
|
||||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
|
||||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
|
||||||
|
|
||||||
homeDirectory = "/home/${configVars.username}";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
inputs.sops-nix.nixosModules.sops
|
|
||||||
];
|
|
||||||
|
|
||||||
sops = {
|
|
||||||
defaultSopsFile = "${secretsFile}";
|
|
||||||
validateSopsFiles = false;
|
|
||||||
|
|
||||||
age = {
|
|
||||||
# automatically import host SSH keys as age keys
|
|
||||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# secrets will be output to /run/secrets
|
|
||||||
# e.g. /run/secrets/msmtp-password
|
|
||||||
# secrets required for user creation are handled in respective ./users/<username>.nix files
|
|
||||||
# because they will be output to /run/secrets-for-users and only when the user is assigned to a host.
|
|
||||||
secrets = {
|
|
||||||
# For home-manager a separate age key is used to decrypt secrets and must be placed onto the host. This is because
|
|
||||||
# the user doesn't have read permission for the ssh service private key. However, we can bootstrap the age key from
|
|
||||||
# the secrets decrypted by the host key, which allows home-manager secrets to work without manually copying over
|
|
||||||
# the age key.
|
|
||||||
# These age keys are are unique for the user on each host and are generated on their own (i.e. they are not derived
|
|
||||||
# from an ssh key).
|
|
||||||
"user_age_keys/${configVars.username}_${config.networking.hostName}" = {
|
|
||||||
owner = config.users.users.${configVars.username}.name;
|
|
||||||
inherit (config.users.users.${configVars.username}) group;
|
|
||||||
# We need to ensure the entire directory structure is that of the user...
|
|
||||||
path = "${homeDirectory}/.config/sops/age/keys.txt";
|
|
||||||
};
|
|
||||||
|
|
||||||
# extract username/password to /run/secrets-for-users/ so it can be used to create the user
|
|
||||||
"${configVars.username}/password".neededForUsers = true;
|
|
||||||
|
|
||||||
#FIXME move to mstmp.nix and also have host and address being assigned to configVars as per fidgetingbits
|
|
||||||
msmtp-host = { };
|
|
||||||
msmtp-address = { };
|
|
||||||
msmtp-password = { };
|
|
||||||
|
|
||||||
# extract to default pam-u2f authfile location for passwordless sudo. see ../optional/yubikey
|
|
||||||
"yubico/u2f_keys" = {
|
|
||||||
path = "/home/${configVars.username}/.config/Yubico/u2f_keys";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
# The containing folders are created as root and if this is the first ~/.config/ entry,
|
|
||||||
# the ownership is busted and home-manager can't target because it can't write into .config...
|
|
||||||
# FIXME: We might not need this depending on how https://github.com/Mic92/sops-nix/issues/381 is fixed
|
|
||||||
system.activationScripts.sopsSetAgeKeyOwnwership =
|
|
||||||
let
|
|
||||||
ageFolder = "${homeDirectory}/.config/sops/age";
|
|
||||||
user = config.users.users.${configVars.username}.name;
|
|
||||||
group = config.users.users.${configVars.username}.group;
|
|
||||||
in
|
|
||||||
''
|
|
||||||
mkdir -p ${ageFolder} || true
|
|
||||||
chown -R ${user}:${group} ${homeDirectory}/.config
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -1,18 +1,17 @@
|
||||||
{
|
{
|
||||||
time.timeZone = "Europe/Amsterdam";
|
time.timeZone = "Europe/Paris";
|
||||||
i18n.defaultLocale = "en_GB.UTF-8";
|
i18n.defaultLocale = "en_GB.UTF-8";
|
||||||
|
|
||||||
i18n.extraLocaleSettings = {
|
i18n.extraLocaleSettings = {
|
||||||
LANGUAGE = "en_GB.UTF-8";
|
LC_MESSAGES = "de_DE.UTF-8";
|
||||||
LC_MESSAGES = "en_GB.UTF-8";
|
LC_ADDRESS = "de_DE.UTF-8";
|
||||||
LC_ADDRESS = "en_GB.UTF-8";
|
LC_IDENTIFICATION = "de_DE.UTF-8";
|
||||||
LC_IDENTIFICATION = "en_GB.UTF-8";
|
LC_MEASUREMENT = "de_DE.UTF-8";
|
||||||
LC_MEASUREMENT = "en_GB.UTF-8";
|
LC_MONETARY = "de_DE.UTF-8";
|
||||||
LC_MONETARY = "en_GB.UTF-8";
|
LC_NAME = "de_DE.UTF-8";
|
||||||
LC_NAME = "en_GB.UTF-8";
|
LC_NUMERIC = "de_DE.UTF-8";
|
||||||
LC_NUMERIC = "en_GB.UTF-8";
|
LC_PAPER = "de_DE.UTF-8";
|
||||||
LC_PAPER = "en_GB.UTF-8";
|
LC_TELEPHONE = "de_DE.UTF-8";
|
||||||
LC_TELEPHONE = "en_GB.UTF-8";
|
LC_TIME = "de_DE.UTF-8";
|
||||||
LC_TIME = "en_GB.UTF-8";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
# VLC media player
|
|
||||||
|
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
|
||||||
environment.systemPackages = [ pkgs.vlc ];
|
|
||||||
}
|
|
|
@ -69,13 +69,13 @@
|
||||||
hostName = "jeroboam";
|
hostName = "jeroboam";
|
||||||
# wireless.enable = true;
|
# wireless.enable = true;
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
enableIPv6 = true;
|
enableIPv6 = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# I devices
|
# I devices
|
||||||
iphone = {
|
iphone = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "laozi";
|
user = "Shenzhen";
|
||||||
};
|
};
|
||||||
|
|
||||||
# ================ HYPRLAND =================== #
|
# ================ HYPRLAND =================== #
|
||||||
|
@ -151,7 +151,7 @@
|
||||||
|
|
||||||
# Fix to enable VSCode to successfully remote SSH on a client to a NixOS host
|
# Fix to enable VSCode to successfully remote SSH on a client to a NixOS host
|
||||||
# https://nixos.wiki/wiki/Visual_Studio_Code # Remote_SSH
|
# https://nixos.wiki/wiki/Visual_Studio_Code # Remote_SSH
|
||||||
programs.nix-ld.enable = true;
|
# programs.nix-ld.enable = true;
|
||||||
|
|
||||||
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
|
|
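Review bot: Commenting out `programs.nix-ld.enable = true;` (L1576) leaves the two explanatory lines above it — the VSCode remote-SSH fix and the wiki link — describing a setting that is no longer active, so the comment block now documents nothing. Either remove the block or record why it is disabled on the line itself, e.g. `# programs.nix-ld.enable = true; # disabled: <reason>`. In the first hunk the `iphone.user` value changes from `laozi` to `Shenzhen`; if that option names a system account, verify one with that exact (capitalised) name exists on the host, since the old value looks like a login name and the new one does not.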