No commits in common. "528a813b937223d4a3ace2ac8f929fe45b785ca7" and "5dafbc3a24a3f95529505ed9a47579b1c69faa8b" have entirely different histories.
@ -1,7 +1,7 @@
|
|||
{ config, lib, pkgs, outputs, configLib, ... }:
|
||||
{
|
||||
imports = (configLib.scanPaths ./.)
|
||||
++ (builtins.attrValues outputs.homeManagerModules);# ++ [{ name = "geteduroam-cli"; src = "${pkgs.geteduroam}/result/bin/geteduroam-cli";}];
|
||||
++ (builtins.attrValues outputs.homeManagerModules);
|
||||
|
||||
services.ssh-agent.enable = true;
|
||||
|
||||
|
@ -39,13 +39,12 @@
|
|||
pciutils# pci bus info + conns. to them
|
||||
coreutils# basic gnu utils
|
||||
usbutils
|
||||
ntfs3g# NTFS fs
|
||||
bluez# Official Linux Bluetooth protocol stack
|
||||
pmutils# power management https://pm-utils.freedesktop.org/wiki/
|
||||
ntfs3g # NTFS fs
|
||||
pmutils # power management https://pm-utils.freedesktop.org/wiki/
|
||||
|
||||
wireshark
|
||||
nmap
|
||||
#TODO:how to import my own pkgs{ name = "geteduroam-cli"; src = "${pkgs.geteduroam}/result/bin/geteduroam-cli"}
|
||||
|
||||
mosh# mobile shell
|
||||
# curl
|
||||
ripgrep# better grep
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
programs.firejail = {
|
||||
enable = true;
|
||||
wrappedBinaries = {
|
||||
librewolf = {
|
||||
executable = "${pkgs.librewolf}/bin/librewolf";
|
||||
profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
|
||||
extraArgs = [
|
||||
# Required for U2F USB stick
|
||||
"--ignore=private-dev"
|
||||
# Enforce dark mode
|
||||
"--env=GTK_THEME=Adwaita:dark"
|
||||
# Enable system notifications
|
||||
"--dbus-user.talk=org.freedesktop.Notifications"
|
||||
];
|
||||
};
|
||||
signal-desktop = {
|
||||
# Enable tray icon otherwise Signal window might be hidden
|
||||
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
|
||||
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
||||
extraArgs = [
|
||||
# Enforce dark mode
|
||||
"--env=GTK_THEME=Adwaita:dark"
|
||||
#TODO: Enable Wayland mode
|
||||
#"--env=NIXOS_OZONE_WL=1"
|
||||
# Allow tray icon (should be upstreamed into signal-desktop.profile)
|
||||
"--dbus-user.talk=org.kde.StatusNotifierWatcher"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
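Review bot: `programs.firejail` is a NixOS system-level option, and the neighbouring hunks in this tree (`outputs.homeManagerModules`, `home.packages`) suggest this new file is imported by home-manager; if so, evaluation stops on an unknown-option error, and because the identical wrappedBinaries block is removed from the host-level file in the later `@ -1,34 +1,2 @@` hunk (leaving `{ pkgs, ... }: { }`), librewolf and signal-desktop would end up running with no sandbox at all. Keep the block in a NixOS module, or confirm home-manager actually exposes this option before moving it. `--ignore=private-dev` removes the profile's /dev isolation for the whole browser, not only for the U2F token, so the comment should say so: `# Exposes all of /dev to the browser; needed for the U2F token, revisit if a narrower rule exists`. The signal-desktop `executable` embeds `--use-tray-icon` in the path string; whether the generated wrapper passes that through as an argument depends on how the module builds the wrapper script, so verify the binary launches after the move.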
@ -6,7 +6,7 @@
|
|||
home.packages = with pkgs; [
|
||||
pkgs.noto-fonts
|
||||
# pkgs.nerdfonts # => loads the complete collection.
|
||||
(nerdfonts.override { fonts = [ "FiraCode" "GeistMono" "SourceCodePro" "DroidSansMono" "Meslo"]; })
|
||||
(nerdfonts.override { fonts = [ "FiraCode" "GeistMono" "SourceCodePro" "DroidSansMono"]; })
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
@ -6,6 +6,5 @@
|
|||
inherit (pkgs)
|
||||
# Here go packages without my configs
|
||||
#!Remember to comment without space after package
|
||||
;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
imports = (configLib.scanPaths ./.)
|
||||
++ (builtins.attrValues outputs.homeManagerModules);
|
||||
home.packages = builtins.attrValues {
|
||||
inherit (pkgs);
|
||||
inherit (pkgs)
|
||||
# Here go packages without my configs
|
||||
#!Remember to comment without space after package
|
||||
};
|
||||
|
|
|
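Review bot: On the new side `inherit (pkgs)` is followed only by two comment lines and then `};`, so the inherit never gets its terminating `;` (the old side had `inherit (pkgs);`) and the file will no longer parse. The sibling hunk `@ -6,6 +6,5 @@` keeps a lone `;` line for the same construct; do the same here: `inherit (pkgs)` / `#!Remember to comment without space after package` / `;`. The old/new assignment is inferred from the page's old-then-new print order, so confirm against the raw diff.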
@ -1,12 +0,0 @@
|
|||
{ pkgs, ... }: {
|
||||
programs.bluez = {
|
||||
enable = true;
|
||||
};
|
||||
systemd.user.services.mpris-proxy = {
|
||||
description = "Mpris proxy";
|
||||
after = [ "network.target" "sound.target" ];
|
||||
wantedBy = [ "default.target" ];
|
||||
serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
|
||||
};
|
||||
}
|
||||
|
|
@ -7,7 +7,6 @@
|
|||
inherit (pkgs)
|
||||
# Here go packages without my configs
|
||||
# !Remember to comment without space after package
|
||||
keepassxc
|
||||
fwupd; # firmware updater default on KDE
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
# home level sops. see hosts/common/optional/sops.nix for hosts level
|
||||
# TODO should I split secrets.yaml into a home level and a hosts level or move to a single sops.nix entirely?
|
||||
|
||||
{ inputs, config, ... }:
|
||||
let
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
homeDirectory = config.home.homeDirectory;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
inputs.sops-nix.homeManagerModules.sops
|
||||
];
|
||||
|
||||
sops = {
|
||||
# This is the location of the host specific age-key for ta and will to have been extracted to this location via hosts/common/core/sops.nix on the host
|
||||
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
|
||||
|
||||
defaultSopsFile = "${secretsFile}";
|
||||
validateSopsFiles = false;
|
||||
|
||||
secrets = {
|
||||
"ssh_keys/stanislav" = {
|
||||
path = "${homeDirectory}/.ssh/id_stanislav";
|
||||
};
|
||||
"ssh_keys/vladislav" = {
|
||||
path = "${homeDirectory}/.ssh/id_vladislav";
|
||||
};
|
||||
"ssh_keys/rostislav" = {
|
||||
path = "${homeDirectory}/.ssh/id_rostislav";
|
||||
};
|
||||
"ssh_keys/borislav" = {
|
||||
path = "${homeDirectory}/.ssh/id_borislav";
|
||||
};
|
||||
"ssh_keys/radoslav" = {
|
||||
path = "${homeDirectory}/.ssh/id_radoslav";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
{ inputs, configVars, configLib, ... }:
|
||||
#map with prefix to refactor
|
||||
let
|
||||
optionals = (configLib.mapPathsToPrefix { prefix = common/optional; list = [ /system /internet /comms /utilities /dev /office ];});
|
||||
optionals = (configLib.mapPathsToPrefix { prefix = common/optional; list = [ /system /internet /comms /utilities /dev/foot.nix /office ];});
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
{ configVars, ... }:
|
||||
{
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
|
||||
};
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ inputs, outputs, configLib, ... }:
|
||||
{ configLib, ... }:
|
||||
{
|
||||
imports = (configLib.scanPaths ./.);
|
||||
import = (configLib.scanPaths ./.);
|
||||
}
|
||||
|
|
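Review bot: `import = (configLib.scanPaths ./.);` on the new side is not a module option — the attribute the module system reads is `imports` — so evaluation fails with an undefined-option error and none of the files scanned from this directory are loaded. Restore `imports = (configLib.scanPaths ./.);`. Dropping the unused `inputs, outputs` arguments is fine.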
|
@ -1,8 +1,7 @@
|
|||
# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
services.fail2ban = {
|
||||
enable = false;
|
||||
enable = true;
|
||||
ignoreIP = [
|
||||
"192.168.1.0/24"
|
||||
];
|
||||
|
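Review bot: Flipping `enable` to true activates the three jails in the following `@ -11,36 +10,35 @@` hunk, and two of them point at `logpath = /var/log/nginx/access.log` and `/var/log/molly-brown/access.log`; fail2ban refuses to start a jail whose log file is absent and the unit then fails, so unless every host importing this module runs nginx and molly-brown, gate the jails, e.g. `"nginx-spam" = lib.mkIf config.services.nginx.enable ''...'';` (which also means taking `config` and `lib` in the module arguments). The `nginx-spam` jail references `filter = nginx-bruteforce` while only a `molly.conf` filter is visible under `environment.etc`; if no `nginx-bruteforce.conf` is shipped by fail2ban or this config, that jail fails the same way. `ignoreIP = [ "192.168.1.0/24" ]` exempts the whole LAN from banning, which deserves a one-line comment stating it is intentional. The postfix jail sets no `logpath`, so it relies on whatever the backend resolves by default — worth confirming once the service is live.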
@ -11,36 +10,35 @@
|
|||
banaction = "iptables-ipset-proto6-allports";
|
||||
|
||||
|
||||
jails = {
|
||||
|
||||
# max 6 failures in 600 seconds
|
||||
"nginx-spam" = ''
|
||||
enabled = true
|
||||
filter = nginx-bruteforce
|
||||
logpath = /var/log/nginx/access.log
|
||||
backend = auto
|
||||
maxretry = 6
|
||||
findtime = 600
|
||||
'';
|
||||
|
||||
# max 3 failures in 600 seconds
|
||||
"postfix-bruteforce" = ''
|
||||
enabled = true
|
||||
filter = postfix-bruteforce
|
||||
findtime = 600
|
||||
maxretry = 3
|
||||
'';
|
||||
|
||||
# max 10 failures in 600 seconds
|
||||
"molly" = ''
|
||||
enabled = true
|
||||
filter = molly
|
||||
findtime = 600
|
||||
maxretry = 10
|
||||
logpath = /var/log/molly-brown/access.log
|
||||
backend = auto
|
||||
'';
|
||||
};
|
||||
jails = {
|
||||
|
||||
# max 6 failures in 600 seconds
|
||||
"nginx-spam" = ''
|
||||
enabled = true
|
||||
filter = nginx-bruteforce
|
||||
logpath = /var/log/nginx/access.log
|
||||
backend = auto
|
||||
maxretry = 6
|
||||
findtime = 600
|
||||
'';
|
||||
|
||||
# max 3 failures in 600 seconds
|
||||
"postfix-bruteforce" = ''
|
||||
enabled = true
|
||||
filter = postfix-bruteforce
|
||||
findtime = 600
|
||||
maxretry = 3
|
||||
'';
|
||||
|
||||
# max 10 failures in 600 seconds
|
||||
"molly" = ''
|
||||
enabled = true
|
||||
filter = molly
|
||||
findtime = 600
|
||||
maxretry = 10
|
||||
logpath = /var/log/molly-brown/access.log
|
||||
backend = auto
|
||||
'';
|
||||
};
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/molly.conf".text = ''
|
||||
|
@ -60,5 +58,7 @@
|
|||
'';
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -1,34 +1,2 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
programs.firejail = {
|
||||
enable = true;
|
||||
wrappedBinaries = {
|
||||
librewolf = {
|
||||
executable = "${pkgs.librewolf}/bin/librewolf";
|
||||
profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
|
||||
extraArgs = [
|
||||
# Required for U2F USB stick
|
||||
"--ignore=private-dev"
|
||||
# Enforce dark mode
|
||||
"--env=GTK_THEME=Adwaita:dark"
|
||||
# Enable system notifications
|
||||
"--dbus-user.talk=org.freedesktop.Notifications"
|
||||
];
|
||||
};
|
||||
signal-desktop = {
|
||||
# Enable tray icon otherwise Signal window might be hidden
|
||||
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
|
||||
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
||||
extraArgs = [
|
||||
# Enforce dark mode
|
||||
"--env=GTK_THEME=Adwaita:dark"
|
||||
#TODO: Enable Wayland mode
|
||||
#"--env=NIXOS_OZONE_WL=1"
|
||||
# Allow tray icon (should be upstreamed into signal-desktop.profile)
|
||||
"--dbus-user.talk=org.kde.StatusNotifierWatcher"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
{ pkgs, ... }:
|
||||
{ }
|
||||
|
|
|
@ -1,69 +0,0 @@
|
|||
# hosts level sops. see home/[user]/common/optional/sops.nix for home/user level
|
||||
|
||||
{ pkgs, inputs, config, configVars, ... }:
|
||||
let
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
|
||||
homeDirectory = "/home/${configVars.username}";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = "${secretsFile}";
|
||||
validateSopsFiles = false;
|
||||
|
||||
age = {
|
||||
# automatically import host SSH keys as age keys
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
};
|
||||
|
||||
# secrets will be output to /run/secrets
|
||||
# e.g. /run/secrets/msmtp-password
|
||||
# secrets required for user creation are handled in respective ./users/<username>.nix files
|
||||
# because they will be output to /run/secrets-for-users and only when the user is assigned to a host.
|
||||
secrets = {
|
||||
# For home-manager a separate age key is used to decrypt secrets and must be placed onto the host. This is because
|
||||
# the user doesn't have read permission for the ssh service private key. However, we can bootstrap the age key from
|
||||
# the secrets decrypted by the host key, which allows home-manager secrets to work without manually copying over
|
||||
# the age key.
|
||||
# These age keys are are unique for the user on each host and are generated on their own (i.e. they are not derived
|
||||
# from an ssh key).
|
||||
"user_age_keys/${configVars.username}_${config.networking.hostName}" = {
|
||||
owner = config.users.users.${configVars.username}.name;
|
||||
inherit (config.users.users.${configVars.username}) group;
|
||||
# We need to ensure the entire directory structure is that of the user...
|
||||
path = "${homeDirectory}/.config/sops/age/keys.txt";
|
||||
};
|
||||
|
||||
# extract username/password to /run/secrets-for-users/ so it can be used to create the user
|
||||
"${configVars.username}/password".neededForUsers = true;
|
||||
|
||||
#FIXME move to mstmp.nix and also have host and address being assigned to configVars as per fidgetingbits
|
||||
msmtp-host = { };
|
||||
msmtp-address = { };
|
||||
msmtp-password = { };
|
||||
|
||||
# extract to default pam-u2f authfile location for passwordless sudo. see ../optional/yubikey
|
||||
"yubico/u2f_keys" = {
|
||||
path = "/home/${configVars.username}/.config/Yubico/u2f_keys";
|
||||
};
|
||||
};
|
||||
};
|
||||
# The containing folders are created as root and if this is the first ~/.config/ entry,
|
||||
# the ownership is busted and home-manager can't target because it can't write into .config...
|
||||
# FIXME: We might not need this depending on how https://github.com/Mic92/sops-nix/issues/381 is fixed
|
||||
system.activationScripts.sopsSetAgeKeyOwnwership =
|
||||
let
|
||||
ageFolder = "${homeDirectory}/.config/sops/age";
|
||||
user = config.users.users.${configVars.username}.name;
|
||||
group = config.users.users.${configVars.username}.group;
|
||||
in
|
||||
''
|
||||
mkdir -p ${ageFolder} || true
|
||||
chown -R ${user}:${group} ${homeDirectory}/.config
|
||||
'';
|
||||
}
|
|
@ -1,18 +1,17 @@
|
|||
{
|
||||
time.timeZone = "Europe/Amsterdam";
|
||||
time.timeZone = "Europe/Paris";
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
|
||||
i18n.extraLocaleSettings = {
|
||||
LANGUAGE = "en_GB.UTF-8";
|
||||
LC_MESSAGES = "en_GB.UTF-8";
|
||||
LC_ADDRESS = "en_GB.UTF-8";
|
||||
LC_IDENTIFICATION = "en_GB.UTF-8";
|
||||
LC_MEASUREMENT = "en_GB.UTF-8";
|
||||
LC_MONETARY = "en_GB.UTF-8";
|
||||
LC_NAME = "en_GB.UTF-8";
|
||||
LC_NUMERIC = "en_GB.UTF-8";
|
||||
LC_PAPER = "en_GB.UTF-8";
|
||||
LC_TELEPHONE = "en_GB.UTF-8";
|
||||
LC_TIME = "en_GB.UTF-8";
|
||||
LC_MESSAGES = "de_DE.UTF-8";
|
||||
LC_ADDRESS = "de_DE.UTF-8";
|
||||
LC_IDENTIFICATION = "de_DE.UTF-8";
|
||||
LC_MEASUREMENT = "de_DE.UTF-8";
|
||||
LC_MONETARY = "de_DE.UTF-8";
|
||||
LC_NAME = "de_DE.UTF-8";
|
||||
LC_NUMERIC = "de_DE.UTF-8";
|
||||
LC_PAPER = "de_DE.UTF-8";
|
||||
LC_TELEPHONE = "de_DE.UTF-8";
|
||||
LC_TIME = "de_DE.UTF-8";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
# VLC media player
|
||||
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [ pkgs.vlc ];
|
||||
}
|
|
@ -69,13 +69,13 @@
|
|||
hostName = "jeroboam";
|
||||
# wireless.enable = true;
|
||||
networkmanager.enable = true;
|
||||
enableIPv6 = true;
|
||||
enableIPv6 = false;
|
||||
};
|
||||
|
||||
# I devices
|
||||
iphone = {
|
||||
enable = true;
|
||||
user = "laozi";
|
||||
user = "Shenzhen";
|
||||
};
|
||||
|
||||
# ================ HYPRLAND =================== #
|
||||
|
@ -151,7 +151,7 @@
|
|||
|
||||
# Fix to enable VSCode to successfully remote SSH on a client to a NixOS host
|
||||
# https://nixos.wiki/wiki/Visual_Studio_Code # Remote_SSH
|
||||
programs.nix-ld.enable = true;
|
||||
# programs.nix-ld.enable = true;
|
||||
|
||||
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
||||
system.stateVersion = "24.05";
|
||||
|
|
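Review bot: The comment block above the now-commented `programs.nix-ld.enable = true;` still reads as the rationale for enabling it, so a reader will assume the option is on. Either drop the two comment lines together with the disabled line, or make the decision explicit with `programs.nix-ld.enable = false;` and a reason, e.g. `# nix-ld off: VSCode remote SSH not used on this host; re-enable if vscode-server fails to start`. Commented-out option lines are the usual way NixOS settings silently drift. The enclosing attribute set starts outside the hunk.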