5dafbc3a24
...
528a813b93
Author | SHA1 | Date |
---|---|---|
madmin | 528a813b93 | |
madmin | 047dd40467 | |
madmin | a33ba96d02 | |
madmin | d25a86ed2d | |
madmin | b7a5d89ed2 | |
madmin | cad1551224 | |
madmin | 982a69cff8 | |
madmin | a7f233e00e | |
madmin | ea518f6478 | |
madmin | f6cf1cab64 | |
madmin | da1d577cd3 | |
madmin | 6bb2c10f83 |
|
@ -1,7 +1,7 @@
|
||||||
{ config, lib, pkgs, outputs, configLib, ... }:
|
{ config, lib, pkgs, outputs, configLib, ... }:
|
||||||
{
|
{
|
||||||
imports = (configLib.scanPaths ./.)
|
imports = (configLib.scanPaths ./.)
|
||||||
++ (builtins.attrValues outputs.homeManagerModules);
|
++ (builtins.attrValues outputs.homeManagerModules);# ++ [{ name = "geteduroam-cli"; src = "${pkgs.geteduroam}/result/bin/geteduroam-cli";}];
|
||||||
|
|
||||||
services.ssh-agent.enable = true;
|
services.ssh-agent.enable = true;
|
||||||
|
|
||||||
|
@ -40,11 +40,12 @@
|
||||||
coreutils# basic gnu utils
|
coreutils# basic gnu utils
|
||||||
usbutils
|
usbutils
|
||||||
ntfs3g# NTFS fs
|
ntfs3g# NTFS fs
|
||||||
|
bluez# Official Linux Bluetooth protocol stack
|
||||||
pmutils# power management https://pm-utils.freedesktop.org/wiki/
|
pmutils# power management https://pm-utils.freedesktop.org/wiki/
|
||||||
|
|
||||||
wireshark
|
wireshark
|
||||||
nmap
|
nmap
|
||||||
|
#TODO:how to import my own pkgs{ name = "geteduroam-cli"; src = "${pkgs.geteduroam}/result/bin/geteduroam-cli"}
|
||||||
mosh# mobile shell
|
mosh# mobile shell
|
||||||
# curl
|
# curl
|
||||||
ripgrep# better grep
|
ripgrep# better grep
|
||||||
|
|
|
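Review bot: The geteduroam-cli snippet now appears twice in this file as commented-out code — once appended after the `;` on `++ (builtins.attrValues outputs.homeManagerModules);` in the first hunk and again as the `#TODO:how to import my own pkgs{ ... }` line inside the package list in the second hunk — and the two copies will drift apart. Keep only the TODO in the package list and drop the trailing comment on the imports line, or move the open question into an issue. The `bluez` entry added to the home package list is not redundant with anything visible here, but the same set of commits adds a host-level bluez module, so a one-line comment saying that this entry only supplies the CLI tools while the daemon is enabled on the host would help; the package list is cut off at both ends of the hunk.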
@ -1,34 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
|
||||||
programs.firejail = {
|
|
||||||
enable = true;
|
|
||||||
wrappedBinaries = {
|
|
||||||
librewolf = {
|
|
||||||
executable = "${pkgs.librewolf}/bin/librewolf";
|
|
||||||
profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
|
|
||||||
extraArgs = [
|
|
||||||
# Required for U2F USB stick
|
|
||||||
"--ignore=private-dev"
|
|
||||||
# Enforce dark mode
|
|
||||||
"--env=GTK_THEME=Adwaita:dark"
|
|
||||||
# Enable system notifications
|
|
||||||
"--dbus-user.talk=org.freedesktop.Notifications"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
signal-desktop = {
|
|
||||||
# Enable tray icon otherwise Signal window might be hidden
|
|
||||||
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
|
|
||||||
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
|
||||||
extraArgs = [
|
|
||||||
# Enforce dark mode
|
|
||||||
"--env=GTK_THEME=Adwaita:dark"
|
|
||||||
#TODO: Enable Wayland mode
|
|
||||||
#"--env=NIXOS_OZONE_WL=1"
|
|
||||||
# Allow tray icon (should be upstreamed into signal-desktop.profile)
|
|
||||||
"--dbus-user.talk=org.kde.StatusNotifierWatcher"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
home.packages = with pkgs; [
|
home.packages = with pkgs; [
|
||||||
pkgs.noto-fonts
|
pkgs.noto-fonts
|
||||||
# pkgs.nerdfonts # => loads the complete collection.
|
# pkgs.nerdfonts # => loads the complete collection.
|
||||||
(nerdfonts.override { fonts = [ "FiraCode" "GeistMono" "SourceCodePro" "DroidSansMono"]; })
|
(nerdfonts.override { fonts = [ "FiraCode" "GeistMono" "SourceCodePro" "DroidSansMono" "Meslo"]; })
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -6,5 +6,6 @@
|
||||||
inherit (pkgs)
|
inherit (pkgs)
|
||||||
# Here go packages without my configs
|
# Here go packages without my configs
|
||||||
#!Remember to comment without space after package
|
#!Remember to comment without space after package
|
||||||
|
;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
imports = (configLib.scanPaths ./.)
|
imports = (configLib.scanPaths ./.)
|
||||||
++ (builtins.attrValues outputs.homeManagerModules);
|
++ (builtins.attrValues outputs.homeManagerModules);
|
||||||
home.packages = builtins.attrValues {
|
home.packages = builtins.attrValues {
|
||||||
inherit (pkgs)
|
inherit (pkgs);
|
||||||
# Here go packages without my configs
|
# Here go packages without my configs
|
||||||
#!Remember to comment without space after package
|
#!Remember to comment without space after package
|
||||||
};
|
};
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
{ pkgs, ... }: {
|
||||||
|
programs.bluez = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
systemd.user.services.mpris-proxy = {
|
||||||
|
description = "Mpris proxy";
|
||||||
|
after = [ "network.target" "sound.target" ];
|
||||||
|
wantedBy = [ "default.target" ];
|
||||||
|
serviceConfig.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
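Review bot: `programs.bluez` is not a NixOS or home-manager option I am aware of; the Bluetooth stack is normally enabled with `hardware.bluetooth.enable = true;`, so this file will most likely fail evaluation with an undefined-option error — confirm against the option search before merging. The `systemd.user.services.mpris-proxy` unit uses NixOS-style keys (`description`, `after`, `wantedBy`, `serviceConfig.ExecStart`), so this reads as a host module rather than a home-manager one; since the file path is not shown on this page, a one-line header comment naming which tree it belongs to would help the next reader.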
@ -7,6 +7,7 @@
|
||||||
inherit (pkgs)
|
inherit (pkgs)
|
||||||
# Here go packages without my configs
|
# Here go packages without my configs
|
||||||
# !Remember to comment without space after package
|
# !Remember to comment without space after package
|
||||||
|
keepassxc
|
||||||
fwupd; # firmware updater default on KDE
|
fwupd; # firmware updater default on KDE
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
# home level sops. see hosts/common/optional/sops.nix for hosts level
|
||||||
|
# TODO should I split secrets.yaml into a home level and a hosts level or move to a single sops.nix entirely?
|
||||||
|
|
||||||
|
{ inputs, config, ... }:
|
||||||
|
let
|
||||||
|
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||||
|
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||||
|
homeDirectory = config.home.homeDirectory;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
inputs.sops-nix.homeManagerModules.sops
|
||||||
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
# This is the location of the host specific age-key for ta and will to have been extracted to this location via hosts/common/core/sops.nix on the host
|
||||||
|
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
|
||||||
|
|
||||||
|
defaultSopsFile = "${secretsFile}";
|
||||||
|
validateSopsFiles = false;
|
||||||
|
|
||||||
|
secrets = {
|
||||||
|
"ssh_keys/stanislav" = {
|
||||||
|
path = "${homeDirectory}/.ssh/id_stanislav";
|
||||||
|
};
|
||||||
|
"ssh_keys/vladislav" = {
|
||||||
|
path = "${homeDirectory}/.ssh/id_vladislav";
|
||||||
|
};
|
||||||
|
"ssh_keys/rostislav" = {
|
||||||
|
path = "${homeDirectory}/.ssh/id_rostislav";
|
||||||
|
};
|
||||||
|
"ssh_keys/borislav" = {
|
||||||
|
path = "${homeDirectory}/.ssh/id_borislav";
|
||||||
|
};
|
||||||
|
"ssh_keys/radoslav" = {
|
||||||
|
path = "${homeDirectory}/.ssh/id_radoslav";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
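Review bot: The comment above `age.keyFile` was carried over from another repository — it refers to users `ta` and `will` and to `hosts/common/core/sops.nix`, whereas the header of this same file points to `hosts/common/optional/sops.nix`, and the hosts-level file added in this commit set is the one that declares a secret targeting `~/.config/sops/age/keys.txt`; suggest replacing it with `# age key for this user on this host; placed at this path by the hosts-level sops module (not derived from an SSH key)`. `validateSopsFiles = false;` disables the build-time check that `secretsFile` exists and parses, so a short why-comment (e.g. that `inputs.nix-secrets` is a separate flake input that is not always present at evaluation) would stop someone from re-enabling it blindly. `defaultSopsFile = "${secretsFile}";` can simply be `defaultSopsFile = secretsFile;`, and the five near-identical `ssh_keys/*` entries could be generated with `lib.genAttrs` over the name list if `lib` is added to the argument set.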
@ -1,7 +1,7 @@
|
||||||
{ inputs, configVars, configLib, ... }:
|
{ inputs, configVars, configLib, ... }:
|
||||||
#map with prefix to refactor
|
#map with prefix to refactor
|
||||||
let
|
let
|
||||||
optionals = (configLib.mapPathsToPrefix { prefix = common/optional; list = [ /system /internet /comms /utilities /dev/foot.nix /office ];});
|
optionals = (configLib.mapPathsToPrefix { prefix = common/optional; list = [ /system /internet /comms /utilities /dev /office ];});
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
{ configVars, ... }:
|
||||||
|
{
|
||||||
|
networking.firewall = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
|
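Review bot: `networking.firewall.enable` already defaults to `true` on NixOS and the argument set binds `configVars` without using it, so as written this module changes nothing; the blank line inside the block suggests an allowed-ports list was intended. Either fill it in (`allowedTCPPorts = [ ... ];` with only the ports this host actually serves) or add a comment stating that the file is a placeholder that keeps the default-deny firewall explicit, and drop `configVars` from the header until it is needed.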
@ -1,4 +1,4 @@
|
||||||
{ configLib, ... }:
|
{ inputs, outputs, configLib, ... }:
|
||||||
{
|
{
|
||||||
import = (configLib.scanPaths ./.);
|
imports = (configLib.scanPaths ./.);
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
|
# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
|
||||||
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
services.fail2ban = {
|
services.fail2ban = {
|
||||||
enable = true;
|
enable = false;
|
||||||
ignoreIP = [
|
ignoreIP = [
|
||||||
"192.168.1.0/24"
|
"192.168.1.0/24"
|
||||||
];
|
];
|
||||||
|
@ -40,6 +41,7 @@
|
||||||
backend = auto
|
backend = auto
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
};
|
||||||
environment.etc = {
|
environment.etc = {
|
||||||
"fail2ban/filter.d/molly.conf".text = ''
|
"fail2ban/filter.d/molly.conf".text = ''
|
||||||
[Definition]
|
[Definition]
|
||||||
|
@ -58,7 +60,5 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
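Review bot: `enable = false;` switches fail2ban off for every host importing this module, but nothing records why, and the `ignoreIP` list, the jail definitions and the `environment.etc."fail2ban/filter.d/molly.conf"` filter are still carried as if it were active. Add the reason and the condition for turning it back on next to the flag, e.g. `enable = false; # disabled while <reason — fill in>; re-enable before exposing SSH`, or use `lib.mkDefault false` so individual hosts can opt back in without editing the shared module. The new `{ pkgs, ... }:` header binds `pkgs`, which is not used in the lines visible here; it may be used in the jail definitions outside the hunks. The added `};` in the second hunk closes `services.fail2ban` before `environment.etc`, so the filter block becomes a sibling instead of being nested inside the service, which reads as the intended fix.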
@ -1,2 +1,34 @@
|
||||||
{ pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
{ }
|
{
|
||||||
|
programs.firejail = {
|
||||||
|
enable = true;
|
||||||
|
wrappedBinaries = {
|
||||||
|
librewolf = {
|
||||||
|
executable = "${pkgs.librewolf}/bin/librewolf";
|
||||||
|
profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
|
||||||
|
extraArgs = [
|
||||||
|
# Required for U2F USB stick
|
||||||
|
"--ignore=private-dev"
|
||||||
|
# Enforce dark mode
|
||||||
|
"--env=GTK_THEME=Adwaita:dark"
|
||||||
|
# Enable system notifications
|
||||||
|
"--dbus-user.talk=org.freedesktop.Notifications"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
signal-desktop = {
|
||||||
|
# Enable tray icon otherwise Signal window might be hidden
|
||||||
|
executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
|
||||||
|
profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
|
||||||
|
extraArgs = [
|
||||||
|
# Enforce dark mode
|
||||||
|
"--env=GTK_THEME=Adwaita:dark"
|
||||||
|
#TODO: Enable Wayland mode
|
||||||
|
#"--env=NIXOS_OZONE_WL=1"
|
||||||
|
# Allow tray icon (should be upstreamed into signal-desktop.profile)
|
||||||
|
"--dbus-user.talk=org.kde.StatusNotifierWatcher"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
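Review bot: The new header `{ config, lib, pkgs, ... }:` binds `config` and `lib`, neither of which is used anywhere in the 34 lines shown, so it can stay `{ pkgs, ... }:` as in the file whose deletion appears earlier on this page — the two bodies are byte-identical, so this is a move, and a `git mv` would keep the history attached. On the content, `--ignore=private-dev` disables the profile's `private-dev` directive for the whole librewolf sandbox, not just for the U2F device, so the comment should state the trade-off, e.g. `# Required for U2F USB stick: the sandbox sees the host's full /dev`.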
@ -0,0 +1,69 @@
|
||||||
|
# hosts level sops. see home/[user]/common/optional/sops.nix for home/user level
|
||||||
|
|
||||||
|
{ pkgs, inputs, config, configVars, ... }:
|
||||||
|
let
|
||||||
|
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||||
|
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||||
|
|
||||||
|
homeDirectory = "/home/${configVars.username}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
];
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = "${secretsFile}";
|
||||||
|
validateSopsFiles = false;
|
||||||
|
|
||||||
|
age = {
|
||||||
|
# automatically import host SSH keys as age keys
|
||||||
|
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# secrets will be output to /run/secrets
|
||||||
|
# e.g. /run/secrets/msmtp-password
|
||||||
|
# secrets required for user creation are handled in respective ./users/<username>.nix files
|
||||||
|
# because they will be output to /run/secrets-for-users and only when the user is assigned to a host.
|
||||||
|
secrets = {
|
||||||
|
# For home-manager a separate age key is used to decrypt secrets and must be placed onto the host. This is because
|
||||||
|
# the user doesn't have read permission for the ssh service private key. However, we can bootstrap the age key from
|
||||||
|
# the secrets decrypted by the host key, which allows home-manager secrets to work without manually copying over
|
||||||
|
# the age key.
|
||||||
|
# These age keys are are unique for the user on each host and are generated on their own (i.e. they are not derived
|
||||||
|
# from an ssh key).
|
||||||
|
"user_age_keys/${configVars.username}_${config.networking.hostName}" = {
|
||||||
|
owner = config.users.users.${configVars.username}.name;
|
||||||
|
inherit (config.users.users.${configVars.username}) group;
|
||||||
|
# We need to ensure the entire directory structure is that of the user...
|
||||||
|
path = "${homeDirectory}/.config/sops/age/keys.txt";
|
||||||
|
};
|
||||||
|
|
||||||
|
# extract username/password to /run/secrets-for-users/ so it can be used to create the user
|
||||||
|
"${configVars.username}/password".neededForUsers = true;
|
||||||
|
|
||||||
|
#FIXME move to mstmp.nix and also have host and address being assigned to configVars as per fidgetingbits
|
||||||
|
msmtp-host = { };
|
||||||
|
msmtp-address = { };
|
||||||
|
msmtp-password = { };
|
||||||
|
|
||||||
|
# extract to default pam-u2f authfile location for passwordless sudo. see ../optional/yubikey
|
||||||
|
"yubico/u2f_keys" = {
|
||||||
|
path = "/home/${configVars.username}/.config/Yubico/u2f_keys";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
# The containing folders are created as root and if this is the first ~/.config/ entry,
|
||||||
|
# the ownership is busted and home-manager can't target because it can't write into .config...
|
||||||
|
# FIXME: We might not need this depending on how https://github.com/Mic92/sops-nix/issues/381 is fixed
|
||||||
|
system.activationScripts.sopsSetAgeKeyOwnwership =
|
||||||
|
let
|
||||||
|
ageFolder = "${homeDirectory}/.config/sops/age";
|
||||||
|
user = config.users.users.${configVars.username}.name;
|
||||||
|
group = config.users.users.${configVars.username}.group;
|
||||||
|
in
|
||||||
|
''
|
||||||
|
mkdir -p ${ageFolder} || true
|
||||||
|
chown -R ${user}:${group} ${homeDirectory}/.config
|
||||||
|
'';
|
||||||
|
}
|
|
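Review bot: The activation script runs `chown -R ${user}:${group} ${homeDirectory}/.config` on every activation, which rewrites ownership of everything under the user's `~/.config`, far beyond the directories the comment says root creates; restrict it to the directories this module creates, `chown ${user}:${group} ${homeDirectory}/.config ${homeDirectory}/.config/sops ${ageFolder}`, and drop the `|| true` on `mkdir -p` so a failure surfaces instead of being silently followed by the chown. `homeDirectory` is hard-coded as `"/home/${configVars.username}"` and the `yubico/u2f_keys` path repeats that literal instead of using `${homeDirectory}`; `config.users.users.${configVars.username}.home` is available (the file already reads `.name` and `.group` from the same attribute) and would keep the paths consistent. `yubico/u2f_keys` declares no `owner`, so it is written root-owned inside the user's home — plausibly intended because pam-u2f reads it as root during authentication, but that deserves a comment, as it is also a second root-created path under `~/.config` of the kind the chown workaround exists for. The attribute name `sopsSetAgeKeyOwnwership` has a typo (`Ownwership`), and the comment `These age keys are are unique` a doubled word.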
@ -1,17 +1,18 @@
|
||||||
{
|
{
|
||||||
time.timeZone = "Europe/Paris";
|
time.timeZone = "Europe/Amsterdam";
|
||||||
i18n.defaultLocale = "en_GB.UTF-8";
|
i18n.defaultLocale = "en_GB.UTF-8";
|
||||||
|
|
||||||
i18n.extraLocaleSettings = {
|
i18n.extraLocaleSettings = {
|
||||||
LC_MESSAGES = "de_DE.UTF-8";
|
LANGUAGE = "en_GB.UTF-8";
|
||||||
LC_ADDRESS = "de_DE.UTF-8";
|
LC_MESSAGES = "en_GB.UTF-8";
|
||||||
LC_IDENTIFICATION = "de_DE.UTF-8";
|
LC_ADDRESS = "en_GB.UTF-8";
|
||||||
LC_MEASUREMENT = "de_DE.UTF-8";
|
LC_IDENTIFICATION = "en_GB.UTF-8";
|
||||||
LC_MONETARY = "de_DE.UTF-8";
|
LC_MEASUREMENT = "en_GB.UTF-8";
|
||||||
LC_NAME = "de_DE.UTF-8";
|
LC_MONETARY = "en_GB.UTF-8";
|
||||||
LC_NUMERIC = "de_DE.UTF-8";
|
LC_NAME = "en_GB.UTF-8";
|
||||||
LC_PAPER = "de_DE.UTF-8";
|
LC_NUMERIC = "en_GB.UTF-8";
|
||||||
LC_TELEPHONE = "de_DE.UTF-8";
|
LC_PAPER = "en_GB.UTF-8";
|
||||||
LC_TIME = "de_DE.UTF-8";
|
LC_TELEPHONE = "en_GB.UTF-8";
|
||||||
|
LC_TIME = "en_GB.UTF-8";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
# VLC media player
|
||||||
|
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
environment.systemPackages = [ pkgs.vlc ];
|
||||||
|
}
|
|
@ -69,13 +69,13 @@
|
||||||
hostName = "jeroboam";
|
hostName = "jeroboam";
|
||||||
# wireless.enable = true;
|
# wireless.enable = true;
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
enableIPv6 = false;
|
enableIPv6 = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# I devices
|
# I devices
|
||||||
iphone = {
|
iphone = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "Shenzhen";
|
user = "laozi";
|
||||||
};
|
};
|
||||||
|
|
||||||
# ================ HYPRLAND =================== #
|
# ================ HYPRLAND =================== #
|
||||||
|
@ -151,7 +151,7 @@
|
||||||
|
|
||||||
# Fix to enable VSCode to successfully remote SSH on a client to a NixOS host
|
# Fix to enable VSCode to successfully remote SSH on a client to a NixOS host
|
||||||
# https://nixos.wiki/wiki/Visual_Studio_Code # Remote_SSH
|
# https://nixos.wiki/wiki/Visual_Studio_Code # Remote_SSH
|
||||||
# programs.nix-ld.enable = true;
|
programs.nix-ld.enable = true;
|
||||||
|
|
||||||
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
|
|