diff --git a/flake.nix b/flake.nix index 2a55083..c225240 100644 --- a/flake.nix +++ b/flake.nix @@ -45,5 +45,26 @@ } ]; }; + + nixosConfigurations."dregil" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ({ + nixpkgs = { + config.allowUnfree = true; + overlays = with inputs; [ emacs.overlay ]; + }; + }) + ./modules/security.nix + ./hosts/dregil + agenix.nixosModules.age + hm.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.alex = import ./home/cli.nix; + } + ]; + }; }; } diff --git a/home/cli.nix b/home/cli.nix index 6e3d098..9c0d303 100644 --- a/home/cli.nix +++ b/home/cli.nix @@ -1,8 +1,11 @@ { config, pkgs, ... }: # minimal config, suitable for servers - -{ +let + myUser = "alex"; + myName = "Alexander Kobjolke"; + myMail = "me@failco.de"; +in { imports = [ # shell config #./modules/shell @@ -10,8 +13,8 @@ programs.home-manager.enable = true; home = { - username = "alex"; - homeDirectory = "/home/alex"; + username = myUser; + homeDirectory = "/home/${myUser}"; stateVersion = "21.05"; sessionPath = [ "$HOME/.local/bin" "$HOME/.emacs.d/bin" ]; }; @@ -31,6 +34,7 @@ gotop gnumake ripgrep # better grep + pijul sqlite.dev sqlite # pass @@ -63,14 +67,22 @@ ''; }; + xdg.configFile.pijul = { + target = "pijul/config.toml"; + text = '' + [author] + name = "${myUser}" + full_name = "${myName}" + email = "${myMail}" + ''; + }; + programs = { zsh = { enable = true; enableAutosuggestions = true; # enableSyntaxHighlighting = true; - shellAliases = { - e = "emacsclient -c $@"; - }; + shellAliases = { e = "emacsclient -c $@"; }; oh-my-zsh = { enable = true; plugins = [ "git" ]; @@ -103,8 +115,8 @@ git = { enable = true; ignores = [ "*~" "*.swp" "result" "dist-newstyle" ]; - userEmail = "me@failco.de"; - userName = "Alexander Kobjolke"; + userEmail = myMail; + userName = myName; aliases = { st = "status"; }; extraConfig = { init.defaultBranch = "main"; }; }; 
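Review bot: The new `nixosConfigurations."dregil"` entry quotes an attribute name that needs no quoting and wraps the inline module in parentheses that Nix does not require; `nixosConfigurations.dregil = nixpkgs.lib.nixosSystem {` and a bare `{ nixpkgs = { ... }; }` element match how the neighbouring list elements are written. The inline module also turns on `config.allowUnfree = true` for the whole host without saying which package needs it; a short comment naming that package (`# allowUnfree: needed for <package>`) would let a later reader drop the blanket setting once it is no longer needed. The enclosing `outputs` attribute set begins before this hunk.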
diff --git a/hosts/dregil/default.nix b/hosts/dregil/default.nix
new file mode 100644
index 0000000..ac16c1d
--- /dev/null
+++ b/hosts/dregil/default.nix
@@ -0,0 +1,173 @@ +{ config, lib, pkgs, ... }: +let extIface = "ens3"; +in { + imports = [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + nix.package = pkgs.nixUnstable; + nix.extraOptions = '' + experimental-features = nix-command flakes ca-derivations + ''; + #nix.registry.nixpkgs.flake = nixpkgs; + + # Binary Cache for Haskell.nix + nix.settings.trusted-public-keys = + [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; + + #nix.binaryCaches = [ "https://hydra.iohk.io" ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only + # boot.loader.systemd-boot.enable = true; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + age.secrets = { + # mailPass.file = ../../secrets/mailPass.age; + # wireguard-thrall.file = ../../secrets/wireguard-thrall.age; + }; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. 
+ networking = { + hostName = "dregil"; + domain = "failco.de"; + wireless.enable = true; + useDHCP = true; + enableIPv6 = true; + firewall = { + allowedTCPPorts = [ 22 ]; + allowedUDPPorts = [ 42666 ]; + }; + + # wireguard.interfaces = { + # wg0 = { + # ips = [ "10.0.0.1/24" ]; + # listenPort = 42666; + # + # privateKeyFile = config.age.secrets.wireguard-thrall.path; + # peers = [ + # { + # # my phone + # publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk="; + # allowedIPs = [ "10.0.0.2/32" ]; + # } + # { + # # my tablet + # publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k="; + # allowedIPs = [ "10.0.0.3/32" ]; + # } + # ]; + # }; + # }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "alex@jakalx.net"; + }; + + security.sudo = { + enable = true; + execWheelOnly = true; + extraRules = [{ + groups = [ "wheel" ]; + commands = [{ + command = "/run/current-system/sw/bin/nixos-rebuild"; + options = [ "NOPASSWD" ]; + }]; + }]; + }; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "dvorak"; + }; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.alex = { + isNormalUser = true; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + shell = pkgs.zsh; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget + rsync + htop + tmux + git + #agenix.defaultPackage.x86_64-linux + restic # fast and secure backup + rclone + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ # programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + programs.neovim = { + enable = true; + defaultEditor = true; + viAlias = true; + vimAlias = true; + }; + + # enable zsh globally in order to get home.sessionPath to propagate :() + programs.zsh.enable = true; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + services.lorri.enable = true; + + # configure backup via restic to gdrive + services.restic.backups = { }; + services.keybase = { enable = true; }; + + services.syncthing = { + enable = true; + user = "alex"; + dataDir = "/home/alex/sync"; + overrideDevices = + true; # overrides any devices added or deleted through the WebUI + overrideFolders = + true; # overrides any folders added or deleted through the WebUI + folders = { + "org" = { + path = "/home/alex/org"; + devices = [ "thrall" "redmi" ]; + }; + "scan" = { + path = "/home/alex/media/scan"; + devices = [ "thrall" "redmi" ]; + }; + }; + devices = { + "redmi" = { + id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW"; + }; + }; + }; + + system.stateVersion = "20.09"; # Did you read the comment? +} diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix index 1db9143..9e898ce 100644 --- a/hosts/thrall/default.nix +++ b/hosts/thrall/default.nix @@ -55,8 +55,8 @@ in { defaultGateway = "195.90.208.1"; nameservers = [ "1.1.1.1" "8.8.8.8" ]; firewall = { - allowedTCPPorts = [ 22 80 443 5000 ]; - allowedUDPPorts = [ 42666 ]; + allowedTCPPorts = [ 22 53 80 443 5000 ]; + allowedUDPPorts = [ 53 42666 ]; }; # wireguard related config 
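Review bot: The `security.sudo.extraRules` entry grants `wheel` passwordless `nixos-rebuild`, and since that command activates whatever configuration it is pointed at, the `NOPASSWD` option amounts to unrestricted root for every wheel member rather than a narrow exception; either drop `options = [ "NOPASSWD" ];` or record the reason inline, e.g. `# NOPASSWD so unattended deploys can switch generations; wheel == root on this host`. Separately, `services.openssh.enable = true` is paired with `allowedTCPPorts = [ 22 ]` while `users.users.alex` sets neither `openssh.authorizedKeys.keys` nor a hashed password, so unless `./modules/security.nix` (imported from flake.nix, not visible here) disables password logins, this host comes up relying on whatever `passwd` is run by hand. Finally, `allowedUDPPorts = [ 42666 ];` opens the WireGuard port although the whole `wireguard.interfaces` block is commented out, leaving a firewall exception with no service behind it; keep the port and the interface definition together so they are enabled and removed as one unit.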
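Review bot: Port 53 is added to the host-wide `allowedTCPPorts`/`allowedUDPPorts` lists, which apply to the public interface (this host has a routable `defaultGateway` in the surrounding context), while the resolver added in the later hunk (`@@ -151,6 +160,12 @@`) only listens on loopback and `10.0.0.1`. The firewall exception is therefore wider than the listener, and a future widening of `listenPlain` would turn thrall into an open resolver with no further change; scope it to the tunnel instead: `networking.firewall.interfaces.wg0 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };` and leave 53 out of the global lists. The enclosing `networking` block starts before this hunk.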
@@ -70,18 +70,27 @@ in { listenPort = 42666; postSetup = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE ''; postShutdown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE ''; privateKeyFile = config.age.secrets.wireguard-thrall.path; - peers = [{ - # my phone - publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk="; - allowedIPs = [ "10.0.0.2/32" ]; - }]; + peers = [ + { + # my phone + publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk="; + allowedIPs = [ "10.0.0.2/32" ]; + } + { + # my tablet + publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k="; + allowedIPs = [ "10.0.0.3/32" ]; + } + ]; }; }; }; @@ -151,6 +160,12 @@ in { # List services that you want to enable: + # depending on wireguard + services.kresd = { + enable = true; + listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ]; + }; + # Enable the OpenSSH daemon. services.openssh.enable = true;
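Review bot: The added `iptables -A FORWARD -i wg0 -j ACCEPT` in `postSetup` accepts forwarding of tunnel traffic toward any output interface, not just the masqueraded uplink, so peers can reach anything else attached to this host; restricting it to the path the NAT rule below already names keeps the two rules consistent: `${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o ${extIface} -j ACCEPT` with the matching `-D` form in `postShutdown`. Whether the reply direction (`-o wg0`) also needs an explicit rule depends on the chain's default policy, which this hunk does not show; a one-line comment stating the assumed policy (`# FORWARD policy is ACCEPT/DROP by default on this host`) would make the rule's purpose checkable. The enclosing `networking.wireguard.interfaces.wg0` attribute set begins and ends outside the hunk.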
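Review bot: The comment `# depending on wireguard` above `services.kresd` does not say what the dependency is; the concrete point is that `10.0.0.1:53` in `listenPlain` is the address `wg0` carries, so the resolver can only bind it once the tunnel is up. Spell that out, e.g. `# 10.0.0.1 is wg0's address: kresd serves the tunnel peers and must not bind before wireguard-wg0.service brings the interface up`, and if the kresd unit does start first in practice (not verifiable from this hunk), add an `after`/`requires` ordering on that unit rather than relying on restart behaviour. Note that this listener is what the port 53 change in `@@ -55,8 +55,8 @@` exposes, so the two should be kept in step.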