Add initial configuration for dregil

flake.nix

@@ -45,5 +45,26 @@
         }
       ];
     };
+
+    nixosConfigurations."dregil" = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ({
+          nixpkgs = {
+            config.allowUnfree = true;
+            overlays = with inputs; [ emacs.overlay ];
+          };
+        })
+        ./modules/security.nix
+        ./hosts/dregil
+        agenix.nixosModules.age
+        hm.nixosModules.home-manager
+        {
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+          home-manager.users.alex = import ./home/cli.nix;
+        }
+      ];
+    };
   };
 }

home/cli.nix

@@ -1,8 +1,11 @@
 { config, pkgs, ... }:
 
 # minimal config, suitable for servers
-
+let
-{
+  myUser = "alex";
+  myName = "Alexander Kobjolke";
+  myMail = "me@failco.de";
+in {
   imports = [
     # shell config
     #./modules/shell
@@ -10,8 +13,8 @@
 
   programs.home-manager.enable = true;
   home = {
-    username = "alex";
+    username = myUser;
-    homeDirectory = "/home/alex";
+    homeDirectory = "/home/${myUser}";
     stateVersion = "21.05";
     sessionPath = [ "$HOME/.local/bin" "$HOME/.emacs.d/bin" ];
   };
@@ -31,6 +34,7 @@
     gotop
     gnumake
     ripgrep # better grep
+    pijul
     sqlite.dev
     sqlite
     #    pass
@@ -63,14 +67,22 @@
     '';
   };
 
+  xdg.configFile.pijul = {
+    target = "pijul/config.toml";
+    text = ''
+      [author]
+      name = "${myUser}"
+      full_name = "${myName}"
+      email = "${myMail}"
+    '';
+  };
+
   programs = {
     zsh = {
       enable = true;
       enableAutosuggestions = true;
       #      enableSyntaxHighlighting = true;
-      shellAliases = {
+      shellAliases = { e = "emacsclient -c $@"; };
-          e = "emacsclient -c $@";
-      };
       oh-my-zsh = {
         enable = true;
         plugins = [ "git" ];
@@ -103,8 +115,8 @@
     git = {
       enable = true;
       ignores = [ "*~" "*.swp" "result" "dist-newstyle" ];
-      userEmail = "me@failco.de";
+      userEmail = myMail;
-      userName = "Alexander Kobjolke";
+      userName = myName;
       aliases = { st = "status"; };
       extraConfig = { init.defaultBranch = "main"; };
     };

hosts/dregil/default.nix

@@ -0,0 +1,173 @@
+{ config, lib, pkgs, ... }:
+let extIface = "ens3";
+in {
+  imports = [ # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  nix.package = pkgs.nixUnstable;
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes ca-derivations
+  '';
+  #nix.registry.nixpkgs.flake = nixpkgs;
+
+  # Binary Cache for Haskell.nix
+  nix.settings.trusted-public-keys =
+    [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+
+  #nix.binaryCaches = [ "https://hydra.iohk.io" ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+  # boot.loader.systemd-boot.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  age.secrets = {
+    #    mailPass.file = ../../secrets/mailPass.age;
+    #    wireguard-thrall.file = ../../secrets/wireguard-thrall.age;
+  };
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking = {
+    hostName = "dregil";
+    domain = "failco.de";
+    wireless.enable = true;
+    useDHCP = true;
+    enableIPv6 = true;
+    firewall = {
+      allowedTCPPorts = [ 22 ];
+      allowedUDPPorts = [ 42666 ];
+    };
+
+    #    wireguard.interfaces = {
+    #      wg0 = {
+    #        ips = [ "10.0.0.1/24" ];
+    #        listenPort = 42666;
+    #
+    #        privateKeyFile = config.age.secrets.wireguard-thrall.path;
+    #        peers = [
+    #          {
+    #            # my phone
+    #            publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
+    #            allowedIPs = [ "10.0.0.2/32" ];
+    #          }
+    #          {
+    #            # my tablet
+    #            publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
+    #            allowedIPs = [ "10.0.0.3/32" ];
+    #          }
+    #        ];
+    #      };
+    #    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "alex@jakalx.net";
+  };
+
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraRules = [{
+      groups = [ "wheel" ];
+      commands = [{
+        command = "/run/current-system/sw/bin/nixos-rebuild";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+  };
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "dvorak";
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.alex = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    shell = pkgs.zsh;
+  };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    wget
+    rsync
+    htop
+    tmux
+    git
+    #agenix.defaultPackage.x86_64-linux
+    restic # fast and secure backup
+    rclone
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+  };
+
+  # enable zsh globally in order to get home.sessionPath to propagate :()
+  programs.zsh.enable = true;
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  services.lorri.enable = true;
+
+  # configure backup via restic to gdrive
+  services.restic.backups = { };
+  services.keybase = { enable = true; };
+
+  services.syncthing = {
+    enable = true;
+    user = "alex";
+    dataDir = "/home/alex/sync";
+    overrideDevices =
+      true; # overrides any devices added or deleted through the WebUI
+    overrideFolders =
+      true; # overrides any folders added or deleted through the WebUI
+    folders = {
+      "org" = {
+        path = "/home/alex/org";
+        devices = [ "thrall" "redmi" ];
+      };
+      "scan" = {
+        path = "/home/alex/media/scan";
+        devices = [ "thrall" "redmi" ];
+      };
+    };
+    devices = {
+      "redmi" = {
+        id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
+      };
+    };
+  };
+
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hosts/thrall/default.nix

@@ -55,8 +55,8 @@ in {
     defaultGateway = "195.90.208.1";
     nameservers = [ "1.1.1.1" "8.8.8.8" ];
     firewall = {
-      allowedTCPPorts = [ 22 80 443 5000 ];
+      allowedTCPPorts = [ 22 53 80 443 5000 ];
-      allowedUDPPorts = [ 42666 ];
+      allowedUDPPorts = [ 53 42666 ];
     };
 
     # wireguard related config
@@ -70,18 +70,27 @@ in {
         listenPort = 42666;
 
         postSetup = ''
+          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
           ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
         '';
         postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
           ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
         '';
 
         privateKeyFile = config.age.secrets.wireguard-thrall.path;
-        peers = [{
+        peers = [
-          # my phone
+          {
-          publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
+            # my phone
-          allowedIPs = [ "10.0.0.2/32" ];
+            publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
-        }];
+            allowedIPs = [ "10.0.0.2/32" ];
+          }
+          {
+            # my tablet
+            publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
+            allowedIPs = [ "10.0.0.3/32" ];
+          }
+        ];
       };
     };
   };
@@ -151,6 +160,12 @@ in {
 
   # List services that you want to enable:
 
+  # depending on wireguard
+  services.kresd = {
+    enable = true;
+    listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
+  };
+
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;