jakalx/nixos-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add initial configuration for dregil

Browse source
This commit is contained in:
Alexander Kobjolke 2023-03-10 18:31:32 +01:00
parent d6ab6b3f48
commit 193639d884
4 changed files with 237 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

21
flake.nix
View file

@ -45,5 +45,26 @@
}
];
};
nixosConfigurations."dregil" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
({
nixpkgs = {
config.allowUnfree = true;
overlays = with inputs; [ emacs.overlay ];
};
})
./modules/security.nix
./hosts/dregil
agenix.nixosModules.age
hm.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.alex = import ./home/cli.nix;
}
];
};
};
}

30
home/cli.nix
View file

@ -1,8 +1,11 @@
{ config, pkgs, ... }:
# minimal config, suitable for servers
{
let
myUser = "alex";
myName = "Alexander Kobjolke";
myMail = "me@failco.de";
in {
imports = [
# shell config
#./modules/shell
@ -10,8 +13,8 @@
programs.home-manager.enable = true;
home = {
username = "alex";
homeDirectory = "/home/alex";
username = myUser;
homeDirectory = "/home/${myUser}";
stateVersion = "21.05";
sessionPath = [ "$HOME/.local/bin" "$HOME/.emacs.d/bin" ];
};
@ -31,6 +34,7 @@
gotop
gnumake
ripgrep # better grep
pijul
sqlite.dev
sqlite
# pass
@ -63,14 +67,22 @@
'';
};
xdg.configFile.pijul = {
target = "pijul/config.toml";
text = ''
[author]
name = "${myUser}"
full_name = "${myName}"
email = "${myMail}"
'';
};
programs = {
zsh = {
enable = true;
enableAutosuggestions = true;
# enableSyntaxHighlighting = true;
shellAliases = {
e = "emacsclient -c $@";
};
shellAliases = { e = "emacsclient -c $@"; };
oh-my-zsh = {
enable = true;
plugins = [ "git" ];
@ -103,8 +115,8 @@
git = {
enable = true;
ignores = [ "*~" "*.swp" "result" "dist-newstyle" ];
userEmail = "me@failco.de";
userName = "Alexander Kobjolke";
userEmail = myMail;
userName = myName;
aliases = { st = "status"; };
extraConfig = { init.defaultBranch = "main"; };
};

173
hosts/dregil/default.nix Normal file
View file

@ -0,0 +1,173 @@
{ config, lib, pkgs, ... }:
let extIface = "ens3";
in {
imports = [ # Include the results of the hardware scan.
./hardware-configuration.nix
];
nix.package = pkgs.nixUnstable;
nix.extraOptions = ''
experimental-features = nix-command flakes ca-derivations
'';
#nix.registry.nixpkgs.flake = nixpkgs;
# Binary Cache for Haskell.nix
nix.settings.trusted-public-keys =
[ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
#nix.binaryCaches = [ "https://hydra.iohk.io" ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
# boot.loader.systemd-boot.enable = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
age.secrets = {
# mailPass.file = ../../secrets/mailPass.age;
# wireguard-thrall.file = ../../secrets/wireguard-thrall.age;
};
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking = {
hostName = "dregil";
domain = "failco.de";
wireless.enable = true;
useDHCP = true;
enableIPv6 = true;
firewall = {
allowedTCPPorts = [ 22 ];
allowedUDPPorts = [ 42666 ];
};
# wireguard.interfaces = {
# wg0 = {
# ips = [ "10.0.0.1/24" ];
# listenPort = 42666;
#
# privateKeyFile = config.age.secrets.wireguard-thrall.path;
# peers = [
# {
# # my phone
# publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
# allowedIPs = [ "10.0.0.2/32" ];
# }
# {
# # my tablet
# publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
# allowedIPs = [ "10.0.0.3/32" ];
# }
# ];
# };
# };
};
security.acme = {
acceptTerms = true;
defaults.email = "alex@jakalx.net";
};
security.sudo = {
enable = true;
execWheelOnly = true;
extraRules = [{
groups = [ "wheel" ];
commands = [{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}];
}];
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "dvorak";
};
# Define a user account. Don't forget to set a password with passwd.
users.users.alex = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
shell = pkgs.zsh;
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
rsync
htop
tmux
git
#agenix.defaultPackage.x86_64-linux
restic # fast and secure backup
rclone
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
# enable zsh globally in order to get home.sessionPath to propagate :()
programs.zsh.enable = true;
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.lorri.enable = true;
# configure backup via restic to gdrive
services.restic.backups = { };
services.keybase = { enable = true; };
services.syncthing = {
enable = true;
user = "alex";
dataDir = "/home/alex/sync";
overrideDevices =
true; # overrides any devices added or deleted through the WebUI
overrideFolders =
true; # overrides any folders added or deleted through the WebUI
folders = {
"org" = {
path = "/home/alex/org";
devices = [ "thrall" "redmi" ];
};
"scan" = {
path = "/home/alex/media/scan";
devices = [ "thrall" "redmi" ];
};
};
devices = {
"redmi" = {
id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
};
};
};
system.stateVersion = "20.09"; # Did you read the comment?
}

23
hosts/thrall/default.nix
View file

@ -55,8 +55,8 @@ in {
defaultGateway = "195.90.208.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedTCPPorts = [ 22 80 443 5000 ];
allowedUDPPorts = [ 42666 ];
allowedTCPPorts = [ 22 53 80 443 5000 ];
allowedUDPPorts = [ 53 42666 ];
};
# wireguard related config
@ -70,18 +70,27 @@ in {
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [{
peers = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
];
};
};
};
@ -151,6 +160,12 @@ in {
# List services that you want to enable:
# depending on wireguard
services.kresd = {
enable = true;
listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
};
# Enable the OpenSSH daemon.
services.openssh.enable = true;