From 09513b5c4e4babfaefdd06c592ef34c0908dc572 Mon Sep 17 00:00:00 2001
From: sadbeast
Date: Thu, 30 May 2024 00:47:47 +0000
Subject: oh god what have i done
---
hosts/common/global/default.nix | 174 ++++++++++++++++++++++++++++++++++++++++
hosts/common/global/sops.nix | 17 ++++
2 files changed, 191 insertions(+)
create mode 100644 hosts/common/global/default.nix
create mode 100644 hosts/common/global/sops.nix
(limited to 'hosts/common/global')
diff --git a/hosts/common/global/default.nix b/hosts/common/global/default.nix
new file mode 100644
index 0000000..3f33d55
--- /dev/null
+++ b/hosts/common/global/default.nix
@@ -0,0 +1,174 @@
+# This holds configuration common across hosts
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ # You can import other NixOS modules here
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ inputs.impermanence.nixosModules.impermanence
+ ./sops.nix
+ ];
+
+ #home-manager.useGlobalPkgs = true;
+ home-manager.backupFileExtension = "backup";
+ home-manager.extraSpecialArgs = {
+ inherit inputs outputs;
+ };
+
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ # Add overlays your own flake exports (from overlays and pkgs dir):
+ outputs.overlays.additions
+ # outputs.overlays.modifications
+
+ outputs.overlays.stable-packages
+
+ # You can also add overlays exported from other flakes:
+ # neovim-nightly-overlay.overlays.default
+
+ # Or define it inline, for example:
+ # (final: prev: {
+ # hi = final.hello.overrideAttrs (oldAttrs: {
+ # patches = [ ./change-hello-to-hi.patch ];
+ # });
+ # })
+ ];
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ nix = let
+ flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+ in {
+ settings = {
+ # Enable flakes and new 'nix' command
+ experimental-features = "nix-command flakes ca-derivations";
+ # Opinionated: disable global registry
+ flake-registry = "";
+ # Workaround for https://github.com/NixOS/nix/issues/9574
+ nix-path = config.nix.nixPath;
+ };
+ gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 7d";
+ };
+ # Opinionated: disable channels
+ channel.enable = false;
+
+ # Opinionated: make flake registry and nix path match flake inputs
+ registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+ nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "emacs2";
+ };
+
+ programs = {
+ sway.enable = true;
+ zsh.enable = true;
+ git.enable = true;
+
+ fuse.userAllowOther = 
true;
+ };
+
+ users.mutableUsers = false;
+
+ users.users.sadbeast = {
+ hashedPasswordFile = config.sops.secrets.sadbeast-password.path;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGpEusv/bS34Q1JQxZXikdcwnq1vToz2d+HgV+E8NRX"
+ ];
+
+ extraGroups = ["wheel" "audio" "docker"];
+ shell = pkgs.zsh;
+ packages = [pkgs.home-manager];
+ };
+
+ sops.secrets.sadbeast-password = {
+ sopsFile = ../secrets.yaml;
+ neededForUsers = true;
+ };
+
+ home-manager.users.sadbeast = import ../../../home/sadbeast/${config.networking.hostName}.nix;
+
+ # This setups a SSH server. Very important if you're setting up a headless system.
+ # Feel free to remove if you don't need it.
+ services = {
+ avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
+
+ openssh = {
+ enable = true;
+ settings = {
+ # Opinionated: forbid root login through SSH.
+ PermitRootLogin = "no";
+ # Opinionated: use keys only.
+ # Remove if you want to SSH using passwords
+ PasswordAuthentication = false;
+ };
+ };
+
+ pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ printing.enable = true;
+ };
+ security = {
+ polkit.enable = true;
+ # rtkit is optional but recommended
+ rtkit.enable = true;
+ sudo.wheelNeedsPassword = false;
+
+ pam.services = {
+ swaylock = {};
+ };
+ };
+
+ # environment.persistence."/persistent" = {
+ # hideMounts = true;
+ # directories = [
+ # "/var/log"
+ # "/var/lib/nixos"
+ # "/var/lib/systemd"
+ # ];
+ # files = [
+ # "/etc/machine-id"
+ # "/var/lib/sops-nix/keys.txt"
+ # ];
+ # };
+
+ # system.activationScripts.persistent-dirs.text = let
+ # mkHomePersist = user:
+ # lib.optionalString user.createHome ''
+ # mkdir -p /persistent/${user.home}
+ # chown ${user.name}:${user.group} /persistent/${user.home}
+ # chmod ${user.homeMode} /persistent/${user.home}
+ # '';
+ # users = lib.attrValues config.users.users;
+ # in
+ # lib.concatLines (map 
mkHomePersist users);
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/common/global/sops.nix b/hosts/common/global/sops.nix
new file mode 100644
index 0000000..9d1d42b
--- /dev/null
+++ b/hosts/common/global/sops.nix
@@ -0,0 +1,17 @@
+{
+ inputs,
+ lib,
+ config,
+ ...
+}: {
+ imports = [inputs.sops-nix.nixosModules.sops];
+
+ sops = {
+ age = {
+ #keyFile = "/persistent/var/lib/sops-nix/keys.txt";
+ keyFile = "/var/lib/sops-nix/keys.txt";
+ sshKeyPaths = [];
+ };
+ gnupg.sshKeyPaths = [];
+ };
+}
-- cgit v1.2.3
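Review bot: `sudo.wheelNeedsPassword = false;` in the `security` block of default.nix gives every wheel member root with no prompt, and `users.users.sadbeast` is placed in both `wheel` and `docker` (the docker group is root-equivalent on its own), so any process already running as that user escalates silently. This sits oddly next to the hardening the same file applies — `users.mutableUsers = false`, `PermitRootLogin = "no"`, `PasswordAuthentication = false` — and a sops-managed hash is already wired up via `hashedPasswordFile`, so sudo would have a password to verify. Suggest `sudo.wheelNeedsPassword = true;` (the NixOS default), or, if passwordless sudo is a deliberate choice for single-user desktops, a comment on that line recording the trade-off, e.g. `# Opinionated: passwordless sudo for wheel; accepted risk on single-user hosts`. The `docker` membership deserves the same one-line justification, since it is not covered by the sudo setting at all.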
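Review bot: `age.keyFile = "/var/lib/sops-nix/keys.txt"` is the only identity that can decrypt `../secrets.yaml` (both `sshKeyPaths` lists are emptied), and the file says nothing about how that key reaches a fresh host or who may read it; default.nix consumes `sadbeast-password` with `neededForUsers = true`, so a missing or unreadable key file presumably leaves the account without a usable hash at activation rather than failing somewhere convenient. The commented `/persistent/...` alternative, together with the commented impermanence block in default.nix, suggests the key is meant to survive root wipes later — if that plan is revived, the live path here has to change in step or the host loses its secrets on the first reboot. Suggest a comment above `keyFile`, e.g. `# Sole age identity for ../secrets.yaml; provisioned out-of-band and root-only readable. The user password hash (neededForUsers) depends on it at boot.`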