authorFranck Cuny <franck@fcuny.net>2025-07-21 13:00:38 -0700
committerFranck Cuny <franck@fcuny.net>2025-07-21 13:00:38 -0700
commit40d6a40b1de18f28003c4aa5f36d9b4b0ef4afdd (patch)
tree45a0902743971b1789b1f5d03efde7390cc0e95e /profiles
parentmove user configurations to top-level (diff)
downloadinfra-40d6a40b1de18f28003c4aa5f36d9b4b0ef4afdd.tar.gz
move all profiles, modules, and flakes to top-level
Diffstat (limited to 'profiles')
-rw-r--r--profiles/darwin.nix46
-rw-r--r--profiles/disk/vm.nix55
-rw-r--r--profiles/git-server.nix25
-rw-r--r--profiles/hardware/synology.nix23
-rw-r--r--profiles/home-manager.nix36
-rw-r--r--profiles/nix.nix47
-rw-r--r--profiles/server.nix85
7 files changed, 317 insertions, 0 deletions
diff --git a/profiles/darwin.nix b/profiles/darwin.nix
new file mode 100644
index 0000000..e355b72
--- /dev/null
+++ b/profiles/darwin.nix
@@ -0,0 +1,46 @@
+{ ... }:
+{
+ system.defaults = {
+ dock = {
+ autohide = true;
+ dashboard-in-overlay = false;
+ launchanim = false; # Don't animate opening applications.
+ mru-spaces = false; # don’t rearrange spaces based on the most recent use
+ orientation = "left";
+ show-recents = false;
+ showhidden = false;
+ tilesize = 60; # Default is 64.
+ wvous-br-corner = 1; # Disable Notes hot corner.
+ };
+ finder.AppleShowAllExtensions = true;
+
+ CustomUserPreferences = {
+ "com.apple.desktopservices" = {
+ # Avoid creating .DS_Store files on network or USB volumes
+ DSDontWriteNetworkStores = true;
+ DSDontWriteUSBStores = true;
+ };
+ };
+
+ # Requires the directory to already exist.
+ # See system.activationScripts.postUserActivation
+ screencapture.location = "~/Documents/screenshots";
+ SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true;
+ };
+
+ system.keyboard = {
+ enableKeyMapping = true;
+ remapCapsLockToControl = true;
+ };
+
+ # TODO: - The `system.activationScripts.postUserActivation` option has
+ # been removed, as all activation now takes place as `root`. Please
+ # restructure your custom activation scripts appropriately,
+ # potentially using `sudo` if you need to run commands as a user.
+ # system.activationScripts.postUserActivation.text = ''
+ # mkdir -p ~/Documents/screenshots
+ # '';
+
+ # Touch ID for sudo auth
+ security.pam.services.sudo_local.touchIdAuth = true;
+}
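Review bot: The precondition stated just above `screencapture.location` ("Requires the directory to already exist") is no longer satisfied by this module, because the `postUserActivation` script that ran `mkdir -p ~/Documents/screenshots` is now commented out, so on a fresh host the setting presumably has no effect until something else creates the directory. Either create the directory from whatever now manages the user's home (home-manager is wired up elsewhere in this commit) or change the comment to name where it is created, e.g. `# Directory must be created by the user-level config (home-manager); this module no longer creates it.` The commented-out TODO block should then be deleted rather than kept as dead configuration.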
diff --git a/profiles/disk/vm.nix b/profiles/disk/vm.nix
new file mode 100644
index 0000000..1641339
--- /dev/null
+++ b/profiles/disk/vm.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
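Review bot: `disk.disk1.device` defaults to `/dev/sda`, a kernel-enumeration name that can change when a second disk is attached or between boots, and disko partitions whatever that name resolves to. The value is already `lib.mkDefault`, so the intent is that hosts override it; a comment should make that explicit, e.g. `# Hosts should override with a stable /dev/disk/by-id path; disko wipes whatever this resolves to.`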
diff --git a/profiles/git-server.nix b/profiles/git-server.nix
new file mode 100644
index 0000000..27eebc7
--- /dev/null
+++ b/profiles/git-server.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+ services.gitolite = {
+ enable = true;
+ adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ # let's make sure the default branch is `main'.
+ systemd.tmpfiles.rules = [
+ "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
+ [init]
+ defaultBranch = main
+ ''}"
+ ];
+}
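Review bot: `$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"` points gitolite's custom-code directory into the gitolite-admin checkout, which means anyone who can push to gitolite-admin can run arbitrary code as the `git` user on this host; that is documented gitolite behaviour, but nothing in the rc block says so, and `adminPubkey` is the only gate on that repo. A comment above the line such as `# LOCAL_CODE lives in the admin repo: push access to gitolite-admin is code execution as the git user.` would make the trust boundary explicit. The same comment style already used for `UMASK` would also help on `GIT_CONFIG_KEYS` (which config keys repo owners may set, and that they are limited to `cgit.*`).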
diff --git a/profiles/hardware/synology.nix b/profiles/hardware/synology.nix
new file mode 100644
index 0000000..ad1fd3f
--- /dev/null
+++ b/profiles/hardware/synology.nix
@@ -0,0 +1,23 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
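Review bot: The file name `hardware/synology.nix` does not convey that this is a QEMU guest configuration (it imports `qemu-guest.nix` and loads the `virtio_*` modules), so a reader looking for NAS hardware settings will be surprised. A one-line header comment naming the role would help, e.g. `# Hardware profile for a QEMU/virtio guest (VM hosted on the Synology NAS).`; I am inferring the hosting relationship from the file name, so adjust the wording if that is wrong.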
diff --git a/profiles/home-manager.nix b/profiles/home-manager.nix
new file mode 100644
index 0000000..3a81cce
--- /dev/null
+++ b/profiles/home-manager.nix
@@ -0,0 +1,36 @@
+{
+ self,
+ hostName,
+ inputs,
+ config,
+ adminUser,
+ ...
+}:
+{
+ home-manager.extraSpecialArgs =
+ {
+ inherit
+ self
+ hostName
+ inputs
+ adminUser
+ ;
+ }
+ // {
+ mainConfig = config;
+ configPath = "${self}/configs/users/fcuny";
+ };
+
+ home-manager.sharedModules = [
+ inputs.agenix.homeManagerModules.default
+ "${self}/users/modules/userinfo.nix"
+ {
+ nixpkgs.overlays = [
+ inputs.agenix.overlays.default
+ inputs.emacs-overlay.overlay
+ self.overlays.default
+ ];
+ nixpkgs.config.allowUnfree = true;
+ }
+ ];
+}
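Review bot: `configPath = "${self}/configs/users/fcuny"` hard-codes the user name while `adminUser` is taken as a module argument and forwarded on the lines just above, so a host with a different admin user would get a configPath that does not match. If `adminUser` is the plain user name (its type is not visible in this hunk), `configPath = "${self}/configs/users/${adminUser}";` keeps the two in sync; otherwise a comment stating that the path is intentionally fixed would avoid the question.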
diff --git a/profiles/nix.nix b/profiles/nix.nix
new file mode 100644
index 0000000..acfe151
--- /dev/null
+++ b/profiles/nix.nix
@@ -0,0 +1,47 @@
+{ lib, pkgs, ... }:
+{
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ };
+ optimise = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ trusted-substituters = [
+ "https://cachix.cachix.org"
+ "https://nixpkgs.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+ "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = lib.mkDefault [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+}
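Review bot: `gc.interval` and `optimise.interval` (with `Weekday`/`Hour`/`Minute`) are the nix-darwin spellings of these schedules; NixOS uses `nix.gc.dates` and `nix.optimise.dates` and, as far as I know, has no `interval` option, yet `profiles/server.nix` in this same commit imports `./nix.nix` for a Linux host, so evaluation there would fail unless something outside this diff defines those options. Consider keeping only the shared `package`/`extraOptions`/`settings` here and moving the two schedules to the darwin profile, or wrapping them in `lib.optionalAttrs pkgs.stdenv.isDarwin { ... }` merged into the `nix` attrset, since the module already takes `lib` and `pkgs`. Separately, `trusted-users` is effectively root-equivalent on the daemon side (a trusted user can import unsigned store paths and pick any substituter), so the list deserves a comment to that effect, e.g. `# trusted-users is root-equivalent for the nix daemon; keep this list minimal.`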
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..1588314
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,85 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+
+ imports = [
+ ./nix.nix
+ ];
+
+ time.timeZone = "America/Los_Angeles";
+
+ # Don't require password for sudo
+ security.sudo.wheelNeedsPassword = false;
+
+ # Virtualization settings
+ virtualisation.docker.enable = true;
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ fd
+ fish
+ git
+ htop
+ jq
+ mtr
+ pciutils
+ powertop
+ ripgrep
+ tcpdump
+ traceroute
+ vim
+ ];
+
+ boot.kernel.sysctl = {
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ };
+
+ networking = {
+ firewall = {
+ enable = false;
+ allowPing = true;
+ logRefusedConnections = false;
+ };
+ useNetworkd = lib.mkDefault true;
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+
+ # Default to systemd-networkd usage.
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ # Use systemd-resolved for DoT support.
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ extraConfig = ''
+ DNSOverTLS=yes
+ '';
+ };
+
+ # Used by systemd-resolved, not directly by resolv.conf.
+ networking.nameservers = [
+ "8.8.8.8#dns.google"
+ "1.0.0.1#cloudflare-dns.com"
+ ];
+
+ ## disable that slow "building man-cache" step
+ documentation.man.generateCaches = lib.mkForce false;
+}
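Review bot: `networking.firewall.enable = false` and `security.sudo.wheelNeedsPassword = false` are set unconditionally in a profile every server imports, and neither carries a reason; together with `virtualisation.docker.enable = true` (membership in the docker group is generally root-equivalent) the result is passwordless root for wheel and docker members on a host with no packet filter. Set both with `lib.mkDefault`, as the file already does for `useNetworkd` and `useDHCP`, so an exposed host can override them, and add a comment stating the assumption, e.g. `# mkDefault: hosts reachable from untrusted networks must re-enable the firewall.` The `dnssec = "false"` string is the correct enum form for `services.resolved.dnssec`, so no change is needed there.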