Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/boot/default.nix44
-rw-r--r--modules/system/btrfs/default.nix5
-rw-r--r--modules/system/console/default.nix6
-rw-r--r--modules/system/default.nix16
-rw-r--r--modules/system/documentation/default.nix14
-rw-r--r--modules/system/fonts/default.nix29
-rw-r--r--modules/system/locale/default.nix7
-rw-r--r--modules/system/nix/default.nix16
-rw-r--r--modules/system/packages/default.nix51
-rw-r--r--modules/system/security/default.nix6
-rw-r--r--modules/system/users/default.nix39
11 files changed, 233 insertions, 0 deletions
diff --git a/modules/system/boot/default.nix b/modules/system/boot/default.nix
new file mode 100644
index 0000000..b037f63
--- /dev/null
+++ b/modules/system/boot/default.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, lib, ... }:
+let cfg = config.my.system.boot;
+in {
+ options.my.system.boot = with lib; {
+ tmp = { clean = mkEnableOption "clean `/tmp` on boot."; };
+ initrd = {
+ network = { enable = mkEnableOption "enable SSH with initrd"; };
+ };
+ };
+
+ config = {
+ boot = {
+ loader = {
+ # Use the systemd-boot EFI boot loader.
+ systemd-boot.enable = true;
+ # Prohibits gaining root access by passing init=/bin/sh as a kernel parameter
+ systemd-boot.editor = false;
+ efi.canTouchEfiVariables = true;
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ cleanTmpDir = cfg.tmp.clean;
+ tmpOnTmpfs = true;
+
+ initrd = {
+ luks.devices."system".allowDiscards = true;
+ network = lib.mkIf cfg.initrd.network.enable {
+ enable = true;
+ postCommands = ''
+ echo "cryptsetup-askpass; exit" > /root/.profile
+ '';
+ ssh = {
+ enable = true;
+ port = 2222;
+ hostKeys =
+ [ /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key ];
+ authorizedKeys =
+ config.users.users.fcuny.openssh.authorizedKeys.keys;
+ };
+ };
+ };
+ };
+ };
+}
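Review bot: The `hostKeys` list in the initrd `ssh` block uses unquoted Nix path literals that point at the machine's regular sshd host keys. Path literals are copied into the world-readable Nix store when evaluated, and the initrd lives outside the LUKS volume, so the host's long-term private keys would be readable by local users and by anyone with access to the boot partition. Generate a dedicated key pair for the initrd and reference it as a string, which as far as I can tell is what lets NixOS treat it as an initrd secret rather than a store path, e.g. `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];` (example path). A short comment on `allowDiscards = true` noting that TRIM on an encrypted device reveals which blocks are in use would also help the next reader.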
diff --git a/modules/system/btrfs/default.nix b/modules/system/btrfs/default.nix
new file mode 100644
index 0000000..d569c78
--- /dev/null
+++ b/modules/system/btrfs/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ services.btrfs.autoScrub.enable = true;
+}
diff --git a/modules/system/console/default.nix b/modules/system/console/default.nix
new file mode 100644
index 0000000..c9c24b0
--- /dev/null
+++ b/modules/system/console/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
new file mode 100644
index 0000000..bf3e367
--- /dev/null
+++ b/modules/system/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ imports = [
+ ./boot
+ ./btrfs
+ ./console
+ ./documentation
+ ./fonts
+ ./locale
+ ./nix
+ ./packages
+ ./security
+ ./users
+ ];
+}
diff --git a/modules/system/documentation/default.nix b/modules/system/documentation/default.nix
new file mode 100644
index 0000000..67f84ff
--- /dev/null
+++ b/modules/system/documentation/default.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }: {
+ documentation = {
+ enable = true;
+ dev.enable = true;
+ info.enable = true;
+ man = {
+ enable = true;
+ generateCaches = true;
+ };
+ nixos.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [ man-pages man-pages-posix ];
+}
diff --git a/modules/system/fonts/default.nix b/modules/system/fonts/default.nix
new file mode 100644
index 0000000..df01140
--- /dev/null
+++ b/modules/system/fonts/default.nix
@@ -0,0 +1,29 @@
+{ pkgs, config, lib, ... }:
+let cfg = config.my.systems.fonts;
+in {
+ options.my.systems.fonts = with lib; {
+ enable = mkEnableOption "fonts configuration";
+ };
+
+ config = lib.mkIf cfg.enable {
+ fonts = {
+ enableDefaultFonts = true;
+ fontDir.enable = true;
+ fontconfig.enable = true;
+ fonts = with pkgs; [
+ dejavu_fonts
+ font-awesome_5
+ noto-fonts
+ noto-fonts-cjk # Chinese, Japanese, Korean
+ noto-fonts-emoji
+ noto-fonts-emoji
+ noto-fonts-extra
+ source-code-pro
+ source-sans-pro
+ source-serif-pro
+ ];
+
+ fontconfig.defaultFonts = { monospace = [ "Source Code Pro" ]; };
+ };
+ };
+}
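Review bot: The option is declared under `my.systems.fonts` (plural) while the boot module in this commit uses `my.system.boot`, so the two modules end up in different option namespaces. If that is unintentional, rename it to `options.my.system.fonts` with `cfg = config.my.system.fonts`. `noto-fonts-emoji` is also listed twice in `fonts.fonts`; the same duplicate-entry slip occurs with `openssl` in modules/system/packages/default.nix.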
diff --git a/modules/system/locale/default.nix b/modules/system/locale/default.nix
new file mode 100644
index 0000000..2026764
--- /dev/null
+++ b/modules/system/locale/default.nix
@@ -0,0 +1,7 @@
+# Language settings
+{ ... }: {
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ time.timeZone = "America/Los_Angeles";
+}
diff --git a/modules/system/nix/default.nix b/modules/system/nix/default.nix
new file mode 100644
index 0000000..2ad20c3
--- /dev/null
+++ b/modules/system/nix/default.nix
@@ -0,0 +1,16 @@
+# Nix related settings
+{ lib, pkgs, ... }: {
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ autoOptimiseStore = true;
+ trustedUsers = [ "root" "@wheel" ];
+
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 14d";
+ };
+ };
+}
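Review bot: `trustedUsers = [ "root" "@wheel" ];` makes every wheel member a trusted user of the Nix daemon, which the Nix manual describes as essentially equivalent to root access because trusted users can override substituters and import unsigned store paths. That may be acceptable on a single-user machine, but the line should carry a comment stating the trade-off, e.g. `# trusted users can bypass signature checks; treat as root-equivalent`. If the goal is only to use additional binary caches, consider keeping the trusted list at root and declaring the caches in the configuration instead.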
diff --git a/modules/system/packages/default.nix b/modules/system/packages/default.nix
new file mode 100644
index 0000000..3747f6e
--- /dev/null
+++ b/modules/system/packages/default.nix
@@ -0,0 +1,51 @@
+# Common packages
+{ config, lib, pkgs, ... }:
+with lib;
+let linuxpkgs = config.boot.kernelPackages;
+in {
+
+ # It's always useful to have bash around
+ environment.shells = with pkgs; [ bashInteractive ];
+
+ environment.systemPackages = with pkgs; [
+ binutils
+ cacert
+ curl
+ dmidecode
+ ethtool
+ flameGraph
+ git
+ htop
+ hwdata
+ iftop
+ iptraf-ng
+ linuxPackages.cpupower
+ linuxpkgs.perf
+ lm_sensors
+ lsb-release
+ lsof
+ man-pages
+ mg
+ mtr
+ numactl
+ openssl
+ openssl
+ parted
+ pciutils
+ perf-tools
+ powertop
+ rsync
+ sqlite
+ strace
+ tcpdump
+ tmux
+ traceroute
+ unzip
+ usbutils
+ vim
+ wget
+ wireguard
+ ];
+
+ programs.bcc.enable = true;
+}
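Review bot: `linuxPackages.cpupower` is taken from the default kernel package set, whereas `linuxpkgs` is bound to `config.boot.kernelPackages`, which the boot module sets to `pkgs.linuxPackages_latest`. cpupower may therefore be built against a different kernel version than the running one and than `linuxpkgs.perf` on the next line; use `linuxpkgs.cpupower`. `with lib;` is not used anywhere in this file and can be dropped, and `man-pages` is already installed by the documentation module.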
diff --git a/modules/system/security/default.nix b/modules/system/security/default.nix
new file mode 100644
index 0000000..1181e6a
--- /dev/null
+++ b/modules/system/security/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+ security.sudo.wheelNeedsPassword = false;
+ security.polkit.enable = true;
+}
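Review bot: `security.sudo.wheelNeedsPassword = false;` lets any process running as a wheel member become root without a prompt, so a compromised user session or a stolen SSH key for that account is immediately a full root compromise. The users module in this commit already sets a password hash for the wheel user, so keeping the default (password required) costs little. If passwordless sudo is intended, say so in a comment, e.g. `# single-user host: passwordless root for wheel is accepted`.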
diff --git a/modules/system/users/default.nix b/modules/system/users/default.nix
new file mode 100644
index 0000000..3086f18
--- /dev/null
+++ b/modules/system/users/default.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+let
+ groupExists = grp: builtins.hasAttr grp config.users.groups;
+ groupsIfExist = builtins.filter groupExists;
+in {
+ # Users are managed through this configuration. If a user is added
+ # manually, it will be removed on system activation.
+ users.mutableUsers = false;
+
+ users.groups.fcuny = { gid = 1000; };
+ users.users.fcuny = {
+ isNormalUser = true;
+ uid = 1000;
+ group = "fcuny";
+ home = "/home/fcuny";
+ shell = pkgs.zsh;
+ extraGroups = groupsIfExist [
+ "docker"
+ "users"
+ "nas" # in order to access to files downloaded by transmission
+ "wheel" # `sudo` for the user.
+ "cdrom" # in order to read from the bluray
+ ];
+ hashedPassword =
+ "$6$i.z1brxtb44JAEco$fDD2Izl.zRR9vBCB2VBKPScChGw38EEl7QEiBTJ/EwgP3oSL0X3ZHq0PJ.RtqzBsWTPUjl4F3MKOBMhnaAPr6.";
+ openssh.authorizedKeys.keys = [
+ # aptos
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl"
+ # work
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSWhXmnUplM+xltD0sYiJ6AsjkwHvbjTYLA7GHXHja9"
+ ];
+ };
+
+ users.users.root = {
+ hashedPassword = null;
+ openssh.authorizedKeys.keys =
+ config.users.users.fcuny.openssh.authorizedKeys.keys;
+ };
+}
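Review bot: The `hashedPassword` value for fcuny is committed in the repository, where a `$6$` crypt hash is open to offline guessing by anyone who can read the repository, and it is also copied into the world-readable Nix store. Keep the hash in a file outside the repository and reference it instead, e.g. `passwordFile = "/path/to/fcuny.passwd";` (placeholder path), and rotate the password since the current hash is already published. Separately, root is given the same `authorizedKeys` as fcuny, which permits direct key-based root login wherever sshd allows it; since fcuny is in wheel, that block could be dropped or justified in a comment. `groupsIfExist` silently drops groups that are not defined, so a typo such as a misspelled `wheel` would go unnoticed; a one-line comment on that helper would make the behaviour explicit.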