Diffstat (limited to 'profiles')
| -rw-r--r-- | profiles/darwin.nix | 46 | ||||
| -rw-r--r-- | profiles/disk/vm.nix | 55 | ||||
| -rw-r--r-- | profiles/git-server.nix | 25 | ||||
| -rw-r--r-- | profiles/hardware/synology.nix | 23 | ||||
| -rw-r--r-- | profiles/home-manager.nix | 36 | ||||
| -rw-r--r-- | profiles/nix.nix | 47 | ||||
| -rw-r--r-- | profiles/server.nix | 85 |
7 files changed, 317 insertions, 0 deletions
diff --git a/profiles/darwin.nix b/profiles/darwin.nix
new file mode 100644
index 0000000..e355b72
--- /dev/null
+++ b/profiles/darwin.nix
@@ -0,0 +1,46 @@
+{ ... }:
+{
+ system.defaults = {
+ dock = {
+ autohide = true;
+ dashboard-in-overlay = false;
+ launchanim = false; # Don't animate opening applications.
+ mru-spaces = false; # don’t rearrange spaces based on the most recent use
+ orientation = "left";
+ show-recents = false;
+ showhidden = false;
+ tilesize = 60; # Default is 64.
+ wvous-br-corner = 1; # Disable Notes hot corner.
+ };
+ finder.AppleShowAllExtensions = true;
+
+ CustomUserPreferences = {
+ "com.apple.desktopservices" = {
+ # Avoid creating .DS_Store files on network or USB volumes
+ DSDontWriteNetworkStores = true;
+ DSDontWriteUSBStores = true;
+ };
+ };
+
+ # Requires the directory to already exist.
+ # See system.activationScripts.postUserActivation
+ screencapture.location = "~/Documents/screenshots";
+ SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true;
+ };
+
+ system.keyboard = {
+ enableKeyMapping = true;
+ remapCapsLockToControl = true;
+ };
+
+ # TODO: - The `system.activationScripts.postUserActivation` option has
+ # been removed, as all activation now takes place as `root`. Please
+ # restructure your custom activation scripts appropriately,
+ # potentially using `sudo` if you need to run commands as a user.
+ # system.activationScripts.postUserActivation.text = ''
+ # mkdir -p ~/Documents/screenshots
+ # '';
+
+ # Touch ID for sudo auth
+ security.pam.services.sudo_local.touchIdAuth = true;
+}
diff --git a/profiles/disk/vm.nix b/profiles/disk/vm.nix
new file mode 100644
index 0000000..1641339
--- /dev/null
+++ b/profiles/disk/vm.nix
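Review bot: `screencapture.location = "~/Documents/screenshots";` now points at a directory nothing in this module creates, because the `mkdir -p` that used to run in `postUserActivation` is left commented out under the TODO. The comment two lines above it, `# See system.activationScripts.postUserActivation`, still sends readers to an option the TODO itself says no longer exists, so the two comments contradict each other. I would either move the `mkdir -p` into a per-user home-manager activation step or replace the stale comment with `# Requires the directory to already exist; this module does not create it (see TODO below).` Whether macOS silently falls back when the directory is missing is something I'd confirm rather than assume.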
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/profiles/git-server.nix b/profiles/git-server.nix
new file mode 100644
index 0000000..27eebc7
--- /dev/null
+++ b/profiles/git-server.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+ services.gitolite = {
+ enable = true;
+ adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ user = "git";
+ group = "git";
+ extraGitoliteRc = ''
+ # Make dirs/files group readable, needed for webserver/cgit. (Default
+ # setting is 0077.)
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
+ $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
+ push( @{$RC{ENABLE}}, 'symbolic-ref' );
+ '';
+ };
+
+ # let's make sure the default branch is `main'.
+ systemd.tmpfiles.rules = [
+ "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
+ [init]
+ defaultBranch = main
+ ''}"
+ ];
+}
diff --git a/profiles/hardware/synology.nix b/profiles/hardware/synology.nix
new file mode 100644
index 0000000..ad1fd3f
--- /dev/null
+++ b/profiles/hardware/synology.nix
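Review bot: The ESP at `mountpoint = "/boot";` is a vfat filesystem mounted with no `mountOptions`, so everything under /boot (kernels, initrds, bootloader state) is readable by every local user, since vfat has no per-file permissions beyond the mount-wide mask. The root LV later in the same hunk already uses the `mountOptions` list form, so the ESP should get `mountOptions = [ "umask=0077" ];` next to `mountpoint = "/boot";`, which is the usual disko convention for ESPs and, as far as I recall, also avoids the world-accessible warning systemd-boot prints about its random-seed file. `device = lib.mkDefault "/dev/sda";` is fine as an overridable default but a one-line comment saying hosts are expected to override it would stop someone wiping the wrong disk on a host that forgets to.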
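Review bot: `$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";` loads hooks and extensions from the gitolite-admin repository, which per gitolite's own documentation means anyone who can push to gitolite-admin can run arbitrary code as the `git` user; the adjacent `push( @{$RC{ENABLE}}, 'symbolic-ref' );` likewise widens what repo users may do. Neither line carries a comment while the `UMASK` change above them does, so the trust decision is invisible to the next reader. I'd add `# LOCAL_CODE under GL_ADMIN_BASE: anyone with push access to gitolite-admin can add hooks that run as the git user.` above the `LOCAL_CODE` line, and a short note on the `symbolic-ref` line saying why users need to change HEAD (presumably to pick a default branch, in line with the tmpfiles rule below).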
@@ -0,0 +1,23 @@
+{ lib, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/profiles/home-manager.nix b/profiles/home-manager.nix
new file mode 100644
index 0000000..3a81cce
--- /dev/null
+++ b/profiles/home-manager.nix
@@ -0,0 +1,36 @@
+{
+ self,
+ hostName,
+ inputs,
+ config,
+ adminUser,
+ ...
+}:
+{
+ home-manager.extraSpecialArgs =
+ {
+ inherit
+ self
+ hostName
+ inputs
+ adminUser
+ ;
+ }
+ // {
+ mainConfig = config;
+ configPath = "${self}/configs/users/fcuny";
+ };
+
+ home-manager.sharedModules = [
+ inputs.agenix.homeManagerModules.default
+ "${self}/users/modules/userinfo.nix"
+ {
+ nixpkgs.overlays = [
+ inputs.agenix.overlays.default
+ inputs.emacs-overlay.overlay
+ self.overlays.default
+ ];
+ nixpkgs.config.allowUnfree = true;
+ }
+ ];
+}
diff --git a/profiles/nix.nix b/profiles/nix.nix
new file mode 100644
index 0000000..acfe151
--- /dev/null
+++ b/profiles/nix.nix
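Review bot: `configPath = "${self}/configs/users/fcuny";` hard-codes one user while `adminUser` is threaded through the very same attribute set, so a host with a different admin would get the wrong config directory; if `adminUser` is a plain user name (I can't tell from this hunk), `configPath = "${self}/configs/users/${adminUser}";` keeps the two consistent. Separately, `{ inherit ...; } // { ... }` merges two literal attribute sets that could simply be one: `{ inherit self hostName inputs adminUser; mainConfig = config; configPath = ...; }`. `nixpkgs.config.allowUnfree = true;` inside `sharedModules` applies to every home-manager user on every host; a one-line comment naming what needs unfree would make that global choice reviewable later.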
@@ -0,0 +1,47 @@
+{ lib, pkgs, ... }:
+{
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ };
+ optimise = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ trusted-substituters = [
+ "https://cachix.cachix.org"
+ "https://nixpkgs.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+ "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = lib.mkDefault [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+}
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..1588314
--- /dev/null
+++ b/profiles/server.nix
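Review bot: `gc.interval` and `optimise.interval` with `Weekday`/`Hour`/`Minute` are, as far as I recall, the nix-darwin (launchd) spellings; NixOS exposes `nix.gc.dates` and `nix.optimise.dates` instead and rejects unknown options, yet `profiles/server.nix` in this same commit imports `./nix.nix` on a systemd-boot host. If the file is meant to be shared, the schedule needs a per-platform split (for example wrapping the two `interval` blocks in `lib.mkIf pkgs.stdenv.isDarwin` and setting `dates = "weekly";` on the NixOS side), or the shared part reduced to `settings`. Also, `trusted-users = [ "@admin" "fcuny" ];` hands those users what amounts to root on the daemon, since trusted users may add arbitrary substituters and override sandbox settings; a comment such as `# trusted-users is effectively root-equivalent on the nix daemon` beside it records that this is deliberate.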
@@ -0,0 +1,85 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+
+ imports = [
+ ./nix.nix
+ ];
+
+ time.timeZone = "America/Los_Angeles";
+
+ # Don't require password for sudo
+ security.sudo.wheelNeedsPassword = false;
+
+ # Virtualization settings
+ virtualisation.docker.enable = true;
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ fd
+ fish
+ git
+ htop
+ jq
+ mtr
+ pciutils
+ powertop
+ ripgrep
+ tcpdump
+ traceroute
+ vim
+ ];
+
+ boot.kernel.sysctl = {
+ "net.ipv4.tcp_fastopen" = 3;
+ "net.ipv4.tcp_tw_reuse" = 1;
+ };
+
+ networking = {
+ firewall = {
+ enable = false;
+ allowPing = true;
+ logRefusedConnections = false;
+ };
+ useNetworkd = lib.mkDefault true;
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+
+ # Default to systemd-networkd usage.
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ # Use systemd-resolved for DoT support.
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ extraConfig = ''
+ DNSOverTLS=yes
+ '';
+ };
+
+ # Used by systemd-resolved, not directly by resolv.conf.
+ networking.nameservers = [
+ "8.8.8.8#dns.google"
+ "1.0.0.1#cloudflare-dns.com"
+ ];
+
+ ## disable that slow "building man-cache" step
+ documentation.man.generateCaches = lib.mkForce false;
+} |
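Review bot: `firewall.enable = false;` carries no comment explaining why this profile runs with no packet filter, and with `virtualisation.docker.enable = true;` on the same host every published container port becomes reachable from the network with nothing in front of it. If the intent is that these VMs sit behind the NAS's own firewall, say so in a comment next to `enable = false;`; otherwise keep the firewall on and open ports explicitly (`enable = true; allowedTCPPorts = [ ... ];`). `security.sudo.wheelNeedsPassword = false;` is explained only by restating itself (`# Don't require password for sudo`); the comment should say what makes it acceptable here, for example key-only SSH on a single-admin VM. `dnssec = "false";` beside `DNSOverTLS=yes` is a defensible choice as written, but one word in the `# Use systemd-resolved for DoT support.` comment would stop the next reader from "fixing" it.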
