Commit 06b3a59bd619
Changed files (24)
systems/common/base/default.nix
@@ -37,6 +37,7 @@
pciutils
psmisc
pv
+ ripgrep
rsync
tpm2-tss
traceroute
systems/common/desktop/default.nix
@@ -5,11 +5,12 @@
}:
{
imports = [
- # (./. + "/${desktop}.nix")
+ (./. + "/${desktop}.nix")
./binfmt.nix
+ ../programs/nix-ld.nix
+ ../services/pipewire.nix
# ../hardware/yubikey.nix
- # ../services/pipewire.nixt
# ../virt
];
# Enable Plymouth and surpress some logs by default.
@@ -39,5 +40,76 @@
ripgrep
];
- services.power-profiles-daemon.enable = true;
+ fonts = {
+ fontDir.enable = true;
+ enableGhostscriptFonts = true;
+ packages = with pkgs; [
+ cascadia-code
+ corefonts
+ dejavu_fonts
+ # emojione
+ feh
+ fira
+ fira-code
+ fira-code-symbols
+ fira-mono
+ font-awesome
+ go-font
+ hack-font
+ inconsolata
+ jetbrains-mono
+ liberation_ttf
+ nerd-fonts.jetbrains-mono
+ nerd-fonts.inconsolata
+ nerd-fonts.fira-code
+ nerd-fonts.fira-mono
+ nerd-fonts.caskaydia-cove
+ nerd-fonts.caskaydia-mono
+ nerd-fonts.overpass
+ nerd-fonts.ubuntu
+ nerd-fonts.ubuntu-mono
+ nerd-fonts.ubuntu-sans
+ noto-fonts
+ noto-fonts-cjk-sans
+ noto-fonts-emoji
+ noto-fonts-extra
+ overpass
+ symbola
+ twemoji-color-font
+ ubuntu_font_family
+ unifont
+ recursive
+ ];
+
+ # Use fonts specified by user rather than default ones
+ enableDefaultPackages = false;
+
+ # TODO configure thoses
+ # fontconfig = {
+ # enable = true;
+ # defaultFonts = {
+ # serif = [
+ # "${theme.fonts.default.name}"
+ # "${theme.fonts.emoji.name}"
+ # ];
+ # sansSerif = [
+ # "${theme.fonts.default.name}"
+ # "${theme.fonts.emoji.name}"
+ # ];
+ # monospace = [ "${theme.fonts.monospace.name}" ];
+ # emoji = [ "${theme.fonts.emoji.name}" ];
+ # };
+ # };
+ };
+
+ services = {
+ envfs.enable = true;
+ power-profiles-daemon.enable = true;
+ udisks2.enable = true;
+
+ # Make `/run/user/X` larger
+ logind.extraConfig = ''
+ RuntimeDirectorySize=20%
+ '';
+ };
}
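Review bot: `services.envfs.enable = true` changes what absolute paths such as `/bin/sh` and `/usr/bin/env` mean — envfs resolves them from the PATH of the calling process — and the hunk gives no reason for turning it on. That is convenient for foreign scripts, but it also means a hard-coded `/usr/bin/<tool>` no longer names one fixed binary, so it deserves a why-comment, e.g. `# envfs: /bin and /usr/bin resolve from the caller's PATH for non-NixOS scripts; absolute paths are no longer pinned`. The same goes for `RuntimeDirectorySize=20%`: the comment says "larger" but not why 20% of RAM per logged-in user (it is a tmpfs) is the right size, so stating the use case that needed it would help the next reader.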
systems/common/desktop/sway.nix
@@ -0,0 +1,42 @@
+{ pkgs
+, lib
+, self
+, ...
+}:
+let
+ swayRun = pkgs.writeShellScript "sway-run" ''
+ export XDG_SESSION_TYPE=wayland
+ export XDG_SESSION_DESKTOP=sway
+ export XDG_CURRENT_DESKTOP=sway
+
+ systemd-run --user --scope --collect --quiet --unit=sway systemd-cat --identifier=sway ${pkgs.sway}/bin/sway $@
+ '';
+in
+{
+ imports = [
+ ./tiling-common.nix
+ ];
+
+ programs.sway = {
+ enable = true;
+ wrapperFeatures.gtk = true;
+ xwayland.enable = true;
+ };
+
+ # Allow swaylock to unlock the computer for us
+ security.pam.services.swaylock = {
+ text = "auth include login";
+ };
+
+ services.greetd.settings = {
+ default_session = {
+ # command = "${pkgs.greetd.greetd}/bin/agreety --cmd sway";
+ command = "${lib.makeBinPath [ pkgs.greetd.tuigreet ]}/tuigreet -r --asterisks --time --cmd ${swayRun}";
+ users = "greeter";
+ };
+ initial_session = {
+ command = "${swayRun}";
+ user = "vincent";
+ };
+ };
+}
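Review bot: `initial_session` starts `swayRun` as `vincent` with no credential check, so the machine boots straight into an unlocked desktop for whoever powers it on; that is only acceptable if full-disk encryption (not visible in this diff) is the gate, and it should be stated, e.g. `# Auto-login at boot: the LUKS passphrase is the only authentication on this host`. Two smaller issues in the same hunk: greetd's config key is `user`, not `users`, so `users = "greeter"` is presumably ignored and the greeter only runs as `greeter` because that is greetd's fallback; and `sway $@` in `swayRun` should be `sway "$@"` so arguments containing spaces survive.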
systems/common/desktop/tiling-common.nix
@@ -0,0 +1,50 @@
+{ lib, pkgs, ... }:
+{
+ programs = {
+ dconf.enable = true;
+ };
+
+ environment = {
+ variables.NIXOS_OZONE_WL = "1";
+
+ systemPackages = with pkgs; [
+ qogir-icon-theme
+ libheif
+ libheif.out
+ polkit_gnome
+ ];
+ };
+
+ services = {
+ dbus = {
+ enable = true;
+ implementation = "broker"; # trying this one out
+ packages = [ pkgs.dconf pkgs.gcr ];
+ };
+ greetd = {
+ enable = true;
+ restart = false;
+ };
+ gvfs.enable = true; # trying this one out
+
+ libinput = {
+ touchpad = {
+ disableWhileTyping = true;
+ additionalOptions = ''
+ Option "Ignore" "on"
+ '';
+ };
+ };
+ };
+
+ xdg = {
+ portal = {
+ enable = true;
+ wlr.enable = true;
+ extraPortals = with pkgs; [
+ xdg-desktop-portal-wlr
+ xdg-desktop-portal-gtk
+ ];
+ };
+ };
+}
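Review bot: `Option "Ignore" "on"` under `services.libinput.touchpad.additionalOptions` tells the X server to drop the touchpad device entirely, which reads like a leftover rather than an intentional setting, and it carries no comment. If the intent is that sway owns the touchpad and Xorg sessions should not see it, say so (`# Xorg only: ignore the touchpad, sway/libinput handles it directly`); otherwise remove the option. `xdg-desktop-portal-wlr` is also listed in `extraPortals` while `wlr.enable = true` already adds it, so one of the two is redundant.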
systems/common/hardware/bluetooth.nix
@@ -11,4 +11,5 @@
};
};
environment.systemPackages = if (builtins.isString desktop) then [ pkgs.blueberry ] else [ ];
+ services.blueman.enable = (builtins.isString desktop);
}
systems/common/hardware/laptop.nix
@@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+ # Some systctl options for all laptops
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 10;
+ "vm.dirty_ratio" = 25;
+ "vm.dirty_background_ratio" = 10;
+ "vm.dirty_writeback_centisecs" = 5000;
+ "vm.dirty_expire_centisecs" = 5000;
+ };
+
+ environment.systemPackages = with pkgs; [
+ acpi
+ powertop
+ ];
+
+ # Run nix-gc only when on AC power
+ systemd.services.nix-gc.unitConfig.ConditionACPower = true;
+
+ services = {
+ # When a laptop is docked or on external power, ignore the lid state (if the laptop is opened or closed)
+ logind.extraConfig = ''
+ HandleLidSwitchExternalPower=ignore
+ HandleLidSwitchDocked=ignore
+ '';
+ power-profiles-daemon.enable = true;
+ };
+
+}
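Review bot: `HandleLidSwitchExternalPower=ignore` and `HandleLidSwitchDocked=ignore` mean closing the lid on AC neither suspends nor locks the session, so the laptop sits unlocked on a desk unless an idle locker (not part of this diff) is running. A comment should make that dependency explicit, e.g. `# Lid close on AC does not suspend; locking is left to the session's idle daemon (swayidle/swaylock)`, and it is worth confirming such a locker is actually configured on the desktop profile. `power-profiles-daemon.enable = true` is also set in `desktop/default.nix`; harmless duplication, but one place would do.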
systems/common/hardware/yubikey.nix
@@ -0,0 +1,41 @@
+{ pkgs
+, desktop
+, ...
+}:
+{
+ environment.systemPackages = with pkgs; [
+ yubico-piv-tool
+ yubikey-personalization
+ yubikey-manager
+ ] ++ lib.optional (builtins.isString desktop) [
+ yubioath-flutter # Maybe not necessary
+ ];
+
+ programs.yubikey-touch-detector.enable = (builtins.isString desktop);
+
+ services = {
+ pcscd.enable = true;
+ udev = {
+ packages = [ pkgs.yubikey-personalization ];
+ # FIXME: is it necessary ?
+ extraRules = ''
+ # Yubico YubiKey
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
+ # ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ '';
+ };
+ };
+
+ security.pam.u2f = {
+ enable = true;
+ origin = "pam://yubi";
+ authFile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
+ "vincent"
+ ":4IiWZI9g6D8W6LeAW13ug4CnS8PreNRcHdcebkUDny3gWGfmpMJg4TgBWaZSIdh+sgg4jQA4MxYwTCmmP/ipWQ==,qOl+ouBRk6MMEJiE7H5LuTAirhBhN0UQrCNlLQoRsVttp6IBKG4yq4zDwm4fmYlfy1MFhvh7oOapMOmodMKJpQ==,es256,+presence" # yubikey5-a
+ ":Sz4J2qMhoE7bE/uzwUzjJxG/bE0s+cw18zXcQjRsLIdJTVbuMad1ivKlYeLZW6vWV0lYiODlRW21HTSaFzu06A==,p7OZ3z5fiAIuJRHVzm56Y8Ti934+4cVHjsG7kaapmz8cWPfXfXfj5c8QiyIz3EQ0hOoxVV5cbkzUTxe7hdQIsA==,es256,+presence" # yubikey5-c1
+ ]);
+ };
+
+ programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
+ services.yubikey-agent.enable = true;
+};
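Review bot: This module does not evaluate as written: `lib` is used in `lib.optional` and `lib.concatStrings` but is not in the argument pattern (`{ pkgs, desktop, ... }`), and the file ends with `};`, which is a parse error for a top-level attribute set — it only goes unnoticed because `../hardware/yubikey.nix` is still commented out in the desktop imports. The fix is `{ pkgs, lib, desktop, ... }:`, a plain `}` on the last line, and `lib.optionals` (plural) so `yubioath-flutter` is not wrapped in a nested list. On the security side, both mappings are registered with `+presence` only and `security.pam.u2f` defaults to `control = "sufficient"` as far as I recall, so a bare touch on a borrowed YubiKey satisfies login and sudo for `vincent` with no password or PIN; add `+pin` (or `+verification`) to each mapping entry, or set `control = "required"`, so the key remains a second factor. The udev rule also grants `GROUP="wheel"` on top of `TAG+="uaccess"`; the uaccess ACL already covers the active seat user, so the group grant is wider than needed, and the `FIXME` about whether the rule is required at all should be settled before the file is enabled.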
systems/common/programs/git/config
@@ -0,0 +1,38 @@
+[alias]
+ co = checkout
+ st = status
+ ci = commit --signoff
+ ca = commit --amend
+ b = branc --color -v
+ br = branch
+ unstage = reset HEAD
+ lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative
+ lga = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative --branches --remotes
+ lol = log --pretty=oneline --abbrev-commit --graph --decorate
+ conflicts = !git ls-files --unmerged | cut -c51- | sort -u | xargs $EDITOR
+ resolve = !git ls-files --unmerged | cut -c51- | sort -u | xargs git add
+[color]
+ branch = auto
+ diff = auto
+ status = auto
+[color "branch"]
+ current = cyan reverse
+ local = cyan
+ remote = green
+[color "diff"]
+ meta = white reverse
+ frag = magenta reverse
+ old = red
+ new = green
+[color "status"]
+ added = green
+ changed = yellow
+ untracked = red
+[core]
+ excludesfile = /etc/gitignore
+[push]
+ default = matching
+[merge]
+ tool = vimdiff
+[url "git@github.com:"]
+ pushInsteadOf = git://github.com/
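Review bot: The `b` alias expands to `branc --color -v`, which is not a git command, so `git b` fails; it should read `b = branch --color -v`. `pushInsteadOf = git://github.com/` only rewrites pushes, so fetches from such remotes still use the unauthenticated, unencrypted `git://` transport (which GitHub no longer serves); `insteadOf = git://github.com/` would rewrite both directions. The `conflicts`/`resolve` aliases depend on `cut -c51-`, i.e. a 40-character SHA-1 in `ls-files --unmerged` output, which breaks on SHA-256 repositories; `git diff --name-only --diff-filter=U` avoids the fixed offset.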
systems/common/programs/git/ignore
@@ -0,0 +1,61 @@
+# For emacs:
+*~
+*.*~
+\#*
+.\#*
+
+# For vim:
+*.swp
+.*.sw[a-z]
+*.un~
+Session.vim
+.netrwhist
+
+# Ignore tags (from etags and ctags)
+TAGS
+!TAGS/
+tags
+!tags/
+
+# Logs and databases #
+######################
+*.log
+*.cache
+
+# OS generated files #
+######################
+.DS_Store?
+.DS_Store
+.CFUserTextEncoding
+.Trash
+.Xauthority
+thumbs.db
+Icon?
+Thumbs.db
+.cache
+.pid
+.sock
+
+# Code stuffs #
+###############
+.svn
+.git
+.swp
+.idea
+.*.swp
+*~
+.tags
+tags
+.sass-cache
+tmp
+.codekit-cache
+config.codekit
+
+# Compiled thangs #
+###################
+*.class
+*.exe
+*.o
+*.so
+*.dll
+*.pyc
systems/common/programs/direnv.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+ programs.direnv.enable = true;
+ environment = {
+ # Path to link from packages to /run/current-system/sw
+ pathsToLink = [
+ "/share/nix-direnv"
+ ];
+ systemPackages = [ pkgs.direnv ];
+ };
+}
systems/common/programs/git.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+ environment = {
+ # Install some packages
+ systemPackages = with pkgs; [
+ git
+ ];
+ # Default gitconfig
+ etc."gitconfig".source = ./git/config;
+ etc."gitignore".source = ./git/ignore;
+ };
+}
systems/common/programs/nix-ld.nix
@@ -0,0 +1,75 @@
+{ lib
+, pkgs
+, desktop
+, ...
+}: {
+ programs = {
+ nix-ld = {
+ enable = true;
+ # put whatever libraries you think you might need
+ # nix-ld includes a strong sane-default as well
+ # in addition to these
+ libraries = with pkgs; [
+ acl
+ alsa-lib
+ at-spi2-atk
+ at-spi2-core
+ atk
+ attr
+ bzip2
+ cairo
+ curl
+ dbus
+ expat
+ fontconfig
+ freetype
+ fuse3
+ gdk-pixbuf
+ glib
+ glibc
+ icu
+ libdrm
+ libglvnd
+ libnotify
+ libpulseaudio
+ libsecret
+ libsodium
+ libssh
+ libunwind
+ libusb1
+ libuuid
+ libxkbcommon
+ mesa
+ nspr
+ nss
+ openssl
+ pango
+ pipewire
+ systemd
+ stdenv.cc.cc # .lib
+ util-linux
+ zlib
+ zstd
+ ] ++ lib.optionals (builtins.isString desktop) [
+ gtk3
+ libGL
+ libappindicator-gtk3
+ vulkan-loader
+ xorg.libX11
+ xorg.libXScrnSaver
+ xorg.libXcomposite
+ xorg.libXcursor
+ xorg.libXdamage
+ xorg.libXext
+ xorg.libXfixes
+ xorg.libXi
+ xorg.libXrandr
+ xorg.libXrender
+ xorg.libXtst
+ xorg.libxcb
+ xorg.libxkbfile
+ xorg.libxshmfence
+ ];
+ };
+ };
+}
systems/common/programs/tmux.nix
@@ -0,0 +1,8 @@
+_: {
+ programs.tmux = {
+ enable = true;
+ clock24 = true;
+ escapeTime = 0;
+ terminal = "tmux-256color";
+ };
+}
systems/common/programs/zsh.nix
@@ -0,0 +1,6 @@
+_: {
+ programs.zsh = {
+ enable = true;
+ enableCompletion = true;
+ };
+}
systems/common/services/buildkit.nix
@@ -0,0 +1,36 @@
+_: {
+ virtualisation = {
+ containerd = {
+ enable = true;
+ };
+ buildkitd = {
+ enable = true;
+ settings = {
+ grpc = {
+ # This can be overridden per host
+ address = [ "unix:///run/buildkit/buildkitd.sock" ];
+ ;
+ };
+ worker.oci = {
+ enabled = false;
+ };
+ worker.containerd = {
+ enabled = true;
+ platforms = [ "linux/amd64" "linux/arm64" ];
+ namespace = "buildkit";
+ };
+ # FIXME: change thoses
+ registry = {
+ "r.svc.home:5000" = {
+ http = true;
+ insecure = true;
+ };
+ "r.svc.home" = {
+ http = true;
+ insecure = true;
+ };
+ };
+ };
+ };
+ };
+ }
systems/common/services/containers.nix
@@ -0,0 +1,33 @@
+_: {
+ networking.firewall.checkReversePath = false;
+ virtualisation.podman.enable = true;
+ virtualisation.containers = {
+ enable = true;
+ registries = {
+ search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
+ };
+ policy = {
+ default = [{ type = "insecureAcceptAnything"; }];
+ transports = {
+ docker-daemon = {
+ "" = [{ type = "insecureAcceptAnything"; }];
+ };
+ };
+ };
+ containersConf.settings = {
+ network = {
+ default_subnet_pools = [
+ # See https://github.com/kubernetes-sigs/kind/issues/2872 for this
+ { "base" = "11.0.0.0/24"; "size" = 24; }
+ {
+ "base" = "192.168.129.0/24";
+ "size" = 24;
+ }
+ { "base" = "192.168.130.0/24"; "size" = 24; }
+ { "base" = "192.168.131.0/24"; "size" = 24; }
+ { "base" = "192.168.132.0/24"; "size" = 24; }
+ ];
+ };
+ };
+ };
+}
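Review bot: `networking.firewall.checkReversePath = false` turns off reverse-path filtering for every interface on the host, not just the container bridges, and the hunk gives no reason; if podman needs it, `"loose"` is usually enough and a comment should say which setup required it (`# rp_filter loose: needed for podman port forwarding — TODO confirm`). The signature `policy` is `insecureAcceptAnything` both as default and for `docker-daemon`, so no image signatures are ever verified; that matches most distributions' stock policy, but it should be stated as a deliberate choice rather than read as one this commit made silently. `11.0.0.0/24` in `default_subnet_pools` is publicly routed address space (the linked kind issue explains the temptation), so real hosts in that range become unreachable from containers — a comment noting the trade-off would stop it being copied elsewhere.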
systems/common/services/docker.nix
@@ -0,0 +1,19 @@
+_: {
+ virtualisation = {
+ docker = {
+ enable = true;
+ liveRestore = false;
+ storageDriver = "overlay2";
+ daemon.settings = {
+ userland-proxy = false;
+ experimental = true;
+ bip = "172.26.0.1/16";
+ features = { buildkit = true; };
+ insecure-registries = [ "172.30.0.0/16" "192.168.1.0/16" "10.100.0.0/16" "shikoku.home:5000" "r.svc.home:5000" "r.svc.home" ];
+ # seccomp-profile = ./my-seccomp.json;
+ };
+ };
+ };
+ environment.systemPackages = with pkgs; [ docker-buildx ];
+ networking.firewall.trustedInterfaces = [ "docker0" ];
+}
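Review bot: `with pkgs; [ docker-buildx ]` references `pkgs`, but the module's argument pattern is `_:`, so evaluation fails on an undefined variable; the header needs to be `{ pkgs, ... }: {`. `insecure-registries` lists whole ranges (`172.30.0.0/16`, `10.100.0.0/16`, and `192.168.1.0/16`, which is a non-canonical spelling of `192.168.0.0/16`), meaning any host in those networks can serve unverified images over plain HTTP to this daemon; narrowing the list to the named registry hosts would be safer, and the `/16` should at least be written as the network it actually denotes. `trustedInterfaces = [ "docker0" ]` opens every host port to containers on the default bridge; together with `userland-proxy = false` that looks deliberate, but it is worth a one-line comment.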
systems/common/services/lxd.nix
@@ -0,0 +1,21 @@
+{ pkgs
+, ...
+}:
+{
+ virtualisation = {
+ lxd = {
+ enable = true;
+ # zfsSupport = true;
+ ui = {
+ enable = true;
+ package = pkgs.lxd-ui;
+ };
+ };
+ };
+
+ networking = {
+ firewall = {
+ trustedInterfaces = [ "lxdbr0" ];
+ };
+ };
+}
systems/common/services/networkmanager.nix
@@ -0,0 +1,30 @@
+{ config
+, lib
+, pkgs
+, desktop
+, ...
+}: {
+ networking = {
+ networkmanager = {
+ enable = true;
+ wifi = {
+ backend = "iwd";
+ };
+ unmanaged = [
+ "interface-name:br-*"
+ "interface-name:ve-*" # FIXME are those docker's or libvirt's
+ "interface-name:veth-*" # FIXME are those docker's or libvirt's
+ ]
+ # Do not manager wireguard
+ ++ lib.optionals config.networking.wireguard.enable [ "interface-name:wg0" ]
+ # Do not manage docker interfaces
+ ++ lib.optionals config.virtualisation.docker.enable [ "interface-name:docker0" ]
+ # Do not manager libvirt interfaces
+ ++ lib.optionals config.virtualisation.libvirtd.enable [ "interface-name:virbr*" ];
+ plugins = with pkgs; [ networkmanager-openvpn ];
+ };
+ };
+
+ # Workaround https://github.com/NixOS/nixpkgs/issues/180175
+ systemd.services.NetworkManager-wait-online.enable = false;
+}
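Review bot: The `unmanaged` patterns `interface-name:ve-*` and `interface-name:veth-*` presumably will not match Docker's veth devices, which are named `veth` followed directly by an identifier with no hyphen, so NetworkManager would still try to manage them; `interface-name:veth*` covers Docker and nspawn/libvirt veths alike and also answers both `FIXME`s. `desktop` is accepted as an argument but never used in this module and can be dropped. Disabling `NetworkManager-wait-online` is the known workaround for the linked issue, but it also means units ordered after `network-online.target` may start before any link is up — worth a short note beside the link.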
systems/common/services/pipewire.nix
@@ -0,0 +1,33 @@
+{ lib
+, pkgs
+, desktop
+, ...
+}: {
+ # hardware.pulseaudio.enable = lib.mkForce false;
+
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ wireplumber = {
+ enable = true;
+ configPackages = [
+ (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
+ bluez_monitor.properties = {
+ ["bluez5.enable-sbc-xq"] = true,
+ ["bluez5.enable-msbc"] = true,
+ ["bluez5.enable-hw-volume"] = true,
+ ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+ }
+ '')
+ ];
+ };
+ };
+ environment.systemPackages = with pkgs;
+ if (builtins.isString desktop) then [
+ pwvucontrol
+ apulse # allow alsa application to use pulse
+ # pavucontrol
+ ] else [ ];
+}
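Review bot: The WirePlumber override is written as a Lua file under `share/wireplumber/bluetooth.lua.d/`, which is the WirePlumber 0.4 layout; WirePlumber 0.5 ignores `*.lua.d` and expects `share/wireplumber/wireplumber.conf.d/*.conf` with `monitor.bluez.properties`, so if the pinned nixpkgs ships 0.5 none of the `bluez5.*` settings take effect. Please confirm the WirePlumber version and, if it is 0.5, convert the snippet to the `.conf` format. `lib` is also an unused argument here.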
systems/common/users/default.nix
@@ -0,0 +1,16 @@
+{ config, ... }: {
+ # Default users, to create everywhere
+ imports = [
+ ./vincent.nix
+ ];
+ users.motd = with config; ''
+ Welcome to ${networking.hostName}
+
+ - This machine is managed by NixOS
+ - All changes are futile
+
+ OS: Nixos ${system.nixos.release} (${system.nixos.codeName})
+ Version: ${system.nixos.version}
+ Kernel: ${boot.kernelPackages.kernel.version}
+ '';
+}
systems/common/users/vincent.nix
@@ -0,0 +1,70 @@
+{ pkgs
+, lib
+, config
+, desktop
+, ...
+}:
+let
+ ifExists = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in
+{
+ users.users.vincent = {
+ description = "Vincent Demeester";
+ createHome = true;
+ uid = 1000;
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ extraGroups =
+ [
+ "users"
+ "wheel"
+ ]
+ ++ lib.optionals (builtins.isString desktop) [
+ "networkmanager"
+ "audio"
+ "video"
+ ]
+ ++ ifExists [
+ "buildkit"
+ "docker"
+ "libvirt"
+ "libvirtd"
+ "lxd"
+ "nginx"
+ "plugdev"
+ "tss"
+ ];
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
+ initialPassword = "changeMe";
+
+ # FIXME set this up
+ # openssh.authoizeKeys.keys = [ ];
+
+ # 🤔
+ packages = [ pkgs.home-manager ];
+ };
+
+ nix.settings.trusted-users = [ "vincent" ];
+
+ security = {
+ pam = {
+ # Nix will hit the stack limit when using `nixFlakes`.
+ loginLimits = [
+ { domain = config.users.users.vincent.name; item = "stack"; type = "-"; value = "unlimited"; }
+ ];
+ };
+ };
+
+ # Enable user units to persist after sessions end.
+ system.activationScripts.loginctl-enable-linger-vincent = lib.stringAfter [ "users" ] ''
+ ${pkgs.systemd}/bin/loginctl enable-linger ${config.users.users.vincent.name}
+ '';
+
+ # Do I user home-manager nixosModule *or* home-manager on its own
+ # home-manager.users.vincent = …
+ # This is a workaround for not seemingly being able to set $EDITOR in home-manager
+ environment.sessionVariables = {
+ EDITOR = "emacs";
+ };
+}
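Review bot: `initialPassword = "changeMe"` is a publicly known password for an account that is in `wheel`, listed in `nix.settings.trusted-users` (which can override substituters and is effectively root), and opportunistically added to `docker`, `lxd` and `libvirtd` (all root-equivalent groups), so any host deployed from this tree is fully compromised until someone remembers to change it; prefer `initialHashedPassword` or `hashedPasswordFile` with a managed secret, or at least `# FIXME replace before first boot: known initial password + wheel + trusted-users = root` so it cannot be missed (note it only applies when the user is first created, so existing hosts keep whatever they have). The commented-out key option is misspelled — it is `openssh.authorizedKeys.keys`, so it will fail evaluation when uncommented. `loginctl enable-linger` in an activation script runs on every switch; `users.users.vincent.linger = true` is the declarative equivalent if the pinned nixpkgs has it.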
systems/kyushu/extra.nix
@@ -3,7 +3,11 @@
imports = [
# ../common/services/backup
+ ../common/hardware/laptop.nix
+ ../common/programs/direnv.nix
+ ../common/programs/git.nix
+ ../common/programs/tmux.nix
+ ../common/services/networkmanager.nix
];
- # services.pipewire…
}
systems/default.nix
@@ -15,7 +15,7 @@
(./. + "/${hostname}/hardware.nix")
./common/base
- # ./common/users/${username}
+ ./common/users
]
++ lib.optional (builtins.pathExists (./. + "/${hostname}/extra.nix")) ./${hostname}/extra.nix
++ lib.optional (builtins.isString desktop) ./common/desktop;