Commit 12a3da0bfdf8

Vincent Demeester <vincent@sbr.pm>
2021-09-01 17:25:05
Remove *.flake.nix …
It is "history" for now

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 429025d
systems/hosts/foo.flake.nix
@@ -1,63 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
-  secretPath = ../../secrets/machines.nix;
-  secretCondition = (builtins.pathExists secretPath);
-
-  ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
-  ips = lists.optionals secretCondition ([ "${ip}/24" ]);
-  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
-  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
-  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
-  modules = {
-    desktop = {
-      i3.enable = true;
-    };
-    editors = {
-      default = "vim";
-      vim.enable = true;
-    };
-    hardware = {
-      bluetooth.enable = true;
-      audio.enable = true;
-      yubikey.enable = true;
-    };
-    shell = {
-      direnv.enable = true;
-      git.enable = true;
-      gnupg.enable = true;
-      tmux.enable = true;
-      zsh.enable = true;
-    };
-    virtualisation = {
-      libvirt.enable = true;
-      libvirt.nested = true;
-    };
-  };
-  profiles = {
-    home.enable = true;
-    redhat.enable = true;
-    laptop.enable = true;
-  };
-
-  environment.systemPackages = with pkgs; [ tektoncd-cli nyxt ];
-
-  virtualisation.podman.enable = true;
-  virtualisation.containers = {
-    enable = true;
-    registries = {
-      search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
-    };
-    policy = {
-      default = [{ type = "insecureAcceptAnything"; }];
-      transports = {
-        docker-daemon = {
-          "" = [{ type = "insecureAcceptAnything"; }];
-        };
-      };
-    };
-  };
-}
systems/hosts/okinawa.flake.nix
@@ -1,53 +0,0 @@
-{ pkgs, lib, ... }:
-
-with lib;
-let
-  secretPath = ../../secrets/machines.nix;
-  secretCondition = (builtins.pathExists secretPath);
-
-  ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
-  ips = lists.optionals secretCondition ([ "${ip}/24" ]);
-  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
-  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
-  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
-in
-{
-  modules = {
-    editors = {
-      default = "vim";
-      vim.enable = true;
-    };
-    shell = {
-      direnv.enable = true;
-      git.enable = true;
-      gnupg.enable = true;
-      tmux.enable = true;
-      zsh.enable = true;
-    };
-    virtualisation = {
-      libvirt.enable = true;
-      libvirt.nested = true;
-    };
-  };
-  profiles = {
-    home.enable = true;
-  };
-
-  environment.systemPackages = with pkgs; [ tektoncd-cli nyxt ];
-
-  virtualisation.podman.enable = true;
-  virtualisation.containers = {
-    enable = true;
-    registries = {
-      search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
-    };
-    policy = {
-      default = [{ type = "insecureAcceptAnything"; }];
-      transports = {
-        docker-daemon = {
-          "" = [{ type = "insecureAcceptAnything"; }];
-        };
-      };
-    };
-  };
-}
systems/modules/profiles/base.flake.nix
@@ -1,78 +0,0 @@
-{ config, inputs, lib, pkgs, ... }:
-let
-  inherit (lib) mkEnableOption mkIf mkDefault mkOverride;
-  cfg = config.modules.base;
-in
-{
-  imports = [ inputs.home-manager.nixosModules.home-manager ];
-  options = {
-    modules.base = {
-      enable = mkEnableOption "base configuration";
-    };
-  };
-  config = mkIf cfg.enable {
-
-    boot = {
-      # Enable running aarch64 binaries using qemu.
-      binfmt.emulatedSystems = [ "aarch64-linux" ];
-
-      # Clean temporary directory on boot
-      cleanTmpDir = true;
-
-      loader = {
-        # Use systemd-boot by default, can be overridden by configurations
-        systemd-boot.enable = true;
-
-        # Make memtest available as a boot option.
-        grub.memtest86.enable = true;
-        systemd-boot.memtest86.enable = true;
-      };
-    };
-
-    console = {
-      keyMap = "fr-bepo";
-      font = "Lat2-Terminus16";
-    };
-
-    environment = {
-      # System packages to install, those are the absolute minimum packages required
-      systemPackages = with pkgs; [
-        file
-        htop
-        iotop
-        lsof
-        netcat
-        psmisc
-        pv
-        wget
-      ];
-    };
-
-    # Home manager default configuration
-    home-manager = {
-      useUserPackages = true;
-      useGlobalPkgs = true;
-    };
-
-    i18n.defaultLocale = "en_US.UTF-8";
-
-    # Make sure we never remove SSH_AUTH_SOCK when reseting env through sudo
-    security.sudo.extraConfig = ''
-      Defaults env_keep += SSH_AUTH_SOCK
-    '';
-    # `nix-daemon` will hit the stack limit when using `nixFlakes`.
-    systemd.services.nix-daemon.serviceConfig."LimitSTACK" = "infinity";
-    # Setup a *mailer* in case of failure in systemd
-    systemd.services."status-email-root@" = {
-      description = "status email for %i to vincent";
-      serviceConfig = {
-        Type = "oneshot";
-        ExecStart = ''
-          ${pkgs.systemd-email}/bin/systemd-email vincent@demeester.fr %i
-        '';
-        User = "root";
-        Environment = "PATH=/run/current-system/sw/bin";
-      };
-    };
-  };
-}
systems/modules/profiles/default.flake.nix
@@ -1,16 +0,0 @@
-# Profiles are grouping modules so that we don't have to
-# specify them for all machines all the time.
-{ lib, ... }:
-
-{
-  imports = [
-    ./base.flake.nix
-    ./home.flake.nix
-    ./laptop.flake.nix
-    ./redhat.nix
-    # ./desktop.flake.nix
-    # FIXME: vpn, server, builder, …
-  ];
-
-  modules.base.enable = lib.mkDefault true;
-}
systems/modules/profiles/home.flake.nix
@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  inherit (lib) mkIf mkEnableOption;
-  cfg = config.profiles.home;
-
-  secretPath = ../../secrets/machines.nix;
-  secretCondition = (builtins.pathExists secretPath);
-  machines = lib.optionalAttrs secretCondition (import secretPath);
-in
-{
-  options = {
-    profiles.home = {
-      enable = mkEnableOption "home configuration";
-    };
-  };
-  config = mkIf cfg.enable {
-
-    # Mount nfs on all systems at home…
-    # … if we got the secret file
-    fileSystems = mkIf secretCondition {
-      "/net/synodine.home/" = {
-        device = "${machines.home.ips.synodine}:/";
-        fsType = "nfs";
-        options = [ "x-systemd.automount" "noauto" ];
-      } // mkIf (config.networking.hostName != "sakhalin") {
-        "/net/sakhalin.home/export/" = {
-          device = "${machines.home.ips.sakhalin}:/";
-          fsType = "nfs";
-          options = [ "x-systemd.automount" "noauto" ];
-        };
-      };
-    };
-
-    # Home is in France/Paris, so set the timezone accordingly
-    time.timeZone = "Europe/Paris";
-
-    # Because we are at home, we can make assumption around the network
-  };
-}
systems/modules/profiles/laptop.flake.nix
@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  inherit (lib) mkIf mkEnableOption mkForce;
-  cfg = config.profiles.laptop;
-in
-{
-  options = {
-    profiles.laptop = {
-      enable = mkEnableOption "laptop configuration";
-    };
-  };
-  config = mkIf cfg.enable {
-    modules.desktop.enable = true;
-    nix = {
-      sshServe.enable = mkForce false;
-    };
-  };
-}
systems/modules/virtualisation/default.flake.nix
@@ -1,9 +0,0 @@
-# Virtualisation is grouping modules related to virtualisation, such
-# as containers (podman, docker, …), vm (qemu, libvirt, …).
-{ lib, ... }:
-
-{
-  imports = [
-    ./libvirt.nix
-  ];
-}
systems/modules/default.flake.nix
@@ -1,14 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./desktop
-    ./editors
-    ./hardware
-    ./profiles/default.flake.nix
-    ./programs
-    ./services
-    ./shell
-    ./virtualisation/default.flake.nix
-  ];
-}
users/houbeb/default.flake.nix
@@ -1,13 +0,0 @@
-{ inputs, ... }: {
-  users.users.houbeb = {
-    createHome = true;
-    description = "Houbeb Ben Othmene";
-    extraGroups = [ "wheel" ];
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [
-      "…"
-    ];
-  };
-  # Home-manager "magic"
-  home-manager.users.houbeb = inputs.self.internal.homeManagerConfigurations."houbeb";
-}
users/root/default.flake.nix
@@ -1,11 +0,0 @@
-{ config, inputs, lib, pkgs, ... }:
-let
-  inherit (lib) mkIf;
-in
-{
-  users.users.root = {
-    shell = mkIf config.programs.zsh.enable pkgs.zsh;
-  };
-  # Home-manager "magic"
-  home-manager.users.root = inputs.self.internal.homeManagerConfigurations."root";
-}
users/vincent/default.flake.nix
@@ -1,59 +0,0 @@
-{ config, inputs, lib, pkgs, ... }:
-with lib;
-let
-  secretPath = ../../secrets/machines.nix;
-  secretCondition = (builtins.pathExists secretPath);
-
-  isAuthorized = p: builtins.isAttrs p && p.authorized or false;
-  authorizedKeys = lists.optionals secretCondition (
-    attrsets.mapAttrsToList
-      (name: value: value.key)
-      (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
-  );
-
-  hasConfigVirtualizationContainers = builtins.hasAttr "containers" config.virtualisation;
-  isContainersEnabled = if hasConfigVirtualizationContainers then config.virtualisation.containers.enable else false;
-in
-{
-  users.users.vincent = {
-    createHome = true;
-    uid = 1000;
-    description = "Vincent Demeester";
-    extraGroups = [ "wheel" "input" ]
-      ++ optionals config.modules.desktop.enable [ "video" ]
-      ++ optionals config.modules.hardware.audio.enable [ "audio" ]
-      #++ optionals config.profiles.scanning.enable [ "lp" "scanner" ]
-      ++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
-      ++ optionals config.virtualisation.docker.enable [ "docker" ]
-      #++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ]
-      ++ optionals config.virtualisation.libvirtd.enable [ "libvirtd" ];
-    shell = mkIf config.programs.zsh.enable pkgs.zsh;
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = authorizedKeys;
-    initialPassword = "changeMe";
-    subUidRanges = [{ startUid = 100000; count = 65536; }];
-    subGidRanges = [{ startGid = 100000; count = 65536; }];
-  };
-
-  nix = {
-    trustedUsers = [ "vincent" ];
-    sshServe.keys = authorizedKeys;
-  };
-
-  security = {
-    pam = {
-      # Nix will hit the stack limit when using `nixFlakes`.
-      loginLimits = [
-        { domain = config.users.users.vincent.name; item = "stack"; type = "-"; value = "unlimited"; }
-      ];
-    };
-  };
-
-  # Enable user units to persist after sessions end.
-  system.activationScripts.loginctl-enable-linger-vincent = lib.stringAfter [ "users" ] ''
-    ${pkgs.systemd}/bin/loginctl enable-linger ${config.users.users.vincent.name}
-  '';
-
-  # Home-manager "magic"
-  home-manager.users.vincent = inputs.self.internal.homeManagerConfigurations."vincent";
-}