Commit cb0469b98f88
Changed files (56)
hardware/dell-latitude-e6540.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+{
+ boot = {
+ loader.efi.canTouchEfiVariables = true;
+ kernelParams = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ "i915.enable_rc6=0" "i915.enable_fbc=1"
+ "i915.lvds_use_ssc=0"
+ "drm.debug=0" "drm.vblankoffdelay=1"
+ ];
+ blacklistedKernelModules = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ "sierra_net" "cdc_mbim" "cdc_ncm"
+ ];
+ };
+ hardware = {
+ opengl = {
+ enable = true;
+ extraPackages = [ pkgs.vaapiIntel ];
+ driSupport32Bit = true;
+ };
+ };
+ services.acpid.enable = true;
+}
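Review bot: The comment above `blacklistedKernelModules` says "Kernel GPU Savings Options (NOTE i915 chipset only)", but `sierra_net`, `cdc_mbim` and `cdc_ncm` are USB WWAN/modem network drivers and have nothing to do with the GPU; the same copied comment sits above the same list in hardware/thinkpad.nix. Replace it with something like `# USB WWAN/modem drivers not needed on this machine`. A one-line comment on why `i915.enable_rc6=0` here differs from the `i915.enable_rc6=1` in hardware/thinkpad.nix would also help, since the two `kernelParams` lists are otherwise identical.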
hardware/lenovo-p50.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ...}:
+
+{
+ imports = [ ./thinkpad.nix ];
+ hardware = {
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ nvidia.optimus_prime = {
+ enable = true;
+ nvidiaBusId = "PCI:1:0:0";
+ intelBusId = "PCI:0:2:0";
+ };
+ };
+ services = {
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP=""
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT=""
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+# Docking
+DEVICES_TO_DISABLE_ON_DOCK="wifi"
+DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+# Make sure it uses the right hard drive
+DISK_DEVICES="nvme0n1p2"
+ '';
+ };
+ udev.extraRules = ''
+ # Rules for Lenovo Thinkpad WS Dock
+ SUBSYSTEM=="usb", ACTION=="add|remove", ENV{ID_VENDOR}=="17ef", ENV{ID_MODEL}=="305a", RUN+="${pkgs.vde-thinkpad}/bin/dock"
+ '';
+ };
+}
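Review bot: The dock rule matches on `ENV{ID_VENDOR}=="17ef", ENV{ID_MODEL}=="305a"`, but udev normally stores the hex vendor/product ids in `ID_VENDOR_ID`/`ID_MODEL_ID` and the descriptor strings in `ID_VENDOR`/`ID_MODEL`, so as written the rule looks like it never fires; `ENV{ID_VENDOR_ID}=="17ef", ENV{ID_MODEL_ID}=="305a"` is the usual form (confirm with `udevadm info` against the dock). Because `RUN+=` executes `${pkgs.vde-thinkpad}/bin/dock` as root on every matching add/remove event, a comment stating what that script does would help the next reader. The tlp `extraConfig` block is a copy of the one in hardware/thinkpad-t460s.nix except for `DISK_DEVICES`; see the note there.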
hardware/thinkpad-t460s.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ./thinkpad.nix ];
+ services = {
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP=""
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT=""
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+# Docking
+DEVICES_TO_DISABLE_ON_DOCK="wifi"
+DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+# Make sure it uses the right hard drive
+DISK_DEVICES="nvme0n1p3"
+ '';
+ };
+ xserver = {
+ dpi = 128;
+ };
+ };
+}
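Review bot: The tlp `extraConfig` block is identical to the one in hardware/lenovo-p50.nix apart from `DISK_DEVICES`, and both files already import ./thinkpad.nix, which enables tlp; moving the shared lines into thinkpad.nix and leaving only the per-machine `DISK_DEVICES="nvme0n1p3"` here would stop the two copies from drifting (hardware/thinkpad-x220.nix has its own variant and could override). A short comment on why `CPU_MAX_PERF_ON_BAT=50` was chosen would document the intent.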
hardware/thinkpad-x220.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ./thinkpad.nix ];
+ boot = {
+ kernelParams = [ "i915.enable_psr=1" ];
+ extraModprobeConfig = ''
+ options iwlwifi 11n_disable=1
+ '';
+ };
+ security = {
+ pam.services = {
+ slimlock.fprintAuth = false;
+ slim.fprintAuth = false;
+ login.fprintAuth = false;
+ xscreensaver.fprintAuth = false;
+ };
+ };
+ services = {
+ fprintd.enable = true;
+ tlp = {
+ extraConfig = ''
+# CPU optimizations
+CPU_SCALING_GOVERNOR_ON_AC=performance
+CPU_SCALING_GOVERNOR_ON_BAT=powersave
+CPU_MIN_PERF_ON_AC=0
+CPU_MAX_PERF_ON_AC=100
+CPU_MIN_PERF_ON_BAT=0
+CPU_MAX_PERF_ON_BAT=50
+CPU_BOOST_ON_AC=1
+CPU_BOOST_ON_BAT=0
+# DEVICES (wifi, ..)
+DEVICES_TO_DISABLE_ON_STARTUP="bluetooth"
+DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+DEVICES_TO_DISABLE_ON_BAT="bluetooth"
+# Network management
+DEVICES_TO_DISABLE_ON_LAN_CONNECT=""
+DEVICES_TO_DISABLE_ON_WIFI_CONNECT=""
+DEVICES_TO_DISABLE_ON_WWAN_CONNECT=""
+DEVICES_TO_ENABLE_ON_LAN_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+DISK_IDLE_SECS_ON_AC=0
+DISK_IDLE_SECS_ON_BAT=2
+MAX_LOST_WORK_SECS_ON_AC=15
+MAX_LOST_WORK_SECS_ON_BAT=60
+DISK_DEVICES="ata-Corsair_Force_LX_SSD_15256501000102160059"
+SOUND_POWER_SAVE_ON_AC=0
+SOUND_POWER_SAVE_ON_BAT=1
+USB_AUTOSUSPEND=1
+USB_BLACKLIST_BTUSB=1
+ '';
+ };
+ };
+}
hardware/thinkpad.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+
+{
+ boot = {
+ blacklistedKernelModules = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ "sierra_net" "cdc_mbim" "cdc_ncm"
+ ];
+ extraModprobeConfig = ''
+ options snd_hda_intel power_save=1
+ '';
+ initrd = {
+ availableKernelModules = [ "aesni-intel" "aes_x86_64" "cryptd" ];
+ };
+ kernelModules = [ "kvm_intel" ];
+ kernelParams = [
+ # Kernel GPU Savings Options (NOTE i915 chipset only)
+ "i915.enable_rc6=1" "i915.enable_fbc=1"
+ "i915.lvds_use_ssc=0"
+ "drm.debug=0" "drm.vblankoffdelay=1"
+ "kvm_intel.nested=1"
+ "intel_iommu=on"
+ ];
+ loader.efi.canTouchEfiVariables = true;
+ };
+ environment.systemPackages = with pkgs; [
+ linuxPackages.tp_smapi
+ ];
+ hardware = {
+ trackpoint.enable = false;
+ cpu.intel.updateMicrocode = true;
+ opengl = {
+ #enable = true;
+ extraPackages = [ pkgs.vaapiIntel ];
+ #driSupport32Bit = true;
+ };
+ };
+ services = {
+ acpid = {
+ enable = true;
+ lidEventCommands = ''
+if grep -q closed /proc/acpi/button/lid/LID/state; then
+ date >> /tmp/i3lock.log
+ DISPLAY=":0.0" XAUTHORITY=/home/fadenb/.Xauthority ${pkgs.i3lock}/bin/i3lock &>> /tmp/i3lock.log
+fi
+ '';
+ };
+ tlp = {
+ enable = true;
+ };
+ xserver = {
+ synaptics.enable = false;
+ config =
+ ''
+ Section "InputClass"
+ Identifier "Enable libinput for TrackPoint"
+ MatchIsPointer "on"
+ Driver "libinput"
+ Option "ScrollMethod" "button"
+ Option "ScrollButton" "8"
+ EndSection
+ '';
+ inputClassSections = [
+ ''
+ Identifier "evdev touchpad off"
+ MatchIsTouchpad "on"
+ MatchDevicePath "/dev/input/event*"
+ Driver "evdev"
+ Option "Ignore" "true"
+ ''
+ ];
+ };
+ };
+}
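Review bot: `lidEventCommands` hard-codes `XAUTHORITY=/home/fadenb/.Xauthority`, while every other file in this commit uses the user `vincent` (the lightdm autoLogin user in modules/profiles/desktop.nixos.nix, `User = "vincent"` in machines/sakhalin.nixos.nix), so on these machines i3lock will most likely fail to open the display and closing the lid will not lock the screen; the handler runs as root from acpid and only appends the failure to the fixed path `/tmp/i3lock.log`. Either parameterise the user or take the lock from the session side (`xss-lock` is already installed by the desktop profile), and write the log somewhere other than a fixed, predictable `/tmp` path. The `# Kernel GPU Savings Options` comment above `blacklistedKernelModules` describes USB network drivers, not GPU options.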
machines/home.nixos.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+with import ../assets/machines.nix; {
+ boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];
+ networking.domain = "synodine.home";
+ time.timeZone = "Europe/Paris";
+ # To mimic autofs on fedora
+ fileSystems."/net/synodine.home/" = {
+ device = "${home.ips.synodine}:/";
+ fsType = "nfs";
+ options = [ "x-systemd.automount" "noauto" ];
+ };
+ # FIXME(vdemeester): I think it acts like this because there is only one export
+ fileSystems."/net/sakhalin.home/export/" = {
+ device = "${home.ips.sakhalin}:/";
+ fsType = "nfs";
+ options = [ "x-systemd.automount" "noauto" ];
+ };
+ # Deprecated
+ fileSystems."/mnt/synodine" = {
+ device = "${home.ips.synodine}:/";
+ fsType = "nfs";
+ options = [ "x-systemd.automount" "noauto" ];
+ };
+ fileSystems."/mnt/sakhalin" = {
+ device = "${home.ips.sakhalin}:/";
+ fsType = "nfs";
+ options = [ "x-systemd.automount" "noauto" ];
+ };
+}
machines/kerkouane.nixos.nix
@@ -0,0 +1,86 @@
+{ config, pkgs, ... }:
+
+with import ../assets/machines.nix; {
+ imports = [ ../networking.nix ];
+ time.timeZone = "Europe/Paris";
+ boot = {
+ cleanTmpDir = true;
+ loader.grub.enable = true;
+ };
+ profiles = {
+ git.enable = true;
+ nix-config.localCaches = [];
+ nix-config.buildCores = 1;
+ ssh.enable = true;
+ syncthing.enable = true;
+ wireguard.server.enable = true;
+ };
+ networking.firewall.allowPing = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security = {
+ acme.certs = {
+ "sbr.pm".email = "vincent@sbr.pm";
+ };
+ };
+ services = {
+ govanityurl = {
+ enable = true;
+ user = "nginx";
+ host = "go.sbr.pm";
+ config = ''
+ paths:
+ /ape:
+ repo: https://gitlab.com/vdemeester/ape
+ /nr:
+ repo: https://gitlab.com/vdemeester/nr
+ /ram:
+ repo: https://gitlab.com/vdemeester/ram
+ /sec:
+ repo: https://gitlab.com/vdemeester/sec
+ '';
+ };
+ nginx = {
+ enable = true;
+ virtualHosts."dl.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/dl.sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."paste.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/paste.sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."go.sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
+ };
+ virtualHosts."sbr.pm" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/sbr.pm";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ virtualHosts."vincent.demeester.fr" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "/home/vincent/desktop/sites/vincent.demeester.fr";
+ locations."/" = {
+ index = "index.html";
+ };
+ };
+ };
+ openssh.ports = [ ssh.kerkouane.port ];
+ openssh.permitRootLogin = "without-password";
+ syncthing.guiAddress = "127.0.0.1:8384";
+ };
+}
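Review bot: `openssh.permitRootLogin = "without-password"` on the internet-facing host of this set (it terminates the wireguard server and serves the public nginx vhosts) keeps root reachable over SSH with a key; unless some automation logs in as root remotely, `"no"` is the safer value, and if it is needed a comment naming that automation would justify it. `govanityurl` runs with `user = "nginx"`, so a fault in it runs with the same identity that can read every vhost root; a dedicated user keeps the two apart. The vhost roots live under `/home/vincent/desktop/sites/...`, which requires execute permission on `/home/vincent` for the nginx user and is worth a comment since home directories are usually not world-traversable.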
machines/okinawa.nixos.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, ... }:
+
+with import ../assets/machines.nix; {
+ imports = [ ./home.nix ];
+ boot = {
+ cleanTmpDir = true;
+ };
+ networking = {
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+ profiles = {
+ avahi.enable = true;
+ git.enable = true;
+ nix-config.buildCores = 4;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = {
+ enable = true;
+ nested = true;
+ listenTCP = true;
+ };
+ };
+ services = {
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [];
+ file = ../assets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [];
+ file = ../assets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [];
+ file = ../assets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [];
+ file = ../assets/db.10.100.0;
+ }
+ ];
+ };
+ nix-binary-cache = {
+ enable = true;
+ domain = "nix.cache.home";
+ aliases = [ "cache.massimo.home" "nix.okinawa.home" ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ tarsnap = {
+ enable = true;
+ archives = {
+ documents = {
+ directories = [ "/home/vincent/desktop/documents" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.documents.key";
+ };
+ org = {
+ directories = [ "/home/vincent/desktop/org" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.org.key";
+ };
+ sites = {
+ directories = [ "/home/vincent/desktop/sites" ];
+ period = "daily";
+ keyfile = "/etc/nixos/assets/tarsnap.sites.key";
+ };
+ };
+ };
+ wireguard = {
+ enable = true;
+ ips = [ "${wireguard.ips.okinawa}/24" ];
+ endpoint = wg.endpointIP;
+ endpointPort = wg.listenPort;
+ endpointPublicKey = wireguard.kerkouane.publicKey;
+ };
+ };
+ security.apparmor.enable = true;
+}
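Review bot: `syncthing.guiAddress = "0.0.0.0:8384"` combined with `networking.firewall.enable = false` exposes the syncthing web GUI on every interface of this host, including the bridge br1 and the wireguard interface; the same pair appears in machines/sakhalin.nixos.nix and machines/wakasu.nixos.nix (which even has the narrower `"${wireguard.ips.wakasu}:8384"` commented out). Binding to the wireguard address or to `127.0.0.1:8384` as machines/kerkouane.nixos.nix does, or leaving the firewall enabled, would limit it. The tarsnap `keyfile`s are referenced under `/etc/nixos/assets/`, i.e. inside the configuration tree; if that tree is the git repository updated by the `mr` timer, a comment confirming the keys are excluded from version control would help.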
machines/sakhalin.nixos.nix
@@ -0,0 +1,154 @@
+{ config, pkgs, ... }:
+
+with import ../assets/machines.nix; {
+ imports = [ ./home.nix ];
+ boot = {
+ cleanTmpDir = true;
+ };
+ networking = {
+ firewall.enable = false; # we are in safe territory :D
+ bridges.br1.interfaces = [ "enp0s31f6" ];
+ useDHCP = false;
+ interfaces.br1 = {
+ useDHCP = true;
+ };
+ };
+ profiles = {
+ avahi.enable = true;
+ git.enable = true;
+ nix-config.buildCores = 4;
+ ssh.enable = true;
+ syncthing.enable = true;
+ virtualization = {
+ enable = true;
+ nested = true;
+ listenTCP = true;
+ };
+ };
+ fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
+ fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
+ services = {
+ nfs.server = {
+ enable = true;
+ exports = ''
+ /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
+ /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
+ /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
+ '';
+ };
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ slaves = [];
+ file = ../assets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ slaves = [];
+ file = ../assets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ slaves = [];
+ file = ../assets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ slaves = [];
+ file = ../assets/db.10.100.0;
+ }
+ ];
+ };
+ syncthing.guiAddress = "0.0.0.0:8384";
+ wireguard = {
+ enable = true;
+ ips = [ "${wireguard.ips.sakhalin}/24" ];
+ endpoint = wg.endpointIP;
+ endpointPort = wg.listenPort;
+ endpointPublicKey = wireguard.kerkouane.publicKey;
+ };
+ };
+ security.apparmor.enable = true;
+ # -----------------------------------
+ environment.etc."vrsync".text = ''
+ /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
+ /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
+ /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
+ /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
+ /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
+ '';
+ systemd.services.vrsync = {
+ description = "vrsync - sync folders to NAS";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+
+ path = with pkgs; [ rsync coreutils bash openssh ];
+ script = ''
+ ${pkgs.vrsync}/bin/vrsync
+ '';
+
+ startAt = "hourly";
+ serviceConfig = {
+ Type = "oneshot";
+ OnFailure = "status-email-root@%n.service";
+ };
+ };
+ # ape – sync git mirrors
+ systemd.services.ape = {
+ description = "Ape - sync git mirrors";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git ];
+ script = ''
+ ${pkgs.nur.repos.vdemeester.ape}/bin/ape up /home/vincent/var/mirrors
+ '';
+
+ startAt = "hourly";
+ };
+ # mr -i u daily
+ systemd.services.mr = {
+ description = "Update configs daily";
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%n.service";
+ };
+
+ path = with pkgs; [ git mr ];
+ script = ''
+ set -e
+ cd /mnt/gaia/src/configs/
+ mr -t run git reset --hard
+ mr -t u
+ '';
+
+ startAt = "daily";
+ };
+}
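Review bot: The `mr` timer runs `mr -t run git reset --hard` every day as `vincent` over everything under `/mnt/gaia/src/configs/`, which silently discards any uncommitted local changes in those checkouts; a comment stating that this directory is mirror-only and that local edits are expected to be lost would document the intent, and the reset could be dropped if the checkouts are never edited. `vrsync` has no `User =`, so it runs as root and will use root's SSH key and known_hosts to reach `vincent@synodine.home`; if it can run as `vincent` like the other two services, it should. The `/export` NFS trees are exported `rw` to both subnets; a note on which clients are expected to write would ease later review.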
machines/wakasu.nixos.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, ... }:
+
+with import ../assets/machines.nix; {
+ imports = [ ../hardware/lenovo-p50.nix ./home.nix ];
+ boot = {
+ kernelModules = [ "kvm_intel" ];
+ kernelParams = [ "kvm_intel.nested=1" ];
+ kernel.sysctl = {
+ "net.bridge.bridge-nf-call-arptables" = 0;
+ "net.bridge.bridge-nf-call-iptables" = 0;
+ "net.bridge.bridge-nf-call-ip6tables" = 0;
+ };
+ };
+ networking = {
+ firewall.enable = false; # we are in safe territory :D
+ hosts = {
+ "${home.ips.honshu}" = [ "honshu.home" ];
+ "${wireguard.ips.honshu}" = [ "honshu.vpn" ];
+ "${home.ips.shikoku}" = [ "shikoku.home" ];
+ "${wireguard.ips.shikoku}" = [ "shikoku.vpn" ];
+ "${home.ips.wakasu}" = [ "wakasu.home" ];
+ "${wireguard.ips.wakasu}" = [ "wakasu.vpn" ];
+ "${home.ips.hokkaido}" = [ "hokkaido.home" ];
+ "${wireguard.ips.hokkaido}" = [ "hokkaido.vpn" ];
+ "${home.ips.sakhalin}" = [ "sakhalin.home" ];
+ "${wireguard.ips.sakhalin}" = [ "sakhalin.vpn" ];
+ "${wireguard.ips.massimo}" = [ "massimo.vpn" ];
+ "${home.ips.synodine}" = [ "synodine.home" ];
+ "${home.ips.okinawa}" = [ "okinawa.home" "cache.home" "svc.home" "nix.cache.home" "go.cache.home" ];
+ "${wireguard.ips.okinawa}" = [ "okinawa.vpn" ];
+ "${wireguard.ips.carthage}" = [ "carthage.vpn" ];
+ "${wireguard.ips.kerkouane}" = [ "kerkouane.vpn" ];
+ };
+ };
+ profiles = {
+ dev.enable = true;
+ laptop.enable = true;
+ desktop.autoLogin = true;
+ docker.enable = true;
+ nix-config.buildCores = 4;
+ #qemu-user = { arm = true; aarch64 = true; };
+ ssh = {
+ enable = true;
+ forwardX11 = true;
+ };
+ virtualization = {
+ enable = true;
+ nested = true;
+ listenTCP = true;
+ };
+ yubikey.enable = true;
+ };
+ programs = {
+ podman.enable = true;
+ };
+ security.sudo = {
+ extraConfig = ''
+ %users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix
+ '';
+ };
+ services = {
+ logind.extraConfig = ''
+ HandleLidSwitch=ignore
+ HandleLidSwitchExternalPower=ignore
+ HandleLidSwitchDocked=ignore
+ '';
+ #syncthing.guiAddress = "${wireguard.ips.wakasu}:8384";
+ syncthing.guiAddress = "0.0.0.0:8384";
+ smartd = {
+ enable = true;
+ devices = [ { device = "/dev/nvme0n1"; } ];
+ };
+ wireguard = {
+ enable = true;
+ ips = [ "${wireguard.ips.wakasu}/24" ];
+ endpoint = wg.endpointIP;
+ endpointPort = wg.listenPort;
+ endpointPublicKey = wireguard.kerkouane.publicKey;
+ };
+ xserver = {
+ videoDrivers = [ "nvidia" ];
+ dpi = 96;
+ serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+ };
+ };
+}
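Review bot: The sudoers line `%users ALL = (root) NOPASSWD: /home/vincent/.nix-profile/bin/kubernix` grants every member of `users` passwordless root through a path inside a user-writable home directory, so whoever controls `/home/vincent/.nix-profile` (the user, or anything running as that user) controls what sudo runs as root. Point the rule at a path the system owns instead, e.g. install the program through `environment.systemPackages` and reference `/run/current-system/sw/bin/kubernix`, and narrow `%users` to the single account that needs it. The `net.bridge.bridge-nf-call-*` sysctls are set to 0 while `docker.enable` and `virtualization.enable` are on; a comment on why bridged traffic must bypass netfilter is warranted.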
modules/hardware/sane-extra-config.nixos.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.hardware.sane;
+
+ pkg = if cfg.snapshot
+ then pkgs.sane-backends-git
+ else pkgs.sane-backends;
+
+ backends = [ pkg ] ++ cfg.extraBackends;
+
+ saneConfig = pkgs.mkSaneConfig { paths = backends; };
+
+ saneExtraConfig = pkgs.runCommand "sane-extra-config" {} ''
+ cp -Lr '${pkgs.mkSaneConfig { paths = [ pkgs.sane-backends ]; }}'/etc/sane.d $out
+ chmod +w $out
+ ${concatMapStrings (c: ''
+ f="$out/${c.name}.conf"
+ [ ! -e "$f" ] || chmod +w "$f"
+ cat ${builtins.toFile "" (c.value + "\n")} >>"$f"
+ chmod -w "$f"
+ '') (mapAttrsToList nameValuePair cfg.extraConfig)}
+ chmod -w $out
+ '';
+
+in
+
+{
+ options = {
+ hardware.sane.extraConfig = mkOption {
+ type = types.attrsOf types.lines;
+ default = {};
+ example = { "some-backend" = "# some lines to add to its .conf"; };
+ };
+ };
+
+ config = mkIf (cfg.enable && cfg.extraConfig != {}) {
+ hardware.sane.configDir = saneExtraConfig.outPath;
+ };
+}
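Review bot: `pkg`, `backends` and `saneConfig` are bound in the `let` but never used: `saneExtraConfig` calls `pkgs.mkSaneConfig { paths = [ pkgs.sane-backends ]; }` directly, so `cfg.snapshot` and `cfg.extraBackends` have no effect on the generated `configDir` even though the bindings suggest they should. Use `'${saneConfig}'/etc/sane.d` in the `cp` line and drop the dead bindings. `builtins.toFile ""` creates a store file with an empty name, which some Nix versions reject; `builtins.toFile "${c.name}.conf.extra" (c.value + "\n")` is safer. The `hardware.sane.extraConfig` option also lacks a `description`.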
modules/profiles/avahi.nixos.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.avahi;
+in
+{
+ options = {
+ profiles.avahi = {
+ enable = mkOption {
+ default = false;
+ description = "Enable avahi profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services = {
+ avahi = {
+ enable = true;
+ ipv4 = true;
+ ipv6 = true;
+ nssmdns = true;
+ publish = {
+ enable = true;
+ userServices = true;
+ };
+ };
+ };
+ };
+}
modules/profiles/base.nixos.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.base;
+in
+{
+ options = {
+ profiles.base = {
+ enable = mkOption {
+ default = true;
+ description = "Enable base profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.loader.systemd-boot.enable = true;
+ environment = {
+ variables = {
+ EDITOR = pkgs.lib.mkOverride 0 "vim";
+ };
+ systemPackages = with pkgs; [
+ cachix
+ direnv
+ exa
+ file
+ htop
+ iotop
+ lsof
+ netcat
+ psmisc
+ pv
+ tmux
+ tree
+ vim
+ vrsync
+ wget
+ gnumake
+ ];
+ };
+ systemd.services."status-email-root@" = {
+ description = "status email for %i to vincent";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = ''
+ ${pkgs.nur.repos.vdemeester.systemd-email}/bin/systemd-email vincent@demeester.fr %i
+ '';
+ User = "root";
+ Environment = "PATH=/run/current-system/sw/bin";
+ };
+ };
+ };
+}
modules/profiles/buildkit.nixos.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.buildkit;
+in
+{
+ options = {
+ profiles.buildkit = {
+ enable = mkOption {
+ default = false;
+ description = "Enable buildkit profile";
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.nur.repos.vdemeester.buildkit;
+ description = "buildkit package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.nur.repos.vdemeester.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.containerd = {
+ enable = true;
+ runcPackage = cfg.runcPackage;
+ };
+ environment.systemPackages = with pkgs; [
+ cfg.package
+ ];
+ virtualisation = {
+ buildkitd= {
+ enable = true;
+ package = cfg.package;
+ packages = [ cfg.runcPackage pkgs.git ];
+ extraOptions = "--oci-worker=false --containerd-worker=true";
+ };
+ };
+ };
+}
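Review bot: `buildkitd= {` is missing the space before `=`, and `with pkgs; [ cfg.package ]` (here and in modules/profiles/containerd.nixos.nix) opens a `with` scope that nothing in the list uses; `environment.systemPackages = [ cfg.package ];` is clearer. `extraOptions = "--oci-worker=false --containerd-worker=true"` could carry a comment that this is why the profile forces `profiles.containerd.enable`.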
modules/profiles/containerd.nixos.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.containerd;
+in
+{
+ options = {
+ profiles.containerd = {
+ enable = mkOption {
+ default = false;
+ description = "Enable containerd profile";
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.nur.repos.vdemeester.containerd;
+ description = "containerd package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ cniPackage = mkOption {
+ default = pkgs.cni;
+ description = "cni package to be used";
+ type = types.package;
+ };
+ cniPluginsPackage = mkOption {
+ default = pkgs.cni-plugins;
+ description = "cni-plugins package to be used";
+ type = types.package;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ cfg.cniPackage
+ cfg.cniPluginsPackage
+ cfg.package
+ cfg.runcPackage
+ ];
+ virtualisation = {
+ containerd = {
+ enable = true;
+ package = cfg.package;
+ packages = [ cfg.runcPackage ];
+ };
+ };
+ };
+}
modules/profiles/desktop.nixos.nix
@@ -0,0 +1,209 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.desktop;
+in
+{
+ options = {
+ profiles.desktop = {
+ enable = mkOption {
+ default = false;
+ description = "Enable desktop profile";
+ type = types.bool;
+ };
+ avahi = mkOption {
+ default = true;
+ description = "Enable avahi with the desktop profile";
+ type = types.bool;
+ };
+ pulseaudio = mkOption {
+ default = true;
+ description = "Enable pulseaudio with the desktop profile";
+ type = types.bool;
+ };
+ flatpak = mkOption {
+ default = true;
+ description = "Enable flatpak with the desktop profile";
+ type = types.bool;
+ };
+ syncthing = mkOption {
+ default = true;
+ description = "Enable syncthing with the desktop profile";
+ type = types.bool;
+ };
+ scanning = mkOption {
+ default = true;
+ description = "Enable scanning with the desktop profile";
+ type = types.bool;
+ };
+ printing = mkOption {
+ default = true;
+ description = "Enable printing with the desktop profile";
+ type = types.bool;
+ };
+ networkmanager = mkOption {
+ default = true;
+ description = "Enable networkmanager with the desktop profile";
+ type = types.bool;
+ };
+ autoLogin = mkOption {
+ default = false;
+ description = "Enable auto login";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.avahi.enable = cfg.avahi;
+ profiles.printing.enable = cfg.printing;
+ profiles.pulseaudio.enable = cfg.pulseaudio;
+ profiles.scanning.enable = cfg.scanning;
+ profiles.syncthing.enable = cfg.syncthing;
+
+ boot = {
+ tmpOnTmpfs = true;
+ plymouth.enable = true;
+ };
+
+ hardware.bluetooth.enable = true;
+
+ networking.networkmanager = {
+ enable = cfg.networkmanager;
+ unmanaged = [
+ "interface-name:ve-*"
+ "interface-name:veth*"
+ "interface-name:wg0"
+ "interface-name:docker0"
+ "interface-name:virbr*"
+ ];
+ packages = with pkgs; [ networkmanager-openvpn ];
+ };
+
+ programs.dconf.enable = true;
+ xdg.portal.enable = cfg.flatpak;
+
+ services = {
+ flatpak.enable = cfg.flatpak;
+ dbus.packages = [ pkgs.gnome3.dconf ];
+ xserver = {
+ enable = true;
+ enableTCP = false;
+ windowManager.twm.enable = true;
+ libinput.enable = true;
+ synaptics.enable = false;
+ layout = "fr(bepo),fr";
+ xkbVariant = "oss";
+ xkbOptions = "grp:menu_toggle,grp_led:caps,compose:caps";
+ inputClassSections = [
+ ''
+ Identifier "TypeMatrix"
+ MatchIsKeyboard "on"
+ MatchVendor "TypeMatrix.com"
+ MatchProduct "USB Keyboard"
+ Driver "evdev"
+ Option "XbkModel" "tm2030USB"
+ Option "XkbLayout" "fr"
+ Option "XkbVariant" "bepo"
+ ''
+ ''
+ Identifier "ErgoDox"
+ #MatchVendor "ErgoDox_EZ"
+ #MatchProduct "ErgoDox_EZ"
+ MatchIsKeyboard "on"
+ MatchUSBID "feed:1307"
+ Driver "evdev"
+ Option "XkbLayout" "fr"
+ Option "XkbVariant" "bepo"
+ ''
+ ];
+ displayManager = {
+ # defaultSession = "none+i3";
+ lightdm = {
+ enable = true;
+ autoLogin = {
+ enable = true;
+ user = "vincent";
+ };
+ };
+ };
+ };
+ };
+ fonts = {
+ enableFontDir = true;
+ enableGhostscriptFonts = true;
+ fonts = with pkgs; [
+ corefonts
+ dejavu_fonts
+ emojione
+ feh
+ fira
+ fira-code
+ fira-code-symbols
+ fira-mono
+ hasklig
+ inconsolata
+ iosevka
+ noto-fonts
+ noto-fonts-cjk
+ noto-fonts-emoji
+ noto-fonts-extra
+ overpass
+ symbola
+ source-code-pro
+ twemoji-color-font
+ ubuntu_font_family
+ unifont
+ ];
+ };
+
+ # Polkit.
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if ((action.id == "org.freedesktop.udisks2.filesystem-mount-system" ||
+ action.id == "org.freedesktop.udisks2.encrypted-unlock-system"
+ ) &&
+ subject.local && subject.active && subject.isInGroup("users")) {
+ return polkit.Result.YES;
+ }
+ var YES = polkit.Result.YES;
+ var permission = {
+ // required for udisks1:
+ "org.freedesktop.udisks.filesystem-mount": YES,
+ "org.freedesktop.udisks.luks-unlock": YES,
+ "org.freedesktop.udisks.drive-eject": YES,
+ "org.freedesktop.udisks.drive-detach": YES,
+ // required for udisks2:
+ "org.freedesktop.udisks2.filesystem-mount": YES,
+ "org.freedesktop.udisks2.encrypted-unlock": YES,
+ "org.freedesktop.udisks2.eject-media": YES,
+ "org.freedesktop.udisks2.power-off-drive": YES,
+ // required for udisks2 if using udiskie from another seat (e.g. systemd):
+ "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
+ "org.freedesktop.udisks2.filesystem-unmount-others": YES,
+ "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
+ "org.freedesktop.udisks2.eject-media-other-seat": YES,
+ "org.freedesktop.udisks2.power-off-drive-other-seat": YES
+ };
+ if (subject.isInGroup("wheel")) {
+ return permission[action.id];
+ }
+ });
+ '';
+
+ environment.systemPackages = with pkgs; [
+ cryptsetup
+ xlibs.xmodmap
+ xorg.xbacklight
+ xorg.xdpyinfo
+ xorg.xhost
+ xorg.xinit
+ xss-lock
+ xorg.xmessage
+ unzip
+ gnupg
+ pinentry
+ inxi
+ ];
+ };
+}
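Review bot: The `autoLogin` option is declared (default `false`) but never read: `lightdm.autoLogin.enable` is hard-coded to `true`, so every desktop host auto-logs-in as `vincent` regardless of the setting, and `desktop.autoLogin = true` in machines/wakasu.nixos.nix is a no-op. Change it to `enable = cfg.autoLogin;`. In the TypeMatrix input class, `Option "XbkModel" "tm2030USB"` looks like a typo for `XkbModel`, which the X server will silently ignore.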
modules/profiles/dev.nixos.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.dev;
+in
+{
+ options = {
+ profiles.dev = {
+ enable = mkOption {
+ default = false;
+ description = "Enable dev profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.git.enable = true;
+ environment.systemPackages = with pkgs; [
+ git
+ tig
+ grc
+ ripgrep
+ gnumake
+ ];
+ };
+}
modules/profiles/docker.nixos.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.docker;
+in
+{
+ options = {
+ profiles.docker = {
+ enable = mkOption {
+ default = false;
+ description = "Enable docker profile";
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.docker-edge;
+ description = "docker package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ profiles.containerd.enable = true;
+ virtualisation = {
+ docker = {
+ enable = true;
+ package = cfg.package;
+ liveRestore = false;
+ storageDriver = "overlay2";
+ extraOptions = "--experimental --add-runtime docker-runc=${cfg.runcPackage}/bin/runc --default-runtime=docker-runc --containerd=/run/containerd/containerd.sock";
+ };
+ };
+ environment.etc."docker/daemon.json".text = ''
+ {"features":{"buildkit": true}, "insecure-registries": ["172.30.0.0/16", "192.168.12.0/16", "massimo.home:5000", "r.svc.home:5000", "r.svc.home" ]}
+ '';
+ networking.firewall.trustedInterfaces = [ "docker0" ];
+ };
+}
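Review bot: `"192.168.12.0/16"` in `insecure-registries` has host bits set; Docker applies the /16 mask, so the entry covers 192.168.0.0/16 — the whole private range — rather than the 192.168.12.x network the literal suggests. Write the intended network explicitly (`192.168.12.0/24` or `192.168.0.0/16`) and add a comment on why these registries are allowed over plain HTTP, since image pulls from every host in that range then happen without TLS. `networking.firewall.trustedInterfaces = [ "docker0" ]` also deserves a one-line justification.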
modules/profiles/fish.nixos.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.fish;
+in
+{
+ options = {
+ profiles.fish = {
+ enable = mkOption {
+ default = false;
+ description = "Enable fish profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ programs.fish = {
+ enable = true;
+ promptInit = ''
+ source /etc/fish/functions/fish_prompt.fish
+ source /etc/fish/functions/fish_right_prompt.fish
+ '';
+ };
+ environment.etc."fish/functions/fish_prompt.fish".source = ./assets/fish/fish_prompt.fish;
+ environment.etc."fish/functions/fish_right_prompt.fish".source = ./assets/fish/fish_right_prompt.fish;
+ };
+}
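Review bot: `./assets/fish/fish_prompt.fish` resolves relative to this file, i.e. `modules/profiles/assets/fish/`, whereas modules/profiles/mail.nixos.nix reaches the shared assets with `../../assets/msmtprc`; unless a second assets directory exists under modules/profiles, both `source` paths should be `../../assets/fish/...`. Evaluation fails with a missing-path error otherwise, so it will surface quickly, but it is worth fixing before merging.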
modules/profiles/gaming.nixos.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.gaming;
+in
+{
+ options = {
+ profiles.gaming = {
+ enable = mkOption {
+ default = false;
+ description = "Enable gaming profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ hardware = {
+ opengl = {
+ driSupport32Bit = true;
+ };
+ };
+ services.udev.extraRules = ''
+ # Steam controller
+ SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
+ KERNEL=="uinput", MODE="0660", GROUP="users", OPTIONS+="static_node=uinput"
+ '';
+ environment.systemPackages = with pkgs; [ steam ];
+ };
+}
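Review bot: The rule `KERNEL=="uinput", MODE="0660", GROUP="users"` lets every member of `users` open `/dev/uinput` and create virtual input devices that feed events into any session on the machine, which is broader than Steam needs; a dedicated group with only the gaming account in it keeps that capability off ordinary accounts. The Steam-controller line `MODE="0666"` likewise makes the device world-writable, where `GROUP="users", MODE="0660"` would do. A comment naming the Steam feature that needs uinput would help future readers.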
modules/profiles/git.nixos.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.git;
+in
+{
+ options = {
+ profiles.git = {
+ enable = mkOption {
+ default = false;
+ description = "Enable git profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ gitAndTools.gitFull
+ gitAndTools.git-annex
+ gitAndTools.git-extras
+ ];
+ environment.etc."gitconfig" = rec { text = ''
+ [alias]
+ co = checkout
+ st = status
+ ci = commit --signoff
+ ca = commit --amend
+ b = branc --color -v
+ br = branch
+ unstage = reset HEAD
+ lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative
+ lga = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr)%Creset' --abbrev-commit --date=relative --branches --remotes
+ lol = log --pretty=oneline --abbrev-commit --graph --decorate
+ conflicts = !git ls-files --unmerged | cut -c51- | sort -u | xargs $EDITOR
+ resolve = !git ls-files --unmerged | cut -c51- | sort -u | xargs git add
+ [color]
+ branch = auto
+ diff = auto
+ status = auto
+ [color "branch"]
+ current = cyan reverse
+ local = cyan
+ remote = green
+ [color "diff"]
+ meta = white reverse
+ frag = magenta reverse
+ old = red
+ new = green
+ [color "status"]
+ added = green
+ changed = yellow
+ untracked = red
+ [core]
+ #excludesfile = ~/.gitignore.global
+ [push]
+ default = matching
+ [merge]
+ tool = vimdiff
+
+ [user]
+ name = Vincent Demeester
+ email = vincent@sbr.pm
+
+ [http]
+ cookiefile = /home/vincent/.gitcookies
+
+ [url "git@github.com:"]
+ pushInsteadOf = git://github.com/
+ '';
+ };
+ };
+}
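Review bot: The alias `b = branc --color -v` is a typo for `branch`, so `git b` fails. `rec { text = ''...'' }` uses `rec` without any self-reference; a plain attribute set is enough. This system-wide `/etc/gitconfig` also carries per-user settings (`[user]`, `[http] cookiefile = /home/vincent/.gitcookies`); those belong in the user's own config, otherwise every account on the host commits as Vincent and git looks for cookies in another user's home.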
modules/profiles/i18n.nixos.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.i18n;
+in
+{
+ options = {
+ profiles.i18n = {
+ enable = mkOption {
+ default = true;
+ description = "Enable i18n profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ console.keyMap = "fr-bepo";
+ console.font = "Lat2-Terminus16";
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
+ };
+}
modules/profiles/ipfs.nixos.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.ipfs;
+in
+{
+ options = {
+ profiles.ipfs = {
+ enable = mkOption {
+ default = false;
+ description = "Enable ipfs profile";
+ type = types.bool;
+ };
+ autoMount = mkOption {
+ default = true;
+ description = "Automount /ipfs and /ipns";
+ type = types.bool;
+ };
+ localDiscovery = mkOption {
+ default = true;
+ description = "Enable local discovery, switch profile to server if disable";
+ type = types.bool;
+ };
+ extraConfig = mkOption {
+ default = {
+ Datastore.StorageMax = "40GB";
+ };
+ description = "Extra ipfs daemon configuration";
+ type = types.attrs;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.ipfs = {
+ enable = true;
+ enableGC = true;
+ localDiscovery = cfg.localDiscovery;
+ autoMount = cfg.autoMount;
+ extraConfig = cfg.extraConfig;
+ };
+ };
+}
modules/profiles/laptop.nixos.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.laptop;
+in
+{
+ options = {
+ profiles.laptop = {
+ enable = mkOption {
+ default = false;
+ description = "Enable laptop profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 10;
+ "vm.dirty_ratio" = 25;
+ "vm.dirty_background_ratio" = 10;
+ "vm.dirty_writeback_centisecs" = 5000;
+ "vm.dirty_expire_centisecs" = 5000;
+ };
+ profiles.desktop.enable = true;
+ environment.systemPackages = with pkgs; [
+ lm_sensors
+ powertop
+ acpi
+ ];
+ };
+}
modules/profiles/mail.nixos.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ...}:
+
+with lib;
+let
+ cfg = config.profiles.mail;
+in
+{
+ options = {
+ profiles.mail = {
+ enable = mkOption {
+ default = true;
+ description = "Enable mail profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.etc."msmtprc".source = ../../assets/msmtprc;
+ environment.systemPackages = with pkgs; [ msmtp ];
+ };
+}
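Review bot: `environment.etc."msmtprc".source = ../../assets/msmtprc` on L1507 copies the file into the Nix store, which is world-readable, so any `password`/`passwordeval` secret inside that msmtprc is exposed to every local user, and the profile is enabled by default. If the file carries credentials, keep them out of the store: use `passwordeval` with a call to gpg/pass in the msmtprc, or install the file from a non-store path with a restrictive mode. I cannot see assets/msmtprc from this hunk, so this is to be confirmed against its contents.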
modules/profiles/nix-auto-update.nixos.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.nix-auto-update;
+in
+{
+ options = {
+ profiles.nix-auto-update = {
+ enable = mkOption {
+ default = true;
+ description = "Enable nix-auto-update profile";
+ type = types.bool;
+ };
+ autoUpgrade = mkOption {
+ default = true;
+ description = "Automatically try to upgrade the system";
+ type = types.bool;
+ };
+ dates = mkOption {
+ default = "weekly";
+ description = "Specification (in the format described by systemd.time(7)) of the time at which the auto-update will run. ";
+ type = types.str;
+ };
+ version = mkOption {
+ default = "20.03";
+ description = "System version (NixOS)";
+ type = types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable (
+ mkMerge [
+ {
+ system = {
+ stateVersion = cfg.version;
+ };
+ }
+ (
+ mkIf cfg.autoUpgrade {
+ systemd.services.nixos-update = {
+ description = "NixOS Upgrade";
+ unitConfig.X-StopOnRemoval = false;
+ restartIfChanged = false;
+ serviceConfig.Type = "oneshot";
+ environment = config.nix.envVars
+ // {
+ inherit (config.environment.sessionVariables) NIX_PATH;
+ HOME = "/root";
+ };
+ path = [ pkgs.gnutar pkgs.xz pkgs.git pkgs.gnumake config.nix.package.out pkgs.commonsCompress ];
+ script = ''
+ export PATH=/run/current-system/sw/bin
+ cd /etc/nixos/
+ git pull --autostash --rebase
+ /run/current-system/sw/bin/make update switch
+ '';
+ startAt = cfg.dates;
+ onFailure = [ "status-email-root@%n.service" ];
+ };
+ }
+ )
+ ]
+ );
+}
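Review bot: The scheduled unit runs `git pull --autostash --rebase` in /etc/nixos as root and then `make update switch` (L1566-L1568) with nothing verifying what was pulled, so anyone who can push to that remote or intercept the fetch gets root on every host with this default-enabled profile. Consider `git pull --autostash --rebase --verify-signatures` (or a `git verify-commit HEAD` before the switch) with the signing keys in root's keyring, and pinned host keys for the remote. Separately, `export PATH=/run/current-system/sw/bin` on L1565 replaces the `path = [...]` list declared on L1563, so the pinned gnutar/xz/git/nix are never used; prepend with `export PATH=/run/current-system/sw/bin:$PATH` or drop the export.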
modules/profiles/nix-config.nixos.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.nix-config;
+in
+{
+ options = {
+ profiles.nix-config = {
+ enable = mkOption {
+ default = true;
+ description = "Enable nix-config profile";
+ type = types.bool;
+ };
+ gcDates = mkOption {
+ default = "weekly";
+ description = "Specification (in the format described by systemd.time(7)) of the time at which the garbage collector will run. ";
+ type = types.str;
+ };
+ olderThan = mkOption {
+ default = "15d";
+ description = "Number of day to keep when garbage collect";
+ type = types.str;
+ };
+ buildCores = mkOption {
+ type = types.int;
+ default = 2;
+ example = 4;
+ description = ''
+ Maximum number of concurrent tasks during one build.
+ '';
+ };
+ localCaches = mkOption {
+ default = [ "http://nix.cache.home" ];
+ description = "List of local nix caches";
+ type = types.listOf types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ nix = {
+ buildCores = cfg.buildCores;
+ useSandbox = true;
+ gc = {
+ automatic = true;
+ dates = cfg.gcDates;
+ options = "--delete-older-than ${cfg.olderThan}";
+ };
+ # if hydra is down, don't wait forever
+ extraOptions = ''
+ connect-timeout = 20
+ build-cores = 0
+ '';
+ binaryCaches = cfg.localCaches ++ [
+ "https://cache.nixos.org/"
+ "https://r-ryantm.cachix.org"
+ "https://vdemeester.cachix.org"
+ "https://shortbrain.cachix.org"
+ ];
+ binaryCachePublicKeys = [
+ "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c="
+ "vdemeester.cachix.org-1:uCECG6so7v1rs77c5NFz2dCePwd+PGNeZ6E5DrkT7F0="
+ "shortbrain.cachix.org-1:dqXcXzM0yXs3eo9ChmMfmob93eemwNyhTx7wCR4IjeQ="
+ "mic92.cachix.org-1:gi8IhgiT3CYZnJsaW7fxznzTkMUOn1RY4GmXdT/nXYQ="
+ ];
+ trustedUsers = [ "root" "vincent" ];
+ };
+ nixpkgs = {
+ overlays = [
+ (import ../../overlays/sbr.overlay.nix)
+ (import ../../overlays/unstable.overlay.nix)
+ ];
+ config = {
+ allowUnfree = true;
+ packageOverrides = pkgs: {
+ nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
+ inherit pkgs;
+ };
+ };
+ };
+ };
+ };
+}
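Review bot: `builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz"` on L1655 has no `sha256`, so every evaluation pulls whatever master currently is, and the athens and govanityurl services in this commit default to packages from `pkgs.nur.repos.vdemeester`, so a moving upstream feeds binaries straight into root-started systemd units. Pin it: `nur = import (builtins.fetchTarball { url = "https://github.com/nix-community/NUR/archive/<rev>.tar.gz"; sha256 = "<hash>"; }) { inherit pkgs; };`. A comment next to `trustedUsers = [ "root" "vincent" ]` (L1645) would also help: a trusted user can hand arbitrary substituters and sandbox settings to the daemon and is effectively root-equivalent. The `mic92.cachix.org` key on L1643 has no matching URL in `binaryCaches`, presumably a leftover.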
modules/profiles/printing.nixos.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.printing;
+in
+{
+ options = {
+ profiles.printing = {
+ enable = mkOption {
+ default = false;
+ description = "Enable printing profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services = {
+ printing = {
+ enable = true;
+ drivers = [ pkgs.gutenprint ];
+ };
+ };
+ };
+}
modules/profiles/pulseaudio.nixos.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.pulseaudio;
+in
+{
+ options = {
+ profiles.pulseaudio = {
+ enable = mkOption {
+ default = false;
+ description = "Enable pulseaudio profile";
+ type = types.bool;
+ };
+ tcp = mkOption {
+ default = false;
+ description = "Enable pulseaudio tcp";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ hardware = {
+ pulseaudio = {
+ enable = true;
+ support32Bit = true;
+ zeroconf = {
+ discovery.enable = cfg.tcp;
+ publish.enable = cfg.tcp;
+ };
+ tcp = {
+ enable = cfg.tcp;
+ anonymousClients = {
+ allowAll = true;
+ allowedIpRanges = [ "127.0.0.1" "192.168.12.0/24" "10.0.0.0/24" ];
+ };
+ };
+ package = pkgs.pulseaudioFull;
+ };
+ };
+ sound.mediaKeys.enable = true;
+
+ security.pam.loginLimits = [
+ { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
+ { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
+ { domain = "@audio"; item = "nofile"; type = "-"; value = "99999"; }
+ ];
+
+ # spotify & pulseaudio
+ networking.firewall = {
+ allowedTCPPorts = [ 57621 57622 4713 ];
+ allowedUDPPorts = [ 57621 57622 ];
+ };
+ environment.systemPackages = with pkgs; [
+ apulse # allow alsa application to use pulse
+ pavucontrol # pulseaudio volume control
+ pasystray # systray application
+ playerctl
+ ];
+ # We assume xserver runs when pulseaudio does
+ services.xserver.displayManager.sessionCommands = "${pkgs.pasystray}/bin/pasystray &";
+ };
+}
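Review bot: The firewall rules on L1741-L1744 open TCP 4713 (the PulseAudio native protocol) unconditionally, even when `cfg.tcp` is false and nothing listens on it, and when it is true `anonymousClients.allowAll = true` lets hosts in the listed ranges use the sound server without a cookie. Gate the port on the option: `allowedTCPPorts = [ 57621 57622 ] ++ optional cfg.tcp 4713;`. Whether `allowAll` combines with or overrides `allowedIpRanges` depends on how the NixOS module renders `module-native-protocol-tcp`; worth confirming and stating the intended policy in a comment.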
modules/profiles/qemu.nixos.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ cfg = config.profiles.qemu-user;
+ arm = {
+ interpreter = "${pkgs.qemu-user-arm}/bin/qemu-arm";
+ magicOrExtension = ''\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+ aarch64 = {
+ interpreter = "${pkgs.qemu-user-arm64}/bin/qemu-aarch64";
+ magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+ riscv64 = {
+ interpreter = "${pkgs.qemu-riscv64}/bin/qemu-riscv64";
+ magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00'';
+ mask = ''\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff'';
+ };
+in {
+ options = {
+ profiles.qemu-user = {
+ arm = mkEnableOption "enable 32bit arm emulation";
+ aarch64 = mkEnableOption "enable 64bit arm emulation";
+ riscv64 = mkEnableOption "enable 64bit riscv emulation";
+ };
+ nix.supportedPlatforms = mkOption {
+ type = types.listOf types.str;
+ description = "extra platforms that nix will run binaries for";
+ default = [];
+ };
+ };
+ config = mkIf (cfg.arm || cfg.aarch64) {
+ nixpkgs = {
+ overlays = [ (import ../../overlays/qemu/default.nix) ];
+ };
+ boot.binfmt.registrations =
+ optionalAttrs cfg.arm { inherit arm; } //
+ optionalAttrs cfg.aarch64 { inherit aarch64; } //
+ optionalAttrs cfg.riscv64 { inherit riscv64; };
+ nix.supportedPlatforms = (optionals cfg.arm [ "armv6l-linux" "armv7l-linux" ])
+ ++ (optional cfg.aarch64 "aarch64-linux");
+ nix.extraOptions = ''
+ extra-platforms = ${toString config.nix.supportedPlatforms} i686-linux
+ '';
+ nix.sandboxPaths = [ "/run/binfmt" ] ++ (optional cfg.arm "${pkgs.qemu-user-arm}") ++ (optional cfg.aarch64 "${pkgs.qemu-user-arm64}");
+ };
+}
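Review bot: The `riscv64` option on L1782 is dead: the guard on L1790 is `mkIf (cfg.arm || cfg.aarch64)`, so enabling only riscv64 registers nothing, and even alongside arm the platform never reaches `nix.supportedPlatforms` (L1798-L1799) or `nix.sandboxPaths` (L1803), so sandboxed builds for it would fail. Change the guard to `config = mkIf (cfg.arm || cfg.aarch64 || cfg.riscv64) {`, append `++ (optional cfg.riscv64 "riscv64-linux")` to supportedPlatforms and `++ (optional cfg.riscv64 "${pkgs.qemu-riscv64}")` to sandboxPaths.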
modules/profiles/scanning.nixos.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.scanning;
+in
+{
+ options = {
+ profiles.scanning = {
+ enable = mkOption {
+ default = false;
+ description = "Enable scanning profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ saneFrontends
+ saneBackends
+ simple-scan
+ ];
+ hardware.sane = {
+ enable = true;
+ extraConfig = { "pixma" = "bjnp://192.168.12.70"; };
+ };
+ };
+}
modules/profiles/ssh.nixos.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.ssh;
+in
+{
+ options = {
+ profiles.ssh = {
+ enable = mkOption {
+ default = false;
+ description = "Enable ssh profile";
+ type = types.bool;
+ };
+ forwardX11 = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to allow X11 connections to be forwarded.
+ '';
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services = {
+ openssh = {
+ enable = true;
+ startWhenNeeded = false;
+ forwardX11 = cfg.forwardX11;
+ };
+ };
+ programs.mosh.enable = true;
+ };
+}
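Review bot: `services.openssh` on L1863-L1867 is enabled with the 20.03 defaults, which still allow password authentication, while the users profile in this same commit creates a wheel user with `initialPassword = "changeMe"`, so a host that enables this profile before the password is changed is reachable with a publicly known password. Add `passwordAuthentication = false; challengeResponseAuthentication = false; permitRootLogin = "no";` next to `startWhenNeeded`, since the user already gets `openssh.authorizedKeys`. Note also that `programs.mosh.enable = true` (L1869) opens UDP 60000-61000 in the firewall by default, which may be unexpected for a profile whose only stated option is X11 forwarding.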
modules/profiles/syncthing.nixos.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.syncthing;
+in
+{
+ options = {
+ profiles.syncthing = {
+ enable = mkOption {
+ default = false;
+ description = "Enable syncthing profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ services.syncthing = {
+ enable = true;
+ user = "vincent";
+ dataDir = "/home/vincent/.syncthing";
+ configDir = "/home/vincent/.syncthing";
+ openDefaultPorts = true;
+ };
+ };
+}
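Review bot: `user`, `dataDir` and `configDir` on L1893-L1895 hard-code `vincent` while the users profile in this commit exposes `profiles.users.user`; deriving them, `user = config.profiles.users.user; dataDir = "/home/${config.profiles.users.user}/.syncthing";`, keeps the two in step. `openDefaultPorts = true` opens 22000/TCP and 21027/UDP on every interface; fine for a LAN device but worth a one-line comment.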
modules/profiles/users.nixos.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.users;
+in
+{
+ options = {
+ profiles.users = {
+ enable = mkOption {
+ default = true;
+ description = "Enable users profile";
+ type = types.bool;
+ };
+ user = mkOption {
+ default = "vincent";
+ description = "Username to use when creating user";
+ type = types.str;
+ };
+ # add more options (like openssh keys and config)
+ };
+ };
+ config = mkIf cfg.enable {
+ users = {
+ extraUsers = {
+ ${cfg.user} = {
+ isNormalUser = true;
+ uid = 1000;
+ createHome = true;
+ extraGroups = [ "wheel" "input" ] ++ optionals config.profiles.desktop.enable ["audio" "video" "lp" "scanner" "networkmanager"]
+ ++ optionals config.profiles.docker.enable [ "docker" ]
+ ++ optionals config.profiles.buildkit.enable [ "buildkit" ]
+ ++ optionals config.profiles.virtualization.enable [ "libvirtd" "vboxusers" ];
+ shell = if config.programs.fish.enable then pkgs.fish else pkgs.zsh;
+ initialPassword = "changeMe";
+ openssh.authorizedKeys.keys =
+ with import ../../assets/machines.nix; [ ssh.yubikey.key ssh.yubikey5.key ssh.wakasu.key ssh.vincent.key ssh.houbeb.key ssh.hokkaido.key ssh.okinawa.key ];
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
+ };
+ };
+ };
+ programs.ssh.extraConfig = with import ../../assets/machines.nix; ''
+ Host kerkouane kerkouane.sbr.pm
+ Hostname kerkouane.sbr.pm
+ Port ${toString ssh.kerkouane.port}
+ Host kerkouane.vpn ${wireguard.ips.kerkouane}
+ Hostname ${wireguard.ips.kerkouane}
+ Port ${toString ssh.kerkouane.port}
+ Host carthage carthage.sbr.pm
+ Hostname carthage.sbr.pm
+ Port ${toString ssh.carthage.port}
+ Host carthage.vpn ${wireguard.ips.carthage}
+ Hostname ${wireguard.ips.carthage}
+ Port ${toString ssh.carthage.port}
+ Host hokkaido.vpn ${wireguard.ips.hokkaido}
+ Hostname ${wireguard.ips.hokkaido}
+ Host honshu.vpn ${wireguard.ips.honshu}
+ Hostname ${wireguard.ips.honshu}
+ Host okinawa.vpn ${wireguard.ips.okinawa}
+ Hostname ${wireguard.ips.okinawa}
+ Host wakasu.vpn ${wireguard.ips.wakasu}
+ Hostname ${wireguard.ips.wakasu}
+ '';
+ };
+}
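Review bot: `initialPassword = "changeMe"` on L1936 puts a publicly known password on the uid 1000 account that is also in `wheel` and, depending on other profiles, `docker` and `libvirtd`, both root-equivalent, and initialPassword is applied on the first activation of every new host. Prefer `hashedPassword` or `passwordFile` pointing outside the store, or at minimum comment that the password must be rotated before the ssh profile is enabled. `users.extraUsers` on L1926 is the deprecated alias for `users.users`. The `programs.ssh.extraConfig` host entries carry no host-key pinning; if assets/machines.nix has the public host keys, `programs.ssh.knownHosts` would pin them.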
modules/profiles/virtualization.nixos.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.virtualization;
+in
+{
+ options = {
+ profiles.virtualization = {
+ enable = mkOption {
+ default = false;
+ description = "Enable virtualization profile";
+ type = types.bool;
+ };
+ nested = mkOption {
+ default = false;
+ description = "Enable nested virtualization";
+ type = types.bool;
+ };
+ listenTCP = mkOption {
+ default = false;
+ description = "Make libvirt listen to TCP";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable (
+ mkMerge [
+ {
+ virtualisation.libvirtd = {
+ enable = true;
+ };
+ environment.systemPackages = with pkgs; [
+ qemu
+ vde2
+ libosinfo
+ ];
+ }
+ (
+ mkIf cfg.nested {
+ environment.etc."modprobe.d/kvm.conf".text = ''
+ options kvm_intel nested=1
+ '';
+ }
+ )
+ (
+ mkIf config.profiles.desktop.enable {
+ environment.systemPackages = with pkgs; [ virtmanager ];
+ }
+ )
+ (
+ mkIf cfg.listenTCP {
+ boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
+ virtualisation.libvirtd = {
+ allowedBridges = [ "br1" ];
+ extraConfig = ''
+ listen_tls = 0
+ listen_tcp = 1
+ auth_tcp="none"
+ tcp_port = "16509"
+ '';
+ # extraOptions = [ "--listen" ];
+ };
+ networking.firewall.allowedTCPPorts = [ 16509 ];
+ }
+ )
+ ]
+ );
+}
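Review bot: The `listenTCP` branch on L2021-L2034 configures libvirtd with `listen_tcp = 1` and `auth_tcp="none"` and opens 16509 on every interface, which hands unauthenticated control of libvirt, i.e. root on the host, to anyone who can reach the port. At least scope the port to the VPN, `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 16509 ];`, and use `auth_tcp = "sasl"` or TLS with client certificates instead of `none`. The `--listen` option on L2031 is commented out; depending on the libvirt version `listen_tcp` has no effect without it (or the `libvirtd-tcp.socket` unit), so the setting may silently not listen at all.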
modules/profiles/wireguard.server.nixos.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.wireguard.server;
+in
+{
+ options = {
+ profiles.wireguard.server = {
+ enable = mkOption {
+ default = false;
+ description = "Enable wireguard.server profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ '';
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.interfaces = with import ../../assets/machines.nix; {
+ "wg0" = {
+ ips = wireguard.kerkouane.allowedIPs;
+ listenPort = wg.listenPort;
+ privateKeyFile = "/etc/nixos/wireguard.private.key";
+ peers = wg.peers;
+ };
+ };
+ };
+}
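Review bot: `networking.firewall.extraCommands` on L2061-L2063 appends the MASQUERADE rule every time the firewall unit starts or reloads and never removes it, so each `nixos-rebuild switch` accumulates duplicate POSTROUTING entries; add a matching `extraStopCommands = "iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -j MASQUERADE 2>/dev/null || true";` or use `networking.nat` with `internalInterfaces = [ "wg0" ]`. The private key is read from `/etc/nixos/wireguard.private.key` (L2070), inside the git checkout that the auto-update profile pulls as root; make sure it is gitignored and mode 0600, or move it under /etc/wireguard or /var/lib. `-s10.100.0.0/24` works but `-s 10.100.0.0/24` reads better.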
modules/profiles/yubikey.nixos.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.yubikey;
+in
+{
+ options = {
+ profiles.yubikey = {
+ enable = mkOption {
+ default = false;
+ description = "Enable yubikey profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment = {
+ systemPackages = with pkgs; [
+ yubico-piv-tool
+ yubikey-personalization
+ yubioath-desktop
+ yubikey-manager
+ ];
+ };
+ services = {
+ pcscd.enable = true;
+ udev = {
+ packages = with pkgs; [ yubikey-personalization ];
+ extraRules = ''
+# Yubico YubiKey
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess", MODE="0660", GROUP="wheel"
+# ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+ '';
+ };
+ };
+ };
+}
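Review bot: The hidraw rule on L2109 relies on `TAG+="uaccess"`, but `services.udev.extraRules` is written to `99-local.rules`, which runs after `73-seat-late.rules` where uaccess ACLs are applied, so the tag is set too late to have any effect; only `MODE="0660", GROUP="wheel"` actually grants access, and it grants it to every wheel member rather than to the active seat. Either rely on the rules shipped by `yubikey-personalization` already listed in `services.udev.packages` (L2106), which I believe install before 73, or ship this rule from a package whose file sorts earlier. The commented-out rule on L2110 would `lock-sessions` for every session from a udev context; if revived it should target the user's session.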
modules/profiles/zsh.nixos.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.profiles.zsh;
+in
+{
+ options = {
+ profiles.zsh = {
+ enable = mkOption {
+ default = true;
+ description = "Enable zsh profile";
+ type = types.bool;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ programs.zsh = {
+ enable = true;
+ };
+ };
+}
modules/programs/podman.nixos.nix
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.programs.podman;
+
+in
+
+{
+ options = {
+ programs.podman = {
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to configure podman
+ '';
+ type = types.bool;
+ };
+ package = mkOption {
+ default = pkgs.podman;
+ description = "podman package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ conmonPackage = mkOption {
+ default = pkgs.conmon;
+ description = "conmon package to be used";
+ type = types.package;
+ };
+ cniPackage = mkOption {
+ default = pkgs.cni;
+ description = "cni package to be used";
+ type = types.package;
+ };
+ cniPluginsPackage = mkOption {
+ default = pkgs.cni-plugins;
+ description = "cni-plugins package to be used";
+ type = types.package;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ environment.etc."containers/libpod.conf".text = ''
+ image_default_transport = "docker://"
+ runtime_path = ["${cfg.runcPackage}/bin/runc"]
+ conmon_path = ["${cfg.conmonPackage}/bin/conmon"]
+ cni_plugin_dir = ["${cfg.cniPluginsPackage}/bin/"]
+ cgroup_manager = "systemd"
+ cni_config_dir = "/etc/cni/net.d/"
+ cni_default_network = "podman"
+ # pause
+ pause_image = "k8s.gcr.io/pause:3.1"
+ pause_command = "/pause"
+ '';
+
+ environment.etc."containers/registries.conf".text = ''
+ [registries.search]
+ registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
+
+ [registries.insecure]
+ registries = ['massimo.local:5000', '192.168.12.0/16']
+ '';
+
+ environment.etc."containers/policy.json".text = ''
+ {
+ "default": [
+ { "type": "insecureAcceptAnything" }
+ ]
+ }
+ '';
+
+ environment.etc."cni/net.d/87-podman-bridge.conflist".text = ''
+{
+ "cniVersion": "0.3.0",
+ "name": "podman",
+ "plugins": [
+ {
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+}
+ '';
+
+ environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage iptables ];
+
+ };
+}
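Review bot: `registries.insecure` on L2210 lists `192.168.12.0/16`, which CIDR semantics reduce to 192.168.0.0/16, so every host in the whole 192.168 range is trusted for plain-HTTP or unverified-TLS pulls; the rest of this commit uses 192.168.12.0/24 (pulseaudio, sane), so `'192.168.12.0/24'` is almost certainly what was meant. The `policy.json` on L2213-L2219 is `insecureAcceptAnything` for everything, which is podman's default but deserves a comment given unqualified names resolve to `docker.io` first (L2207). `cni_plugin_dir` on L2196 points at `${cfg.cniPluginsPackage}/bin/`; confirm that package installs plugins there rather than under libexec.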
modules/services/athens.nixos.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.athens;
+in
+{
+ options = {
+ services.athens = {
+ enable = mkEnableOption ''
+ Athens is a go module proxy
+ '';
+ package = mkOption {
+ type = types.package;
+ default = pkgs.nur.repos.vdemeester.athens;
+ description = ''
+ Athens package to use.
+ '';
+ };
+
+ user = mkOption {
+ type = types.str;
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "nogroup";
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ networking.firewall = {
+ allowedTCPPorts = [ 3000 ];
+ };
+ systemd.packages = [ cfg.package ];
+ environment.etc."athens/config.toml".text = ''
+ GoBinary = "${pkgs.go}/bin/go"
+ # what is that ?
+ GoEnv = "development"
+ GoGetWorkers = 30
+ ProtocolWorkers = 30
+ LogLevel = "debug"
+ BuffaloLogLevel = "debug"
+ Port = ":3000"
+ ForceSSL = false
+ CloudRuntime = "none"
+ Timeout = 300
+ StorageType = "disk"
+
+ [Storage]
+ [Storage.Disk]
+ RootPath = "/var/lib/athens"
+ '';
+ systemd.services.athens = {
+ description = "Athens service";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ mkdir -p /var/lib/athens
+ '';
+ environment = { HOME="/var/lib/athens"; };
+ serviceConfig = {
+ User = cfg.user;
+ Restart = "on-failure";
+ ExecStart = ''
+ ${cfg.package}/bin/proxy -config_file=/etc/athens/config.toml
+ '';
+ };
+ path = [ cfg.package ] ++ [ pkgs.go pkgs.git ];
+ };
+ };
+}
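Review bot: `preStart` on L2312-L2314 runs `mkdir -p /var/lib/athens` as `cfg.user` (no `PermissionsStartOnly`), so on a fresh host without that directory the unit fails with EACCES; replace it with `serviceConfig.StateDirectory = "athens";`, which creates and owns the directory for the service user. The config on L2290-L2307 ships `GoEnv = "development"` and `LogLevel = "debug"`, and L2287 opens 3000 on all interfaces; an unauthenticated module proxy reachable from anywhere lets any client make it fetch and store arbitrary modules, so consider scoping the port to the LAN/VPN interface. `user` (L2275) has no default and `group` (L2279) is never used by the unit.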
modules/services/govanityurl.nixos.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.govanityurl;
+in
+{
+ options = {
+ services.govanityurl = {
+ enable = mkEnableOption ''
+ govanityurl is a go canonical path server
+ '';
+ package = mkOption {
+ type = types.package;
+ default = pkgs.nur.repos.vdemeester.govanityurl;
+ description = ''
+ govanityurl package to use.
+ '';
+ };
+
+ user = mkOption {
+ type = types.str;
+ };
+
+ host = mkOption {
+ type = types.str;
+ };
+
+ config = mkOption {
+ type = types.lines;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.packages = [ cfg.package ];
+ environment.etc."govanityurl/config.yaml".text = ''
+ host: ${cfg.host}
+ ${cfg.config}
+ '';
+ systemd.services.govanityurl = {
+ description = "Govanity service";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = cfg.user;
+ Restart = "on-failure";
+ ExecStart = ''
+ ${cfg.package}/bin/vanityurl /etc/govanityurl/config.yaml
+ '';
+ };
+ path = [ cfg.package ];
+ };
+ };
+}
modules/services/nix-binary-cache.nixos.nix
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.nix-binary-cache;
+in
+{
+ options = {
+ services.nix-binary-cache = {
+ enable = mkOption {
+ default = false;
+ description = "Enable nix-binary-cache";
+ type = types.bool;
+ };
+ domain = mkOption {
+ description = "domain to serve";
+ type = types.str;
+ };
+ aliases = mkOption {
+ default = [];
+ description = "server aliases to serve";
+ type = types.listOf types.str;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443];
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ proxy_cache_path /var/public-nix-cache/ levels=1:2 keys_zone=cachecache:1200m max_size=20g inactive=365d use_temp_path=off;
+ # Cache only success status codes; in particular we don't want to cache 404s.
+ # See https://serverfault.com/a/690258/128321
+ map $status $cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ access_log logs/access.log;
+ '';
+ virtualHosts."${cfg.domain}" = {
+ serverAliases = cfg.aliases;
+ # enableACME = true;
+
+ locations."/" = {
+ root = "/var/public-nix-cache/";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $cache_header always;
+ # Ask the upstream server if a file isn't available locally
+ error_page 404 = @fallback;
+ '';
+ };
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver 8.8.8.8;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+ locations."@fallback" = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ proxy_cache cachecache;
+ proxy_cache_valid 200 302 60m;
+ expires max;
+ add_header Cache-Control $cache_header always;
+ '';
+ };
+ # We always want to copy cache.nixos.org's nix-cache-info file,
+ # and ignore our own, because `nix-push` by default generates one
+ # without `Priority` field, and thus that file by default has priority
+ # 50 (compared to cache.nixos.org's `Priority: 40`), which will make
+ # download clients prefer `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = {
+ # Note: This is duplicated with the `@fallback` above,
+ # would be nicer if we could redirect to the @fallback instead.
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ proxy_cache cachecache;
+ proxy_cache_valid 200 302 60m;
+ expires max;
+ add_header Cache-Control $cache_header always;
+ '';
+ };
+ };
+ };
+ };
+}
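Review bot: `proxyPass = "$upstream_endpoint"` on L2451 and L2467 fetches from https://cache.nixos.org without `proxy_ssl_verify on`, so the cache is filled over unverified TLS; narinfo signatures still protect NAR integrity on the clients, but the proxy itself will accept any MITM of the plain-DNS `resolver 8.8.8.8` (L2447). Add `proxy_ssl_server_name on; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` to both locations. Port 443 is opened on L2411 while `enableACME` is commented out and no `forceSSL`/`addSSL` is set, so nothing listens there; `access_log logs/access.log` on L2423 is a prefix-relative path that may not resolve under the NixOS nginx module.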
modules/services/wireguard.client.nixos.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.wireguard;
+in
+{
+ options = {
+ services.wireguard = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable a reverse SSH proxy.
+ '';
+ };
+ ips = mkOption {
+ type = with types; listOf str;
+ description = ''
+ The client IPs
+ '';
+ };
+ allowedIPs = mkOption {
+ default = [ "10.100.0.0/24" ];
+ type = with types; listOf str;
+ description = ''
+ The peer (server) allowedIPs
+ '';
+ };
+ endpoint = mkOption {
+ type = with types; str;
+ description = ''
+ The endpoint IP to target
+ '';
+ };
+ endpointPort = mkOption {
+ default = 51820;
+ type = with types; int;
+ description = ''
+ The endpoint Port to target
+ '';
+ };
+ endpointPublicKey = mkOption {
+ type = with types; str;
+ description = ''
+ The peer (server) public key
+ '';
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+ environment.systemPackages = [ pkgs.wireguard ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = cfg.ips;
+ privateKeyFile = "/etc/nixos/wireguard.private.key";
+ peers = [
+ {
+ publicKey = cfg.endpointPublicKey;
+ allowedIPs = cfg.allowedIPs;
+ endpoint = "${cfg.endpoint}:${toString cfg.endpointPort}";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
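Review bot: The `enable` description on L2493-L2495 reads "Whether to enable a reverse SSH proxy.", copied from another module; it should say `Whether to enable the WireGuard client interface.`. `networking.firewall.trustedInterfaces = [ "wg0" ]` on L2534 disables the firewall for everything arriving over the tunnel, which with the default `allowedIPs` of the whole 10.100.0.0/24 means every VPN peer sees all local services; if that is intended, say so in a comment. The private key path `/etc/nixos/wireguard.private.key` (L2539) sits inside the git checkout that the auto-update profile pulls as root; keep it gitignored and mode 0600.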
modules/virtualisation/buildkit.nixos.nix
@@ -0,0 +1,105 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.virtualisation.buildkitd;
+
+in
+{
+ ###### interface
+
+ options.virtualisation.buildkitd = {
+ enable =
+ mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ This option enables buildkitd
+ '';
+ };
+
+ listenOptions =
+ mkOption {
+ type = types.listOf types.str;
+ default = ["/run/buildkitd/buildkitd.sock"];
+ description =
+ ''
+ A list of unix and tcp buildkitd should listen to. The format follows
+ ListenStream as described in systemd.socket(5).
+ '';
+ };
+
+
+
+ package = mkOption {
+ default = pkgs.buildkitd;
+ type = types.package;
+ example = pkgs.buildkitd;
+ description = ''
+ Buildkitd package to be used in the module
+ '';
+ };
+
+ packages = mkOption {
+ type = types.listOf types.package;
+ default = [ pkgs.runc pkgs.git ];
+ description = "List of packages to be added to buildkitd service path";
+ };
+
+ extraOptions =
+ mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description =
+ ''
+ The extra command-line options to pass to
+ <command>buildkitd</command> daemon.
+ '';
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ users.groups = [
+ { name = "buildkit";
+ gid = 350;
+ }
+ ];
+ environment.systemPackages = [ cfg.package];
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.buildkitd = {
+ wants = [ "containerd.service" ];
+ after = [ "containerd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ ''
+ ${cfg.package}/bin/buildkitd \
+ ${cfg.extraOptions}
+ ''];
+ };
+ path = [cfg.package] ++ cfg.packages;
+ };
+
+
+ systemd.sockets.buildkitd = {
+ description = "Buildkitd Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.listenOptions;
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "buildkit";
+ };
+ };
+
+ };
+
+
+}
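Review bot: The socket on L2644-L2653 is `0660 root:buildkit` and buildkitd runs as root, so membership of the `buildkit` group (which the users profile grants automatically) is root-equivalent, exactly like `docker`; that deserves a comment on the group definition, e.g. `# NOTE: members can run arbitrary root containers through buildkitd; treat as root-equivalent`. `listenOptions` also accepts tcp addresses and nothing adds TLS flags, so any tcp listener would be unauthenticated. The list form of `users.groups` on L2620-L2624 is deprecated in favour of `users.groups.buildkit = { gid = 350; };`.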
modules/virtualisation/containerd.nixos.nix
@@ -0,0 +1,100 @@
+# Systemd services for containerd.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.virtualisation.containerd;
+
+in
+
+{
+ ###### interface
+
+ options.virtualisation.containerd = {
+ enable =
+ mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ This option enables containerd, a daemon that manages
+ linux containers.
+ '';
+ };
+
+ listenOptions =
+ mkOption {
+ type = types.listOf types.str;
+ default = ["/run/containerd/containerd.sock"];
+ description =
+ ''
+ A list of unix and tcp containerd should listen to. The format follows
+ ListenStream as described in systemd.socket(5).
+ '';
+ };
+
+ package = mkOption {
+ default = pkgs.containerd;
+ type = types.package;
+ example = pkgs.containerd;
+ description = ''
+ Containerd package to be used in the module
+ '';
+ };
+
+ packages = mkOption {
+ type = types.listOf types.package;
+ default = [ pkgs.runc ];
+ description = "List of packages to be added to containerd service path";
+ };
+
+ extraOptions =
+ mkOption {
+ type = types.separatedString " ";
+ default = "";
+ description =
+ ''
+ The extra command-line options to pass to
+ <command>containerd</command> daemon.
+ '';
+ };
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ cfg.package];
+ systemd.packages = [ cfg.package];
+
+ systemd.services.containerd = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = [
+ ""
+ ''
+ ${cfg.package}/bin/containerd \
+ ${cfg.extraOptions}
+ ''];
+ };
+ path = [cfg.package] ++ cfg.packages;
+ };
+
+
+ systemd.sockets.containerd = {
+ description = "Containerd Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.listenOptions;
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "root";
+ };
+ };
+
+ };
+
+
+}
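Review bot: `listenOptions` on L2688-L2697 accepts tcp addresses, but containerd's gRPC API has no authentication and nothing here adds TLS, so anything other than the unix socket exposes root-equivalent container control; either document `unix sockets only` in the description or validate the entries. The `ExecStart = [ "" ''...'' ]` reset on L2735-L2740 is the right way to override the packaged unit, but the trailing `\` followed by `${cfg.extraOptions}` leaves a dangling continuation when extraOptions is empty; systemd tolerates it, though `${cfg.package}/bin/containerd ${cfg.extraOptions}` on one line is cleaner.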
modules/module-list.nixos.nix
@@ -0,0 +1,41 @@
+{ pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware/sane-extra-config.nixos.nix
+ ./profiles/avahi.nixos.nix
+ ./profiles/base.nixos.nix
+ ./profiles/buildkit.nixos.nix
+ ./profiles/fish.nixos.nix
+ ./profiles/containerd.nixos.nix
+ ./profiles/desktop.nixos.nix
+ ./profiles/dev.nixos.nix
+ ./profiles/docker.nixos.nix
+ ./profiles/gaming.nixos.nix
+ ./profiles/git.nixos.nix
+ ./profiles/i18n.nixos.nix
+ ./profiles/ipfs.nixos.nix
+ ./profiles/laptop.nixos.nix
+ ./profiles/mail.nixos.nix
+ ./profiles/nix-config.nixos.nix
+ ./profiles/nix-auto-update.nixos.nix
+ ./profiles/printing.nixos.nix
+ ./profiles/pulseaudio.nixos.nix
+ ./profiles/qemu.nixos.nix
+ ./profiles/scanning.nixos.nix
+ ./profiles/ssh.nixos.nix
+ ./profiles/syncthing.nixos.nix
+ ./profiles/users.nixos.nix
+ ./profiles/virtualization.nixos.nix
+ ./profiles/wireguard.server.nixos.nix
+ ./profiles/yubikey.nixos.nix
+ ./profiles/zsh.nixos.nix
+ ./programs/podman.nixos.nix
+ ./services/athens.nixos.nix
+ ./services/govanityurl.nixos.nix
+ ./services/nix-binary-cache.nixos.nix
+ ./services/wireguard.client.nixos.nix
+ ./virtualisation/buildkit.nixos.nix
+ ./virtualisation/containerd.nixos.nix
+ ];
+}
overlays/sbr.overlay.nix
@@ -0,0 +1,8 @@
+self: super: {
+ vrsync = import ../pkgs/vrsync {
+ inherit (self) stdenv lib;
+ };
+ vde-thinkpad = import ../pkgs/vde-thinkpad {
+ inherit (self) stdenv lib;
+ };
+}
overlays/unstable.overlay.nix
@@ -0,0 +1,9 @@
+_: _: let
+ unstableTarball = fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz;
+ unstable = import unstableTarball { overlays = []; };
+in {
+ inherit (unstable)
+ # cachix
+ #git
+ ;
+}
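Review bot: `fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz` on L2817 is unpinned, and the nixpkgs-channels repository has since been archived, so the moment any attribute in the `inherit` list is uncommented the overlay will pull a moving, unverified tree at evaluation time. Pin it with `fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz"; sha256 = "<hash>"; }`. As written nothing is inherited, so the fetch is never forced.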
pkgs/vde-thinkpad/default.nix
@@ -0,0 +1,14 @@
+{ stdenv, lib }:
+
+stdenv.mkDerivation rec {
+ name = "vde-thinkpad";
+ src = ./.;
+
+ phases = [ "install" ];
+
+ install = ''
+ mkdir -p $out/bin
+ cp $src/dock $out/bin
+ chmod +x $out/bin/dock
+ '';
+}
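Review bot: `phases = [ "install" ]` with a custom `install` attribute skips the standard phases, including `fixupPhase`, so `patchShebangs` never runs and the installed script keeps its `#!/usr/bin/env bash` line instead of a store path to bash; the same pattern is in `pkgs/vrsync/default.nix`. Using the conventional `installPhase` name and keeping the fixup phase, or producing the script with `writeShellScriptBin`, would give a self-contained executable. `lib` is taken as an input but not used in either derivation, and `src = ./.` copies the whole package directory (including `default.nix`) into the store when only the script is needed.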
pkgs/vde-thinkpad/dock
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+export DISPLAY=":0.0"
+export XAUTHORITY=/home/vincent/.Xauthority
+xmessage dock
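Review bot: `XAUTHORITY=/home/vincent/.Xauthority` and `DISPLAY=":0.0"` are hard-coded, so the script only works for that one user on the first display and fails silently from any other session or when the cookie file is absent. A guard such as `[[ -r "$XAUTHORITY" ]] || exit 1` would at least make the failure visible in the journal, and taking the user or home directory from a variable would make the package reusable. If this runs from a udev `RUN+=` hook, as the package name suggests, note that `xmessage` blocks until dismissed and udev kills hook processes once event handling finishes, so handing off to a user service is the usual approach.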
pkgs/vrsync/default.nix
@@ -0,0 +1,14 @@
+{ stdenv, lib }:
+
+stdenv.mkDerivation rec {
+ name = "vrsync";
+ src = ./.;
+
+ phases = [ "install" ];
+
+ install = ''
+ mkdir -p $out/bin
+ cp $src/vrsync $out/bin
+ chmod +x $out/bin/vrsync
+ '';
+}
pkgs/vrsync/foo
@@ -0,0 +1,1 @@
+/home/vincent/desktop/documents/ vincent@synodine.local:/volume1/documents/
\ No newline at end of file
pkgs/vrsync/vrsync
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Look for /etc/vrsync.conf
+# For each line run rsync with on source:target
+# and some specials cases
+CONF=${CONF:-/etc/vrsync}
+
+cmd="rsync -ave ssh --progress --size-only --delete --exclude='*~' --exclude=.stfolder"
+test -e $CONF || {
+ echo "$CONF does not exists, bailing…"
+ exit 1
+}
+
+while IFS='' read -r line || [[ -n "$line" ]]; do
+ $cmd $line $@
+done < "$CONF"
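Review bot: `cmd="rsync ... --exclude='*~' ..."` stores the single quotes literally, so when `$cmd` is expanded unquoted on the `$cmd $line $@` line rsync receives the pattern `'*~'` including the quotes and backup files are not excluded; the same unquoted expansion also word-splits and glob-expands every field of `$line` and every argument in `$@`, and `test -e $CONF` is unquoted as well. Build the command as an array and split the config line explicitly with `read -r -a`, which keeps the intended whitespace split without pathname expansion. The header comment names `/etc/vrsync.conf` while the default is `/etc/vrsync`; one of the two should change. Because the script passes `--delete`, a mis-split line would remove data at whatever path ends up as the destination, so tightening the parsing is worth doing.
```bash
cmd=(rsync -ave ssh --progress --size-only --delete --exclude='*~' --exclude=.stfolder)
test -e "$CONF" || {
  echo "$CONF does not exist, bailing…"
  exit 1
}

while IFS='' read -r line || [[ -n "$line" ]]; do
  # split the config line on whitespace without glob expansion
  read -r -a fields <<<"$line"
  "${cmd[@]}" "${fields[@]}" "$@"
done < "$CONF"
```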
pkgs/default.nix
@@ -1,8 +1,8 @@
{ system ? builtins.currentSystem }:
-
let
pkgs = import <nixpkgs> { inherit system; };
-in rec {
+in
+rec {
scripts = import ./scripts {
inherit (pkgs) stdenv;
};
@@ -10,4 +10,10 @@ in rec {
inherit (pkgs) stdenv lib fetchFromGitHub;
};
+ vrsync = import ./vrsync {
+ inherit (pkgs) stdenv lib;
+ };
+ vde-thinkpad = import ./vde-thinkpad {
+ inherit (pkgs) stdenv lib;
+ };
}
configuration.nix
@@ -4,14 +4,14 @@
let
hostName = "${builtins.readFile ./hostname}";
in
-rec {
+{
imports = [
# Generated hardware configuration
./hardware-configuration.nix
# Default profile with default configuration
- ./modules/module-list.nix
+ ./modules/module-list.nixos.nix
# Machine specific configuration files
- (./machine + "/${hostName}.nix")
+ (./machines + "/${hostName}.nixos.nix")
];
networking.hostName = "${hostName}";
home.nix
@@ -4,7 +4,7 @@
let
hostName = "${builtins.readFile ./hostname}";
in
-rec {
+{
imports = [
# Default profile with default configuration
./modules/module-list.nix