From 0f61799a35670f49d2b386952827330ea3085cdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?=
Date: Mon, 27 Feb 2023 11:56:37 +0900
Subject: [PATCH] chore: cleaned up configuration feat: Added LAN config for kaist
---
 configuration.nix | 111 +++--------------------------------------
 flake.lock | 24 ++++-----
 modules/networking.nix | 34 +++++++++++++
 modules/nix.nix | 44 ++++++++++++++++
 modules/rekey.nix | 37 +++++---------
 modules/xserver.nix | 24 +++++++++
 secrets/koreaIP.age | 14 ++++++
 7 files changed, 147 insertions(+), 141 deletions(-)
 create mode 100644 modules/networking.nix
 create mode 100644 modules/nix.nix
 create mode 100644 modules/xserver.nix
 create mode 100644 secrets/koreaIP.age
diff --git a/configuration.nix b/configuration.nix
index d49ef89..5276b29 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,6 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
 {
 config,
 pkgs,
@@ -20,6 +17,9 @@ in {
 ./modules/nvidia.nix
 ./modules/wireguard.nix
 ./modules/smb-mounts.nix
+ ./modules/networking.nix
+ ./modules/nix.nix
+ ./modules/xserver.nix
 ];
 # Use the systemd-boot EFI boot loader.
@@ -29,40 +29,8 @@ in {
 networking.hostName = "patricknix"; # Define your hostname.
 networking.hostId = "68438432";
- networking.extraHosts = ''
- 10.0.0.1 paperless.lel.lol
- '';
-
- # Identities with which all secrets are encrypted
- rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
-
- rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
-
- networking.wireless.iwd.enable = true;
- rekey.secrets.eduroam = {
- file = ./secrets/iwd/eduroam.8021x.age;
- path = "/etc/iwd/eduroam.8021x";
- };
- rekey.secrets.devoloog = {
- file = ./secrets/iwd/devolo-og.psk.age;
- path = "/etc/iwd/devolo-og.psk";
- };
-
- networking.useNetworkd = true;
- networking.dhcpcd.enable = false;
- # Should remain enabled since nscd from glibc is kinda ass
- services.nscd.enableNsncd = true;
- systemd.network.wait-online.anyInterface = true;
- services.resolved = {
- enable = true;
- };
- # Set your time zone.
- time.timeZone = "Europe/Berlin";
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+ time.timeZone = "Asia/Seoul";
 # Select internationalisation properties.
 i18n.defaultLocale = "C.UTF-8";
@@ -71,27 +39,10 @@ in {
 packages = with pkgs; [terminus_font];
 useXkbConfig = true; # use xkbOptions in tty.
 };
+ # Identities with which all secrets are encrypted
+ rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
- # Configure keymap in X11
- services.xserver = {
- enable = true;
- displayManager.startx.enable = true;
- layout = "de";
- xkbVariant = "bone";
- autoRepeatDelay = 235;
- autoRepeatInterval = 60;
- videoDrivers = ["modesetting"];
- libinput = {
- enable = true;
- mouse.accelProfile = "flat";
- touchpad = {
- accelProfile = "flat";
- naturalScrolling = true;
- };
- };
- };
- services.autorandr.enable = true;
- services.physlock.enable = true;
+ rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
 hardware.opengl.enable = true;
@@ -178,11 +129,6 @@ in {
 services.pcscd.enable = true;
 services.fstrim.enable = true;
 hardware.cpu.intel.updateMicrocode = true;
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- networking.firewall.enable = false;
 services.udev.packages = with pkgs; [yubikey-personalization libu2f-host];
@@ -191,47 +137,4 @@ in {
 export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
 umask 077
 '';
-
- # Copy the NixOS configuration file and link it from the resulting system
- # (/run/current-system/configuration.nix). This is useful in case you
- # accidentally delete configuration.nix.
- # breaks flake based building
- # system.copySystemConfiguration = true;
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "23.05"; # Did you read the comment?
-
- nix = {
- settings = {
- auto-optimise-store = true;
- allowed-users = ["@wheel"];
- trusted-users = ["root" "@wheel"];
- system-features = ["recursive-nix"];
- substituters = [
- "https://nix-config.cachix.org"
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- cores = 0;
- max-jobs = "auto";
- };
- daemonCPUSchedPolicy = "batch";
- daemonIOSchedPriority = 5;
- distributedBuilds = true;
- extraOptions = ''
- builders-use-substitutes = true
- experimental-features = nix-command flakes recursive-nix
- flake-registry = /etc/nix/registry.json
- '';
- optimise.automatic = true;
- gc.automatic = true;
- };
 }
diff --git a/flake.lock b/flake.lock
index fbf0f0a..1d5ab88 100644
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
 ]
 },
 "locked": {
- "lastModified": 1676599101,
- "narHash": "sha256-CKS6UsOGhoNxGDBt9wyFiWHvtng/+BMAJ4G8ahhe1DE=",
+ "lastModified": 1677247280,
+ "narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "de657061b13cf329c57a1a9730a5049a971b40b3",
+ "rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1",
 "type": "github"
 },
 "original": {
@@ -103,11 +103,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1676367705,
- "narHash": "sha256-un5UbRat9TwruyImtwUGcKF823rCEp4fQxnsaLFL7CM=",
+ "lastModified": 1677400245,
+ "narHash": "sha256-+/oDZltWUhYFYcIRjH0F5lSNWcBj+4o5kzmDSheiLRw=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "da72e6fc6b7dc0c3f94edbd310aae7cd95c678b5",
+ "rev": "693d76eeb84124cc3110793ff127aeab3832f95c",
 "type": "github"
 },
 "original": {
@@ -118,11 +118,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1676569297,
- "narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=",
+ "lastModified": 1677342105,
+ "narHash": "sha256-kv1fpkfCJGb0M+LZaCHFUuIS9kRIwyVgupHu86Y28nc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ac1f5b72a9e95873d1de0233fddcb56f99884b37",
+ "rev": "b1f87ca164a9684404c8829b851c3586c4d9f089",
 "type": "github"
 },
 "original": {
@@ -161,11 +161,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1676513100,
- "narHash": "sha256-MK39nQV86L2ag4TmcK5/+r1ULpzRLPbbfvWbPvIoYJE=",
+ "lastModified": 1677160285,
+ "narHash": "sha256-tBzpCjMP+P3Y3nKLYvdBkXBg3KvTMo3gvi8tLQaqXVY=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "5f0cba88ac4d6dd8cad5c6f6f1540b3d6a21a798",
+ "rev": "2bd861ab81469428d9c823ef72c4bb08372dd2c4",
 "type": "github"
 },
 "original": {
diff --git a/modules/networking.nix b/modules/networking.nix
new file mode 100644
index 0000000..c86756b
--- /dev/null
+++ b/modules/networking.nix
@@ -0,0 +1,34 @@
+{
+ networking.wireless.iwd.enable = true;
+ rekey.secrets.eduroam = {
+ file = ../secrets/iwd/eduroam.8021x.age;
+ path = "/etc/iwd/eduroam.8021x";
+ };
+ rekey.secrets.devoloog = {
+ file = ../secrets/iwd/devolo-og.psk.age;
+ path = "/etc/iwd/devolo-og.psk";
+ };
+
+ networking.useNetworkd = true;
+ networking.dhcpcd.enable = false;
+ # Should remain enabled since nscd from glibc is kinda ass
+ services.nscd.enableNsncd = true;
+ systemd.network.wait-online.anyInterface = true;
+ # Fuck korea.
+ # I need a static global IP address for my dorm LAN
+ # So to not dox myself this config file is hardcoded
+ rekey.secrets.enp0s20f0u2u4 = {
+ file = ../secrets/koreaIP.age;
+ path = "/etc/systemd/network/enp0s20f0u2u4.network";
+ };
+ services.resolved = {
+ enable = true;
+ };
+ # Add the VPN based route to my paperless instance to
+ # etc/hosts
+ networking.extraHosts = ''
+ 10.0.0.1 paperless.lel.lol
+ '';
+
+ networking.firewall.enable = false;
+}
diff --git a/modules/nix.nix b/modules/nix.nix
new file mode 100644
index 0000000..ecfb0aa
--- /dev/null
+++ b/modules/nix.nix
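Review bot: `networking.firewall.enable = false;` at the end of the new module leaves every listening service reachable on the interface that, per the comment above `rekey.secrets.enp0s20f0u2u4`, now carries a static global IP, so the default-deny firewall is the only thing that would have stood between inbound traffic and whatever is bound on the host. Prefer `networking.firewall.enable = true;` and list just the ports that must be reachable (for example the WireGuard listen port, if modules/wireguard.nix sets one) in `networking.firewall.allowedUDPPorts`. Separately, the secret is placed at `/etc/systemd/network/enp0s20f0u2u4.network`, but systemd-networkd runs unprivileged as the `systemd-network` user; if agenix's default root-only 0400 mode applies, the unit is silently ignored and the static address never comes up. Since rekey.nix forwards these attribute sets to `age.secrets`, adding `group = "systemd-network"; mode = "0440";` to that entry should fix it — confirm the defaults against the pinned agenix revision.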
@@ -0,0 +1,44 @@
+{
+ nix = {
+ settings = {
+ auto-optimise-store = true;
+ allowed-users = ["@wheel"];
+ trusted-users = ["root" "@wheel"];
+ system-features = ["recursive-nix"];
+ substituters = [
+ "https://nix-config.cachix.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ cores = 0;
+ max-jobs = "auto";
+ };
+ daemonCPUSchedPolicy = "batch";
+ daemonIOSchedPriority = 5;
+ distributedBuilds = true;
+ extraOptions = ''
+ builders-use-substitutes = true
+ experimental-features = nix-command flakes recursive-nix
+ flake-registry = /etc/nix/registry.json
+ '';
+ optimise.automatic = true;
+ gc.automatic = true;
+ };
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # breaks flake based building
+ # system.copySystemConfiguration = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
diff --git a/modules/rekey.nix b/modules/rekey.nix
index 7032c49..46efc67 100644
--- a/modules/rekey.nix
+++ b/modules/rekey.nix
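Review bot: `trusted-users = ["root" "@wheel"];` makes every wheel member a trusted user of the Nix daemon, which is a wider grant than wheel's sudo membership suggests: trusted users can hand the daemon extra substituters and trusted public keys and import unsigned store paths, so the daemon treats them as root-equivalent. If per-user substituter overrides are not needed, drop `"@wheel"` from that line and keep `allowed-users = ["@wheel"];`, which still lets wheel build normally; if they are needed, a comment such as `# trusted-users is root-equivalent for the daemon; kept so wheel can add substituters` would stop the line being copied without thought. On style, `system.stateVersion` is a NixOS release pin rather than a nix-daemon setting, so its long explanatory comment reads oddly inside modules/nix.nix; keeping it in configuration.nix would make it easier to find.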
@@ -6,31 +6,6 @@
 options,
 ...
 }: {
- config = with lib; let
- secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
- drv = import ./rekey-drv.nix pkgs config;
- in
- mkIf (config.rekey.secrets != {}) {
- # export all secrets to agenix with rewritten path from rekey
- age = {
- secrets = let
- secretPath = "${drv}/";
- newPath = x: "${secretPath}/${x}.age";
- in
- mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
- };
-
- # Warn if rekey has to been executed
- # use the drvPath to prevent nix from building the derivation in this step
- # drvPath is not outPath so this warning does not work
- # to fix it you would need some kind of way to access the outPath without evaluating the derivation
- #warnings = optional ( ! pathExists (removeSuffix ".drv" drv.drvPath)) ''
- # Path ${drv.drvPath}
- # Rekeyed secrets not available.
- # Maybe you forgot to run "nix run '.#rekey'" to rekey them?
- #'';
- };
-
 options = with lib; {
 rekey.secrets = options.age.secrets;
 rekey.pubKey = mkOption {
@@ -53,4 +28,16 @@
 '';
 };
 };
+
+ config = with lib; let
+ secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
+ drv = import ./rekey-drv.nix pkgs config;
+ in
+ mkIf (config.rekey.secrets != {}) {
+ # export all secrets to agenix with rewritten path from rekey
+ age.secrets = let
+ newPath = x: "${drv}/${x}.age";
+ in
+ mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
+ };
 }
diff --git a/modules/xserver.nix b/modules/xserver.nix
new file mode 100644
index 0000000..878397c
--- /dev/null
+++ b/modules/xserver.nix
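Review bot: `secretFiles` in the relocated `let` of the second hunk is bound but never used — only `drv` is referenced in the `mkIf` body — so it is dead code that still walks every secret with `mapAttrsToList` on each evaluation; drop the line `secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;` unless rekey-drv.nix is meant to receive it. The `newPath` rewrite now yields `${drv}/<name>.age` instead of the old double-slash form, which is the real improvement here and deserves a one-line comment, e.g. `# each secret is read from the rekeyed derivation output, keyed by its attribute name`. The enclosing module function starts before the first hunk and the `options` block between the hunks is only partly visible.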
@@ -0,0 +1,24 @@
+{
+ # Configure keymap in X11
+ services.xserver = {
+ enable = true;
+ displayManager.startx.enable = true;
+ layout = "de";
+ xkbVariant = "bone";
+ autoRepeatDelay = 235;
+ autoRepeatInterval = 60;
+ videoDrivers = ["modesetting"];
+ libinput = {
+ enable = true;
+ mouse.accelProfile = "flat";
+ touchpad = {
+ accelProfile = "flat";
+ accelSpeed = "0.5";
+ naturalScrolling = true;
+ disableWhileTyping = true;
+ };
+ };
+ };
+ services.autorandr.enable = true;
+ services.physlock.enable = true;
+}
diff --git a/secrets/koreaIP.age b/secrets/koreaIP.age
new file mode 100644
index 0000000..2215a5e
--- /dev/null
+++ b/secrets/koreaIP.age
@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> X25519 3J4C1gErVk61rhDZ2V8wNRQhOz4gZQ+kUnF0w4bacTM
+e6YK/xDjXtTTJL5wSbZ+xzhuGodu2OJeTw3u4hJ2Oik
+-> piv-p256 XTQkUA A0GdsIHUCWBXggnSZj0XGHDQk3OsTH9WB7nNzhZJnwj/
+j5bCq50HjIqPp1jTsyX6WfEBNooyq8ovMkYEzrn33CQ
+-> piv-p256 ZFgiIw AkhhWD/yOroM1ttX1PNAi6Fss1Nqm7pJHB4micU5IfsI
+kTB28H46jvtCYF7u7PoN02kQof41ycuZbSQh6UWz57Y
+-> "\s0YT#-grease 3YP75@.
+aqpRxhJHTMQsvjgPW1bqZSD7YgOX9fw+VNUW+KURv6cV+gLYZeoecFruJXchA60E
+9efPuI8vUfNxmYzPQChsqxqDdzwc5wg0u+ZrwSaz
+--- M/B7EHfz8B63cqQ/zQwO64Pqo5ewYx2nqBoLZdtuGbY
+$M:-u/6[PеЉXH&̝͢w/^~*Q޾-v`8
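Review bot: The touchpad block in the new module is not a pure move — `accelSpeed = "0.5";` and `disableWhileTyping = true;` do not appear in the block removed from configuration.nix — yet the commit subject only describes a cleanup, so a later reader bisecting an input-behaviour change will not expect to find it here. Either split those two lines into their own commit or name them in the message; at minimum a comment such as `# accelSpeed/disableWhileTyping added while moving this out of configuration.nix` above `touchpad = {` would keep the history honest. The secrets/koreaIP.age hunk on this line is an encrypted blob and needs no review beyond the permissions point raised on modules/networking.nix.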