patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

chore: cleaned up configuration

Browse source 
feat: Added LAN config for kaist
This commit is contained in:
Patrick Großmann 2023-02-27 11:56:37 +09:00
parent aa567d0578
commit 0f61799a35
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
7 changed files with 147 additions and 141 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

111
configuration.nix
View file

@ -1,6 +1,3 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
@ -20,6 +17,9 @@ in {
./modules/nvidia.nix
./modules/wireguard.nix
./modules/smb-mounts.nix
./modules/networking.nix
./modules/nix.nix
./modules/xserver.nix
];
# Use the systemd-boot EFI boot loader.
@ -29,40 +29,8 @@ in {
networking.hostName = "patricknix"; # Define your hostname.
networking.hostId = "68438432";
networking.extraHosts = ''
10.0.0.1 paperless.lel.lol
'';
# Identities with which all secrets are encrypted
rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
networking.wireless.iwd.enable = true;
rekey.secrets.eduroam = {
file = ./secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
rekey.secrets.devoloog = {
file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
networking.useNetworkd = true;
networking.dhcpcd.enable = false;
# Should remain enabled since nscd from glibc is kinda ass
services.nscd.enableNsncd = true;
systemd.network.wait-online.anyInterface = true;
services.resolved = {
enable = true;
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
time.timeZone = "Asia/Seoul";
# Select internationalisation properties.
i18n.defaultLocale = "C.UTF-8";
@ -71,27 +39,10 @@ in {
packages = with pkgs; [terminus_font];
useXkbConfig = true; # use xkbOptions in tty.
};
# Identities with which all secrets are encrypted
rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
# Configure keymap in X11
services.xserver = {
enable = true;
displayManager.startx.enable = true;
layout = "de";
xkbVariant = "bone";
autoRepeatDelay = 235;
autoRepeatInterval = 60;
videoDrivers = ["modesetting"];
libinput = {
enable = true;
mouse.accelProfile = "flat";
touchpad = {
accelProfile = "flat";
naturalScrolling = true;
};
};
};
services.autorandr.enable = true;
services.physlock.enable = true;
rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
hardware.opengl.enable = true;
@ -178,11 +129,6 @@ in {
services.pcscd.enable = true;
services.fstrim.enable = true;
hardware.cpu.intel.updateMicrocode = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
services.udev.packages = with pkgs; [yubikey-personalization libu2f-host];
@ -191,47 +137,4 @@ in {
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
umask 077
'';
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# breaks flake based building
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
nix = {
settings = {
auto-optimise-store = true;
allowed-users = ["@wheel"];
trusted-users = ["root" "@wheel"];
system-features = ["recursive-nix"];
substituters = [
"https://nix-config.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
cores = 0;
max-jobs = "auto";
};
daemonCPUSchedPolicy = "batch";
daemonIOSchedPriority = 5;
distributedBuilds = true;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes recursive-nix
flake-registry = /etc/nix/registry.json
'';
optimise.automatic = true;
gc.automatic = true;
};
}

24
flake.lock
View file

@ -8,11 +8,11 @@
]
},
"locked": {
"lastModified": 1676599101,
"narHash": "sha256-CKS6UsOGhoNxGDBt9wyFiWHvtng/+BMAJ4G8ahhe1DE=",
"lastModified": 1677247280,
"narHash": "sha256-sa+8MtoAOSLsWP9vf0qiJUyMovIEYgDzHE8TkoK04Hk=",
"owner": "ryantm",
"repo": "agenix",
"rev": "de657061b13cf329c57a1a9730a5049a971b40b3",
"rev": "833f87c8ff574a29aea3e091045cbaed3cf86bc1",
"type": "github"
},
"original": {
@ -103,11 +103,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1676367705,
"narHash": "sha256-un5UbRat9TwruyImtwUGcKF823rCEp4fQxnsaLFL7CM=",
"lastModified": 1677400245,
"narHash": "sha256-+/oDZltWUhYFYcIRjH0F5lSNWcBj+4o5kzmDSheiLRw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "da72e6fc6b7dc0c3f94edbd310aae7cd95c678b5",
"rev": "693d76eeb84124cc3110793ff127aeab3832f95c",
"type": "github"
},
"original": {
@ -118,11 +118,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1676569297,
"narHash": "sha256-2n4C4H3/U+3YbDrQB6xIw7AaLdFISCCFwOkcETAigqU=",
"lastModified": 1677342105,
"narHash": "sha256-kv1fpkfCJGb0M+LZaCHFUuIS9kRIwyVgupHu86Y28nc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ac1f5b72a9e95873d1de0233fddcb56f99884b37",
"rev": "b1f87ca164a9684404c8829b851c3586c4d9f089",
"type": "github"
},
"original": {
@ -161,11 +161,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1676513100,
"narHash": "sha256-MK39nQV86L2ag4TmcK5/+r1ULpzRLPbbfvWbPvIoYJE=",
"lastModified": 1677160285,
"narHash": "sha256-tBzpCjMP+P3Y3nKLYvdBkXBg3KvTMo3gvi8tLQaqXVY=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "5f0cba88ac4d6dd8cad5c6f6f1540b3d6a21a798",
"rev": "2bd861ab81469428d9c823ef72c4bb08372dd2c4",
"type": "github"
},
"original": {

34
modules/networking.nix Normal file
View file

@ -0,0 +1,34 @@
{
networking.wireless.iwd.enable = true;
rekey.secrets.eduroam = {
file = ../secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
rekey.secrets.devoloog = {
file = ../secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
networking.useNetworkd = true;
networking.dhcpcd.enable = false;
# Should remain enabled since nscd from glibc is kinda ass
services.nscd.enableNsncd = true;
systemd.network.wait-online.anyInterface = true;
# Fuck korea.
# I need a static global IP address for my dorm LAN
# So to not dox myself this config file is hardcoded
rekey.secrets.enp0s20f0u2u4 = {
file = ../secrets/koreaIP.age;
path = "/etc/systemd/network/enp0s20f0u2u4.network";
};
services.resolved = {
enable = true;
};
# Add the VPN based route to my paperless instance to
# etc/hosts
networking.extraHosts = ''
10.0.0.1 paperless.lel.lol
'';
networking.firewall.enable = false;
}

44
modules/nix.nix Normal file
View file

@ -0,0 +1,44 @@
{
nix = {
settings = {
auto-optimise-store = true;
allowed-users = ["@wheel"];
trusted-users = ["root" "@wheel"];
system-features = ["recursive-nix"];
substituters = [
"https://nix-config.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
cores = 0;
max-jobs = "auto";
};
daemonCPUSchedPolicy = "batch";
daemonIOSchedPriority = 5;
distributedBuilds = true;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes recursive-nix
flake-registry = /etc/nix/registry.json
'';
optimise.automatic = true;
gc.automatic = true;
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# breaks flake based building
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

37
modules/rekey.nix
View file

@ -6,31 +6,6 @@
options,
...
}: {
config = with lib; let
secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
drv = import ./rekey-drv.nix pkgs config;
in
mkIf (config.rekey.secrets != {}) {
# export all secrets to agenix with rewritten path from rekey
age = {
secrets = let
secretPath = "${drv}/";
newPath = x: "${secretPath}/${x}.age";
in
mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
};
# Warn if rekey has to been executed
# use the drvPath to prevent nix from building the derivation in this step
# drvPath is not outPath so this warning does not work
# to fix it you would need some kind of way to access the outPath without evaluating the derivation
#warnings = optional ( ! pathExists (removeSuffix ".drv" drv.drvPath)) ''
# Path ${drv.drvPath}
# Rekeyed secrets not available.
# Maybe you forgot to run "nix run '.#rekey'" to rekey them?
#'';
};
options = with lib; {
rekey.secrets = options.age.secrets;
rekey.pubKey = mkOption {
@ -53,4 +28,16 @@
'';
};
};
config = with lib; let
secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
drv = import ./rekey-drv.nix pkgs config;
in
mkIf (config.rekey.secrets != {}) {
# export all secrets to agenix with rewritten path from rekey
age.secrets = let
newPath = x: "${drv}/${x}.age";
in
mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
};
}

24
modules/xserver.nix Normal file
View file

@ -0,0 +1,24 @@
{
# Configure keymap in X11
services.xserver = {
enable = true;
displayManager.startx.enable = true;
layout = "de";
xkbVariant = "bone";
autoRepeatDelay = 235;
autoRepeatInterval = 60;
videoDrivers = ["modesetting"];
libinput = {
enable = true;
mouse.accelProfile = "flat";
touchpad = {
accelProfile = "flat";
accelSpeed = "0.5";
naturalScrolling = true;
disableWhileTyping = true;
};
};
};
services.autorandr.enable = true;
services.physlock.enable = true;
}

14
secrets/koreaIP.age Normal file
View file

@ -0,0 +1,14 @@
age-encryption.org/v1
-> X25519 3J4C1gErVk61rhDZ2V8wNRQhOz4gZQ+kUnF0w4bacTM
e6YK/xDjXtTTJL5wSbZ+xzhuGodu2OJeTw3u4hJ2Oik
-> piv-p256 XTQkUA A0GdsIHUCWBXggnSZj0XGHDQk3OsTH9WB7nNzhZJnwj/
j5bCq50HjIqPp1jTsyX6WfEBNooyq8ovMkYEzrn33CQ
-> piv-p256 ZFgiIw AkhhWD/yOroM1ttX1PNAi6Fss1Nqm7pJHB4micU5IfsI
kTB28H46jvtCYF7u7PoN02kQof41ycuZbSQh6UWz57Y
-> "\s0YT#-grease 3YP75@.
aqpRxhJHTMQsvjgPW1bqZSD7YgOX9fw+VNUW+KURv6cV+gLYZeoecFruJXchA60E
9efPuI8vUfNxmYzPQChsqxqDdzwc5wg0u+ZrwSaz
--- M/B7EHfz8B63cqQ/zQwO64Pqo5ewYx2nqBoLZdtuGbY
Þ$M:×-u/ö6<C3B6>[P°Ðµ”ˆâ<CB86>ЉX<E280B0><58>HÄ&Í¢ÀšœÌ<C593>w¬/^~*×èQ¶Þ¾¡ß-þ<>ÎÍv`8<t$©,”%
°;ï‚;†
Œ•íª—öƒÕ÷×yÿÙ Í