qenya/nixfiles
1
0
Fork 0
Code Issues 5 Pull requests Actions Activity

Compare commits

base: qenya:b83c95b8b69c09044a8eba0eac20b80ce00766e7
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost
...
compare: qenya:bf2d7f7f10918a0d976008102390f473226dd236
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost

12 commits
b83c95b8b6 ... bf2d7f7f10

Author SHA1 Message Date
Katherina Walshe-Grey bf2d7f7f10 Rename services directory to common 2024-06-05 23:30:24 +01:00
Katherina Walshe-Grey 1ca847cd91 [tohru] Modularise steam config 2024-06-05 23:22:51 +01:00
Katherina Walshe-Grey 433930bde6 Simplify build-related config 2024-06-05 23:03:25 +01:00
Katherina Walshe-Grey 104d995dd2 [tohru] Modularise firefox config 
(such as it is)
 2024-06-05 22:38:13 +01:00
Katherina Walshe-Grey c8da705e4b [yevaud] Modularise forgejo config 2024-06-05 22:32:50 +01:00
Katherina Walshe-Grey c680907894 Sync CLI tools across all hosts 2024-06-05 22:14:32 +01:00
Katherina Walshe-Grey 050fe2d1a7 Sync Git identity across all hosts 
(and also home directory location, but that's sort of standard anyway)
 2024-06-05 21:23:22 +01:00
Katherina Walshe-Grey 331d4006c2 [tohru] Modularise GNOME config 2024-06-05 21:15:54 +01:00
Katherina Walshe-Grey 0f824bc284 [tohru] Modularise vscode config 2024-06-05 21:07:45 +01:00
Katherina Walshe-Grey f1dff74fa5 Move <nixpkgs> pin to separate file 2024-06-05 20:43:04 +01:00
Katherina Walshe-Grey 7b87bdbc2f More deduplication 2024-06-05 20:31:13 +01:00
Katherina Walshe-Grey 4eac965b88 Modularise nginx and openssh config 2024-06-05 19:26:05 +01:00
20 changed files with 300 additions and 196 deletions
Show stats Expand all files Collapse all files

14
colmena/local.nix Normal file
View file

@ -0,0 +1,14 @@
{ name, nodes, config, lib, pkgs, ... }:
{
deployment = {
allowLocalDeployment = true;
targetHost = null;
tags = [ "local" ];
};
environment.systemPackages = with pkgs; [
colmena
npins
];
}

12
colmena/remote.nix Normal file
View file

@ -0,0 +1,12 @@
{ name, nodes, config, lib, pkgs, ... }:
{
deployment = {
targetHost = "${name}.birdsong.network";
tags = [ "remote" ];
};
imports = [
../common/openssh.nix
];
}

33
common/nginx.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, lib, pkgs, ... }:
{
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
security.acme = {
acceptTerms = true;
defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

20
common/openssh.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
services.fail2ban.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ];
# Allow remote root login only from home network
# TODO: Find a less hacky way of doing remote deployment
users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
}

9
common/steam.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
}

38
hive.nix
View file

@ -2,30 +2,36 @@ let sources = import ./npins;
in { in {
meta.nixpkgs = sources.nixpkgs; meta.nixpkgs = sources.nixpkgs;
defaults = { pkgs, ... }: { defaults = { name, nodes, ... }: {
deployment.replaceUnknownProfiles = false;
networking.hostName = name;
nixpkgs.config.allowUnfree = true;
imports = [ imports = [
(import "${sources.home-manager}/nixos") (import "${sources.home-manager}/nixos")
./pinning.nix
./users/qenya.nix
]; ];
deployment.replaceUnknownProfiles = false;
# Make <nixpkgs> point systemwide to the pinned nixpkgs above
# https://jade.fyi/blog/pinning-nixos-with-npins/
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.flake.source = sources.nixpkgs;
nix.nixPath = ["nixpkgs=flake:nixpkgs"];
}; };
tohru = { name, nodes, ... }: { tohru = { name, nodes, ... }: {
deployment = { networking.hostId = "31da19c1";
allowLocalDeployment = true; time.timeZone = "Europe/London";
targetHost = null;
imports = [
./colmena/local.nix
./hosts/tohru/configuration.nix
];
}; };
imports = [ ./hosts/tohru/configuration.nix ]; yevaud = { name, nodes, ... }: {
}; networking.hostId = "09673d65";
time.timeZone = "Etc/UTC";
yevaud = { imports = [
deployment.targetHost = "yevaud.birdsong.network"; ./colmena/remote.nix
imports = [ ./hosts/yevaud/configuration.nix ]; ./hosts/yevaud/configuration.nix
];
}; };
} }

5
home/btop.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, lib, pkgs, ... }:
{
programs.btop.enable = true;
}

12
home/cli.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
home.packages = with pkgs; [
tree # like `ls -R` but nicer
# Extremely important
fortune
cowsay
lolcat
];
}

6
home/firefox.nix Normal file
View file

@ -0,0 +1,6 @@
{ config, lib, pkgs, ... }:
{
# TODO: nix-ify Firefox config
programs.firefox.enable = true;
}

25
home/gnome/appearance.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
{
dconf = {
enable = true;
settings =
let
backgroundOptions = {
color-shading-type = "solid";
picture-options = "zoom";
picture-uri = "${config.home.homeDirectory}/.background-image";
primary-color = "#3a4ba0";
secondary-color = "#2f302f";
};
in
{
"org/gnome/desktop/background" = backgroundOptions // {
picture-uri-dark = backgroundOptions.picture-uri;
};
"org/gnome/desktop/screensaver" = backgroundOptions;
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
};
};
home.file.".background-image".source = ./background-image.jpg;
}

0
hosts/tohru/background-image.jpg → home/gnome/background-image.jpg
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.3 MiB

After

Width:  |  Height:  |  Size: 1.3 MiB

8
home/gnome/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, lib, pkgs, ... }:
{
imports = [
# TODO: nix-ify other parts of GNOME config
./appearance.nix
];
}

40
home/vscode.nix Normal file
View file

@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
{
programs.vscode =
let
system = builtins.currentSystem;
sources = import ../npins;
extensions = (import sources.nix-vscode-extensions).extensions.${system};
in
{
enable = true;
enableExtensionUpdateCheck = false;
enableUpdateCheck = false;
package = pkgs.vscodium;
extensions = (with pkgs.vscode-extensions; [
jnoortheen.nix-ide
ms-python.python
]) ++ (with extensions.open-vsx; [
robbowen.synthwave-vscode
]);
mutableExtensionsDir = false;
userSettings = {
"extensions.autoUpdate" = false;
"git.autofetch" = true;
"nix.enableLanguageServer" = true;
"nix.serverPath" = "nil";
"nix.serverSettings".nil = {
diagnostics.ignored = [ "unused_binding" "unused_with" ];
formatting.command = [ "nixpkgs-fmt" ];
};
"workbench.colorTheme" = "SynthWave '84";
};
};
# Language servers etc
home.packages = with pkgs; [
nil
nixpkgs-fmt
];
}

21
hosts/tohru/configuration.nix
View file

@ -4,27 +4,22 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../users/qenya.nix
./home.nix ./home.nix
../../common/steam.nix
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.editor = false; boot.loader.systemd-boot.editor = false;
networking.hostName = "tohru";
networking.hostId = "31da19c1";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk"; console.keyMap = "uk";
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
services.xserver.xkb.layout = "gb"; services.xserver.xkb.layout = "gb";
services.printing.enable = true; services.printing.enable = true;
@ -32,20 +27,6 @@
sound.enable = true; sound.enable = true;
hardware.pulseaudio.enable = true; hardware.pulseaudio.enable = true;
environment.systemPackages = with pkgs; [
colmena
git
npins
wget
];
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
nixpkgs.config.allowUnfree = true;
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
services.fwupd.enable = true; services.fwupd.enable = true;
services.fstrim.enable = true; services.fstrim.enable = true;

82
hosts/tohru/home.nix
View file

@ -2,81 +2,19 @@
{ {
home-manager.users.qenya = { pkgs, ... }: { home-manager.users.qenya = { pkgs, ... }: {
home.homeDirectory = config.users.users.qenya.home; imports = [
../../home/btop.nix
home.packages = with pkgs; [ ../../home/cli.nix
fortune ../../home/firefox.nix
htop ../../home/gnome
tree ../../home/vscode.nix
bitwarden
tor-browser-bundle-bin
nil
nixpkgs-fmt
]; ];
dconf = { home.packages = with pkgs; [
enable = true; bitwarden
settings = tor-browser-bundle-bin
let ];
backgroundOptions = {
color-shading-type = "solid";
picture-options = "zoom";
picture-uri = "${config.users.users.qenya.home}/.background-image";
primary-color = "#3a4ba0";
secondary-color = "#2f302f";
};
in
{
"org/gnome/desktop/background" = backgroundOptions // {
picture-uri-dark = backgroundOptions.picture-uri;
};
"org/gnome/desktop/screensaver" = backgroundOptions;
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
};
};
home.file.".background-image".source = ./background-image.jpg;
programs.chromium.enable = true; programs.chromium.enable = true;
programs.firefox.enable = true;
programs.git = {
enable = true;
userName = "Katherina Walshe-Grey";
userEmail = "git@katherina.rocks";
};
programs.vscode =
let
system = builtins.currentSystem;
sources = import ../../npins;
extensions = (import sources.nix-vscode-extensions).extensions.${system};
in
{
enable = true;
enableExtensionUpdateCheck = false;
enableUpdateCheck = false;
package = pkgs.vscodium;
extensions = (with pkgs.vscode-extensions; [
jnoortheen.nix-ide
ms-python.python
]) ++ (with extensions.open-vsx; [
robbowen.synthwave-vscode
]);
mutableExtensionsDir = false;
userSettings = {
"extensions.autoUpdate" = false;
"git.autofetch" = true;
"nix.enableLanguageServer" = true;
"nix.serverPath" = "nil";
"nix.serverSettings".nil = {
diagnostics.ignored = [ "unused_binding" "unused_with" ];
formatting.command = [ "nixpkgs-fmt" ];
};
"workbench.colorTheme" = "SynthWave '84";
};
};
home.stateVersion = "23.11"; home.stateVersion = "23.11";
}; };

88
hosts/yevaud/configuration.nix
View file

@ -1,97 +1,15 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = imports = [
[
./hardware-configuration.nix ./hardware-configuration.nix
../../users/qenya.nix ./home.nix
./forgejo.nix
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "yevaud";
networking.hostId = "09673d65";
time.timeZone = "Etc/UTC";
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
# Allow remote root login only from home network
# TODO: Find a less hacky way of doing remote deployment
users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
services.fail2ban.enable = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"git.katherina.rocks" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://[::1]:3000/";
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "accounts@katherina.rocks";
};
services.forgejo = {
enable = true;
stateDir = "/data/forgejo";
settings = {
DEFAULT.APP_NAME = "git.katherina.rocks";
cache = {
ADAPTER = "twoqueue";
HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
};
database = {
DB_TYPE = "sqlite3";
SQLITE_JOURNAL_MODE = "WAL";
};
security.LOGIN_REMEMBER_DAYS = 365;
server = {
DOMAIN = "git.katherina.rocks";
HTTP_PORT = 3000;
ROOT_URL = "https://git.katherina.rocks/";
};
service.DISABLE_REGISTRATION = true;
};
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }

43
hosts/yevaud/forgejo.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
imports = [
../../common/nginx.nix
];
# TODO: ssh access
# TODO: email out
# TODO: interface customisation
services.nginx.virtualHosts = {
# TODO: move to new domain
"git.katherina.rocks" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://[::1]:3000/";
};
};
services.forgejo = {
enable = true;
stateDir = "/data/forgejo";
settings = {
DEFAULT.APP_NAME = "git.katherina.rocks";
cache = {
ADAPTER = "twoqueue";
HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
};
database = {
DB_TYPE = "sqlite3";
SQLITE_JOURNAL_MODE = "WAL";
};
security.LOGIN_REMEMBER_DAYS = 365;
server = {
DOMAIN = "git.katherina.rocks";
HTTP_PORT = 3000;
ROOT_URL = "https://git.katherina.rocks/";
};
service.DISABLE_REGISTRATION = true;
};
};
}

12
hosts/yevaud/home.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
home-manager.users.qenya = { pkgs, ... }: {
imports = [
../../home/btop.nix
../../home/cli.nix
];
home.stateVersion = "23.11";
};
}

10
pinning.nix Normal file
View file

@ -0,0 +1,10 @@
{ config, lib, pkgs, ... }:
let sources = import ./npins;
in {
# Make <nixpkgs> point systemwide to the pinned nixpkgs
# https://jade.fyi/blog/pinning-nixos-with-npins/
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.flake.source = sources.nixpkgs;
nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
}

12
users/qenya.nix
View file

@ -13,4 +13,16 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
]; ];
}; };
home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: {
home.homeDirectory = osConfig.users.users.qenya.home;
programs.git = {
enable = true;
userName = "Katherina Walshe-Grey";
userEmail = "git@katherina.rocks"; # TODO: update email
};
home.stateVersion = "23.11";
};
} }