diff --git a/colmena/local.nix b/colmena/local.nix
deleted file mode 100644
index a610670..0000000
--- a/colmena/local.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ name, nodes, config, lib, pkgs, ... }:
-
-{
- deployment = {
- allowLocalDeployment = true;
- targetHost = null;
- tags = [ "local" ];
- };
-
- environment.systemPackages = with pkgs; [
- colmena
- npins
- ];
-}
diff --git a/colmena/remote.nix b/colmena/remote.nix
deleted file mode 100644
index efe4e6e..0000000
--- a/colmena/remote.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ name, nodes, config, lib, pkgs, ... }:
-
-{
- deployment = {
- targetHost = "${name}.birdsong.network";
- tags = [ "remote" ];
- };
-
- imports = [
- ../common/openssh.nix
- ];
-}
diff --git a/common/nginx.nix b/common/nginx.nix
deleted file mode 100644
index a5a91c6..0000000
--- a/common/nginx.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.nginx = {
- enable = true;
-
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
-
- sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
- appendHttpConfig = ''
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- '';
- };
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
- };
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-}
\ No newline at end of file
diff --git a/common/openssh.nix b/common/openssh.nix
deleted file mode 100644
index 5e9651a..0000000
--- a/common/openssh.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "no";
- };
- };
-
- services.fail2ban.enable = true;
-
- networking.firewall.allowedTCPPorts = [ 22 ];
-
- # Allow remote root login only from home network
- # TODO: Find a less hacky way of doing remote deployment
- users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
- services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
-}
\ No newline at end of file
diff --git a/common/steam.nix b/common/steam.nix
deleted file mode 100644
index e03ca13..0000000
--- a/common/steam.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- programs.steam = {
- enable = true;
- remotePlay.openFirewall = true;
- dedicatedServer.openFirewall = true;
- };
-}
\ No newline at end of file
diff --git a/hive.nix b/hive.nix
index 6c0d560..f331dc7 100644
--- a/hive.nix
+++ b/hive.nix
@@ -2,36 +2,30 @@ let sources = import ./npins; in { meta.nixpkgs = sources.nixpkgs; - defaults = { name, nodes, ... }: { - deployment.replaceUnknownProfiles = false; - networking.hostName = name; - - nixpkgs.config.allowUnfree = true; - + defaults = { pkgs, ... }: { imports = [ (import "${sources.home-manager}/nixos") - ./pinning.nix - ./users/qenya.nix ]; + deployment.replaceUnknownProfiles = false; + + # Make point systemwide to the pinned nixpkgs above + # https://jade.fyi/blog/pinning-nixos-with-npins/ + nix.settings.experimental-features = "nix-command flakes"; + nixpkgs.flake.source = sources.nixpkgs; + nix.nixPath = ["nixpkgs=flake:nixpkgs"]; }; tohru = { name, nodes, ... }: { - networking.hostId = "31da19c1"; - time.timeZone = "Europe/London"; + deployment = { + allowLocalDeployment = true; + targetHost = null; + }; - imports = [ - ./colmena/local.nix - ./hosts/tohru/configuration.nix - ]; + imports = [ ./hosts/tohru/configuration.nix ]; }; - yevaud = { name, nodes, ... }: { - networking.hostId = "09673d65"; - time.timeZone = "Etc/UTC"; - - imports = [ - ./colmena/remote.nix - ./hosts/yevaud/configuration.nix - ]; + yevaud = { + deployment.targetHost = "yevaud.birdsong.network"; + imports = [ ./hosts/yevaud/configuration.nix ]; }; } diff --git a/home/btop.nix b/home/btop.nix deleted file mode 100644 index 6d4f49b..0000000 --- a/home/btop.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - programs.btop.enable = true; -} diff --git a/home/cli.nix b/home/cli.nix deleted file mode 100644 index b23d81f..0000000 --- a/home/cli.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - home.packages = with pkgs; [ - tree # like `ls -R` but nicer - - # Extremely important - fortune - cowsay - lolcat - ]; -} diff --git a/home/firefox.nix b/home/firefox.nix deleted file mode 100644 index 95e399e..0000000 --- a/home/firefox.nix +++ /dev/null 
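Review bot: `networking.hostName = name;` is dropped from `defaults`, so nothing ties a node's Colmena name to its hostname any more; `tohru` and `yevaud` now set `networking.hostName` by hand in their host files, and renaming either node attribute would silently leave the hostname behind. Keeping `networking.hostName = lib.mkDefault name;` in `defaults` (its argument set can take `name` and `lib` next to `pkgs`) preserves the old invariant while still letting a host override it. The new comment `# Make point systemwide to the pinned nixpkgs above` is missing its subject; `# Make nixpkgs point systemwide to the pinned nixpkgs above` reads correctly. `tohru = { name, nodes, ... }:` also still binds arguments it no longer uses while `yevaud` was reduced to a plain attribute set; the two node definitions would be easier to read in the same form.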
@@ -1,6 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- # TODO: nix-ify Firefox config
- programs.firefox.enable = true;
-}
diff --git a/home/gnome/appearance.nix b/home/gnome/appearance.nix
deleted file mode 100644
index 129aa1a..0000000
--- a/home/gnome/appearance.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- dconf = {
- enable = true;
- settings =
- let
- backgroundOptions = {
- color-shading-type = "solid";
- picture-options = "zoom";
- picture-uri = "${config.home.homeDirectory}/.background-image";
- primary-color = "#3a4ba0";
- secondary-color = "#2f302f";
- };
- in
- {
- "org/gnome/desktop/background" = backgroundOptions // {
- picture-uri-dark = backgroundOptions.picture-uri;
- };
- "org/gnome/desktop/screensaver" = backgroundOptions;
- "org/gnome/desktop/interface".color-scheme = "prefer-dark";
- };
- };
- home.file.".background-image".source = ./background-image.jpg;
-}
diff --git a/home/gnome/default.nix b/home/gnome/default.nix
deleted file mode 100644
index 9e5a1ee..0000000
--- a/home/gnome/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- imports = [
- # TODO: nix-ify other parts of GNOME config
- ./appearance.nix
- ];
-}
diff --git a/home/vscode.nix b/home/vscode.nix
deleted file mode 100644
index 8d6efee..0000000
--- a/home/vscode.nix
+++ /dev/null
@@ -1,40 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - programs.vscode = - let - system = builtins.currentSystem; - sources = import ../npins; - extensions = (import sources.nix-vscode-extensions).extensions.${system}; - in - { - enable = true; - enableExtensionUpdateCheck = false; - enableUpdateCheck = false; - package = pkgs.vscodium; - extensions = (with pkgs.vscode-extensions; [ - jnoortheen.nix-ide - ms-python.python - ]) ++ (with extensions.open-vsx; [ - robbowen.synthwave-vscode - ]); - mutableExtensionsDir = false; - userSettings = { - "extensions.autoUpdate" = false; - "git.autofetch" = true; - "nix.enableLanguageServer" = true; - "nix.serverPath" = "nil"; - "nix.serverSettings".nil = { - diagnostics.ignored = [ "unused_binding" "unused_with" ]; - formatting.command = [ "nixpkgs-fmt" ]; - }; - "workbench.colorTheme" = "SynthWave '84"; - }; - }; - - # Language servers etc - home.packages = with pkgs; [ - nil - nixpkgs-fmt - ]; -} diff --git a/home/gnome/background-image.jpg b/hosts/tohru/background-image.jpg similarity index 100% rename from home/gnome/background-image.jpg rename to hosts/tohru/background-image.jpg diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index 637d9cb..b39db2f 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -4,22 +4,27 @@ imports = [ ./hardware-configuration.nix + ../../users/qenya.nix ./home.nix - ../../common/steam.nix ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; boot.loader.systemd-boot.editor = false; + networking.hostName = "tohru"; + networking.hostId = "31da19c1"; networking.networkmanager.enable = true; + time.timeZone = "Europe/London"; + i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; + services.xserver.xkb.layout = "gb"; services.printing.enable = true; 
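Review bot: `networking.hostName = "tohru";` in hosts/tohru/configuration.nix now has to be kept identical by hand to the `tohru` node attribute in hive.nix, and as far as I recall Colmena's local deployment path (`allowLocalDeployment` is set for this node) matches the running machine's hostname against the node name, so a drift between the two would surface only as a refused local apply. A comment on that line would make the coupling visible, e.g. `# Must match the node name in hive.nix (local deployment matches on hostname)`; the alternative is to set the hostname once in hive.nix's `defaults` from the `name` argument. The surrounding attribute set starts before and ends after this hunk.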
@@ -27,6 +32,20 @@ sound.enable = true; hardware.pulseaudio.enable = true; + environment.systemPackages = with pkgs; [ + colmena + git + npins + wget + ]; + + programs.steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; + + nixpkgs.config.allowUnfree = true; hardware.enableAllFirmware = true; services.fwupd.enable = true; services.fstrim.enable = true; diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 6451627..44eb80b 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix 
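Review bot: `programs.steam.dedicatedServer.openFirewall = true;` opens inbound firewall ports on what the rest of this file configures as a GNOME desktop, and nothing in the hunk shows tohru hosting a game server; the setting was carried over verbatim from the deleted common/steam.nix, so this is the moment to confirm it is wanted or drop it, keeping `remotePlay.openFirewall` only if Remote Play is actually used. A one-line comment on whichever option stays, e.g. `# Opens inbound ports; only needed when hosting`, would record the decision for the next reader. `nixpkgs.config.allowUnfree = true;` is also placed directly before the unrelated `hardware.enableAllFirmware` line with no separation; it belongs next to the Steam block that requires it. The attribute set this hunk edits starts and ends outside the hunk.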
@@ -2,19 +2,81 @@ { home-manager.users.qenya = { pkgs, ... }: { - imports = [ - ../../home/btop.nix - ../../home/cli.nix - ../../home/firefox.nix - ../../home/gnome - ../../home/vscode.nix - ]; + home.homeDirectory = config.users.users.qenya.home; home.packages = with pkgs; [ + fortune + htop + tree + bitwarden tor-browser-bundle-bin + + nil + nixpkgs-fmt ]; + + dconf = { + enable = true; + settings = + let + backgroundOptions = { + color-shading-type = "solid"; + picture-options = "zoom"; + picture-uri = "${config.users.users.qenya.home}/.background-image"; + primary-color = "#3a4ba0"; + secondary-color = "#2f302f"; + }; + in + { + "org/gnome/desktop/background" = backgroundOptions // { + picture-uri-dark = backgroundOptions.picture-uri; + }; + "org/gnome/desktop/screensaver" = backgroundOptions; + "org/gnome/desktop/interface".color-scheme = "prefer-dark"; + }; + }; + home.file.".background-image".source = ./background-image.jpg; + programs.chromium.enable = true; + programs.firefox.enable = true; + + programs.git = { + enable = true; + userName = "Katherina Walshe-Grey"; + userEmail = "git@katherina.rocks"; + }; + + programs.vscode = + let + system = builtins.currentSystem; + sources = import ../../npins; + extensions = (import sources.nix-vscode-extensions).extensions.${system}; + in + { + enable = true; + enableExtensionUpdateCheck = false; + enableUpdateCheck = false; + package = pkgs.vscodium; + extensions = (with pkgs.vscode-extensions; [ + jnoortheen.nix-ide + ms-python.python + ]) ++ (with extensions.open-vsx; [ + robbowen.synthwave-vscode + ]); + mutableExtensionsDir = false; + userSettings = { + "extensions.autoUpdate" = false; + "git.autofetch" = true; + "nix.enableLanguageServer" = true; + "nix.serverPath" = "nil"; + "nix.serverSettings".nil = { + diagnostics.ignored = [ "unused_binding" "unused_with" ]; + formatting.command = [ "nixpkgs-fmt" ]; + }; + "workbench.colorTheme" = "SynthWave '84"; + }; + }; home.stateVersion = "23.11"; }; 
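Review bot: `system = builtins.currentSystem;` in the `programs.vscode` let-block is an impure builtin that is unavailable under pure evaluation and describes the evaluating machine rather than the target, so the open-vsx extension set is looked up by the wrong system if this host is ever built from elsewhere; `system = pkgs.stdenv.hostPlatform.system;` gives the target's system from the `pkgs` the module already receives. `home.homeDirectory = config.users.users.qenya.home;` and the `picture-uri` string reach the NixOS `config` through the enclosing file's argument set (line 1 is outside the hunk, so I cannot confirm it is bound there), whereas the block removed from users/qenya.nix obtained the same value via home-manager's `osConfig` argument; taking `osConfig` in the home-manager module's own argument set keeps it self-contained and independent of the outer file's signature. On the positive side, `mutableExtensionsDir = false` and the disabled update checks keep the extension set fully pinned through npins, which is the right shape for third-party editor extensions. The outer attribute set that contains this home-manager block closes after the hunk.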
diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix
index 289bff2..06a3d29 100644
--- a/hosts/yevaud/configuration.nix
+++ b/hosts/yevaud/configuration.nix
@@ -1,15 +1,97 @@ { config, lib, pkgs, ... }: { - imports = [ - ./hardware-configuration.nix - ./home.nix - ./forgejo.nix - ]; + imports = + [ + ./hardware-configuration.nix + ../../users/qenya.nix + ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + networking.hostName = "yevaud"; + networking.hostId = "09673d65"; + + time.timeZone = "Etc/UTC"; + + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + + # Allow remote root login only from home network + # TODO: Find a less hacky way of doing remote deployment + users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys; + services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password"; + + networking.firewall.allowedTCPPorts = [ 22 80 443 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + + services.fail2ban.enable = true; + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + appendHttpConfig = '' + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + + virtualHosts = { + "git.katherina.rocks" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://[::1]:3000/"; + }; + }; + }; + security.acme = { + acceptTerms = true; + defaults.email = "accounts@katherina.rocks"; + }; + + services.forgejo = { + enable = true; + stateDir = 
"/data/forgejo"; + settings = { + DEFAULT.APP_NAME = "git.katherina.rocks"; + cache = { + ADAPTER = "twoqueue"; + HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}''; + }; + database = { + DB_TYPE = "sqlite3"; + SQLITE_JOURNAL_MODE = "WAL"; + }; + security.LOGIN_REMEMBER_DAYS = 365; + server = { + DOMAIN = "git.katherina.rocks"; + HTTP_PORT = 3000; + ROOT_URL = "https://git.katherina.rocks/"; + }; + service.DISABLE_REGISTRATION = true; + }; + }; + system.stateVersion = "23.11"; + } diff --git a/hosts/yevaud/forgejo.nix b/hosts/yevaud/forgejo.nix deleted file mode 100644 index 31e8494..0000000 --- a/hosts/yevaud/forgejo.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ../../common/nginx.nix - ]; - - # TODO: ssh access - # TODO: email out - # TODO: interface customisation - - services.nginx.virtualHosts = { - # TODO: move to new domain - "git.katherina.rocks" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://[::1]:3000/"; - }; - }; - - services.forgejo = { - enable = true; - stateDir = "/data/forgejo"; - settings = { - DEFAULT.APP_NAME = "git.katherina.rocks"; - cache = { - ADAPTER = "twoqueue"; - HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}''; - }; - database = { - DB_TYPE = "sqlite3"; - SQLITE_JOURNAL_MODE = "WAL"; - }; - security.LOGIN_REMEMBER_DAYS = 365; - server = { - DOMAIN = "git.katherina.rocks"; - HTTP_PORT = 3000; - ROOT_URL = "https://git.katherina.rocks/"; - }; - service.DISABLE_REGISTRATION = true; - }; - }; -} diff --git a/hosts/yevaud/home.nix b/hosts/yevaud/home.nix deleted file mode 100644 index d5bb904..0000000 --- a/hosts/yevaud/home.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - home-manager.users.qenya = { pkgs, ... }: { - imports = [ - ../../home/btop.nix - ../../home/cli.nix - ]; - - home.stateVersion = "23.11"; - }; -} diff --git a/pinning.nix b/pinning.nix deleted file mode 100644 index 9ac8584..0000000 
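Review bot: The root-login carve-out, `users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;` together with the `Match Address 45.14.17.200` block in `services.openssh.extraConfig`, gives root the same SSH keys as the user account, so the `PermitRootLogin = "no"` set a few lines earlier is only a default that this block overrides for that address and any compromise of the user's key is a direct root login from there. The TODO already acknowledges this; as far as I know Colmena can deploy as an unprivileged user via `deployment.targetUser` and escalate with sudo, which would let both the root `authorizedKeys` line and the `Match` block go away entirely. If the carve-out stays, the hard-coded address deserves a comment saying what it is and when it was last verified, since a change of home IP would break deployments with nothing but a refused login to show for it. `# networking.firewall.allowedUDPPorts = [ ... ];` is template residue and can be dropped. The `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` override also replaces the cipher list chosen by `recommendedTlsSettings` with an AES-256-only set for TLS 1.2 clients, which is worth a comment if it is intentional.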
--- a/pinning.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let sources = import ./npins;
-in {
- # Make point systemwide to the pinned nixpkgs
- # https://jade.fyi/blog/pinning-nixos-with-npins/
- nix.settings.experimental-features = "nix-command flakes";
- nixpkgs.flake.source = sources.nixpkgs;
- nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
-}
diff --git a/users/qenya.nix b/users/qenya.nix
index 7d10ede..9310f7b 100644
--- a/users/qenya.nix
+++ b/users/qenya.nix
@@ -13,16 +13,4 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
 ];
 };
-
- home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: {
- home.homeDirectory = osConfig.users.users.qenya.home;
-
- programs.git = {
- enable = true;
- userName = "Katherina Walshe-Grey";
- userEmail = "git@katherina.rocks"; # TODO: update email
- };
-
- home.stateVersion = "23.11";
- };
-}
+}
\ No newline at end of file