qenya/nixfiles
1
0
Fork 0
Code Issues 4 Pull requests Actions Activity

Compare commits

base: qenya:bf2d7f7f10918a0d976008102390f473226dd236
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost
..
compare: qenya:b83c95b8b69c09044a8eba0eac20b80ce00766e7
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost

No commits in common. "bf2d7f7f10918a0d976008102390f473226dd236" and "b83c95b8b69c09044a8eba0eac20b80ce00766e7" have entirely different histories.
bf2d7f7f10 ... b83c95b8b6

20 changed files with 193 additions and 297 deletions
Show stats Expand all files Collapse all files

14
colmena/local.nix
View file

@ -1,14 +0,0 @@
{ name, nodes, config, lib, pkgs, ... }:
{
deployment = {
allowLocalDeployment = true;
targetHost = null;
tags = [ "local" ];
};
environment.systemPackages = with pkgs; [
colmena
npins
];
}

12
colmena/remote.nix
View file

@ -1,12 +0,0 @@
{ name, nodes, config, lib, pkgs, ... }:
{
deployment = {
targetHost = "${name}.birdsong.network";
tags = [ "remote" ];
};
imports = [
../common/openssh.nix
];
}

33
common/nginx.nix
View file

@ -1,33 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
security.acme = {
acceptTerms = true;
defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

20
common/openssh.nix
View file

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
services.fail2ban.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ];
# Allow remote root login only from home network
# TODO: Find a less hacky way of doing remote deployment
users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
}

9
common/steam.nix
View file

@ -1,9 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
}

38
hive.nix
View file

@ -2,36 +2,30 @@ let sources = import ./npins;
in {
meta.nixpkgs = sources.nixpkgs;
defaults = { name, nodes, ... }: {
deployment.replaceUnknownProfiles = false;
networking.hostName = name;
nixpkgs.config.allowUnfree = true;
defaults = { pkgs, ... }: {
imports = [
(import "${sources.home-manager}/nixos")
./pinning.nix
./users/qenya.nix
];
deployment.replaceUnknownProfiles = false;
# Make <nixpkgs> point systemwide to the pinned nixpkgs above
# https://jade.fyi/blog/pinning-nixos-with-npins/
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.flake.source = sources.nixpkgs;
nix.nixPath = ["nixpkgs=flake:nixpkgs"];
};
tohru = { name, nodes, ... }: {
networking.hostId = "31da19c1";
time.timeZone = "Europe/London";
imports = [
./colmena/local.nix
./hosts/tohru/configuration.nix
];
deployment = {
allowLocalDeployment = true;
targetHost = null;
};
yevaud = { name, nodes, ... }: {
networking.hostId = "09673d65";
time.timeZone = "Etc/UTC";
imports = [ ./hosts/tohru/configuration.nix ];
};
imports = [
./colmena/remote.nix
./hosts/yevaud/configuration.nix
];
yevaud = {
deployment.targetHost = "yevaud.birdsong.network";
imports = [ ./hosts/yevaud/configuration.nix ];
};
}

5
home/btop.nix
View file

@ -1,5 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.btop.enable = true;
}

12
home/cli.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }:
{
home.packages = with pkgs; [
tree # like `ls -R` but nicer
# Extremely important
fortune
cowsay
lolcat
];
}

6
home/firefox.nix
View file

@ -1,6 +0,0 @@
{ config, lib, pkgs, ... }:
{
# TODO: nix-ify Firefox config
programs.firefox.enable = true;
}

25
home/gnome/appearance.nix
View file

@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
{
dconf = {
enable = true;
settings =
let
backgroundOptions = {
color-shading-type = "solid";
picture-options = "zoom";
picture-uri = "${config.home.homeDirectory}/.background-image";
primary-color = "#3a4ba0";
secondary-color = "#2f302f";
};
in
{
"org/gnome/desktop/background" = backgroundOptions // {
picture-uri-dark = backgroundOptions.picture-uri;
};
"org/gnome/desktop/screensaver" = backgroundOptions;
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
};
};
home.file.".background-image".source = ./background-image.jpg;
}

8
home/gnome/default.nix
View file

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
# TODO: nix-ify other parts of GNOME config
./appearance.nix
];
}

40
home/vscode.nix
View file

@ -1,40 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.vscode =
let
system = builtins.currentSystem;
sources = import ../npins;
extensions = (import sources.nix-vscode-extensions).extensions.${system};
in
{
enable = true;
enableExtensionUpdateCheck = false;
enableUpdateCheck = false;
package = pkgs.vscodium;
extensions = (with pkgs.vscode-extensions; [
jnoortheen.nix-ide
ms-python.python
]) ++ (with extensions.open-vsx; [
robbowen.synthwave-vscode
]);
mutableExtensionsDir = false;
userSettings = {
"extensions.autoUpdate" = false;
"git.autofetch" = true;
"nix.enableLanguageServer" = true;
"nix.serverPath" = "nil";
"nix.serverSettings".nil = {
diagnostics.ignored = [ "unused_binding" "unused_with" ];
formatting.command = [ "nixpkgs-fmt" ];
};
"workbench.colorTheme" = "SynthWave '84";
};
};
# Language servers etc
home.packages = with pkgs; [
nil
nixpkgs-fmt
];
}

0
home/gnome/background-image.jpg → hosts/tohru/background-image.jpg
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.3 MiB

After

Width:  |  Height:  |  Size: 1.3 MiB

21
hosts/tohru/configuration.nix
View file

@ -4,22 +4,27 @@
imports =
[
./hardware-configuration.nix
../../users/qenya.nix
./home.nix
../../common/steam.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.editor = false;
networking.hostName = "tohru";
networking.hostId = "31da19c1";
networking.networkmanager.enable = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.xkb.layout = "gb";
services.printing.enable = true;
@ -27,6 +32,20 @@
sound.enable = true;
hardware.pulseaudio.enable = true;
environment.systemPackages = with pkgs; [
colmena
git
npins
wget
];
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
nixpkgs.config.allowUnfree = true;
hardware.enableAllFirmware = true;
services.fwupd.enable = true;
services.fstrim.enable = true;

76
hosts/tohru/home.nix
View file

@ -2,19 +2,81 @@
{
home-manager.users.qenya = { pkgs, ... }: {
imports = [
../../home/btop.nix
../../home/cli.nix
../../home/firefox.nix
../../home/gnome
../../home/vscode.nix
];
home.homeDirectory = config.users.users.qenya.home;
home.packages = with pkgs; [
fortune
htop
tree
bitwarden
tor-browser-bundle-bin
nil
nixpkgs-fmt
];
dconf = {
enable = true;
settings =
let
backgroundOptions = {
color-shading-type = "solid";
picture-options = "zoom";
picture-uri = "${config.users.users.qenya.home}/.background-image";
primary-color = "#3a4ba0";
secondary-color = "#2f302f";
};
in
{
"org/gnome/desktop/background" = backgroundOptions // {
picture-uri-dark = backgroundOptions.picture-uri;
};
"org/gnome/desktop/screensaver" = backgroundOptions;
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
};
};
home.file.".background-image".source = ./background-image.jpg;
programs.chromium.enable = true;
programs.firefox.enable = true;
programs.git = {
enable = true;
userName = "Katherina Walshe-Grey";
userEmail = "git@katherina.rocks";
};
programs.vscode =
let
system = builtins.currentSystem;
sources = import ../../npins;
extensions = (import sources.nix-vscode-extensions).extensions.${system};
in
{
enable = true;
enableExtensionUpdateCheck = false;
enableUpdateCheck = false;
package = pkgs.vscodium;
extensions = (with pkgs.vscode-extensions; [
jnoortheen.nix-ide
ms-python.python
]) ++ (with extensions.open-vsx; [
robbowen.synthwave-vscode
]);
mutableExtensionsDir = false;
userSettings = {
"extensions.autoUpdate" = false;
"git.autofetch" = true;
"nix.enableLanguageServer" = true;
"nix.serverPath" = "nil";
"nix.serverSettings".nil = {
diagnostics.ignored = [ "unused_binding" "unused_with" ];
formatting.command = [ "nixpkgs-fmt" ];
};
"workbench.colorTheme" = "SynthWave '84";
};
};
home.stateVersion = "23.11";
};

88
hosts/yevaud/configuration.nix
View file

@ -1,15 +1,97 @@
{ config, lib, pkgs, ... }:
{
imports = [
imports =
[
./hardware-configuration.nix
./home.nix
./forgejo.nix
../../users/qenya.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "yevaud";
networking.hostId = "09673d65";
time.timeZone = "Etc/UTC";
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
# Allow remote root login only from home network
# TODO: Find a less hacky way of doing remote deployment
users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
services.fail2ban.enable = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
virtualHosts = {
"git.katherina.rocks" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://[::1]:3000/";
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "accounts@katherina.rocks";
};
services.forgejo = {
enable = true;
stateDir = "/data/forgejo";
settings = {
DEFAULT.APP_NAME = "git.katherina.rocks";
cache = {
ADAPTER = "twoqueue";
HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
};
database = {
DB_TYPE = "sqlite3";
SQLITE_JOURNAL_MODE = "WAL";
};
security.LOGIN_REMEMBER_DAYS = 365;
server = {
DOMAIN = "git.katherina.rocks";
HTTP_PORT = 3000;
ROOT_URL = "https://git.katherina.rocks/";
};
service.DISABLE_REGISTRATION = true;
};
};
system.stateVersion = "23.11";
}

43
hosts/yevaud/forgejo.nix
View file

@ -1,43 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
../../common/nginx.nix
];
# TODO: ssh access
# TODO: email out
# TODO: interface customisation
services.nginx.virtualHosts = {
# TODO: move to new domain
"git.katherina.rocks" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://[::1]:3000/";
};
};
services.forgejo = {
enable = true;
stateDir = "/data/forgejo";
settings = {
DEFAULT.APP_NAME = "git.katherina.rocks";
cache = {
ADAPTER = "twoqueue";
HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
};
database = {
DB_TYPE = "sqlite3";
SQLITE_JOURNAL_MODE = "WAL";
};
security.LOGIN_REMEMBER_DAYS = 365;
server = {
DOMAIN = "git.katherina.rocks";
HTTP_PORT = 3000;
ROOT_URL = "https://git.katherina.rocks/";
};
service.DISABLE_REGISTRATION = true;
};
};
}

12
hosts/yevaud/home.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }:
{
home-manager.users.qenya = { pkgs, ... }: {
imports = [
../../home/btop.nix
../../home/cli.nix
];
home.stateVersion = "23.11";
};
}

10
pinning.nix
View file

@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
let sources = import ./npins;
in {
# Make <nixpkgs> point systemwide to the pinned nixpkgs
# https://jade.fyi/blog/pinning-nixos-with-npins/
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.flake.source = sources.nixpkgs;
nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];
}

12
users/qenya.nix
View file

@ -13,16 +13,4 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
];
};
home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: {
home.homeDirectory = osConfig.users.users.qenya.home;
programs.git = {
enable = true;
userName = "Katherina Walshe-Grey";
userEmail = "git@katherina.rocks"; # TODO: update email
};
home.stateVersion = "23.11";
};
}