Dmitriy Holkin 2019-10-10 20:11:09 +04:00
commit 57fbf2917f
9 changed files with 72 additions and 44 deletions


@ -34,7 +34,9 @@ with deviceSpecific; {
libnotify
tree
iperf
(youtube-to-mpv.override { isLaptop = isLaptop; })
wg-conf
# Other
(vivaldi.override { proprietaryCodecs = true; })
wget


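--- /dev/null
+++ b/applications/wg-conf.nix
@@ -0,0 +1,19 @@
+{ stdenv, pkgs }:
+let
+myScript = pkgs.writeShellScriptBin "wg-conf" ''
+if [[ -z "$1" ]]; then
+exit 1
+fi
+systemctl stop wg-quick-wg0.service
+cp "$1" /root/wg0.conf
+systemctl start wg-quick-wg0.service
+'';
+in
+stdenv.mkDerivation rec {
+name = "wg-conf";
+src = myScript;
+installPhase = ''
+mkdir -p $out/bin
+cp ./bin/wg-conf $out/bin/wg-conf
+'';
+}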
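Review bot: The script stops the tunnel before it has checked that `$1` is a readable file, and without `set -e` a failed `cp` still reaches `systemctl start`, so a typo in the path takes the tunnel down and then brings it back up on the stale `/root/wg0.conf`. The copied file holds the WireGuard private key, and `cp` gives it a umask-dependent mode; `install -m 600` makes the permissions explicit. The `stdenv.mkDerivation` wrapper appears to be redundant, since `writeShellScriptBin` already produces `bin/wg-conf` and the install phase only copies it, so `myScript` could be returned directly. Suggested script body:
```nix
myScript = pkgs.writeShellScriptBin "wg-conf" ''
  set -euo pipefail
  if [[ $# -ne 1 || ! -r "$1" ]]; then
    echo "usage: wg-conf <path-to-wg0.conf>" >&2
    exit 1
  fi
  systemctl stop wg-quick-wg0.service
  install -m 600 "$1" /root/wg0.conf
  systemctl start wg-quick-wg0.service
'';
# … unchanged: mkDerivation wrapper …
```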


@ -58,6 +58,9 @@ with deviceSpecific; {
anonymousClients.allowedIpRanges = ["127.0.0.1"];
};
};
boot.extraModprobeConfig = lib.mkIf (device == "AMD-Workstation") ''
options snd slots=snd_virtuoso,snd_usb_audio
'';
# SSD Section
boot.kernel.sysctl = {


@ -3,6 +3,7 @@
(self: old: rec {
# nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd;
youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {};
wg-conf = pkgs.callPackage ./applications/wg-conf.nix {};
xonar-fp = pkgs.writers.writeBashBin "xonar-fp" ''
CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'`
if [[ $CURRENT_STATE == '[on]' ]]; then
@ -25,6 +26,7 @@
nixpkgs.config = {
packageOverrides = pkgs: {
i3lock-fancy = pkgs.callPackage ./applications/i3lock-fancy.nix {};
git-with-libsecret = pkgs.git.override { withLibsecret = true; };
mullvad-vpn = pkgs.mullvad-vpn.overrideAttrs (oldAttrs: rec {
version = "2019.8";
src = pkgs.fetchurl {
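Review bot: The new `wg-conf` attribute in the first hunk is defined inside an overlay (`self: old: rec {` at the top of the hunk) but is built with `pkgs.callPackage`, so its inputs are resolved from the module's `pkgs` rather than from the overlay's own fixpoint; `wg-conf = self.callPackage ./applications/wg-conf.nix {};` is the conventional form and lets later overlays affect its dependencies. The existing `youtube-to-mpv` line has the same shape, so this is presumably deliberate for consistency; if so, a one-line comment saying why `pkgs` is used here would save the next reader the question. The overlay's enclosing expression starts and ends outside the hunk.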


@ -83,6 +83,8 @@
services.upower.enable = true;
services.gnome3.gnome-keyring.enable = true;
# virtualisation.docker.enable = config.deviceSpecific.isHost;
# virtualisation.virtualbox.host = lib.mkIf config.deviceSpecific.isHost {
# enable = true;


@ -2,45 +2,37 @@
let
cfg = config.secrets.wireguard.${config.device};
in {
# Enable wireguard
networking.wg-quick.interfaces = lib.mkIf cfg.enable {
wg0 = cfg.interface;
};
# Enable killswitch
environment.systemPackages =
lib.mkIf (cfg.killswitch.package == "iptables") [
pkgs.iptables
];
networking.nftables =
lib.mkIf (cfg.killswitch.package == "nftables") {
enable = true;
ruleset = ''
flush ruleset
table inet firewall {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state { established, related } accept
ct state invalid drop
ip protocol icmp icmp type echo-request accept
ip daddr 192.168.0.1/24 accept
reject
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
oifname "lo" accept
oifname "wg0" accept
oifname "docker0" accept
oifname "vboxnet0" accept
oifname "vboxnet1" accept
udp dport domain drop
ip daddr 192.168.0.1/24 accept
udp dport 51820 accept
}
}
'';
config = lib.mkIf cfg.enable {
boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
environment.systemPackages = [ pkgs.wireguard pkgs.wireguard-tools ];
networking.firewall.checkReversePath = false;
systemd.services."wg-quick-wg0" = {
description = "wg-quick WireGuard Tunnel - wg0";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = "wg0";
path = [ pkgs.kmod pkgs.wireguard-tools ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
${lib.strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
wg-quick up /root/wg0.conf
'';
postStart = lib.mkIf cfg.killswitch ''
${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
'';
preStop = ''
${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
wg-quick down /root/wg0.conf
'';
};
};
}
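Review bot: In `preStop`, the LAN rule is removed with `iptables -D OUTPUT -s 192.168.0.0/24` while `postStart` inserted it as `-I OUTPUT -s 192.168.0.0/24 -j ACCEPT`; `iptables -D` with a rule specification needs the full rule including the target, so this deletion should fail, and because the commands are chained with `&&` the following `ip6tables -D` is skipped, leaving the IPv6 REJECT rule in place after the tunnel is down. The deletion should read `${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 -j ACCEPT`. `networking.firewall.checkReversePath = false;` turns reverse-path filtering off for every interface; `networking.firewall.checkReversePath = "loose";` is the setting usually sufficient for a WireGuard fwmark setup and keeps the check elsewhere. The killswitch also only covers OUTPUT, whereas the removed nftables ruleset dropped FORWARD too, so traffic the host forwards for `docker0`/`vboxnet*` is no longer constrained; if that is intended, a comment on `postStart` saying so would help.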


@ -15,8 +15,14 @@
services.udiskie.enable = true;
programs.git = {
enable = true;
package = pkgs.git-with-libsecret;
userEmail = "alukard.develop@gmail.com";
userName = "Dmitriy Holkin";
extraConfig = {
credential = {
helper = "libsecret";
};
};
};
news.display = "silent";
# programs.command-not-found = {


@ -45,10 +45,12 @@
"clr" = "clear";
"weather" = "curl wttr.in/Volzhskiy";
"l" = "ls -lah --group-directories-first";
"rede" = "systemctl --user start redshift.service";
"redd" = "systemctl --user stop redshift.service";
"bare" = "systemctl --user start barrier-client.service";
"bard" = "systemctl --user stop barrier-client.service";
"rede" = "systemctl --user start redshift.service &";
"redd" = "systemctl --user stop redshift.service &";
"bare" = "systemctl --user start barrier-client.service &";
"bard" = "systemctl --user stop barrier-client.service &";
"wgup" = "_ systemctl start wg-quick-wg0.service";
"wgdown" = "_ systemctl stop wg-quick-wg0.service";
};
};
}
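Review bot: The trailing `&` added to the `rede`/`redd`/`bare`/`bard` aliases backgrounds `systemctl`, so a failed start or stop is never reported to the shell; `systemctl --no-block` returns immediately while still surfacing an error if the job cannot be queued, e.g. `"rede" = "systemctl --user --no-block start redshift.service";`. The new `wgup`/`wgdown` aliases depend on a `_` command that is not defined on this page (presumably a privilege-escalation alias from the shell framework); a short comment naming what `_` expands to would make the dependency explicit.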
