This commit is contained in:
Dmitriy Holkin 2019-10-10 20:11:09 +04:00
commit 57fbf2917f
9 changed files with 72 additions and 44 deletions


@ -34,7 +34,9 @@ with deviceSpecific; {
libnotify libnotify
tree tree
iperf iperf
(youtube-to-mpv.override { isLaptop = isLaptop; }) (youtube-to-mpv.override { isLaptop = isLaptop; })
wg-conf
# Other # Other
(vivaldi.override { proprietaryCodecs = true; }) (vivaldi.override { proprietaryCodecs = true; })
wget wget

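--- /dev/null
+++ b/applications/wg-conf.nix
@@ -0,0 +1,19 @@
+{ stdenv, pkgs }:
+let
+myScript = pkgs.writeShellScriptBin "wg-conf" ''
+if [[ -z "$1" ]]; then
+exit 1
+fi
+systemctl stop wg-quick-wg0.service
+cp "$1" /root/wg0.conf
+systemctl start wg-quick-wg0.service
+'';
+in
+stdenv.mkDerivation rec {
+name = "wg-conf";
+src = myScript;
+installPhase = ''
+mkdir -p $out/bin
+cp ./bin/wg-conf $out/bin/wg-conf
+'';
+}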
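Review bot: The script stops the tunnel (line 27) before it has checked that `$1` is a readable file, and nothing makes a failed `cp` fatal, so a mistyped path leaves wg0 down and then `systemctl start` silently brings the previous config back up. Validate the argument first and fail fast, and copy with `install -m 600` rather than `cp` so the file — which presumably carries the interface's PrivateKey — does not inherit a more permissive mode from the source (root's umask would otherwise decide). The `[[ -z "$1" ]]` test also accepts extra arguments, which `$# -ne 1` catches, and a one-line usage message on stderr tells the caller why it exited. The `stdenv.mkDerivation` wrapper only re-copies the binary that `writeShellScriptBin` already places under `bin/`, so it deserves a comment saying why it exists or can be dropped; that is a separate change.
```nix
myScript = pkgs.writeShellScriptBin "wg-conf" ''
set -euo pipefail
if [[ $# -ne 1 || ! -r "$1" ]]; then
  echo "usage: wg-conf <wg0.conf>" >&2
  exit 1
fi
systemctl stop wg-quick-wg0.service
install -m 600 "$1" /root/wg0.conf
systemctl start wg-quick-wg0.service
'';
# … unchanged: mkDerivation wrapper …
```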


@ -58,6 +58,9 @@ with deviceSpecific; {
anonymousClients.allowedIpRanges = ["127.0.0.1"]; anonymousClients.allowedIpRanges = ["127.0.0.1"];
}; };
}; };
boot.extraModprobeConfig = lib.mkIf (device == "AMD-Workstation") ''
options snd slots=snd_virtuoso,snd_usb_audio
'';
# SSD Section # SSD Section
boot.kernel.sysctl = { boot.kernel.sysctl = {


@ -3,6 +3,7 @@
(self: old: rec { (self: old: rec {
# nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd; # nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd;
youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {}; youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {};
wg-conf = pkgs.callPackage ./applications/wg-conf.nix {};
xonar-fp = pkgs.writers.writeBashBin "xonar-fp" '' xonar-fp = pkgs.writers.writeBashBin "xonar-fp" ''
CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'` CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'`
if [[ $CURRENT_STATE == '[on]' ]]; then if [[ $CURRENT_STATE == '[on]' ]]; then
@ -25,6 +26,7 @@
nixpkgs.config = { nixpkgs.config = {
packageOverrides = pkgs: { packageOverrides = pkgs: {
i3lock-fancy = pkgs.callPackage ./applications/i3lock-fancy.nix {}; i3lock-fancy = pkgs.callPackage ./applications/i3lock-fancy.nix {};
git-with-libsecret = pkgs.git.override { withLibsecret = true; };
mullvad-vpn = pkgs.mullvad-vpn.overrideAttrs (oldAttrs: rec { mullvad-vpn = pkgs.mullvad-vpn.overrideAttrs (oldAttrs: rec {
version = "2019.8"; version = "2019.8";
src = pkgs.fetchurl { src = pkgs.fetchurl {


@ -83,6 +83,8 @@
services.upower.enable = true; services.upower.enable = true;
services.gnome3.gnome-keyring.enable = true;
# virtualisation.docker.enable = config.deviceSpecific.isHost; # virtualisation.docker.enable = config.deviceSpecific.isHost;
# virtualisation.virtualbox.host = lib.mkIf config.deviceSpecific.isHost { # virtualisation.virtualbox.host = lib.mkIf config.deviceSpecific.isHost {
# enable = true; # enable = true;


@ -2,45 +2,37 @@
let let
cfg = config.secrets.wireguard.${config.device}; cfg = config.secrets.wireguard.${config.device};
in { in {
# Enable wireguard config = lib.mkIf cfg.enable {
networking.wg-quick.interfaces = lib.mkIf cfg.enable { boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
wg0 = cfg.interface; environment.systemPackages = [ pkgs.wireguard pkgs.wireguard-tools ];
networking.firewall.checkReversePath = false;
systemd.services."wg-quick-wg0" = {
description = "wg-quick WireGuard Tunnel - wg0";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = "wg0";
path = [ pkgs.kmod pkgs.wireguard-tools ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
}; };
# Enable killswitch
environment.systemPackages = script = ''
lib.mkIf (cfg.killswitch.package == "iptables") [ ${lib.strings.optionalString (!config.boot.isContainer) "modprobe wireguard"}
pkgs.iptables wg-quick up /root/wg0.conf
]; '';
networking.nftables =
lib.mkIf (cfg.killswitch.package == "nftables") { postStart = lib.mkIf cfg.killswitch ''
enable = true; ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
ruleset = '' '';
flush ruleset
table inet firewall { preStop = ''
chain input { ${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
type filter hook input priority 0; policy drop; wg-quick down /root/wg0.conf
iif "lo" accept
ct state { established, related } accept
ct state invalid drop
ip protocol icmp icmp type echo-request accept
ip daddr 192.168.0.1/24 accept
reject
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
oifname "lo" accept
oifname "wg0" accept
oifname "docker0" accept
oifname "vboxnet0" accept
oifname "vboxnet1" accept
udp dport domain drop
ip daddr 192.168.0.1/24 accept
udp dport 51820 accept
}
}
''; '';
}; };
};
} }
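Review bot: The preStop cleanup on line 113 does not match what postStart inserted on line 109: the LAN exemption is removed as `iptables -D OUTPUT -s 192.168.0.0/24` without `-j ACCEPT`, and `-D` needs the full rule specification, so that call fails, the `&&` chain stops there, and the ip6tables REJECT rule is never deleted — every restart of the unit then stacks another copy of the rules. Change it to `${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 -j ACCEPT`. Joining the deletions with `;` instead of `&&` keeps one missing rule from leaving the others behind, and because these rules outlive the unit a failed delete should at least be visible in its journal. The `$(wg show wg0 fwmark)` lookup presumably prints `off` when wg-quick assigned no fwmark to the interface, which would make the `--mark` match fail; worth confirming against the interface config in the secrets module.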


@ -15,8 +15,14 @@
services.udiskie.enable = true; services.udiskie.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
package = pkgs.git-with-libsecret;
userEmail = "alukard.develop@gmail.com"; userEmail = "alukard.develop@gmail.com";
userName = "Dmitriy Holkin"; userName = "Dmitriy Holkin";
extraConfig = {
credential = {
helper = "libsecret";
};
};
}; };
news.display = "silent"; news.display = "silent";
# programs.command-not-found = { # programs.command-not-found = {


@ -45,10 +45,12 @@
"clr" = "clear"; "clr" = "clear";
"weather" = "curl wttr.in/Volzhskiy"; "weather" = "curl wttr.in/Volzhskiy";
"l" = "ls -lah --group-directories-first"; "l" = "ls -lah --group-directories-first";
"rede" = "systemctl --user start redshift.service"; "rede" = "systemctl --user start redshift.service &";
"redd" = "systemctl --user stop redshift.service"; "redd" = "systemctl --user stop redshift.service &";
"bare" = "systemctl --user start barrier-client.service"; "bare" = "systemctl --user start barrier-client.service &";
"bard" = "systemctl --user stop barrier-client.service"; "bard" = "systemctl --user stop barrier-client.service &";
"wgup" = "_ systemctl start wg-quick-wg0.service";
"wgdown" = "_ systemctl stop wg-quick-wg0.service";
}; };
}; };
} }
