commit? 42!

This commit is contained in:
Dmitriy Holkin 2019-10-17 00:31:54 +04:00
parent 90db3ab0ad
commit af0a69f624
11 changed files with 219 additions and 11 deletions


@ -15,8 +15,8 @@ with import ../support.nix { inherit lib config; }; {
desktop = "rofi";
};
editor = {
cmd = "${pkgs.vscodium}/bin/codium";
desktop = "codium";
cmd = "${pkgs.vscode}/bin/code";
desktop = "code";
};
browser = {
cmd = "${pkgs.vivaldi}/bin/vivaldi";


@ -73,7 +73,8 @@ with deviceSpecific; {
home-manager.users.alukard.home.packages = with pkgs; [
nix-zsh-completions
qbittorrent
vscodium
# vscodium
vscode
# vscode-with-extensions
xarchiver
tdesktop
@ -82,6 +83,7 @@ with deviceSpecific; {
] ++ lib.optionals (!isVM) [
steam
steam-run
protontricks
];
}


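--- /dev/null
+++ b/applications/podman-compose.nix
@@ -0,0 +1,20 @@
+{ lib, python37Packages }:
+with python37Packages;
+buildPythonPackage rec {
+pname = "podman-compose";
+version = "0.1.5";
+src = fetchPypi {
+inherit pname version;
+sha256 = "1sgbc889zq127qhxa9frhswa1mid19fs5qnyzfihx648y5i968pv";
+};
+propagatedBuildInputs = [ pyaml ];
+meta = with lib; {
+homepage = https://github.com/containers/podman-compose;
+description = "A script to run docker-compose.yml using podman";
+license = licenses.gpl2;
+# maintainers = with maintainers; [ alukardbf ];
+};
+}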
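Review bot: `homepage` in the `meta` block is written as a bare URL literal rather than a string; Nix has deprecated URL literals (RFC 45), so the evaluator may start warning on or rejecting this line. Quoting it keeps the attribute a plain string with identical meaning: `homepage = "https://github.com/containers/podman-compose";`. The pinned `sha256` on the `fetchPypi` source is the right way to lock the package contents and should stay.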


@ -12,15 +12,12 @@
./workspace/dunst.nix
./workspace/mpv.nix
./workspace/kde
# ./workspace/ssh.nix
./workspace/locale.nix
./workspace/fonts.nix
./workspace/light.nix
# ./workspace/autorandr.nix
# ./workspace/gcalcli.nix
# ./workspace/rclone.nix
./workspace/xresources.nix
./workspace/barrier.nix
./workspace/podman.nix
./themes.nix
./mullvad.nix
./applications.nix


@ -18,6 +18,7 @@ with types; {
cpu = devInfo.cpu.vendor;
video = devInfo.video;
isSSD = devInfo.drive.type == "ssd";
# isGaming = (isNull (builtins.match ".*VM" device));
hostName = if !isNull devInfo.hostName then
devInfo.hostName
else


@ -4,6 +4,7 @@
# nerdfonts = nur.balsoft.pkgs.roboto-mono-nerd;
youtube-to-mpv = pkgs.callPackage ./applications/youtube-to-mpv.nix {};
wg-conf = pkgs.callPackage ./applications/wg-conf.nix {};
podman-compose = pkgs.callPackage ./applications/podman-compose.nix {};
xonar-fp = pkgs.writers.writeBashBin "xonar-fp" ''
CURRENT_STATE=`amixer -c 0 sget "Front Panel" | egrep -o '\[o.+\]'`
if [[ $CURRENT_STATE == '[on]' ]]; then


@ -85,7 +85,10 @@
services.gnome3.gnome-keyring.enable = true;
# TODO: move environment.systemPackages to applications/package.nix
virtualisation.docker.enable = config.devices.${config.device}.enableDocker;
environment.systemPackages = lib.mkIf (config.devices.${config.device}.enableDocker)
[ pkgs.docker-compose ];
# virtualisation.virtualbox.host = lib.mkIf config.deviceSpecific.isHost {
# enable = true;
# # enableHardening = false;


@ -13,7 +13,7 @@ in {
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = "wg0";
path = [ pkgs.kmod pkgs.wireguard-tools ];
path = [ pkgs.kmod pkgs.wireguard-tools pkgs.iptables ];
serviceConfig = {
Type = "oneshot";
@ -26,13 +26,34 @@ in {
'';
postStart = lib.mkIf cfg.killswitch ''
${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT
${lib.strings.optionalString (config.virtualisation.docker.enable) "iptables -I OUTPUT -s 172.17.0.0/16 -j ACCEPT"}
'';
preStop = ''
${lib.strings.optionalString (cfg.killswitch) "${pkgs.iptables}/bin/iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ${pkgs.iptables}/bin/iptables -D OUTPUT -s 192.168.0.0/24 && ${pkgs.iptables}/bin/ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT"}
${lib.strings.optionalString (cfg.killswitch) "iptables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && && iptables -D OUTPUT -s 192.168.0.0/24"}
${lib.strings.optionalString (cfg.killswitch && config.virtualisation.docker.enable) "iptables -D OUTPUT -s 172.17.0.0/16"}
wg-quick down /root/wg0.conf
'';
};
# systemd.services."iptables-docker" = lib.mkIf (config.virtualisation.docker.enable) {
# description = "Configure iptables to work with docker";
# wantedBy = [ "multi-user.target" ];
# path = [ pkgs.iptables pkgs.iproute pkgs.gnugrep pkgs.gnused ];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# };
# script = ''
# iptables -A FORWARD -i docker0 -o $(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//") -j ACCEPT
# iptables -A FORWARD -i $(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//") -o docker0 -j ACCEPT
# '';
# };
# virtualisation.docker.extraOptions = lib.mkIf (config.virtualisation.docker.enable)
# "--iptables=false";
};
}
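Review bot: The rewritten `postStart` rule line contains a doubled operator, `-j REJECT && && iptables -I OUTPUT -s 192.168.0.0/24 -j ACCEPT`, which bash rejects as a syntax error, so when `cfg.killswitch` is set neither the REJECT rules nor the LAN exemption are installed; the rewritten `preStop` line in the same hunk has the same `&& &&` and both should collapse to a single `&&`. Separately, the LAN exemption matches on source address (`-s 192.168.0.0/24`); assuming the LAN interface holds an address in that range, every packet leaving through the LAN interface after wg0 disappears also carries such a source, so this rule appears to exempt exactly the traffic the REJECT is meant to stop, and `-d 192.168.0.0/24` (destination) would confine the exemption to LAN-bound packets. Finally, the `preStop` deletions `iptables -D OUTPUT -s 192.168.0.0/24` and `iptables -D OUTPUT -s 172.17.0.0/16` omit the `-j ACCEPT` target that the inserted rules carry, so `-D` cannot match the installed rule and fails, which under the `&&` chain also skips the ip6tables cleanup; append `-j ACCEPT` to both delete rules so they mirror the inserts.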


@ -10,7 +10,8 @@ in {
package = pkgs.i3-gaps;
config = rec {
assigns = {
"" = [ { class = "Chromium"; } { class = "Firefox"; } ];
# "" = [ { class = "Chromium"; } { class = "Firefox"; } ];
"" = [ { class = "Spotify"; } ];
"" = [
{ class = "^Telegram"; }
{ class = "^VK"; }
@ -90,6 +91,7 @@ in {
startup = map (a: { notification = false; } // a) [
{ command = "${pkgs.xorg.xrdb}/bin/xrdb -merge ~/.Xresources"; }
{ command = "${pkgs.pywal}/bin/wal -R"; }
{ command = "${pkgs.spotifywm}/bin/spotifywm"; }
];
keybindings = let
script = name: content: "exec ${pkgs.writeScript name content}";


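--- /dev/null
+++ b/workspace/podman.nix
@@ -0,0 +1,160 @@
+# cfg = config.devices.${config.device}.enableDocker;
+{ config, pkgs, lib, ... }:
+with lib;
+let
+cfg = config.programs.podman;
+surroundEachWith = str: list:
+map (e: str + (toString e) + str) list;
+registriesConf = let
+registryList = list:
+"registries = [" + (concatStringsSep ", " (surroundEachWith "'" list)) + "]";
+in concatStringsSep "\n" (mapAttrsToList (type: registries: ''
+[registries.${type}]
+${registryList registries}
+'') { inherit (cfg.registries) block insecure search; });
+in {
+###### interface
+options = {
+programs.podman = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Whenever to configure <command>podman</command> user-wide.";
+};
+installSystemWide = mkOption {
+type = types.bool;
+default = false;
+description = "Install packages system-wide.";
+};
+registries = {
+search = mkOption {
+type = types.listOf types.str;
+default = [ "docker.io" "quay.io" ];
+description = ''
+List of repositories to search.
+'';
+};
+insecure = mkOption {
+default = [ ];
+type = types.listOf types.str;
+description = ''
+List of insecure repositories.
+'';
+};
+block = mkOption {
+default = [ ];
+type = types.listOf types.str;
+description = ''
+List of blocked repositories.
+'';
+};
+};
+policy = mkOption {
+default = {
+default = [ { type = "reject"; }];
+};
+type = types.attrs;
+example = literalExample ''
+{
+default = [ { type = "insecureAcceptAnything"; } ];
+transports = {
+docker-daemon = {
+"" = [ { type = "insecureAcceptAnything"; } ];
+};
+};
+}
+'';
+description = ''
+Signature verification policy file
+</para>
+<para>
+The default will simply reject everything.
+'';
+};
+};
+};
+###### implementation
+config = mkMerge [
+(mkIf cfg.enable {
+home-manager.users.alukard.xdg.configFile = {
+"containers/libpod.conf".text = ''
+cgroup_manager = "systemd"
+cni_config_dir = "/etc/cni/net.d/"
+cni_default_network = "podman"
+cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
+conmon_path = ["${pkgs.conmon}/bin/conmon"]
+image_default_transport = "docker://"
+runtime = "${pkgs.crun}/bin/crun"
+runtimes = ["${pkgs.crun}/bin/crun", "${pkgs.runc}/bin/runc"]
+# pause
+pause_image = "k8s.gcr.io/pause:3.1"
+pause_command = "/pause"
+'';
+"containers/registries.conf".text = registriesConf;
+"containers/policy.json".text = builtins.toJSON cfg.policy;
+};
+environment.etc."cni/net.d/87-podman-bridge.conflist".text = (builtins.toJSON {
+cniVersion = "0.3.0";
+name = "podman";
+plugins = [
+{
+type = "bridge";
+bridge = "cni0";
+isGateway = true;
+ipMasq = true;
+ipam = {
+type = "host-local";
+subnet = "10.88.0.0/16";
+routes = [
+{ dst = "0.0.0.0/0"; }
+];
+};
+}
+{
+type = "portmap";
+capabilities = {
+portMappings = true;
+};
+}
+];
+});
+environment.systemPackages = mkIf cfg.installSystemWide
+(with pkgs; [
+buildah conmon crun fuse-overlayfs podman runc slirp4netns iptables podman-compose
+]);
+home-manager.users.alukard.home.packages = mkIf (!cfg.installSystemWide)
+(with pkgs; [
+buildah conmon crun fuse-overlayfs podman runc slirp4netns iptables podman-compose
+]);
+users.users.alukard = {
+subUidRanges = [{ startUid = 100000; count = 65536; }];
+subGidRanges = [{ startGid = 100000; count = 65536; }];
+};
+})
+({
+programs.podman = {
+# enable = config.devices.${config.device}.enableDocker;
+enable = false;
+policy = {
+default = [ { type = "insecureAcceptAnything"; }];
+};
+};
+})
+];
+}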
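Review bot: The second element of the `config = mkMerge [ ... ]` list unconditionally sets `policy = { default = [ { type = "insecureAcceptAnything"; } ]; }`, which discards the reject-everything default the `policy` option declares and turns off image signature verification for every transport on every host that imports this module, regardless of `enable`. If a specific device needs the permissive policy, gate it the way the commented `enable` line suggests, or declare it with `mkDefault` so a host can restore the reject policy without `mkForce`; the hard-coded `enable = false` in the same block has the related problem that a host setting `programs.podman.enable = true` would appear to produce a conflicting-definition error at equal priority. Two smaller points: the `enable` description reads "Whenever to configure", which should be "Whether to configure", and the package list under `environment.systemPackages` and `home.packages` is duplicated verbatim and could be a single `let` binding next to `registriesConf`.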


@ -11,6 +11,7 @@ with deviceSpecific; with themes; {
enable = isLaptop;
# sendEventsMode = "disabled-on-external-mouse";
# middleEmulation = false;
accelProfile = lib.mkIf (!isLaptop) "flat";
naturalScrolling = true;
};