move modules to flake.nix and split security

Dmitriy Kholkin 2023-03-27 15:48:23 +03:00
parent 1b121753db
commit d61eff2280
10 changed files with 124 additions and 117 deletions


@ -116,6 +116,15 @@
findModules (dir + "/${name}"))
(builtins.readDir dir)));
# pkgsFor = system:
# import inputs.nixpkgs {
# overlays = [ self.overlay ];
# localSystem = { inherit system; };
# config = {
# android_sdk.accept_license = true;
# };
# };
patchesPath = map (x: ./patches + "/${x}");
in flake-utils-plus.lib.mkFlake rec {
inherit self inputs;
@ -137,10 +146,15 @@
hostDefaults.channelName = "unstable";
hosts = with nixpkgs.lib; let
hostnames = builtins.attrNames (builtins.readDir ./machines);
mkHost = name: {
mkHost = name: let
system = builtins.readFile (./machines + "/${name}/system");
modules = [
(import (./machines + "/${name}")) { device = name; mainuser = "ataraxia"; }
# pkgs = pkgsFor system;
in {
inherit system;
modules = __attrValues self.customModules ++ [
(import (./machines + "/${name}"))
# { nixpkgs.pkgs = pkgs; }
{ device = name; mainuser = "ataraxia"; }
inputs.vscode-server.nixosModule
];
specialArgs = { inherit inputs; };
@ -148,8 +162,9 @@
in (genAttrs hostnames mkHost) // {
AMD-Workstation = {
system = builtins.readFile (./machines/AMD-Workstation/system);
modules = [
(import (./machines/AMD-Workstation)) { device = "AMD-Workstation"; mainuser = "ataraxia"; }
modules = __attrValues self.customModules ++ [
(import (./machines/AMD-Workstation))
{ device = "AMD-Workstation"; mainuser = "ataraxia"; }
inputs.vscode-server.nixosModule
];
specialArgs = { inherit inputs; };
@ -157,8 +172,9 @@
};
Flakes-ISO = {
system = "x86_64-linux";
modules = [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO"; mainuser = "ataraxia"; }
modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO))
{ device = "Flakes-ISO"; mainuser = "ataraxia"; }
./machines/Home-Hypervisor/autoinstall.nix
./machines/AMD-Workstation/autoinstall.nix
./machines/NixOS-VM/autoinstall.nix
@ -167,7 +183,7 @@
};
Flakes-ISO-Aarch64 = {
system = "aarch64-linux";
modules = [
modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; }
./machines/Arch-Builder-VM/autoinstall.nix
];
@ -214,14 +230,18 @@
packages = {
Wayland-VM = nixos-generators.nixosGenerate {
system = builtins.readFile (./machines/Wayland-VM/system);
modules = [ (import (./machines/Wayland-VM)) { device = "Wayland-VM"; mainuser = "ataraxia"; } ];
modules = __attrValues self.customModules ++ [
(import (./machines/Wayland-VM))
{ device = "Wayland-VM"; mainuser = "ataraxia"; }
];
specialArgs = { inherit inputs; };
format = "vm";
};
Flakes-ISO = nixos-generators.nixosGenerate {
system = "x86_64-linux";
modules = [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO"; mainuser = "ataraxia"; }
modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO))
{ device = "Flakes-ISO"; mainuser = "ataraxia"; }
./machines/Home-Hypervisor/autoinstall.nix
./machines/NixOS-VM/autoinstall.nix
];
@ -230,8 +250,9 @@
};
Flakes-ISO-Aarch64 = nixos-generators.nixosGenerate {
system = "aarch64-linux";
modules = [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; }
modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO))
{ device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; }
./machines/Arch-Builder-VM/autoinstall.nix
];
specialArgs = { inherit inputs; };
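Review bot: `__attrValues` on every new `modules =` line is the undocumented double-underscore alias of the builtin; `builtins.attrValues self.customModules` expresses the same thing in the form the Nix manual documents. That prefix is now repeated in mkHost and five hand-written hosts and outputs, so hoisting it into the surrounding `let` as `baseModules = builtins.attrValues self.customModules;` and writing `modules = baseModules ++ [ … ]` would remove the duplication in one place. The `Flakes-ISO-Aarch64` entry under `hosts` still keeps the import and the `{ device = …; }` set on one line, unlike every sibling this commit reformatted onto two. Because the list is also prepended to the installer ISO and VM outputs, every custom module is now evaluated on those images too; a comment on the hoisted binding, `# every customModule is loaded on every host/image, so modules must gate themselves on their own options`, records that assumption. The commented-out `pkgsFor` block is dead code and could be dropped or turned into a TODO.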


@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }: {
environment.systemPackages = [ pkgs.pass-secret-service ];
services.dbus.packages = [ pkgs.pass-secret-service ];
xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
home-manager.users.${config.mainuser} = {
services.pass-secret-service.enable = true;
systemd.user.services.pass-secret-service = {
Service = {
Type = "dbus";
Environment = [ "GPG_TTY=/dev/tty1" "DISPLAY=:0" ];
BusName = "org.freedesktop.secrets";
};
Unit = rec {
Wants = [ "gpg-agent.service" ];
After = Wants;
PartOf = [ "graphical-session-pre.target" ];
};
};
};
}
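Review bot: `lib` is bound in the module's argument set but never used in the file; `{ config, pkgs, ... }:` is sufficient. `Environment = [ "GPG_TTY=/dev/tty1" "DISPLAY=:0" ]` hard-wires the secret service to the first tty and display, so a session on another seat or tty presumably would not receive the pinentry prompts; a comment such as `# assumes the single graphical session runs on tty1 / :0 (getty autologin)` makes that dependency visible where it would otherwise be puzzling.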


@ -0,0 +1,42 @@
{ config, pkgs, lib, ... }: {
programs.firejail.enable = true;
users.mutableUsers = false;
users.users.${config.mainuser} = {
isNormalUser = true;
extraGroups = [
"adbusers"
"audio"
"cdrom"
"corectrl"
"dialout"
"disk"
"docker"
"input"
"kvm"
"libvirtd"
"lp"
"lxd"
"networkmanager"
"podman"
"qemu-libvirtd"
"render"
"scanner"
"systemd-journal"
"smbuser"
"video"
# "wheel" # remove?
];
description = "AtaraxiaDev";
uid = 1000;
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.zsh;
};
programs.zsh.enable = true;
# Safe, because we using doas
users.allowNoPasswordLogin = true;
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
services.getty.autologinUser = config.mainuser;
}
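Review bot: `hashedPassword` keeps the primary user's yescrypt hash in the repository, where anyone who can read the flake can run offline guessing against it; since this tree already has a `secrets` module, `passwordFile` (named `hashedPasswordFile` in newer NixOS) pointing at a managed secret keeps the hash out of git without changing the rest of the user definition. The `extraGroups` list grants `disk`, `docker`, `lxd`, `libvirtd` and `kvm`, each of which is effectively root-equivalent, so the `# "wheel" # remove?` question does not change the account's real privilege either way; a comment stating that this is a single-user workstation account would make that intent explicit. `services.getty.autologinUser = config.mainuser;` now lives in the `users` profile, which at least one non-desktop role in this commit appears to import, so any host with that role logs this account in on every console without a password; if that is only meant for desktops, `lib.mkIf (!config.deviceSpecific.isServer)` would scope it. `# Safe, because we using doas` explains `allowNoPasswordLogin` only indirectly; `# no password-capable wheel user is required: privilege is granted through the doas rules in the security profile` states the reasoning.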


@ -1,41 +1,4 @@
{ config, pkgs, lib, ... }:
with config.deviceSpecific; {
security.apparmor.enable = !isContainer;
programs.firejail.enable = true;
users.mutableUsers = false;
users.users.${config.mainuser} = {
isNormalUser = true;
extraGroups = [
"adbusers"
"audio"
"cdrom"
"corectrl"
"dialout"
"disk"
"docker"
"input"
"kvm"
"libvirtd"
"lp"
"lxd"
"networkmanager"
"podman"
"qemu-libvirtd"
"render"
"scanner"
"systemd-journal"
"smbuser"
"video"
# "wheel" # remove?
];
description = "AtaraxiaDev";
uid = 1000;
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.zsh;
};
# Safe, because we using doas
users.allowNoPasswordLogin = true;
{ config, pkgs, lib, ... }: {
# FIXME: completely remove sudo
security.sudo = {
enable = true;
@ -76,7 +39,7 @@ with config.deviceSpecific; {
keepEnv = true;
cmd = "/run/current-system/sw/bin/btrfs";
args = [ "fi" "usage" "/" ];
}] ++ lib.optionals isLaptop [{
}] ++ lib.optionals config.deviceSpecific.isLaptop [{
users = [ config.mainuser ];
noPass = true;
keepEnv = true;
@ -93,6 +56,4 @@ with config.deviceSpecific; {
args = [ "build" ];
}];
};
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
services.getty.autologinUser = config.mainuser;
}
}
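Review bot: `security.apparmor.enable = !isContainer;` is deleted from this module and does not reappear in either of the new profiles, so every host that imported it loses AppArmor as a side effect of the split, which the commit message does not mention; unless it moved to a file outside this commit, add `security.apparmor.enable = !config.deviceSpecific.isContainer;` next to the `security.sudo` block, qualified the same way the `isLaptop` reference was after the `with` was dropped. `programs.firejail.enable` moved to the users profile rather than staying here; that is a judgement call, but a comment explaining why sandboxing sits with user definitions rather than with the other confinement options would help the next reader. The `# FIXME: completely remove sudo` is unchanged and, with doas rules already present below, presumably still the plan.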


@ -1,16 +1,14 @@
{ pkgs, lib, config, ... }: {
environment.sessionVariables = rec {
LESS = "MR";
LESSHISTFILE = "~/.local/share/lesshist";
SYSTEMD_LESS = LESS;
CARGO_HOME = "${config.home-manager.users.${config.mainuser}.xdg.dataHome}/cargo";
LIBVIRT_DEFAULT_URI = "qemu:///system";
};
environment.systemPackages = [ pkgs.pass-secret-service ];
services.dbus.packages = [ pkgs.pass-secret-service ];
xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
environment.sessionVariables =
builtins.mapAttrs (_: toString)
config.home-manager.users.${config.mainuser}.home.sessionVariables // rec {
LESS = "MR";
LESSHISTFILE = "~/.local/share/lesshist";
SYSTEMD_LESS = LESS;
CARGO_HOME = "${config.home-manager.users.${config.mainuser}.xdg.dataHome}/cargo";
LIBVIRT_DEFAULT_URI = "qemu:///system";
};
programs.ydotool.enable = true;
services.journald.extraConfig = "Compress=false";
@ -18,23 +16,7 @@
home-manager.users.${config.mainuser} = {
news.display = "silent";
systemd.user.startServices = true;
nixpkgs.config.allowUnfree = true;
#TODO: Move to another file
services.pass-secret-service.enable = true;
systemd.user.services.pass-secret-service = {
Service = {
Type = "dbus";
Environment = [ "GPG_TTY=/dev/tty1" "DISPLAY=:0" ];
BusName = "org.freedesktop.secrets";
};
Unit = rec {
Wants = [ "gpg-agent.service" ];
After = Wants;
PartOf = [ "graphical-session-pre.target" ];
};
};
};
systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];
@ -61,10 +43,6 @@
persist.state.homeDirectories = [
"projects"
"nixos-config"
# {
# directory = "nixos-config";
# method = "symlink";
# }
] ++ lib.optionals (!config.deviceSpecific.isServer) [
"games"
# "persist"
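Review bot: `builtins.mapAttrs (_: toString)` applies Nix string coercion to every home-manager session variable, and `toString true` is `"1"` while `toString false` is `""`, so a boolean in `home.sessionVariables` would be exported with a value its consumer may not expect; a comment stating which value types are expected, or an assertion that each value is a string, int or path, would catch that early. The `//` makes the system-level set on the right win on any name collision, which is worth recording inline as `# system-level values below override home-manager's on conflict`. `environment.sessionVariables` is applied by PAM to every login on the host, so this change exports one user's home-manager variables to all users and sessions; presumably fine on a single-user machine, but the hunk should say so.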


@ -1,13 +1,11 @@
{ inputs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [
imports = with inputs.self.nixosProfiles; [
inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
applications
boot
devices
git
gpg
locale
@ -16,12 +14,9 @@
nix
nnn
overlay
persist
secrets
secrets-envsubst
security
user
ssh
users
vlock
zsh
];
}
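Review bot: The role drops `with inputs.self.customModules;` and several names appear to go with it (`persist`, `secrets`, `secrets-envsubst`), yet nothing in the file says that those modules are now prepended to every host in flake.nix, so a reader of this role alone would conclude the functionality was removed. A one-line comment above `imports`, e.g. `# customModules are loaded for every host in flake.nix; only nixosProfiles are listed here`, records the dependency. The same applies to the other role files in this commit (the one ending with `vscode-server`, the desktop role, and the one adding `pkgs.kitty`). With a single `with` scope, a mistyped profile name now fails as an undefined variable instead of silently resolving to a customModule of the same name, which is a genuine improvement of the new form.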


@ -1,11 +1,10 @@
{ inputs, pkgs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [
imports = with inputs.self.nixosProfiles; [
inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
devices
git
gpg
locale
@ -14,12 +13,9 @@
nix
nnn
overlay
persist
secrets
secrets-envsubst
security
ssh
users
user
vlock
zsh
vscode-server


@ -1,11 +1,8 @@
{ inputs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [
imports = with inputs.self.nixosProfiles; [
./base.nix
inputs.base16.hmModule
inputs.self.customModules.seadrive
inputs.self.nixosProfiles.seadrive
xray
applications-setup
hardware
@ -43,6 +40,7 @@
light
mako
nix-index
pass-secret-service
print-scan
proxy
hyprland


@ -1,12 +1,10 @@
{ inputs, pkgs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [
imports = with inputs.self.nixosProfiles; [
inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
applications
devices
direnv
git
gpg
@ -17,14 +15,10 @@
nix-index
nnn
overlay
persist
secrets
secrets-envsubst
security
pass-secret-service
ssh
users
user
vlock
zsh
];
environment.systemPackages = [ pkgs.kitty ];
}


@ -1,5 +1,5 @@
{ inputs, ... }: {
imports = with inputs.self; with inputs.self.nixosProfiles; [
inputs.self.nixosRoles.desktop
imports = with inputs.self; [
nixosRoles.desktop
];
}