AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

move modules to flake.nix and split security

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-03-27 15:48:23 +03:00
parent 1b121753db
commit d61eff2280
10 changed files with 124 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
flake.nix
View File

@ -116,6 +116,15 @@
findModules (dir + "/${name}")) findModules (dir + "/${name}"))
(builtins.readDir dir))); (builtins.readDir dir)));
# pkgsFor = system:
# import inputs.nixpkgs {
# overlays = [ self.overlay ];
# localSystem = { inherit system; };
# config = {
# android_sdk.accept_license = true;
# };
# };
patchesPath = map (x: ./patches + "/${x}"); patchesPath = map (x: ./patches + "/${x}");
in flake-utils-plus.lib.mkFlake rec { in flake-utils-plus.lib.mkFlake rec {
inherit self inputs; inherit self inputs;
@ -137,10 +146,15 @@
hostDefaults.channelName = "unstable"; hostDefaults.channelName = "unstable";
hosts = with nixpkgs.lib; let hosts = with nixpkgs.lib; let
hostnames = builtins.attrNames (builtins.readDir ./machines); hostnames = builtins.attrNames (builtins.readDir ./machines);
mkHost = name: { mkHost = name: let
system = builtins.readFile (./machines + "/${name}/system"); system = builtins.readFile (./machines + "/${name}/system");
modules = [ # pkgs = pkgsFor system;
(import (./machines + "/${name}")) { device = name; mainuser = "ataraxia"; } in {
inherit system;
modules = __attrValues self.customModules ++ [
(import (./machines + "/${name}"))
# { nixpkgs.pkgs = pkgs; }
{ device = name; mainuser = "ataraxia"; }
inputs.vscode-server.nixosModule inputs.vscode-server.nixosModule
]; ];
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
@ -148,8 +162,9 @@
in (genAttrs hostnames mkHost) // { in (genAttrs hostnames mkHost) // {
AMD-Workstation = { AMD-Workstation = {
system = builtins.readFile (./machines/AMD-Workstation/system); system = builtins.readFile (./machines/AMD-Workstation/system);
modules = [ modules = __attrValues self.customModules ++ [
(import (./machines/AMD-Workstation)) { device = "AMD-Workstation"; mainuser = "ataraxia"; } (import (./machines/AMD-Workstation))
{ device = "AMD-Workstation"; mainuser = "ataraxia"; }
inputs.vscode-server.nixosModule inputs.vscode-server.nixosModule
]; ];
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
@ -157,8 +172,9 @@
}; };
Flakes-ISO = { Flakes-ISO = {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO"; mainuser = "ataraxia"; } (import (./machines/Flakes-ISO))
{ device = "Flakes-ISO"; mainuser = "ataraxia"; }
./machines/Home-Hypervisor/autoinstall.nix ./machines/Home-Hypervisor/autoinstall.nix
./machines/AMD-Workstation/autoinstall.nix ./machines/AMD-Workstation/autoinstall.nix
./machines/NixOS-VM/autoinstall.nix ./machines/NixOS-VM/autoinstall.nix
@ -167,7 +183,7 @@
}; };
Flakes-ISO-Aarch64 = { Flakes-ISO-Aarch64 = {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; } (import (./machines/Flakes-ISO)) { device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; }
./machines/Arch-Builder-VM/autoinstall.nix ./machines/Arch-Builder-VM/autoinstall.nix
]; ];
@ -214,14 +230,18 @@
packages = { packages = {
Wayland-VM = nixos-generators.nixosGenerate { Wayland-VM = nixos-generators.nixosGenerate {
system = builtins.readFile (./machines/Wayland-VM/system); system = builtins.readFile (./machines/Wayland-VM/system);
modules = [ (import (./machines/Wayland-VM)) { device = "Wayland-VM"; mainuser = "ataraxia"; } ]; modules = __attrValues self.customModules ++ [
(import (./machines/Wayland-VM))
{ device = "Wayland-VM"; mainuser = "ataraxia"; }
];
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
format = "vm"; format = "vm";
}; };
Flakes-ISO = nixos-generators.nixosGenerate { Flakes-ISO = nixos-generators.nixosGenerate {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO"; mainuser = "ataraxia"; } (import (./machines/Flakes-ISO))
{ device = "Flakes-ISO"; mainuser = "ataraxia"; }
./machines/Home-Hypervisor/autoinstall.nix ./machines/Home-Hypervisor/autoinstall.nix
./machines/NixOS-VM/autoinstall.nix ./machines/NixOS-VM/autoinstall.nix
]; ];
@ -230,8 +250,9 @@
}; };
Flakes-ISO-Aarch64 = nixos-generators.nixosGenerate { Flakes-ISO-Aarch64 = nixos-generators.nixosGenerate {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = __attrValues self.customModules ++ [
(import (./machines/Flakes-ISO)) { device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; } (import (./machines/Flakes-ISO))
{ device = "Flakes-ISO-Aarch64"; mainuser = "ataraxia"; }
./machines/Arch-Builder-VM/autoinstall.nix ./machines/Arch-Builder-VM/autoinstall.nix
]; ];
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };

22
profiles/security/pass-secret-service.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }: {
environment.systemPackages = [ pkgs.pass-secret-service ];
services.dbus.packages = [ pkgs.pass-secret-service ];
xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
home-manager.users.${config.mainuser} = {
services.pass-secret-service.enable = true;
systemd.user.services.pass-secret-service = {
Service = {
Type = "dbus";
Environment = [ "GPG_TTY=/dev/tty1" "DISPLAY=:0" ];
BusName = "org.freedesktop.secrets";
};
Unit = rec {
Wants = [ "gpg-agent.service" ];
After = Wants;
PartOf = [ "graphical-session-pre.target" ];
};
};
};
}

42
profiles/security/user.nix Normal file
View File

@ -0,0 +1,42 @@
{ config, pkgs, lib, ... }: {
programs.firejail.enable = true;
users.mutableUsers = false;
users.users.${config.mainuser} = {
isNormalUser = true;
extraGroups = [
"adbusers"
"audio"
"cdrom"
"corectrl"
"dialout"
"disk"
"docker"
"input"
"kvm"
"libvirtd"
"lp"
"lxd"
"networkmanager"
"podman"
"qemu-libvirtd"
"render"
"scanner"
"systemd-journal"
"smbuser"
"video"
# "wheel" # remove?
];
description = "AtaraxiaDev";
uid = 1000;
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.zsh;
};
programs.zsh.enable = true;
# Safe, because we using doas
users.allowNoPasswordLogin = true;
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
services.getty.autologinUser = config.mainuser;
}

45
profiles/security.nix → profiles/security/vlock.nix
View File

@ -1,41 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }: {
with config.deviceSpecific; {
security.apparmor.enable = !isContainer;
programs.firejail.enable = true;
users.mutableUsers = false;
users.users.${config.mainuser} = {
isNormalUser = true;
extraGroups = [
"adbusers"
"audio"
"cdrom"
"corectrl"
"dialout"
"disk"
"docker"
"input"
"kvm"
"libvirtd"
"lp"
"lxd"
"networkmanager"
"podman"
"qemu-libvirtd"
"render"
"scanner"
"systemd-journal"
"smbuser"
"video"
# "wheel" # remove?
];
description = "AtaraxiaDev";
uid = 1000;
hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.zsh;
};
# Safe, because we using doas
users.allowNoPasswordLogin = true;
# FIXME: completely remove sudo # FIXME: completely remove sudo
security.sudo = { security.sudo = {
enable = true; enable = true;
@ -76,7 +39,7 @@ with config.deviceSpecific; {
keepEnv = true; keepEnv = true;
cmd = "/run/current-system/sw/bin/btrfs"; cmd = "/run/current-system/sw/bin/btrfs";
args = [ "fi" "usage" "/" ]; args = [ "fi" "usage" "/" ];
}] ++ lib.optionals isLaptop [{ }] ++ lib.optionals config.deviceSpecific.isLaptop [{
users = [ config.mainuser ]; users = [ config.mainuser ];
noPass = true; noPass = true;
keepEnv = true; keepEnv = true;
@ -93,6 +56,4 @@ with config.deviceSpecific; {
args = [ "build" ]; args = [ "build" ];
}]; }];
}; };
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; }; }
services.getty.autologinUser = config.mainuser;
}

40
profiles/workspace/misc.nix
View File

@ -1,16 +1,14 @@
{ pkgs, lib, config, ... }: { { pkgs, lib, config, ... }: {
environment.sessionVariables = rec { environment.sessionVariables =
LESS = "MR"; builtins.mapAttrs (_: toString)
LESSHISTFILE = "~/.local/share/lesshist"; config.home-manager.users.${config.mainuser}.home.sessionVariables // rec {
SYSTEMD_LESS = LESS; LESS = "MR";
CARGO_HOME = "${config.home-manager.users.${config.mainuser}.xdg.dataHome}/cargo"; LESSHISTFILE = "~/.local/share/lesshist";
LIBVIRT_DEFAULT_URI = "qemu:///system"; SYSTEMD_LESS = LESS;
}; CARGO_HOME = "${config.home-manager.users.${config.mainuser}.xdg.dataHome}/cargo";
LIBVIRT_DEFAULT_URI = "qemu:///system";
environment.systemPackages = [ pkgs.pass-secret-service ]; };
services.dbus.packages = [ pkgs.pass-secret-service ];
xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
programs.ydotool.enable = true; programs.ydotool.enable = true;
services.journald.extraConfig = "Compress=false"; services.journald.extraConfig = "Compress=false";
@ -18,23 +16,7 @@
home-manager.users.${config.mainuser} = { home-manager.users.${config.mainuser} = {
news.display = "silent"; news.display = "silent";
systemd.user.startServices = true; systemd.user.startServices = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
#TODO: Move to another file
services.pass-secret-service.enable = true;
systemd.user.services.pass-secret-service = {
Service = {
Type = "dbus";
Environment = [ "GPG_TTY=/dev/tty1" "DISPLAY=:0" ];
BusName = "org.freedesktop.secrets";
};
Unit = rec {
Wants = [ "gpg-agent.service" ];
After = Wants;
PartOf = [ "graphical-session-pre.target" ];
};
};
}; };
systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ]; systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];
@ -61,10 +43,6 @@
persist.state.homeDirectories = [ persist.state.homeDirectories = [
"projects" "projects"
"nixos-config" "nixos-config"
# {
# directory = "nixos-config";
# method = "symlink";
# }
] ++ lib.optionals (!config.deviceSpecific.isServer) [ ] ++ lib.optionals (!config.deviceSpecific.isServer) [
"games" "games"
# "persist" # "persist"

11
roles/base.nix
View File

@ -1,13 +1,11 @@
{ inputs, ... }: { { inputs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [ imports = with inputs.self.nixosProfiles; [
inputs.home-manager.nixosModules.home-manager { inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
} }
applications
boot boot
devices
git git
gpg gpg
locale locale
@ -16,12 +14,9 @@
nix nix
nnn nnn
overlay overlay
persist user
secrets
secrets-envsubst
security
ssh ssh
users vlock
zsh zsh
]; ];
} }

10
roles/container.nix
View File

@ -1,11 +1,10 @@
{ inputs, pkgs, ... }: { { inputs, pkgs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [ imports = with inputs.self.nixosProfiles; [
inputs.home-manager.nixosModules.home-manager { inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
} }
devices
git git
gpg gpg
locale locale
@ -14,12 +13,9 @@
nix nix
nnn nnn
overlay overlay
persist
secrets
secrets-envsubst
security
ssh ssh
users user
vlock
zsh zsh
vscode-server vscode-server

6
roles/desktop.nix
View File

@ -1,11 +1,8 @@
{ inputs, ... }: { { inputs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [ imports = with inputs.self.nixosProfiles; [
./base.nix ./base.nix
inputs.base16.hmModule inputs.base16.hmModule
inputs.self.customModules.seadrive
inputs.self.nixosProfiles.seadrive inputs.self.nixosProfiles.seadrive
xray
applications-setup applications-setup
hardware hardware
@ -43,6 +40,7 @@
light light
mako mako
nix-index nix-index
pass-secret-service
print-scan print-scan
proxy proxy
hyprland hyprland

14
roles/hypervisor.nix
View File

@ -1,12 +1,10 @@
{ inputs, pkgs, ... }: { { inputs, pkgs, ... }: {
imports = with inputs.self.customModules; with inputs.self.nixosProfiles; [ imports = with inputs.self.nixosProfiles; [
inputs.home-manager.nixosModules.home-manager { inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
} }
applications
devices
direnv direnv
git git
gpg gpg
@ -17,14 +15,10 @@
nix-index nix-index
nnn nnn
overlay overlay
persist pass-secret-service
secrets
secrets-envsubst
security
ssh ssh
users user
vlock
zsh zsh
]; ];
environment.systemPackages = [ pkgs.kitty ];
} }

4
roles/workstation.nix
View File

@ -1,5 +1,5 @@
{ inputs, ... }: { { inputs, ... }: {
imports = with inputs.self; with inputs.self.nixosProfiles; [ imports = with inputs.self; [
inputs.self.nixosRoles.desktop nixosRoles.desktop
]; ];
} }