Merge pull request #2 from kaesaecracker/vpn1

Vpn1
2025-01-18 18:40:14 +01:00 · 2023-09-11 21:14:23 +02:00 · 2023-09-11 21:14:23 +02:00 · fe788df84d
parent ca2bde7abb ec2166ec2d
commit fe788df84d
19 changed files with 340 additions and 162 deletions
--- a/hetzner-vpn1.nix
+++ b/hetzner-vpn1.nix
@ -0,0 +1,16 @@
+{...}: {
+  imports = [
+    ./modules/server
+    (import ./modules/hardware "hetzner-vpn1")
+  ];
+
+  config = {
+    my = {
+      server.enable = true;
+    };
+
+    users.users.root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+    ];
+  };
+}
--- a/modules/_common/default.nix
+++ b/modules/_common/default.nix
@ -0,0 +1,6 @@
+{...}: {
+  imports = [
+    ./i18n.nix
+    ./nixpkgs.nix
+  ];
+}
--- a/modules/_common/i18n.nix
+++ b/modules/_common/i18n.nix
--- a/modules/_common/nixpkgs.nix
+++ b/modules/_common/nixpkgs.nix
@ -1,11 +1,6 @@
 {...}: {
  config = {
-    nixpkgs.config = {
-      allowUnfree = true;
-      permittedInsecurePackages = [
-        "electron-12.2.3"
-      ];
-    };
+    nixpkgs.config.allowUnfree = true;

    system = {
      stateVersion = "22.11";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,54 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: let
-  cfg = config.my;
-in {
-  imports = [
-    ./home
-    ./desktop
-    ./i18n.nix
-    ./nixpkgs.nix
-  ];
-
-  config = {
-    networking = {
-      networkmanager.enable = true;
-      firewall.enable = true;
-    };
-
-    # Enable the OpenSSH daemon.
-    services.openssh = {
-      enable = true;
-      settings = {
-        PermitRootLogin = "no";
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-      };
-    };
-
-    systemd.extraConfig = ''
-      DefaultTimeoutStopSec=12s
-    '';
-
-    programs = {
-      zsh.enable = true;
-
-      git = {
-        enable = true;
-        package = pkgs.gitFull;
-      };
-    };
-
-    environment = {
-      pathsToLink = ["/share/zsh"];
-
-      systemPackages = with pkgs; [
-        lm_sensors
-        tldr
-        ncdu
-      ];
-    };
-  };
-}
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@ -7,8 +7,12 @@
  cfg = config.my.desktop;
 in {
  imports = [
+    <home-manager/nixos>
+    ../_common
    ./gnome.nix
    ./kde.nix
+    ./vinzenz.nix
+    ./ronja.nix
  ];

  options.my.desktop = {
@ -16,12 +20,25 @@ in {
  };

  config = lib.mkIf cfg.enable {
+    home-manager.useUserPackages = true;
+    home-manager.useGlobalPkgs = true;
+
    services = {
      # Enable the X11 windowing system / wayland depending on DE
      xserver.enable = true;

      # Enable CUPS to print documents.
      printing.enable = true;
+
+      # Enable the OpenSSH daemon.
+      openssh = {
+        enable = true;
+        settings = {
+          PermitRootLogin = "no";
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+      };
    };

    # Enable sound with pipewire.
@ -44,7 +61,11 @@ in {
    };

    # unblock kde connect / gsconnect
-    networking.firewall = {
+    networking = {
+      networkmanager.enable = true;
+      firewall.enable = true;
+
+      firewall = {
        allowedTCPPortRanges = [
          {
            # KDE Connect
@ -61,4 +82,32 @@ in {
        ];
      };
    };
+
+    systemd.extraConfig = ''
+      DefaultTimeoutStopSec=12s
+    '';
+
+    programs = {
+      zsh.enable = true;
+
+      git = {
+        enable = true;
+        package = pkgs.gitFull;
+      };
+    };
+
+    environment = {
+      pathsToLink = ["/share/zsh"];
+
+      systemPackages = with pkgs; [
+        lm_sensors
+        tldr
+        ncdu
+      ];
+    };
+
+    nixpkgs.config.permittedInsecurePackages = [
+      "electron-12.2.3"
+    ];
+  };
 }
--- a/modules/desktop/gnome.nix
+++ b/modules/desktop/gnome.nix
@ -4,22 +4,22 @@
  lib,
  ...
 }: let
-  cfg = config.my.gnome;
+  desktopCfg = config.my.desktop;
+  cfg = desktopCfg.gnome;

-  #applyGnomeUserSettings = {
-  #  home.packages = with pkgs; [
-  #    gnome.gpaste
-  #    amberol
-  #  ];
-
-#    dconf.settings = {
- #     "org/gnome/desktop/peripherals/keyboard" = {
-  #      numlock-state = true;
-  #    };
-  #  };
-  #};
+  applyGnomeUserSettings = {
+    home.packages = with pkgs; [
+      gnome.gpaste
+      amberol
+    ];
+    dconf.settings = {
+      "org/gnome/desktop/peripherals/keyboard" = {
+        numlock-state = true;
+      };
+    };
+  };
 in {
-  options.my.gnome = {
+  options.my.desktop.gnome = {
    enable = lib.mkEnableOption "gnome desktop";
  };

@ -39,7 +39,9 @@ in {
      };
    };

-    environment.systemPackages = [pkgs.gnomeExtensions.gsconnect];
+    environment.systemPackages = with pkgs; [
+      gnomeExtensions.gsconnect
+    ];

    # remove some gnome default apps
    environment.gnome.excludePackages = with pkgs.gnome; [
@ -56,8 +58,8 @@ in {
    ];

    home-manager.users = {
-  #    vinzenz = lib.mkIf config.my.home.vinzenz.enable applyGnomeUserSettings;
-  #    ronja = lib.mkIf config.my.home.ronja.enable applyGnomeUserSettings;
+      vinzenz = lib.mkIf desktopCfg.vinzenz.enable applyGnomeUserSettings;
+      ronja = lib.mkIf desktopCfg.ronja.enable applyGnomeUserSettings;
    };
  };
 }
--- a/modules/desktop/kde.nix
+++ b/modules/desktop/kde.nix
@ -4,21 +4,21 @@
  lib,
  ...
 }: let
-  cfg = config.my.kde;
+  desktopCfg = config.my.desktop;
+  cfg = desktopCfg.kde;

-  # applyKdeUserSettings = {
-  #   #home = {
-  #   #  packages = with pkgs; [
-  #   #  ];
-  #   #};
-
-  #   services.kdeconnect = {
-  #     enable = true;
-  #     indicator = true;
-  #   };
-  # };
+  applyKdeUserSettings = {
+    home = {
+      packages = with pkgs; [
+      ];
+    };
+    services.kdeconnect = {
+      enable = true;
+      indicator = true;
+    };
+  };
 in {
-  options.my.kde = {
+  options.my.desktop.kde = {
    enable = lib.mkEnableOption "KDE desktop";
  };

@ -37,17 +37,19 @@ in {
      };
    };

-    environment.systemPackages = with pkgs; [
+    environment = {
+      systemPackages = with pkgs; [
        libsForQt5.kate
        libsForQt5.kalk
      ];

-    environment.plasma5.excludePackages = with pkgs.libsForQt5; [
+      plasma5.excludePackages = with pkgs.libsForQt5; [
        elisa
        gwenview
        okular
        khelpcenter
      ];
+    };

    programs = {
      dconf.enable = true;
@ -55,8 +57,8 @@ in {
    };

    home-manager.users = {
-      #vinzenz = lib.mkIf config.my.home.vinzenz.enable applyKdeUserSettings;
-      #ronja = lib.mkIf config.my.home.ronja.enable applyKdeUserSettings;
+      vinzenz = lib.mkIf desktopCfg.vinzenz.enable applyKdeUserSettings;
+      ronja = lib.mkIf desktopCfg.ronja.enable applyKdeUserSettings;
    };
  };
 }
--- a/modules/desktop/ronja.nix
+++ b/modules/desktop/ronja.nix
@ -5,9 +5,9 @@
  ...
 }:
 with lib; let
-  cfg = config.my.home.ronja;
+  cfg = config.my.desktop.ronja;
 in {
-  options.my.home.ronja = {
+  options.my.desktop.ronja = {
    enable = lib.mkEnableOption "user ronja";
  };

@ -21,7 +21,6 @@ in {
    };

    # home manager
-    my.home.enable = true;
    home-manager.users.ronja = {
      config,
      pkgs,
--- a/modules/desktop/vinzenz.nix
+++ b/modules/desktop/vinzenz.nix
@ -4,9 +4,9 @@
  lib,
  ...
 }: let
-  cfg = config.my.home.vinzenz;
+  cfg = config.my.desktop.vinzenz;
 in {
-  options.my.home.vinzenz = {
+  options.my.desktop.vinzenz = {
    enable = lib.mkEnableOption "user vinzenz";
  };

@ -20,7 +20,6 @@ in {
    };

    # home manager
-    my.home.enable = true;
    home-manager.users.vinzenz = {
      config,
      pkgs,
@ -80,13 +79,6 @@ in {
        '';
      };

-      services = {
-        kdeconnect = {
-          enable = true;
-          indicator = true;
-        };
-      };
-
      programs = {
        home-manager.enable = true;

--- a/modules/hardware/common-desktop.nix
+++ b/modules/hardware/common-desktop.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  isEnabled = config.my.hardware.common-desktop.enable;
+in {
+  imports = [
+  ];
+
+  options.my.hardware.common-desktop = {
+    enable = lib.mkEnableOption "common desktop hardware settings";
+  };
+
+  config = lib.mkIf isEnabled {
+    boot.loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+    hardware.enableRedistributableFirmware = true;
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  };
+}
--- a/modules/hardware/default.nix
+++ b/modules/hardware/default.nix
@ -6,6 +6,7 @@ hostName: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (builtins.toString ./. + "/${hostName}.nix")
+    ./common-desktop.nix
  ];

  config = {
--- a/modules/hardware/hetzner-vpn1.nix
+++ b/modules/hardware/hetzner-vpn1.nix
@ -0,0 +1,97 @@
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  config = {
+    boot = {
+      tmp.cleanOnBoot = true;
+      loader = {
+        systemd-boot.enable = lib.mkForce false;
+        efi.canTouchEfiVariables = lib.mkForce false;
+        grub = {
+          enable = true;
+          efiSupport = true;
+          efiInstallAsRemovable = true;
+          device = "nodev";
+        };
+      };
+      initrd = {
+        availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
+        kernelModules = ["nvme"];
+      };
+    };
+
+    zramSwap.enable = true;
+    networking.domain = "";
+
+    fileSystems = {
+      "/boot" = {
+        device = "/dev/disk/by-uuid/77CF-345D";
+        fsType = "vfat";
+      };
+      "/" = {
+        device = "/dev/sda1";
+        fsType = "ext4";
+      };
+    };
+
+    # This file was populated at runtime with the networking
+    # details gathered from the active system.
+    networking = {
+      nameservers = ["8.8.8.8"];
+      defaultGateway = "172.31.1.1";
+      defaultGateway6 = {
+        address = "fe80::1";
+        interface = "eth0";
+      };
+      dhcpcd.enable = false;
+      usePredictableInterfaceNames = lib.mkForce false;
+      interfaces = {
+        eth0 = {
+          ipv4 = {
+            addresses = [
+              {
+                address = "157.90.146.125";
+                prefixLength = 32;
+              }
+            ];
+            routes = [
+              {
+                address = "172.31.1.1";
+                prefixLength = 32;
+              }
+            ];
+          };
+          ipv6 = {
+            addresses = [
+              {
+                address = "2a01:4f8:c012:7137::1";
+                prefixLength = 64;
+              }
+              {
+                address = "fe80::9400:2ff:fe87:7fc9";
+                prefixLength = 64;
+              }
+            ];
+            routes = [
+              {
+                address = "fe80::1";
+                prefixLength = 128;
+              }
+            ];
+          };
+        };
+      };
+    };
+
+    services.udev.extraRules = ''
+      ATTR{address}=="96:00:02:87:7f:c9", NAME="eth0"
+
+    '';
+  };
+}
--- a/modules/hardware/vinzenz-lpt.nix
+++ b/modules/hardware/vinzenz-lpt.nix
@ -1,5 +1,7 @@
 {...}: {
  config = {
+    my.hardware.common-desktop.enable = true;
+
    boot = {
      initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
      initrd.kernelModules = [];
--- a/modules/hardware/vinzenz-pc2.nix
+++ b/modules/hardware/vinzenz-pc2.nix
@ -1,5 +1,7 @@
 {...}: {
  config = {
+    my.hardware.common-desktop.enable = true;
+
    boot = {
      initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"]; # "usb_storage"
      initrd.kernelModules = [];
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -1,24 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: let
-  cfg = config.my.home;
-in {
-  imports = [
-    ./vinzenz.nix
-    ./ronja.nix
-    # enable home manager
-    <home-manager/nixos>
-  ];
-
-  options.my.home = {
-    enable = lib.mkEnableOption "my home management";
-  };
-
-  config = lib.mkIf cfg.enable {
-    home-manager.useUserPackages = true;
-    home-manager.useGlobalPkgs = true;
-  };
-}
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@ -0,0 +1,52 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  cfg = config.my.server;
+in {
+  imports = [
+    ../_common
+  ];
+
+  options.my.server = {
+    enable = lib.mkEnableOption "server role";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      # Enable the OpenSSH daemon.
+      openssh = {
+        enable = true;
+        settings = {
+          # PermitRootLogin = "no"; # this is managed through authorized keys
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
+      };
+    };
+
+    programs = {
+      git.enable = true;
+      zsh.enable = true;
+    };
+
+    networking.firewall = {
+      enable = true;
+      allowedTCPPortRanges = [
+        {
+          # ssh
+          from = 22;
+          to = 22;
+        }
+      ];
+    };
+
+    environment = {
+      systemPackages = with pkgs; [
+        ncdu
+      ];
+    };
+  };
+}
--- a/vinzenz-lpt.nix
+++ b/vinzenz-lpt.nix
@ -1,12 +1,17 @@
 {...}: {
  imports = [
-    ./modules
-    (import ./hardware "vinzenz-lpt")
+    ./modules/desktop
+    (import ./modules/hardware "vinzenz-lpt")
  ];

  config = {
-    my.gnome.enable = true;
-    my.home.vinzenz.enable = true;
+    my = {
+      desktop = {
+        enable = true;
+        gnome.enable = true;
+        vinzenz.enable = true;
+      };
+    };

    services.flatpak.enable = true;
  };
--- a/vinzenz-pc2.nix
+++ b/vinzenz-pc2.nix
@ -1,15 +1,18 @@
 {...}: {
  imports = [
    ./modules
-    (import ./hardware "vinzenz-pc2")
+    (import ./modules/hardware "vinzenz-pc2")
  ];

  config = {
-    my.kde.enable = true;
-    my.home = {
+    my = {
+      desktop = {
+        enable = true;
+        kde.enable = true;
        vinzenz.enable = true;
        ronja.enable = true;
      };
+    };

    users.groups."games" = {
      members = ["vinzenz" "ronja"];