Compare commits
7 commits
6ee82131cd
...
a2494f5213
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a2494f5213 | ||
|
|
d75e91b7bc | ||
|
|
63ce7eac05 | ||
|
|
d2acd47e71 | ||
|
|
7de5751743 | ||
|
|
9bff3f718f | ||
|
|
c8cfa37bb9 |
22 changed files with 211 additions and 98 deletions
|
|
@ -26,6 +26,7 @@ in
|
|||
};
|
||||
forgejo-runner-1 = {
|
||||
system = "aarch64-linux";
|
||||
publicFqdn = "forgejo-runner-1.dev.zerforschen.plus";
|
||||
distributedBuilds = {
|
||||
isBuilder = true;
|
||||
speedFactor = 1;
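Review bot: Giving forgejo-runner-1 a public FQDN while it stays `isBuilder = true` puts a host whose name suggests it executes CI jobs on the fleet's trust path: elsewhere in this series every builder's `storeSigningPublicKey` is added to `nix.settings.trusted-public-keys` on all devices, so anything that gains code execution on the runner (a malicious CI job, if jobs and the Nix daemon share the host) could sign and serve store paths every machine accepts. If the runner really runs untrusted jobs, either drop `isBuilder` for it or isolate the daemon and signing key from the job sandbox, and record the decision next to this entry, e.g. `# builder signing key is fleet-trusted: CI jobs must never reach it`. The `hostPublicKey`/`storeSigningPublicKey` fields this entry needs lie outside the hunk; the assertion added later in the series fails evaluation if they are missing.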
|
||||
|
|
|
|||
|
|
@ -23,6 +23,15 @@
|
|||
];
|
||||
|
||||
config = {
|
||||
my = {
|
||||
# keep-sorted start
|
||||
gnome-extensions.enable = true;
|
||||
nano.enable = true;
|
||||
templates.enable = true;
|
||||
zsh.enable = true;
|
||||
# keep-sorted end
|
||||
};
|
||||
|
||||
programs = {
|
||||
home-manager.enable = true;
|
||||
fzf.enable = true;
|
||||
|
|
|
|||
|
|
@ -2,6 +2,14 @@
|
|||
{
|
||||
imports = [ ./vscode.nix ];
|
||||
config = {
|
||||
my = {
|
||||
# keep-sorted start
|
||||
nano.enable = true;
|
||||
templates.enable = true;
|
||||
zsh.enable = true;
|
||||
# keep-sorted end
|
||||
};
|
||||
|
||||
home.packages = with pkgs; [
|
||||
## Apps
|
||||
telegram-desktop
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
};
|
||||
in
|
||||
{
|
||||
enable = mkDefaultEnabledOption "gnome extended options";
|
||||
enable = lib.mkEnableOption "gnome extended options";
|
||||
appindicator.enable = mkDefaultEnabledOption "appindicator";
|
||||
caffeine.enable = mkDefaultEnabledOption "caffeine";
|
||||
tailscale-qs.enable = lib.mkOption {
|
||||
|
|
|
|||
|
|
@ -1,4 +1,8 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
options.my.nano.enable = lib.mkEnableOption "nano editor config";
|
||||
|
||||
config = lib.mkIf config.my.nano.enable {
|
||||
home = {
|
||||
sessionVariables.EDITOR = "nano";
|
||||
file.".nanorc".text = ''
|
||||
|
|
@ -6,4 +10,5 @@
|
|||
set mouse
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,18 @@
|
|||
{ osConfig, thisDevice, ... }:
|
||||
{
|
||||
services.tailscale-systray.enable = (thisDevice.isDesktop or false) && osConfig.my.tailscale.enable;
|
||||
lib,
|
||||
config,
|
||||
osConfig,
|
||||
thisDevice,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options.my.tailscale.enable = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = (thisDevice.isDesktop or false) && osConfig.my.tailscale.enable;
|
||||
description = "Whether to enable the Tailscale system tray applet. Defaults to true on desktops with Tailscale enabled.";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.my.tailscale.enable {
|
||||
services.tailscale-systray.enable = true;
|
||||
};
|
||||
}
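Review bot: The new home-manager option is called `my.tailscale.enable` but only controls the systray applet, and the identical attribute path already exists as a NixOS option (`osConfig.my.tailscale.enable` in the default expression), so `my.tailscale.enable = false` means something different depending on which module system a reader is in. A name such as `my.tailscale.systray.enable` would match the description text, which already says "system tray applet". The default also dereferences `osConfig`, so this module now hard-requires being loaded through the NixOS home-manager module; if standalone home-manager use is ever intended, declare the argument as `osConfig ? null` and use `(if osConfig != null then osConfig.my.tailscale.enable else false)`, otherwise state the requirement in the option description.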
|
||||
|
|
|
|||
|
|
@ -1,4 +1,8 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
options.my.templates.enable = lib.mkEnableOption "file templates";
|
||||
|
||||
config = lib.mkIf config.my.templates.enable {
|
||||
home.file = {
|
||||
"Templates/Empty file".text = "";
|
||||
"Templates/Empty bash script".text = ''
|
||||
|
|
@ -9,4 +13,5 @@
|
|||
set -x
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,8 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
options.my.zsh.enable = lib.mkEnableOption "zsh with basic settings";
|
||||
|
||||
config = lib.mkIf config.my.zsh.enable {
|
||||
programs = {
|
||||
command-not-found.enable = true;
|
||||
dircolors.enable = true;
|
||||
|
|
@ -10,4 +14,5 @@
|
|||
enableVteIntegration = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -45,10 +45,6 @@ forDevice (
|
|||
# keep-sorted start
|
||||
home-manager.nixosModules.home-manager
|
||||
lanzaboote.nixosModules.lanzaboote
|
||||
nova-shell.nixosModules.default
|
||||
servicepoint-cli.nixosModules.default
|
||||
servicepoint-simulator.nixosModules.default
|
||||
servicepoint-tanks.nixosModules.default
|
||||
stylix.nixosModules.stylix
|
||||
zerforschen-plus.nixosModules.default
|
||||
# keep-sorted end
|
||||
|
|
@ -80,15 +76,32 @@ forDevice (
|
|||
lixIsNix.enable = true;
|
||||
openssh.enable = true;
|
||||
overlays.unstable.enable = true;
|
||||
overlays.vscodeExtensions.enable = true;
|
||||
# prometheusNode.enable = true;
|
||||
systemdBoot.enable = true;
|
||||
tailscale.enable = true;
|
||||
# keep-sorted end
|
||||
|
||||
# keep-sorted start
|
||||
enDe.enable = isDesktop;
|
||||
firmwareUpdates.enable = isDesktop;
|
||||
gnome.enable = isDesktop;
|
||||
kdeconnect.enable = isDesktop;
|
||||
modernDesktop.enable = isDesktop;
|
||||
nixLd.enable = isDesktop;
|
||||
overlays.vscodeExtensions.enable = isDesktop;
|
||||
quietBoot.enable = isDesktop;
|
||||
stylix.enable = isDesktop;
|
||||
# keep-sorted end
|
||||
};
|
||||
}
|
||||
]
|
||||
++ lib.optionals isDesktop [
|
||||
inputs.niri.nixosModules.niri
|
||||
nova-shell.nixosModules.default
|
||||
servicepoint-cli.nixosModules.default
|
||||
servicepoint-simulator.nixosModules.default
|
||||
servicepoint-tanks.nixosModules.default
|
||||
|
||||
# Desktop config
|
||||
{
|
||||
home-manager = {
|
||||
|
|
@ -96,16 +109,7 @@ forDevice (
|
|||
useGlobalPkgs = true;
|
||||
useUserPackages = true;
|
||||
users = home-manager-users;
|
||||
sharedModules = [
|
||||
{ home.stateVersion = "22.11"; }
|
||||
# keep-sorted start
|
||||
self.homeModules.gnome-extensions
|
||||
self.homeModules.nano
|
||||
self.homeModules.tailscale
|
||||
self.homeModules.templates
|
||||
self.homeModules.zsh-basics
|
||||
# keep-sorted end
|
||||
];
|
||||
sharedModules = [ { home.stateVersion = "22.11"; } ] ++ builtins.attrValues self.homeModules;
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Berlin";
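Review bot: `sharedModules = [ { home.stateVersion = "22.11"; } ] ++ builtins.attrValues self.homeModules;` imports every home module the flake exports into every desktop user's configuration, so the per-module `my.*.enable` gates introduced in this series are now the only thing deciding what takes effect — and the tailscale home module defaults its gate to true on desktops, so it is active with no opt-in at all. Any module later added to `homeModules` without an enable option, or with a true default, silently lands in all users' homes. Record that contract where the next maintainer will see it, e.g. `# every module in self.homeModules is imported for every user; each must gate on my.<name>.enable (default off)`, or keep the explicit list so new modules are opted in deliberately. The enclosing `forDevice` expression starts and ends outside the hunk.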
|
||||
|
|
@ -115,19 +119,6 @@ forDevice (
|
|||
daemonCPUSchedPolicy = "idle";
|
||||
daemonIOSchedClass = "idle";
|
||||
};
|
||||
|
||||
my = {
|
||||
# keep-sorted start
|
||||
enDe.enable = true;
|
||||
firmwareUpdates.enable = true;
|
||||
gnome.enable = true;
|
||||
kdeconnect.enable = true;
|
||||
modernDesktop.enable = true;
|
||||
nixLd.enable = true;
|
||||
quietBoot.enable = true;
|
||||
stylix.enable = true;
|
||||
# keep-sorted end
|
||||
};
|
||||
}
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ in
|
|||
{
|
||||
nixpkgs.config.android_sdk.accept_license = true;
|
||||
|
||||
allowedUnfreePackages = [
|
||||
my.allowedUnfreePackages = [
|
||||
"android-sdk-cmdline-tools"
|
||||
"android-sdk-platform-tools"
|
||||
"android-sdk-tools"
|
||||
|
|
|
|||
|
|
@ -5,8 +5,10 @@
|
|||
}:
|
||||
{
|
||||
|
||||
my.overlays.unstable.enable = true;
|
||||
my = {
|
||||
allowedUnfreePackages = [ "claude-code" ];
|
||||
overlays.unstable.enable = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
unstable.claude-code
|
||||
|
|
|
|||
|
|
@ -5,13 +5,17 @@
|
|||
];
|
||||
|
||||
config = {
|
||||
my.users.muede.enable = true;
|
||||
my.wineGaming.enable = true;
|
||||
my.steam.enable = true;
|
||||
my.podman.enable = true;
|
||||
my.muedeDesktopSettings.enable = true;
|
||||
my.intelGraphics.enable = true;
|
||||
my.secureBoot.enable = true;
|
||||
my = {
|
||||
# keep-sorted start
|
||||
intelGraphics.enable = true;
|
||||
muedeDesktopSettings.enable = true;
|
||||
podman.enable = true;
|
||||
secureBoot.enable = true;
|
||||
steam.enable = true;
|
||||
users.muede.enable = true;
|
||||
wineGaming.enable = true;
|
||||
# keep-sorted end
|
||||
};
|
||||
|
||||
nix.settings.extra-platforms = [
|
||||
"aarch64-linux"
|
||||
|
|
|
|||
|
|
@ -7,13 +7,17 @@
|
|||
];
|
||||
|
||||
config = {
|
||||
my.users.muede.enable = true;
|
||||
my.wineGaming.enable = true;
|
||||
my.steam.enable = true;
|
||||
my.podman.enable = true;
|
||||
my.muedeDesktopSettings.enable = true;
|
||||
my.amdGraphics.enable = true;
|
||||
my.secureBoot.enable = true;
|
||||
my = {
|
||||
# keep-sorted start
|
||||
amdGraphics.enable = true;
|
||||
muedeDesktopSettings.enable = true;
|
||||
podman.enable = true;
|
||||
secureBoot.enable = true;
|
||||
steam.enable = true;
|
||||
users.muede.enable = true;
|
||||
wineGaming.enable = true;
|
||||
# keep-sorted end
|
||||
};
|
||||
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
nix.settings.extra-platforms = [
|
||||
|
|
|
|||
|
|
@ -5,10 +5,14 @@
|
|||
];
|
||||
|
||||
config = {
|
||||
my.users.ronja.enable = true;
|
||||
my.steam.enable = true;
|
||||
my.wineGaming.enable = true;
|
||||
my.muedeDesktopSettings.enable = true;
|
||||
my = {
|
||||
# keep-sorted start
|
||||
muedeDesktopSettings.enable = true;
|
||||
steam.enable = true;
|
||||
users.ronja.enable = true;
|
||||
wineGaming.enable = true;
|
||||
# keep-sorted end
|
||||
};
|
||||
|
||||
# Configure keymap in X11
|
||||
services.xserver.xkb = {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
options.allowedUnfreePackages = lib.mkOption {
|
||||
options.my.allowedUnfreePackages = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
example = [ "steam" ];
|
||||
|
|
@ -10,7 +10,7 @@
|
|||
nixpkgs.config = {
|
||||
# https://github.com/NixOS/nixpkgs/issues/197325#issuecomment-1579420085
|
||||
allowUnfreePredicate = lib.mkDefault (
|
||||
pkg: builtins.elem (lib.getName pkg) config.allowedUnfreePackages
|
||||
pkg: builtins.elem (lib.getName pkg) config.my.allowedUnfreePackages
|
||||
);
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -21,23 +21,26 @@ let
|
|||
_: v: (v.distributedBuilds or { }).isBuilder or false
|
||||
) allDevices;
|
||||
|
||||
sshHostname = m: m.publicFqdn or m.hostName;
|
||||
|
||||
buildServerKnownHosts = lib.pipe buildServerDevices [
|
||||
(lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey))
|
||||
(lib.mapAttrs (
|
||||
_: v: {
|
||||
name: v: {
|
||||
publicKey = v.distributedBuilds.hostPublicKey;
|
||||
hostNames = [ (v.publicFqdn or name) ];
|
||||
}
|
||||
))
|
||||
];
|
||||
|
||||
remoteBuildServerDevices = builtins.filter (
|
||||
m: m.hostName != config.networking.hostName
|
||||
) (lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices);
|
||||
remoteBuildServerDevices = builtins.filter (m: m.hostName != config.networking.hostName) (
|
||||
lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices
|
||||
);
|
||||
|
||||
buildMachines = map (
|
||||
m:
|
||||
{
|
||||
hostName = m.hostName;
|
||||
hostName = sshHostname m;
|
||||
systems = [ m.system ];
|
||||
sshUser = buildUser;
|
||||
sshKey = clientSshKeyPath;
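Review bot: `hostNames = [ (v.publicFqdn or name) ]` pins the builder's host key only under the FQDN once one is set, whereas the `Match originalhost` block added further down in this file matches both the short device name and the FQDN; an ssh to the short name (a manual `ssh <buildUser>@forgejo-runner-1`, or any tool still using `m.hostName`) then has no pinned key and gets ssh's default unknown-host handling. Pin both names: `hostNames = lib.unique [ name (v.publicFqdn or name) ];`. Since `buildMachines` and the substituter URLs now go through `sshHostname`, DNS for the FQDN is on the remote-build trust path; the pinned key covers that only as long as `StrictHostKeyChecking` is not relaxed for this user elsewhere, which is not visible here.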
|
||||
|
|
@ -64,7 +67,23 @@ in
|
|||
|
||||
# All machines
|
||||
{
|
||||
assertions =
|
||||
lib.mapAttrsToList (name: v: {
|
||||
assertion = v.distributedBuilds ? hostPublicKey && v.distributedBuilds ? storeSigningPublicKey;
|
||||
message = "devices.${name}: isBuilder = true requires distributedBuilds.hostPublicKey and distributedBuilds.storeSigningPublicKey";
|
||||
}) buildServerDevices
|
||||
++ lib.mapAttrsToList (name: v: {
|
||||
assertion = lib.hasPrefix "ssh-" v.distributedBuilds.clientPublicKey;
|
||||
message = "devices.${name}: distributedBuilds.clientPublicKey must start with 'ssh-'";
|
||||
}) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey) allDevices)
|
||||
++ lib.mapAttrsToList (name: v: {
|
||||
assertion = builtins.match ".+:.+" v.distributedBuilds.storeSigningPublicKey != null;
|
||||
message = "devices.${name}: distributedBuilds.storeSigningPublicKey must be in '<name>:<base64>' format";
|
||||
}) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? storeSigningPublicKey) allDevices);
|
||||
|
||||
nix.settings = {
|
||||
#fallback = true;
|
||||
connect-timeout = 5;
|
||||
trusted-public-keys = lib.pipe buildServerDevices [
|
||||
(lib.mapAttrsToList (_: v: v.distributedBuilds.storeSigningPublicKey or null))
|
||||
(builtins.filter (k: k != null))
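Review bot: The `lib.hasPrefix "ssh-"` check on `distributedBuilds.clientPublicKey` rejects valid OpenSSH key types — ECDSA keys start with `ecdsa-sha2-` and FIDO keys with `sk-ssh-ed25519@openssh.com` / `sk-ecdsa-…` — so either say in the message that only ssh-ed25519/ssh-rsa are accepted, or match the real line format: `assertion = builtins.match "(ssh|ecdsa|sk)-[^ ]+ [A-Za-z0-9+/=]+( .*)?" v.distributedBuilds.clientPublicKey != null;`. `hostPublicKey` gets no format check at all even though it is written into `knownHosts`, and `storeSigningPublicKey` only has to contain a colon, which also accepts a pasted secret-key line (same `name:base64` shape, twice the length) before it is added to `trusted-public-keys` on every machine; `builtins.match "[^:]+:[A-Za-z0-9+/]{43}="` pins the 32-byte ed25519 public key Nix produces. With the first assertion in place the `? hostPublicKey` / `or null` filters above and below become redundant, which is fine but worth a one-line comment so nobody "fixes" the assertion by loosening the filters.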
|
||||
|
|
@ -103,11 +122,20 @@ in
|
|||
programs.ssh = {
|
||||
knownHosts = buildServerKnownHosts;
|
||||
extraConfig = lib.concatStringsSep "\n" (
|
||||
lib.mapAttrsToList (name: _: ''
|
||||
Match originalhost ${name} user ${buildUser}
|
||||
lib.mapAttrsToList (
|
||||
name: v:
|
||||
let
|
||||
names = lib.unique [
|
||||
name
|
||||
(v.publicFqdn or name)
|
||||
];
|
||||
in
|
||||
''
|
||||
Match originalhost ${lib.concatStringsSep "," names} user ${buildUser}
|
||||
IdentityFile ${clientSshKeyPath}
|
||||
IdentitiesOnly yes
|
||||
'') buildServerDevices
|
||||
''
|
||||
) buildServerDevices
|
||||
);
|
||||
};
|
||||
nix = {
|
||||
|
|
@ -115,7 +143,7 @@ in
|
|||
buildMachines = buildMachines;
|
||||
settings = {
|
||||
builders-use-substitutes = true;
|
||||
substituters = map (m: "ssh-ng://${buildUser}@${m.hostName}") (
|
||||
substituters = map (m: "ssh-ng://${buildUser}@${sshHostname m}") (
|
||||
builtins.filter (m: m.distributedBuilds ? storeSigningPublicKey) remoteBuildServerDevices
|
||||
);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,9 +5,9 @@
|
|||
...
|
||||
}:
|
||||
{
|
||||
options = {
|
||||
my.gnome.enable = lib.mkEnableOption "GNOME desktop environment";
|
||||
my.gnome.keep-default-apps = lib.mkEnableOption "keep gnome default apps";
|
||||
options.my.gnome = {
|
||||
enable = lib.mkEnableOption "GNOME desktop environment";
|
||||
keep-default-apps = lib.mkEnableOption "keep gnome default apps";
|
||||
};
|
||||
|
||||
config = lib.mkIf config.my.gnome.enable (
|
||||
|
|
|
|||
|
|
@ -22,6 +22,6 @@
|
|||
];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [ nvtopPackages.intel ];
|
||||
allowedUnfreePackages = [ "intel-ocl" ];
|
||||
my.allowedUnfreePackages = [ "intel-ocl" ];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,12 +2,9 @@
|
|||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
niri,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [ niri.nixosModules.niri ];
|
||||
|
||||
options.my.muedeDesktopSettings.enable = lib.mkEnableOption "muede desktop settings (Firefox, Logitech, RDP)";
|
||||
|
||||
config = lib.mkIf config.my.muedeDesktopSettings.enable {
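Review bot: Dropping `imports = [ niri.nixosModules.niri ]` means this module no longer guarantees that the `programs.niri` options it presumably configures (the body continues outside the hunk) are declared; it now depends on the flake importing `inputs.niri.nixosModules.niri`, which this series does only under `lib.optionals isDesktop`. A device that sets `my.muedeDesktopSettings.enable = true` without `isDesktop` would fail evaluation with an "option does not exist" error instead of a clear message, and an assertion cannot catch that because option definitions are resolved before assertions run. Name the dependency on the option line, e.g. `# requires niri.nixosModules.niri to be imported by the flake (desktops only)`, or wrap the niri settings in `lib.optionalAttrs (options.programs ? niri)` (taking `options` as a module argument) if the module is meant to degrade gracefully.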
|
||||
|
|
|
|||
|
|
@ -1,4 +1,10 @@
|
|||
{ lib, config, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
thisDevice,
|
||||
...
|
||||
}:
|
||||
{
|
||||
options.my.openssh.enable = lib.mkEnableOption "OpenSSH server";
|
||||
|
||||
|
|
@ -12,5 +18,35 @@
|
|||
KbdInteractiveAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
# On desktops, hold a systemd sleep inhibitor while SSH connections are active
|
||||
security.pam.services.sshd.rules.session.ssh-inhibit = lib.mkIf (thisDevice.isDesktop or false) {
|
||||
order = 10000;
|
||||
control = "optional";
|
||||
modulePath = "${pkgs.pam}/lib/security/pam_exec.so";
|
||||
args = [
|
||||
"quiet"
|
||||
"${pkgs.writeShellScript "ssh-inhibit-pam" ''
|
||||
PIDFILE="/run/ssh-inhibitor-''${PPID}.pid"
|
||||
case "''${PAM_TYPE:-}" in
|
||||
open)
|
||||
${pkgs.systemd}/bin/systemd-inhibit \
|
||||
--what=sleep \
|
||||
--who=sshd \
|
||||
--why="SSH session active" \
|
||||
--mode=block \
|
||||
sleep infinity &
|
||||
echo $! > "$PIDFILE"
|
||||
;;
|
||||
close)
|
||||
if [ -f "$PIDFILE" ]; then
|
||||
kill "$(cat "$PIDFILE")" 2>/dev/null || true
|
||||
rm -f "$PIDFILE"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
''}"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
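Review bot: The pam_exec script calls `sleep`, `cat` and `rm` by bare name, but pam_exec hands the child only the PAM environment plus the `PAM_*` variables, not sshd's PATH, so on NixOS there is no coreutils on bash's fallback path and `systemd-inhibit … sleep infinity` fails — with `control = "optional"` and `quiet` that failure is invisible and no inhibitor is ever taken. The `close` branch also never runs when sshd dies uncleanly (crash, `kill -9`), leaving a root-owned `--mode=block` inhibitor that keeps the desktop from ever sleeping until someone finds the orphaned `sleep`. Qualify the coreutils paths and tie the inhibitor's lifetime to the sshd session process instead of `sleep infinity`; keying the PID file on `$PPID` assumes session open and close are invoked from the same sshd process, which holds when both run in the privileged monitor but is worth confirming with a comment.

```nix
"${pkgs.writeShellScript "ssh-inhibit-pam" ''
  PIDFILE="/run/ssh-inhibitor-''${PPID}.pid"
  case "''${PAM_TYPE:-}" in
    open)
      # tail --pid exits as soon as the sshd session process is gone, so a
      # crashed or killed sshd cannot leave a block inhibitor behind.
      ${pkgs.systemd}/bin/systemd-inhibit \
        --what=sleep --who=sshd --why="SSH session active" --mode=block \
        ${pkgs.coreutils}/bin/tail --pid="$PPID" -f /dev/null &
      echo $! > "$PIDFILE"
      ;;
    close)
      if [ -f "$PIDFILE" ]; then
        kill "$(${pkgs.coreutils}/bin/cat "$PIDFILE")" 2>/dev/null || true
        ${pkgs.coreutils}/bin/rm -f "$PIDFILE"
      fi
      ;;
  esac
''}"
```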
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@
|
|||
];
|
||||
};
|
||||
|
||||
allowedUnfreePackages = [
|
||||
my.allowedUnfreePackages = [
|
||||
"steam"
|
||||
"steam-original"
|
||||
"steam-run"
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@
|
|||
|
||||
nix.settings.trusted-users = [ "muede" ];
|
||||
|
||||
allowedUnfreePackages = [
|
||||
my.allowedUnfreePackages = [
|
||||
"rider"
|
||||
"pycharm-professional"
|
||||
"jetbrains-toolbox"
|
||||
|
|
|
|||