vinzenz/nixos-configuration
0
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: vinzenz:a2494f52134980e9b0ae7a87df494afb45fca4ae
Branches Tags
vinzenz:main
vinzenz:qs
vinzenz:headscale
vinzenz:vpn1-wg
..
compare: vinzenz:6ee82131cd2db664c9e24dacca753c3e8d9de0a8
Branches Tags
vinzenz:main
vinzenz:qs
vinzenz:headscale
vinzenz:vpn1-wg

No commits in common. "a2494f52134980e9b0ae7a87df494afb45fca4ae" and "6ee82131cd2db664c9e24dacca753c3e8d9de0a8" have entirely different histories.
a2494f5213 ... 6ee82131cd

22 changed files with 98 additions and 211 deletions
Download patch file Download diff file Expand all files Collapse all files

1
devices.nix
View file

@ -26,7 +26,6 @@ in
}; };
forgejo-runner-1 = { forgejo-runner-1 = {
system = "aarch64-linux"; system = "aarch64-linux";
publicFqdn = "forgejo-runner-1.dev.zerforschen.plus";
distributedBuilds = { distributedBuilds = {
isBuilder = true; isBuilder = true;
speedFactor = 1; speedFactor = 1;

9
homeConfigurations/muede/default.nix
View file

@ -23,15 +23,6 @@
]; ];
config = { config = {
my = {
# keep-sorted start
gnome-extensions.enable = true;
nano.enable = true;
templates.enable = true;
zsh.enable = true;
# keep-sorted end
};
programs = { programs = {
home-manager.enable = true; home-manager.enable = true;
fzf.enable = true; fzf.enable = true;

8
homeConfigurations/ronja/default.nix
View file

@ -2,14 +2,6 @@
{ {
imports = [ ./vscode.nix ]; imports = [ ./vscode.nix ];
config = { config = {
my = {
# keep-sorted start
nano.enable = true;
templates.enable = true;
zsh.enable = true;
# keep-sorted end
};
home.packages = with pkgs; [ home.packages = with pkgs; [
## Apps ## Apps
telegram-desktop telegram-desktop

2
homeModules/gnome-extensions.nix
View file

@ -18,7 +18,7 @@
}; };
in in
{ {
enable = lib.mkEnableOption "gnome extended options"; enable = mkDefaultEnabledOption "gnome extended options";
appindicator.enable = mkDefaultEnabledOption "appindicator"; appindicator.enable = mkDefaultEnabledOption "appindicator";
caffeine.enable = mkDefaultEnabledOption "caffeine"; caffeine.enable = mkDefaultEnabledOption "caffeine";
tailscale-qs.enable = lib.mkOption { tailscale-qs.enable = lib.mkOption {

5
homeModules/nano.nix
View file

@ -1,8 +1,4 @@
{ lib, config, ... }:
{ {
options.my.nano.enable = lib.mkEnableOption "nano editor config";
config = lib.mkIf config.my.nano.enable {
home = { home = {
sessionVariables.EDITOR = "nano"; sessionVariables.EDITOR = "nano";
file.".nanorc".text = '' file.".nanorc".text = ''
@ -10,5 +6,4 @@
set mouse set mouse
''; '';
}; };
};
} }

18
homeModules/tailscale.nix
View file

@ -1,18 +1,4 @@
{ osConfig, thisDevice, ... }:
{ {
lib, services.tailscale-systray.enable = (thisDevice.isDesktop or false) && osConfig.my.tailscale.enable;
config,
osConfig,
thisDevice,
...
}:
{
options.my.tailscale.enable = lib.mkOption {
type = lib.types.bool;
default = (thisDevice.isDesktop or false) && osConfig.my.tailscale.enable;
description = "Whether to enable the Tailscale system tray applet. Defaults to true on desktops with Tailscale enabled.";
};
config = lib.mkIf config.my.tailscale.enable {
services.tailscale-systray.enable = true;
};
} }

5
homeModules/templates.nix
View file

@ -1,8 +1,4 @@
{ lib, config, ... }:
{ {
options.my.templates.enable = lib.mkEnableOption "file templates";
config = lib.mkIf config.my.templates.enable {
home.file = { home.file = {
"Templates/Empty file".text = ""; "Templates/Empty file".text = "";
"Templates/Empty bash script".text = '' "Templates/Empty bash script".text = ''
@ -13,5 +9,4 @@
set -x set -x
''; '';
}; };
};
} }

5
homeModules/zsh-basics.nix
View file

@ -1,8 +1,4 @@
{ lib, config, ... }:
{ {
options.my.zsh.enable = lib.mkEnableOption "zsh with basic settings";
config = lib.mkIf config.my.zsh.enable {
programs = { programs = {
command-not-found.enable = true; command-not-found.enable = true;
dircolors.enable = true; dircolors.enable = true;
@ -14,5 +10,4 @@
enableVteIntegration = true; enableVteIntegration = true;
}; };
}; };
};
} }

47
nixosConfigurations.nix
View file

@ -45,6 +45,10 @@ forDevice (
# keep-sorted start # keep-sorted start
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
nova-shell.nixosModules.default
servicepoint-cli.nixosModules.default
servicepoint-simulator.nixosModules.default
servicepoint-tanks.nixosModules.default
stylix.nixosModules.stylix stylix.nixosModules.stylix
zerforschen-plus.nixosModules.default zerforschen-plus.nixosModules.default
# keep-sorted end # keep-sorted end
@ -76,32 +80,15 @@ forDevice (
lixIsNix.enable = true; lixIsNix.enable = true;
openssh.enable = true; openssh.enable = true;
overlays.unstable.enable = true; overlays.unstable.enable = true;
overlays.vscodeExtensions.enable = true;
# prometheusNode.enable = true; # prometheusNode.enable = true;
systemdBoot.enable = true; systemdBoot.enable = true;
tailscale.enable = true; tailscale.enable = true;
# keep-sorted end # keep-sorted end
# keep-sorted start
enDe.enable = isDesktop;
firmwareUpdates.enable = isDesktop;
gnome.enable = isDesktop;
kdeconnect.enable = isDesktop;
modernDesktop.enable = isDesktop;
nixLd.enable = isDesktop;
overlays.vscodeExtensions.enable = isDesktop;
quietBoot.enable = isDesktop;
stylix.enable = isDesktop;
# keep-sorted end
}; };
} }
] ]
++ lib.optionals isDesktop [ ++ lib.optionals isDesktop [
inputs.niri.nixosModules.niri
nova-shell.nixosModules.default
servicepoint-cli.nixosModules.default
servicepoint-simulator.nixosModules.default
servicepoint-tanks.nixosModules.default
# Desktop config # Desktop config
{ {
home-manager = { home-manager = {
@ -109,7 +96,16 @@ forDevice (
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
users = home-manager-users; users = home-manager-users;
sharedModules = [ { home.stateVersion = "22.11"; } ] ++ builtins.attrValues self.homeModules; sharedModules = [
{ home.stateVersion = "22.11"; }
# keep-sorted start
self.homeModules.gnome-extensions
self.homeModules.nano
self.homeModules.tailscale
self.homeModules.templates
self.homeModules.zsh-basics
# keep-sorted end
];
}; };
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -119,6 +115,19 @@ forDevice (
daemonCPUSchedPolicy = "idle"; daemonCPUSchedPolicy = "idle";
daemonIOSchedClass = "idle"; daemonIOSchedClass = "idle";
}; };
my = {
# keep-sorted start
enDe.enable = true;
firmwareUpdates.enable = true;
gnome.enable = true;
kdeconnect.enable = true;
modernDesktop.enable = true;
nixLd.enable = true;
quietBoot.enable = true;
stylix.enable = true;
# keep-sorted end
};
} }
]; ];
} }

2
nixosConfigurations/damocles/android-dev.nix
View file

@ -12,7 +12,7 @@ in
{ {
nixpkgs.config.android_sdk.accept_license = true; nixpkgs.config.android_sdk.accept_license = true;
my.allowedUnfreePackages = [ allowedUnfreePackages = [
"android-sdk-cmdline-tools" "android-sdk-cmdline-tools"
"android-sdk-platform-tools" "android-sdk-platform-tools"
"android-sdk-tools" "android-sdk-tools"

4
nixosConfigurations/damocles/claude-container.nix
View file

@ -5,10 +5,8 @@
}: }:
{ {
my = { my.overlays.unstable.enable = true;
allowedUnfreePackages = [ "claude-code" ]; allowedUnfreePackages = [ "claude-code" ];
overlays.unstable.enable = true;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
unstable.claude-code unstable.claude-code

18
nixosConfigurations/muede-lpt2/default.nix
View file

@ -5,17 +5,13 @@
]; ];
config = { config = {
my = { my.users.muede.enable = true;
# keep-sorted start my.wineGaming.enable = true;
intelGraphics.enable = true; my.steam.enable = true;
muedeDesktopSettings.enable = true; my.podman.enable = true;
podman.enable = true; my.muedeDesktopSettings.enable = true;
secureBoot.enable = true; my.intelGraphics.enable = true;
steam.enable = true; my.secureBoot.enable = true;
users.muede.enable = true;
wineGaming.enable = true;
# keep-sorted end
};
nix.settings.extra-platforms = [ nix.settings.extra-platforms = [
"aarch64-linux" "aarch64-linux"

18
nixosConfigurations/muede-pc2/default.nix
View file

@ -7,17 +7,13 @@
]; ];
config = { config = {
my = { my.users.muede.enable = true;
# keep-sorted start my.wineGaming.enable = true;
amdGraphics.enable = true; my.steam.enable = true;
muedeDesktopSettings.enable = true; my.podman.enable = true;
podman.enable = true; my.muedeDesktopSettings.enable = true;
secureBoot.enable = true; my.amdGraphics.enable = true;
steam.enable = true; my.secureBoot.enable = true;
users.muede.enable = true;
wineGaming.enable = true;
# keep-sorted end
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nix.settings.extra-platforms = [ nix.settings.extra-platforms = [

12
nixosConfigurations/ronja-pc/default.nix
View file

@ -5,14 +5,10 @@
]; ];
config = { config = {
my = { my.users.ronja.enable = true;
# keep-sorted start my.steam.enable = true;
muedeDesktopSettings.enable = true; my.wineGaming.enable = true;
steam.enable = true; my.muedeDesktopSettings.enable = true;
users.ronja.enable = true;
wineGaming.enable = true;
# keep-sorted end
};
# Configure keymap in X11 # Configure keymap in X11
services.xserver.xkb = { services.xserver.xkb = {

4
nixosModules/allowed-unfree-list.nix
View file

@ -1,6 +1,6 @@
{ lib, config, ... }: { lib, config, ... }:
{ {
options.my.allowedUnfreePackages = lib.mkOption { options.allowedUnfreePackages = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
example = [ "steam" ]; example = [ "steam" ];
@ -10,7 +10,7 @@
nixpkgs.config = { nixpkgs.config = {
# https://github.com/NixOS/nixpkgs/issues/197325#issuecomment-1579420085 # https://github.com/NixOS/nixpkgs/issues/197325#issuecomment-1579420085
allowUnfreePredicate = lib.mkDefault ( allowUnfreePredicate = lib.mkDefault (
pkg: builtins.elem (lib.getName pkg) config.my.allowedUnfreePackages pkg: builtins.elem (lib.getName pkg) config.allowedUnfreePackages
); );
}; };
}; };

46
nixosModules/distributed-builds.nix
View file

@ -21,26 +21,23 @@ let
_: v: (v.distributedBuilds or { }).isBuilder or false _: v: (v.distributedBuilds or { }).isBuilder or false
) allDevices; ) allDevices;
sshHostname = m: m.publicFqdn or m.hostName;
buildServerKnownHosts = lib.pipe buildServerDevices [ buildServerKnownHosts = lib.pipe buildServerDevices [
(lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey)) (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey))
(lib.mapAttrs ( (lib.mapAttrs (
name: v: { _: v: {
publicKey = v.distributedBuilds.hostPublicKey; publicKey = v.distributedBuilds.hostPublicKey;
hostNames = [ (v.publicFqdn or name) ];
} }
)) ))
]; ];
remoteBuildServerDevices = builtins.filter (m: m.hostName != config.networking.hostName) ( remoteBuildServerDevices = builtins.filter (
lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices m: m.hostName != config.networking.hostName
); ) (lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices);
buildMachines = map ( buildMachines = map (
m: m:
{ {
hostName = sshHostname m; hostName = m.hostName;
systems = [ m.system ]; systems = [ m.system ];
sshUser = buildUser; sshUser = buildUser;
sshKey = clientSshKeyPath; sshKey = clientSshKeyPath;
@ -67,23 +64,7 @@ in
# All machines # All machines
{ {
assertions =
lib.mapAttrsToList (name: v: {
assertion = v.distributedBuilds ? hostPublicKey && v.distributedBuilds ? storeSigningPublicKey;
message = "devices.${name}: isBuilder = true requires distributedBuilds.hostPublicKey and distributedBuilds.storeSigningPublicKey";
}) buildServerDevices
++ lib.mapAttrsToList (name: v: {
assertion = lib.hasPrefix "ssh-" v.distributedBuilds.clientPublicKey;
message = "devices.${name}: distributedBuilds.clientPublicKey must start with 'ssh-'";
}) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey) allDevices)
++ lib.mapAttrsToList (name: v: {
assertion = builtins.match ".+:.+" v.distributedBuilds.storeSigningPublicKey != null;
message = "devices.${name}: distributedBuilds.storeSigningPublicKey must be in '<name>:<base64>' format";
}) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? storeSigningPublicKey) allDevices);
nix.settings = { nix.settings = {
#fallback = true;
connect-timeout = 5;
trusted-public-keys = lib.pipe buildServerDevices [ trusted-public-keys = lib.pipe buildServerDevices [
(lib.mapAttrsToList (_: v: v.distributedBuilds.storeSigningPublicKey or null)) (lib.mapAttrsToList (_: v: v.distributedBuilds.storeSigningPublicKey or null))
(builtins.filter (k: k != null)) (builtins.filter (k: k != null))
@ -122,20 +103,11 @@ in
programs.ssh = { programs.ssh = {
knownHosts = buildServerKnownHosts; knownHosts = buildServerKnownHosts;
extraConfig = lib.concatStringsSep "\n" ( extraConfig = lib.concatStringsSep "\n" (
lib.mapAttrsToList ( lib.mapAttrsToList (name: _: ''
name: v: Match originalhost ${name} user ${buildUser}
let
names = lib.unique [
name
(v.publicFqdn or name)
];
in
''
Match originalhost ${lib.concatStringsSep "," names} user ${buildUser}
IdentityFile ${clientSshKeyPath} IdentityFile ${clientSshKeyPath}
IdentitiesOnly yes IdentitiesOnly yes
'' '') buildServerDevices
) buildServerDevices
); );
}; };
nix = { nix = {
@ -143,7 +115,7 @@ in
buildMachines = buildMachines; buildMachines = buildMachines;
settings = { settings = {
builders-use-substitutes = true; builders-use-substitutes = true;
substituters = map (m: "ssh-ng://${buildUser}@${sshHostname m}") ( substituters = map (m: "ssh-ng://${buildUser}@${m.hostName}") (
builtins.filter (m: m.distributedBuilds ? storeSigningPublicKey) remoteBuildServerDevices builtins.filter (m: m.distributedBuilds ? storeSigningPublicKey) remoteBuildServerDevices
); );
}; };

6
nixosModules/gnome.nix
View file

@ -5,9 +5,9 @@
... ...
}: }:
{ {
options.my.gnome = { options = {
enable = lib.mkEnableOption "GNOME desktop environment"; my.gnome.enable = lib.mkEnableOption "GNOME desktop environment";
keep-default-apps = lib.mkEnableOption "keep gnome default apps"; my.gnome.keep-default-apps = lib.mkEnableOption "keep gnome default apps";
}; };
config = lib.mkIf config.my.gnome.enable ( config = lib.mkIf config.my.gnome.enable (

2
nixosModules/intel-graphics.nix
View file

@ -22,6 +22,6 @@
]; ];
}; };
environment.systemPackages = with pkgs; [ nvtopPackages.intel ]; environment.systemPackages = with pkgs; [ nvtopPackages.intel ];
my.allowedUnfreePackages = [ "intel-ocl" ]; allowedUnfreePackages = [ "intel-ocl" ];
}; };
} }

3
nixosModules/muede-desktop-settings.nix
View file

@ -2,9 +2,12 @@
lib, lib,
config, config,
pkgs, pkgs,
niri,
... ...
}: }:
{ {
imports = [ niri.nixosModules.niri ];
options.my.muedeDesktopSettings.enable = lib.mkEnableOption "muede desktop settings (Firefox, Logitech, RDP)"; options.my.muedeDesktopSettings.enable = lib.mkEnableOption "muede desktop settings (Firefox, Logitech, RDP)";
config = lib.mkIf config.my.muedeDesktopSettings.enable { config = lib.mkIf config.my.muedeDesktopSettings.enable {

38
nixosModules/openssh.nix
View file

@ -1,10 +1,4 @@
{ { lib, config, ... }:
lib,
config,
pkgs,
thisDevice,
...
}:
{ {
options.my.openssh.enable = lib.mkEnableOption "OpenSSH server"; options.my.openssh.enable = lib.mkEnableOption "OpenSSH server";
@ -18,35 +12,5 @@
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
}; };
}; };
# On desktops, hold a systemd sleep inhibitor while SSH connections are active
security.pam.services.sshd.rules.session.ssh-inhibit = lib.mkIf (thisDevice.isDesktop or false) {
order = 10000;
control = "optional";
modulePath = "${pkgs.pam}/lib/security/pam_exec.so";
args = [
"quiet"
"${pkgs.writeShellScript "ssh-inhibit-pam" ''
PIDFILE="/run/ssh-inhibitor-''${PPID}.pid"
case "''${PAM_TYPE:-}" in
open)
${pkgs.systemd}/bin/systemd-inhibit \
--what=sleep \
--who=sshd \
--why="SSH session active" \
--mode=block \
sleep infinity &
echo $! > "$PIDFILE"
;;
close)
if [ -f "$PIDFILE" ]; then
kill "$(cat "$PIDFILE")" 2>/dev/null || true
rm -f "$PIDFILE"
fi
;;
esac
''}"
];
};
}; };
} }

2
nixosModules/steam.nix
View file

@ -40,7 +40,7 @@
]; ];
}; };
my.allowedUnfreePackages = [ allowedUnfreePackages = [
"steam" "steam"
"steam-original" "steam-original"
"steam-run" "steam-run"

2
nixosModules/user-muede.nix
View file

@ -31,7 +31,7 @@
nix.settings.trusted-users = [ "muede" ]; nix.settings.trusted-users = [ "muede" ];
my.allowedUnfreePackages = [ allowedUnfreePackages = [
"rider" "rider"
"pycharm-professional" "pycharm-professional"
"jetbrains-toolbox" "jetbrains-toolbox"