-rw-r--r-- | nixos/configuration.nix | 145 | ||||
-rw-r--r-- | nixos/hardware.nix | 30 | ||||
-rw-r--r-- | nixos/installer.nix | 1 | ||||
-rw-r--r-- | nixos/rebuild.nix | 9 |
4 files changed, 165 insertions, 20 deletions
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 197007abe29d..acca228714b9 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -1,35 +1,140 @@
-{ config, pkgs, ... }:
+{ pkgs ? import <nixpkgs> {}, ... }:
-# TODO(wpcarro): Refactor to prefer nested attribute for configuration values
-# instead of using one-liner field accessors.
 {
- imports = [
- ./hardware-configuration.nix
- ];
+ imports = [ ./hardware.nix ];
- # TODO(wpcarro): Is this correct? I believe my laptop only supports BIOS and
- # not UEFI.
- boot.loader.grub.device = "/dev/sda";
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
- networking.hostName = "socrates";
- networking.wireless.enable = true;
- # Don't remove this.
- networking.useDHCP = false;
- networking.interfaces.enp2s0f1.useDHCP = true;
- networking.interfaces.wlp3s0.useDHCP = true;
+ networking = {
+ hostName = "socrates";
+ # The global useDHCP flag is deprecated, therefore explicitly set to false
+ # here. Per-interface useDHCP will be mandatory in the future, so this
+ # generated config replicates the default behaviour.
+ useDHCP = false;
+ networkmanager.enable = true;
+ interfaces.enp2s0f1.useDHCP = true;
+ interfaces.wlp3s0.useDHCP = true;
+ firewall.allowedTCPPorts = [ 9418 80 443 ];
+ };
 time.timeZone = "UTC";
+ programs.fish.enable = true;
+ programs.mosh.enable = true;
+
 environment.systemPackages = with pkgs; [
- emacs
+ curl
+ direnv
+ emacs26-nox
+ gnupg
+ htop
+ pass
+ vim
+ certbot
+ tree
+ git
 ];
+ users = {
+ # I need a git group to run the git server.
+ groups.git = {};
+
+ users.wpcarro = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ shell = pkgs.fish;
+ };
+
+ users.git = {
+ group = "git";
+ isNormalUser = false;
+ };
+ };
+
+ nix = {
+ # Expose depot as <depot>, nixpkgs as <nixpkgs>
+ nixPath = [
+ "briefcase=/home/wpcarro/briefcase"
+ "depot=/home/wpcarro/depot"
+ "nixpkgs=/home/wpcarro/nixpkgs"
+ ];
+
+ # Allow wpcarro to call nixos-rebuild
+ trustedUsers = [ "root" "wpcarro" ];
+ };
+
+ ##############################################################################
+ # Services
+ ##############################################################################
 services.openssh.enable = true;
- users.users.wpcarro = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
+ services.lorri.enable = true;
+
+ # TODO(wpcarro): Expose the Monzo credentials to this job. Currently they're
+ # managed with direnv and pass, which presumably systemd isn't accessing.
+ systemd.user.services.monzo-token-server = {
+ enable = true;
+ description = "Ensure my Monzo access token is valid";
+ script = "/home/wpcarro/.nix-profile/bin/token-server";
+
+ serviceConfig = {
+ WorkingDirectory = "%h/briefcase/monzo_ynab";
+ Type = "oneshot";
+ };
+ };
+
+ services.gitDaemon = {
+ enable = true;
+ basePath = "/srv/git";
+ exportAll = true;
+ repositories = [ "/srv/git/briefcase" ];
+ };
+
+ # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+ # lid.
+ services.logind.lidSwitch = "ignore";
+
+ # Provision SSL certificates to support HTTPS connections.
+ security.acme.acceptTerms = true;
+ security.acme.certs."wpcarro.dev".email = "wpcarro@gmail.com";
+
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ commonHttpConfig = ''
+ log_format json_combined escape=json
+ '{'
+ '"time_local":"$time_local",'
+ '"remote_addr":"$remote_addr",'
+ '"remote_user":"$remote_user",'
+ '"request":"$request",'
+ '"status": "$status",'
+ '"body_bytes_sent":"$body_bytes_sent",'
+ '"request_time":"$request_time",'
+ '"http_referrer":"$http_referer",'
+ '"http_user_agent":"$http_user_agent"'
+ '}';
+ access_log syslog:server=unix:/dev/log json_combined;
+ '';
+
+ virtualHosts.blog = {
+ serverName = "blog.wpcarro.dev";
+ useACMEHost = "wpcarro.dev";
+ addSSL = true;
+ extraConfig = ''
+ location / {
+ proxy_pass http://localhost:80
+ }
+ '';
+ };
+ };
 };
- system.stateVersion = "20.09";
+ system.stateVersion = "20.09"; # Did you read the comment?
 }
diff --git a/nixos/hardware.nix b/nixos/hardware.nix
new file mode 100644
index 000000000000..dde14eb1e627
--- /dev/null
+++ b/nixos/hardware.nix
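Review bot: `trustedUsers = [ "root" "wpcarro" ]` in the `nix` block grants far more than its comment `# Allow wpcarro to call nixos-rebuild` implies — the Nix manual describes trusted-users as effectively root-equivalent (they can override daemon settings such as substituters and sandbox paths and import unsigned store paths) — and it is not needed for that purpose, since rebuild.nix in this same commit runs `sudo nixos-rebuild` and wpcarro is already in `wheel`. I would drop wpcarro from the list, or at least replace the comment with `# NOTE: trusted-users is root-equivalent; nixos-rebuild already runs via sudo (see rebuild.nix)` so the grant is visibly deliberate. In `virtualHosts.blog`, `proxy_pass http://localhost:80` is missing the terminating `;` nginx requires, and because `addSSL = true` keeps nginx itself listening on port 80, the location as written would proxy back to nginx; the intended upstream port should be confirmed. The `wpcarro.dev` certificate is declared with only an email, so unless it also lists `blog.wpcarro.dev` as an extra domain and has a webroot or DNS challenge configured, the vhost that references it through `useACMEHost` presumably cannot present a valid certificate — worth checking against the ACME module of the release in use. `services.gitDaemon.exportAll = true` already exports every repository under `/srv/git` anonymously on 9418 (opened in `firewall.allowedTCPPorts`), which makes the `repositories` entry redundant; if only briefcase is meant to be public, drop `exportAll` instead.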
@@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/aadf1a77-1e98-4b5f-8e74-abf8e77bda34"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/1613-35B9"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 2; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/nixos/installer.nix b/nixos/installer.nix index f0c1efe21ef5..276b1f60df49 100644 --- a/nixos/installer.nix +++ b/nixos/installer.nix @@ -1,3 +1,4 @@ +# This expression can be used to create NixOS .iso images. { config, pkgs, ... }: { diff --git a/nixos/rebuild.nix b/nixos/rebuild.nix new file mode 100644 index 000000000000..84a8bb05d6bf --- /dev/null +++ b/nixos/rebuild.nix @@ -0,0 +1,9 @@ +{ pkgs ? import <nixpkgs> {}, ... }: + +pkgs.writeShellScriptBin "rebuild" '' + set -ue + sudo nixos-rebuild \ + -I nixos-config=/home/wpcarro/briefcase/nixos/configuration.nix \ + -I nixpkgs=/home/wpcarro/nixpkgs \ + switch +'' |