about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--nixos/configuration.nix145
-rw-r--r--nixos/hardware.nix30
-rw-r--r--nixos/installer.nix1
-rw-r--r--nixos/rebuild.nix9
4 files changed, 165 insertions, 20 deletions
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 197007abe29d..acca228714b9 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -1,35 +1,140 @@
-{ config, pkgs, ... }:
+{ pkgs ? import <nixpkgs> {}, ... }:
 
-# TODO(wpcarro): Refactor to prefer nested attribute for configuration values
-# instead of using one-liner field accessors.
 {
-  imports = [
-    ./hardware-configuration.nix
-  ];
+  imports = [ ./hardware.nix ];
 
-  # TODO(wpcarro): Is this correct? I believe my laptop only supports BIOS and
-  # not UEFI.
-  boot.loader.grub.device = "/dev/sda";
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "socrates";
-  networking.wireless.enable = true;
-  # Don't remove this.
-  networking.useDHCP = false;
-  networking.interfaces.enp2s0f1.useDHCP = true;
-  networking.interfaces.wlp3s0.useDHCP = true;
+  networking = {
+    hostName = "socrates";
+    # The global useDHCP flag is deprecated, therefore explicitly set to false
+    # here.  Per-interface useDHCP will be mandatory in the future, so this
+    # generated config replicates the default behaviour.
+    useDHCP = false;
+    networkmanager.enable = true;
+    interfaces.enp2s0f1.useDHCP = true;
+    interfaces.wlp3s0.useDHCP = true;
+    firewall.allowedTCPPorts = [ 9418 80 443 ];
+  };
 
   time.timeZone = "UTC";
 
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+
   environment.systemPackages = with pkgs; [
-    emacs
+    curl
+    direnv
+    emacs26-nox
+    gnupg
+    htop
+    pass
+    vim
+    certbot
+    tree
+    git
   ];
 
+  users = {
+    # I need a git group to run the git server.
+    groups.git = {};
+
+    users.wpcarro = {
+      isNormalUser = true;
+      extraGroups = [ "git" "wheel" ];
+      shell = pkgs.fish;
+    };
+
+    users.git = {
+      group = "git";
+      isNormalUser = false;
+    };
+  };
+
+  nix = {
+    # Expose depot as <depot>, nixpkgs as <nixpkgs>
+    nixPath = [
+      "briefcase=/home/wpcarro/briefcase"
+      "depot=/home/wpcarro/depot"
+      "nixpkgs=/home/wpcarro/nixpkgs"
+    ];
+
+    # Allow wpcarro to call nixos-rebuild
+    trustedUsers = [ "root" "wpcarro" ];
+  };
+
+  ##############################################################################
+  # Services
+  ##############################################################################
   services.openssh.enable = true;
 
-  users.users.wpcarro = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
+  services.lorri.enable = true;
+
+  # TODO(wpcarro): Expose the Monzo credentials to this job. Currently they're
+  # managed with direnv and pass, which presumably systemd isn't accessing.
+  systemd.user.services.monzo-token-server = {
+    enable = true;
+    description = "Ensure my Monzo access token is valid";
+    script = "/home/wpcarro/.nix-profile/bin/token-server";
+
+    serviceConfig = {
+      WorkingDirectory = "%h/briefcase/monzo_ynab";
+      Type = "oneshot";
+    };
+  };
+
+  services.gitDaemon = {
+    enable = true;
+    basePath = "/srv/git";
+    exportAll = true;
+    repositories = [ "/srv/git/briefcase" ];
+  };
+
+  # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+  # lid.
+  services.logind.lidSwitch = "ignore";
+
+  # Provision SSL certificates to support HTTPS connections.
+  security.acme.acceptTerms = true;
+  security.acme.certs."wpcarro.dev".email = "wpcarro@gmail.com";
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      log_format json_combined escape=json
+      '{'
+          '"time_local":"$time_local",'
+          '"remote_addr":"$remote_addr",'
+          '"remote_user":"$remote_user",'
+          '"request":"$request",'
+          '"status": "$status",'
+          '"body_bytes_sent":"$body_bytes_sent",'
+          '"request_time":"$request_time",'
+          '"http_referrer":"$http_referer",'
+          '"http_user_agent":"$http_user_agent"'
+      '}';
+      access_log syslog:server=unix:/dev/log json_combined;
+    '';
+
+    virtualHosts.blog = {
+      serverName = "blog.wpcarro.dev";
+      useACMEHost = "wpcarro.dev";
+      addSSL = true;
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:80
+        }
+      '';
+    };
   };
 
-  system.stateVersion = "20.09";
+  system.stateVersion = "20.09"; # Did you read the comment?
 }
diff --git a/nixos/hardware.nix b/nixos/hardware.nix
new file mode 100644
index 000000000000..dde14eb1e627
--- /dev/null
+++ b/nixos/hardware.nix
@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/aadf1a77-1e98-4b5f-8e74-abf8e77bda34";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1613-35B9";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 2;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/nixos/installer.nix b/nixos/installer.nix
index f0c1efe21ef5..276b1f60df49 100644
--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@@ -1,3 +1,4 @@
+# This expression can be used to create NixOS .iso images.
 { config, pkgs, ...  }:
 
 {
diff --git a/nixos/rebuild.nix b/nixos/rebuild.nix
new file mode 100644
index 000000000000..84a8bb05d6bf
--- /dev/null
+++ b/nixos/rebuild.nix
@@ -0,0 +1,9 @@
+{ pkgs ? import <nixpkgs> {}, ... }:
+
+pkgs.writeShellScriptBin "rebuild" ''
+  set -ue
+  sudo nixos-rebuild \
+    -I nixos-config=/home/wpcarro/briefcase/nixos/configuration.nix \
+    -I nixpkgs=/home/wpcarro/nixpkgs \
+    switch
+''