Diffstat (limited to 'users/tazjin/nixos')
-rw-r--r-- | users/tazjin/nixos/.gitignore | 1 | ||||
-rw-r--r-- | users/tazjin/nixos/README.md | 17 | ||||
-rw-r--r-- | users/tazjin/nixos/camden/default.nix | 361 | ||||
-rw-r--r-- | users/tazjin/nixos/default.nix | 10 | ||||
-rw-r--r-- | users/tazjin/nixos/frog/default.nix | 287 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/default.nix | 2 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/desktop.nix | 53 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/fonts.nix | 24 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/hidpi.nix | 17 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/home-config.nix | 21 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/laptop.nix | 14 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/persistence.nix | 26 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/physical.nix | 90 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/tgsa.nix | 24 | ||||
-rw-r--r-- | users/tazjin/nixos/modules/zerotier.nix | 14 | ||||
-rw-r--r-- | users/tazjin/nixos/polyanka/default.nix | 122 | ||||
-rw-r--r-- | users/tazjin/nixos/tverskoy/default.nix | 163 | ||||
-rw-r--r-- | users/tazjin/nixos/zamalek/default.nix | 82 |
18 files changed, 1328 insertions, 0 deletions
diff --git a/users/tazjin/nixos/.gitignore b/users/tazjin/nixos/.gitignore
new file mode 100644
index 000000000000..212d3ad270f4
--- /dev/null
+++ b/users/tazjin/nixos/.gitignore
@@ -0,0 +1 @@
+local-config.nix
diff --git a/users/tazjin/nixos/README.md b/users/tazjin/nixos/README.md
new file mode 100644
index 000000000000..662f2a36acac
--- /dev/null
+++ b/users/tazjin/nixos/README.md
@@ -0,0 +1,17 @@
+NixOS configuration
+===================
+
+My NixOS configurations! It configures most of the packages I require
+on my systems, sets up Emacs the way I need and does a bunch of other
+interesting things.
+
+System configuration lives in folders, and some of the modules stem
+from `//ops/modules`.
+
+Machines are deployed with the script at `ops.nixos.rebuild-system`.
+
+## Configured hosts:
+
+* `tverskoy` - X13 AMD that's travelling around with me
+* `frog` - weapon of mass computation (in storage in London)
+* `camden` - NUC formerly serving tazj.in (in storage in London)
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
new file mode 100644
index 000000000000..4f046d8ec157
--- /dev/null
+++ b/users/tazjin/nixos/camden/default.nix
@@ -0,0 +1,361 @@ +# This file configures camden.tazj.in, my homeserver. +{ depot, pkgs, lib, ... }: + +config: +let + nginxRedirect = { from, to, acmeHost }: { + serverName = from; + useACMEHost = acmeHost; + forceSSL = true; + + extraConfig = "return 301 https://${to}$request_uri;"; + }; +in +lib.fix (self: { + # Disable the current ACME module and use the old one from 19.09 + # instead, until the various regressions have been sorted out. + # TODO(tazjin): Remove this once the new ACME module works. + disabledModules = [ "security/acme" ]; + imports = + let + oldChannel = fetchTarball { + # NixOS 19.09 on 2020-10-04 + url = "https://github.com/NixOS/nixpkgs-channels/archive/75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1.tar.gz"; + sha256 = "157c64220lf825ll4c0cxsdwg7cxqdx4z559fdp7kpz0g6p8fhhr"; + }; + in + [ + "${depot.path}/ops/modules/quassel.nix" + "${depot.path}/ops/modules/smtprelay.nix" + "${oldChannel}/nixos/modules/security/acme.nix" + ]; + + # camden is intended to boot unattended, despite having an encrypted + # root partition. + # + # The below configuration uses an externally connected USB drive + # that contains a LUKS key file to unlock the disk automatically at + # boot. + # + # TODO(tazjin): Configure LUKS unlocking via SSH instead. 
+ boot = { + initrd = { + availableKernelModules = [ + "ahci" + "xhci_pci" + "usbhid" + "usb_storage" + "sd_mod" + "sdhci_pci" + "rtsx_usb_sdmmc" + "r8169" + ]; + + kernelModules = [ "dm-snapshot" ]; + + luks.devices.camden-crypt = { + fallbackToPassword = true; + device = "/dev/disk/by-label/camden-crypt"; + keyFile = "/dev/sdb"; + keyFileSize = 4096; + }; + }; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + cleanTmpDir = true; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/camden-root"; + fsType = "ext4"; + }; + + "/home" = { + device = "/dev/disk/by-label/camden-home"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-label/BOOT"; + fsType = "vfat"; + }; + }; + + nix = { + maxJobs = lib.mkDefault 4; + + trustedUsers = [ "root" "tazjin" ]; + + binaryCaches = [ + "https://tazjin.cachix.org" + ]; + + binaryCachePublicKeys = [ + "tazjin.cachix.org-1:IZkgLeqfOr1kAZjypItHMg1NoBjm4zX9Zzep8oRSh7U=" + ]; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + networking = { + hostName = "camden"; + interfaces.enp1s0.useDHCP = true; + interfaces.enp1s0.ipv6.addresses = [ + { + address = "2a01:4b00:821a:ce02::5"; + prefixLength = 64; + } + ]; + + firewall.enable = false; + }; + + time.timeZone = "UTC"; + + # System-wide application setup + programs.fish.enable = true; + programs.mosh.enable = true; + + fonts = { + fonts = [ pkgs.jetbrains-mono ]; + fontconfig.defaultFonts.monospace = [ "JetBrains Mono" ]; + }; + + environment.systemPackages = + # programs from the depot + (with depot; [ + fun.idual.script + fun.idual.setAlarm + ]) ++ + + # programs from nixpkgs + (with pkgs; [ + bat + curl + direnv + emacs28-nox + fswebcam + git + gnupg + google-cloud-sdk + htop + jq + pass + pciutils + restic + ripgrep + screen + ]); + + users = { + # Set up my own user for logging in and doing things ... 
+ users.tazjin = { + isNormalUser = true; + uid = 1000; + extraGroups = [ "git" "wheel" "quassel" "video" ]; + shell = pkgs.fish; + }; + + # Set up a user & group for general git shenanigans + groups.git = { }; + users.git = { + group = "git"; + isSystemUser = true; + }; + }; + + # Services setup + services.openssh.enable = true; + services.haveged.enable = true; + + # Join Tailscale into home network + services.tailscale.enable = true; + + # Allow sudo-ing via the forwarded SSH agent. + security.pam.enableSSHAgentAuth = true; + + # NixOS 20.03 broke nginx and I can't be bothered to debug it + # anymore, all solution attempts have failed, so here's a + # brute-force fix. + systemd.services.fix-nginx = { + script = "${pkgs.coreutils}/bin/chown -R nginx: /var/spool/nginx /var/cache/nginx"; + + serviceConfig = { + User = "root"; + Type = "oneshot"; + }; + }; + + systemd.timers.fix-nginx = { + wantedBy = [ "multi-user.target" ]; + timerConfig = { + OnCalendar = "minutely"; + }; + }; + + # Provision a TLS certificate outside of nginx to avoid + # nixpkgs#38144 + security.acme = { + # acceptTerms = true; + + certs."tazj.in" = { + email = "mail@tazj.in"; + user = "nginx"; + group = "nginx"; + webroot = "/var/lib/acme/acme-challenge"; + extraDomains = { + "cs.tazj.in" = null; + "git.tazj.in" = null; + "www.tazj.in" = null; + + # Local domains (for this machine only) + "camden.tazj.in" = null; + }; + postRun = "systemctl reload nginx"; + }; + + certs."quassel.tazj.in" = { + email = "mail@tazj.in"; + webroot = "/var/lib/acme/challenge-quassel"; + user = "nginx"; # required because of a bug in the ACME module + group = "quassel"; + allowKeysForGroup = true; + }; + }; + + # Forward logs to Google Cloud Platform + services.journaldriver = { + enable = true; + logStream = "home"; + googleCloudProject = "tazjins-infrastructure"; + applicationCredentials = "/etc/gcp/key.json"; + }; + + services.depot.quassel = { + enable = true; + acmeHost = "quassel.tazj.in"; + bindAddresses = [ 
+ "0.0.0.0" + ]; + }; + + services.bitlbee = { + enable = false; + portNumber = 2337; # bees + }; + + # serve my website(s) + services.nginx = { + enable = true; + enableReload = true; + package = with pkgs; nginx.override { + modules = [ nginxModules.rtmp ]; + }; + + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + appendConfig = '' + rtmp_auto_push on; + rtmp { + server { + listen 1935; + chunk_size 4000; + + application tvl { + live on; + + allow publish 88.98.195.213; + allow publish 10.0.1.0/24; + deny publish all; + + allow play all; + } + } + } + ''; + + commonHttpConfig = '' + log_format json_combined escape=json + '{' + '"remote_addr":"$remote_addr",' + '"method":"$request_method",' + '"uri":"$request_uri",' + '"status":$status,' + '"request_size":$request_length,' + '"response_size":$body_bytes_sent,' + '"response_time":$request_time,' + '"referrer":"$http_referer",' + '"user_agent":"$http_user_agent"' + '}'; + + access_log syslog:server=unix:/dev/log,nohostname json_combined; + ''; + + virtualHosts.homepage = { + serverName = "tazj.in"; + serverAliases = [ "camden.tazj.in" ]; + default = true; + useACMEHost = "tazj.in"; + root = depot.users.tazjin.homepage; + forceSSL = true; + + extraConfig = '' + ${depot.users.tazjin.blog.oldRedirects} + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + location ~* \.(webp|woff2)$ { + add_header Cache-Control "public, max-age=31536000"; + } + + location /blog/ { + alias ${depot.users.tazjin.blog.rendered}/; + + if ($request_uri ~ ^/(.*)\.html$) { + return 302 /$1; + } + + try_files $uri $uri.html $uri/ =404; + } + + location = /tazjin { + return 200 "tazjin"; + } + + location /blobs/ { + alias /var/www/blobs/; + } + ''; + }; + + virtualHosts.cgit-old = nginxRedirect { + from = "git.tazj.in"; + to = "code.tvl.fyi"; + acmeHost = "tazj.in"; + }; + + virtualHosts.cs-old = nginxRedirect { + from = "cs.tazj.in"; + to = 
"cs.tvl.fyi"; + acmeHost = "tazj.in"; + }; + }; + + # Timer units that can be started with systemd-run to set my alarm. + systemd.user.services.light-alarm = { + script = "${depot.fun.idual.script}/bin/idualctl wakey"; + postStart = "${pkgs.systemd}/bin/systemctl --user stop light-alarm.timer"; + serviceConfig = { + Type = "oneshot"; + }; + }; + + system.stateVersion = "19.09"; +}) diff --git a/users/tazjin/nixos/default.nix b/users/tazjin/nixos/default.nix new file mode 100644 index 000000000000..b9cae51d7f69 --- /dev/null +++ b/users/tazjin/nixos/default.nix @@ -0,0 +1,10 @@ +{ depot, lib, ... }: + +let systemFor = sys: (depot.ops.nixos.nixosFor sys).system; +in depot.nix.readTree.drvTargets { + camdenSystem = systemFor depot.users.tazjin.nixos.camden; + frogSystem = systemFor depot.users.tazjin.nixos.frog; + tverskoySystem = systemFor depot.users.tazjin.nixos.tverskoy; + polyankaSystem = (depot.ops.nixos.nixosFor depot.users.tazjin.nixos.polyanka).system; + zamalekSystem = systemFor depot.users.tazjin.nixos.zamalek; +} diff --git a/users/tazjin/nixos/frog/default.nix b/users/tazjin/nixos/frog/default.nix new file mode 100644 index 000000000000..6a9848fbe0e7 --- /dev/null +++ b/users/tazjin/nixos/frog/default.nix 
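Review bot: `firewall.enable = false` exposes every listener on camden directly, and the same hunk gives the host a public IPv6 address, enables sshd, binds quassel to `0.0.0.0` and opens an RTMP listener on 1935 whose only gate is the IP-based `allow publish` list in `appendConfig`. If the machine is put back into service, `firewall.enable = true; firewall.allowedTCPPorts = [ 22 80 443 1935 ];` (plus whatever port the depot quassel module binds) keeps the exposure explicit instead of implicit. Separately, the LUKS key is read from the raw path `/dev/sdb`, which depends on USB enumeration order rather than a stable `/dev/disk/by-id/...` name, and the plaintext key lives on a stick next to the disk it unlocks — the existing TODO covers the SSH-unlock part, so a comment next to `keyFile` noting both limitations would help whoever revisits it.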
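Review bot: `polyankaSystem` spells out `(depot.ops.nixos.nixosFor …).system` while the four other hosts go through the `systemFor` helper defined two lines above; `polyankaSystem = systemFor depot.users.tazjin.nixos.polyanka;` keeps the entries uniform. If the longer form is deliberate (polyanka's module is written with a leading `_:` argument unlike the others, so it may be evaluated differently), a one-line comment saying so would stop the next reader from "fixing" it.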
@@ -0,0 +1,287 @@ +{ depot, lib, pkgs, ... }: + +config: +let + inherit (pkgs) lieer; + + quasselClient = pkgs.quassel.override { + client = true; + enableDaemon = false; + monolithic = false; + }; +in +lib.fix (self: { + imports = [ + "${depot.path}/ops/modules/v4l2loopback.nix" + ]; + + boot = { + tmpOnTmpfs = true; + kernelModules = [ "kvm-amd" ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + initrd = { + luks.devices.frog-crypt.device = "/dev/disk/by-label/frog-crypt"; + availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + kernelModules = [ "dm-snapshot" ]; + }; + + kernelPackages = pkgs.linuxPackages_latest; + kernel.sysctl = { + "kernel.perf_event_paranoid" = -1; + }; + + # Enable this again if frog is put back into use ... + # + # kernelPatches = [ + # depot.third_party.kernelPatches.trx40_usb_audio + # ]; + }; + + hardware = { + cpu.amd.updateMicrocode = true; + enableRedistributableFirmware = true; + opengl = { + enable = true; + driSupport = true; + driSupport32Bit = true; + }; + + pulseaudio = { + enable = true; + package = pkgs.pulseaudioFull; + }; + + bluetooth = { + enable = true; + }; + }; + + nix = { + maxJobs = 48; + binaryCaches = [ "ssh://nix-ssh@whitby.tvl.fyi" ]; + binaryCachePublicKeys = [ "cache.tvl.fyi:fd+9d1ceCPvDX/xVhcfv8nAa6njEhAGAEe+oGJDEeoc=" ]; + }; + + networking = { + hostName = "frog"; + useDHCP = true; + + # Don't use ISP's DNS servers: + nameservers = [ + "8.8.8.8" + "8.8.4.4" + ]; + + firewall.enable = false; + }; + + # Generate an immutable /etc/resolv.conf from the nameserver settings + # above (otherwise DHCP overwrites it): + environment.etc."resolv.conf" = with lib; { + source = pkgs.writeText "resolv.conf" '' + ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)} + options edns0 + ''; + }; + + time.timeZone = "Europe/London"; + + fileSystems = { + "/".device = "/dev/disk/by-label/frog-root"; + "/boot".device = 
"/dev/disk/by-label/BOOT"; + "/home".device = "/dev/disk/by-label/frog-home"; + }; + + # Configure user account + users.extraUsers.tazjin = { + extraGroups = [ "wheel" "audio" "docker" ]; + isNormalUser = true; + uid = 1000; + shell = pkgs.fish; + }; + + security.sudo = { + enable = true; + extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL"; + }; + + fonts = { + fonts = with pkgs; [ + corefonts + dejavu_fonts + jetbrains-mono + noto-fonts-cjk + noto-fonts-emoji + ]; + + fontconfig = { + hinting.enable = true; + subpixel.lcdfilter = "light"; + + defaultFonts = { + monospace = [ "JetBrains Mono" ]; + }; + }; + }; + + # Configure location (Vauxhall, London) for services that need it. + location = { + latitude = 51.4819109; + longitude = -0.1252998; + }; + + programs.fish.enable = true; + programs.ssh.startAgent = true; + + services.redshift.enable = true; + services.openssh.enable = true; + services.fstrim.enable = true; + services.blueman.enable = true; + + # Required for Yubikey usage as smartcard + services.pcscd.enable = true; + services.udev.packages = [ + pkgs.yubikey-personalization + ]; + + # Enable Docker for Nixery testing + virtualisation.docker = { + enable = true; + autoPrune.enable = true; + }; + + services.xserver = { + enable = true; + layout = "us"; + xkbOptions = "caps:super"; + exportConfiguration = true; + videoDrivers = [ "amdgpu" ]; + displayManager = { + # Give EXWM permission to control the session. + sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER"; + + lightdm.enable = true; + lightdm.greeters.gtk.clock-format = "%H·%M"; # TODO(tazjin): TZ? 
+ }; + + windowManager.session = lib.singleton { + name = "exwm"; + start = "${depot.users.tazjin.emacs}/bin/tazjins-emacs"; + }; + }; + + # Do not restart the display manager automatically + systemd.services.display-manager.restartIfChanged = lib.mkForce false; + + # clangd needs more than ~2GB in the runtime directory to start up + services.logind.extraConfig = '' + RuntimeDirectorySize=16G + ''; + + # Configure email setup + systemd.user.services.lieer-tazjin = { + description = "Synchronise mail@tazj.in via lieer"; + script = "${lieer}/bin/gmi sync"; + + serviceConfig = { + WorkingDirectory = "%h/mail/account.tazjin"; + Type = "oneshot"; + }; + }; + + systemd.user.timers.lieer-tazjin = { + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnActiveSec = "1"; + OnUnitActiveSec = "180"; + }; + }; + + environment.systemPackages = + # programs from the depot + (with depot; [ + fun.idual.script + fun.uggc + lieer + ops.kontemplate + quasselClient + third_party.git + tools.nsfv-setup + users.tazjin.emacs + ]) ++ + + # programs from nixpkgs + (with pkgs; [ + age + bat + chromium + clang-manpages + clang-tools_11 + clang_11 + curl + direnv + dnsutils + emacs28 # mostly for emacsclient + exa + fd + file + gdb + gnupg + go + google-chrome + google-cloud-sdk + htop + hyperfine + i3lock + iftop + imagemagick + jq + kubectl + linuxPackages.perf + man-pages + miller + msmtp + nix-prefetch-github + notmuch + obs-studio + openssh + openssl + pass + pavucontrol + pciutils + pinentry + pinentry-emacs + pmutils + pwgen + ripgrep + rustup + screen + scrot + spotify + tokei + transmission + tree + unzip + usbutils + v4l-utils + vlc + xclip + xsecurelock + yubico-piv-tool + yubikey-personalization + zoxide + + # Commented out because of interim breakage: + # steam + # lutris + ]); + + # ... and other nonsense. + system.stateVersion = "20.03"; +}) 
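Review bot: `security.sudo.extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL"` adds the `SETENV` tag, which lets a wheel member bypass sudo's `env_reset` (`sudo -E`, or `VAR=… sudo …`), including variables sudo would normally strip; if only particular variables need to cross the boundary, an `env_keep` entry for those is tighter than a blanket `SETENV`, and otherwise a comment explaining why it is needed belongs on that line. In the same hunk `kernel.perf_event_paranoid = -1` allows unprivileged users to profile the kernel and other users' processes, which is acceptable on a single-user workstation but is worth stating, e.g. `# -1: unrestricted perf; acceptable only because frog is single-user`. `firewall.enable = false` together with sshd and Docker (whose group grants root-equivalent access) also deserves a comment saying which network frog is expected to sit on.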
diff --git a/users/tazjin/nixos/modules/default.nix b/users/tazjin/nixos/modules/default.nix new file mode 100644 index 000000000000..d747e8e1319a --- /dev/null +++ b/users/tazjin/nixos/modules/default.nix @@ -0,0 +1,2 @@ +# Make readTree happy at this level. +_: { } diff --git a/users/tazjin/nixos/modules/desktop.nix b/users/tazjin/nixos/modules/desktop.nix new file mode 100644 index 000000000000..c78463386c46 --- /dev/null +++ b/users/tazjin/nixos/modules/desktop.nix @@ -0,0 +1,53 @@ +# EXWM and other desktop configuration. +{ depot, lib, pkgs, ... }: + +{ + services = { + pipewire = { + enable = true; + alsa.enable = true; + pulse.enable = true; + }; + + redshift.enable = true; + blueman.enable = true; + + xserver = { + enable = true; + layout = "us"; + xkbOptions = "caps:super"; + + libinput.enable = true; + + displayManager = { + # Give EXWM permission to control the session. + sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER"; + lightdm.enable = true; + # lightdm.greeters.gtk.clock-format = "%H:%M"; # TODO(tazjin): TZ? + }; + + windowManager.session = lib.singleton { + name = "exwm"; + start = "${depot.users.tazjin.emacs}/bin/tazjins-emacs"; + }; + }; + }; + + # Set variables to enable EXWM-XIM and other Emacs features. + environment.sessionVariables = { + XMODIFIERS = "@im=exwm-xim"; + GTK_IM_MODULE = "xim"; + QT_IM_MODULE = "xim"; + CLUTTER_IM_MODULE = "xim"; + EDITOR = "emacsclient"; + }; + + # Do not restart the display manager automatically + systemd.services.display-manager.restartIfChanged = lib.mkForce false; + + # If something needs more than 10s to stop it should probably be + # killed. + systemd.extraConfig = '' + DefaultTimeoutStopSec=10s + ''; +} diff --git a/users/tazjin/nixos/modules/fonts.nix b/users/tazjin/nixos/modules/fonts.nix new file mode 100644 index 000000000000..3b4461056f24 --- /dev/null +++ b/users/tazjin/nixos/modules/fonts.nix 
@@ -0,0 +1,24 @@ +# Attempt at configuring reasonable font-rendering. + +{ pkgs, ... }: + +{ + fonts = { + fonts = with pkgs; [ + corefonts + dejavu_fonts + jetbrains-mono + noto-fonts-cjk + noto-fonts-emoji + ]; + + fontconfig = { + hinting.enable = true; + subpixel.lcdfilter = "light"; + + defaultFonts = { + monospace = [ "JetBrains Mono" ]; + }; + }; + }; +} diff --git a/users/tazjin/nixos/modules/hidpi.nix b/users/tazjin/nixos/modules/hidpi.nix new file mode 100644 index 000000000000..7fa3e4193341 --- /dev/null +++ b/users/tazjin/nixos/modules/hidpi.nix @@ -0,0 +1,17 @@ +# Configuration for machines with HiDPI displays, which are a total +# mess, of course. +{ ... }: + +{ + # Expose a variable to all programs that might be interested in the + # screen settings to do conditional initialisation (mostly for Emacs). + environment.variables.HIDPI_SCREEN = "true"; + + # Ensure a larger font size in early boot stage. + hardware.video.hidpi.enable = true; + + # Bump DPI across the board. + # TODO(tazjin): This should actually be set per monitor, but I + # haven't yet figured out the right interface for doing that. + services.xserver.dpi = 161; +} diff --git a/users/tazjin/nixos/modules/home-config.nix b/users/tazjin/nixos/modules/home-config.nix new file mode 100644 index 000000000000..2445afbb52c2 --- /dev/null +++ b/users/tazjin/nixos/modules/home-config.nix @@ -0,0 +1,21 @@ +# Inject the right home-manager config for the machine. + +{ config, depot, pkgs, ... }: + +{ + users.users.tazjin = { + isNormalUser = true; + createHome = true; + extraGroups = [ "wheel" "networkmanager" "video" "adbusers" ]; + uid = 1000; + shell = pkgs.fish; + initialHashedPassword = "$6$d3FywUNCuZnJ4l.$ZW2ul59MLYon1v1xhC3lTJZfZ91lWW6Tpi13MpME0cJcYZNrsx7ABdgQRn.K05awruG2Y9ARAzURnmiJ31WTS1h"; + }; + + nix = { + trustedUsers = [ "tazjin" ]; + }; + + home-manager.useGlobalPkgs = true; + home-manager.users.tazjin = depot.users.tazjin.home."${config.networking.hostName}"; +} 
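Review bot: `initialHashedPassword` in home-config.nix commits the account's SHA-512 crypt hash to a public repository, handing anyone an offline cracking target for the login password of every host that imports this module. Provisioning the hash outside git (`passwordFile` pointing at a file under `/persist`, or an agenix-managed secret, since the tree already ships `third_party.agenix.cli`) removes it; if keeping it public is deliberate, a comment explaining why belongs next to it. Note also that `initialHashedPassword` is only applied when the account is (re)created, so on hosts whose root filesystem is rebuilt at every boot it may be re-applied each time and silently override a `passwd` change — worth confirming and documenting either way.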
diff --git a/users/tazjin/nixos/modules/laptop.nix b/users/tazjin/nixos/modules/laptop.nix new file mode 100644 index 000000000000..da277dd3d636 --- /dev/null +++ b/users/tazjin/nixos/modules/laptop.nix @@ -0,0 +1,14 @@ +# Configuration specifically for laptops that move around. +{ ... }: + +{ + # Automatically detect location for redshift & timezone settings. + services.geoclue2.enable = true; + location.provider = "geoclue2"; + services.localtime.enable = true; + + # Enable power-saving features. + services.tlp.enable = true; + + programs.light.enable = true; +} diff --git a/users/tazjin/nixos/modules/persistence.nix b/users/tazjin/nixos/modules/persistence.nix new file mode 100644 index 000000000000..c81958161fbf --- /dev/null +++ b/users/tazjin/nixos/modules/persistence.nix @@ -0,0 +1,26 @@ +# Configuration for persistent (non-home) data. +{ depot, pkgs, lib, ... }: + +{ + imports = [ + "${depot.third_party.impermanence}/nixos.nix" + ]; + + environment.persistence."/persist" = { + directories = [ + "/etc/NetworkManager/system-connections" + "/etc/mullvad-vpn" + "/var/cache/mullvad-vpn" + "/var/lib/bluetooth" + "/var/lib/systemd/coredump" + "/var/lib/tailscale" + "/var/log" + ]; + + files = [ + "/etc/machine-id" + ]; + }; + + programs.fuse.userAllowOther = true; +} diff --git a/users/tazjin/nixos/modules/physical.nix b/users/tazjin/nixos/modules/physical.nix new file mode 100644 index 000000000000..386b756cafef --- /dev/null +++ b/users/tazjin/nixos/modules/physical.nix 
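Review bot: Persisting `/var/lib/systemd/coredump` carries process core images — which can contain decrypted material such as VPN credentials, agent keys or browser sessions — across reboots on whatever backs `/persist`; unless the dumps are wanted for post-mortem debugging, dropping that entry or setting `systemd.coredump.extraConfig = "Storage=none";` keeps them ephemeral. The remaining entries (NetworkManager profiles with Wi-Fi PSKs, `/var/lib/tailscale` node keys) are credentials as well, so a header comment stating that `/persist` is expected to live on an encrypted dataset would document the assumption this module implicitly relies on. `programs.fuse.userAllowOther = true` also widens who can see user FUSE mounts and is worth a one-line justification.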
@@ -0,0 +1,90 @@ +# Default configuration settings for physical machines that I use. +{ pkgs, depot, ... }: + +let + pass-otp = pkgs.pass.withExtensions (e: [ e.pass-otp ]); +in +{ + # Install all the default software. + environment.systemPackages = + # programs from the depot + (with depot; [ + users.tazjin.screenLock + users.tazjin.emacs + third_party.agenix.cli + ]) ++ + + # programs from nixpkgs + (with pkgs; [ + amber + audacity + bat + curl + ddcutil + direnv + dmd + dnsutils + electrum + emacsNativeComp # emacsclient + exa + fd + file + firefox + fractal + gdb + gh + git + gnupg + google-chrome + gtk3 # for gtk-launch + htop + hyperfine + iftop + imagemagick + jq + lieer + man-pages + mosh + msmtp + mullvad-vpn + networkmanagerapplet + nix-prefetch-github + nmap + notmuch + openssh + openssl + paperlike-go + pass-otp + pavucontrol + pinentry + pinentry-emacs + pulseaudio # for pactl + pwgen + quasselClient + rink + ripgrep + rustup + screen + scrot + tig + tokei + tree + unzip + vlc + whois + xsecurelock + zoxide + ]); + + # Run services & configure programs for all machines. + services = { + mullvad-vpn.enable = true; + fwupd.enable = true; + }; + + programs = { + fish.enable = true; + mosh.enable = true; + ssh.startAgent = true; + }; +} diff --git a/users/tazjin/nixos/modules/tgsa.nix b/users/tazjin/nixos/modules/tgsa.nix new file mode 100644 index 000000000000..ac6d940c2a1d --- /dev/null +++ b/users/tazjin/nixos/modules/tgsa.nix @@ -0,0 +1,24 @@ +{ config, depot, lib, pkgs, ... }: + +{ + systemd.services.tgsa = { + description = "telegram -> SA bbcode thing"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + Restart = "always"; + ExecStart = "${depot.users.tazjin.tgsa}/bin/tgsa"; + }; + }; + + services.nginx.virtualHosts."tgsa" = { + serverName = "tgsa.tazj.in"; + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:8472"; + }; + }; +} 
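Review bot: In tgsa.nix the nginx vhost proxies public traffic to `127.0.0.1:8472`, but the unit's `ExecStart` passes no listen address, so both the port and the loopback binding are an unstated assumption about the binary's defaults; a comment such as `# tgsa listens on 127.0.0.1:8472 by default; keep in sync with proxyPass` (or passing the address explicitly if the program accepts one) makes the coupling visible. Since this service presumably parses untrusted Telegram content fetched from the internet, the sandbox can go beyond what `DynamicUser` implies: `CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; SystemCallFilter = [ "@system-service" ];` are the usual additions and need no cooperation from the binary.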
diff --git a/users/tazjin/nixos/modules/zerotier.nix b/users/tazjin/nixos/modules/zerotier.nix new file mode 100644 index 000000000000..bd503cf8f026 --- /dev/null +++ b/users/tazjin/nixos/modules/zerotier.nix @@ -0,0 +1,14 @@ +# Configuration for my Zerotier network. + +{ + environment.persistence."/persist".directories = [ + "/var/lib/zerotier-one" + ]; + + services.zerotierone.enable = true; + services.zerotierone.joinNetworks = [ + "35c192ce9bd4c8c7" + ]; + + networking.firewall.trustedInterfaces = [ "zt7nnembs4" ]; +} diff --git a/users/tazjin/nixos/polyanka/default.nix b/users/tazjin/nixos/polyanka/default.nix new file mode 100644 index 000000000000..5758ee39b3e5 --- /dev/null +++ b/users/tazjin/nixos/polyanka/default.nix 
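Review bot: `trustedInterfaces = [ "zt7nnembs4" ]` bypasses the firewall for everything arriving over the ZeroTier interface, so every member the controller admits to network `35c192ce9bd4c8c7` can reach any service listening on the host, not only the ones intended for the overlay. If a handful of services should be reachable that way, `networking.firewall.interfaces.zt7nnembs4.allowedTCPPorts = [ … ];` limits the exposure; otherwise a comment stating that all overlay members are treated as fully trusted documents the decision. The interface name is presumably derived from the network ID, so a note tying the two together would help whoever changes one without the other.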
@@ -0,0 +1,122 @@ +# VPS hosted at GleSYS, running my Quassel and some random network +# stuff. + +_: # ignore readTree options + +{ config, depot, lib, pkgs, ... }: + +let + mod = name: depot.path + ("/ops/modules/" + name); + usermod = name: depot.path + ("/users/tazjin/nixos/modules/" + name); +in +{ + imports = [ + (mod "quassel.nix") + (mod "www/base.nix") + (usermod "tgsa.nix") + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + boot.initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "sd_mod" "sr_mod" ]; + + # Adjust to disk size increases + boot.growPartition = true; + + virtualisation.vmware.guest.enable = true; + virtualisation.vmware.guest.headless = true; + + nix.settings.trusted-users = [ "tazjin" ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/4c51357a-1e34-4b59-b169-63af1fcdce71"; + fsType = "ext4"; + }; + + networking = { + hostName = "polyanka"; + domain = "tazj.in"; + useDHCP = false; + + # Required for VPN usage + networkmanager.enable = true; + + interfaces.ens192 = { + ipv4.addresses = lib.singleton { + address = "159.253.30.129"; + prefixLength = 24; + }; + + ipv6.addresses = lib.singleton { + address = "2a02:750:7:3305::308"; + prefixLength = 64; + }; + }; + + defaultGateway = "159.253.30.1"; + defaultGateway6.address = "2a02:750:7:3305::1"; + + firewall.enable = true; + firewall.allowedTCPPorts = [ 22 80 443 ]; + + nameservers = [ + "79.99.4.100" + "79.99.4.101" + "2a02:751:aaaa::1" + "2a02:751:aaaa::2" + ]; + }; + + time.timeZone = "UTC"; + + security.acme.acceptTerms = true; + security.acme.certs."polyanka.tazj.in" = { + listenHTTP = ":80"; + email = "mail@tazj.in"; + group = "quassel"; + }; + + users.users.tazjin = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + shell = pkgs.fish; + openssh.authorizedKeys.keys = depot.users.tazjin.keys.all; + }; + + security.sudo.wheelNeedsPassword = false; + + 
services.depot.quassel = { + enable = true; + acmeHost = "polyanka.tazj.in"; + bindAddresses = [ + "0.0.0.0" + ]; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + curl + htop + jq + nmap + bat + emacs-nox + nano + wget + ]; + + programs.mtr.enable = true; + programs.mosh.enable = true; + services.openssh.enable = true; + + services.zerotierone.enable = true; + services.zerotierone.joinNetworks = [ + "35c192ce9bd4c8c7" + ]; + + system.stateVersion = "20.09"; +} diff --git a/users/tazjin/nixos/tverskoy/default.nix b/users/tazjin/nixos/tverskoy/default.nix new file mode 100644 index 000000000000..a1248c6c5dbd --- /dev/null +++ b/users/tazjin/nixos/tverskoy/default.nix 
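Review bot: On an internet-facing VPS this hunk combines `security.sudo.wheelNeedsPassword = false` with sshd left at its defaults, so whether SSH password logins are accepted depends on the nixpkgs default in use rather than on this file; pinning `services.openssh.passwordAuthentication = false;` (or `settings.PasswordAuthentication` on newer nixpkgs) next to the `authorizedKeys` list makes key-only access explicit, which is what the passwordless-sudo choice relies on. The firewall allows only 22, 80 and 443 while quassel is bound to `0.0.0.0`, so either the depot quassel module opens its own port or the listener is unreachable — a comment saying which would help. `security.acme.certs."polyanka.tazj.in".listenHTTP = ":80"` and the imported `www/base.nix` (presumably nginx) may also compete for port 80; worth confirming.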
@@ -0,0 +1,163 @@ +# tverskoy is my Thinkpad X13 AMD 1st gen +{ depot, lib, pkgs, ... }: + +config: +let + quasselClient = pkgs.quassel.override { + client = true; + enableDaemon = false; + monolithic = false; + }; + + mod = name: depot.path + ("/ops/modules/" + name); + usermod = name: depot.path + ("/users/tazjin/nixos/modules/" + name); +in +lib.fix (self: { + imports = [ + (mod "open_eid.nix") + (usermod "desktop.nix") + (usermod "fonts.nix") + (usermod "home-config.nix") + (usermod "laptop.nix") + (usermod "persistence.nix") + (usermod "physical.nix") + (usermod "zerotier.nix") + + (pkgs.home-manager.src + "/nixos") + ] ++ lib.optional (builtins.pathExists ./local-config.nix) ./local-config.nix; + + tvl.cache.enable = true; + + boot = rec { + initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + initrd.kernelModules = [ ]; + + # Restore /home to the blank snapshot, erasing all ephemeral data. + initrd.postDeviceCommands = lib.mkAfter '' + zfs rollback -r zpool/ephemeral/home@tazjin-clean + ''; + + # Install thinkpad modules for TLP + extraModulePackages = [ kernelPackages.acpi_call ]; + + kernelModules = [ "kvm-amd" "i2c_dev" ]; + kernelPackages = pkgs.linuxPackages_latest; + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + zfs.enableUnstable = true; + }; + + fileSystems = { + "/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "defaults" "size=8G" "mode=755" ]; + }; + + "/home" = { + device = "zpool/ephemeral/home"; + fsType = "zfs"; + }; + + "/nix" = { + device = "zpool/local/nix"; + fsType = "zfs"; + }; + + "/depot" = { + device = "zpool/safe/depot"; + fsType = "zfs"; + }; + + "/persist" = { + device = "zpool/safe/persist"; + fsType = "zfs"; + neededForBoot = true; + }; + + # SD card + "/mnt" = { + device = "/dev/disk/by-uuid/c602d703-f1b9-4a44-9e45-94dfe24bdaa8"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/BF4F-388B"; + fsType = "vfat"; + 
}; + }; + + hardware = { + cpu.amd.updateMicrocode = true; + enableRedistributableFirmware = true; + bluetooth.enable = true; + + opengl = { + enable = true; + extraPackages = with pkgs; [ + vaapiVdpau + libvdpau-va-gl + ]; + }; + }; + + networking = { + hostName = "tverskoy"; + hostId = "3c91827f"; + domain = "tvl.su"; + useDHCP = false; + networkmanager.enable = true; + firewall.enable = false; + + nameservers = [ + "8.8.8.8" + "8.8.4.4" + ]; + }; + + security.rtkit.enable = true; + + services = { + printing.enable = true; + + # expose i2c device as /dev/i2c-amdgpu-dm and make it user-accessible + # this is required for sending control commands to the Dasung screen. + udev.extraRules = '' + SUBSYSTEM=="i2c-dev", ACTION=="add", DEVPATH=="/devices/pci0000:00/0000:00:08.1/0000:06:00.0/i2c-5/i2c-dev/i2c-5", SYMLINK+="i2c-amdgpu-dm", TAG+="uaccess" + ''; + + xserver.videoDrivers = [ "amdgpu" ]; + + # Automatically collect garbage from the Nix store. + depot.automatic-gc = { + enable = true; + interval = "1 hour"; + diskThreshold = 16; # GiB + maxFreed = 10; # GiB + preserveGenerations = "14d"; + }; + }; + + systemd.user.services.lieer-tazjin = { + description = "Synchronise mail@tazj.in via lieer"; + script = "${pkgs.lieer}/bin/gmi sync"; + + serviceConfig = { + WorkingDirectory = "%h/mail/account.tazjin"; + Type = "oneshot"; + }; + }; + + systemd.user.timers.lieer-tazjin = { + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnActiveSec = "1"; + OnUnitActiveSec = "180"; + }; + }; + + services.tailscale.enable = true; + + system.stateVersion = "20.09"; +}) diff --git a/users/tazjin/nixos/zamalek/default.nix b/users/tazjin/nixos/zamalek/default.nix new file mode 100644 index 000000000000..71e230347a70 --- /dev/null +++ b/users/tazjin/nixos/zamalek/default.nix 
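Review bot: `firewall.enable = false` on a laptop that, per the README, travels with its owner means any service that later binds a non-loopback address (CUPS from `printing.enable`, the ZeroTier and Tailscale daemons, anything a home-manager module adds) is exposed on every hotel or café network it joins. Keeping the firewall on and relying on the imported zerotier module's `trustedInterfaces` (plus `trustedInterfaces = [ "tailscale0" ]` for Tailscale) gives the same reachability over the overlays without the public exposure; if it is off for a specific reason, that reason belongs in a comment. The udev rule granting `uaccess` on `i2c-5` is keyed to a full PCI `DEVPATH`, so a note that it must be regenerated if the GPU or slot changes would save some debugging later.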
@@ -0,0 +1,82 @@ +# zamalek is my Huawei MateBook X (unknown year) +{ depot, lib, pkgs, ... }: + +config: +let + mod = name: depot.path + ("/ops/modules/" + name); + usermod = name: depot.path + ("/users/tazjin/nixos/modules/" + name); + + zdevice = device: { + inherit device; + fsType = "zfs"; + }; +in +{ + imports = [ + (usermod "desktop.nix") + (usermod "fonts.nix") + (usermod "hidpi.nix") + (usermod "home-config.nix") + (usermod "laptop.nix") + (usermod "persistence.nix") + (usermod "physical.nix") + (usermod "zerotier.nix") + + (depot.third_party.impermanence + "/nixos.nix") + (pkgs.home-manager.src + "/nixos") + ] ++ lib.optional (builtins.pathExists ./local-config.nix) ./local-config.nix; + + tvl.cache.enable = true; + + boot = { + initrd.availableKernelModules = [ "nvme" "xhci_pci" ]; + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + supportedFilesystems = [ "zfs" ]; + zfs.devNodes = "/dev/"; + + extraModprobeConfig = '' + options snd_hda_intel power_save=1 + options iwlwifi power_save=1 + options iwldvm force_cam=0 + options i915 enable_guc=3 enable_fbc=1 + ''; + }; + + fileSystems = { + "/" = zdevice "zpool/ephemeral/root"; + "/home" = zdevice "zpool/ephemeral/home"; + "/persist" = zdevice "zpool/persistent/data" // { neededForBoot = true; }; + "/nix" = zdevice "zpool/persistent/nix"; + "/depot" = zdevice "zpool/persistent/depot"; + + "/boot" = { + device = "/dev/disk/by-uuid/2487-3908"; + fsType = "vfat"; + }; + }; + + networking = { + hostName = "zamalek"; + domain = "tvl.su"; + hostId = "ee399356"; + networkmanager.enable = true; + + nameservers = [ + "8.8.8.8" + "8.8.4.4" + ]; + }; + + hardware = { + cpu.intel.updateMicrocode = true; + bluetooth.enable = true; + enableRedistributableFirmware = true; + opengl.enable = true; + }; + + services.xserver.libinput.touchpad.clickMethod = "clickfinger"; + services.tailscale.enable = true; + + system.stateVersion = "21.11"; +} |