From dbea006c5066dd007e240f4fd4f7a0c7958d3ac4 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Mon, 12 Aug 2024 17:36:13 +0200 Subject: [PATCH] hosts/common: split into multiple files also add smartd, systemd-lock-handler and usbtop --- hosts/common/default.nix | 242 ++---------------- hosts/common/fonts.nix | 45 ++++ hosts/common/nix-builders/bob.nix | 26 +- hosts/common/nix-builders/isvegg.nix | 2 +- hosts/common/nix-builders/tsuki.nix | 20 +- hosts/common/nix.nix | 48 ++++ hosts/common/programs/gnupg.nix | 9 + hosts/common/programs/neovim.nix | 31 +++ hosts/common/programs/nix-ld.nix | 9 + hosts/common/programs/ssh.nix | 32 +++ hosts/common/programs/usbtop.nix | 22 ++ hosts/common/services/dbus.nix | 10 + hosts/common/services/openssh.nix | 12 + hosts/common/services/pcscd.nix | 4 + hosts/common/services/pipewire.nix | 9 + hosts/common/services/printing.nix | 4 + hosts/common/services/resolved.nix | 4 + hosts/common/services/smartd.nix | 4 + .../common/services/systemd-lock-handler.nix | 4 + hosts/common/services/xserver.nix | 25 ++ hosts/dosei/configuration.nix | 2 - 21 files changed, 323 insertions(+), 241 deletions(-) create mode 100644 hosts/common/fonts.nix create mode 100644 hosts/common/nix.nix create mode 100644 hosts/common/programs/gnupg.nix create mode 100644 hosts/common/programs/neovim.nix create mode 100644 hosts/common/programs/nix-ld.nix create mode 100644 hosts/common/programs/ssh.nix create mode 100644 hosts/common/programs/usbtop.nix create mode 100644 hosts/common/services/dbus.nix create mode 100644 hosts/common/services/openssh.nix create mode 100644 hosts/common/services/pcscd.nix create mode 100644 hosts/common/services/pipewire.nix create mode 100644 hosts/common/services/printing.nix create mode 100644 hosts/common/services/resolved.nix create mode 100644 hosts/common/services/smartd.nix create mode 100644 hosts/common/services/systemd-lock-handler.nix create mode 100644 hosts/common/services/xserver.nix 
diff --git a/hosts/common/default.nix b/hosts/common/default.nix index 12975d2..c1ca011 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix 
@@ -3,102 +3,28 @@ let inherit (config) machineVars; in { imports = [ - ./nix-builders/bob.nix - ./nix-builders/isvegg.nix - ./nix-builders/tsuki.nix + ./fonts.nix + ./nix.nix + + ./programs/gnupg.nix + ./programs/neovim.nix + ./programs/nix-ld.nix + ./programs/ssh.nix + ./programs/usbtop.nix + + ./services/dbus.nix + ./services/openssh.nix + ./services/pcscd.nix + ./services/pipewire.nix + ./services/printing.nix + ./services/resolved.nix + ./services/smartd.nix + ./services/systemd-lock-handler.nix + ./services/xserver.nix ]; sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml"; - sops.secrets = { - "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; }; - - "ssh/secret-config" = { - sopsFile = ./../../secrets/common.yaml; - mode = "0444"; - }; - }; - - nix = { - package = unstable-pkgs.nixVersions.stable; - distributedBuilds = config.networking.hostName != "tsuki"; - - settings = { - allow-dirty = true; - allowed-uris = [ "http://" "https://" ]; - auto-optimise-store = true; - binary-caches = [ "https://cache.nixos.org/" ]; - builders-use-substitutes = true; - experimental-features = [ "nix-command" "flakes" ]; - log-lines = 50; - trusted-users = [ "h7x4" "nix-builder" ]; - use-xdg-base-directories = true; - }; - - extraOptions = '' - !include ${config.sops.secrets."nix/access-tokens".path} - ''; - - registry = { - home.to = { - type = "path"; - path = "/home/h7x4/nix"; - }; - wack.to = { - type = "path"; - path = "/home/h7x4/git/wack-ctf-flake"; - }; - nxpt.to = { - type = "path"; - path = "/home/h7x4/git/nixpkgs-tools"; - }; - }; - }; - - programs.nix-ld = { - enable = true; - libraries = with pkgs; [ - libusb1 - ]; - }; - - programs.ssh = { - extraConfig = '' - Include ${config.sops.secrets."ssh/secret-config".path} - ''; - - knownHosts = { - bob = { - hostNames = [ - "bob.pvv.ntnu.no" - "bob.pvv.org" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSgh20qDIYEXiK4MUZhc879dJIyH0K/s0RZ+9wFI0F"; - }; - hildring = { 
- hostNames = [ - "hildring.pvv.ntnu.no" - "hildring.pvv.org" - "login.pvv.ntnu.no" - "login.pvv.org" - ]; - publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU="; - }; - isvegg = { - hostNames = [ - "isvegg.pvv.ntnu.no" - "isvegg.pvv.org" - ]; - publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU="; - }; - # tsukir = { - # hostNames = [ "nani.wtf" "gingakei.loginto.me" ]; - # # publicKeyFile = config.sops.secrets."ssh/nix-builders/tsuki/pub".path; - # publicKeyFile = "/var/keys/tsuki_nix-builder.pub"; - # }; - }; - }; - time.timeZone = "Europe/Oslo"; console = { @@ -162,49 +88,6 @@ in { else (lib.mkIf (fixDisplayCommand != null) fixDisplayCommand)); }; - fonts = { - fontDir.enable = true; - - enableDefaultPackages = true; - packages = with pkgs; [ - ark-pixel-font - cm_unicode - corefonts - dejavu_fonts - fira-code - fira-code-symbols - iosevka - ipaexfont - ipafont - liberation_ttf - migmix - noto-fonts - noto-fonts-cjk-sans - noto-fonts-cjk-serif - noto-fonts-emoji - ocr-a - open-sans - powerline-fonts - source-han-sans - source-sans - symbola - texlivePackages.asana-math - ubuntu_font_family - victor-mono - yasashisa-gothic - (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; }) - ]; - - fontconfig = { - defaultFonts = { - serif = [ "Droid Sans Serif" "Ubuntu" ]; - sansSerif = [ "Droid Sans" "Ubuntu" ]; - monospace = [ "Fira Code" "Ubuntu" ]; - emoji = [ "Noto Sans Emoji" ]; - }; - }; - }; - users = { users.h7x4 = { isNormalUser = true; 
@@ -233,21 +116,7 @@ in { }; services = { - tumbler.enable = !config.machineVars.headless; gnome.gnome-keyring.enable = !config.machineVars.headless; - printing.enable = !config.machineVars.headless; - - resolved.enable = true; - - openssh = { - startWhenNeeded = true; - settings = { - StreamLocalBindUnlink = true; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = "no"; - }; - }; udev.packages = with pkgs; [ yubikey-personalization @@ -255,49 +124,12 @@ in { light ]; - pcscd.enable = true; - - dbus = { - enable = true; - packages = with pkgs; [ - gcr - dconf - ]; - }; - libinput = { enable = !config.machineVars.headless; touchpad.disableWhileTyping = true; }; displayManager.defaultSession = "none+xmonad"; - - xserver = { - enable = !config.machineVars.headless; - - xkb = { - layout = "us"; - options = "caps:escape"; - }; - - desktopManager = { - xterm.enable = false; - xfce.enable = !config.machineVars.headless; - }; - - displayManager.lightdm.enable = !config.machineVars.headless; - - windowManager.xmonad = { - enable = true; - enableContribAndExtras = true; - enableConfiguredRecompile = true; - extraPackages = hPkgs: with hPkgs; [ - dbus - ]; - }; - - }; - }; programs = { @@ -305,38 +137,6 @@ in { git.enable = true; tmux.enable = true; zsh.enable = true; - - gnupg.agent.enable = true; - gnupg.agent.pinentryPackage = pkgs.pinentry-curses; - - neovim = { - enable = true; - defaultEditor = true; - viAlias = true; - vimAlias = true; - configure = { - packages.myVimPackage = with pkgs.vimPlugins; { - start = [ - direnv-vim - vim-nix - vim-polyglot - ]; - - opt = [ - vim-monokai - ]; - }; - - customRC = '' - set number relativenumber - set undofile - set undodir=~/.cache/vim/undodir - - packadd! vim-monokai - colorscheme monokai - ''; - }; - }; }; system.extraDependencies = 
@@ -379,12 +179,6 @@ in { ]); security.rtkit.enable = !config.machineVars.headless; - services.pipewire = { - enable = !config.machineVars.headless; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - }; security.sudo.extraConfig = let sudoLecture = pkgs.writeText "sudo-lecture.txt" (extendedLib.termColors.front.red "Be careful or something, idk...\n"); diff --git a/hosts/common/fonts.nix b/hosts/common/fonts.nix new file mode 100644 index 0000000..8e2cf40 --- /dev/null +++ b/hosts/common/fonts.nix @@ -0,0 +1,45 @@ +{ pkgs, ... }: +{ + fonts = { + fontDir.enable = true; + + enableDefaultPackages = true; + packages = with pkgs; [ + ark-pixel-font + cm_unicode + corefonts + dejavu_fonts + fira-code + fira-code-symbols + iosevka + ipaexfont + ipafont + liberation_ttf + migmix + noto-fonts + noto-fonts-cjk-sans + noto-fonts-cjk-serif + noto-fonts-emoji + ocr-a + open-sans + powerline-fonts + source-han-sans + source-sans + symbola + texlivePackages.asana-math + ubuntu_font_family + victor-mono + yasashisa-gothic + (nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; }) + ]; + + fontconfig = { + defaultFonts = { + serif = [ "Droid Sans Serif" "Ubuntu" ]; + sansSerif = [ "Droid Sans" "Ubuntu" ]; + monospace = [ "Fira Code" "Ubuntu" ]; + emoji = [ "Noto Sans Emoji" ]; + }; + }; + }; +} diff --git a/hosts/common/nix-builders/bob.nix b/hosts/common/nix-builders/bob.nix index b9de4a1..29e50bf 100644 --- a/hosts/common/nix-builders/bob.nix +++ b/hosts/common/nix-builders/bob.nix 
@@ -18,11 +18,21 @@
 # sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
 }];
 
- programs.ssh.extraConfig = ''
- Host nix-builder-bob
- HostName bob.pvv.ntnu.no
- ProxyJump nix-builder-isvegg
- User oysteikt
- IdentityFile ${config.sops.secrets."ssh/nix-builders/bob/key".path}
- '';
-}
\ No newline at end of file
+ programs.ssh = {
+ extraConfig = ''
+ Host nix-builder-bob
+ HostName bob.pvv.ntnu.no
+ ProxyJump nix-builder-isvegg
+ User oysteikt
+ IdentityFile ${config.sops.secrets."ssh/nix-builders/bob/key".path}
+ '';
+
+ knownHosts.bob = {
+ hostNames = [
+ "bob.pvv.ntnu.no"
+ "bob.pvv.org"
+ ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSgh20qDIYEXiK4MUZhc879dJIyH0K/s0RZ+9wFI0F";
+ };
+ };
+}
diff --git a/hosts/common/nix-builders/isvegg.nix b/hosts/common/nix-builders/isvegg.nix
index f04df30..65e937f 100644
--- a/hosts/common/nix-builders/isvegg.nix
+++ b/hosts/common/nix-builders/isvegg.nix
@@ -20,4 +20,4 @@
 User oysteikt
 IdentityFile ${config.sops.secrets."ssh/nix-builders/isvegg/key".path}
 '';
-}
\ No newline at end of file
+}
diff --git a/hosts/common/nix-builders/tsuki.nix b/hosts/common/nix-builders/tsuki.nix
index 1d3dacb..524532a 100644
--- a/hosts/common/nix-builders/tsuki.nix
+++ b/hosts/common/nix-builders/tsuki.nix
@@ -22,9 +22,17 @@
 sshKey = config.sops.secrets."ssh/nix-builders/tsuki/key".path;
 }];
 
- programs.ssh.extraConfig = ''
- Host nix-builder-tsukir
- HostName gingakei.loginto.me
- Port ${toString secrets.ports.ssh.home-in}
- '';
-}
\ No newline at end of file
+ programs.ssh = {
+ extraConfig = ''
+ Host nix-builder-tsukir
+ HostName gingakei.loginto.me
+ Port ${toString secrets.ports.ssh.home-in}
+ '';
+
+ # knownHosts.tsukir = {
+ # hostNames = [ "nani.wtf" "gingakei.loginto.me" ];
+ # # publicKeyFile = config.sops.secrets."ssh/nix-builders/tsuki/pub".path;
+ # publicKeyFile = "/var/keys/tsuki_nix-builder.pub";
+ # };
+ };
+}
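Review bot: The tsuki builder is the only one whose host key is still not pinned: `knownHosts.tsukir` stays commented out in tsuki.nix while bob.nix now carries `knownHosts.bob` inline, so connections to gingakei.loginto.me made by the nix daemon depend on whatever root's known_hosts happens to contain (a first connection without a tty fails, or trusts on first use if that was relaxed elsewhere). Pin the key inline the way bob.nix does, `knownHosts.tsukir = { hostNames = [ "[gingakei.loginto.me]:${toString secrets.ports.ssh.home-in}" ]; publicKey = "<tsuki host key — placeholder>"; };`, and drop the two `publicKeyFile` variants. Note the `[host]:port` form: because the Host alias uses a non-default `Port`, OpenSSH looks the entry up under that form, and a plain `gingakei.loginto.me` pin would not match. The `nani.wtf` name in the commented block should only be kept if it is reached on port 22.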
diff --git a/hosts/common/nix.nix b/hosts/common/nix.nix
new file mode 100644
index 0000000..d333de1
--- /dev/null
+++ b/hosts/common/nix.nix
@@ -0,0 +1,48 @@
+{ config, unstable-pkgs, ... }:
+{
+ imports = [
+ ./nix-builders/bob.nix
+ ./nix-builders/isvegg.nix
+ ./nix-builders/tsuki.nix
+ ];
+
+ sops.secrets = {
+ "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
+ };
+
+ nix = {
+ package = unstable-pkgs.nixVersions.stable;
+ distributedBuilds = config.networking.hostName != "tsuki";
+
+ settings = {
+ allow-dirty = true;
+ allowed-uris = [ "http://" "https://" ];
+ auto-optimise-store = true;
+ binary-caches = [ "https://cache.nixos.org/" ];
+ builders-use-substitutes = true;
+ experimental-features = [ "nix-command" "flakes" ];
+ log-lines = 50;
+ trusted-users = [ "h7x4" "nix-builder" ];
+ use-xdg-base-directories = true;
+ };
+
+ extraOptions = ''
+ !include ${config.sops.secrets."nix/access-tokens".path}
+ '';
+
+ registry = {
+ home.to = {
+ type = "path";
+ path = "/home/h7x4/nix";
+ };
+ wack.to = {
+ type = "path";
+ path = "/home/h7x4/git/wack-ctf-flake";
+ };
+ nxpt.to = {
+ type = "path";
+ path = "/home/h7x4/git/nixpkgs-tools";
+ };
+ };
+ };
+}
diff --git a/hosts/common/programs/gnupg.nix b/hosts/common/programs/gnupg.nix
new file mode 100644
index 0000000..c5fe85d
--- /dev/null
+++ b/hosts/common/programs/gnupg.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ programs.gnupg = {
+ agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-curses;
+ };
+ };
+}
diff --git a/hosts/common/programs/neovim.nix b/hosts/common/programs/neovim.nix
new file mode 100644
index 0000000..d0a85e7
--- /dev/null
+++ b/hosts/common/programs/neovim.nix
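Review bot: `binary-caches` in the new nix.nix settings block is the deprecated alias of `substituters`; since the file is being created fresh this is the moment to write `substituters = [ "https://cache.nixos.org/" ];` so the setting stops tripping the deprecation path in newer Nix. Two settings nearby deserve a one-line comment because their effect is not obvious from the file: `allowed-uris = [ "http://" "https://" ]` is a prefix list, so it permits every http(s) URL and only matters if restricted evaluation is ever switched on, and `trusted-users` grants the listed accounts daemon-level control equivalent to root, so `nix-builder` presumably belongs there only on the host that accepts remote builds (tsuki, going by `distributedBuilds`). Something like `# trusted-users is root-equivalent for the daemon; nix-builder is the account remote builders log in as` above the list would let the next reader judge that without digging.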
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ configure = {
+ packages.myVimPackage = with pkgs.vimPlugins; {
+ start = [
+ direnv-vim
+ vim-nix
+ vim-polyglot
+ ];
+
+ opt = [
+ vim-monokai
+ ];
+ };
+
+ customRC = ''
+ set number relativenumber
+ set undofile
+ set undodir=~/.cache/vim/undodir
+
+ packadd! vim-monokai
+ colorscheme monokai
+ '';
+ };
+ };
+}
diff --git a/hosts/common/programs/nix-ld.nix b/hosts/common/programs/nix-ld.nix
new file mode 100644
index 0000000..4b9476f
--- /dev/null
+++ b/hosts/common/programs/nix-ld.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ programs.nix-ld = {
+ enable = true;
+ libraries = with pkgs; [
+ libusb1
+ ];
+ };
+}
diff --git a/hosts/common/programs/ssh.nix b/hosts/common/programs/ssh.nix
new file mode 100644
index 0000000..8029199
--- /dev/null
+++ b/hosts/common/programs/ssh.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+{
+ sops.secrets."ssh/secret-config" = {
+ sopsFile = ./../../../secrets/common.yaml;
+ mode = "0444";
+ };
+
+ programs.ssh = {
+ extraConfig = ''
+ Include ${config.sops.secrets."ssh/secret-config".path}
+ '';
+
+ knownHosts = {
+ hildring = {
+ hostNames = [
+ "hildring.pvv.ntnu.no"
+ "hildring.pvv.org"
+ "login.pvv.ntnu.no"
+ "login.pvv.org"
+ ];
+ publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
+ };
+ isvegg = {
+ hostNames = [
+ "isvegg.pvv.ntnu.no"
+ "isvegg.pvv.org"
+ ];
+ publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
+ };
+ };
+ };
+}
diff --git a/hosts/common/programs/usbtop.nix b/hosts/common/programs/usbtop.nix
new file mode 100644
index 0000000..b6b69b6
--- /dev/null
+++ b/hosts/common/programs/usbtop.nix
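Review bot: The `hildring` and `isvegg` entries in ssh.nix's `knownHosts` pin a byte-identical ecdsa-sha2-nistp256 key; if those are two separate machines one of the pins is almost certainly a copy-paste, and the wrong one will make OpenSSH refuse the connection with a host-key mismatch rather than accept it silently, which matters here because bob.nix's `ProxyJump nix-builder-isvegg` hop depends on the isvegg pin being correct. Verify both against the hosts' actual keys before merging and, for consistency with the commit's own layout (bob's pin now lives next to its `Host` alias in nix-builders/bob.nix), move the isvegg entry into nix-builders/isvegg.nix. The `mode = "0444"` on `sops.secrets."ssh/secret-config"` is presumably deliberate, since the included file becomes part of the system-wide ssh_config that every user's ssh client reads, but a reader of this file alone will see a world-readable "secret"; a comment such as `# world-readable on purpose: this is included from /etc/ssh/ssh_config, so keep only host aliases here, never key material` records the constraint.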
@@ -0,0 +1,22 @@
+{ pkgs, lib, ... }:
+{
+ # programs.usbtop.enable = true;
+
+ boot.kernelModules = [ "usbmon" ];
+
+ security.wrappers."usbtop" = {
+ owner = "root";
+ group = "usbmon";
+ setgid = true;
+ source = lib.getExe pkgs.usbtop;
+ };
+
+ users.groups.usbmon = {
+ # NOTE: picked at random
+ gid = 872;
+ };
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usbmon", MODE="0660", OWNER="root", GROUP="usbmon"
+ '';
+}
diff --git a/hosts/common/services/dbus.nix b/hosts/common/services/dbus.nix
new file mode 100644
index 0000000..3fd6baf
--- /dev/null
+++ b/hosts/common/services/dbus.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+ services.dbus = {
+ enable = true;
+ packages = with pkgs; [
+ gcr
+ dconf
+ ];
+ };
+}
diff --git a/hosts/common/services/openssh.nix b/hosts/common/services/openssh.nix
new file mode 100644
index 0000000..c7b9c31
--- /dev/null
+++ b/hosts/common/services/openssh.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ services.openssh = {
+ startWhenNeeded = true;
+ settings = {
+ StreamLocalBindUnlink = true;
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+}
diff --git a/hosts/common/services/pcscd.nix b/hosts/common/services/pcscd.nix
new file mode 100644
index 0000000..54d9474
--- /dev/null
+++ b/hosts/common/services/pcscd.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.pcscd.enable = true;
+}
diff --git a/hosts/common/services/pipewire.nix b/hosts/common/services/pipewire.nix
new file mode 100644
index 0000000..b538da9
--- /dev/null
+++ b/hosts/common/services/pipewire.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+{
+ services.pipewire = {
+ enable = !config.machineVars.headless;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+}
diff --git a/hosts/common/services/printing.nix b/hosts/common/services/printing.nix
new file mode 100644
index 0000000..65fe52c
--- /dev/null
+++ b/hosts/common/services/printing.nix
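Review bot: The `security.wrappers."usbtop"` setgid wrapper in usbtop.nix is executable by every local account because `permissions` is left at its default, so it hands out exactly the `usbmon` group that the udev rule's `MODE="0660"` was written to gate; the 0660 restriction on the usbmon devices therefore restricts nobody, and raw USB capture (which includes input-device traffic) becomes available to any user on every host importing this file. If only particular accounts should capture, restrict the wrapper with `permissions = "u+rx,g+rx";` and put those accounts in `users.users.<name>.extraGroups = [ "usbmon" ]`, or drop the wrapper entirely and rely on group membership; if every account is meant to have it, say so in a comment on the wrapper so the choice is visible. The static `gid = 872` with `# NOTE: picked at random` can collide with another fixed-gid group on a host; NixOS' `ids.gids` is where such numbers are normally reserved, and it is worth stating why a fixed gid is needed at all (presumably so the udev rule and the wrapper agree across rebuilds — confirm).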
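Review bot: openssh.nix sets `startWhenNeeded` and the hardening settings but never `enable`, and nothing in the file says that this is intentional; the reader has to find hosts/dosei/configuration.nix to learn that sshd is turned on per host. A comment at the top of the `services.openssh` block, `# enable is decided per host (e.g. hosts/dosei/configuration.nix); this file only hardens sshd wherever it is switched on`, makes the split explicit and keeps someone from "fixing" it by adding `enable = true` globally.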
@@ -0,0 +1,4 @@
+{ config, ... }:
+{
+ services.printing.enable = !config.machineVars.headless;
+}
diff --git a/hosts/common/services/resolved.nix b/hosts/common/services/resolved.nix
new file mode 100644
index 0000000..987b58f
--- /dev/null
+++ b/hosts/common/services/resolved.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.resolved.enable = true;
+}
diff --git a/hosts/common/services/smartd.nix b/hosts/common/services/smartd.nix
new file mode 100644
index 0000000..09751aa
--- /dev/null
+++ b/hosts/common/services/smartd.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.smartd.enable = true;
+}
diff --git a/hosts/common/services/systemd-lock-handler.nix b/hosts/common/services/systemd-lock-handler.nix
new file mode 100644
index 0000000..c61dc59
--- /dev/null
+++ b/hosts/common/services/systemd-lock-handler.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.systemd-lock-handler.enable = true;
+}
diff --git a/hosts/common/services/xserver.nix b/hosts/common/services/xserver.nix
new file mode 100644
index 0000000..caabc5b
--- /dev/null
+++ b/hosts/common/services/xserver.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ services.xserver = {
+ enable = !config.machineVars.headless;
+
+ xkb = {
+ layout = "us";
+ options = "caps:escape";
+ };
+
+ # desktopManager = {
+ # xterm.enable = false;
+ # xfce.enable = !config.machineVars.headless;
+ # };
+
+ displayManager.lightdm.enable = !config.machineVars.headless;
+
+ windowManager.xmonad = {
+ enable = true;
+ enableContribAndExtras = true;
+ enableConfiguredRecompile = true;
+ extraPackages = hPkgs: with hPkgs; [ dbus ];
+ };
+ };
+}
diff --git a/hosts/dosei/configuration.nix b/hosts/dosei/configuration.nix
index aa9acc9..fa20e8c 100644
--- a/hosts/dosei/configuration.nix
+++ b/hosts/dosei/configuration.nix
@@ -66,8 +66,6 @@
 # hostId = "";
 };
 
- programs.usbtop.enable = true;
-
 services = {
 openssh = {
 enable = true;
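Review bot: xserver.nix comments out the `desktopManager` block instead of moving it, which is a behaviour change hidden inside a "split into multiple files" commit: xfce is no longer enabled on non-headless hosts, and the explicit `xterm.enable = false` is gone too (whether the xterm session then comes back depends on the module's default for this stateVersion — confirm). The related `tumbler.enable` line was deleted from default.nix in the same commit with no new home, which fits dropping xfce but is likewise unmentioned. If this is intended, replace the commented block with a one-line comment such as `# xfce/tumbler dropped on purpose; only xmonad under lightdm is configured here` and note it in the commit message; if not, restore the block as `desktopManager = { xterm.enable = false; xfce.enable = !config.machineVars.headless; };` and re-add tumbler alongside it.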