hosts/common: split into multiple files

also add smartd, systemd-lock-handler and usbtop
This commit is contained in:
Oystein Kristoffer Tveit 2024-08-12 17:36:13 +02:00
parent feb001699d
commit dbea006c50
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
21 changed files with 323 additions and 241 deletions


@ -3,102 +3,28 @@ let
inherit (config) machineVars; inherit (config) machineVars;
in { in {
imports = [ imports = [
./nix-builders/bob.nix ./fonts.nix
./nix-builders/isvegg.nix ./nix.nix
./nix-builders/tsuki.nix
./programs/gnupg.nix
./programs/neovim.nix
./programs/nix-ld.nix
./programs/ssh.nix
./programs/usbtop.nix
./services/dbus.nix
./services/openssh.nix
./services/pcscd.nix
./services/pipewire.nix
./services/printing.nix
./services/resolved.nix
./services/smartd.nix
./services/systemd-lock-handler.nix
./services/xserver.nix
]; ];
sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml"; sops.defaultSopsFile = ./../.. + "/secrets/${config.networking.hostName}.yaml";
sops.secrets = {
"nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
"ssh/secret-config" = {
sopsFile = ./../../secrets/common.yaml;
mode = "0444";
};
};
nix = {
package = unstable-pkgs.nixVersions.stable;
distributedBuilds = config.networking.hostName != "tsuki";
settings = {
allow-dirty = true;
allowed-uris = [ "http://" "https://" ];
auto-optimise-store = true;
binary-caches = [ "https://cache.nixos.org/" ];
builders-use-substitutes = true;
experimental-features = [ "nix-command" "flakes" ];
log-lines = 50;
trusted-users = [ "h7x4" "nix-builder" ];
use-xdg-base-directories = true;
};
extraOptions = ''
!include ${config.sops.secrets."nix/access-tokens".path}
'';
registry = {
home.to = {
type = "path";
path = "/home/h7x4/nix";
};
wack.to = {
type = "path";
path = "/home/h7x4/git/wack-ctf-flake";
};
nxpt.to = {
type = "path";
path = "/home/h7x4/git/nixpkgs-tools";
};
};
};
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
libusb1
];
};
programs.ssh = {
extraConfig = ''
Include ${config.sops.secrets."ssh/secret-config".path}
'';
knownHosts = {
bob = {
hostNames = [
"bob.pvv.ntnu.no"
"bob.pvv.org"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSgh20qDIYEXiK4MUZhc879dJIyH0K/s0RZ+9wFI0F";
};
hildring = {
hostNames = [
"hildring.pvv.ntnu.no"
"hildring.pvv.org"
"login.pvv.ntnu.no"
"login.pvv.org"
];
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
};
isvegg = {
hostNames = [
"isvegg.pvv.ntnu.no"
"isvegg.pvv.org"
];
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
};
# tsukir = {
# hostNames = [ "nani.wtf" "gingakei.loginto.me" ];
# # publicKeyFile = config.sops.secrets."ssh/nix-builders/tsuki/pub".path;
# publicKeyFile = "/var/keys/tsuki_nix-builder.pub";
# };
};
};
time.timeZone = "Europe/Oslo"; time.timeZone = "Europe/Oslo";
console = { console = {
@ -162,49 +88,6 @@ in {
else (lib.mkIf (fixDisplayCommand != null) fixDisplayCommand)); else (lib.mkIf (fixDisplayCommand != null) fixDisplayCommand));
}; };
fonts = {
fontDir.enable = true;
enableDefaultPackages = true;
packages = with pkgs; [
ark-pixel-font
cm_unicode
corefonts
dejavu_fonts
fira-code
fira-code-symbols
iosevka
ipaexfont
ipafont
liberation_ttf
migmix
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk-serif
noto-fonts-emoji
ocr-a
open-sans
powerline-fonts
source-han-sans
source-sans
symbola
texlivePackages.asana-math
ubuntu_font_family
victor-mono
yasashisa-gothic
(nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
];
fontconfig = {
defaultFonts = {
serif = [ "Droid Sans Serif" "Ubuntu" ];
sansSerif = [ "Droid Sans" "Ubuntu" ];
monospace = [ "Fira Code" "Ubuntu" ];
emoji = [ "Noto Sans Emoji" ];
};
};
};
users = { users = {
users.h7x4 = { users.h7x4 = {
isNormalUser = true; isNormalUser = true;
@ -233,21 +116,7 @@ in {
}; };
services = { services = {
tumbler.enable = !config.machineVars.headless;
gnome.gnome-keyring.enable = !config.machineVars.headless; gnome.gnome-keyring.enable = !config.machineVars.headless;
printing.enable = !config.machineVars.headless;
resolved.enable = true;
openssh = {
startWhenNeeded = true;
settings = {
StreamLocalBindUnlink = true;
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
udev.packages = with pkgs; [ udev.packages = with pkgs; [
yubikey-personalization yubikey-personalization
@ -255,49 +124,12 @@ in {
light light
]; ];
pcscd.enable = true;
dbus = {
enable = true;
packages = with pkgs; [
gcr
dconf
];
};
libinput = { libinput = {
enable = !config.machineVars.headless; enable = !config.machineVars.headless;
touchpad.disableWhileTyping = true; touchpad.disableWhileTyping = true;
}; };
displayManager.defaultSession = "none+xmonad"; displayManager.defaultSession = "none+xmonad";
xserver = {
enable = !config.machineVars.headless;
xkb = {
layout = "us";
options = "caps:escape";
};
desktopManager = {
xterm.enable = false;
xfce.enable = !config.machineVars.headless;
};
displayManager.lightdm.enable = !config.machineVars.headless;
windowManager.xmonad = {
enable = true;
enableContribAndExtras = true;
enableConfiguredRecompile = true;
extraPackages = hPkgs: with hPkgs; [
dbus
];
};
};
}; };
programs = { programs = {
@ -305,38 +137,6 @@ in {
git.enable = true; git.enable = true;
tmux.enable = true; tmux.enable = true;
zsh.enable = true; zsh.enable = true;
gnupg.agent.enable = true;
gnupg.agent.pinentryPackage = pkgs.pinentry-curses;
neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
configure = {
packages.myVimPackage = with pkgs.vimPlugins; {
start = [
direnv-vim
vim-nix
vim-polyglot
];
opt = [
vim-monokai
];
};
customRC = ''
set number relativenumber
set undofile
set undodir=~/.cache/vim/undodir
packadd! vim-monokai
colorscheme monokai
'';
};
};
}; };
system.extraDependencies = system.extraDependencies =
@ -379,12 +179,6 @@ in {
]); ]);
security.rtkit.enable = !config.machineVars.headless; security.rtkit.enable = !config.machineVars.headless;
services.pipewire = {
enable = !config.machineVars.headless;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
security.sudo.extraConfig = let security.sudo.extraConfig = let
sudoLecture = pkgs.writeText "sudo-lecture.txt" (extendedLib.termColors.front.red "Be careful or something, idk...\n"); sudoLecture = pkgs.writeText "sudo-lecture.txt" (extendedLib.termColors.front.red "Be careful or something, idk...\n");
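Review bot: `tumbler.enable = !config.machineVars.headless;` in the services hunk (`@ -233,21 +116,7`) is printed on one side only and does not reappear in any of the new files this commit adds, so the thumbnailer service looks to be dropped silently; if that is intended it belongs in the commit message, otherwise it needs a home like the other moved options (for example a `services/tumbler.nix` alongside `pcscd.nix`). The other removals in that hunk (the sshd settings) do land in `services/openssh.nix`, so tumbler appears to be the only orphan. This rendering does not mark the side of single-printed lines, so the removal is inferred from the absence in the new files rather than from a diff marker.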

45
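--- /dev/null
+++ b/hosts/common/fonts.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+fonts = {
+fontDir.enable = true;
+enableDefaultPackages = true;
+packages = with pkgs; [
+ark-pixel-font
+cm_unicode
+corefonts
+dejavu_fonts
+fira-code
+fira-code-symbols
+iosevka
+ipaexfont
+ipafont
+liberation_ttf
+migmix
+noto-fonts
+noto-fonts-cjk-sans
+noto-fonts-cjk-serif
+noto-fonts-emoji
+ocr-a
+open-sans
+powerline-fonts
+source-han-sans
+source-sans
+symbola
+texlivePackages.asana-math
+ubuntu_font_family
+victor-mono
+yasashisa-gothic
+(nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
+];
+fontconfig = {
+defaultFonts = {
+serif = [ "Droid Sans Serif" "Ubuntu" ];
+sansSerif = [ "Droid Sans" "Ubuntu" ];
+monospace = [ "Fira Code" "Ubuntu" ];
+emoji = [ "Noto Sans Emoji" ];
+};
+};
+};
+}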


@ -18,11 +18,21 @@
# sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path; # sshKey = config.sops.secrets."ssh/nix-builders/bob/key".path;
}]; }];
programs.ssh.extraConfig = '' programs.ssh = {
Host nix-builder-bob extraConfig = ''
HostName bob.pvv.ntnu.no Host nix-builder-bob
ProxyJump nix-builder-isvegg HostName bob.pvv.ntnu.no
User oysteikt ProxyJump nix-builder-isvegg
IdentityFile ${config.sops.secrets."ssh/nix-builders/bob/key".path} User oysteikt
''; IdentityFile ${config.sops.secrets."ssh/nix-builders/bob/key".path}
} '';
knownHosts.bob = {
hostNames = [
"bob.pvv.ntnu.no"
"bob.pvv.org"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSgh20qDIYEXiK4MUZhc879dJIyH0K/s0RZ+9wFI0F";
};
};
}


@ -20,4 +20,4 @@
User oysteikt User oysteikt
IdentityFile ${config.sops.secrets."ssh/nix-builders/isvegg/key".path} IdentityFile ${config.sops.secrets."ssh/nix-builders/isvegg/key".path}
''; '';
} }


@ -22,9 +22,17 @@
sshKey = config.sops.secrets."ssh/nix-builders/tsuki/key".path; sshKey = config.sops.secrets."ssh/nix-builders/tsuki/key".path;
}]; }];
programs.ssh.extraConfig = '' programs.ssh = {
Host nix-builder-tsukir extraConfig = ''
HostName gingakei.loginto.me Host nix-builder-tsukir
Port ${toString secrets.ports.ssh.home-in} HostName gingakei.loginto.me
''; Port ${toString secrets.ports.ssh.home-in}
} '';
# knownHosts.tsukir = {
# hostNames = [ "nani.wtf" "gingakei.loginto.me" ];
# # publicKeyFile = config.sops.secrets."ssh/nix-builders/tsuki/pub".path;
# publicKeyFile = "/var/keys/tsuki_nix-builder.pub";
# };
};
}
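Review bot: `knownHosts.tsukir` is carried over still commented out, so this module pins no host key for `gingakei.loginto.me` even though `Host nix-builder-tsukir` points the remote builder at it; the build connection therefore depends on whatever known_hosts the building user already has, which is trust-on-first-use for a machine that ships builds. The commented `publicKeyFile = "/var/keys/tsuki_nix-builder.pub";` suggests the key is available out of band; if it is, uncommenting the entry (or inlining `publicKey`) is a two-line change and keeps the builder on a par with the bob entry added in this same commit. The hunk's enclosing attribute set starts before the hunk.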

48
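--- /dev/null
+++ b/hosts/common/nix.nix
@@ -0,0 +1,48 @@
+{ config, unstable-pkgs, ... }:
+{
+imports = [
+./nix-builders/bob.nix
+./nix-builders/isvegg.nix
+./nix-builders/tsuki.nix
+];
+sops.secrets = {
+"nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
+};
+nix = {
+package = unstable-pkgs.nixVersions.stable;
+distributedBuilds = config.networking.hostName != "tsuki";
+settings = {
+allow-dirty = true;
+allowed-uris = [ "http://" "https://" ];
+auto-optimise-store = true;
+binary-caches = [ "https://cache.nixos.org/" ];
+builders-use-substitutes = true;
+experimental-features = [ "nix-command" "flakes" ];
+log-lines = 50;
+trusted-users = [ "h7x4" "nix-builder" ];
+use-xdg-base-directories = true;
+};
+extraOptions = ''
+!include ${config.sops.secrets."nix/access-tokens".path}
+'';
+registry = {
+home.to = {
+type = "path";
+path = "/home/h7x4/nix";
+};
+wack.to = {
+type = "path";
+path = "/home/h7x4/git/wack-ctf-flake";
+};
+nxpt.to = {
+type = "path";
+path = "/home/h7x4/git/nixpkgs-tools";
+};
+};
+};
+}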
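Review bot: `binary-caches = [ "https://cache.nixos.org/" ];` in the new `nix.settings` uses the deprecated alias; the current option name is `substituters`, so `substituters = [ "https://cache.nixos.org/" ];` keeps the same behaviour without the deprecation warning. The `trusted-users = [ "h7x4" "nix-builder" ];` line deserves a why-comment, since a trusted user can add substituters and import unsigned paths into the store (effectively root on the daemon); presumably `nix-builder` needs it because remote build clients upload unsigned closures, e.g. `# nix-builder: remote build clients push unsigned closures, which requires daemon trust`.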


@ -0,0 +1,9 @@
{ pkgs, ... }:
{
programs.gnupg = {
agent = {
enable = true;
pinentryPackage = pkgs.pinentry-curses;
};
};
}


@ -0,0 +1,31 @@
{ pkgs, ... }:
{
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
configure = {
packages.myVimPackage = with pkgs.vimPlugins; {
start = [
direnv-vim
vim-nix
vim-polyglot
];
opt = [
vim-monokai
];
};
customRC = ''
set number relativenumber
set undofile
set undodir=~/.cache/vim/undodir
packadd! vim-monokai
colorscheme monokai
'';
};
};
}


@ -0,0 +1,9 @@
{ pkgs, ... }:
{
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
libusb1
];
};
}


@ -0,0 +1,32 @@
{ config, ... }:
{
sops.secrets."ssh/secret-config" = {
sopsFile = ./../../../secrets/common.yaml;
mode = "0444";
};
programs.ssh = {
extraConfig = ''
Include ${config.sops.secrets."ssh/secret-config".path}
'';
knownHosts = {
hildring = {
hostNames = [
"hildring.pvv.ntnu.no"
"hildring.pvv.org"
"login.pvv.ntnu.no"
"login.pvv.org"
];
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
};
isvegg = {
hostNames = [
"isvegg.pvv.ntnu.no"
"isvegg.pvv.org"
];
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
};
};
};
}
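Review bot: `knownHosts.hildring` and `knownHosts.isvegg` carry byte-identical `ecdsa-sha2-nistp256` public keys; if hildring and isvegg are separate machines, one entry is a copy of the other and host-key verification for that host will fail (and the pin cannot tell the two hosts apart). If they genuinely share a host key, a comment above the second entry, e.g. `# same host key as hildring — intentional`, would stop the next reader from "fixing" it. The entries were moved unchanged from default.nix, so this predates the split. `mode = "0444";` on the decrypted `ssh/secret-config` makes it readable by every local account, which follows from it being `Include`d from the system-wide ssh_config, but that trade-off is worth stating in a comment on the secret.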


@ -0,0 +1,22 @@
{ pkgs, lib, ... }:
{
# programs.usbtop.enable = true;
boot.kernelModules = [ "usbmon" ];
security.wrappers."usbtop" = {
owner = "root";
group = "usbmon";
setgid = true;
source = lib.getExe pkgs.usbtop;
};
users.groups.usbmon = {
# NOTE: picked at random
gid = 872;
};
services.udev.extraRules = ''
SUBSYSTEM=="usbmon", MODE="0660", OWNER="root", GROUP="usbmon"
'';
}
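Review bot: `security.wrappers."usbtop"` is setgid `usbmon` but sets no `permissions`, so the wrapper keeps the NixOS default of being executable by everyone, and any local account can run it and read raw USB traffic through the `usbmon` nodes the udev rule opens to that group, which includes HID reports from keyboards and the YubiKey traffic this configuration handles elsewhere. If the intent is only to let the admin user capture, either add `permissions = "u+rx,g+rx";` together with a `group` that only trusted users belong to, or drop the wrapper entirely and add the user to `users.groups.usbmon.members` so membership alone gates access. `boot.kernelModules = [ "usbmon" ];` also loads the capture module on every host importing this file; a comment stating that this is wanted on headless machines too would make that choice explicit.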


@ -0,0 +1,10 @@
{ pkgs, ... }:
{
services.dbus = {
enable = true;
packages = with pkgs; [
gcr
dconf
];
};
}


@ -0,0 +1,12 @@
{ ... }:
{
services.openssh = {
startWhenNeeded = true;
settings = {
StreamLocalBindUnlink = true;
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
}


@ -0,0 +1,4 @@
{ ... }:
{
services.pcscd.enable = true;
}


@ -0,0 +1,9 @@
{ config, ... }:
{
services.pipewire = {
enable = !config.machineVars.headless;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
}


@ -0,0 +1,4 @@
{ config, ... }:
{
services.printing.enable = !config.machineVars.headless;
}


@ -0,0 +1,4 @@
{ ... }:
{
services.resolved.enable = true;
}


@ -0,0 +1,4 @@
{ ... }:
{
services.smartd.enable = true;
}


@ -0,0 +1,4 @@
{ ... }:
{
services.systemd-lock-handler.enable = true;
}


@ -0,0 +1,25 @@
{ config, ... }:
{
services.xserver = {
enable = !config.machineVars.headless;
xkb = {
layout = "us";
options = "caps:escape";
};
# desktopManager = {
# xterm.enable = false;
# xfce.enable = !config.machineVars.headless;
# };
displayManager.lightdm.enable = !config.machineVars.headless;
windowManager.xmonad = {
enable = true;
enableContribAndExtras = true;
enableConfiguredRecompile = true;
extraPackages = hPkgs: with hPkgs; [ dbus ];
};
};
}
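Review bot: the `desktopManager` block arrives commented out instead of being kept or removed, so `xfce.enable = !config.machineVars.headless;` and `xterm.enable = false;` silently stop applying on every host that imports this module, a behaviour change the commit message ("split into multiple files") does not mention. If XFCE is meant to go, delete the dead block and say so in the message; if not, uncomment it. With `xterm.enable` no longer forced off, the xterm session entry falls back to the NixOS default for the release in use (it defaulted to on in older releases), which may reappear in the lightdm session list.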


@ -66,8 +66,6 @@
# hostId = ""; # hostId = "";
}; };
programs.usbtop.enable = true;
services = { services = {
openssh = { openssh = {
enable = true; enable = true;