diff --git a/base.nix b/base.nix index 4dd8df1..aee07b5 100644 --- a/base.nix +++ b/base.nix @@ -26,6 +26,9 @@ smartmontools testdisk usbutils + ] ++ lib.optionals (builtins.elem config.nixpkgs.system [ "x86_64-linux" "aarch64_linux"]) [ + cage + weston ]; # TODO: selectively whitelist? @@ -33,7 +36,6 @@ nixpkgs.config.allowUnfreePredicate = (pkg: true); nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg - # TODO: per host? hardware.enableRedistributableFirmware = true; nix.settings.experimental-features = [ @@ -49,10 +51,8 @@ nix.gc.automatic = true; nix.gc.dates = "weekly"; nix.gc.options = "--delete-older-than 30d"; - nix.extraOptions = '' - min-free = ${toString (1 * 1024 * 1024 * 1024)} - max-free = ${toString (5 * 1024 * 1024 * 1024)} - ''; + nix.settings.min-free = 1 * 1024 * 1024 * 1024; + nix.settings.max-free = 5 * 1024 * 1024 * 1024; services.thermald.enable = lib.mkIf (config.nixpkgs.system == "x86_64-linux") true; @@ -67,7 +67,5 @@ noto-fonts-extra ]; - # firewall - services.fail2ban.enable = config.services.openssh.enable; networking.firewall.enable = true; # default } diff --git a/cheatsheet.md b/cheatsheet.md index 6fc65d2..f951fd6 100644 --- a/cheatsheet.md +++ b/cheatsheet.md 
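Review bot: In the first base.nix hunk, the added `lib.optionals` guard spells the ARM platform as `"aarch64_linux"` with an underscore, but Nix system strings use a hyphen (`"aarch64-linux"`), so `builtins.elem` can never match on an ARM host. Because this commit also deletes the per-host `cage`/`weston` lists, any aarch64 machine among those hosts would silently lose both packages; the diff does not show which hosts are ARM. The line should read `] ++ lib.optionals (builtins.elem config.nixpkgs.system [ "x86_64-linux" "aarch64-linux" ]) [`. The enclosing package list starts outside the hunk.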
@@ -1,48 +1,8 @@ -# How to deploy - * https://nixos.wiki/wiki/Nixos-rebuild * https://www.haskellforall.com/2023/01/announcing-nixos-rebuild-new-deployment.html -Build locally, deploy on local, with `nom`: - - sudo true && sudo nixos-rebuild test --flake . --recreate-lock-file --no-write-lock-file |& nom - -Via git, build on remote: - - ssh -t HOST sudo nixos-rebuild test --flake git+ssh://gitea@gitea.noximilien.pbsds.net/pbsds/nix-config.git --recreate-lock-file --no-write-lock-file - # or - ssh -t HOST sudo nixos-rebuild test --flake git+ssh://git@github.com/pbsds/nix-dotfiles.git --recreate-lock-file --no-write-lock-file - -Via `remote-exec`, build on remote: - - nix develop .#remote - remote-set FOOBAR - remote sudo nixos-rebuild test --flake . --recreate-lock-file --no-write-lock-file - -From local checkout to remote where you're not a trusted user, via `tar` build on remote: - - tar cf - --directory="$(nix eval --raw .#inputs.self.outPath)" . | ssh -tt HOST -- bash -c '"set -x; cd $(mktemp -d); tar xf - && nixos-rebuild test --flake . \"\$@\""' -- --print-build-logs --recreate-lock-file --no-write-lock-file - -> TODO: ^ doesn't work, as tar consumes the stdin leaving sudo without one... - -.. wait doesn't that litter `/tmp` or `/run/user/.../tmp`? - - ¯\_(ツ)_/¯ - -From local checkout to remote if local nix daemon has ssh keys, then build on remote: - - nix copy --from "$(nix eval .#inputs.self.outPath)" --to TODO - -Build locally, copy to remote - - TODO - # How to evaluate the nixos flake/configuration.nix, checking if the drv hash is equal Flakes: nix eval .#nixosConfigurations.HOSTNAME.config.system.build.toplevel.outPath - -Non-flake: - - nix-instantiate '' -A system -I nixos-config=./configuration.nix diff --git a/hosts/bolle/default.nix b/hosts/bolle/default.nix index fb4ff53..04fd39b 100644 --- a/hosts/bolle/default.nix +++ b/hosts/bolle/default.nix 
@@ -29,30 +29,6 @@ # Networking networking.networkmanager.enable = true; - /** / - #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - #networking.iwd.enable = true - networking.interfaces.eno1.ipv4.addresses = [ - { address = "129.241.105.252"; prefixLength = 23; } - ]; - networking.defaultGateway.address = "192.241.104.1"; - networking.defaultGateway.interface = "eno1"; - networking.nameservers = [ - "129.241.0.200" - "129.241.0.201" - #"2001:700:300::200" - #"2001:700:300::201" - "8.8.8.8" - "1.1.1.1" - ]; - /**/ - - # Installed system packages - environment.systemPackages = with pkgs; [ - cage - weston - ]; - # TODO: remove? Move? programs.dconf.enable = true; } diff --git a/hosts/eple/default.nix b/hosts/eple/default.nix index 91ee71f..c480bed 100644 --- a/hosts/eple/default.nix +++ b/hosts/eple/default.nix @@ -42,12 +42,6 @@ networking.networkmanager.insertNameservers = config.networking.nameservers; # wtf - # Installed system packages - environment.systemPackages = with pkgs; [ - cage - weston - ]; - # TODO: remove? Move? programs.dconf.enable = true; } diff --git a/hosts/garp/default.nix b/hosts/garp/default.nix index 9471c6b..9683320 100644 --- a/hosts/garp/default.nix +++ b/hosts/garp/default.nix @@ -51,12 +51,6 @@ # Networking networking.networkmanager.enable = true; - # Installed system packages - environment.systemPackages = with pkgs; [ - cage - weston - ]; - # TODO: remove? Move? programs.dconf.enable = true; diff --git a/hosts/nord/default.nix b/hosts/nord/default.nix index fb859a3..cfce1cb 100644 --- a/hosts/nord/default.nix +++ b/hosts/nord/default.nix @@ -62,12 +62,6 @@ #networking.useDHCP = true; #TODO: avahi? resolved? https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/base.nix#L15-L18 - # Installed system packages - environment.systemPackages = with pkgs; [ - cage - weston - ]; - # TODO: remove? Move? programs.dconf.enable = true; 
diff --git a/hosts/noximilien/default.nix b/hosts/noximilien/default.nix index 3efa263..9fb4c4f 100644 --- a/hosts/noximilien/default.nix +++ b/hosts/noximilien/default.nix @@ -127,12 +127,6 @@ #networking.useDHCP = true; #TODO: avahi? resolved? https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/base.nix#L15-L18 - # Installed system packages - environment.systemPackages = with pkgs; [ - cage - weston - ]; - # TODO: remove? Move? programs.dconf.enable = true; } diff --git a/hosts/sopp/default.nix b/hosts/sopp/default.nix index 76f44ef..d8cc9ba 100644 --- a/hosts/sopp/default.nix +++ b/hosts/sopp/default.nix @@ -94,12 +94,6 @@ /**/ #TODO: avahi? resolved? https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/base.nix#L15-L18 - # Installed system packages - environment.systemPackages = with pkgs; [ - cage - weston - ]; - # TODO: remove? Move? programs.dconf.enable = true; diff --git a/profiles/shell/nix-utils.nix b/profiles/shell/nix-utils.nix index c80b9ae..adf4d9a 100644 --- a/profiles/shell/nix-utils.nix +++ b/profiles/shell/nix-utils.nix @@ -7,7 +7,7 @@ nix-top #nix-index nix-tree - #nix-search # TODO: exists? + nix-search-cli # nix-search nix-diff #comma nixfmt diff --git a/profiles/sshd.nix b/profiles/sshd.nix index a43e6f9..6dff5ec 100644 --- a/profiles/sshd.nix +++ b/profiles/sshd.nix @@ -1,4 +1,5 @@ { services.openssh.enable = true; services.openssh.settings.X11Forwarding = true; + services.fail2ban.enable = true; }
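Review bot: In profiles/sshd.nix, `services.fail2ban.enable = true;` replaces the base.nix line `services.fail2ban.enable = config.services.openssh.enable;`, so fail2ban is now tied to importing this profile instead of to the sshd option itself. A host that sets `services.openssh.enable = true` without importing profiles/sshd.nix would then run sshd with no ban jail; whether such a host exists is not visible in this diff. Either keep the coupling in base.nix as `services.fail2ban.enable = lib.mkDefault config.services.openssh.enable;`, or add a comment here such as `# fail2ban is enabled only through this profile; import it on every host that runs sshd`. As far as this hunk shows, the profile leaves password authentication at its default, and fail2ban only slows guessing, so `services.openssh.settings.PasswordAuthentication = false;` is worth adding if every host uses keys.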