pegasust
/
dotfiles
1
0
Fork 0
Code Issues 6 Pull Requests Projects Releases Wiki Activity

wip: add opinionated setups, which is enabled in module import

top-level-nix
Pegasust 2022-12-25 16:15:15 -07:00
parent 93e5306ce3
commit 416f0d0c60
15 changed files with 208 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
default.nix
View File

@ -1 +1,11 @@
# We use top-level nix-flake, so default.nix is basically just a wrapper around ./flake.nix # We use top-level nix-flake, so default.nix is basically just a wrapper around ./flake.nix
(import
(
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{ src = ./.; }
).defaultNix

4
dev-shell.nix
View File

@ -1,8 +1,8 @@
# Ideally, this should contain the barebone necessary for building/interacting # Ideally, this should contain the barebone necessary for building/interacting
# with tech used in this project # with tech used in this project
#
# Should also incorporate shortcuts like scripts/{hm-switch,conf-sysnix}.sh in here instead # Should also incorporate shortcuts like scripts/{hm-switch,conf-sysnix}.sh in here instead
#
# It should not contain PDE # It should not contain PDE
{pkgs? import <nixpkgs> {} {pkgs? import <nixpkgs> {}
,lib ,lib

9
flake.nix
View File

@ -36,7 +36,12 @@
# inject nixpkgs.lib onto c_ (calculus) # inject nixpkgs.lib onto c_ (calculus)
_lib = pkgs.lib; _lib = pkgs.lib;
inputs = (_lib.recursiveUpdate {inherit system;} _inputs); inputs = (_lib.recursiveUpdate {
inherit system;
# NOTE: this will only read files that are within git tree
# all secrets should go into secrets.nix and secrets/*.age
proj_root = builtins.toString ./.;
} _inputs);
inputs_w_pkgs = (_lib.recursiveUpdate {inherit pkgs;} inputs); inputs_w_pkgs = (_lib.recursiveUpdate {inherit pkgs;} inputs);
lib = _lib.recursiveUpdate (import ./lib inputs_w_pkgs) _lib; lib = _lib.recursiveUpdate (import ./lib inputs_w_pkgs) _lib;
@ -50,6 +55,6 @@
in { in {
# inherit (hosts) nixosConfigurations; # inherit (hosts) nixosConfigurations;
# inherit (users) homeConfigurations; # inherit (users) homeConfigurations;
devShell."${system}" = import ./shell.nix final_inputs; devShell."${system}" = import ./dev-shell.nix final_inputs;
}; };
} }

28
lib/default.nix
View File

@ -1,5 +1,12 @@
{pkgs,...}@inputs: let {pkgs
,nixpkgs
,proj_root
,nixosDefaultVersion? "22.05"
,defaultSystem? "x86_64-linux";
,...}@inputs: let
lib = pkgs.lib; lib = pkgs.lib;
# procedure =
in { in {
# short-hand to create a shell derivation # short-hand to create a shell derivation
# NOTE: this is pure. This means, env vars from devShells might not # NOTE: this is pure. This means, env vars from devShells might not
@ -8,4 +15,23 @@ in {
# just a pattern that we must remember: args to this are children of pkgs. # just a pattern that we must remember: args to this are children of pkgs.
{writeShellScriptBin}: writeShellScriptBin pname script {writeShellScriptBin}: writeShellScriptBin pname script
) {}); ) {});
# Configures hosts as nixosConfiguration
# [host_T] -> {host_T[int].hostName = type (nixpkgs.lib.nixosConfiguration);}
mkHost = {hostName
, nixosBareConfiguration
, nixosVersion? nixosDefaultVersion
, system? defaultSystem
, preset? "base"}: # base | minimal
nixpkgs.lib.nixosSystem (nixosBareConfiguration // {
inherit system;
modules = [
{
system.stateVersion = nixosVersion;
networking.hostName = hostName;
}
import "${proj_root}/modules/base.nix"
import "${proj_root}/modules/tailscale.sys.nix"
] ++ nixosBareConfiguration.modules;
});
} }

10
modules/base.sys.nix Normal file
View File

@ -0,0 +1,10 @@
{pkgs
,lib
,proj_root
}:{
imports = [
./minimal.sys.nix
./mosh.sys.nix
./tailscale.sys.nix
];
}

8
modules/kde.sys.nix Normal file
View File

@ -0,0 +1,8 @@
{pkgs
,lib
,config
,proj_root
,agenix
}: {
environment.noXlibs = lib.mkForce false;
}

27
modules/minimal.sys.nix Normal file
View File

@ -0,0 +1,27 @@
{pkgs
,lib
,proj_root
}:{
# prune old builds after a while
nix.settings.auto-optimize-store = true;
nix.package = pkgs.nixFlakes; # nix flakes
nix.extraOptions = ''
experimental=feature = nix-command flakes
'';
programs.neovim = {
enable = true;
defaultEditor = true;
};
programs.git.enable = true;
environment.systemPackages = [
pkgs.gnumake
pkgs.wget
pkgs.inetutils # network diag
pkgs.mtr # network diag
pkgs.sysstat # sys diag
];
users.users.root = {
# openssh runs in root, no? This is because port < 1024 requires root.
openssh.authorizedKeys.keys = lib.strings.splitString "\n" (builtins.readFile "${proj_root}/ssh/authorized_keys");
};
}

12
modules/mosh.sys.nix Normal file
View File

@ -0,0 +1,12 @@
{pkgs
,lib
,config
}: {
environment.systemPackages = [pkgs.mosh];
networking.firewall = lib.mkIf config.networking.firewall.enable {
allowedUDPPortRanges = [
{ from = 60000; to = 61000; } # mosh
];
};
}

16
modules/secrets.nix Normal file
View File

@ -0,0 +1,16 @@
{agenix
,proj_root}: {
age.secrets.s3fs = {
file = "${proj_root}/secrets/s3fs.age";
# mode = "600"; # owner + group only
# owner = "hungtr";
# group = "users";
};
age.secrets."s3fs.digital-garden" = {
file = "${proj_root}/secrets/s3fs.digital-garden.age";
};
age.secrets._nhitrl_cred = {
file = "${proj_root}/secrets/_nhitrl.age";
};
environment.systemPackages = [agenix.defaultPackage.x86_64-linux];
}

48
modules/tailscale.sys.nix Normal file
View File

@ -0,0 +1,48 @@
{pkgs
,config
,lib
,...}: {
environment.systemPackages = [pkgs.tailscale];
services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = {
description = "Automatically connects to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url
# This time, configure device auth so that we authenticate from portal
# https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network
${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW
'';
};
networking.firewall = lib.mkIf config.networking.firewall.enable {
trustedInterfaces = [
"tailscale0"
];
allowedUDPPorts = [
config.services.tailscale.port
];
allowedTCPPorts = [
22
];
checkReversePath = "loose";
};
}

2
secrets.nix
View File

@ -3,7 +3,7 @@ let
users = { users = {
"hungtr@bao" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+1+gps6phbZboIb9fH51VNPUCkhSSOAbkI3tq3Ou0Z"; "hungtr@bao" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+1+gps6phbZboIb9fH51VNPUCkhSSOAbkI3tq3Ou0Z";
}; };
# System-specific settings (/etc/ssh/ssh_hsot_ed25519_key.pub) # System-specific settings (/etc/ssh/ssh_host_ed25519_key.pub)
systems = { systems = {
"bao" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBuAaAE7TiQmMH300VRj/pYCri1qPmHjd+y9aX2J0Fs"; "bao" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBuAaAE7TiQmMH300VRj/pYCri1qPmHjd+y9aX2J0Fs";
}; };

10
secrets/_nhitrl.age Normal file
View File

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 ahbzMg QEQ0gfV00KEZFXSUMAnITVG2vAhS0IrnbbEXVsQRjXA
/iXv++nOsRRmWAu4dFTmxxC7qlCjMuTYuTa6GsYgsX0
-> ssh-ed25519 glsjZQ Lob1uedpMxsDygT/i6Pnuwi6BzdgZPAeemISakcncVM
UddBD1YezLMeCUn4UuHGIrK68AwCIwuHAobpkJdi/3U
-> Tx+>#u-grease ;A%8 W
m11Fw6roG6feroJ/o5Ro8Dv1C3Piq3bGbdV78TH9Z0URPru+srdINovMvoVqjkuZ
eHiRwb1fN0ymLRD6/WxT4ZLKbT6J5yNPCrc+
--- 88hy3b76RX3PAc0Lfms//lhuqsi2tsqmL9gFQqUMBKM
>%frPåúéÚó€+÷JY`•îŽð',„ë~<7E><>ÄôʼfÝÄ_Q2A59N/ÄV·þ ºÝ[ˆSgË3ü ß4Y(´cä}N[ Ò•ëJ¡ò6Uµ¯pvf/i§Ò+tÒTÞ^–Ø)<1A>

10
secrets/s3fs.age Normal file
View File

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 ahbzMg 6pTVLAgOY/JZVWiCFHLo8xQ4/CL6620IMaBRpqI8Wws
CtJeQuy5VzKZhJnIH+/cjlKsAcg0RY2bhHTWVm+hUOY
-> ssh-ed25519 glsjZQ we7RCgsnODTJ8rKYhU+9tu0DmLH+98mcQKQ3I2slikM
G81lsFLQR9polxme1K/MU2d8Y01PrTqtzJnVq0EMJF0
-> |-grease B\W,I9z ^Gx;$ Kk7!4,P
0Jl5Lhx7R8YOs9S+hUtQDDpNIqBhC/MM0N7w1MCtwYtkIIIWKfY9jkJ7+Cew2Ee5
Qb04jnE
--- b7AXWRgK45a/91iwmwt5g+CWOlU/2f4nUDfXlg/bs9A
¢²%;Þ3RmQÚWhpÌVŠ;º×®¡¥VÍÚñ[zš9al¦±=cLêüva<>ëu7é,†tø±ýUܶh^&å‰Ö¿WåJP6-ÇÒ£ n-ˆ¿=™]

10
secrets/s3fs.digital-garden.age Normal file
View File

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 ahbzMg GUriNV3lYlrA4xfIUj9PedI8p87avdQKOXhFqVnyzG4
TvLDyCGbmU0N26SLWDIhj8tAgwrx1kFyhe6knPvJbLg
-> ssh-ed25519 glsjZQ uZUN8LJ5tnBlkrQ23JutAMzOODVF/96m+5qwgE0mJgM
srPQPu/fcCSDsbyZF8HLytPts7LGib6AHKBxaVXbK+c
-> R{n]I@-grease
EdbrkSaDEZBhArX2fk83dPE8DAtFuCdzm9TlIfXWhv8+jFLNmSshkKYc2Rlj/FE1
7w
--- GYDU/uV9eu8AKstyufFIueBnuvXwlKO3Oz9LLxkkhKQ
/MôïŽ×XƒÁ€ôÑb€vÎV}®^}|~êž¹.í•qÒU–Ô"‘€Öµ*«Åy‡…ÆÄñÇIôifªjîE´JW®a\ ðÉysUïö<>“Ÿ¥Qè$

10
shell.nix
View File

@ -1,3 +1,13 @@
# This uses the exported devShells from flake.nix # This uses the exported devShells from flake.nix
# the default or base version of nix-shell can be found in dev-shell.nix instead # the default or base version of nix-shell can be found in dev-shell.nix instead
# This architecture is because we use top-level flake.nix # This architecture is because we use top-level flake.nix
(import
(
let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{ src = ./.; }
).shellNix