some restructuring

cy 2024-12-13 11:27:01 -05:00
parent 26740dc299
commit f5bc46061b
5 changed files with 28 additions and 21 deletions

nix/hosts/ytnix/default.nix Normal file

@ -0,0 +1,300 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
imports = [
./hardware-configuration.nix
];
nix = {
settings = {
experimental-features = "nix-command flakes";
auto-optimise-store = true;
flake-registry = "";
};
channel.enable = false;
optimise = {
automatic = true;
dates = [ "03:45" ];
};
gc = {
automatic = true;
dates = "19:00";
persistent = true;
options = "--delete-older-than 60d";
};
};
sops.defaultSopsFile = ./secrets.yaml;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"borg/yt" = { };
"azure" = { };
"ntfy" = { };
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
tmp.cleanOnBoot = true;
kernelPackages = pkgs.linuxPackages_latest;
extraModulePackages = with config.boot.kernelPackages; [
rtl8821ce
];
};
networking = {
hostName = "ytnix";
# nftables.enable = true;
wireless.iwd = {
enable = true;
settings = {
Rank = {
# disable 2.4 GHz cause i have a shitty wireless card
# that interferes with bluetooth otherwise
BandModifier2_4GHz = 0.0;
};
};
};
networkmanager = {
enable = true;
dns = "none";
wifi.backend = "iwd";
};
nameservers = [ "127.0.0.1" "::1" ];
resolvconf.enable = true;
firewall = {
trustedInterfaces = [ "wgnord" ];
};
};
programs.nm-applet.enable = true;
time.timeZone = "America/Toronto";
security.rtkit.enable = true;
services.pipewire = {
enable = true;
pulse.enable = true;
alsa.enable = true;
alsa.support32Bit = true;
wireplumber.extraConfig.bluetoothEnhancements = {
"wireplumber.settings" = {
"bluetooth.autoswitch-to-headset-profile" = false;
};
"monitor.bluez.properties" = {
"bluez5.enable-sbc-xq" = true;
"bluez5.enable-msbc" = true;
"bluez5.enable-hw-volume" = true;
"bluez5.roles" = [ "a2dp_sink" "a2dp_source" ];
};
};
};
services.libinput.enable = true;
users.users.yt = {
isNormalUser = true;
extraGroups = [ "wheel" "libvirtd" "docker" ];
shell = pkgs.zsh;
};
environment.systemPackages = with pkgs; [
tmux
vim
wget
neovim
git
python3
wl-clipboard
mako
tree
kitty
borgbackup
brightnessctl
alsa-utils
nixd
veracrypt
bluetuith
libimobiledevice
pass-wayland
htop
file
dnsutils
age
compsize
wgnord
wireguard-tools
traceroute
sops
restic
];
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
ANKI_WAYLAND = "1";
};
system.stateVersion = "24.05";
services.gnome.gnome-keyring.enable = true;
programs.gnupg.agent.enable = true;
services.displayManager.defaultSession = "sway";
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
};
programs.zsh.enable = true;
# security.sudo.wheelNeedsPassword = false;
fonts.packages = with pkgs; [
nerd-fonts.roboto-mono
];
hardware.enableAllFirmware = true;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
services.blueman.enable = true;
programs.sway.enable = true;
services.borgbackup.jobs.ytnixRsync = {
paths = [ "/root" "/home" "/var/lib" "/var/log" "/opt" "/etc" ];
exclude = [
"**/.cache"
"**/node_modules"
"**/cache"
"**/Cache"
"/var/lib/docker"
"/var/lib/private/ollama"
"/home/**/Downloads"
"**/.steam"
"**/.rustup"
"**/.docker"
"**/borg"
];
repo = "de3911@de3911.rsync.net:borg/yt";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/yt";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
BORG_REMOTE_PATH = "borg1";
};
compression = "auto,zstd";
startAt = "daily";
extraCreateArgs = [ "--stats" ];
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "ytnixRsync: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
};
services.btrbk.instances.local = {
onCalendar = "hourly";
settings = {
snapshot_preserve = "2w";
snapshot_preserve_min = "2d";
snapshot_dir = "/snapshots";
subvolume = {
"/home" = { };
"/" = { };
};
};
};
programs.steam.enable = true;
services.logind = {
lidSwitch = "hibernate";
powerKey = "hibernate";
};
xdg.mime.defaultApplications = {
"application/pdf" = "okular.desktop";
"image/*" = "gwenview.desktop";
"*/html" = "chromium-browser.desktop";
};
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
};
# preference changes don't work in thunar without this
programs.xfconf.enable = true;
# mount, trash and stuff in thunar
services.gvfs.enable = true;
# thumbnails in thunar
services.tumbler.enable = true;
virtualisation = {
libvirtd.enable = true;
docker.enable = true;
};
programs.virt-manager.enable = true;
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
services.usbmuxd.enable = true;
programs.nix-ld.enable = true;
programs.evolution.enable = true;
# this is true by default and mutually exclusive with
# programs.nix-index
programs.command-not-found.enable = false;
programs.nix-index = {
enable = true;
enableZshIntegration = true;
};
xdg.portal = {
enable = true;
wlr.enable = true;
};
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
wlrobs
];
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-media-sdk
];
};
services.ollama.enable = true;
}
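Review bot: The ntfy credential read by `$(cat /run/secrets/ntfy)` in the borg `postHook` is expanded into curl's argument list, so for the duration of the request it is visible to every local user through the process table; passing it via a curl config file instead, e.g. `-K /run/secrets/ntfy` with the secret stored as a `user = "name:password"` line, keeps it out of argv. The same job sets `BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519"`: unless `user` is set for the job elsewhere it runs as root while the key lives in `yt`'s home, so a dedicated root-owned (or sops-managed) key together with a pinned `known_hosts` or `-o StrictHostKeyChecking=yes` would decouple the backup path from the user account and make the first-connection trust decision explicit. The `yt` account is also in `docker`, which Docker documents as equivalent to root; a comment next to `extraGroups` noting that `docker` is not a lesser privilege than `wheel` would help the next reader judge whether it is still needed.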


@ -0,0 +1,66 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" ];
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13";
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" ];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
fileSystems."/swap" =
{
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/29B7-F46D";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [{
device = "/swap/swapfile";
}];
boot.resumeDevice = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
boot.kernelParams = [ "resume_offset=53224704" ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,26 @@
borg:
yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str]
restic:
azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90
a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH
SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3
a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-01T00:51:59Z"
mac: ENC[AES256_GCM,data:TYyfVAAxiScRb/KAwqaglr5OjYAfb6uPb3Tdwum1rN09NLzmr8T4W3PramKCgGdTemtjl5YYpBT2lRnKfsNMpzLwg3JHsLV/6JvzCMAHuVPzHHG4SfbAlEz1uLH1/UopxW1w2RAMKK8do9+aXviL/nmXT6gbHgIVCI07U3006Lw=,iv:gyYePlF0MBSU6yhLieV/q8Gw/LbSaZWD7ghAaTLWQmk=,tag:P1L0FaTCmxeFYM6tdzhJBA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
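Review bot: The `age` list under `sops` holds a single recipient, so the only key able to decrypt this file appears to be the host key at `/root/.config/sops/age/keys.txt` referenced from default.nix; if that key is lost with the machine, the borg and ntfy credentials kept here are unrecoverable. Adding a second recipient held offline (an admin age key or a `pgp` entry) in `.sops.yaml` and re-running `sops updatekeys` would give a recovery path without changing how the host consumes the file. As far as the visible config shows, `restic.azure-yt` is not declared under `sops.secrets` in default.nix and so is not installed on this host; a short comment noting where it is consumed would keep it from being mistaken for dead configuration.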