diff --git a/home/modules/baseline.nix b/home/modules/baseline.nix index c5cdd05..f4852be 100644 --- a/home/modules/baseline.nix +++ b/home/modules/baseline.nix @@ -8,7 +8,7 @@ with lib; let cfg = config.local.baseline; in { options.local.baseline = { - enable = mkEnableOption "Basic home settings"; + enable = mkEnableOption "Basic settings"; }; config = mkIf cfg.enable { xdg.enable = true; diff --git a/sys/default.nix b/sys/default.nix index 5c7405a..0967ef4 100644 --- a/sys/default.nix +++ b/sys/default.nix @@ -1,12 +1 @@ -{ - flakes, - config, - pkgs, - lib, - ... -}: -with lib; { - imports = [ - ./modules - ]; -} +{} diff --git a/sys/modules/android.nix b/sys/modules/android.nix deleted file mode 100644 index 57c1964..0000000 --- a/sys/modules/android.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.androidSupport; -in { - options.local.sys.androidSupport = { - enable = mkEnableOption "androidSupport settings"; - }; - config = mkIf cfg.enable { - services.udev.packages = with pkgs; [ - android-udev-rules - ]; - }; -} diff --git a/sys/modules/audio.nix b/sys/modules/audio.nix deleted file mode 100644 index df248fe..0000000 --- a/sys/modules/audio.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.audio; -in { - options.local.sys.audio = { - enable = mkEnableOption "audio settings"; - }; - config = mkIf cfg.enable { - security.rtkit.enable = true; - - services.pipewire = { - enable = true; - - alsa = { - enable = true; - support32Bit = true; - }; - - jack.enable = true; - pulse.enable = true; - wireplumber.enable = true; - }; - }; -} diff --git a/sys/modules/baseline.nix b/sys/modules/baseline.nix deleted file mode 100644 index 3869463..0000000 --- a/sys/modules/baseline.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.baseline; -in { - options.local.sys.baseline = { - enable = mkEnableOption "Basic system settings"; - }; - config = mkIf cfg.enable { - system.stateVersion = "24.05"; # DO NOT CHANGE - - nix = { - package = pkgs.nixVersions.stable; - - extraOptions = '' - experimental-features = nix-command flakes - ''; - - # Not interested in the global flake registry - settings.flake-registry = ""; - }; - - console = { - keyMap = "us"; - }; - - programs = { - zsh.enable = true; - fuse.userAllowOther = true; - }; - - environment = { - pathsToLink = [ - "/share/zsh" - ]; - - systemPackages = with pkgs; - [ - git - vim - ] - ++ optionals (!config.boot.isContainer) [ - lm_sensors - lshw - parted - pciutils - smartmontools - usbutils - ]; - }; - - services = { - openssh.enable = mkDefault true; - - earlyoom = { - enable = mkDefault true; - enableNotifications = true; - }; - }; - - # Coredumps are a security risk and may use up a lot of disk space - systemd.coredump.extraConfig = '' - Storage=none - ProcessSizeMax=0 - ''; - - security.dhparams = { - enable = true; - defaultBitSize = 4096; - }; - }; -} diff --git a/sys/modules/default.nix b/sys/modules/default.nix deleted file mode 100644 index 0696df5..0000000 --- a/sys/modules/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - imports = [ - ./baseline.nix - ./yubikey.nix - ./audio.nix - ./graphics.nix - ./virtualisation.nix - ./android.nix - ./users.nix - ]; -} diff --git a/sys/modules/graphics.nix b/sys/modules/graphics.nix deleted file mode 100644 index 162e21b..0000000 --- a/sys/modules/graphics.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.graphics; -in { - options.local.sys.graphics = { - enable = mkEnableOption "graphics settings"; - }; - config = mkIf cfg.enable { - services = { - xserver = { - enable = true; - xkb.layout = "us"; - displayManager.startx.enable = true; - }; - libinput.enable = true; - }; - - hardware.graphics.enable = true; - - programs.dconf.enable = true; - }; -} diff --git a/sys/modules/users.nix b/sys/modules/users.nix deleted file mode 100644 index 1e90b41..0000000 --- a/sys/modules/users.nix +++ /dev/null @@ -1,75 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.users; - userType = types.submodule { - options = { - enable = mkEnableOption "user settings"; - unixId = mkOption { - # gid and uid are always the same - type = types.int; - }; - admin = mkOption { - type = types.bool; - default = false; - }; - sshKeyPublicFile = mkOption { - type = types.listOf types.path; - default = []; - }; - }; - }; -in { - options.local.sys.users = mkOption { - type = types.attrsOf userType; - default = {}; - }; - - config = { - local.sys.users = { - fabian = { - unixId = mkDefault 1000; - admin = true; - }; - vanessa = { - unixId = mkDefault 1001; - admin = false; - }; - soto = { - unixId = mkDefault 1010; - admin = false; - }; - diaz = { - unixId = mkDefault 1011; - admin = false; - }; - }; - - users = let - enabledUsers = filterAttrs (k: v: v.enable) cfg; - in { - groups = - mapAttrs (k: v: { - gid = v.unixId; - }) - enabledUsers; - - users = - mapAttrs (k: v: { - isNormalUser = true; - uid = v.unixId; - group = k; - shell = pkgs.zsh; - extraGroups = - ["users" "networkmanager"] - ++ optionals (v.admin) ["wheel" "libvirtd" "dialout"]; - openssh.authorizedKeys.keyFiles = v.sshKeyPublicFile; - }) - enabledUsers; - }; - }; -} diff --git a/sys/modules/virtualisation.nix b/sys/modules/virtualisation.nix deleted file mode 100644 index b64741e..0000000 
--- a/sys/modules/virtualisation.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.virtualisation; -in { - options.local.sys.virtualisation = { - enable = mkEnableOption "virtualisation settings"; - }; - config = mkIf cfg.enable { - virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm; - virtualisation.libvirtd.qemu.ovmf.enable = true; - virtualisation.libvirtd.qemu.ovmf.packages = [pkgs.OVMFFull.fd]; - virtualisation.libvirtd.enable = true; - # boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ]; - # boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "vfio-pci.ids=1002:699f,1002:aae0" "video=efifb:off" ]; - virtualisation.libvirtd.onBoot = "start"; - }; -} diff --git a/sys/modules/yubikey.nix b/sys/modules/yubikey.nix deleted file mode 100644 index c5e3008..0000000 --- a/sys/modules/yubikey.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.local.sys.yubikey; -in { - options.local.sys.yubikey = { - enable = mkEnableOption "yubikey settings"; - }; - config = mkIf cfg.enable { - services = { - pcscd.enable = true; - udev.packages = [pkgs.yubikey-personalization]; - }; - - environment.etc."pkcs11/modules/ykcs11".text = '' - module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so - ''; - - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - - security.pam = { - services = { - login.u2fAuth = true; - sudo.u2fAuth = true; - }; - - u2f = { - enable = true; - control = "sufficient"; - settings = { - debug = false; - cue = true; - }; - }; - }; - }; -} diff --git a/sys/platforms/posixlycorrect/default.nix b/sys/platforms/posixlycorrect/default.nix index 8abceaf..e939e18 100644 --- a/sys/platforms/posixlycorrect/default.nix +++ b/sys/platforms/posixlycorrect/default.nix 
@@ -1,53 +1,114 @@ +# Edet this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, lib, - flakes, ... }: { imports = [ - flakes.home-manager.nixosModules.home-manager - flakes.impermanence.nixosModule + # Include the results of the hardware scan. ./hardware-configuration.nix + ./yubikey.nix ]; - local.sys = { - baseline.enable = true; + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; + boot.kernelPackages = pkgs.linuxPackages_latest; - yubikey.enable = true; - audio.enable = true; - graphics.enable = true; - virtualisation.enable = true; - androidSupport.enable = true; - users = { - fabian = { - enable = true; - unixId = 1002; - }; - vanessa.enable = true; - }; - }; + networking.hostName = "posixlycorrect"; + networking.networkmanager.enable = true; - networking = { - hostName = "posixlycorrect"; - networkmanager.enable = true; + # Set your time zone. + time.timeZone = "America/Costa_Rica"; - useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here. - interfaces.enp7s0.useDHCP = true; # Per-interface useDHCP will be mandatory in the future, so this generated config - interfaces.wlp6s0.useDHCP = true; # replicates the default behaviour. - }; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - tmp.useTmpfs = true; - kernelPackages = pkgs.linuxPackages_latest; - }; + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. 
+ networking.useDHCP = false; + networking.interfaces.enp7s0.useDHCP = true; + networking.interfaces.wlp6s0.useDHCP = true; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; - time.timeZone = "America/Costa_Rica"; + # Enable the X11 windowing system. + services.xserver = { + enable = true; + xkb.layout = "us"; + displayManager.startx.enable = true; + }; + services.libinput.enable = true; + + hardware.graphics.enable = true; + + security.rtkit.enable = true; + + services.pipewire = { + enable = true; + + alsa = { + enable = true; + support32Bit = true; + }; + + jack.enable = true; + pulse.enable = true; + wireplumber.enable = true; + }; + + programs.zsh.enable = true; + environment.pathsToLink = ["/share/zsh"]; + + users = { + users.fabian = { + isNormalUser = true; + uid = 1002; # nunca cambiar mi ID de usuario + group = "fabian"; + shell = pkgs.zsh; + extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"]; + }; + groups.fabian.gid = 1002; + }; + + services.udev.packages = [ + pkgs.android-udev-rules + ]; + + users.users.temp = { + isNormalUser = true; + extraGroups = ["wheel"]; + }; + + virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm; + virtualisation.libvirtd.qemu.ovmf.enable = true; + virtualisation.libvirtd.qemu.ovmf.packages = [pkgs.OVMFFull.fd]; + virtualisation.libvirtd.enable = true; + programs.dconf.enable = true; + # boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ]; + # boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "vfio-pci.ids=1002:699f,1002:aae0" "video=efifb:off" ]; + virtualisation.libvirtd.onBoot = "start"; + + nix = { + package = pkgs.nixVersions.stable; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + services.openssh.enable = true; + + services.earlyoom = { + enable = true; + enableNotifications = true; + }; + + system.stateVersion = "24.05"; # DO NOT CHANGE } 
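Review bot: `users.users.temp` is added to `wheel` with no `hashedPassword`, `initialPassword` or `openssh.authorizedKeys`, so nothing in this file shows how that account is meant to authenticate; if `users.mutableUsers` is left at its default, a password set by hand on it persists across rebuilds, and `services.openssh.enable = true` here comes without the `settings.PasswordAuthentication = false` the vps config sets, so such a password would also be accepted over SSH for a sudo-capable account. Either give it an explicit credential (`hashedPasswordFile` or `openssh.authorizedKeys.keyFiles`) plus a comment stating why it exists, or remove it, and consider mirroring the vps sshd setting with `services.openssh.settings.PasswordAuthentication = false;`. Inlining the old `baseline` module also dropped `systemd.coredump.extraConfig` (`Storage=none` / `ProcessSizeMax=0`) and `nix.settings.flake-registry = ""` from this host while the vps keeps both; if that is not deliberate, re-add them here. The header comment's `Edet` should read `Edit`.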
diff --git a/sys/platforms/posixlycorrect/hardware-configuration.nix b/sys/platforms/posixlycorrect/hardware-configuration.nix index 168c7c6..a9feac6 100644 --- a/sys/platforms/posixlycorrect/hardware-configuration.nix +++ b/sys/platforms/posixlycorrect/hardware-configuration.nix @@ -2,7 +2,6 @@ config, lib, pkgs, - flakes, modulesPath, ... }: let @@ -13,7 +12,7 @@ }; in { imports = [ - flakes.nixpkgs.nixosModules.notDetected + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd = { diff --git a/sys/platforms/posixlycorrect/yubikey.nix b/sys/platforms/posixlycorrect/yubikey.nix new file mode 100644 index 0000000..8b83a12 --- /dev/null +++ b/sys/platforms/posixlycorrect/yubikey.nix @@ -0,0 +1,36 @@ +{ + config, + pkgs, + lib, + ... +}: { + services = { + pcscd.enable = true; + udev.packages = [pkgs.yubikey-personalization]; + }; + + environment.etc."pkcs11/modules/ykcs11".text = '' + module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so + ''; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + security.pam = { + services = { + login.u2fAuth = true; + sudo.u2fAuth = true; + }; + + u2f = { + enable = true; + control = "sufficient"; + settings = { + debug = false; + cue = true; + }; + }; + }; +} diff --git a/sys/platforms/vps/default.nix b/sys/platforms/vps/default.nix index 2882423..e983e06 100644 --- a/sys/platforms/vps/default.nix +++ b/sys/platforms/vps/default.nix @@ -1,9 +1,8 @@ { config, - lib, pkgs, + lib, flakes, - modulesPath, ... }: with lib; { 
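Review bot: In the new `yubikey.nix`, `security.pam.u2f.control = "sufficient"` together with `sudo.u2fAuth = true` lets a U2F assertion alone satisfy sudo, and no `authfile` is configured, so pam_u2f presumably falls back to its per-user mapping file under the user's home (confirm against the module defaults for the nixpkgs version in use); a mapping file the user can write lets any process already running as that user enrol a key it controls and then pass sudo without the password. If passwordless sudo with the hardware key is the intent, point the module at a root-owned mapping, e.g. `u2f.settings.authfile = "/etc/u2f_mappings";` (check the exact option name), otherwise use `control = "required"` so the key is a second factor alongside the password. A one-line comment on the `u2f` block saying which of the two models is intended would help the next reader. The hunk is the whole new file, so nothing is cut off.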
@@ -11,22 +10,16 @@ with lib; { flakes.vpsadminos.nixosConfigurations.container flakes.home-manager.nixosModules.home-manager flakes.impermanence.nixosModule - ./hardware-configuration.nix ./srv ]; - local.sys = { - baseline.enable = true; - - users.fabian = { - enable = true; - sshKeyPublicFile = [ public_files/pki/fabian.ssh ]; - }; - }; - - networking.hostName = "vps"; + environment.systemPackages = with pkgs; [ + vim + git + ]; services.openssh = { + enable = true; settings.PasswordAuthentication = false; }; @@ -45,9 +38,71 @@ with lib; { }; }; + programs = { + zsh.enable = true; + fuse.userAllowOther = true; + }; + + networking.hostName = "vps"; + + nix = { + package = pkgs.nixVersions.stable; + + extraOptions = '' + experimental-features = nix-command flakes + ''; + + # No me interesa el global registry + settings.flake-registry = ""; + }; + + users = { + users.fabian = { + isNormalUser = true; + uid = 1000; + group = "fabian"; + shell = pkgs.zsh; + extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"]; + openssh.authorizedKeys.keyFiles = [public_files/pki/fabian.ssh]; + }; + groups.fabian.gid = 1000; + }; + systemd.extraConfig = '' DefaultTimeoutStartSec=900s ''; + security.dhparams = { + enable = true; + defaultBitSize = 4096; + }; + + fileSystems = { + "/mnt/export2008" = { + device = "172.16.129.19:/nas/5876"; + fsType = "nfs"; + options = ["nofail" "noatime"]; + }; + + "/mnt/export2011" = { + device = "172.16.129.151:/nas/5876/bepasty"; + fsType = "nfs"; + options = ["nofail" "noatime" "noexec"]; + }; + }; + + services.earlyoom = { + enable = mkDefault true; + enableNotifications = true; + }; + + # Coredumps son un riesgo de seguridad y puden usar mucho disco + systemd.coredump.extraConfig = '' + Storage=none + ProcessSizeMax=0 + ''; + time.timeZone = "Europe/Amsterdam"; + + system.stateVersion = "24.05"; # DO NOT CHANGE } 
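Review bot: `users.users.fabian.extraGroups` on the vps now carries `networkmanager`, `dialout` and `libvirtd` alongside `wheel`, while the visible config for this container enables neither NetworkManager nor libvirtd; `libvirtd` membership is root-equivalent wherever the daemon runs, so grant only what this host actually uses, e.g. `extraGroups = ["users" "wheel"];`. The two NFS mounts moved in from `hardware-configuration.nix` are addressed by plain IP and only `export2011` gets `noexec`; adding `nosuid` and `nodev` to both (e.g. `options = ["nofail" "noatime" "nosuid" "nodev"];` for `export2008`) stops setuid binaries or device nodes on the share from being honoured locally. The attribute set these lines belong to opens in the first hunk of this file, outside this unit.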
diff --git a/sys/platforms/vps/hardware-configuration.nix b/sys/platforms/vps/hardware-configuration.nix deleted file mode 100644 index 431b227..0000000 --- a/sys/platforms/vps/hardware-configuration.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ - config, - lib, - pkgs, - flakes, - modulesPath, - ... -}: let -in { - fileSystems = { - "/mnt/export2008" = { - device = "172.16.129.19:/nas/5876"; - fsType = "nfs"; - options = ["nofail" "noatime"]; - }; - - "/mnt/export2011" = { - device = "172.16.129.151:/nas/5876/bepasty"; - fsType = "nfs"; - options = ["nofail" "noatime" "noexec"]; - }; - }; -}