diff --git a/home/modules/baseline.nix b/home/modules/baseline.nix index f4852be..c5cdd05 100644 --- a/home/modules/baseline.nix +++ b/home/modules/baseline.nix @@ -8,7 +8,7 @@ with lib; let cfg = config.local.baseline; in { options.local.baseline = { - enable = mkEnableOption "Basic settings"; + enable = mkEnableOption "Basic home settings"; }; config = mkIf cfg.enable { xdg.enable = true; diff --git a/sys/default.nix b/sys/default.nix index 0967ef4..5c7405a 100644 --- a/sys/default.nix +++ b/sys/default.nix @@ -1 +1,12 @@ -{} +{ + flakes, + config, + pkgs, + lib, + ... +}: +with lib; { + imports = [ + ./modules + ]; +} diff --git a/sys/modules/android.nix b/sys/modules/android.nix new file mode 100644 index 0000000..57c1964 --- /dev/null +++ b/sys/modules/android.nix @@ -0,0 +1,18 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.local.sys.androidSupport; +in { + options.local.sys.androidSupport = { + enable = mkEnableOption "androidSupport settings"; + }; + config = mkIf cfg.enable { + services.udev.packages = with pkgs; [ + android-udev-rules + ]; + }; +} diff --git a/sys/modules/audio.nix b/sys/modules/audio.nix new file mode 100644 index 0000000..df248fe --- /dev/null +++ b/sys/modules/audio.nix @@ -0,0 +1,29 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.local.sys.audio; +in { + options.local.sys.audio = { + enable = mkEnableOption "audio settings"; + }; + config = mkIf cfg.enable { + security.rtkit.enable = true; + + services.pipewire = { + enable = true; + + alsa = { + enable = true; + support32Bit = true; + }; + + jack.enable = true; + pulse.enable = true; + wireplumber.enable = true; + }; + }; +} diff --git a/sys/modules/baseline.nix b/sys/modules/baseline.nix new file mode 100644 index 0000000..3869463 --- /dev/null +++ b/sys/modules/baseline.nix 
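Review bot: The new `sys/default.nix` declares `flakes`, `config`, `pkgs` and `lib` and opens `with lib;`, yet its body is only `imports = [ ./modules ];`, so every one of those bindings is unused. `with lib;` over a whole module body is also what lets a mistyped attribute name resolve silently to something from `lib` instead of failing evaluation, so it is better reserved for modules that actually call `mkIf`/`mkOption` (the other new modules in this change do). Shrink it to `{...}: { imports = [ ./modules ]; }`, or keep the argument list and drop `with lib;`.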
@@ -0,0 +1,76 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.sys.baseline;
+in {
+ options.local.sys.baseline = {
+ enable = mkEnableOption "Basic system settings";
+ };
+ config = mkIf cfg.enable {
+ system.stateVersion = "24.05"; # DO NOT CHANGE
+
+ nix = {
+ package = pkgs.nixVersions.stable;
+
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ # Not interested in the global flake registry
+ settings.flake-registry = "";
+ };
+
+ console = {
+ keyMap = "us";
+ };
+
+ programs = {
+ zsh.enable = true;
+ fuse.userAllowOther = true;
+ };
+
+ environment = {
+ pathsToLink = [
+ "/share/zsh"
+ ];
+
+ systemPackages = with pkgs;
+ [
+ git
+ vim
+ ]
+ ++ optionals (!config.boot.isContainer) [
+ lm_sensors
+ lshw
+ parted
+ pciutils
+ smartmontools
+ usbutils
+ ];
+ };
+
+ services = {
+ openssh.enable = mkDefault true;
+
+ earlyoom = {
+ enable = mkDefault true;
+ enableNotifications = true;
+ };
+ };
+
+ # Coredumps are a security risk and may use up a lot of disk space
+ systemd.coredump.extraConfig = ''
+ Storage=none
+ ProcessSizeMax=0
+ '';
+
+ security.dhparams = {
+ enable = true;
+ defaultBitSize = 4096;
+ };
+ };
+}
diff --git a/sys/modules/default.nix b/sys/modules/default.nix
new file mode 100644
index 0000000..0696df5
--- /dev/null
+++ b/sys/modules/default.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./baseline.nix
+ ./yubikey.nix
+ ./audio.nix
+ ./graphics.nix
+ ./virtualisation.nix
+ ./android.nix
+ ./users.nix
+ ];
+}
diff --git a/sys/modules/graphics.nix b/sys/modules/graphics.nix
new file mode 100644
index 0000000..162e21b
--- /dev/null
+++ b/sys/modules/graphics.nix
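Review bot: `services.openssh.enable = mkDefault true;` switches sshd on for every host that enables the baseline, but the baseline sets none of sshd's authentication settings, so a host that does not override them (posixlycorrect in this same change) runs with the NixOS defaults, which leave password and keyboard-interactive authentication enabled. The users module added by this commit distributes keys through `openssh.authorizedKeys.keyFiles`, so key-only access is evidently the intended model; put the hardened defaults next to the enable so every host inherits them: `openssh.settings.PasswordAuthentication = mkDefault false;` and `openssh.settings.KbdInteractiveAuthentication = mkDefault false;` (the VPS already forces the first and keeps working). `fuse.userAllowOther = true;` is a system-wide relaxation with no consumer visible in this diff; a one-line comment naming the mount that needs `allow_other` would tell the next reader why it is here.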
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.sys.graphics;
+in {
+ options.local.sys.graphics = {
+ enable = mkEnableOption "graphics settings";
+ };
+ config = mkIf cfg.enable {
+ services = {
+ xserver = {
+ enable = true;
+ xkb.layout = "us";
+ displayManager.startx.enable = true;
+ };
+ libinput.enable = true;
+ };
+
+ hardware.graphics.enable = true;
+
+ programs.dconf.enable = true;
+ };
+}
diff --git a/sys/modules/users.nix b/sys/modules/users.nix
new file mode 100644
index 0000000..1e90b41
--- /dev/null
+++ b/sys/modules/users.nix
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.sys.users;
+ userType = types.submodule {
+ options = {
+ enable = mkEnableOption "user settings";
+ unixId = mkOption {
+ # gid and uid are always the same
+ type = types.int;
+ };
+ admin = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ sshKeyPublicFile = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ };
+ };
+ };
+in {
+ options.local.sys.users = mkOption {
+ type = types.attrsOf userType;
+ default = {};
+ };
+
+ config = {
+ local.sys.users = {
+ fabian = {
+ unixId = mkDefault 1000;
+ admin = true;
+ };
+ vanessa = {
+ unixId = mkDefault 1001;
+ admin = false;
+ };
+ soto = {
+ unixId = mkDefault 1010;
+ admin = false;
+ };
+ diaz = {
+ unixId = mkDefault 1011;
+ admin = false;
+ };
+ };
+
+ users = let
+ enabledUsers = filterAttrs (k: v: v.enable) cfg;
+ in {
+ groups =
+ mapAttrs (k: v: {
+ gid = v.unixId;
+ })
+ enabledUsers;
+
+ users =
+ mapAttrs (k: v: {
+ isNormalUser = true;
+ uid = v.unixId;
+ group = k;
+ shell = pkgs.zsh;
+ extraGroups =
+ ["users" "networkmanager"]
+ ++ optionals (v.admin) ["wheel" "libvirtd" "dialout"];
+ openssh.authorizedKeys.keyFiles = v.sshKeyPublicFile;
+ })
+ enabledUsers;
+ };
+ };
+}
diff --git a/sys/modules/virtualisation.nix b/sys/modules/virtualisation.nix
new file mode 100644
index 0000000..b64741e
--- /dev/null
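Review bot: `extraGroups` puts every enabled user in `networkmanager` and every admin in `libvirtd` and `dialout` regardless of whether the host runs those services — nothing in this diff enables libvirtd or NetworkManager on the VPS, yet its admin is still placed in `libvirtd`, a group that is effectively root-equivalent wherever libvirt is present. Tie the memberships to the features that create the groups: `++ optionals config.networking.networkmanager.enable ["networkmanager"]` and `++ optionals (v.admin && config.virtualisation.libvirtd.enable) ["libvirtd"]`, leaving `wheel` and `dialout` under `v.admin` alone. `types.int` for `unixId` also accepts negative values; `types.ints.unsigned` (or a `types.ints.between` range for normal users) states the intent and fails early. The `# gid and uid are always the same` comment would read better as `# used as both the uid and the gid of the per-user primary group`, since that is what the `groups`/`users` mapping below does.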
+++ b/sys/modules/virtualisation.nix
@@ -0,0 +1,22 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.sys.virtualisation;
+in {
+ options.local.sys.virtualisation = {
+ enable = mkEnableOption "virtualisation settings";
+ };
+ config = mkIf cfg.enable {
+ virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm;
+ virtualisation.libvirtd.qemu.ovmf.enable = true;
+ virtualisation.libvirtd.qemu.ovmf.packages = [pkgs.OVMFFull.fd];
+ virtualisation.libvirtd.enable = true;
+ # boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+ # boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "vfio-pci.ids=1002:699f,1002:aae0" "video=efifb:off" ];
+ virtualisation.libvirtd.onBoot = "start";
+ };
+}
diff --git a/sys/modules/yubikey.nix b/sys/modules/yubikey.nix
new file mode 100644
index 0000000..c5e3008
--- /dev/null
+++ b/sys/modules/yubikey.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.local.sys.yubikey;
+in {
+ options.local.sys.yubikey = {
+ enable = mkEnableOption "yubikey settings";
+ };
+ config = mkIf cfg.enable {
+ services = {
+ pcscd.enable = true;
+ udev.packages = [pkgs.yubikey-personalization];
+ };
+
+ environment.etc."pkcs11/modules/ykcs11".text = ''
+ module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so
+ '';
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ security.pam = {
+ services = {
+ login.u2fAuth = true;
+ sudo.u2fAuth = true;
+ };
+
+ u2f = {
+ enable = true;
+ control = "sufficient";
+ settings = {
+ debug = false;
+ cue = true;
+ };
+ };
+ };
+ };
+}
diff --git a/sys/platforms/posixlycorrect/default.nix b/sys/platforms/posixlycorrect/default.nix
index e939e18..8abceaf 100644
--- a/sys/platforms/posixlycorrect/default.nix
+++ b/sys/platforms/posixlycorrect/default.nix
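Review bot: The two commented-out `boot.kernelModules`/`boot.kernelParams` lines carry host-specific PCI IDs (`vfio-pci.ids=1002:699f,1002:aae0`) into a module that is now shared by every host, where they are dead text that will drift from the machine they describe. Either delete them or make passthrough an option of this module — e.g. a `local.sys.virtualisation.vfioIds` list that, when non-empty, sets the modules and kernel parameters — so the host configuration owns its device IDs. The four repeated `virtualisation.libvirtd.` lines would also read as one unit, `virtualisation.libvirtd = { enable = true; onBoot = "start"; qemu = { ... }; };`, with a comment on `onBoot = "start"` noting that it autostarts marked domains at boot.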
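Review bot: `u2f.control = "sufficient"` together with `services.sudo.u2fAuth = true` lets a token touch alone satisfy `sudo` and `login`, and no mapping file is configured, so pam_u2f falls back to its default per-user mapping under the user's own config directory (`~/.config/Yubico/u2f_keys` in upstream pam_u2f — confirm for the packaged version). A mapping the user can write means anything running as that user can enrol a key of its own and then pass `sudo` with one touch, which turns the intended second factor into a bypass of the password check. Point the module at a root-owned mapping via pam_u2f's `authfile` argument, `settings.authfile = "/etc/u2f_keys";`, and consider `control = "required"` for `sudo` if the intent is password plus touch rather than touch only. A comment on `settings` stating that `cue = true` only prints the "touch your device" prompt would save the next reader a lookup.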
@@ -1,114 +1,53 @@ -# Edet this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, lib, + flakes, ... }: { imports = [ - # Include the results of the hardware scan. + flakes.home-manager.nixosModules.home-manager + flakes.impermanence.nixosModule ./hardware-configuration.nix - ./yubikey.nix ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - boot.kernelPackages = pkgs.linuxPackages_latest; + local.sys = { + baseline.enable = true; - networking.hostName = "posixlycorrect"; - networking.networkmanager.enable = true; + yubikey.enable = true; + audio.enable = true; + graphics.enable = true; + virtualisation.enable = true; + androidSupport.enable = true; + users = { + fabian = { + enable = true; + unixId = 1002; + }; + vanessa.enable = true; + }; + }; - # Set your time zone. - time.timeZone = "America/Costa_Rica"; + networking = { + hostName = "posixlycorrect"; + networkmanager.enable = true; - # The global useDHCP flag is deprecated, therefore explicitly set to false here. - # Per-interface useDHCP will be mandatory in the future, so this generated config - # replicates the default behaviour. - networking.useDHCP = false; - networking.interfaces.enp7s0.useDHCP = true; - networking.interfaces.wlp6s0.useDHCP = true; + useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here. + interfaces.enp7s0.useDHCP = true; # Per-interface useDHCP will be mandatory in the future, so this generated config + interfaces.wlp6s0.useDHCP = true; # replicates the default behaviour. 
+ }; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + tmp.useTmpfs = true; + kernelPackages = pkgs.linuxPackages_latest; + }; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - }; - # Enable the X11 windowing system. - services.xserver = { - enable = true; - xkb.layout = "us"; - displayManager.startx.enable = true; - }; - services.libinput.enable = true; - - hardware.graphics.enable = true; - - security.rtkit.enable = true; - - services.pipewire = { - enable = true; - - alsa = { - enable = true; - support32Bit = true; - }; - - jack.enable = true; - pulse.enable = true; - wireplumber.enable = true; - }; - - programs.zsh.enable = true; - environment.pathsToLink = ["/share/zsh"]; - - users = { - users.fabian = { - isNormalUser = true; - uid = 1002; # nunca cambiar mi ID de usuario - group = "fabian"; - shell = pkgs.zsh; - extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"]; - }; - groups.fabian.gid = 1002; - }; - - services.udev.packages = [ - pkgs.android-udev-rules - ]; - - users.users.temp = { - isNormalUser = true; - extraGroups = ["wheel"]; - }; - - virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm; - virtualisation.libvirtd.qemu.ovmf.enable = true; - virtualisation.libvirtd.qemu.ovmf.packages = [pkgs.OVMFFull.fd]; - virtualisation.libvirtd.enable = true; - programs.dconf.enable = true; - # boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ]; - # boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "vfio-pci.ids=1002:699f,1002:aae0" "video=efifb:off" ]; - virtualisation.libvirtd.onBoot = "start"; - - nix = { - package = pkgs.nixVersions.stable; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - services.openssh.enable = true; - - services.earlyoom = { - enable = true; - enableNotifications = true; - }; - - system.stateVersion = "24.05"; # DO NOT CHANGE + 
time.timeZone = "America/Costa_Rica"; } diff --git a/sys/platforms/posixlycorrect/hardware-configuration.nix b/sys/platforms/posixlycorrect/hardware-configuration.nix index a9feac6..168c7c6 100644 --- a/sys/platforms/posixlycorrect/hardware-configuration.nix +++ b/sys/platforms/posixlycorrect/hardware-configuration.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + flakes, modulesPath, ... }: let @@ -12,7 +13,7 @@ }; in { imports = [ - (modulesPath + "/installer/scan/not-detected.nix") + flakes.nixpkgs.nixosModules.notDetected ]; boot.initrd = { diff --git a/sys/platforms/posixlycorrect/yubikey.nix b/sys/platforms/posixlycorrect/yubikey.nix deleted file mode 100644 index 8b83a12..0000000 --- a/sys/platforms/posixlycorrect/yubikey.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: { - services = { - pcscd.enable = true; - udev.packages = [pkgs.yubikey-personalization]; - }; - - environment.etc."pkcs11/modules/ykcs11".text = '' - module: ${pkgs.yubico-piv-tool}/lib/libykcs11.so - ''; - - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - - security.pam = { - services = { - login.u2fAuth = true; - sudo.u2fAuth = true; - }; - - u2f = { - enable = true; - control = "sufficient"; - settings = { - debug = false; - cue = true; - }; - }; - }; -} diff --git a/sys/platforms/vps/default.nix b/sys/platforms/vps/default.nix index e983e06..2882423 100644 --- a/sys/platforms/vps/default.nix +++ b/sys/platforms/vps/default.nix @@ -1,8 +1,9 @@ { config, - pkgs, lib, + pkgs, flakes, + modulesPath, ... }: with lib; { 
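Review bot: This rewrite silently drops `console.font = "Lat2-Terminus16"` — the removed `console` block set both `font` and `keyMap`, and the `local.sys.baseline` module added elsewhere in this diff only restores `keyMap`, so the host's console font changes. If that is intended, say so in a comment; otherwise add `console.font = "Lat2-Terminus16";` back here or to the baseline. `users.fabian.unixId = 1002` overrides the module's `mkDefault 1000`, and the old `# nunca cambiar mi ID de usuario` warning that explained why was lost in the move; keep it in English at the override, e.g. `# 1002 predates the module default; on-disk ownership depends on it, never change`.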
@@ -10,16 +11,22 @@ with lib; { flakes.vpsadminos.nixosConfigurations.container flakes.home-manager.nixosModules.home-manager flakes.impermanence.nixosModule + ./hardware-configuration.nix ./srv ]; - environment.systemPackages = with pkgs; [ - vim - git - ]; + local.sys = { + baseline.enable = true; + + users.fabian = { + enable = true; + sshKeyPublicFile = [ public_files/pki/fabian.ssh ]; + }; + }; + + networking.hostName = "vps"; services.openssh = { - enable = true; settings.PasswordAuthentication = false; }; @@ -38,71 +45,9 @@ with lib; { }; }; - programs = { - zsh.enable = true; - fuse.userAllowOther = true; - }; - - networking.hostName = "vps"; - - nix = { - package = pkgs.nixVersions.stable; - - extraOptions = '' - experimental-features = nix-command flakes - ''; - - # No me interesa el global registry - settings.flake-registry = ""; - }; - - users = { - users.fabian = { - isNormalUser = true; - uid = 1000; - group = "fabian"; - shell = pkgs.zsh; - extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"]; - openssh.authorizedKeys.keyFiles = [public_files/pki/fabian.ssh]; - }; - groups.fabian.gid = 1000; - }; - systemd.extraConfig = '' DefaultTimeoutStartSec=900s ''; - security.dhparams = { - enable = true; - defaultBitSize = 4096; - }; - - fileSystems = { - "/mnt/export2008" = { - device = "172.16.129.19:/nas/5876"; - fsType = "nfs"; - options = ["nofail" "noatime"]; - }; - - "/mnt/export2011" = { - device = "172.16.129.151:/nas/5876/bepasty"; - fsType = "nfs"; - options = ["nofail" "noatime" "noexec"]; - }; - }; - - services.earlyoom = { - enable = mkDefault true; - enableNotifications = true; - }; - - # Coredumps son un riesgo de seguridad y puden usar mucho disco - systemd.coredump.extraConfig = '' - Storage=none - ProcessSizeMax=0 - ''; - time.timeZone = "Europe/Amsterdam"; - - system.stateVersion = "24.05"; # DO NOT CHANGE } 
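Review bot: `services.openssh.settings.PasswordAuthentication = false;` is now the only sshd hardening left in this file (the `enable` moved to the baseline), and by itself it does not stop password logins: OpenSSH still offers keyboard-interactive, and under PAM that prompts for the same UNIX password. Add `settings.KbdInteractiveAuthentication = false;` beside it, with a comment stating the model, `# key-only: the key comes from local.sys.users.fabian.sshKeyPublicFile`. `sshKeyPublicFile = [ public_files/pki/fabian.ssh ]` uses a relative Nix path that is copied to the store at evaluation, so the public key has to live in the repository next to this file — presumably it does, since the removed `openssh.authorizedKeys.keyFiles` line used the same path. Note that `fabian` is also `admin = true` by the module's default, so this account receives `wheel` here as it did before.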
diff --git a/sys/platforms/vps/hardware-configuration.nix b/sys/platforms/vps/hardware-configuration.nix
new file mode 100644
index 0000000..431b227
--- /dev/null
+++ b/sys/platforms/vps/hardware-configuration.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ pkgs,
+ flakes,
+ modulesPath,
+ ...
+}: let
+in {
+ fileSystems = {
+ "/mnt/export2008" = {
+ device = "172.16.129.19:/nas/5876";
+ fsType = "nfs";
+ options = ["nofail" "noatime"];
+ };
+
+ "/mnt/export2011" = {
+ device = "172.16.129.151:/nas/5876/bepasty";
+ fsType = "nfs";
+ options = ["nofail" "noatime" "noexec"];
+ };
+ };
+}
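Review bot: The two NFS mounts are hardened differently with no stated reason — `/mnt/export2011` is `noexec` while `/mnt/export2008` is not, and neither carries `nosuid` or `nodev`, which matter on a filesystem whose contents are decided by the server at `172.16.129.19` rather than by this host. Unless something executes out of export2008, give both the same set: `options = ["nofail" "noatime" "nosuid" "nodev" "noexec"];`. No `sec=` option is given, so both mounts presumably run with the NFS default AUTH_SYS (uid-based trust in the server and the network); that is a reasonable choice on a provider-private network but deserves a comment, e.g. `# AUTH_SYS NFS: trusts the 172.16/12 storage network; no export is reachable from outside it`. The empty `let in` and the unused `flakes`/`modulesPath` arguments can be dropped.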