diff --git a/flake.lock b/flake.lock index c619c10..610f93c 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1768923567, - "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=", + "lastModified": 1766150702, + "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", "owner": "nix-community", "repo": "disko", - "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28", + "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", "type": "github" }, "original": { @@ -114,11 +114,11 @@ ] }, "locked": { - "lastModified": 1769069492, - "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=", + "lastModified": 1767281941, + "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23", + "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa", "type": "github" }, "original": { @@ -222,11 +222,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1769086393, - "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=", + "lastModified": 1768584846, + "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca", + "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769089682, - "narHash": "sha256-9yA/LIuAVQq0lXelrZPjLuLVuZdm03p8tfmHhnDIkms=", + "lastModified": 1768323494, + "narHash": "sha256-yBXJLE6WCtrGo7LKiB6NOt6nisBEEkguC/lq/rP3zRQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "078d69f03934859a181e81ba987c2bb033eebfc5", + "rev": "2c3e5ec5df46d3aeee2a1da0bfedd74e21f4bf3a", "type": "github" }, "original": { 
@@ -297,11 +297,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "lastModified": 1768564909, + "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f", "type": "github" }, "original": {
@@ -354,11 +354,11 @@ ] }, "locked": { - "lastModified": 1768863606, - "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=", + "lastModified": 1768481291, + "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2", + "rev": "e085e303dfcce21adcb5fec535d65aacb066f101", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index 6660a65..e43d0b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -97,7 +97,6 @@
 keep-sorted.enable = true;
 markdownlint.enable = true;
 nil.enable = true;
- nixf-diagnose.enable = true;
 nixfmt-rfc-style.enable = true;
 shellcheck.enable = true;
 statix.enable = true;
diff --git a/images/base-config.nix b/images/base-config.nix
index e8e24df..afd4800 100644
--- a/images/base-config.nix
+++ b/images/base-config.nix
@@ -50,8 +50,10 @@
 };
 };
- my.profiles.core.nix.enable = true;
- my.profiles.core.packages.enable = true;
+ imports = [
+ ../profiles/core/core.nix
+ ../profiles/core/nix.nix
+ ];
 documentation = {
 enable = lib.mkDefault false;
diff --git a/images/flake-module.nix b/images/flake-module.nix
index bf25a46..a8e7872 100644
--- a/images/flake-module.nix
+++ b/images/flake-module.nix
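Review bot: `imports = [ ../profiles/core/core.nix ../profiles/core/nix.nix ];` takes `core.nix` wholesale, and the new `profiles/core/core.nix` later in this diff ends with `time.timeZone = "Europe/Berlin";`, so the install image now carries a hard-coded timezone that the replaced `my.profiles.core.packages.enable = true;` did not, and it sits under a `# Packages` heading where a reader would not look for it. If the timezone is meant to be shared, the least surprising fix is in `core.nix` itself: add `lib` to its argument set and write `time.timeZone = lib.mkDefault "Europe/Berlin";` so this image or a host can override it without `mkForce`; otherwise the line belongs in a host-level module rather than the package list. The attribute set this hunk edits starts and ends outside it.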
@@ -1,16 +1,10 @@
 { self, ... }:
 let
- inherit (self.inputs) nixos-generators sops-nix;
- defaultModules = [
- {
- imports = [
- ./base-config.nix
- sops-nix.nixosModules.sops
- ];
- _module.args.inputs = self.inputs;
- }
- ../profiles
- ];
+ inherit (self.inputs) nixos-generators;
+ defaultModule = {
+ imports = [ ./base-config.nix ];
+ _module.args.inputs = self.inputs;
+ };
 in
 {
 perSystem =
@@ -20,14 +14,16 @@ in
 install-iso = nixos-generators.nixosGenerate {
 system = "x86_64-linux";
 inherit pkgs;
- modules = defaultModules;
+ modules = [ defaultModule ];
 format = "install-iso";
 };
 # install-sd-aarch64 = nixos-generators.nixosGenerate {
 # system = "aarch64-linux";
 # inherit pkgs;
- # modules = defaultModules;
+ # modules = [
+ # defaultModule
+ # ];
 # format = "sd-aarch64-installer";
 # };
 };
@@ -39,7 +35,8 @@ in
 # {
 # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 # }
- # ] ++ defaultModules;
+ # defaultModule
+ # ];
 # };
 #};
 }
diff --git a/modules/hardware/yubikey/default.nix b/modules/hardware/yubikey/default.nix
index 0b5515b..ae5b085 100644
--- a/modules/hardware/yubikey/default.nix
+++ b/modules/hardware/yubikey/default.nix
@@ -1,6 +1,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }:
 let
diff --git a/modules/services/remote-build/default.nix b/modules/services/remote-build/default.nix
index 5b14924..faa770c 100644
--- a/modules/services/remote-build/default.nix
+++ b/modules/services/remote-build/default.nix
@@ -19,7 +19,6 @@ in
 users.users.nixremote = {
 isSystemUser = true;
 group = "nixremote";
- shell = pkgs.zsh;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYSzDdxqaNHmaaLqEvOK/vB65zvqoCebI3Nxzgg5smq root@workman"
 ];
diff --git a/profiles/core/core.nix b/profiles/core/core.nix
new file mode 100644
index 0000000..b1c697b
--- /dev/null
+++ b/profiles/core/core.nix
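Review bot: `defaultModule` no longer pulls in `sops-nix.nixosModules.sops` or `../profiles`, and nothing in the file says that images are now meant to bypass the profile tree and take only what `base-config.nix` imports; someone later adding a profile that sets `sops.secrets` (as `profiles/core/users.nix` in this diff does) would hit an undeclared-option error with no hint why. A comment on the new binding would record the contract: `# Images import the core files they need directly (see base-config.nix); sops-nix and the profile tree are intentionally left out.` The `perSystem` body continues outside the hunk.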
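Review bot: With `shell = pkgs.zsh;` gone, `users.users.nixremote.shell` falls back to the NixOS default, which for a system user is the nologin shell from `pkgs.shadow`, so the SSH session that `nix` opens to this builder would be refused unless a shell is set elsewhere in the attribute set (which continues outside the hunk). If the intent was only to drop the zsh dependency, `shell = pkgs.bash;` keeps the account usable with the smallest shell. While this account is being touched, the key on the context line could also carry a `command="nix-store --serve --write"` prefix so that it can do nothing except serve builds.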
@@ -0,0 +1,46 @@
+{ pkgs, ... }:
+{
+ # Packages
+ environment.systemPackages = with pkgs; [
+ bandwhich # bandwidth monitor
+ bind # dns tools (dig, etc)
+ borgbackup # backup tool
+ cryptsetup # luks volume management
+ delta # git diff viewer
+ fd # find replacement in rust
+ file # show file type
+ fzf # fuzzy finder
+ gettext # localization tools
+ git # version control
+ gptfdisk # disk partitioning tools
+ htop # process monitor
+ jq # json processor
+ killall # kill processes by name
+ lsof # list open files
+ mosh # mobile shell
+ mtr # network diagnostic tool
+ multipath-tools # disk multipathing tools (kpartx)
+ neovim # text editor
+ nmap # network scanner
+ nmon # performance monitor
+ ouch # de-/compression tool
+ pciutils # lspci
+ progress # show progress of coreutils commands
+ pv # pipe viewer
+ reptyr # reparent process to new terminal
+ rsync # remote file sync
+ screen # terminal multiplexer
+ sd # sed replacement
+ stress-ng # stress testing
+ tmux # terminal multiplexer
+ unzip # unzip tools
+ usbutils # lsusb
+ vim # text editor
+ wget # file downloader
+ whois # domain lookup
+ xcp # rust cp replacement
+ zip # zip tools
+ ];
+
+ time.timeZone = "Europe/Berlin";
+}
diff --git a/profiles/core/default.nix b/profiles/core/default.nix
index 8f250b8..da72c2b 100644
--- a/profiles/core/default.nix
+++ b/profiles/core/default.nix
@@ -1,31 +1,23 @@
 {
 config,
 lib,
+ pkgs,
+ inputs,
 ...
-}:
+}@args:
 let
 cfg = config.my.profiles.core;
 in
 {
- imports = [
- ./kernel-modules.nix
- ./network.nix
- ./nix.nix
- ./packages.nix
- ./users.nix
- ];
-
 options.my.profiles.core.enable = lib.mkEnableOption "core profile";
- config = lib.mkIf cfg.enable {
- my.profiles.core = {
- packages.enable = lib.mkDefault true;
- kernel-modules.enable = lib.mkDefault true;
- network.enable = lib.mkDefault true;
- nix.enable = lib.mkDefault true;
- users.enable = lib.mkDefault true;
- };
-
- time.timeZone = "Europe/Berlin";
- };
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ (import ./core.nix args)
+ (import ./modules.nix args)
+ (import ./network.nix args)
+ (import ./nix.nix args)
+ (import ./users.nix args)
+ ]
+ );
 }
diff --git a/profiles/core/kernel-modules.nix b/profiles/core/kernel-modules.nix
deleted file mode 100644
index 04791f6..0000000
--- a/profiles/core/kernel-modules.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.my.profiles.core.kernel-modules;
-in
-{
- options.my.profiles.core.kernel-modules.enable = lib.mkEnableOption "kernel module profile";
-
- config = lib.mkIf cfg.enable {
- boot.initrd.availableKernelModules = [
- "ahci"
- "e1000e"
- "ehci_pci"
- "nvme"
- "sd_mod"
- "uas"
- "usbhid"
- "usb_storage"
- "xhci_pci"
- ];
- };
-}
diff --git a/profiles/core/modules.nix b/profiles/core/modules.nix
new file mode 100644
index 0000000..9d0faec
--- /dev/null
+++ b/profiles/core/modules.nix
@@ -0,0 +1,15 @@
+_: {
+ boot.initrd = {
+ availableKernelModules = [
+ "ahci"
+ "e1000e"
+ "ehci_pci"
+ "nvme"
+ "sd_mod"
+ "uas"
+ "usbhid"
+ "usb_storage"
+ "xhci_pci"
+ ];
+ };
+}
diff --git a/profiles/core/network.nix b/profiles/core/network.nix
index e5c2568..b620223 100644
--- a/profiles/core/network.nix
+++ b/profiles/core/network.nix
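Review bot: `lib.mkMerge [ (import ./core.nix args) … ]` calls the five files as plain functions and merges their return values as config, so the module system never sees them as modules: an `imports` or `options` key added to one of them later would not be honored but would surface as an unknown option under `config` and fail evaluation. That is fine while each file stays a bare attribute set of config values, as they all do in this commit, but the contract is invisible; a comment above the `mkMerge` would protect it: `# Merged as plain config, not loaded as modules: these files must not declare imports or options.` The module-system alternative would be to keep `imports = [ … ]` and guard each file with `config = lib.mkIf config.my.profiles.core.enable { … };`.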
@@ -1,20 +1,12 @@
-{ config, lib, ... }:
-let
- cfg = config.my.profiles.core.network;
-in
-{
- options.my.profiles.core.network.enable = lib.mkEnableOption "core network profile";
+_: {
+ networking.networkmanager = {
+ enable = true;
- config = lib.mkIf cfg.enable {
- networking.networkmanager = {
- enable = true;
-
- unmanaged = [
- "interface-name:br-*" # docker compose bridges
- "interface-name:docker?" # docker default bridge
- "interface-name:veth*" # docker veth devices
- "interface-name:virbr?" # libvirt default bridge
- ];
- };
+ unmanaged = [
+ "interface-name:br-*" # docker compose bridges
+ "interface-name:docker?" # docker default bridge
+ "interface-name:veth*" # docker veth devices
+ "interface-name:virbr?" # libvirt default bridge
+ ];
 };
 }
diff --git a/profiles/core/nix.nix b/profiles/core/nix.nix
index 8442ecb..05e2073 100644
--- a/profiles/core/nix.nix
+++ b/profiles/core/nix.nix
@@ -1,49 +1,36 @@
+{ inputs, ... }:
 {
- config,
- lib,
- inputs,
- ...
-}:
-let
- cfg = config.my.profiles.core.nix;
-in
-{
- options.my.profiles.core.nix.enable = lib.mkEnableOption "core nix profile";
+ nix = {
+ daemonCPUSchedPolicy = "idle";
+ daemonIOSchedClass = "idle";
- config = lib.mkIf cfg.enable {
-
- nix = {
- daemonCPUSchedPolicy = "idle";
- daemonIOSchedClass = "idle";
-
- settings = {
- trusted-users = [
- "root"
- "@wheel"
- ];
- auto-optimise-store = true;
- builders-use-substitutes = true;
- };
-
- gc = {
- automatic = true;
- options = "--delete-older-than 30d";
- };
-
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
-
- registry = {
- nixpkgs.flake = inputs.nixpkgs;
- unstable.flake = inputs.nixpkgs-unstable;
- };
+ settings = {
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ auto-optimise-store = true;
+ builders-use-substitutes = true;
 };
- # auto upgrade with own flakes
- system.autoUpgrade = {
- enable = true;
- flake = "github:Stunkymonkey/nixos";
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 30d";
+ };
+
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ registry = {
+ nixpkgs.flake = inputs.nixpkgs;
+ unstable.flake = inputs.nixpkgs-unstable;
 };
 };
+
+ # auto upgrade with own flakes
+ system.autoUpgrade = {
+ enable = true;
+ flake = "github:Stunkymonkey/nixos";
+ };
 }
diff --git a/profiles/core/packages.nix b/profiles/core/packages.nix
deleted file mode 100644
index aa02e80..0000000
--- a/profiles/core/packages.nix
+++ /dev/null
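Review bot: `trusted-users = [ "root" "@wheel" ];` in the new `settings` block gives every wheel member root-equivalent control of the nix daemon (arbitrary substituters and other daemon settings), and nothing in the file records why that is acceptable; because this file is now a plain module that `images/base-config.nix` imports directly, the setting also lands in the install image. A comment on that line would capture the trade-off: `# root-equivalent on the daemon; wheel already has sudo, so no extra privilege is granted`. Separately, `flake = "github:Stunkymonkey/nixos";` under `system.autoUpgrade` follows the repository's default branch at upgrade time rather than a reviewed revision; if hosts should only move to vetted states, point it at a release branch or tag.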
@@ -1,55 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- cfg = config.my.profiles.core.packages;
-in
-{
- options.my.profiles.core.packages.enable = lib.mkEnableOption "core packages profile";
- config = lib.mkIf cfg.enable {
- environment.systemPackages = with pkgs; [
- bandwhich # bandwidth monitor
- bind # dns tools (dig, etc)
- borgbackup # backup tool
- cryptsetup # luks volume management
- delta # git diff viewer
- fd # find replacement in rust
- file # show file type
- fzf # fuzzy finder
- gettext # localization tools
- git # version control
- gptfdisk # disk partitioning tools
- htop # process monitor
- jq # json processor
- killall # kill processes by name
- lsof # list open files
- mosh # mobile shell
- mtr # network diagnostic tool
- multipath-tools # disk multipathing tools (kpartx)
- neovim # text editor
- nmap # network scanner
- nmon # performance monitor
- ouch # de-/compression tool
- pciutils # lspci
- progress # show progress of coreutils commands
- pv # pipe viewer
- reptyr # reparent process to new terminal
- rsync # remote file sync
- screen # terminal multiplexer
- sd # sed replacement
- stress-ng # stress testing
- tmux # terminal multiplexer
- unzip # unzip tools
- usbutils # lsusb
- vim # text editor
- wget # file downloader
- whois # domain lookup
- xcp # rust cp replacement
- zip # zip tools
- ];
- };
-}
diff --git a/profiles/core/users.nix b/profiles/core/users.nix
index c0301a4..0455088 100644
--- a/profiles/core/users.nix
+++ b/profiles/core/users.nix
@@ -1,42 +1,35 @@
-{ config, lib, ... }:
-let
- cfg = config.my.profiles.core.users;
-in
+{ config, ... }:
 {
- options.my.profiles.core.users.enable = lib.mkEnableOption "core users profile";
+ sops.secrets."users/felix/password".neededForUsers = true;
+ sops.secrets."users/felix/password" = { };
- config = lib.mkIf cfg.enable {
- sops.secrets."users/felix/password".neededForUsers = true;
- sops.secrets."users/felix/password" = { };
+ users.users.felix = {
+ isNormalUser = true;
+ home = "/home/felix";
+ group = "felix";
+ extraGroups = [
+ "adbusers" # adb control
+ "audio" # sound control
+ "cdrom" # emulate cds
+ "dialout" # serial-console
+ "docker" # usage of `docker` socket
+ "input" # mouse control
+ "libvirtd" # kvm control
+ "networkmanager" # wireless configuration
+ "podman" # usage of `podman` socket
+ "seat" # access to input devices
+ "video" # screen control
+ "wheel" # `sudo` for the user.
+ ];
+ hashedPasswordFile = config.sops.secrets."users/felix/password".path;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
+ "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHhjrfqyOS+M9ATSTVr9JXPERBXOow/ZmkWICjbtbEgXAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0x ssh:felix-personal-1"
+ "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMHExVOrEevQ+bwrrW3cXCO7Y/SyA+7wG+b6ZvAWY4MJAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0y ssh:felix-personal-2"
+ ];
+ };
- users.users.felix = {
- isNormalUser = true;
- home = "/home/felix";
- group = "felix";
- extraGroups = [
- "adbusers" # adb control
- "audio" # sound control
- "cdrom" # emulate cds
- "dialout" # serial-console
- "docker" # usage of `docker` socket
- "input" # mouse control
- "libvirtd" # kvm control
- "networkmanager" # wireless configuration
- "podman" # usage of `podman` socket
- "seat" # access to input devices
- "video" # screen control
- "wheel" # `sudo` for the user.
- ];
- hashedPasswordFile = config.sops.secrets."users/felix/password".path;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
- "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHhjrfqyOS+M9ATSTVr9JXPERBXOow/ZmkWICjbtbEgXAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0x ssh:felix-personal-1"
- "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMHExVOrEevQ+bwrrW3cXCO7Y/SyA+7wG+b6ZvAWY4MJAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0y ssh:felix-personal-2"
- ];
- };
-
- users.groups.felix = {
- gid = 1000;
- };
+ users.groups.felix = {
+ gid = 1000;
 };
 }