nix/modules/nixos/default.nix
Daniel Flanagan 556c58f0fb
Some checks failed
/ check (push) Has been cancelled
Merge remote-tracking branch 'origin/main'
2024-09-30 09:16:13 -05:00

1229 lines
26 KiB
Nix

{
disko,
sops-nix,
style,
flakeInputs,
homeManagerModules,
home-manager,
home-manager-unstable,
helix,
nixosModules,
pubkey,
overlays,
}: {
ewwbar = {pkgs, ...}: {
# imports = with nixosModules; [];
environment.systemPackages = with pkgs; [eww upower jq];
# TODO: include the home-manager modules for daniel?
};
hyprland = {pkgs, ...}: {
imports = with nixosModules; [
ewwbar
pipewire
];
programs.hyprland = {
enable = true;
};
environment.systemPackages = with pkgs; [hyprpaper xwaylandvideobridge socat];
programs.hyprland = {
package = flakeInputs.hyprland.packages.${pkgs.system}.hyprland;
};
# TODO: include the home-manager modules for daniel?
};
sway = {pkgs, ...}: {
imports = with nixosModules; [
pipewire
];
home-manager.users.daniel = {
imports = with homeManagerModules; [
sway
];
};
programs.sway = {
enable = true;
wrapperFeatures.gtk = true;
};
# services.xserver.libinput.enable = true;
# TODO: a lot of this probably needs de-duping with hyprland?
services.gnome.gnome-keyring.enable = true;
xdg.portal = {
enable = true;
wlr.enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
];
};
services.dbus.enable = true;
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [thunar-archive-plugin thunar-volman];
};
services.gvfs = {
enable = true;
};
environment = {
variables = {
VISUAL = "hx";
PAGER = "less";
MANPAGER = "less";
};
systemPackages = with pkgs; [
brightnessctl
feh
grim
libinput
libinput-gestures
libnotify
mako
noto-fonts
pamixer
playerctl
pulseaudio
pulsemixer
slurp
swaybg
swayidle
swaylock
swayosd
tofi
waybar
wl-clipboard
zathura
/*
gimp
inkscape
krita
lutris
nil
nixpkgs-fmt
pavucontrol
rclone
restic
steam
vlc
vulkan-tools
weechat
wine
*/
];
};
};
deno-netlify-ddns-client = import ./deno-netlify-ddns-client.nix;
fallback-hostname = {lib, ...}: {
networking.hostName = lib.mkDefault "set-a-hostname-dingus";
};
no-giant-logs = {lib, ...}: {
services.journald.extraConfig = lib.mkDefault "SystemMaxUse=1G";
};
allow-redistributable-firmware = {lib, ...}: {
hardware.enableRedistributableFirmware = lib.mkDefault true;
};
home-manager-defaults = {
imports = [
# enable home-manager
home-manager.nixosModules.home-manager
];
home-manager.useGlobalPkgs = true;
home-manager.backupFileExtension = "hm-backup";
};
home-manager-unstable-defaults = {
imports = [
# enable home-manager
home-manager-unstable.nixosModules.home-manager
];
home-manager.useGlobalPkgs = true;
home-manager.backupFileExtension = "hm-backup";
};
mdns-and-lan-service-discovery = {
services.avahi = {
enable = true;
reflector = true;
openFirewall = true;
nssmdns4 = true;
};
};
less-pager = {pkgs, ...}: {
environment = {
systemPackages = [
pkgs.less
];
variables = {
PAGER = "less";
MANPAGER = "less";
};
};
};
helix-text-editor = {pkgs, ...}: {
environment = {
systemPackages = [
pkgs.less
helix.packages.${pkgs.system}.helix
];
variables = {
EDITOR = "hx";
SYSTEMD_EDITOR = "hx";
VISUAL = "hx";
};
};
};
zellij-multiplexer = {pkgs, ...}: {
environment.systemPackages = [
pkgs.zellij
];
};
fish-shell = {
pkgs,
lib,
...
}: {
programs.fish = {
enable = true;
};
users = {
defaultUserShell = pkgs.fish;
};
};
nix-index = {
enable = true;
enableBashIntegration = true;
enableFishIntegration = true;
enableZshIntegration = true;
};
my-favorite-default-system-apps = {pkgs, ...}: {
imports = with nixosModules; [
less-pager
helix-text-editor
zellij-multiplexer
fish-shell
];
environment.systemPackages = with pkgs; [
curl
dua
eza # TODO: needs shell aliases
fd
file
iputils
nettools
/*
nodePackages.bash-language-server # just pull in as needed?
shellcheck
shfmt
*/
killall
ripgrep
rsync
sd
];
programs = {
traceroute.enable = true;
git = {
enable = true;
package = pkgs.gitFull;
lfs.enable = true;
};
};
};
mosh = {lib, ...}: {
programs.mosh = {
enable = true;
openFirewall = lib.mkDefault true;
};
};
remote-disk-key-entry-on-boot = {
lib,
pkgs,
...
}: {
/*
https://nixos.wiki/wiki/Remote_disk_unlocking
"When using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang."
^ seems less than ideal
*/
boot.kernelParams = ["ip=dhcp"];
boot.initrd = {
# availableKernelModules = ["r8169"]; # ethernet drivers
systemd.users.root.shell = "/bin/cryptsetup-askpass";
network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = [pubkey];
hostKeys = ["/etc/secrets/initrd/ssh_host_rsa_key"];
};
};
};
};
ssh-server = {lib, ...}: {
# enable an ssh server and provide root access with my primary public key
users.users.root = {
openssh.authorizedKeys.keys = [pubkey];
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "prohibit-password";
};
openFirewall = lib.mkDefault true;
/*
listenAddresses = [
{ addr = "0.0.0.0"; port = 22; }
];
*/
};
};
password-manager = {pkgs, ...}: {
/*
programs.goldwarden = {
## NOTE: This didn't seem to work for me, but would be awesome! (but I can't remember why?)
enable = true;
};
*/
home-manager.users.daniel = {
imports = with homeManagerModules; [
password-manager
];
};
};
linux = {pkgs, ...}: {
home-manager.users.daniel = {
imports = with homeManagerModules; [
linux
];
};
};
tailscale = {lib, ...}: {
services.tailscale = {
enable = true;
useRoutingFeatures = lib.mkDefault "client";
};
};
default-nix-configuration-and-overlays = {
lib,
config,
...
}: {
nixpkgs = {
overlays = with overlays; [
additions
modifications
unstable-packages
];
config.allowUnfree = true;
};
nix = {
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
# registry = lib.mapAttrs (_: value: {flake = value;}) flakeInputs;
settings = {
trusted-users = ["root" "daniel"];
experimental-features = lib.mkDefault ["nix-command" "flakes"];
substituters = [
# TODO: dedupe with flake's config? is that even necessary?
"https://cache.nixos.org/"
"https://helix.cachix.org"
"https://nix-community.cachix.org"
"https://nix.h.lyte.dev"
"https://hyprland.cachix.org"
];
trusted-public-keys = [
# TODO: dedupe with flake's config? is that even necessary?
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
];
auto-optimise-store = true;
};
};
};
laptop = {pkgs, ...}: {
imports = with nixosModules; [
family-users
wifi
];
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
'';
services.upower.enable = true;
# NOTE: I previously let plasma settings handle this
services.logind = {
lidSwitch = "suspend-then-hibernate";
extraConfig = ''
HandleLidSwitchDocked=ignore
HandlePowerKey=suspend-then-hibernate
IdleActionSec=11m
IdleAction=suspend-then-hibernate
'';
};
};
emacs = {pkgs, ...}: {
environment.systemPackages = with pkgs; [
emacs
];
home-manager.users.daniel = {
imports = with homeManagerModules; [
emacs
];
};
};
development-tools = {pkgs, ...}: {
imports = with nixosModules; [
postgres
podman
troubleshooting-tools
emacs
];
environment.sessionVariables.NIXOS_OZONE_WL = "1";
programs.neovim = {
enable = true;
/*
plugins = [
pkgs.vimPlugins.nvim-treesitter.withAllGrammars
];
*/
};
environment.systemPackages = with pkgs; [
taplo # toml language server for editing helix configs per repo
pgcli
oil
watchexec
android-tools
kubectl
stern
libresprite
# logseq
audacity
wol
shellcheck
skim
sops
gron
shfmt
vscode-langservers-extracted
nodePackages.bash-language-server
nodePackages.yaml-language-server
xh
curl
google-chrome
];
hardware.gpgSmartcards.enable = true;
services.udev.packages = with pkgs; [
# TODO: I think these get the whole package pulled in... should find out
# if there's a way to get just the rules and not 4 chromes
platformio
openocd
pkgs.yubikey-personalization
via
];
programs.adb.enable = true;
users.users.daniel.extraGroups = ["adbusers"];
home-manager.users.daniel = {
home.packages = with pkgs; [
yubikey-personalization
yubikey-manager
yubico-piv-tool
];
programs.thunderbird = {
enable = true;
profiles = {
daniel = {
isDefault = true;
# name = "daniel";
};
};
};
programs.nushell = {
enable = true;
};
programs.jujutsu = {
enable = true;
};
programs.k9s = {
enable = true;
};
programs.vscode = {
enable = true;
};
programs.jq = {
enable = true;
};
programs.chromium = {
enable = true;
};
programs.btop = {
enable = true;
package = pkgs.btop.override {
rocmSupport = true;
};
};
};
};
troubleshooting-tools = {pkgs, ...}: {
environment.systemPackages = with pkgs; [
comma
iftop
bottom
btop
dnsutils
dogdns
htop
inetutils
nmap
pciutils
hexyl
pkgs.unixtools.xxd
usbutils
comma
];
};
music-consumption = {pkgs, ...}: {
environment = {
systemPackages = with pkgs; [
spotube
spotdl
];
};
};
video-tools = {pkgs, ...}: {
environment = {
systemPackages = with pkgs; [
ffmpeg-full
obs-studio
];
};
};
graphical-workstation = {
pkgs,
lib,
options,
config,
...
}: {
imports = with nixosModules; [
sway
# hyprland
enable-flatpaks-and-appimages
fonts
development-tools
printing
music-consumption
video-tools
];
xdg.portal.enable = true;
hardware =
if builtins.hasAttr "graphics" options.hardware
then {
graphics = {
enable = true;
/*
driSupport32Bit = true;
driSupport = true;
*/
};
}
else {
opengl = {
enable = true;
driSupport32Bit = true;
driSupport = true;
};
};
environment = {
systemPackages = with pkgs; [
libnotify
slides
];
variables = {
/*
GTK_THEME = "Catppuccin-Mocha-Compact-Sapphire-Dark";
GTK_USE_PORTAL = "1";
*/
};
};
};
# gnome = {};
# intel = {};
kde-connect = {
programs.kdeconnect.enable = true;
/*
# handled by enabling
networking.firewall = {
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
};
*/
};
fonts = {pkgs, ...}: {
fonts.packages = with pkgs; [
(nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
pkgs.iosevkaLyteTerm
];
};
plasma6 = {
pkgs,
lib,
...
}: {
imports = with nixosModules; [
kde-connect
pipewire
];
services.xserver.enable = true;
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
};
services.desktopManager.plasma6.enable = true;
programs.dconf.enable = true;
services.xrdp.enable = false;
services.xrdp.defaultWindowManager = "plasma";
services.xrdp.openFirewall = false;
environment.systemPackages = with pkgs; [
wl-clipboard
inkscape
krita
noto-fonts
vlc
wl-clipboard
kdePackages.qtvirtualkeyboard
maliit-keyboard
maliit-framework
kdePackages.kate
kdePackages.kcalc
kdePackages.filelight
kdePackages.krdc
kdePackages.krfb
kdePackages.kclock
kdePackages.kweather
kdePackages.ktorrent
kdePackages.kdeplasma-addons
unstable-packages.kdePackages.krdp
/*
kdePackages.kdenlive
kdePackages.merkuro
kdePackages.neochat
kdePackages.kdevelop
kdePackages.kdialog
*/
];
programs.gnupg.agent.pinentryPackage = pkgs.pinentry-tty;
};
lutris = {pkgs, ...}: {
environment = {
systemPackages = with pkgs; [
wineWowPackages.waylandFull
lutris
winetricks
];
};
};
gaming = {pkgs, ...}: {
imports = with nixosModules; [
lutris
steam
];
environment = {
systemPackages = with pkgs; [
ludusavi
# ludusavi uses rclone
rclone
];
};
};
pipewire = {
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
# wireplumber.enable = true; # this is default now
wireplumber.extraConfig = {
"monitor.bluez.properties" = {
"bluez5.enable-sbc-xq" = true;
"bluez5.enable-msbc" = true;
"bluez5.enable-hw-volume" = true;
"bluez5.roles" = ["hsp_hs" "hsp_ag" "hfp_hf" "hfp_ag"];
};
};
extraConfig.pipewire."91-null-sinks" = {
"context.objects" = [
{
# A default dummy driver. This handles nodes marked with the "node.always-driver"
# properyty when no other driver is currently active. JACK clients need this.
factory = "spa-node-factory";
args = {
"factory.name" = "support.node.driver";
"node.name" = "Dummy-Driver";
"priority.driver" = 8000;
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Microphone-Proxy";
"node.description" = "Microphone";
"media.class" = "Audio/Source/Virtual";
"audio.position" = "MONO";
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Main-Output-Proxy";
"node.description" = "Main Output";
"media.class" = "Audio/Sink";
"audio.position" = "FL,FR";
};
}
];
};
/*
extraConfig.pipewire."92-low-latency" = {
context.properties = {
default.clock.rate = 48000;
default.clock.quantum = 32;
default.clock.min-quantum = 32;
default.clock.max-quantum = 32;
};
};
*/
};
# recommended by https://nixos.wiki/wiki/PipeWire
security.rtkit.enable = true;
/*
services.pipewire = {
enable = true;
wireplumber.enable = true;
pulse.enable = true;
jack.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
hardware = {
pulseaudio = {
enable = false;
support32Bit = true;
};
};
security = {
# I forget why I need these exactly...
polkit.enable = true;
rtkit.enable = true;
};
*/
};
music-production = {pkgs, ...}: {
/*
TODO: may want to force nixpkgs-stable for a more-stable music production
environment?
*/
imports = [
{
environment.systemPackages = with pkgs; [
helvum # pipewire graph/patchbay GUI
ardour # DAW
helm # synth
];
}
];
/*
TODO: things to look into for music production:
- https://linuxmusicians.com/viewtopic.php?t=27016
- KXStudio?
- falktx (https://github.com/DISTRHO/Cardinal)
*/
};
podman = {pkgs, ...}: {
environment = {
systemPackages = with pkgs; [
podman-compose
];
};
virtualisation = {
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
# networkSocket.enable = true;
};
oci-containers = {
backend = "podman";
};
};
};
postgres = {pkgs, ...}: {
# this is really just for development usage
services.postgresql = {
enable = true;
ensureDatabases = ["daniel"];
ensureUsers = [
{
name = "daniel";
ensureDBOwnership = true;
}
];
# enableTCPIP = true;
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all postgres peer map=superuser_map
local all daniel peer map=superuser_map
local sameuser all peer map=superuser_map
# lan ipv4
host all all 10.0.0.0/24 trust
host all all 127.0.0.1/32 trust
# tailnet ipv4
host all all 100.64.0.0/10 trust
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map postgres postgres
superuser_map daniel postgres
superuser_map /^(.*)$ \1 # Let other names login as themselves
'';
};
environment.systemPackages = with pkgs; [
pgcli
];
};
printing = {pkgs, ...}: {
services.printing.enable = true;
services.printing.browsing = true;
services.printing.browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
services.printing.drivers = [pkgs.gutenprint];
};
enable-flatpaks-and-appimages = {
services.flatpak.enable = true;
programs.appimage.binfmt = true;
};
wifi = {lib, ...}: let
inherit (lib) mkDefault;
in {
networking.networkmanager.enable = mkDefault true;
systemd.services.NetworkManager-wait-online.enable = mkDefault false;
/*
TODO: networking.networkmanager.wifi.backend = "iwd"; ?
TODO: powersave?
TODO: can I pre-configure my usual wifi networks with SSIDs and PSKs loaded from secrets?
*/
hardware.wirelessRegulatoryDatabase = true;
boot.extraModprobeConfig = ''
options cfg80211 ieee80211_regdom="US"
'';
};
steam = {pkgs, ...}: {
# programs.gamescope.enable = true;
programs.steam = {
enable = true;
/*
extest.enable = true;
gamescopeSession.enable = true;
extraPackages = with pkgs; [
gamescope
];
*/
extraCompatPackages = with pkgs; [
proton-ge-bin
];
localNetworkGameTransfers.openFirewall = true;
remotePlay.openFirewall = true;
};
hardware.steam-hardware.enable = true;
services.udev.packages = with pkgs; [steam];
environment.systemPackages = with pkgs; [
dualsensectl # for interfacing with dualsense controllers programmatically
];
# remote play ports - should be unnecessary due to programs.steam.remotePlay.openFirewall = true;
/*
networking.firewall.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
networking.firewall.allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
*/
};
root = {
pkgs,
lib,
...
}: {
users.users.root = {
home = "/root";
createHome = true;
openssh.authorizedKeys.keys = [pubkey];
shell = lib.mkForce pkgs.fish;
};
home-manager.users.root = {
imports = [homeManagerModules.common];
home = {
username = "root";
homeDirectory = "/root";
stateVersion = pkgs.lib.mkDefault "24.05";
};
};
};
daniel = {pkgs, ...}: let
username = "daniel";
in {
users.groups.${username} = {};
users.users.${username} = {
isNormalUser = true;
home = "/home/${username}/.home";
createHome = true;
openssh.authorizedKeys.keys = [pubkey];
group = username;
extraGroups = ["users" "wheel" "video" "dialout" "uucp"];
packages = [];
};
home-manager.users.daniel = {
imports = [homeManagerModules.common];
home = {
username = "daniel";
homeDirectory = "/home/daniel/.home";
stateVersion = pkgs.lib.mkDefault "24.05";
};
accounts.email.accounts = {
primary = {
primary = true;
address = "daniel@lyte.dev";
};
legacy = {
address = "wraithx2@gmail.com";
};
io = {
# TODO: finalize deprecation
address = "daniel@lytedev.io";
};
};
};
};
valerie = let
username = "valerie";
in {
users.groups.${username} = {};
users.users.${username} = {
isNormalUser = true;
home = "/home/${username}";
createHome = true;
openssh.authorizedKeys.keys = [pubkey];
group = username;
extraGroups = ["users" "video"];
packages = [];
};
};
flanfam = let
username = "flanfam";
in {
users.groups.${username} = {};
users.users.${username} = {
isNormalUser = true;
home = "/home/${username}";
createHome = true;
openssh.authorizedKeys.keys = [pubkey];
group = username;
extraGroups = ["users" "video"];
packages = [];
};
};
family-users = {
imports = with nixosModules; [
# daniel # part of common
valerie
flanfam
];
};
# a common module that is intended to be imported by all NixOS systems
common = {
lib,
pkgs,
modulesPath,
...
}: {
imports = with nixosModules; [
(modulesPath + "/installer/scan/not-detected.nix")
default-nix-configuration-and-overlays
# allow any machine to make use of sops secrets
sops-nix.nixosModules.sops
# allow disko modules to manage disk config
disko.nixosModules.disko
fallback-hostname
no-giant-logs
allow-redistributable-firmware
mdns-and-lan-service-discovery
tailscale
ssh-server
my-favorite-default-system-apps
mosh
daniel
root
];
boot.tmp.useTmpfs = true;
systemd.services.nix-daemon = {
environment.TMPDIR = "/var/tmp";
};
boot.tmp.cleanOnBoot = true;
services.irqbalance.enable = true;
services.kanidm = {
enableClient = true;
enablePam = true;
package = pkgs.kanidm;
clientSettings.uri = "https://idm.h.lyte.dev";
unixSettings = {
# hsm_pin_path = "/somewhere/else";
pam_allowed_login_groups = [];
};
};
systemd.tmpfiles.rules = [
"d /etc/kanidm 1755 nobody users -"
];
# module has the incorrect file permissions out of the box
environment.etc = {
/*
"kanidm" = {
enable = true;
user = "nobody";
group = "users";
mode = "0755";
};
*/
"kanidm/unixd" = {
user = "kanidm-unixd";
group = "kanidm-unixd";
mode = "0700";
};
"kanidm/config" = {
user = "nobody";
group = "users";
mode = "0755";
};
};
programs.gnupg.agent = {
enable = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-tty;
};
time = {
timeZone = "America/Chicago";
};
i18n = {
defaultLocale = lib.mkDefault "en_US.UTF-8";
};
services = {
xserver.xkb = {
layout = lib.mkDefault "us";
# have the caps-lock key instead be a ctrl key
options = lib.mkDefault "ctrl:nocaps";
};
smartd.enable = true;
fwupd.enable = true;
};
console = {
# font = "Lat2-Terminus16"; # TODO: would like this font for non-hidpi displays, but this is not dynamic enough?
useXkbConfig = lib.mkDefault true;
earlySetup = lib.mkDefault true;
colors = with style.colors; [
bg
red
green
orange
blue
purple
yellow
fg3
fgdim
red
green
orange
blue
purple
yellow
fg
];
};
networking = {
useDHCP = lib.mkDefault true;
firewall = {
enable = lib.mkDefault true;
allowPing = lib.mkDefault true;
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
system.stateVersion = lib.mkDefault "24.05";
};
# intended to be auto-logged in and only run a certain application
# flanfamkiosk = {};
}