restructured repo to support nix-darwin

This commit is contained in:
Leyla Becker 2024-11-25 16:58:12 -06:00
parent 3924a5aa8d
commit 0d0443a02a
47 changed files with 111 additions and 34 deletions


@ -0,0 +1,12 @@
# this folder container modules that are for nixos only
{...}: {
imports = [
./home-manager
./system.nix
./hardware.nix
./users.nix
./desktop.nix
./nix-development.nix
./i18n.nix
];
}
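Review bot: The header comment reads `# this folder container modules that are for nixos only`; `contains` is the intended word, so `# this folder contains modules that are for nixos only`. Beyond that the file is only the import list and needs nothing else.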


@ -0,0 +1,58 @@
{
lib,
pkgs,
config,
...
}: {
options.host.desktop.enable = lib.mkEnableOption "should desktop configuration be enabled";
config = lib.mkMerge [
{
host.desktop.enable = lib.mkDefault true;
}
(lib.mkIf config.host.desktop.enable {
services = {
# Enable CUPS to print documents.
printing.enable = true;
xserver = {
# Enable the X11 windowing system.
enable = true;
# Enable the GNOME Desktop Environment.
displayManager.gdm.enable = true;
desktopManager = {
gnome.enable = true;
};
# Get rid of xTerm
desktopManager.xterm.enable = false;
excludePackages = [pkgs.xterm];
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
automatic-timezoned = {
enable = true;
};
};
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
# enable RealtimeKit for pulse audio
security.rtkit.enable = true;
})
];
}
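Review bot: `host.desktop.enable = lib.mkDefault true;` means every host that imports this module gets GDM, X11, CUPS (`printing.enable = true`), pipewire and rtkit unless it explicitly opts out, and the service accounts declared in the users module (jellyfin, forgejo, pihole, headscale, nextcloud) suggest headless hosts exist in this repo. A print daemon and a display manager on a server are needless attack surface; I would default to `lib.mkDefault false` and enable it per desktop host, or at least add a comment that servers must set `host.desktop.enable = false;`. Separately, `mkEnableOption` already prefixes "Whether to enable", so the option text renders as "Whether to enable should desktop configuration be enabled."; `lib.mkEnableOption "the GNOME desktop stack (X11, GDM, CUPS, pipewire)"` reads correctly.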


@ -0,0 +1,16 @@
{lib, ...}: {
options.host.hardware = {
piperMouse = {
enable = lib.mkEnableOption "host has a piper mouse";
};
viaKeyboard = {
enable = lib.mkEnableOption "host has a via keyboard";
};
openRGB = {
enable = lib.mkEnableOption "host has open rgb hardware";
};
graphicsAcceleration = {
enable = lib.mkEnableOption "host has a gpu for graphical acceleration";
};
};
}


@ -0,0 +1,7 @@
# modules in this folder are to adapt home-manager modules configs to nixos-module configs
{...}: {
imports = [
./flipperzero.nix
./i18n.nix
];
}


@ -0,0 +1,9 @@
{
lib,
config,
...
}: let
home-users = lib.attrsets.mapAttrsToList (_: user: user) config.home-manager.users;
in {
hardware.flipperzero.enable = lib.lists.any (home-user: home-user.hardware.flipperzero.enable) home-users;
}
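Review bot: `home-user.hardware.flipperzero.enable` is read unconditionally for every home-manager user; if `hardware.flipperzero` is a custom home-manager option that is not imported into every user's config, evaluation fails with a missing-attribute error instead of treating that user as "off". `home-user.hardware.flipperzero.enable or false` preserves the current behaviour for users who declare it and degrades gracefully for those who do not. A header comment would also help, e.g. `# turn on the NixOS flipperzero module (udev rules) if any home-manager user on this host asks for it`, since the resulting udev rules apply host-wide rather than per user.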


@ -0,0 +1,26 @@
{
lib,
config,
...
}: let
home-users = lib.attrsets.mapAttrsToList (_: user: user) config.home-manager.users;
in {
config = {
i18n.supportedLocales =
lib.unique
(builtins.map (l: (lib.replaceStrings ["utf8" "utf-8" "UTF8"] ["UTF-8" "UTF-8" "UTF-8"] l) + "/UTF-8") (
[
"C.UTF-8"
"en_US.UTF-8"
config.i18n.defaultLocale
]
++ (lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings))
++ (
map (user-config: user-config.i18n.defaultLocale) home-users
)
++ (lib.lists.flatten (
map (user-config: lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") user-config.i18n.extraLocaleSettings)) home-users
))
));
};
}
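Review bot: Both `lib.filterAttrs (n: v: n != "LANGUAGE")` calls drop that key without saying why; a short comment would save the next reader a lookup, e.g. `# LANGUAGE is a colon-separated priority list, not a locale name, so it cannot become a supportedLocales entry`. The `replaceStrings` normalisation is case-sensitive, so a spelling such as `en_US.Utf8` would pass through as `en_US.Utf8/UTF-8`; if such values can appear in user configs, lowercasing before the replacement (`lib.toLower`) would cover them. The `v` parameter in both lambdas is unused, so `(n: _: n != "LANGUAGE")` states that more clearly.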


@ -0,0 +1,3 @@
{...}: {
i18n.defaultLocale = "en_IE.UTF-8";
}


@ -0,0 +1,26 @@
{
lib,
pkgs,
config,
inputs,
...
}: {
options.host.nix-development.enable = lib.mkEnableOption "should desktop configuration be enabled";
config = lib.mkMerge [
{
host.nix-development.enable = lib.mkDefault true;
}
(lib.mkIf config.host.nix-development.enable {
nix = {
nixPath = ["nixpkgs=${inputs.nixpkgs}"];
};
environment.systemPackages = with pkgs; [
# nix language server
nil
# nix formatter
alejandra
];
})
];
}
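Review bot: The option description is copied from desktop.nix: `options.host.nix-development.enable = lib.mkEnableOption "should desktop configuration be enabled";` documents the wrong feature, and with `mkEnableOption`'s "Whether to enable" prefix it also reads ungrammatically. Suggest `lib.mkEnableOption "nix development tooling (nil, alejandra, nixpkgs on NIX_PATH)"`. Like the desktop module this defaults on through `lib.mkDefault true`, which installs the language server and formatter on every host; harmless, but a one-line comment saying that is intended would stop someone "fixing" it later.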


@ -0,0 +1,28 @@
{...}: {
nix = {
settings = {
experimental-features = ["nix-command" "flakes"];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
optimise = {
automatic = true;
dates = ["weekly"];
};
};
services = {
openssh = {
enable = true;
ports = [22];
settings = {
PasswordAuthentication = false;
UseDns = true;
X11Forwarding = false;
};
};
};
}
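Review bot: `PasswordAuthentication = false` alone does not turn off password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd then accepts the same password through PAM's keyboard-interactive method; add `KbdInteractiveAuthentication = false;` beside it. `UseDns = true` only matters for hostname-based `from=` restrictions in authorized_keys and otherwise just adds a reverse lookup to every login, so unless that is relied on I would drop it (the upstream default is no). `PermitRootLogin` is left at the NixOS default, which is `prohibit-password` and is fine for a key-only host, but stating `PermitRootLogin = "prohibit-password";` explicitly makes the intent visible to whoever reads this file next.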


@ -0,0 +1,340 @@
{
lib,
config,
inputs,
...
}: let
SOPS_AGE_KEY_DIRECTORY = import ../../const/sops_age_key_directory.nix;
host = config.host;
hostUsers = host.hostUsers;
principleUsers = host.principleUsers;
terminalUsers = host.terminalUsers;
# normalUsers = host.normalUsers;
uids = {
leyla = 1000;
ester = 1001;
eve = 1002;
jellyfin = 2000;
forgejo = 2002;
pihole = 2003;
hass = 2004;
headscale = 2005;
nextcloud = 2006;
};
gids = {
leyla = 1000;
ester = 1001;
eve = 1002;
users = 100;
jellyfin_media = 2001;
jellyfin = 2000;
forgejo = 2002;
pihole = 2003;
hass = 2004;
headscale = 2005;
nextcloud = 2006;
};
users = config.users.users;
leyla = users.leyla.name;
ester = users.ester.name;
eve = users.eve.name;
in {
options.host = {
users = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({
config,
name,
...
}: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = name;
description = ''
What should this users name on the system be
'';
defaultText = lib.literalExpression "config.host.users.\${name}.name";
};
isPrincipleUser = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
User should be configured as root and have ssh access
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isPrincipleUser";
};
isDesktopUser = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
User should install their desktop applications
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isDesktopUser";
};
isTerminalUser = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
User should install their terminal applications
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isTerminalUser";
};
isNormalUser = lib.mkOption {
type = lib.types.bool;
default = config.isDesktopUser || config.isTerminalUser;
description = ''
User should install their applications and can log in
'';
defaultText = lib.literalExpression "config.host.users.\${name}.isNormalUser";
};
};
}));
};
hostUsers = lib.mkOption {
default = lib.attrsets.mapAttrsToList (_: user: user) host.users;
};
principleUsers = lib.mkOption {
default = lib.lists.filter (user: user.isPrincipleUser) hostUsers;
};
normalUsers = lib.mkOption {
default = lib.lists.filter (user: user.isTerminalUser) hostUsers;
};
terminalUsers = lib.mkOption {
default = lib.lists.filter (user: user.isNormalUser) hostUsers;
};
};
config = {
assertions =
(
builtins.map (user: {
assertion = !(user.isPrincipleUser && !user.isNormalUser);
message = ''
Non normal user ${user.name} can not be a principle user.
'';
})
hostUsers
)
++ [
{
assertion = (builtins.length principleUsers) > 0;
message = ''
At least one user must be a principle user.
'';
}
];
# principle users are by definition trusted
nix.settings.trusted-users = builtins.map (user: user.name) principleUsers;
# we should only be able to ssh into principle users of a computer who are also set up for terminal access
services.openssh.settings.AllowUsers = builtins.map (user: user.name) (lib.lists.intersectLists terminalUsers principleUsers);
# we need to set up env variables to nix can find keys to decrypt passwords on rebuild
environment = {
sessionVariables = {
SOPS_AGE_KEY_DIRECTORY = SOPS_AGE_KEY_DIRECTORY;
SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
};
};
# set up user passwords
sops = {
defaultSopsFormat = "yaml";
gnupg.sshKeyPaths = [];
age = {
keyFile = "/var/lib/sops-nix/key.txt";
sshKeyPaths = [];
# generateKey = true;
};
secrets = {
"passwords/leyla" = {
neededForUsers = true;
sopsFile = "${inputs.secrets}/user-passwords.yaml";
};
"passwords/ester" = {
neededForUsers = true;
sopsFile = "${inputs.secrets}/user-passwords.yaml";
};
"passwords/eve" = {
neededForUsers = true;
sopsFile = "${inputs.secrets}/user-passwords.yaml";
};
};
};
users = {
mutableUsers = false;
users = {
leyla = {
uid = lib.mkForce uids.leyla;
name = lib.mkForce host.users.leyla.name;
description = "Leyla";
extraGroups =
(lib.lists.optionals host.users.leyla.isNormalUser ["networkmanager"])
++ (lib.lists.optionals host.users.leyla.isPrincipleUser ["wheel" "dialout"])
++ (lib.lists.optionals host.users.leyla.isDesktopUser ["adbusers"]);
hashedPasswordFile = config.sops.secrets."passwords/leyla".path;
isNormalUser = host.users.leyla.isNormalUser;
isSystemUser = !host.users.leyla.isNormalUser;
group = config.users.users.leyla.name;
};
ester = {
uid = lib.mkForce uids.ester;
name = lib.mkForce host.users.ester.name;
description = "Ester";
extraGroups = lib.optionals host.users.ester.isNormalUser ["networkmanager"];
hashedPasswordFile = config.sops.secrets."passwords/ester".path;
isNormalUser = host.users.ester.isNormalUser;
isSystemUser = !host.users.ester.isNormalUser;
group = config.users.users.ester.name;
};
eve = {
uid = lib.mkForce uids.eve;
name = lib.mkForce host.users.eve.name;
description = "Eve";
extraGroups = lib.optionals host.users.eve.isNormalUser ["networkmanager"];
hashedPasswordFile = config.sops.secrets."passwords/eve".path;
isNormalUser = host.users.eve.isNormalUser;
isSystemUser = !host.users.eve.isNormalUser;
group = config.users.users.eve.name;
};
jellyfin = {
uid = lib.mkForce uids.jellyfin;
isSystemUser = true;
group = config.users.users.jellyfin.name;
};
forgejo = {
uid = lib.mkForce uids.forgejo;
isSystemUser = true;
group = config.users.users.forgejo.name;
};
pihole = {
uid = lib.mkForce uids.pihole;
isSystemUser = true;
group = config.users.users.pihole.name;
};
hass = {
uid = lib.mkForce uids.hass;
isSystemUser = true;
group = config.users.users.hass.name;
};
headscale = {
uid = lib.mkForce uids.headscale;
isSystemUser = true;
group = config.users.users.headscale.name;
};
nextcloud = {
uid = lib.mkForce uids.nextcloud;
isSystemUser = true;
group = config.users.users.nextcloud.name;
};
};
groups = {
leyla = {
gid = lib.mkForce gids.leyla;
members = [
leyla
];
};
ester = {
gid = lib.mkForce gids.ester;
members = [
ester
];
};
eve = {
gid = lib.mkForce gids.eve;
members = [
eve
];
};
users = {
gid = lib.mkForce gids.users;
members = [
leyla
ester
eve
];
};
jellyfin_media = {
gid = lib.mkForce gids.jellyfin_media;
members = [
users.jellyfin.name
leyla
ester
eve
];
};
jellyfin = {
gid = lib.mkForce gids.jellyfin;
members = [
users.jellyfin.name
# leyla
];
};
forgejo = {
gid = lib.mkForce gids.forgejo;
members = [
users.forgejo.name
# leyla
];
};
pihole = {
gid = lib.mkForce gids.pihole;
members = [
users.pihole.name
# leyla
];
};
hass = {
gid = lib.mkForce gids.hass;
members = [
users.hass.name
# leyla
];
};
headscale = {
gid = lib.mkForce gids.headscale;
members = [
users.headscale.name
# leyla
];
};
nextcloud = {
gid = lib.mkForce gids.nextcloud;
members = [
users.nextcloud.name
# leyla
];
};
};
};
};
}
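Review bot: The `normalUsers` and `terminalUsers` option defaults have their predicates swapped: `normalUsers` filters on `user.isTerminalUser` while `terminalUsers` filters on `user.isNormalUser`. Because `services.openssh.settings.AllowUsers` is built from `terminalUsers`, a principle user who is only a desktop user (isNormalUser true via isDesktopUser, isTerminalUser false) is currently allowed to ssh in, contrary to the comment above that line. The fix is the two filter lines: `default = lib.lists.filter (user: user.isNormalUser) hostUsers;` under `normalUsers` and `default = lib.lists.filter (user: user.isTerminalUser) hostUsers;` under `terminalUsers`. Also, `sops.age.keyFile` is hard-coded to `/var/lib/sops-nix/key.txt` while the exported `SOPS_AGE_KEY_FILE` is derived from `const/sops_age_key_directory.nix`; if that constant is anything other than `/var/lib/sops-nix`, rebuilds and interactive `sops` will look at different keys, so use `"${SOPS_AGE_KEY_DIRECTORY}/key.txt"` in both places.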