Initial commit.

This commit is contained in:
Nolan Darilek 2024-12-18 18:19:37 -06:00
commit 67823cbed6
51 changed files with 1714 additions and 0 deletions

.gitignore vendored Normal file

@ -0,0 +1,2 @@
*.iso
result

base.nix Normal file

@ -0,0 +1,21 @@
{ pkgs, ... }:
{
services.openssh.enable = true;
security.sudo.wheelNeedsPassword = false;
users.mutableUsers = false;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
file
vim
curl
wget
git
git-crypt
tmux
psmisc
];
environment.variables.EDITOR = "vim";
}
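Review bot: `security.sudo.wheelNeedsPassword = false;` turns every wheel member into a passwordless root on all three hosts that import this file (hosts/flynode, hosts/hub, hosts/nixbox), so on the SSH-reachable hub a compromised user key or session is already root with no further check. Drop the line to keep the NixOS default, or, if passwordless sudo is needed for one workflow, grant it narrowly with `security.sudo.extraRules` for that user and command set. Either way a one-line comment stating why it is relaxed would help the next reader, since the rest of this file (`users.mutableUsers = false`) leans the other way.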

boot-iso.sh Executable file

@ -0,0 +1,3 @@
#!/bin/sh
qemu-system-x86_64 -nographic -smp 4 -m 2048 -audiodev pa,id=Sound -device intel-hda -device hda-output,audiodev=Sound -cdrom result/iso/nixos-*.iso

espeakup.nix Normal file

@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.espeakup;
inherit (lib)
mkEnableOption
mkIf
mkPackageOption
mkOption
types
;
in
{
options.services.espeakup = {
enable = mkEnableOption "Espeakup screen reader";
package = mkPackageOption pkgs "espeakup" { };
defaultVoice = mkOption {
type = types.str;
default = "en-gb";
description = "Default voice for espeakup";
};
};
config = mkIf cfg.enable {
boot.kernelModules = [ "speakup_soft" ];
systemd.packages = [ pkgs.espeakup ];
systemd.services.espeakup = {
wantedBy = [ "sound.target" ];
environment = {
default_voice = cfg.defaultVoice;
};
serviceConfig = {
ExecStartPre = "";
};
};
};
}
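Review bot: `systemd.packages = [ pkgs.espeakup ];` ignores the `package` option declared a few lines above it, so `services.espeakup.package` is accepted but never used; change it to `systemd.packages = [ cfg.package ];`. The blanked `ExecStartPre = "";` and the `speakup_soft` module line would each benefit from a short comment saying what in the upstream unit they are working around, since nothing here explains it.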

flake.lock generated Normal file

@ -0,0 +1,298 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1733951536,
"narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1733861262,
"narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-24_05": {
"locked": {
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgsUnstable": {
"locked": {
"lastModified": 1733759999,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733808091,
"narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1717602782,
"narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager_2",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
"nixpkgsUnstable": "nixpkgsUnstable",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_3",
"nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils"
},
"locked": {
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-24.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

flake.nix Normal file

@ -0,0 +1,102 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
};
outputs =
{
nixpkgs,
nixpkgsUnstable,
home-manager,
nixos-hardware,
agenix,
simple-nixos-mailserver,
...
}:
let
system = "x86_64-linux";
overlayUnstable = final: prev: {
unstable = import nixpkgsUnstable {
inherit system;
config.allowUnfree = true;
};
};
in
{
nixosConfigurations = {
nixbox = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
{
environment.systemPackages = [ agenix.packages.${system}.default ];
}
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = [ overlayUnstable ];
}
)
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
./hosts/nixbox
];
};
flynode = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
{
environment.systemPackages = [ agenix.packages.${system}.default ];
}
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = [ overlayUnstable ];
}
)
nixos-hardware.nixosModules.lenovo-thinkpad-z13-gen1
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
./hosts/flynode
];
};
thewordnerd = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
{
environment.systemPackages = [ agenix.packages.${system}.default ];
}
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = [ overlayUnstable ];
}
)
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
simple-nixos-mailserver.nixosModule
./hosts/hub
];
};
};
};
}
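Review bot: The `agenix` input has no `inputs.nixpkgs.follows`, and flake.lock shows the cost: it locks its own `nixpkgs` (nixos-unstable, lastModified 1703013332) and a second `home-manager`, so the agenix module and package are evaluated against a year-old tree instead of the 24.11 pin the rest of the system uses; change it to `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`. `simple-nixos-mailserver` is in the same situation (`nixpkgs_3` in the lock) and additionally tracks `nixos-24.05` against a 24.11 nixpkgs, so a `follows` there and a matching release branch, if one exists, is worth checking. On style, the three `nixosSystem` calls repeat the same five modules; a small helper removes the duplication and makes the per-host differences (the ThinkPad hardware module, the mailserver module) stand out.
```nix
    let
      system = "x86_64-linux";
      # … unchanged: overlayUnstable …
      # Modules shared by every host; per-host extras are appended by mkHost's caller.
      commonModules = [
        agenix.nixosModules.default
        { environment.systemPackages = [ agenix.packages.${system}.default ]; }
        { nixpkgs.overlays = [ overlayUnstable ]; }
        home-manager.nixosModules.home-manager
        {
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;
        }
      ];
      mkHost = extraModules: nixpkgs.lib.nixosSystem {
        inherit system;
        modules = commonModules ++ extraModules;
      };
    in
    {
      nixosConfigurations = {
        nixbox = mkHost [ ./hosts/nixbox ];
        flynode = mkHost [
          nixos-hardware.nixosModules.lenovo-thinkpad-z13-gen1
          ./hosts/flynode
        ];
        thewordnerd = mkHost [
          simple-nixos-mailserver.nixosModule
          ./hosts/hub
        ];
      };
    };
```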

hosts/flynode/default.nix Normal file

@ -0,0 +1,69 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
imports = [
./hardware-configuration.nix
../../roles/zfs.nix
../../base.nix
../../users/root.nix
../../users/nolan/desktop.nix
../../roles/espeakup.nix
../../roles/networkmanager.nix
../../roles/nix-ld.nix
../../roles/tailscale.nix
../../roles/podman.nix
../../roles/mate.nix
../../roles/flatpak.nix
../../roles/games.nix
];
boot.loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
efiInstallAsRemovable = true;
mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot";
}
];
};
networking = {
hostName = "flynode";
hostId = "9dfa34d8";
};
time.timeZone = "America/Chicago";
i18n.defaultLocale = "en_US.UTF-8";
console.keyMap = "us";
# Enable the Flakes feature and the accompanying new nix command-line tool
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}
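Review bot: `nix.settings.experimental-features`, `time.timeZone`, `i18n.defaultLocale` and `console.keyMap` are repeated verbatim in hosts/hub/default.nix and hosts/nixbox/default.nix; moving those four settings into base.nix, which all three hosts already import, leaves each host file with only what is host-specific. The `boot.loader.grub` block is likewise identical between flynode and hub and could live in roles/zfs.nix, which both import, if that file is where the ZFS boot setup belongs. Nothing here changes behaviour; it is purely about keeping the per-host files short.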


@ -0,0 +1,55 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zpool/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "zpool/nix";
fsType = "zfs";
};
fileSystems."/var" =
{ device = "zpool/var";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "zpool/home";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0642-E087";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c9a2faf8-4e35-4946-a70f-c84d0fa359df"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

hosts/hub/apps/dev.nix Normal file

@ -0,0 +1,84 @@
{
services = {
postgresql = {
ensureDatabases = [ "dev" ];
ensureUsers = [
{
name = "dev";
ensureDBOwnership = true;
}
];
};
authelia.instances.main.settings.access_control.rules = [
{
domain = "dev.thewordnerd.info";
policy = "bypass";
}
];
};
containers.dev = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.0.1";
localAddress = "192.168.0.2";
config =
{
config,
pkgs,
lib,
...
}:
{
services.gitea = {
enable = true;
appName = "Nolan's projects";
settings = {
server = {
ROOT_URL = "https://dev.thewordnerd.info";
DOMAIN = "dev.thewordnerd.info";
DISABLE_SSH = true;
LANDING_PAGE = "explore";
};
service = {
DISABLE_REGISTRATION = true;
# ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
# ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
};
security = {
REVERSE_PROXY_AUTHENTICATION_USER = "Remote-User";
REVERSE_PROXY_AUTHENTICATION_EMAIL = "Remote-Email";
REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "Remote-Name";
REVERSE_PROXY_TRUSTED_PROXIES = "192.168.0.0/24";
};
};
lfs.enable = true;
database = {
type = "postgres";
name = "dev";
user = "dev";
socket = "/run/postgresql";
createDatabase = false;
};
};
networking = {
firewall.allowedTCPPorts = [ 3000 ];
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
bindMounts = {
"/run/postgresql/.s.PGSQL.5432" = {
hostPath = "/run/postgresql/.s.PGSQL.5432";
};
};
};
services.caddy.virtualHosts."dev.thewordnerd.info".extraConfig = ''
forward_auth localhost:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy dev:3000
'';
}
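Review bot: The Authelia rule `policy = "bypass"` for dev.thewordnerd.info means the Caddy `forward_auth` block on this host lets every request through without authentication, so the only thing protecting Gitea is its own login; that is fine today because `ENABLE_REVERSE_PROXY_AUTHENTICATION` is commented out, but the `security.REVERSE_PROXY_*` settings are already in place, and enabling those two lines later while the bypass rule remains would pair Gitea's trust in `Remote-User` with an auth step that never identifies anyone. When that is switched on, change the rule to `policy = "one_factor";` and narrow `REVERSE_PROXY_TRUSTED_PROXIES = "192.168.0.0/24";` to the host address `"192.168.0.1"`, since the /24 also covers every other container on the bridge (nextcloud is 192.168.0.3). A comment next to the two commented-out lines noting that dependency would stop the settings drifting apart.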


@ -0,0 +1,72 @@
{
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.0.1";
localAddress = "192.168.0.3";
config =
{
config,
pkgs,
lib,
...
}:
{
environment.etc."nextcloud-admin-pass".text = "admin";
nixpkgs.config.allowUnfree = true;
services = {
nextcloud = {
enable = true;
hostName = "nextcloud.thewordnerd.info";
package = pkgs.nextcloud30;
configureRedis = true;
maxUploadSize = "16G";
autoUpdateApps.enable = true;
notify_push.enable = true;
webfinger = true;
settings = {
overwriteprotocol = "https";
trusted_proxies = [ "192.168.0.1" ];
default_phone_region = "US";
};
config = {
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminpassFile = "/etc/nextcloud-admin-pass";
};
};
onlyoffice = {
enable = true;
hostname = "onlyoffice.thewordnerd.info";
};
resolved.enable = true;
};
networking = {
firewall.allowedTCPPorts = [ 80 ];
useHostResolvConf = lib.mkForce false;
};
virtualisation.podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
};
};
bindMounts = {
"/run/postgresql/.s.PGSQL.5432" = {
hostPath = "/run/postgresql/.s.PGSQL.5432";
};
};
};
services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud'';
}
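Review bot: `environment.etc."nextcloud-admin-pass".text = "admin";` places the Nextcloud admin password in the world-readable Nix store and in the container's /etc as a literal, and `adminpassFile` points at it, so the initial admin account is created with the password `admin` behind a public vhost. This host already manages secrets with agenix (`age.secrets.*` in hosts/hub/default.nix and roles/authelia.nix); add an age secret for the admin password and expose its path to the container as `adminpassFile` instead, or at minimum document that the password must be changed in the Nextcloud UI right after first boot. `trusted_proxies = [ "192.168.0.1" ]` and `firewall.allowedTCPPorts = [ 80 ]` inside the container are consistent with the bridge layout.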

hosts/hub/default.nix Normal file

@ -0,0 +1,137 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, ... }:
{
imports = [
./hardware-configuration.nix
../../roles/zfs.nix
../../base.nix
../../users/root.nix
../../roles/tailscale.nix
../../roles/lldap.nix
../../roles/authelia.nix
../../roles/podman.nix
../../roles/minio.nix
../../roles/caddy.nix
../../roles/vscode-remote.nix
../../roles/postgres.nix
./apps/dev.nix
./apps/nextcloud.nix
];
boot.loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
efiInstallAsRemovable = true;
mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot";
}
];
};
networking = {
hostName = "thewordnerd";
hostId = "91312b0a";
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp5s0";
enableIPv6 = true;
};
};
services.openssh.openFirewall = false;
time.timeZone = "America/Chicago";
i18n.defaultLocale = "en_US.UTF-8";
console.keyMap = "us";
# Enable the Flakes feature and the accompanying new nix command-line tool
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
age.secrets.cloudflareApi.file = ../../secrets/cloudflare_api.age;
security.acme = {
acceptTerms = true;
defaults.email = "nolan@thewordnerd.info";
certs."thewordnerd.info" = {
domain = "*.thewordnerd.info";
dnsProvider = "cloudflare";
environmentFile = config.age.secrets.cloudflareApi.path;
};
certs."hub.thewordnerd.info" = {
dnsProvider = "cloudflare";
environmentFile = config.age.secrets.cloudflareApi.path;
};
};
age.secrets.ldap.file = ../../secrets/ldap.age;
mailserver = {
enable = true;
fqdn = "thewordnerd.info";
domains = [
"thewordnerd.info"
"lightsout.games"
];
ldap = {
enable = true;
uris = [ "ldap://localhost:3890" ];
bind = {
dn = "uid=service,ou=people,dc=thewordnerd,dc=info";
passwordFile = config.age.secrets.ldap.path;
};
searchBase = "ou=people,dc=thewordnerd,dc=info";
};
certificateScheme = "acme";
enableManageSieve = true;
fullTextSearch = {
enable = true;
# index new email as they arrive
autoIndex = true;
# this only applies to plain text attachments, binary attachments are never indexed
indexAttachments = true;
enforced = "body";
};
};
services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
''reverse_proxy localhost:17170'';
services.caddy.virtualHosts."auth.thewordnerd.info".extraConfig = ''
reverse_proxy localhost:9091
'';
services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
file_server
root * /var/www/thewordnerd.info
header /.well-known/matrix/* content-type application/json
'';
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
}
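Review bot: `age.secrets.ldap` is assembled from two files — the `.file` here and `mode = "440"; group = "authelia-main";` in roles/authelia.nix — and the same path is then handed to `mailserver.ldap.bind.passwordFile`. Whether the mailserver's LDAP reader runs in the `authelia-main` group is not visible here, so this may fail with a permission error at runtime; either declare the secret once in this file with a comment listing its consumers, or give each consumer its own secret file. The `certs."hub.thewordnerd.info"` entry looks redundant with the `*.thewordnerd.info` wildcard above it unless something needs a non-wildcard certificate; a short comment would settle that.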


@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zpool/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "zpool/nix";
fsType = "zfs";
};
fileSystems."/var" =
{ device = "zpool/var";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "zpool/home";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8ADD-D5B1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

hosts/nixbox/default.nix Normal file

@ -0,0 +1,64 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
imports = [
./hardware-configuration.nix
../../base.nix
../../users/root.nix
../../users/nolan/desktop-minimal.nix
../../roles/espeakup.nix
../../roles/networkmanager.nix
../../roles/tailscale.nix
../../roles/minio.nix
../../roles/vscode-remote.nix
../../roles/mate.nix
../../roles/media-pc.nix
];
services.minio = {
enable = true;
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "nixbox";
time.timeZone = "America/Chicago";
i18n.defaultLocale = "en_US.UTF-8";
console.keyMap = "us";
# Enable the Flakes feature and the accompanying new nix command-line tool
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
services.mediaPC = {
enable = true;
autoLoginUser = "nolan";
};
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}
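Review bot: `services.minio = { enable = true; };` duplicates roles/minio.nix, which this file already imports and which sets the same option, so the block can be dropped. More importantly, neither place sets `services.minio.rootCredentialsFile`; unless it is supplied in a file outside this commit, the module falls back (as far as I recall) to MinIO's documented default root credentials, on a machine that is also on tailscale and runs a desktop session, so an agenix secret wired into `rootCredentialsFile` — the pattern hosts/hub already uses for its other services — would close that. hosts/hub/default.nix imports roles/minio.nix too and has the same gap.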


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a0df6959-f878-48d0-aabe-5f46915c1921";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7EEE-698D";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp89s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

iso.nix Normal file

@ -0,0 +1,37 @@
{ config, pkgs, ... }:
{
imports = [
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
# Provide an initial copy of the NixOS channel so that the user
# doesn't need to run "nix-channel --update" first.
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
./espeakup.nix
];
# Added to support `-nographic` for text console access via qemu
boot.kernelParams = [ "console=ttyS0,115200" ];
# System-wide Pipewire for Espeakup
sound.enable = true;
services.pipewire = {
enable = true;
systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
services.espeakup.enable = true;
# Set up SSH access
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9 id_rsa"
];
# Not sure if this does anything, but may make the system easier to find on
# the network
services.avahi.enable = true;
}
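Review bot: make-iso.sh builds this with `nix-build '<nixpkgs/nixos>'` and the imports use `<nixpkgs/...>` angle-bracket paths, so the installer image comes from whatever channel is on NIX_PATH rather than the nixpkgs locked in flake.lock, and the legacy `sound.enable` line (the `sound` options were dropped from recent NixOS releases, as far as I recall — confirm against the channel in use) will succeed or fail depending on that channel. Building the ISO as a flake output, with `installation-cd-minimal.nix` taken from the locked `nixpkgs`, would pin it alongside the hosts. The root authorized key plus `sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]` means anyone holding that private key is root on a booted installer; a comment recording that the image is meant for local qemu use (per boot-iso.sh) would make that intent explicit.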

make-iso.sh Executable file

@ -0,0 +1,3 @@
#!/bin/sh
nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix

roles/authelia.nix Normal file

@ -0,0 +1,110 @@
{ config, ... }:
{
age.secrets = {
ldap = {
mode = "440";
group = "authelia-main";
};
jwt = {
file = ../secrets/jwt.age;
owner = "authelia-main";
group = "authelia-main";
mode = "440";
};
autheliaSession = {
file = ../secrets/authelia_session.age;
owner = "authelia-main";
group = "authelia-main";
mode = "440";
};
autheliaStorageEncryptionKey = {
file = ../secrets/authelia_storage.age;
owner = "authelia-main";
group = "authelia-main";
mode = "440";
};
};
services = {
postgresql = {
ensureDatabases = [ "authelia" ];
ensureUsers = [
{
name = "authelia";
ensureDBOwnership = true;
}
];
};
authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.age.secrets.jwt.path;
sessionSecretFile = config.age.secrets.autheliaSession.path;
storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryptionKey.path;
};
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.ldap.path;
};
settings = {
authentication_backend = {
password_reset.disable = false;
refresh_interval = "1m";
ldap = {
implementation = "custom";
address = "ldap://localhost:3890";
timeout = "5s";
start_tls = false;
base_dn = "dc=thewordnerd,dc=info";
additional_users_dn = "ou=people";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
additional_groups_dn = "ou=groups";
groups_filter = "(member={dn})";
user = "uid=service,ou=people,dc=thewordnerd,dc=info";
attributes = {
username = "uid";
display_name = "displayName";
group_name = "cn";
mail = "mail";
};
};
};
storage = {
postgres = {
address = "/run/postgresql";
database = "authelia";
username = "authelia";
password = "trusted";
};
};
access_control = {
rules = [
{
domain = "*.thewordnerd.info";
policy = "one_factor";
}
];
};
session = {
cookies = [
{
domain = "thewordnerd.info";
authelia_url = "https://auth.thewordnerd.info";
}
];
};
notifier = {
filesystem = {
filename = "/tmp/authelia.txt";
};
};
server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
};
};
caddy.globalConfig = ''
servers {
trusted_proxies static 192.168.0.1
}
'';
};
}
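Review bot: `notifier.filesystem.filename = "/tmp/authelia.txt"` combined with `password_reset.disable = false` means password-reset and identity-verification links are written to a file in the shared /tmp instead of being delivered to the user, so anyone who can read that file can complete a reset for any account. Until an SMTP notifier is configured (this host already runs a mail server), set `password_reset.disable = true;` and add a comment that the filesystem notifier is a stop-gap. `storage.postgres.password = "trusted"` is a literal in the Nix store; if the unix-socket `address` relies on peer authentication the value is inert, which deserves a comment, otherwise it belongs in an age secret like the other three.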

roles/caddy.nix Normal file

@ -0,0 +1,10 @@
{
services.caddy = {
enable = true;
email = "nolan@thewordnerd.info";
};
networking.firewall.allowedTCPPorts = [
80
443
];
}

roles/espeakup.nix Normal file

@ -0,0 +1,5 @@
{
imports = [ ../espeakup.nix ];
services.espeakup.enable = true;
}

roles/flatpak.nix Normal file

@ -0,0 +1,7 @@
{
services.flatpak.enable = true;
xdg.portal.enable = true;
environment.profileRelativeSessionVariables.PATH = [
"$HOME/.local/share/flatpak/exports/bin"
];
}

roles/games.nix Normal file

@ -0,0 +1,18 @@
{ pkgs, ... }:
{
imports = [
./nix-ld.nix
];
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
};
environment.systemPackages = with pkgs; [
steam-tui
steamcmd
];
}

roles/gnome.nix Normal file

@ -0,0 +1,19 @@
{ pkgs, ... }:
{
imports = [
./gui.nix
];
services = {
xserver.desktopManager.gnome.enable = true;
gnome.gnome-browser-connector.enable = true;
};
programs.gnome-terminal.enable = true;
environment.gnome.excludePackages = with pkgs; [
gnome-console
gnome-tour
];
}

roles/gui.nix Normal file

@ -0,0 +1,35 @@
{ pkgs, ... }:
{
imports = [
./pipewire.nix
./non-virtual.nix
];
services = {
orca = {
enable = true;
package = pkgs.unstable.orca;
};
xserver = {
enable = true;
xkb.layout = "us";
displayManager.lightdm = {
enable = true;
greeters.gtk = {
extraConfig = ''
a11y-states = +reader
reader = orca
'';
};
};
excludePackages = [ pkgs.xterm ];
};
};
users.users.lightdm.extraGroups = [
"pipewire"
"pulse-access"
];
}

roles/k3s.nix Normal file

@ -0,0 +1,26 @@
{ config, pkgs, ... }:
{
networking.firewall = {
allowedTCPPorts = [
6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
];
# allowedUDPPorts = [
# 8472 # k3s, flannel: required if using multi-node for inter-node networking
# ];
};
services.k3s = {
enable = true;
role = "server";
};
environment.systemPackages = [ pkgs.nfs-utils ];
services.openiscsi = {
enable = true;
name = "${config.networking.hostName}-initiatorhost";
};
systemd.tmpfiles.rules = [
"L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
];
}
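Review bot: `allowedTCPPorts = [ 6443 ]` opens the k3s API server on every interface, including the `ve-+` container bridge and any externally facing NIC, whereas the other roles in this commit scope ports with `networking.firewall.interfaces.<name>`; since every host imports roles/tailscale.nix, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 6443 ];` would limit operator access to the mesh, with the CNI interface added only if pods actually reach the API through the host address (worth verifying before narrowing). The tmpfiles rule `L+ /usr/local/bin - - - - /run/current-system/sw/bin/` replaces /usr/local/bin with a symlink to the whole system profile, which is surprising enough to deserve a comment naming the k3s component that needs it. No host in this commit imports this role yet.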

roles/lldap.nix Normal file

@ -0,0 +1,25 @@
{
services = {
postgresql = {
ensureDatabases = [ "lldap" ];
ensureUsers = [
{
name = "lldap";
ensureDBOwnership = true;
}
];
};
lldap = {
enable = true;
settings = {
ldap_user_email = "nolan@thewordnerd.info";
ldap_base_dn = "dc=thewordnerd,dc=info";
http_url = "https://users.thewordnerd.info";
database_url = "postgres://lldap@localhost/lldap";
};
};
};
networking.firewall.interfaces."ve-+".allowedTCPPorts = [
3890
];
}
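Review bot: No source for lldap's JWT secret or admin password is set here — neither `services.lldap.environment` with `LLDAP_JWT_SECRET_FILE` / `LLDAP_LDAP_USER_PASS_FILE` nor the matching `settings` entries — so unless another file in the tree supplies them, lldap runs with its built-in default admin password and JWT secret, and its web UI is published at users.thewordnerd.info by hosts/hub/default.nix. Wire both to age secrets the way roles/authelia.nix does for its own keys, e.g. `services.lldap.environment.LLDAP_JWT_SECRET_FILE = config.age.secrets.lldapJwt.path;` (secret name is a placeholder; the module header would also need `{ config, ... }:`). Opening 3890 on `ve-+` is plaintext LDAP to the container bridge, the same trust boundary as the postgres socket bind mounts, but a comment naming which container consumes it would help, since dev.nix and nextcloud.nix don't appear to.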

roles/mate.nix Normal file

@ -0,0 +1,19 @@
{ pkgs, ... }:
{
imports = [
./gui.nix
];
hardware.bluetooth.enable = true;
services = {
xserver.desktopManager.mate.enable = true;
blueman.enable = true;
};
programs.nm-applet = {
enable = true;
indicator = false;
};
}

roles/media-pc.nix Normal file

@ -0,0 +1,18 @@
{ config, lib, ... }:
{
options.services.mediaPC = {
enable = lib.mkEnableOption "Media PC";
autoLoginUser = lib.mkOption {
type = lib.types.str;
description = "User to autologin as";
};
};
config = lib.mkIf config.services.mediaPC.enable {
programs.firefox = {
enable = true;
# package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
};
};
}
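Review bot: `autoLoginUser` is declared at L1425 but nothing inside the `config` block reads it, so setting it has no effect on the system; either wire it to the display manager's auto-login option inside the `mkIf`, `services.displayManager.autoLogin.user = config.services.mediaPC.autoLoginUser;` (the option path varies by NixOS release — older ones keep it under `services.xserver.displayManager`), or drop the option until it is used. The commented-out Firefox override at L1433 references `pkgs`, which this module does not take in its argument set, so un-commenting it as written would fail to evaluate.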

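--- a/roles/minio.nix
+++ b/roles/minio.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+services.minio.enable = true;
+environment.systemPackages = with pkgs; [ minio-client ];
+}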
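Review bot: `services.minio.enable = true` at L1445 is set without `rootCredentialsFile`, and nothing else in this section supplies root credentials; as far as I recall MinIO then starts with its built-in default root user and password, usable by anyone who can reach the API or console port. Unless the credentials are provided by a file outside this section, point the service at an agenix secret, `services.minio.rootCredentialsFile = config.age.secrets.<minio-secret>.path;` (placeholder secret name), and bind the listeners to a trusted interface; the argument set would need `config` added for that.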

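--- a/roles/networkmanager.nix
+++ b/roles/networkmanager.nix
@@ -0,0 +1,3 @@
+{
+networking.networkmanager.enable = true;
+}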

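--- a/roles/nginx.nix
+++ b/roles/nginx.nix
@@ -0,0 +1,17 @@
+{
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+};
+security.acme = {
+acceptTerms = true;
+defaults.email = "nolan@thewordnerd.info";
+};
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+}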

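--- a/roles/nix-ld.nix
+++ b/roles/nix-ld.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+programs.nix-ld = {
+enable = true;
+package = pkgs.nix-ld-rs;
+};
+}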

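--- a/roles/non-virtual.nix
+++ b/roles/non-virtual.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+usbutils
+pciutils
+];
+}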

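--- a/roles/pipewire.nix
+++ b/roles/pipewire.nix
@@ -0,0 +1,14 @@
+{
+hardware.pulseaudio.enable = false;
+security.rtkit.enable = true;
+services.pipewire = {
+enable = true;
+systemWide = true;
+alsa.enable = true;
+alsa.support32Bit = true;
+pulse.enable = true;
+jack.enable = true;
+};
+}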
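Review bot: `systemWide = true` at L1517 runs PipeWire as a system service and gates audio on the `pipewire`/`pulse-access` group memberships this commit hands to the lightdm and nolan users, a mode that upstream, as far as I recall, documents as discouraged for desktop machines; without a comment saying why it is wanted here, a later cleanup is likely to flip it back and silently break the setup. Given the LightDM greeter in this commit is configured to start a screen reader, presumably the greeter needs audio before any user session exists, and `# system-wide so the greeter's screen reader has audio before login` would record that.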

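--- a/roles/podman.nix
+++ b/roles/podman.nix
@@ -0,0 +1,7 @@
+{
+virtualisation.podman = {
+enable = true;
+dockerCompat = true;
+dockerSocket.enable = true;
+};
+}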

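--- a/roles/portunus.nix
+++ b/roles/portunus.nix
@@ -0,0 +1,14 @@
+{
+services = {
+portunus = {
+enable = true;
+domain = "users.thewordnerd.info";
+ldap = {
+suffix = "dc=thewordnerd,dc=info";
+};
+};
+};
+networking.firewall.interfaces."ve-+".allowedTCPPorts = [
+389
+];
+}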

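--- a/roles/postgres.nix
+++ b/roles/postgres.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+services.postgresql = {
+enable = true;
+identMap = ''
+# ArbitraryMapName systemUser DBUser
+superuser_map root postgres
+superuser_map postgres postgres
+# Let other names login as themselves
+superuser_map /^(.*)$ \1
+'';
+authentication = pkgs.lib.mkOverride 10 ''
+local all postgres peer map=superuser_map
+local sameuser all trust
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust
+'';
+};
+}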
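Review bot: The two `host all all … trust` lines at L1577–L1578 let any process that can open a loopback TCP connection authenticate as any database role, including `postgres`, with no credential, and `local sameuser all trust` at L1576 extends that to any local account connecting to a database named after a role, which on this host includes the lldap database holding the directory's password hashes. lldap.nix connects with `postgres://lldap@localhost/lldap`, which as far as I can tell goes over TCP, so it is the loopback trust lines the deployment actually depends on and tightening needs a matching change there: `local sameuser all peer` for the socket line, `scram-sha-256` on the host lines with a password supplied from an agenix secret, or pointing lldap at the Unix socket so peer authentication applies. A comment on the `mkOverride 10` stating that it deliberately replaces the module's generated entries rather than appending to them would also help.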

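--- a/roles/tailscale.nix
+++ b/roles/tailscale.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+{
+services.tailscale.enable = true;
+}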
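Review bot: `config`, `lib` and `pkgs` at L1588 are all unused in this module; `{ ... }:` is sufficient and avoids suggesting a dependency that does not exist.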

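--- a/roles/traefik.nix
+++ b/roles/traefik.nix
@@ -0,0 +1,39 @@
+{ config, ... }:
+{
+services.traefik = {
+enable = true;
+staticConfigOptions = {
+providers = {
+docker = { };
+};
+entryPoints = {
+web = {
+address = ":80";
+asDefault = true;
+http.redirections.entrypoint = {
+to = "websecure";
+scheme = "https";
+};
+};
+websecure = {
+address = ":443";
+asDefault = true;
+http.tls.certResolver = "letsencrypt";
+};
+};
+certificatesResolvers.letsencrypt.acme = {
+email = "nolan@thewordnerd.info";
+storage = "${config.services.traefik.dataDir}/acme.json";
+httpChallenge.entryPoint = "web";
+};
+};
+};
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+users.users.traefik.extraGroups = [ "podman" ];
+}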
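Review bot: `providers.docker = { }` at L1604 leaves Traefik's `exposedByDefault` at its default of true, so every container visible on the socket is published without opting in; `providers.docker.exposedByDefault = false;` plus a `traefik.enable=true` label on the containers that should be routed makes exposure explicit. The same section adds the `traefik` user to the `podman` group at L1632 while podman.nix enables `dockerSocket` for that group, which hands the internet-facing proxy socket access that is equivalent to root on the container host; a read-only socket proxy between Traefik and podman would confine the blast radius of a proxy compromise. Either way a comment is warranted, e.g. `# podman group membership gives the docker provider socket access; the socket is root-equivalent`.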

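--- a/roles/vscode-remote.nix
+++ b/roles/vscode-remote.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+imports = [
+./nix-ld.nix
+];
+environment.systemPackages = with pkgs; [
+nil
+nixfmt-rfc-style
+];
+}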

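--- a/roles/zfs.nix
+++ b/roles/zfs.nix
@@ -0,0 +1,27 @@
+{
+services.zfs.autoScrub.enable = true;
+services.sanoid = {
+enable = true;
+templates.backup = {
+hourly = 36;
+daily = 30;
+monthly = 12;
+yearly = 1;
+autoprune = true;
+autosnap = true;
+};
+datasets."zpool/root" = {
+useTemplate = [ "backup" ];
+};
+datasets."zpool/home" = {
+useTemplate = [ "backup" ];
+};
+datasets."zpool/var" = {
+useTemplate = [ "backup" ];
+};
+};
+}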


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 5X7MKw K1n77De40xbtpteiDbcEGDI2pxp7yXE5gCRfMIqfpR0
j0aimYoTMmi6fvF9q8czuWcxf1GDHy1C7w9F3JFjQ+8
--- 0+nNt0VIn4aaFh8l5bDDgDcYzFk3d7VRPdnUWemrofA
?…¦—PÈ¡"ÓxkÕFEÚTÕHÔüX<C3BC>T>w¡¦.df[EÊ*Óq Úšˆ•3¬ü[<5B>o³÷p§KXž‡™€A0Õ


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 5X7MKw UUTkDtqwfmdl0Ac7qFKrMYbTpD6V9l+WpvqR0PrWEE4
6uQTrBqGVG7qvRpJ4tQFBL4p3fLqs/4jAdAG21bzFJw
--- JD9/tI+EThIt3exh4MFyhYhmuBdLpQFe7Y1KqJD4euo
c)øÜhTÉ2mU<ãžÈÞ#л<C390>° ³|-q<>³PpÆWF<E2809A>©".¢ Û€É^QKGbÝU~†àbó

BIN
secrets/cloudflare_api.age Normal file

Binary file not shown.

6
secrets/jwt.age Normal file

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 5X7MKw QqTrVxbTZn4qYGBYiBy1YtLGbgOWQ+Jz6s/uY7vfrDY
y70KrtxpcydHq44puJ+vlyHerrw2sOzGegEaEZmHo2E
--- K9qJiVT5wv9b4H3p19wDsboH9plQi+0r2yHATfYDaes
¾Ý' ;ÅØÌ ‡ÎÇ`
¼ƒ <07>•-uûëñàDÞ¦˜g™<14>G]GÉ«˜mXíßè¹9š!„Ì^ÑuÉÔõµÁ”€a^ß#$y

5
secrets/ldap.age Normal file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 5X7MKw 28VQn9+R9TgBPlelo6l0EiA2bSE7nZ9/PwnkIZmJE28
6Q5VK2vfBj6/mOo50sADbT1518foTU9bKvUIoN1B4iY
--- tDmsyfEmqI3MTv+68SqOudje1QppvOL8foHTLgJIh5M
Gn÷Àçb”^§CÞØ—!EZ®<5A>ýžhgÙàW€· <0C>ƒ<{j%œ€_夿ä i/ÓVŒ}™õ<08>ål,%1ê*êÓ

5
secrets/nolan.age Normal file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 WXu6hQ xPIs0RMmg8qzbe5u0fkmd52vwUWtPFbp8OT+PWKfBmk
AlgW3FNZMZZKQP2WBxBtkz/fkn7D36jH6RQqQqPTFLQ
--- Fbjl6JMOoyxErJQ2vxx/JiZyjMK7aoWFqIH3WMZxbrk
>2ïïæ”ø÷[\R!ùìVlC/v5iFbšN´É‡oí}tÏ\|ñ0F;·2{í¥ÏõqúÁp2£Ð•í¯*žéŠB.JAÙCŸ‰Äöñ7?Þ ‡¨Ûy%óäÂxÚ 

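--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,16 @@
+let
+nolan = "ssh-rsa
+AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9
+id_rsa";
+nixbox = "ssh-ed25519
+AAAAC3NzaC1lZDI1NTE5AAAAIPChjQ4PCvOkknZitrMS89GVjyxIbb/TPfczOWZ+rY6C";
+hub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHygBPmz5T8IH/D60CiA5mOlKFTtYnk8JaK6cB+RJ4rk";
+in
+{
+"nolan.age".publicKeys = [ nixbox ];
+"ldap.age".publicKeys = [ hub ];
+"jwt.age".publicKeys = [ hub ];
+"authelia_session.age".publicKeys = [ hub ];
+"authelia_storage.age".publicKeys = [ hub ];
+"cloudflare_api.age".publicKeys = [ hub ];
+}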
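Review bot: The `nolan` and `nixbox` strings at L1743–L1747 are split across lines, so the Nix values contain embedded newlines; unless that is an artifact of the page rendering (the section's line count suggests it is not), age will not accept them as recipients and rekeying the file keyed on `nixbox` will fail. Each key belongs on one line, `nixbox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPChjQ4PCvOkknZitrMS89GVjyxIbb/TPfczOWZ+rY6C";`. `nolan` is bound but never referenced in the attribute set, and the same public key is repeated verbatim in users/nolan/default.nix; one shared definition that both files import keeps the copies from drifting when the key is rotated.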

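--- a/users/nolan/default.nix
+++ b/users/nolan/default.nix
@@ -0,0 +1,37 @@
+{
+users.users.nolan = {
+description = "Nolan Darilek";
+isNormalUser = true;
+openssh.authorizedKeys.keys = [
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9 id_rsa"
+];
+extraGroups = [
+"wheel"
+"networkmanager"
+"pipewire"
+"pulse-access"
+];
+};
+home-manager.users.nolan = {
+home.stateVersion = "24.05";
+programs = {
+bash.enable = true;
+direnv = {
+enable = true;
+nix-direnv.enable = true;
+};
+git = {
+enable = true;
+lfs.enable = true;
+userName = "Nolan Darilek";
+userEmail = "nolan@thewordnerd.info";
+extraConfig = {
+pull = {
+rebase = true;
+};
+};
+};
+};
+};
+}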
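Review bot: The `ssh-rsa` key at L1769 is the same literal that secrets/secrets.nix binds as `nolan`, and together with the `wheel` membership at L1772 it is the credential that reaches administrative access on every host importing this file. Keeping a single source for the key (for example a `keys.nix` that both files import) means a rotation cannot leave a stale copy authorized somewhere, and since the same key also appears in users/root.nix, that file would draw from the same place.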


@ -0,0 +1,21 @@
{ pkgs, config, ... }:
{
imports = [ ./default.nix ];
age.secrets.nolan.file = ../../secrets/nolan.age;
users.users.nolan = {
hashedPasswordFile = config.age.secrets.nolan.path;
packages = with pkgs; [ wget ];
};
home-manager.users.nolan = {
programs = {
firefox = {
enable = true;
package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
};
};
};
}

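--- a/users/nolan/desktop.nix
+++ b/users/nolan/desktop.nix
@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+{
+imports = [ ./desktop-minimal.nix ];
+users.users.nolan = {
+packages = with pkgs; [
+keepassxc
+podman-desktop
+devpod
+unstable.fractal
+element-desktop
+discord
+spotify
+thunderbird
+slack
+zoom
+nil
+nixfmt-rfc-style
+];
+};
+programs.firefox.nativeMessagingHosts.gsconnect = true;
+programs.kdeconnect = {
+enable = true;
+package = pkgs.gnomeExtensions.gsconnect;
+};
+home-manager.users.nolan = {
+services = {
+kdeconnect = {
+enable = true;
+indicator = true;
+};
+nextcloud-client.enable = true;
+};
+programs = {
+git = {
+extraConfig = {
+credential.helper = "${pkgs.git.override { withLibsecret = true; }}/bin/git-credential-libsecret";
+};
+};
+obs-studio = {
+enable = true;
+plugins = with pkgs.obs-studio-plugins; [
+obs-pipewire-audio-capture
+];
+};
+vscode = {
+enable = true;
+package = pkgs.unstable.vscode.fhs;
+};
+};
+};
+}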
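Review bot: `unstable.fractal` at L1835 and `pkgs.unstable.vscode.fhs` at L1873 rely on an `unstable` attribute that nothing in this file defines, presumably an overlay set up elsewhere in the flake; a one-line comment at the first use, `# pkgs.unstable is provided by an overlay defined outside this file`, tells a reader where the attribute comes from and why these two packages track a different channel than the rest.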

7
users/root.nix Normal file

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9 id_rsa"
];
}