author | Preston Pan <ret2pop@gmail.com> | 2025-02-03 02:59:16 -0800 |
---|---|---|
committer | Preston Pan <ret2pop@gmail.com> | 2025-02-03 02:59:16 -0800 |
commit | d6efefc1d9e6b9fd515c5cb5f2a077e05caeaab7 (patch) | |
tree | 16228e6842ade232308754c7b55fff3f46b4205f /config/nix.org | |
parent | 9e4f938d03c72bdcd81b020ab5276b969023a7e3 (diff) |
update nixos configuration to have ssh key for live iso; new journal entry
Diffstat (limited to 'config/nix.org')
-rw-r--r-- | config/nix.org | 506 |
1 files changed, 262 insertions, 244 deletions
diff --git a/config/nix.org b/config/nix.org index eb6672a..d224180 100644 --- a/config/nix.org +++ b/config/nix.org @@ -25,18 +25,18 @@ so that adding new configurations that add modifications is made simple. nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; home-manager = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; }; disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; }; lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.1"; - inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/lanzaboote/v0.4.1"; + inputs.nixpkgs.follows = "nixpkgs"; }; nur.url = "github:nix-community/NUR"; 
@@ -48,55 +48,55 @@ so that adding new configurations that add modifications is made simple. outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: { nixosConfigurations = { - installer = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ( - { pkgs, modulesPath, ... }: - { - imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; - } - ) - ./systems/installer/default.nix - ]; - }; - - continuity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = [ - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops - { nixpkgs.overlays = [ nur.overlays.default ]; } - { home-manager.extraSpecialArgs = attrs; } - - ./modules/sda-simple.nix - ./systems/continuity/default.nix - ]; - }; - - affinity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = [ - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops - { nixpkgs.overlays = [ nur.overlays.default ]; } - { home-manager.extraSpecialArgs = attrs; } - ./modules/nvme-simple.nix - ./systems/affinity/default.nix - ]; - }; - - spontaneity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; - }; + installer = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ( + { pkgs, modulesPath, ... 
}: + { + imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; + } + ) + ./systems/installer/default.nix + ]; + }; + + continuity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } + + ./modules/sda-simple.nix + ./systems/continuity/default.nix + ]; + }; + + affinity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } + ./modules/nvme-simple.nix + ./systems/affinity/default.nix + ]; + }; + + spontaneity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = []; + }; }; }; } @@ -535,10 +535,10 @@ because they enhance security. environment = { etc = { - securetty.text = '' - # /etc/securetty: list of terminals on which root is allowed to login. - # See securetty(5) and login(1). - ''; + securetty.text = '' + # /etc/securetty: list of terminals on which root is allowed to login. + # See securetty(5) and login(1). + ''; }; }; @@ -546,13 +546,13 @@ because they enhance security. coredump.enable = false; network.config.networkConfig.IPv6PrivacyExtensions = "kernel"; tmpfiles.settings = { - "restricthome"."/home/*".Z.mode = "~0700"; + "restricthome"."/home/*".Z.mode = "~0700"; - "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; - }; + "restrictetcnixos"."/etc/nixos/*".Z = { + mode = "0000"; + user = "root"; + group = "root"; + }; }; }; 
@@ -561,126 +561,126 @@ because they enhance security. extraModulePackages = [ ]; initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" - ]; - - kernelModules = [ ]; + availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" + ]; + + kernelModules = [ ]; }; lanzaboote = { - enable = config.monorepo.profiles.secureBoot.enable; - pkiBundle = "/etc/secureboot"; + enable = config.monorepo.profiles.secureBoot.enable; + pkiBundle = "/etc/secureboot"; }; loader = { - systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); - efi.canTouchEfiVariables = true; + systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); + efi.canTouchEfiVariables = true; }; kernelModules = [ - "snd-seq" - "snd-rawmidi" - "xhci_hcd" - "kvm_intel" + "snd-seq" + "snd-rawmidi" + "xhci_hcd" + "kvm_intel" ]; kernelParams = [ - "debugfs=off" - "page_alloc.shuffle=1" - "slab_nomerge" - "page_poison=1" - - # madaidan - "pti=on" - "randomize_kstack_offset=on" - "vsyscall=none" - "module.sig_enforce=1" - "lockdown=confidentiality" - - # cpu - "spectre_v2=on" - "spec_store_bypass_disable=on" - "tsx=off" - "tsx_async_abort=full,nosmt" - "mds=full,nosmt" - "l1tf=full,force" - "nosmt=force" - "kvm.nx_huge_pages=force" - - # hardened - "extra_latent_entropy" - - # mineral - "init_on_alloc=1" - "random.trust_cpu=off" - "random.trust_bootloader=off" - "intel_iommu=on" - "amd_iommu=force_isolation" - "iommu=force" - "iommu.strict=1" - "init_on_free=1" - "quiet" - "loglevel=0" + "debugfs=off" + "page_alloc.shuffle=1" + "slab_nomerge" + "page_poison=1" + + # madaidan + "pti=on" + "randomize_kstack_offset=on" + "vsyscall=none" + "module.sig_enforce=1" + "lockdown=confidentiality" + + # cpu + "spectre_v2=on" + "spec_store_bypass_disable=on" + "tsx=off" + "tsx_async_abort=full,nosmt" + 
"mds=full,nosmt" + "l1tf=full,force" + "nosmt=force" + "kvm.nx_huge_pages=force" + + # hardened + "extra_latent_entropy" + + # mineral + "init_on_alloc=1" + "random.trust_cpu=off" + "random.trust_bootloader=off" + "intel_iommu=on" + "amd_iommu=force_isolation" + "iommu=force" + "iommu.strict=1" + "init_on_free=1" + "quiet" + "loglevel=0" ]; blacklistedKernelModules = [ - "netrom" - "rose" - - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "ntfs" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" + "netrom" + "rose" + + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "ntfs" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" ]; kernel.sysctl = { - "kernel.ftrace_enabled" = false; - "net.core.bpf_jit_enable" = false; - "kernel.kptr_restrict" = 2; - - # madaidan - "vm.swappiness" = 1; - "vm.unprivileged_userfaultfd" = 0; - "dev.tty.ldisc_autoload" = 0; - "kernel.kexec_load_disabled" = 1; - "kernel.sysrq" = 4; - "kernel.perf_event_paranoid" = 3; - - # net - "net.ipv4.icmp_echo_ignore_broadcasts" = true; - - "net.ipv4.conf.all.accept_redirects" = false; - "net.ipv4.conf.all.secure_redirects" = false; - "net.ipv4.conf.default.accept_redirects" = false; - "net.ipv4.conf.default.secure_redirects" = false; - "net.ipv6.conf.all.accept_redirects" = false; - "net.ipv6.conf.default.accept_redirects" = false; + "kernel.ftrace_enabled" = false; + "net.core.bpf_jit_enable" = false; + "kernel.kptr_restrict" = 2; + + # madaidan + "vm.swappiness" = 1; + "vm.unprivileged_userfaultfd" = 0; + "dev.tty.ldisc_autoload" = 0; + "kernel.kexec_load_disabled" = 1; + "kernel.sysrq" = 4; + "kernel.perf_event_paranoid" = 3; + + # net + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + + "net.ipv4.conf.all.accept_redirects" = false; + "net.ipv4.conf.all.secure_redirects" = false; + "net.ipv4.conf.default.accept_redirects" = 
false; + "net.ipv4.conf.default.secure_redirects" = false; + "net.ipv6.conf.all.accept_redirects" = false; + "net.ipv6.conf.default.accept_redirects" = false; }; }; @@ -688,12 +688,12 @@ because they enhance security. useDHCP = lib.mkDefault true; hostName = config.monorepo.vars.hostName; networkmanager = { - enable = true; - # wifi.macAddress = ""; + enable = true; + # wifi.macAddress = ""; }; firewall = { - allowedTCPPorts = [ ]; - allowedUDPPorts = [ ]; + allowedTCPPorts = [ 11434 ]; + allowedUDPPorts = [ ]; }; }; @@ -704,16 +704,16 @@ because they enhance security. pulseaudio.enable = ! config.monorepo.profiles.pipewire.enable; bluetooth = { - enable = true; - powerOnBoot = true; + enable = true; + powerOnBoot = true; }; }; services = { chrony = { - enable = true; - enableNTS = true; - servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; + enable = true; + enableNTS = true; + servers = [ "time.cloudflare.com" "ptbtime1.ptb.de" "ptbtime2.ptb.de" ]; }; jitterentropy-rngd.enable = true; @@ -726,12 +726,12 @@ because they enhance security. # Misc. udev = { - extraRules = ''''; - packages = with pkgs; [ - platformio-core - platformio-core.udev - openocd - ]; + extraRules = ''''; + packages = with pkgs; [ + platformio-core + platformio-core.udev + openocd + ]; }; printing.enable = true; 
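Review bot: The base firewall now opens TCP 11434 on every interface, and this module is shared by every host that imports it, so the port is reachable from any network the machine joins (networkmanager and bluetooth are enabled in the same file). 11434 is the default listen port of the Ollama API, which has no authentication of its own, so if that is what this is for the change exposes an unauthenticated model-serving endpoint; the hunk carries no comment saying why the port is opened or for whom. Prefer scoping it to the interface or host that needs it, e.g. `firewall.interfaces."<iface>".allowedTCPPorts = [ 11434 ];` in that host's own module, and keep the base module at `allowedTCPPorts = [ ];`. At minimum add `# 11434: <service> API — reachable from any network this host joins` above the line so the next reader knows it is intentional.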
@@ -748,20 +748,20 @@ because they enhance security. nixpkgs = { hostPlatform = lib.mkDefault "x86_64-linux"; config = { - allowUnfree = true; - cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; + allowUnfree = true; + cudaSupport = lib.mkDefault config.monorepo.profiles.cuda.enable; }; }; security = { apparmor = { - enable = true; - killUnconfinedConfinables = true; + enable = true; + killUnconfinedConfinables = true; }; pam.loginLimits = [ - { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } - { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } + { domain = "*"; item = "nofile"; type = "-"; value = "32768"; } + { domain = "*"; item = "memlock"; type = "-"; value = "32768"; } ]; rtkit.enable = true; @@ -771,9 +771,9 @@ because they enhance security. forcePageTableIsolation = true; tpm2 = { - enable = true; - pkcs11.enable = true; - tctiEnvironment.enable = true; + enable = true; + pkcs11.enable = true; + tctiEnvironment.enable = true; }; auditd.enable = true; @@ -786,9 +786,9 @@ because they enhance security. enable = true; wlr.enable = true; extraPortals = with pkgs; [ - xdg-desktop-portal-gtk - xdg-desktop-portal - xdg-desktop-portal-hyprland + xdg-desktop-portal-gtk + xdg-desktop-portal + xdg-desktop-portal-hyprland ]; config.common.default = "*"; }; 
@@ -803,21 +803,21 @@ because they enhance security. users.users = { root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch" ]; git = { - isSystemUser = true; - home = "/srv/git"; - shell = "${pkgs.git}/bin/git-shell"; + isSystemUser = true; + home = "/srv/git"; + shell = "${pkgs.git}/bin/git-shell"; }; "${config.monorepo.vars.userName}" = { - initialPassword = "${config.monorepo.vars.userName}"; - isNormalUser = true; - description = config.monorepo.vars.fullName; - extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; - shell = pkgs.zsh; - packages = []; + initialPassword = "${config.monorepo.vars.userName}"; + isNormalUser = true; + description = config.monorepo.vars.fullName; + extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" ]; + shell = pkgs.zsh; + packages = []; }; }; 
@@ -2421,46 +2421,48 @@ A classic program that allows you to download from youtube. Also has integration My zsh config has some useful aliases that one should read through. Otherwise it is pretty standard. #+begin_src nix :tangle ../nix/modules/home/zsh.nix -{ lib, config, pkgs, ... }: -{ - programs.zsh = { - enable = true; - initExtra = '' - umask 0077 - export EXTRA_CCFLAGS="-I/usr/include" - source ${pkgs.zsh-vi-mode}/share/zsh-vi-mode/zsh-vi-mode.plugin.zsh - export QT_QPA_PLATFORM="wayland" - ''; + { lib, config, pkgs, ... }: + { + programs.zsh = { + enable = true; + initExtra = '' + umask 0077 + export EXTRA_CCFLAGS="-I/usr/include" + source ${pkgs.zsh-vi-mode}/share/zsh-vi-mode/zsh-vi-mode.plugin.zsh + export QT_QPA_PLATFORM="wayland" + ''; - localVariables = { - EDITOR = "emacsclient --create-frame --alternate-editor=vim"; - INPUT_METHOD = "fcitx"; - QT_IM_MODULE = "fcitx"; - GTK_IM_MODULE = "fcitx"; - XMODIFIERS = "@im=fcitx"; - XIM_SERVERS = "fcitx"; - WXSUPPRESS_SIZER_FLAGS_CHECK = "1"; - }; + localVariables = { + EDITOR = "emacsclient --create-frame --alternate-editor=vim"; + INPUT_METHOD = "fcitx"; + QT_IM_MODULE = "fcitx"; + GTK_IM_MODULE = "fcitx"; + XMODIFIERS = "@im=fcitx"; + XIM_SERVERS = "fcitx"; + WXSUPPRESS_SIZER_FLAGS_CHECK = "1"; + }; - shellAliases = { - c = "clear"; - g = "git"; - v = "vim"; - py = "python3"; - rb = "sudo nixos-rebuild switch --flake .#continuity"; - nfu = "cd ~/monorepo/nix && git add . 
&& git commit -m \"new flake lock\" && nix flake update"; - usite - = "cd ~/monorepo/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/monorepo/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${config.monorepo.vars.remoteHost}:/usr/share/nginx/ret2pop/"; - sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l"; - i3 = "exec ${pkgs.i3-gaps}/bin/i3"; + shellAliases = { + c = "clear"; + g = "git"; + v = "vim"; + py = "python3"; + rb = "sudo nixos-rebuild switch --flake .#continuity"; + rba = "sudo nixos-rebuild switch --flake .#affinity"; + nfu = "cd ~/monorepo/nix && git add . && git commit -m \"new flake lock\" && nix flake update"; + usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@nullring.xyz:/usr/share/nginx/ret2pop/"; + usite + = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${config.monorepo.vars.remoteHost}:/usr/share/nginx/ret2pop/"; + sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l"; + i3 = "exec ${pkgs.i3-gaps}/bin/i3"; + }; + loginExtra = '' + if [[ "$(tty)" = "/dev/tty1" ]]; then + exec Hyprland + fi + ''; }; - loginExtra = '' - if [[ "$(tty)" = "/dev/tty1" ]]; then - exec Hyprland - fi - ''; - }; -} + } #+end_src *** User This configuration is the backbone configuration for the default user. It specifies some 
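Review bot: The new `usync` alias hard-codes `root@nullring.xyz` as the rsync target while the `usite` alias on the next line takes the host from `${config.monorepo.vars.remoteHost}`; the two will silently diverge the moment that variable changes. Use the same variable here: `usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${config.monorepo.vars.remoteHost}:/usr/share/nginx/ret2pop/";`. Both aliases also deploy as `root` over SSH, so the key loaded by `sai` grants full control of the web host; a dedicated deploy user owning `/usr/share/nginx/ret2pop/` would be the usual least-privilege arrangement, though whether the remote host allows that is not visible here. The `programs.zsh` block is fully inside the hunk, so nothing outside it needs to change.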
@@ -2480,6 +2482,9 @@ for these configurations. if [ ! -d /home/${config.monorepo.vars.userName}/org ]; then mkdir -p /home/${config.monorepo.vars.userName}/org fi + if [ ! -d /home/${config.monorepo.vars.userName}/src ]; then + mkdir -p /home/${config.monorepo.vars.userName}/src + fi touch /home/${config.monorepo.vars.userName}/org/agenda.org touch /home/${config.monorepo.vars.userName}/org/notes.org ''; @@ -2600,7 +2605,7 @@ work deterministically. *** ISO Default Profile This contains the installation script I use to install my systems. #+begin_src nix :tangle ../nix/systems/installer/default.nix - { pkgs, config, ... }: + { pkgs, config, lib, ... }: let commits = import ./commits.nix; in @@ -2611,15 +2616,28 @@ This contains the installation script I use to install my systems. enable = true; }; firewall = { - allowedTCPPorts = [ ]; + allowedTCPPorts = [ 22 ]; allowedUDPPorts = [ ]; }; wireless.enable = false; }; + services.openssh = { + enable = true; + ports = [ 22 ]; + settings = { + PasswordAuthentication = true; + AllowUsers = null; + UseDns = true; + PermitRootLogin = lib.mkForce "prohibit-password"; + }; + }; users.extraUsers.root.password = "nixos"; users.extraUsers.nixos.password = "nixos"; users.users = { + root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell" + ]; nixos = { packages = with pkgs; [ git @@ -2637,7 +2655,7 @@ This contains the installation script I use to install my systems. ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui cd if [ ! -d "$HOME/monorepo/" ]; then - git clone --recurse-submodules https://git.nullring.xyz/monorepo.git + git clone https://git.nullring.xyz/monorepo.git cd monorepo git checkout "${commits.monorepoCommitHash}" fi |
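Review bot: The installer now runs sshd with `PasswordAuthentication = true;` while the two lines below it keep the well-known `nixos`/`nixos` and `root`/`nixos` passwords, so anyone on the same network as a booting live ISO can log in as `nixos` with the default password; `prohibit-password` only protects the root account, and the commit title says the goal was key-based access. Turn password logins off and rely on the key this hunk adds: `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;`, and restrict logins to the keyed account with `AllowUsers = [ "root" ];` instead of `null`. `UseDns = true;` only adds a reverse lookup on every connection and no security, so it can be dropped, and the explicit `allowedTCPPorts = [ 22 ]` is redundant if `services.openssh.openFirewall` is left at its default, though that default is not shown here. On the stock installer image the `nixos` user is, as far as I recall, a wheel member with passwordless sudo, which would make the password login equivalent to root — worth confirming against the imported `installation-cd-minimal.nix`.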