| author | Preston Pan <ret2pop@nullring.xyz> | 2026-03-01 23:51:02 -0800 |
|---|---|---|
| committer | Preston Pan <ret2pop@nullring.xyz> | 2026-03-01 23:51:02 -0800 |
| commit | a05e0614c1bb75f77717a943dc4ac75a0cca4652 (patch) | |
| tree | d52ddee9db6d6eabbafc73f04aa83f6bbcd7f0c5 /nix/modules/configuration.nix | |
| parent | 75439737613d86975856c4bff0a1257f58fd1b1f (diff) | |
add everything; add CI
Diffstat (limited to 'nix/modules/configuration.nix')
| -rw-r--r-- | nix/modules/configuration.nix | 375 |
1 files changed, 238 insertions, 137 deletions
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 564a8b1..bee737f 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -13,6 +13,13 @@ let "public-inbox" "plugdev" ]; + allDomains = + (lib.attrNames config.networking.domains.baseDomains) ++ + (lib.attrNames config.networking.domains.subDomains); + + # 2. Generate BOTH possible outcomes in advance + prodHosts = map (dom: "${config.monorepo.profiles.server.ipv4} ${dom}") allDomains; + vmHosts = map (dom: "127.0.0.1 ${dom}") allDomains; in { imports = [ @@ -46,8 +53,42 @@ in ]; environment.etc."wpa_supplicant.conf".text = '' -country=CA -''; + country=CA + ''; + systemd.tmpfiles.rules = [ + "d /srv/git 0755 git git -" + ]; + + zramSwap = lib.mkIf config.monorepo.profiles.desktop.enable { + enable = true; + algorithm = "zstd"; + memoryPercent = 50; + }; + + virtualisation.vmVariant = lib.mkIf config.monorepo.profiles.server.enable { + sops.validateSopsFiles = false; + disko.devices = lib.mkForce { }; + virtualisation.forwardPorts = [ + { from = "host"; host.port = 10443; guest.port = 443; } + { from = "host"; host.port = 9080; guest.port = 80; } + ]; + virtualisation.useNixStoreImage = false; + virtualisation.sharedDirectories.sops-keys = { + source = "/home/preston/.config/sops/age"; # Path to your host key + target = "/home/preston/.config/sops/age"; + }; + networking.extraHosts = lib.mkForce (lib.concatStringsSep "\n" vmHosts); + networking.defaultGateway = lib.mkForce null; + networking.interfaces."${config.monorepo.profiles.server.interface}".useDHCP = lib.mkForce true; + + fileSystems."/" = lib.mkForce { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + systemd.services.sops-nix = { + unitConfig.RequiresMountsFor = "/home/preston/.config/sops/age"; + }; + }; documentation = { enable = lib.mkDefault config.monorepo.profiles.documentation.enable; 
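Review bot: The comment `# 2. Generate BOTH possible outcomes in advance` above `prodHosts` numbers a step whose "1." does not exist anywhere in this `let` block, so a reader is left guessing what preceded it. Replace it with a comment that states the contract instead, e.g. `# /etc/hosts lines for every managed domain: real server address (prodHosts) or loopback for the VM variant (vmHosts)`. A short note on `allDomains` saying that `networking.domains.baseDomains` is populated further down in this same file would also help, since the producer and consumer are far apart.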
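Review bot: The two `virtualisation.forwardPorts` entries in `vmVariant` set only `host.port`, so `host.address` stays at its default and the QEMU forward is not restricted to the loopback address; since the same block shares the host's age key directory into the guest (`sharedDirectories.sops-keys`), that guest decrypts the real secrets and its 443/80 are reachable from other machines on 10443/9080 while the VM runs. Pin the forwards to loopback: `{ from = "host"; host.address = "127.0.0.1"; host.port = 10443; guest.port = 443; }` and likewise for 9080. The path `/home/preston/.config/sops/age` is also written three times (source, target, `RequiresMountsFor`); one `let` binding, ideally derived from `config.monorepo.vars`, would keep them from drifting apart. `sops.validateSopsFiles = false` deserves a one-line comment on why validation is skipped for the VM build, as it is the kind of setting that gets copied into a non-VM profile by accident.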
@@ -57,10 +98,23 @@ country=CA environment = { etc = { - securetty.text = '' - # /etc/securetty: list of terminals on which root is allowed to login. - # See securetty(5) and login(1). - ''; + securetty.text = '' + # /etc/securetty: list of terminals on which root is allowed to login. + # See securetty(5) and login(1). + ''; + }; + }; + + + systemd.network.enable = lib.mkDefault config.monorepo.profiles.server.enable; + systemd.network.networks."40-${config.monorepo.profiles.server.interface}" = lib.mkIf config.monorepo.profiles.server.enable { + matchConfig.Name = "${config.monorepo.profiles.server.interface}"; + networkConfig = { + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + }; + ipv6AcceptRAConfig = { + UseAutonomousPrefix = false; }; }; @@ -69,11 +123,11 @@ country=CA coredump.enable = false; network.config.networkConfig.IPv6PrivacyExtensions = "kernel"; tmpfiles.settings = { - "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; - }; + "restrictetcnixos"."/etc/nixos/*".Z = { + mode = "0000"; + user = "root"; + group = "root"; + }; }; }; 
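Review bot: The new `systemd.network.networks."40-<iface>"` unit enables networkd RA handling (`IPv6AcceptRA = true`, `UseAutonomousPrefix = false`) on the same interface that the later `kernel.sysctl` hunk configures with `net.ipv6.conf.<iface>.accept_ra = 1` and `autoconf = 0`, and that the `networking.interfaces` hunk gives static IPv4/IPv6 addresses through scripted networking. That looks like two RA processors (kernel and networkd) and two address managers on one interface; networkd normally takes over RA processing itself, so the kernel sysctls may be redundant or may fight it. Pick one mechanism — either `networking.useNetworkd = true` with the addresses in the networkd unit, or drop the `systemd.network` block and keep the kernel settings — and record the choice in a comment next to `systemd.network.enable`.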
@@ -85,41 +139,41 @@ country=CA }; extraModprobeConfig = '' - options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 - options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y - options rtw88_pci disable_msi=y disable_aspm=y - options rtw_core disable_lps_deep=y - options rtw_pci disable_msi=y disable_aspm=y - options rtw89_core disable_ps_mode=y - options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y - options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0 -''; + options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 + options rtw88_core disable_lps_deep=y power_save=0 disable_aspm_l1ss=y + options rtw88_pci disable_msi=y disable_aspm=y + options rtw_core disable_lps_deep=y + options rtw_pci disable_msi=y disable_aspm=y + options rtw89_core disable_ps_mode=y + options rtw89_pci disable_aspm_l1=y disable_aspm_l1ss=y disable_clkreq=y + options iwlwifi 11n_disable=8 uapsd_disable=1 bt_coex_active=0 disable_11ax=1 power_save=0 + ''; extraModulePackages = [ ]; initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" - ]; + availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" + ]; - kernelModules = [ ]; + kernelModules = [ ]; }; lanzaboote = { - enable = config.monorepo.profiles.secureBoot.enable; - pkiBundle = "/var/lib/sbctl"; + enable = config.monorepo.profiles.secureBoot.enable; + pkiBundle = "/var/lib/sbctl"; }; loader = { - systemd-boot.enable = lib.mkForce ((! config.monorepo.profiles.grub.enable) && (! config.monorepo.profiles.secureBoot.enable)); - efi.canTouchEfiVariables = lib.mkForce (! config.monorepo.profiles.grub.enable); + systemd-boot.enable = lib.mkForce ((! config.monorepo.profiles.grub.enable) && (! config.monorepo.profiles.secureBoot.enable)); + efi.canTouchEfiVariables = lib.mkForce (! 
config.monorepo.profiles.grub.enable); }; kernelModules = [ 
@@ -144,93 +198,138 @@ country=CA "usbcore.autosuspend=-1" "pcie_aspm=off" "pci=noaer" - # "debugfs=off" - "page_alloc.shuffle=1" - "slab_nomerge" - # "page_poison=1" + # "debugfs=off" + "page_alloc.shuffle=1" + "slab_nomerge" + # "page_poison=1" - # madaidan - "pti=on" - "randomize_kstack_offset=on" - "vsyscall=none" - # "lockdown=confidentiality" + # madaidan + "pti=on" + "randomize_kstack_offset=on" + "vsyscall=none" + # "lockdown=confidentiality" - # cpu - "spectre_v2=on" - "spec_store_bypass_disable=on" - "tsx=off" - "l1tf=full,force" - "kvm.nx_huge_pages=force" + # cpu + "spectre_v2=on" + "spec_store_bypass_disable=on" + "tsx=off" + "l1tf=full,force" + "kvm.nx_huge_pages=force" - # hardened - "extra_latent_entropy" + # hardened + "extra_latent_entropy" - # mineral - # "init_on_alloc=1" - # "random.trust_bootloader=off" - # "init_on_free=1" - "quiet" - # "loglevel=0" + # mineral + # "init_on_alloc=1" + # "random.trust_bootloader=off" + # "init_on_free=1" + "quiet" + # "loglevel=0" ]; blacklistedKernelModules = [ - "netrom" - "rose" + "netrom" + "rose" - "adfs" - "affs" - "bfs" - "befs" - "cramfs" - "efs" - "erofs" - "exofs" - "freevxfs" - "f2fs" - "hfs" - "hpfs" - "jfs" - "minix" - "nilfs2" - "ntfs" - "omfs" - "qnx4" - "qnx6" - "sysv" - "ufs" + "adfs" + "affs" + "bfs" + "befs" + "cramfs" + "efs" + "erofs" + "exofs" + "freevxfs" + "f2fs" + "hfs" + "hpfs" + "jfs" + "minix" + "nilfs2" + "ntfs" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" ]; - kernel.sysctl = { - "kernel.ftrace_enabled" = false; - "net.core.bpf_jit_enable" = false; - "kernel.kptr_restrict" = 2; + kernel.sysctl = + if config.monorepo.profiles.server.enable then { + "net.ipv6.conf.${config.monorepo.profiles.server.interface}.autoconf" = 0; + "net.ipv6.conf.${config.monorepo.profiles.server.interface}.accept_ra" = 1; + } else { + "kernel.ftrace_enabled" = false; + "net.core.bpf_jit_enable" = false; + "kernel.kptr_restrict" = 2; - # madaidan - "kernel.smtcontrol" = "on"; - "vm.swappiness" = 1; - 
"vm.unprivileged_userfaultfd" = 0; - "dev.tty.ldisc_autoload" = 0; - "kernel.kexec_load_disabled" = 1; - "kernel.sysrq" = 4; - "kernel.perf_event_paranoid" = 3; + # madaidan + "kernel.smtcontrol" = "on"; + "vm.swappiness" = 1; + "vm.unprivileged_userfaultfd" = 0; + "dev.tty.ldisc_autoload" = 0; + "kernel.kexec_load_disabled" = 1; + "kernel.sysrq" = 4; + "kernel.perf_event_paranoid" = 3; - # net - "net.ipv4.ip_forward" = 1; - "net.ipv4.icmp_echo_ignore_broadcasts" = true; - # "net.ipv4.conf.all.accept_redirects" = false; - # "net.ipv4.conf.all.secure_redirects" = false; - # "net.ipv4.conf.default.accept_redirects" = false; - # "net.ipv4.conf.default.secure_redirects" = false; - # "net.ipv6.conf.all.accept_redirects" = false; - # "net.ipv6.conf.default.accept_redirects" = false; - }; + # net + "net.ipv4.ip_forward" = 1; + "net.ipv4.icmp_echo_ignore_broadcasts" = true; + # "net.ipv4.conf.all.accept_redirects" = false; + # "net.ipv4.conf.all.secure_redirects" = false; + # "net.ipv4.conf.default.accept_redirects" = false; + # "net.ipv4.conf.default.secure_redirects" = false; + # "net.ipv6.conf.all.accept_redirects" = false; + # "net.ipv6.conf.default.accept_redirects" = false; + }; }; networking = { - nameservers = [ "8.8.8.8" "1.1.1.1"]; + interfaces = lib.mkIf config.monorepo.profiles.server.enable { + "${config.monorepo.profiles.server.interface}" = { + ipv4.addresses = [ + { + address = config.monorepo.profiles.server.ipv4; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = config.monorepo.profiles.server.ipv6; + prefixLength = 64; + } + ]; + useDHCP = lib.mkForce false; + }; + }; + + defaultGateway = lib.mkIf config.monorepo.profiles.server.enable config.monorepo.profiles.server.gateway; + useDHCP = false; + tempAddresses = lib.mkIf config.monorepo.profiles.server.enable "disabled"; + extraHosts = lib.mkIf config.monorepo.profiles.server.enable (lib.concatStringsSep "\n" prodHosts); + + domains = lib.mkIf config.monorepo.profiles.server.enable { + 
enable = true; + baseDomains = { + "${config.monorepo.vars.remoteHost}" = { + a.data = config.monorepo.profiles.server.ipv4; + aaaa.data = config.monorepo.profiles.server.ipv6; + }; + "${config.monorepo.vars.orgHost}" = { + a.data = config.monorepo.profiles.server.ipv4; + aaaa.data = config.monorepo.profiles.server.ipv6; + txt = { + data = "v=spf1 ip4:${config.monorepo.profiles.server.ipv4} ip6:${config.monorepo.profiles.server.ipv6} -all"; + }; + }; + }; + }; + + + nameservers = [ "8.8.8.8" "1.1.1.1" ]; dhcpcd.enable = (! config.monorepo.profiles.server.enable); networkmanager = { - enable = true; + enable = lib.mkForce (! config.monorepo.profiles.server.enable); # rpis need network wifi = { powersave = false; }; @@ -270,8 +369,8 @@ country=CA }; }; firewall = { - allowedTCPPorts = [ 22 11434 ]; - allowedUDPPorts = [ ]; + allowedTCPPorts = [ 22 11434 ]; + allowedUDPPorts = [ ]; }; }; @@ -282,8 +381,8 @@ country=CA graphics.enable = ! config.monorepo.profiles.ttyonly.enable; bluetooth = { - enable = lib.mkDefault (! config.monorepo.profiles.ttyonly.enable); - powerOnBoot = lib.mkDefault (! config.monorepo.profiles.ttyonly.enable); + enable = lib.mkDefault config.monorepo.profiles.desktop.enable; + powerOnBoot = lib.mkDefault config.monorepo.profiles.desktop.enable; }; }; @@ -304,11 +403,12 @@ country=CA # Misc. udev = { extraRules = ''''; - packages = if config.monorepo.profiles.workstation.enable then with pkgs; [ - platformio-core - platformio-core.udev - openocd - ] else []; + packages = + if config.monorepo.profiles.workstation.enable then with pkgs; [ + platformio-core + platformio-core.udev + openocd + ] else [ ]; }; printing.enable = lib.mkDefault config.monorepo.profiles.workstation.enable; @@ -333,7 +433,7 @@ country=CA security = { acme = { acceptTerms = true; - defaults.email = "ret2pop@gmail.com"; + defaults.email = "${config.monorepo.vars.internetName}@gmail.com"; }; apparmor = { enable = true; 
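Review bot: The rewritten `kernel.sysctl` is an `if config.monorepo.profiles.server.enable then … else …`, so on a server the entire hardening set (`kernel.kptr_restrict`, `kernel.kexec_load_disabled`, `kernel.sysrq`, `kernel.perf_event_paranoid`, `kernel.ftrace_enabled`, `net.core.bpf_jit_enable`, `dev.tty.ldisc_autoload`, `vm.unprivileged_userfaultfd`, `kernel.smtcontrol`) reverts to kernel defaults and only the two IPv6 RA sysctls remain — the internet-facing host ends up less hardened than the desktop. If the intent was to add the IPv6 settings for servers rather than replace everything, merge instead of branching: `kernel.sysctl = lib.optionalAttrs config.monorepo.profiles.server.enable {` as the first line and `} // {` in place of `} else {`, leaving both bodies unchanged. `net.ipv4.ip_forward = 1` also moves into the non-server branch; if the server hosts containers that is probably a regression, otherwise a comment saying forwarding is intentionally desktop-only would stop the next reader from putting it back. The hunk's `networking.domains` block does not appear to be a stock NixOS option, so a pointer to the module that defines it would help whoever maintains this next.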
@@ -377,16 +477,16 @@ country=CA xdg-desktop-portal-gtk xdg-desktop-portal xdg-desktop-portal-hyprland - ] else []; + ] else [ ]; config.common.default = "*"; }; environment.etc."gitconfig".text = '' - [init] - defaultBranch = main + [init] + defaultBranch = main ''; environment.extraInit = '' - umask 0022 + umask 0022 ''; environment.systemPackages = with pkgs; [ restic @@ -400,31 +500,32 @@ country=CA exiftool (writeShellScriptBin "new-repo" '' - #!/bin/bash - cd ${config.users.users.git.home} - git init --bare "$1" - vim "$1/description" - chown -R git:git "$1" - '' + #!/bin/bash + cd ${config.users.users.git.home} + git init --bare "$1" + vim "$1/description" + chown -R git:git "$1" + '' ) ]; - users.groups = lib.genAttrs userGroups (name: lib.mkDefault {}); + users.groups = lib.genAttrs userGroups (name: lib.mkDefault { }); - users.users = lib.genAttrs userGroups (name: { - isSystemUser = lib.mkDefault true; - group = "${name}"; - extraGroups = [ "acme" "nginx" ]; - }) // { + users.users = lib.genAttrs userGroups + (name: { + isSystemUser = lib.mkDefault true; + group = "${name}"; + extraGroups = [ "acme" "nginx" ]; + }) // { conduit = { isSystemUser = lib.mkDefault true; group = "conduit"; - extraGroups = []; + extraGroups = [ ]; }; matterbridge = { isSystemUser = lib.mkDefault true; group = "matterbridge"; - extraGroups = []; + extraGroups = [ ]; }; public-inbox = { @@ -439,7 +540,7 @@ country=CA group = "ircd"; home = "/home/ircd"; }; - + nginx = { group = "nginx"; isSystemUser = lib.mkDefault true; @@ -472,7 +573,7 @@ country=CA description = config.monorepo.vars.fullName; extraGroups = [ "networkmanager" "wheel" "video" "docker" "jackaudio" "tss" "dialout" "docker" "plugdev" ]; shell = pkgs.zsh; - packages = []; + packages = [ ]; }; }; @@ -486,7 +587,7 @@ country=CA keep-outputs = true; keep-derivations = true; auto-optimise-store = true; - max-jobs = 4; + max-jobs = 4; cores = 0; substituters = [ "https://cache.nixos-cuda.org" |
