Diffstat (limited to 'nix')
-rw-r--r-- | nix/flake.nix | 69 | ||||
-rw-r--r-- | nix/modules/configuration.nix | 53 | ||||
-rw-r--r-- | nix/modules/cuda.nix | 9 | ||||
-rw-r--r-- | nix/modules/default.nix | 21 | ||||
-rw-r--r-- | nix/modules/dovecot.nix | 8 | ||||
-rw-r--r-- | nix/modules/git-daemon.nix | 9 | ||||
-rw-r--r-- | nix/modules/home/default.nix | 220 | ||||
-rw-r--r-- | nix/modules/i2pd.nix | 11 | ||||
-rw-r--r-- | nix/modules/nginx.nix | 47 | ||||
-rw-r--r-- | nix/modules/nvidia.nix | 21 | ||||
-rw-r--r-- | nix/modules/nvme-simple.nix | 35 | ||||
-rw-r--r-- | nix/modules/ollama.nix | 8 | ||||
-rw-r--r-- | nix/modules/postfix.nix | 8 | ||||
-rw-r--r-- | nix/modules/xserver.nix | 8 | ||||
-rw-r--r-- | nix/systems/affinity/default.nix | 13 |
15 files changed, 375 insertions, 165 deletions
diff --git a/nix/flake.nix b/nix/flake.nix index 2efc624..2420325 100644 --- a/nix/flake.nix +++ b/nix/flake.nix 
@@ -29,44 +29,53 @@ outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: { nixosConfigurations = { installer = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ( - { pkgs, modulesPath, ... }: - { - imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; - } - ) - ./systems/installer/default.nix - ]; + system = "x86_64-linux"; + modules = [ + ( + { pkgs, modulesPath, ... }: + { + imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") ]; + } + ) + ./systems/installer/default.nix + ]; }; continuity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = [ - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops - { nixpkgs.overlays = [ nur.overlays.default ]; } - { home-manager.extraSpecialArgs = attrs; } + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } - ./modules/sda-simple.nix - ./systems/continuity/default.nix - ]; + ./modules/sda-simple.nix + ./systems/continuity/default.nix + ]; }; - spontaneity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; + affinity = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops + { nixpkgs.overlays = [ nur.overlays.default ]; } + { home-manager.extraSpecialArgs = attrs; } + ./modules/nvme-simple.nix + ./systems/affinity/default.nix + ]; }; - affinity = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = attrs; - modules = []; + spontaneity = 
nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = attrs; + modules = []; }; }; }; diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 4387767..4f821e2 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -6,6 +6,14 @@ ./pipewire.nix ./tor.nix ./kubo.nix + ./nvidia.nix + ./cuda.nix + ./nginx.nix + ./git-daemon.nix + ./postfix.nix + ./dovecot.nix + ./ollama.nix + ./i2pd.nix ]; documentation = { @@ -17,9 +25,9 @@ environment = { etc = { securetty.text = '' - # /etc/securetty: list of terminals on which root is allowed to login. - # See securetty(5) and login(1). - ''; + # /etc/securetty: list of terminals on which root is allowed to login. + # See securetty(5) and login(1). + ''; }; }; @@ -30,9 +38,9 @@ "restricthome"."/home/*".Z.mode = "~0700"; "restrictetcnixos"."/etc/nixos/*".Z = { - mode = "0000"; - user = "root"; - group = "root"; + mode = "0000"; + user = "root"; + group = "root"; }; }; }; @@ -43,15 +51,15 @@ initrd = { availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "nvme" - "sd_mod" - "ehci_pci" - "rtsx_pci_sdmmc" - "usbhid" + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "nvme" + "sd_mod" + "ehci_pci" + "rtsx_pci_sdmmc" + "usbhid" ]; kernelModules = [ ]; @@ -66,7 +74,7 @@ systemd-boot.enable = lib.mkForce (! config.monorepo.profiles.secureBoot.enable); efi.canTouchEfiVariables = true; }; - + kernelModules = [ "snd-seq" "snd-rawmidi" @@ -209,9 +217,9 @@ udev = { extraRules = ''''; packages = with pkgs; [ - platformio-core - platformio-core.udev - openocd + platformio-core + platformio-core.udev + openocd ]; }; 
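Review bot: The new `affinity` entry repeats the six-module prelude of `continuity` verbatim (lanzaboote, disko, home-manager, sops-nix, the nur overlay and the `extraSpecialArgs` line) and differs only in the disko module and the system directory, so the two hosts will drift the next time one of them gains a module. A `let commonModules = [ … ]; in` above `nixosConfigurations` with `modules = commonModules ++ [ ./modules/nvme-simple.nix ./systems/affinity/default.nix ];` keeps them in step. `spontaneity` is left with `modules = [];`, which looks like a placeholder; a one-line comment saying so would stop a reader from assuming it is deployable. The enclosing `outputs` function starts before the hunk and ends after it.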
@@ -281,12 +289,17 @@ vim curl ]; - + users.users = { root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSshvS1N/42pH9Unp3Zj4gjqs9BXoin99oaFWYHXZDJ preston@preston-arch" ]; + git = { + isSystemUser = true; + home = "/srv/git"; + shell = "${pkgs.git}/bin/git-shell"; + }; "${config.monorepo.vars.userName}" = { initialPassword = "${config.monorepo.vars.userName}"; isNormalUser = true; diff --git a/nix/modules/cuda.nix b/nix/modules/cuda.nix new file mode 100644 index 0000000..0c90278 --- /dev/null +++ b/nix/modules/cuda.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + cudatoolkit + cudaPackages.cudnn + cudaPackages.libcublas + linuxPackages.nvidia_x11 + ]; +} diff --git a/nix/modules/default.nix b/nix/modules/default.nix index 9d06837..9cdd616 100644 --- a/nix/modules/default.nix +++ b/nix/modules/default.nix @@ -9,12 +9,13 @@ options = { monorepo = { profiles = { - cuda.enable = lib.mkEnableOption "Enables CUDA support"; - documentation.enable = lib.mkEnableOption "Enables documentation on system."; - secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; - pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; - tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; - home.enable = lib.mkEnableOption "Enables home user"; + cuda.enable = lib.mkEnableOption "Enables CUDA support"; + documentation.enable = lib.mkEnableOption "Enables documentation on system."; + secureBoot.enable = lib.mkEnableOption "Enables secure boot. See sbctl."; + pipewire.enable = lib.mkEnableOption "Enables pipewire low latency audio setup"; + tor.enable = lib.mkEnableOption "Enables tor along with torsocks"; + home.enable = lib.mkEnableOption "Enables home user"; + server.enable = lib.mkEnableOption "Enables server services"; }; }; }; 
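Review bot: The new `git` user has `isSystemUser = true` but no `group`, and NixOS refuses to evaluate a system user whose group is unset; the gitDaemon module supplies a `git` group when it is enabled, but on hosts where `server.enable` is false nothing does, so add `group = "git";` here together with `users.groups.git = { };`. Nothing creates `/srv/git` either — `createHome` is unset and git-daemon.nix points its `basePath` there — so set `createHome = true;` or add a `systemd.tmpfiles.rules` entry owned by `git`. With `git-shell` as the login shell, any push over SSH would also need `openssh.authorizedKeys.keys` on this user, which the hunk does not add; that is fine if the daemon is meant to be read-only, and a comment saying so would help. The `users.users` attrset continues past the hunk.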
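Review bot: cuda.nix puts `cudatoolkit`, cudnn, libcublas and `linuxPackages.nvidia_x11` into `environment.systemPackages` unconditionally, yet configuration.nix now imports it on every host and a `cuda.enable` profile already exists (xserver.nix gates `videoDrivers` on it). Wrapping the attrset in `lib.mkIf config.monorepo.profiles.cuda.enable { … }` keeps the CUDA toolchain and the proprietary driver out of the closure of non-GPU hosts; `config` and `lib` are already in the argument set. `linuxPackages.nvidia_x11` is also the driver built against the default kernel, which can differ from the `config.boot.kernelPackages` that nvidia.nix selects its driver from; `config.boot.kernelPackages.nvidia_x11` (or `config.hardware.nvidia.package`) ties the two together.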
@@ -32,10 +33,10 @@ monorepo = { profiles = { - documentation.enable = lib.mkDefault true; - pipewire.enable = lib.mkDefault true; - tor.enable = lib.mkDefault true; - home.enable = lib.mkDefault true; + documentation.enable = lib.mkDefault true; + pipewire.enable = lib.mkDefault true; + tor.enable = lib.mkDefault true; + home.enable = lib.mkDefault true; }; }; }; diff --git a/nix/modules/dovecot.nix b/nix/modules/dovecot.nix new file mode 100644 index 0000000..2921ad8 --- /dev/null +++ b/nix/modules/dovecot.nix @@ -0,0 +1,8 @@ +{ config, lib, ... }: +{ + services.dovecot2 = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + enableImap = true; + enablePop3 = true; + }; +} diff --git a/nix/modules/git-daemon.nix b/nix/modules/git-daemon.nix new file mode 100644 index 0000000..e71356e --- /dev/null +++ b/nix/modules/git-daemon.nix @@ -0,0 +1,9 @@ +{ config, lib, ... }: +{ + services.gitDaemon = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + exportAll = true; + listenAddress = "0.0.0.0"; + basePath = "/srv/git"; + }; +} diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix index a38ee24..1f87d57 100644 --- a/nix/modules/home/default.nix +++ b/nix/modules/home/default.nix 
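Review bot: dovecot.nix turns on IMAP and POP3 but sets no `sslServerCert`/`sslServerKey`; as far as I recall the NixOS dovecot2 module then emits `ssl = no` together with `disable_plaintext_auth = no`, so mailbox passwords would cross the network in cleartext on 143/110 wherever `server.enable` is true. Point the certificate options at a real certificate (the ACME one, once nginx.nix's `enableACME` is switched on) before this is enabled on a reachable host. `enablePop3 = true` is worth a comment if POP3 is actually needed, since the NixOS default leaves it off.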
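Review bot: `exportAll = true` combined with `listenAddress = "0.0.0.0"` publishes every repository under `/srv/git` over the unauthenticated git:// protocol on every interface, including repositories that were never meant to be public. Drop `exportAll` and mark the public ones with a `git-daemon-export-ok` file (the daemon's default behaviour), or enumerate them in `services.gitDaemon.repositories`. git:// is read-only and unencrypted, so it is fine for mirrors of public code and wrong for anything private; nothing in this diff touches `networking.firewall`, so whether the port is reachable depends on configuration outside it.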
@@ -39,117 +39,134 @@ crypto.enable = lib.mkEnableOption "Enables various cryptocurrency wallets"; art.enable = lib.mkEnableOption "Enables various art programs"; music.enable = lib.mkEnableOption "Enables mpd"; + workstation.enable = lib.mkEnableOption "Enables workstation packages (music production and others)"; hyprland = { - enable = lib.mkEnableOption "Enables hyprland"; - monitors = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ - "HDMI-A-1" - "eDP-1" - "DP-2" - "DP-3" - "LVDS-1" - ]; - example = []; - description = "Hyprland monitors"; - }; + enable = lib.mkEnableOption "Enables hyprland"; + monitors = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ + "HDMI-A-1" + "eDP-1" + "DP-2" + "DP-3" + "LVDS-1" + ]; + example = []; + description = "Hyprland monitors"; + }; }; email = { - email = lib.mkOption { - type = lib.types.str; - default = "ret2pop@gmail.com"; - example = "john@example.com"; - description = "Email address and imaps/smtps account"; - }; - imapsServer = lib.mkOption { - type = lib.types.str; - default = "imap.gmail.com"; - example = "imap.example.com"; - description = "imaps server address"; - }; - smtpsServer = lib.mkOption { - type = lib.types.str; - default = "smtp.gmail.com"; - example = "smtp.example.com"; - description = "smtp server address"; - }; - enable = lib.mkEnableOption "Enables email"; + email = lib.mkOption { + type = lib.types.str; + default = "ret2pop@gmail.com"; + example = "john@example.com"; + description = "Email address and imaps/smtps account"; + }; + imapsServer = lib.mkOption { + type = lib.types.str; + default = "imap.gmail.com"; + example = "imap.example.com"; + description = "imaps server address"; + }; + smtpsServer = lib.mkOption { + type = lib.types.str; + default = "smtp.gmail.com"; + example = "smtp.example.com"; + description = "smtp server address"; + }; + enable = lib.mkEnableOption "Enables email"; }; }; }; config = { home.packages = (if 
config.monorepo.profiles.email.enable then [ pkgs.mu ] else []) - ++ - (if config.monorepo.profiles.lang-c.enable then (with pkgs; [ - autobuild - clang - gdb - gnumake - bear - clang-tools - ]) else []) - ++ - (if config.monorepo.profiles.lang-js.enable then (with pkgs; [ - nodejs - bun - yarn - typescript - vscode-langservers-extracted - ]) else []) - ++ - (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [ - cargo - rust-analyzer - rustfmt - ]) else []) - ++ - (if config.monorepo.profiles.lang-python.enable then (with pkgs; [ - poetry - python3 - python312Packages.jedi - ]) else []) - ++ - (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [ - solc - ]) else []) - ++ - (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [ - openscad - openscad-lsp - ]) else []) - ++ - (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [ - bash-language-server - ]) else []) - ++ - (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [ - coq - ]) else []) - ++ - (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [ - nil - nixd - nixfmt-rfc-style - ]) else []) - ++ - (if config.monorepo.profiles.crypto.enable then (with pkgs; [ - bitcoin - electrum - monero-cli - monero-gui - ]) else []) - ++ - (if config.monorepo.profiles.art.enable then (with pkgs; [ - inkscape - krita - ]) else []) - ++ - (if config.monorepo.profiles.music.enable then (with pkgs; [ - mpc-cli - sox - ]) else []); + ++ + (if config.monorepo.profiles.lang-c.enable then (with pkgs; [ + autobuild + clang + gdb + gnumake + bear + clang-tools + ]) else []) + ++ + (if config.monorepo.profiles.lang-js.enable then (with pkgs; [ + nodejs + bun + yarn + typescript + vscode-langservers-extracted + ]) else []) + ++ + (if config.monorepo.profiles.lang-rust.enable then (with pkgs; [ + cargo + rust-analyzer + rustfmt + ]) else []) + ++ + (if config.monorepo.profiles.lang-python.enable then (with pkgs; [ + poetry + python3 + python312Packages.jedi + ]) else []) 
+ ++ + (if config.monorepo.profiles.lang-sol.enable then (with pkgs; [ + solc + ]) else []) + ++ + (if config.monorepo.profiles.lang-openscad.enable then (with pkgs; [ + openscad + openscad-lsp + ]) else []) + ++ + (if config.monorepo.profiles.lang-sh.enable then (with pkgs; [ + bash-language-server + ]) else []) + ++ + (if config.monorepo.profiles.lang-coq.enable then (with pkgs; [ + coq + ]) else []) + ++ + (if config.monorepo.profiles.lang-nix.enable then (with pkgs; [ + nil + nixd + nixfmt-rfc-style + ]) else []) + ++ + (if config.monorepo.profiles.crypto.enable then (with pkgs; [ + bitcoin + electrum + monero-cli + monero-gui + ]) else []) + ++ + (if config.monorepo.profiles.art.enable then (with pkgs; [ + inkscape + krita + ]) else []) + ++ + (if config.monorepo.profiles.music.enable then (with pkgs; [ + mpc-cli + sox + ]) else []) + ++ + (if config.monorepo.profiles.workstation.enable then (with pkgs; [ + alsa-utils + alsa-scarlett-gui + ardour + audacity + blender + fluidsynth + qjackctl + qsynth + qpwgraph + imagemagick + inkscape + kdenlive + kicad + ]) else []); monorepo.profiles = { enable = lib.mkDefault true; @@ -170,6 +187,7 @@ crypto.enable = lib.mkDefault true; art.enable = lib.mkDefault true; + workstation.enable = lib.mkDefault true; }; }; } diff --git a/nix/modules/i2pd.nix b/nix/modules/i2pd.nix new file mode 100644 index 0000000..ef4f63f --- /dev/null +++ b/nix/modules/i2pd.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: +{ + services.i2pd = { + enable = lib.mkDefault config.monorepo.profiles.server.enable; + address = "0.0.0.0"; + inTunnels = { + }; + outTunnels = { + }; + }; +} diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix new file mode 100644 index 0000000..7d8a24a --- /dev/null +++ b/nix/modules/nginx.nix 
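Review bot: `inkscape` now appears in both the `art` list and the new `workstation` list, and both profiles default to `lib.mkDefault true`, so `home.packages` receives it twice; keep it in one place. The twelve repetitions of `(if config.monorepo.profiles.X.enable then (with pkgs; [ … ]) else [])` would read better as `lib.optionals config.monorepo.profiles.X.enable (with pkgs; [ … ])` per profile, which also removes the outer parentheses; that is a style choice, not a defect. The `workstation` description says "music production and others" while the list also carries blender, kdenlive and kicad, so "audio, video, 3D and PCB tools" would describe it more precisely. The `config` attrset starts before the hunk and continues after it.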
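Review bot: The empty `inTunnels = { };` and `outTunnels = { };` in i2pd.nix are the option defaults and can be dropped, and `config` is taken as an argument but unused. With no tunnels configured the router only participates in the I2P network and offers nothing of its own, as far as I can tell; a one-line comment stating whether it is meant as a client-only router or as a relay reachable on `address = "0.0.0.0"` would make the intent explicit.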
@@ -0,0 +1,47 @@
+{ config, services, ... }:
+{
+ services.nginx = {
+ enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+'';
+
+ virtualHosts = {
+ "ret2pop.net" = {
+ # addSSL = true;
+ # enableACME = true;
+ root = "/home/preston/ret2pop-website/";
+ };
+ };
+ };
+}
diff --git a/nix/modules/nvidia.nix b/nix/modules/nvidia.nix
new file mode 100644
index 0000000..b59035c
--- /dev/null
+++ b/nix/modules/nvidia.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+{
+ hardware = {
+ opengl.extraPackages = with pkgs; [
+ vaapiVdpau
+ libvdpau-va-gl
+ nvidia-vaapi-driver
+ ];
+
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement = {
+ enable = true;
+ finegrained = false;
+ };
+ nvidiaSettings = true;
+ open = false;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+ };
+}
diff --git a/nix/modules/nvme-simple.nix b/nix/modules/nvme-simple.nix
new file mode 100644
index 0000000..665c17e
--- /dev/null
+++ b/nix/modules/nvme-simple.nix
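Review bot: The module header `{ config, services, ... }:` requests a `services` argument that the NixOS module system does not provide (`config.services` is the path), so evaluation fails as soon as configuration.nix imports this file; it should read `{ config, lib, ... }:`. `enable = true;` also departs from the sibling modules, which use `lib.mkDefault config.monorepo.profiles.server.enable`, so every host importing configuration.nix — continuity included — would run nginx; postfix.nix has the same unconditional `enable = true;`. The vhost's `root = "/home/preston/ret2pop-website/"` lives under `/home/*`, which configuration.nix's `restricthome` tmpfiles rule masks to 0700, so the nginx worker cannot read it; a path such as `/var/www/ret2pop.net` (placeholder) avoids both that and serving out of a login user's home. With `addSSL`/`enableACME` commented out the vhost is plain HTTP, leaving `recommendedTlsSettings`, `sslCiphers` and the HSTS map with nothing to apply to, which deserves a `# TODO: enable ACME` next to the commented lines.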
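Review bot: nvidia.nix applies on every host because configuration.nix imports it unconditionally: `hardware.opengl.extraPackages` adds `nvidia-vaapi-driver` to machines without the card, and `hardware.nvidia.*` is set even where xserver.nix leaves `nvidia` out of `videoDrivers`. Wrapping the body in `lib.mkIf config.monorepo.profiles.cuda.enable { … }` matches the gating xserver.nix already uses, and `lib` is taken as an argument but otherwise unused. `powerManagement.enable = true` is the suspend/resume helper that the NixOS option describes as experimental; on a headless host like affinity it is probably not wanted, so a comment on why it is on would help. Depending on the nixpkgs revision the flake pins (the lock file is not in the diff), `hardware.opengl` may already be renamed to `hardware.graphics`; check at build time.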
@@ -0,0 +1,35 @@
+{
+ disko.devices = {
+ disk = {
+ my-disk = {
+ device = "/dev/nvme0n1";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ priority = 1;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ priority = 2;
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nix/modules/ollama.nix b/nix/modules/ollama.nix
new file mode 100644
index 0000000..f9f4dc9
--- /dev/null
+++ b/nix/modules/ollama.nix
@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+ services.ollama = {
+ enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ acceleration = "cuda";
+ host = "0.0.0.0";
+ };
+}
diff --git a/nix/modules/postfix.nix b/nix/modules/postfix.nix
new file mode 100644
index 0000000..90eb253
--- /dev/null
+++ b/nix/modules/postfix.nix
@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+ services.postfix = {
+ enable = true;
+ config = {
+ };
+ };
+}
diff --git a/nix/modules/xserver.nix b/nix/modules/xserver.nix
index 52ca559..d6f7ab1 100644
--- a/nix/modules/xserver.nix
+++ b/nix/modules/xserver.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 {
 services.xserver = {
 enable = lib.mkDefault true;
@@ -8,8 +8,8 @@
 windowManager = { i3 = {
- enable = true;
- package = pkgs.i3-gaps;
+ enable = true;
+ package = pkgs.i3-gaps;
 }; };
@@ -23,6 +23,6 @@
 options = "caps:escape"; };
- videoDrivers = [];
+ videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []);
 }; }
diff --git a/nix/systems/affinity/default.nix b/nix/systems/affinity/default.nix
new file mode 100644
index 0000000..703103d
--- /dev/null
+++ b/nix/systems/affinity/default.nix
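Review bot: `device = "/dev/nvme0n1";` is an enumeration-order name, so a second NVMe drive or a USB enclosure that enumerates first would make the next `disko` run format the wrong disk; disko's own documentation recommends a stable `/dev/disk/by-id/…` path (fill in the real id for affinity). The attribute name `my-disk` is the example name from the disko docs and could be something descriptive. The layout otherwise matches what `sda-simple.nix` is presumably doing for continuity; if the two differ only in `device`, a shared module taking the device path as an argument would avoid the copy.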
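Review bot: `host = "0.0.0.0"` exposes the Ollama API, which has no authentication of its own, on every interface; anyone who can reach the port can run, pull or delete models. Unless a reverse proxy with access control is planned in nginx.nix, drop the `host` line to keep the module's loopback default, or bind a specific internal address. `acceleration = "cuda"` is hard-coded while `enable` follows `server.enable`, so a server host without the `cuda` profile would get a CUDA-only service; `acceleration = if config.monorepo.profiles.cuda.enable then "cuda" else null;` keeps the two in step (`null` being the option's auto-detect default, as far as I recall).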
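Review bot: `videoDrivers = (if config.monorepo.profiles.cuda.enable then [ "nvidia" ] else []);` is the idiomatic `videoDrivers = lib.optional config.monorepo.profiles.cuda.enable "nvidia";`, and the surrounding parentheses are unnecessary in either form. `pkgs.i3-gaps` survives only as an alias of `i3` in recent nixpkgs, as far as I recall, so `package = pkgs.i3;` would drop the dependency on the alias; that line is pre-existing, not part of this change. The `services.xserver` attrset starts before the second and third hunks.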
@@ -0,0 +1,13 @@ +{ config, lib, ... }: +{ + imports = [ + ../../modules/default.nix + ]; + config.monorepo = { + profiles = { + server.enable = true; + cuda.enable = true; + }; + vars.hostName = "affinity"; + }; +} |
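Review bot: `server.enable = true;` here switches on the git daemon, dovecot, i2pd and ollama, three of which bind `0.0.0.0` elsewhere in this diff, while nothing in the diff touches `networking.firewall`; whether those ports are reachable therefore depends on configuration outside it. A comment next to the line listing what the profile enables — and, better, an explicit `networking.firewall.allowedTCPPorts` decision per service in its own module — makes the exposure a deliberate choice rather than a side effect of the NixOS default. `lib` is taken as an argument but unused.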