primrose/.files
1
0
Fork 0
mirror of https://codeberg.org/leana8959/.files.git synced 2025-12-06 06:39:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

iron: init

Browse source
This commit is contained in:
Primrose 2025-10-23 11:37:44 +08:00
parent 3b77ed9058
commit 9aafa0207c
Signed by: primrose
GPG key ID: 4E887A4CA9714ADA
15 changed files with 797 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
default.nix
View file

@ -8,6 +8,11 @@
system = "x86_64-linux";
modules = [./nix/configurations/vanadium.nix];
};
iron = {
system = "x86_64-linux";
modules = [./nix/configurations/iron.nix];
};
installer = {
system = "x86_64-linux";
modules = [./nix/configurations/installer.nix];

159
nix/configurations/iron.nix Normal file
View file

@ -0,0 +1,159 @@
# Entry point to cherry pick modules
let
sources = import ../../npins;
hostname = "iron";
username = "leana";
in
{
config,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkAliasOptionModule;
in {
imports = [
#
# Shorthands
#
(mkAliasOptionModule ["me"] ["users" "users" username])
(mkAliasOptionModule ["hm"] ["home-manager" "users" username])
#
# hostname
#
{_module.args = {inherit hostname;};}
#
# nixpkgs
#
{
# affect the generated nix.conf, doesn't need to be turned off during nixos-install
nix = {
distributedBuilds = true;
settings.builders-use-substitutes = true;
};
nixpkgs = {
overlays =
map import
[
../overlays/agenix.nix
../overlays/disko.nix
../overlays/nur.nix
../overlays/nix-tree.nix
../overlays/nil.nix
../overlays/dix.nix
../packages/overlay.nix
]
# use lix everywhere and wrap it with nom
++ [
(import (sources.lix-module + "/overlay.nix") {inherit (sources) lix;})
(import ../overlays/nix-monitored.nix)
];
# Set NIX_PATH and flake registry at the same time
# https://github.com/NixOS/nixpkgs/pull/254405
flake.source = sources.nixpkgs;
};
nix.package = pkgs.nix-monitored;
system.nixos.version = lib.substring 0 8 sources.nixpkgs.revision;
}
#
# NixOS modules
#
./iron/nixos/hardware-configuration.nix # generated
./iron/nixos/fs.nix
./iron/nixos/battery.nix
./iron/nixos/connectivity.nix
./iron/nixos/secure_dns.nix
./iron/nixos/input.nix
./iron/nixos/misc.nix
./iron/nixos/display.nix
./iron/nixos/locale.nix
./iron/nixos/programs.nix
../nixosModules/common/disable-command-not-found.nix
../nixosModules/common/network.nix
../nixosModules/common/sudo-conf.nix
../nixosModules/common/system-nixconf.nix
../nixosModules/common/xscreensaver.nix
../nixosModules/extra/leana.nix
#
# Extern modules
#
(sources.disko + "/module.nix")
../disko/iron/btrfs.nix
(sources.agenix + "/modules/age.nix")
#
# home-manager
#
(sources.home-manager + "/nixos")
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
sharedModules = [{home.stateVersion = lib.mkDefault config.system.stateVersion;}];
};
hm.imports = [
#
# hostname
#
{_module.args = {inherit hostname;};}
#
# home modules
#
./iron/home/programs.nix
../homeModules/common/btop
../homeModules/common/fish
../homeModules/common/starship
../homeModules/common/tmux
../homeModules/common/vim
../homeModules/common/direnv.nix
../homeModules/common/fzf.nix
../homeModules/common/git.nix
../homeModules/common/gpg.nix
../homeModules/common/leana.nix
../homeModules/common/locale.nix
../homeModules/common/lazygit.nix
../homeModules/common/packages.nix
../homeModules/common/password-store.nix
../homeModules/common/tealdeer.nix
../homeModules/common/user-nixconf.nix
../homeModules/extra/tmux-fish-integration.nix
#
# Extern modules
#
(sources.agenix + "/modules/age-home.nix")
];
}
#
# Secrets
#
{
age.secrets = {
wpa_password.file = "${../secrets/wpa_password.age}";
};
}
];
}

75
nix/configurations/iron/home/programs.nix Normal file
View file

@ -0,0 +1,75 @@
{
pkgs,
lib,
config,
...
}: {
home.sessionPath = [
"${config.home.homeDirectory}/.local/bin"
];
home.sessionVariables = let
fishCfg = config.programs.fish;
in {
"SHELL" = lib.mkIf fishCfg.enable (lib.getExe fishCfg.package);
};
home.packages = [
pkgs.nmap
pkgs.stow
pkgs.zip
pkgs.unzip
pkgs.gnutar
pkgs.p7zip
pkgs.bc
pkgs.dig
pkgs.hutils
pkgs.miniserve
pkgs.agenix
pkgs.nix-which
# pretty tui tools
pkgs.du-dust
pkgs.tokei
pkgs.hyperfine
pkgs.watchexec
pkgs.onefetch
pkgs.just
# nix tools
pkgs.alejandra
pkgs.nurl
pkgs.dix
pkgs.niv
pkgs.npins
pkgs.nix-tree
pkgs.nh
];
programs = {
neovim = {
enable = true;
defaultEditor = true;
};
lazygit.enable = true;
fish = {
enable = true;
shellAbbrs = {
"fdoc" = "find ~/Documents -name";
};
};
starship.enable = true;
tmux.enable = true;
direnv.enable = true;
ripgrep.enable = true;
password-store.enable = true;
tealdeer.enable = true;
btop.enable = true;
cmus.enable = true;
};
services = {
gpg-agent.enable = true;
};
}

11
nix/configurations/iron/nixos/battery.nix Normal file
View file

@ -0,0 +1,11 @@
{
systemd.sleep.extraConfig = ''
HibernateDelaySec=1d
'';
services.logind = {
powerKey = "hibernate";
lidSwitch = "suspend-then-hibernate"; # won't happen there's no battery anyway
lidSwitchDocked = "ignore";
};
}

70
nix/configurations/iron/nixos/connectivity.nix Normal file
View file

@ -0,0 +1,70 @@
{
config,
lib,
...
}: {
users.users.root.openssh.authorizedKeys.keys = let
# TODO: put iron keys in identities
ids = import ../../../identities.nix;
in
builtins.concatMap builtins.attrValues (builtins.attrValues ids);
networking = {
networkmanager.enable = lib.mkForce false;
firewall.allowedTCPPorts = [
8080
# For 'localsend'
# https://github.com/localsend/localsend?tab=readme-ov-file#setup
53317
];
# To enable roaming https://wiki.archlinux.org/title/Wpa_supplicant#Roaming
wireless = {
enable = true;
userControlled.enable = true;
secretsFile = config.age.secrets.wpa_password.path;
scanOnLowSignal = false;
networks = let
# wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
escapePwdKey = lib.replaceStrings ["="] ["_"];
fromList = ns: let
go = networkArgs @ {
ssid,
# Custom fields wrapping nixpkgs module options
hasPassword ? false,
scanOnLowSignal ? false,
randomizeMac ? false,
...
}: {
${ssid} = lib.mkMerge [
(builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
(lib.optionalAttrs hasPassword {
pskRaw = "ext:${escapePwdKey ssid}";
})
(lib.optionalAttrs scanOnLowSignal {
extraConfig = ''
bgscan="simple:30:-70:3600"
'';
})
(lib.optionalAttrs randomizeMac {
extraConfig = ''
mac_addr=1
'';
})
];
};
in
lib.mkMerge (map go ns);
in
# TODO: move this upward like identities
fromList (import ./connectivity/networks.nix);
};
};
services.mullvad-vpn.enable = true;
hardware.bluetooth.enable = true;
}

97
nix/configurations/iron/nixos/connectivity/networks.nix Normal file
View file

@ -0,0 +1,97 @@
let
privatePriority = 10;
limitedPriority = -10;
in [
{
ssid = "~";
priority = privatePriority;
hasPassword = true;
}
{
ssid = "Peis Wifi";
priority = privatePriority;
hasPassword = true;
}
{
ssid = "girlypop-net";
priority = privatePriority;
hasPassword = true;
}
{
ssid = "annapurna";
priority = privatePriority;
hasPassword = true;
scanOnLowSignal = true;
}
{
ssid = "5526-1"; # TODO: set bssid preference ?
priority = privatePriority;
hasPassword = true;
scanOnLowSignal = true;
}
{
ssid = "eduroam";
priority = privatePriority;
scanOnLowSignal = true;
authProtocols = ["WPA-EAP"];
auth = ''
pairwise=CCMP
group=CCMP TKIP
eap=PEAP
ca_cert="${./universite_de_rennes.pem}"
identity="ychiang@etudiant.univ-rennes.fr"
altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr"
phase2="auth=MSCHAPV2"
password=ext:EDUROAM
anonymous_identity="anonymous@univ-rennes.fr"
'';
}
{
ssid = "A-WAY";
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "CAT.jpgcafe";
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "LOUISA"; # 區公所
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "LouisaCoffee"; # 七張
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{
ssid = "MetroTaipei x Louisa"; # 大安
priority = privatePriority;
hasPassword = true;
randomizeMac = true;
}
{ssid = "_SNCF_WIFI_INOUI";}
{ssid = "_WIFI_LYRIA";}
{ssid = "EurostarTrainsWiFi";}
{ssid = "SBB-FREE";}
{ssid = "AOT Airport Free Wi-Fi by NT";}
{ssid = "NewTaipei";}
{ssid = "Fami-WiFi";}
{
ssid = "iPhone de Léana ";
priority = limitedPriority;
hasPassword = true;
}
]

97
nix/configurations/iron/nixos/connectivity/universite_de_rennes.pem Normal file
View file

@ -0,0 +1,97 @@
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
vGp4z7h/jnZymQyd/teRCBaho1+V
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIG5TCCBM2gAwIBAgIRANpDvROb0li7TdYcrMTz2+AwDQYJKoZIhvcNAQEMBQAw
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIw
MDIxODAwMDAwMFoXDTMzMDUwMTIzNTk1OVowRDELMAkGA1UEBhMCTkwxGTAXBgNV
BAoTEEdFQU5UIFZlcmVuaWdpbmcxGjAYBgNVBAMTEUdFQU5UIE9WIFJTQSBDQSA0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApYhi1aEiPsg9ZKRMAw9Q
r8Mthsr6R20VSfFeh7TgwtLQi6RSRLOh4or4EMG/1th8lijv7xnBMVZkTysFiPmT
PiLOfvz+QwO1NwjvgY+Jrs7fSoVA/TQkXzcxu4Tl3WHi+qJmKLJVu/JOuHud6mOp
LWkIbhODSzOxANJ24IGPx9h4OXDyy6/342eE6UPXCtJ8AzeumTG6Dfv5KVx24lCF
TGUzHUB+j+g0lSKg/Sf1OzgCajJV9enmZ/84ydh48wPp6vbWf1H0O3Rd3LhpMSVn
TqFTLKZSbQeLcx/l9DOKZfBCC9ghWxsgTqW9gQ7v3T3aIfSaVC9rnwVxO0VjmDdP
FNbdoxnh0zYwf45nV1QQgpRwZJ93yWedhp4ch1a6Ajwqs+wv4mZzmBSjovtV0mKw
d+CQbSToalEUP4QeJq4Udz5WNmNMI4OYP6cgrnlJ50aa0DZPlJqrKQPGL69KQQz1
2WgxvhCuVU70y6ZWAPopBa1ykbsttpLxADZre5cH573lIuLHdjx7NjpYIXRx2+QJ
URnX2qx37eZIxYXz8ggM+wXH6RDbU3V2o5DP67hXPHSAbA+p0orjAocpk2osxHKo
NSE3LCjNx8WVdxnXvuQ28tKdaK69knfm3bB7xpdfsNNTPH9ElcjscWZxpeZ5Iij8
lyrCG1z0vSWtSBsgSnUyG/sCAwEAAaOCAYswggGHMB8GA1UdIwQYMBaAFFN5v1qq
K0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBRvHTVJEGwy+lmgnryK6B+VvnF6DDAO
BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwOAYDVR0gBDEwLzAtBgRVHSAAMCUwIwYIKwYBBQUH
AgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFAGA1UdHwRJMEcwRaBDoEGGP2h0
dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9u
QXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6
Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAl
BggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0B
AQwFAAOCAgEAUtlC3e0xj/1BMfPhdQhUXeLjb0xp8UE28kzWE5xDzGKbfGgnrT2R
lw5gLIx+/cNVrad//+MrpTppMlxq59AsXYZW3xRasrvkjGfNR3vt/1RAl8iI31lG
hIg6dfIX5N4esLkrQeN8HiyHKH6khm4966IkVVtnxz5CgUPqEYn4eQ+4eeESrWBh
AqXaiv7HRvpsdwLYekAhnrlGpioZ/CJIT2PTTxf+GHM6cuUnNqdUzfvrQgA8kt1/
ASXx2od/M+c8nlJqrGz29lrJveJOSEMX0c/ts02WhsfMhkYa6XujUZLmvR1Eq08r
48/EZ4l+t5L4wt0DV8VaPbsEBF1EOFpz/YS2H6mSwcFaNJbnYqqJHIvm3PLJHkFm
EoLXRVrQXdCT+3wgBfgU6heCV5CYBz/YkrdWES7tiiT8sVUDqXmVlTsbiRNiyLs2
bmEWWFUl76jViIJog5fongEqN3jLIGTG/mXrJT1UyymIcobnIGrbwwRVz/mpFQo0
vBYIi1k2ThVh0Dx88BbF9YiP84dd8Fkn5wbE6FxXYJ287qfRTgmhePecPc73Yrzt
apdRcsKVGkOpaTIJP/l+lAHRLZxk/dUtyN95G++bOSQqnOCpVPabUGl2E/OEyFrp
Ipwgu2L/WJclvd6g+ZA/iWkLSMcpnFb+uX6QBqvD6+RNxul1FaB5iHY=
-----END CERTIFICATE-----

4
nix/configurations/iron/nixos/display.nix Normal file
View file

@ -0,0 +1,4 @@
{
me.extraGroups = ["video"];
programs.light.enable = true;
}

77
nix/configurations/iron/nixos/fs.nix Normal file
View file

@ -0,0 +1,77 @@
{
config,
pkgs,
...
}: {
services.btrfs.autoScrub = {
enable = true;
fileSystems = [
"/"
"/home"
"/nix"
];
};
systemd.tmpfiles.rules = [
# tmux-sessionizer directories
"d /home/leana/r 0700 leana leana - -"
"d /home/leana/pg 0700 leana leana 4w -"
"d /home/leana/wt 0700 leana leana - -"
];
fileSystems = {
/*
WARNING:
Use "noauto" if you want to mount the drive at a later time and not all the time
Otherwise the mount would fail and cascade into the graphical session being stopped
*/
"/home/leana/mnt/tdk32" = {
device = "/dev/disk/by-uuid/EF28-13EC";
fsType = "vfat";
options = [
"umask=0000"
"noauto"
"user"
];
};
"/home/leana/mnt/EOF_DIGITAL" = {
device = "/dev/disk/by-uuid/0E07-0937";
fsType = "vfat";
options = [
"umask=0000"
"noauto"
"user"
];
};
};
environment.etc."crypttab".text = ''
four /dev/disk/by-uuid/f68b6704-670a-4050-b032-2d553070139a ${config.age.secrets.four_pwd.path} noauto
two /dev/disk/by-uuid/552234e0-0820-44d8-b7ac-2653076149a5 ${config.age.secrets.two_pwd.path} noauto
sgbk /dev/disk/by-uuid/21b5207e-c3cf-49da-b944-fb405ae1eee2 ${config.age.secrets.sgbk_pwd.path} noauto
'';
systemd.mounts = let
bindToCryptDev = dev: {
what = "/dev/mapper/${dev}";
where = "/mnt/${dev}";
unitConfig = {
Requires = ["systemd-cryptsetup@${dev}.service"];
After = ["systemd-cryptsetup@${dev}.service"];
PropagatesStopTo = ["systemd-cryptsetup@${dev}.service"];
};
};
in [
(bindToCryptDev "four")
(bindToCryptDev "two")
(bindToCryptDev "sgbk")
];
environment.systemPackages = [
pkgs.lsof
pkgs.smartmontools
pkgs.compsize
];
}

32
nix/configurations/iron/nixos/hardware-configuration.nix Normal file
View file

@ -0,0 +1,32 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp195s0f4u1u4.useDHCP = lib.mkDefault true;
# networking.interfaces.vboxnet0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

11
nix/configurations/iron/nixos/input.nix Normal file
View file

@ -0,0 +1,11 @@
{
services.xserver.xkb = {
layout = "us";
variant = "dvorak";
options = builtins.concatStringsSep "," [
"caps:swapescape"
"compose:ralt"
];
};
console.useXkbConfig = true;
}

52
nix/configurations/iron/nixos/locale.nix Normal file
View file

@ -0,0 +1,52 @@
{lib, ...}: {
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
# `timedatectl list-timezones`
time.timeZone = "Asia/Taipei";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocales = [
"en_US.UTF-8/UTF-8"
"fr_FR.UTF-8/UTF-8"
"zh_TW.UTF-8/UTF-8"
];
extraLocaleSettings =
# A list of env variables you might want to set
#
# "LC_CTYPE"
# "LC_NUMERIC"
# "LC_TIME"
# "LC_COLLATE"
# "LC_MONETARY"
# "LC_MESSAGES"
# "LC_PAPER"
# "LC_NAME"
# "LC_ADDRESS"
# "LC_TELEPHONE"
# "LC_MEASUREMENT"
# "LC_IDENTIFICATION"
let
genLocale = locale: lib.flip lib.genAttrs (_: locale);
in
# - xscreensaver freaks out on the time display
# - evolution add event becomes hard to use
# https://gitlab.gnome.org/GNOME/evolution/-/issues/3120
genLocale "fr_FR.UTF-8" [
"LC_TIME"
]
// genLocale "zh_TW.UTF-8" [
"LC_MONETARY"
"LC_ADDRESS"
];
};
# Wireless Regulatory Domain, uses ISO / IEC 3166 country code
#
# links:
# https://community.frame.work/t/framework-nixos-linux-users-self-help/31426/77
# https://wireless.docs.kernel.org/en/latest/en/developers/regulatory.html#the-ieee80211-regdom-module-parameter
hardware.wirelessRegulatoryDatabase = true;
boot.extraModprobeConfig = ''
options cfg80211 ieee80211_regdom="TW"
'';
}

11
nix/configurations/iron/nixos/misc.nix Normal file
View file

@ -0,0 +1,11 @@
{
system.stateVersion = "25.05";
boot.loader = {
systemd-boot = {
enable = true;
editor = false;
};
efi.canTouchEfiVariables = true;
};
}

16
nix/configurations/iron/nixos/programs.nix Normal file
View file

@ -0,0 +1,16 @@
{pkgs, ...}: {
environment.systemPackages = [
pkgs.man-pages
pkgs.man-pages-posix
];
#
# Programs
#
programs = {
vim.enable = true;
vim.defaultEditor = true;
git.enable = true;
};
}

80
nix/configurations/iron/nixos/secure_dns.nix Normal file
View file

@ -0,0 +1,80 @@
# https://nixos.wiki/wiki/Encrypted_DNS
{
lib,
pkgs,
...
}: {
networking = {
nameservers = ["127.0.0.1" "::1"];
dhcpcd.extraConfig = "nohook resolv.conf";
# networkmanager.dns = "none";
};
services.resolved.enable = false;
services.dnscrypt-proxy2 = {
enable = true;
# Settings reference:
# https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml
settings = {
listen_addresses = ["127.0.0.1:53"];
ipv4_servers = true;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
lb_strategy = "p2";
lb_estimator = true;
# Blocklists are made of one pattern per line.
# https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75
blocked_names.blocked_names_file = let
# Prevent building up reliance on chatbots
# Gotta preserve that thinking ability of my smoof bwain
ai_list = let
src = pkgs.fetchFromGitHub {
owner = "laylavish";
repo = "uBlockOrigin-HUGE-AI-Blocklist";
rev = "9bb188e2701138e03f73bacebd6b19b181ca0012";
hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA=";
};
in
lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [
(lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
(lib.splitString "\n")
(builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
(builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0
];
hategroup_list = let
src = pkgs.fetchFromGitHub {
owner = "chigh";
repo = "hategroup-dnsbl";
rev = "cc19c050997d5f54014bb20c764b131e003dfb17";
hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ=";
};
in
lib.pipe (builtins.readFile "${src}/blocklist.txt") [
(lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case
(lib.splitString "\n")
(builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x)))
];
combined_lists = ai_list ++ hategroup_list;
in
pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists);
# Add this to test if dnscrypt-proxy is actually used to resolve DNS requests
# query_log.file = "/var/log/dnscrypt-proxy/query.log";
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
};
}