diff --git a/default.nix b/default.nix
index 1366328f..0b61129e 100644
--- a/default.nix
+++ b/default.nix
@@ -8,6 +8,11 @@
 system = "x86_64-linux";
 modules = [./nix/configurations/vanadium.nix];
 };
+ iron = {
+ system = "x86_64-linux";
+ modules = [./nix/configurations/iron.nix];
+ };
+
 installer = {
 system = "x86_64-linux";
 modules = [./nix/configurations/installer.nix];
diff --git a/nix/configurations/iron.nix b/nix/configurations/iron.nix
new file mode 100644
index 00000000..38bc2d96
--- /dev/null
+++ b/nix/configurations/iron.nix
@@ -0,0 +1,159 @@ +# Entry point to cherry pick modules +let + sources = import ../../npins; + + hostname = "iron"; + username = "leana"; +in + { + config, + lib, + pkgs, + ... + }: let + inherit (lib.modules) mkAliasOptionModule; + in { + imports = [ + # + # Shorthands + # + (mkAliasOptionModule ["me"] ["users" "users" username]) + (mkAliasOptionModule ["hm"] ["home-manager" "users" username]) + + # + # hostname + # + {_module.args = {inherit hostname;};} + + # + # nixpkgs + # + { + # affect the generated nix.conf, doesn't need to be turned off during nixos-install + nix = { + distributedBuilds = true; + settings.builders-use-substitutes = true; + }; + + nixpkgs = { + overlays = + map import + [ + ../overlays/agenix.nix + ../overlays/disko.nix + ../overlays/nur.nix + ../overlays/nix-tree.nix + ../overlays/nil.nix + ../overlays/dix.nix + + ../packages/overlay.nix + ] + # use lix everywhere and wrap it with nom + ++ [ + (import (sources.lix-module + "/overlay.nix") {inherit (sources) lix;}) + (import ../overlays/nix-monitored.nix) + ]; + + # Set NIX_PATH and flake registry at the same time + # https://github.com/NixOS/nixpkgs/pull/254405 + flake.source = sources.nixpkgs; + }; + + nix.package = pkgs.nix-monitored; + + system.nixos.version = lib.substring 0 8 sources.nixpkgs.revision; + } + + # + # NixOS modules + # + ./iron/nixos/hardware-configuration.nix # generated + ./iron/nixos/fs.nix + + ./iron/nixos/battery.nix + + ./iron/nixos/connectivity.nix + ./iron/nixos/secure_dns.nix + ./iron/nixos/input.nix + + ./iron/nixos/misc.nix + + ./iron/nixos/display.nix + + ./iron/nixos/locale.nix + ./iron/nixos/programs.nix + + ../nixosModules/common/disable-command-not-found.nix + ../nixosModules/common/network.nix + ../nixosModules/common/sudo-conf.nix + ../nixosModules/common/system-nixconf.nix + ../nixosModules/common/xscreensaver.nix + + ../nixosModules/extra/leana.nix + + # + # Extern modules + # + (sources.disko + "/module.nix") + ../disko/iron/btrfs.nix + + 
(sources.agenix + "/modules/age.nix") + + # + # home-manager + # + (sources.home-manager + "/nixos") + { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + sharedModules = [{home.stateVersion = lib.mkDefault config.system.stateVersion;}]; + }; + + hm.imports = [ + # + # hostname + # + {_module.args = {inherit hostname;};} + + # + # home modules + # + ./iron/home/programs.nix + + ../homeModules/common/btop + ../homeModules/common/fish + ../homeModules/common/starship + ../homeModules/common/tmux + ../homeModules/common/vim + ../homeModules/common/direnv.nix + ../homeModules/common/fzf.nix + ../homeModules/common/git.nix + ../homeModules/common/gpg.nix + ../homeModules/common/leana.nix + ../homeModules/common/locale.nix + ../homeModules/common/lazygit.nix + ../homeModules/common/packages.nix + ../homeModules/common/password-store.nix + ../homeModules/common/tealdeer.nix + ../homeModules/common/user-nixconf.nix + + ../homeModules/extra/tmux-fish-integration.nix + + # + # Extern modules + # + (sources.agenix + "/modules/age-home.nix") + ]; + } + + # + # Secrets + # + { + age.secrets = { + wpa_password.file = "${../secrets/wpa_password.age}"; + }; + } + ]; + } diff --git a/nix/configurations/iron/home/programs.nix b/nix/configurations/iron/home/programs.nix new file mode 100644 index 00000000..925fb616 --- /dev/null +++ b/nix/configurations/iron/home/programs.nix 
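Review bot: The `age.secrets` block at the end of this hunk declares only `wpa_password`, yet fs.nix in the same commit reads `config.age.secrets.four_pwd.path`, `two_pwd` and `sgbk_pwd` for its crypttab; unless those are declared by one of the imported modules (for example `../nixosModules/extra/leana.nix`), evaluation fails with a missing-attribute error. Declaring them beside `wpa_password` also keeps the host's secret inventory in one place, following the existing pattern, e.g. `four_pwd.file = "${../secrets/PLACEHOLDER.age}";` with the real file name substituted. A one-line comment on the `# Secrets` section saying which modules consume each secret (connectivity.nix for `wpa_password`, fs.nix for the three `*_pwd` entries) would make that dependency visible.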
@@ -0,0 +1,75 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ home.sessionPath = [
+ "${config.home.homeDirectory}/.local/bin"
+ ];
+
+ home.sessionVariables = let
+ fishCfg = config.programs.fish;
+ in {
+ "SHELL" = lib.mkIf fishCfg.enable (lib.getExe fishCfg.package);
+ };
+
+ home.packages = [
+ pkgs.nmap
+ pkgs.stow
+ pkgs.zip
+ pkgs.unzip
+ pkgs.gnutar
+ pkgs.p7zip
+ pkgs.bc
+ pkgs.dig
+ pkgs.hutils
+ pkgs.miniserve
+ pkgs.agenix
+ pkgs.nix-which
+
+ # pretty tui tools
+ pkgs.du-dust
+ pkgs.tokei
+ pkgs.hyperfine
+ pkgs.watchexec
+ pkgs.onefetch
+ pkgs.just
+
+ # nix tools
+ pkgs.alejandra
+ pkgs.nurl
+ pkgs.dix
+ pkgs.niv
+ pkgs.npins
+ pkgs.nix-tree
+ pkgs.nh
+ ];
+
+ programs = {
+ neovim = {
+ enable = true;
+ defaultEditor = true;
+ };
+ lazygit.enable = true;
+ fish = {
+ enable = true;
+ shellAbbrs = {
+ "fdoc" = "find ~/Documents -name";
+ };
+ };
+ starship.enable = true;
+ tmux.enable = true;
+ direnv.enable = true;
+ ripgrep.enable = true;
+ password-store.enable = true;
+ tealdeer.enable = true;
+
+ btop.enable = true;
+ cmus.enable = true;
+ };
+
+ services = {
+ gpg-agent.enable = true;
+ };
+}
diff --git a/nix/configurations/iron/nixos/battery.nix b/nix/configurations/iron/nixos/battery.nix
new file mode 100644
index 00000000..bf6ca78a
--- /dev/null
+++ b/nix/configurations/iron/nixos/battery.nix
@@ -0,0 +1,11 @@
+{
+ systemd.sleep.extraConfig = ''
+ HibernateDelaySec=1d
+ '';
+
+ services.logind = {
+ powerKey = "hibernate";
+ lidSwitch = "suspend-then-hibernate"; # won't happen there's no battery anyway
+ lidSwitchDocked = "ignore";
+ };
+}
diff --git a/nix/configurations/iron/nixos/connectivity.nix b/nix/configurations/iron/nixos/connectivity.nix
new file mode 100644
index 00000000..403cab13
--- /dev/null
+++ b/nix/configurations/iron/nixos/connectivity.nix
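Review bot: In battery.nix, `powerKey = "hibernate"` and `HibernateDelaySec=1d` need a resume device (swap at least the size of RAM) that neither fs.nix nor the generated hardware-configuration.nix in this commit declares, so a power-key press would most likely fail to enter hibernation rather than do anything useful; either add swap plus `boot.resumeDevice`, or set `powerKey = "suspend"` until hibernation is actually configured. The inline comment `# won't happen there's no battery anyway` also sits oddly in a file named battery.nix and reads like a leftover from another host; if the machine truly has no battery, say so at the top of the file (`# iron has no battery: lid handling below is kept for parity with the laptop hosts`) so the next reader does not go looking for one.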
@@ -0,0 +1,70 @@ +{ + config, + lib, + ... +}: { + users.users.root.openssh.authorizedKeys.keys = let + # TODO: put iron keys in identities + ids = import ../../../identities.nix; + in + builtins.concatMap builtins.attrValues (builtins.attrValues ids); + + networking = { + networkmanager.enable = lib.mkForce false; + + firewall.allowedTCPPorts = [ + 8080 + + # For 'localsend' + # https://github.com/localsend/localsend?tab=readme-ov-file#setup + 53317 + ]; + + # To enable roaming https://wiki.archlinux.org/title/Wpa_supplicant#Roaming + wireless = { + enable = true; + userControlled.enable = true; + secretsFile = config.age.secrets.wpa_password.path; + scanOnLowSignal = false; + networks = let + # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`. + escapePwdKey = lib.replaceStrings ["="] ["_"]; + + fromList = ns: let + go = networkArgs @ { + ssid, + # Custom fields wrapping nixpkgs module options + hasPassword ? false, + scanOnLowSignal ? false, + randomizeMac ? false, + ... + }: { + ${ssid} = lib.mkMerge [ + (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"]) + (lib.optionalAttrs hasPassword { + pskRaw = "ext:${escapePwdKey ssid}"; + }) + (lib.optionalAttrs scanOnLowSignal { + extraConfig = '' + bgscan="simple:30:-70:3600" + ''; + }) + (lib.optionalAttrs randomizeMac { + extraConfig = '' + mac_addr=1 + ''; + }) + ]; + }; + in + lib.mkMerge (map go ns); + in + # TODO: move this upward like identities + fromList (import ./connectivity/networks.nix); + }; + }; + + services.mullvad-vpn.enable = true; + + hardware.bluetooth.enable = true; +} diff --git a/nix/configurations/iron/nixos/connectivity/networks.nix b/nix/configurations/iron/nixos/connectivity/networks.nix new file mode 100644 index 00000000..e603f0e2 --- /dev/null +++ b/nix/configurations/iron/nixos/connectivity/networks.nix 
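Review bot: `users.users.root.openssh.authorizedKeys.keys` flattens every key of every identity in `identities.nix` into root's authorized_keys, so any key added there for any purpose becomes a direct root login on this host; the `# TODO: put iron keys in identities` comment suggests this is a stopgap. Prefer authorizing only the keys meant for iron, or authorize the `leana` user (which already gets sudo through `../nixosModules/common/sudo-conf.nix`) and leave root without keys, and document why root login is needed if it stays. Separately, `go` emits two `extraConfig` definitions when both `scanOnLowSignal` and `randomizeMac` are true, and `networking.wireless.networks.<name>.extraConfig` is a plain string option, so that combination fails with conflicting definitions instead of merging — latent today, since no entry in networks.nix sets both. Building the string once fixes it; the bare `8080` in `allowedTCPPorts` also deserves the same kind of source comment `53317` has, because an unexplained open port is the first thing a later audit will ask about.
```nix
          ${ssid} = lib.mkMerge [
            (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
            (lib.optionalAttrs hasPassword {
              pskRaw = "ext:${escapePwdKey ssid}";
            })
            # extraConfig is a string option: define it once so the flags can be combined
            (lib.optionalAttrs (scanOnLowSignal || randomizeMac) {
              extraConfig =
                lib.optionalString scanOnLowSignal ''
                  bgscan="simple:30:-70:3600"
                ''
                + lib.optionalString randomizeMac ''
                  mac_addr=1
                '';
            })
          ];
```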
@@ -0,0 +1,97 @@ +let + privatePriority = 10; + limitedPriority = -10; +in [ + { + ssid = "~"; + priority = privatePriority; + hasPassword = true; + } + { + ssid = "Pei’s Wifi"; + priority = privatePriority; + hasPassword = true; + } + { + ssid = "girlypop-net"; + priority = privatePriority; + hasPassword = true; + } + + { + ssid = "annapurna"; + priority = privatePriority; + hasPassword = true; + scanOnLowSignal = true; + } + { + ssid = "5526-1"; # TODO: set bssid preference ? + priority = privatePriority; + hasPassword = true; + scanOnLowSignal = true; + } + + { + ssid = "eduroam"; + priority = privatePriority; + scanOnLowSignal = true; + + authProtocols = ["WPA-EAP"]; + auth = '' + pairwise=CCMP + group=CCMP TKIP + eap=PEAP + ca_cert="${./universite_de_rennes.pem}" + identity="ychiang@etudiant.univ-rennes.fr" + altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr" + phase2="auth=MSCHAPV2" + password=ext:EDUROAM + anonymous_identity="anonymous@univ-rennes.fr" + ''; + } + + { + ssid = "A-WAY"; + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "CAT.jpgcafe"; + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "LOUISA"; # 區公所 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "LouisaCoffee"; # 七張 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + { + ssid = "MetroTaipei x Louisa"; # 大安 + priority = privatePriority; + hasPassword = true; + randomizeMac = true; + } + + {ssid = "_SNCF_WIFI_INOUI";} + {ssid = "_WIFI_LYRIA";} + {ssid = "EurostarTrainsWiFi";} + {ssid = "SBB-FREE";} + {ssid = "AOT Airport Free Wi-Fi by NT";} + {ssid = "NewTaipei";} + {ssid = "Fami-WiFi";} + + { + ssid = "iPhone de Léana 江"; + priority = limitedPriority; + hasPassword = true; + } +] 
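Review bot: The open, unauthenticated networks near the end of the list (`_SNCF_WIFI_INOUI`, `_WIFI_LYRIA`, `EurostarTrainsWiFi`, `SBB-FREE`, the airport entry, `NewTaipei`, `Fami-WiFi`) have no `randomizeMac`, while the password-protected cafe networks do; public hotspots are where a stable hardware MAC is most trackable, so `{ssid = "_SNCF_WIFI_INOUI"; randomizeMac = true;}` and likewise for the others would be the consistent choice, assuming the `mac_addr=1` wrapper in connectivity.nix is meant as a privacy measure. The eduroam block commits a personal `identity=` address in clear text; it is not a credential, but it is personal data in a configuration file, so a short comment stating that this is intentional (or moving it out of the committed list if it is not) would settle the question for later readers. The `privatePriority`/`limitedPriority` constants leave the open networks at the default priority 0, sitting between the two; a one-line comment on the `let` block saying that is deliberate would help.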
diff --git a/nix/configurations/iron/nixos/connectivity/universite_de_rennes.pem b/nix/configurations/iron/nixos/connectivity/universite_de_rennes.pem new file mode 100644 index 00000000..ac4d2e1f --- /dev/null +++ b/nix/configurations/iron/nixos/connectivity/universite_de_rennes.pem 
@@ -0,0 +1,97 @@ +-----BEGIN CERTIFICATE----- +MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb +MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow +GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj +YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL +MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE +BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM +GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua +BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe +3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4 +YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR +rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm +ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU +oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF +MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v +QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t +b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF +AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q +GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz +Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2 +G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi +l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3 +smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5 +MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO 
+ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI +s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG +vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ +Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb +IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0 +tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E +xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV +icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5 +D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ +WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ +5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG +KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg +EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID +ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG +BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t +L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA +A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+ +rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+ +/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA +CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F +zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA +vGp4z7h/jnZymQyd/teRCBaho1+V +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIG5TCCBM2gAwIBAgIRANpDvROb0li7TdYcrMTz2+AwDQYJKoZIhvcNAQEMBQAw +gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK +ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD +VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIw +MDIxODAwMDAwMFoXDTMzMDUwMTIzNTk1OVowRDELMAkGA1UEBhMCTkwxGTAXBgNV +BAoTEEdFQU5UIFZlcmVuaWdpbmcxGjAYBgNVBAMTEUdFQU5UIE9WIFJTQSBDQSA0 
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApYhi1aEiPsg9ZKRMAw9Q +r8Mthsr6R20VSfFeh7TgwtLQi6RSRLOh4or4EMG/1th8lijv7xnBMVZkTysFiPmT +PiLOfvz+QwO1NwjvgY+Jrs7fSoVA/TQkXzcxu4Tl3WHi+qJmKLJVu/JOuHud6mOp +LWkIbhODSzOxANJ24IGPx9h4OXDyy6/342eE6UPXCtJ8AzeumTG6Dfv5KVx24lCF +TGUzHUB+j+g0lSKg/Sf1OzgCajJV9enmZ/84ydh48wPp6vbWf1H0O3Rd3LhpMSVn +TqFTLKZSbQeLcx/l9DOKZfBCC9ghWxsgTqW9gQ7v3T3aIfSaVC9rnwVxO0VjmDdP +FNbdoxnh0zYwf45nV1QQgpRwZJ93yWedhp4ch1a6Ajwqs+wv4mZzmBSjovtV0mKw +d+CQbSToalEUP4QeJq4Udz5WNmNMI4OYP6cgrnlJ50aa0DZPlJqrKQPGL69KQQz1 +2WgxvhCuVU70y6ZWAPopBa1ykbsttpLxADZre5cH573lIuLHdjx7NjpYIXRx2+QJ +URnX2qx37eZIxYXz8ggM+wXH6RDbU3V2o5DP67hXPHSAbA+p0orjAocpk2osxHKo +NSE3LCjNx8WVdxnXvuQ28tKdaK69knfm3bB7xpdfsNNTPH9ElcjscWZxpeZ5Iij8 +lyrCG1z0vSWtSBsgSnUyG/sCAwEAAaOCAYswggGHMB8GA1UdIwQYMBaAFFN5v1qq +K0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBRvHTVJEGwy+lmgnryK6B+VvnF6DDAO +BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwOAYDVR0gBDEwLzAtBgRVHSAAMCUwIwYIKwYBBQUH +AgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFAGA1UdHwRJMEcwRaBDoEGGP2h0 +dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9u +QXV0aG9yaXR5LmNybDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6 +Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAl +BggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0B +AQwFAAOCAgEAUtlC3e0xj/1BMfPhdQhUXeLjb0xp8UE28kzWE5xDzGKbfGgnrT2R +lw5gLIx+/cNVrad//+MrpTppMlxq59AsXYZW3xRasrvkjGfNR3vt/1RAl8iI31lG +hIg6dfIX5N4esLkrQeN8HiyHKH6khm4966IkVVtnxz5CgUPqEYn4eQ+4eeESrWBh +AqXaiv7HRvpsdwLYekAhnrlGpioZ/CJIT2PTTxf+GHM6cuUnNqdUzfvrQgA8kt1/ +ASXx2od/M+c8nlJqrGz29lrJveJOSEMX0c/ts02WhsfMhkYa6XujUZLmvR1Eq08r +48/EZ4l+t5L4wt0DV8VaPbsEBF1EOFpz/YS2H6mSwcFaNJbnYqqJHIvm3PLJHkFm +EoLXRVrQXdCT+3wgBfgU6heCV5CYBz/YkrdWES7tiiT8sVUDqXmVlTsbiRNiyLs2 +bmEWWFUl76jViIJog5fongEqN3jLIGTG/mXrJT1UyymIcobnIGrbwwRVz/mpFQo0 +vBYIi1k2ThVh0Dx88BbF9YiP84dd8Fkn5wbE6FxXYJ287qfRTgmhePecPc73Yrzt +apdRcsKVGkOpaTIJP/l+lAHRLZxk/dUtyN95G++bOSQqnOCpVPabUGl2E/OEyFrp 
+Ipwgu2L/WJclvd6g+ZA/iWkLSMcpnFb+uX6QBqvD6+RNxul1FaB5iHY= +-----END CERTIFICATE----- + diff --git a/nix/configurations/iron/nixos/display.nix b/nix/configurations/iron/nixos/display.nix new file mode 100644 index 00000000..c54cd9d9 --- /dev/null +++ b/nix/configurations/iron/nixos/display.nix @@ -0,0 +1,4 @@ +{ + me.extraGroups = ["video"]; + programs.light.enable = true; +} diff --git a/nix/configurations/iron/nixos/fs.nix b/nix/configurations/iron/nixos/fs.nix new file mode 100644 index 00000000..93c4d2c4 --- /dev/null +++ b/nix/configurations/iron/nixos/fs.nix 
@@ -0,0 +1,77 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [
+ "/"
+ "/home"
+ "/nix"
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ # tmux-sessionizer directories
+ "d /home/leana/r 0700 leana leana - -"
+ "d /home/leana/pg 0700 leana leana 4w -"
+ "d /home/leana/wt 0700 leana leana - -"
+ ];
+
+ fileSystems = {
+ /*
+ WARNING:
+ Use "noauto" if you want to mount the drive at a later time and not all the time
+ Otherwise the mount would fail and cascade into the graphical session being stopped
+ */
+
+ "/home/leana/mnt/tdk32" = {
+ device = "/dev/disk/by-uuid/EF28-13EC";
+ fsType = "vfat";
+ options = [
+ "umask=0000"
+ "noauto"
+ "user"
+ ];
+ };
+
+ "/home/leana/mnt/EOF_DIGITAL" = {
+ device = "/dev/disk/by-uuid/0E07-0937";
+ fsType = "vfat";
+ options = [
+ "umask=0000"
+ "noauto"
+ "user"
+ ];
+ };
+ };
+
+ environment.etc."crypttab".text = ''
+ four /dev/disk/by-uuid/f68b6704-670a-4050-b032-2d553070139a ${config.age.secrets.four_pwd.path} noauto
+ two /dev/disk/by-uuid/552234e0-0820-44d8-b7ac-2653076149a5 ${config.age.secrets.two_pwd.path} noauto
+ sgbk /dev/disk/by-uuid/21b5207e-c3cf-49da-b944-fb405ae1eee2 ${config.age.secrets.sgbk_pwd.path} noauto
+ '';
+
+ systemd.mounts = let
+ bindToCryptDev = dev: {
+ what = "/dev/mapper/${dev}";
+ where = "/mnt/${dev}";
+ unitConfig = {
+ Requires = ["systemd-cryptsetup@${dev}.service"];
+ After = ["systemd-cryptsetup@${dev}.service"];
+ PropagatesStopTo = ["systemd-cryptsetup@${dev}.service"];
+ };
+ };
+ in [
+ (bindToCryptDev "four")
+ (bindToCryptDev "two")
+ (bindToCryptDev "sgbk")
+ ];
+
+ environment.systemPackages = [
+ pkgs.lsof
+ pkgs.smartmontools
+ pkgs.compsize
+ ];
+}
diff --git a/nix/configurations/iron/nixos/hardware-configuration.nix b/nix/configurations/iron/nixos/hardware-configuration.nix
new file mode 100644
index 00000000..32be11fa
--- /dev/null
+++ b/nix/configurations/iron/nixos/hardware-configuration.nix
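Review bot: `umask=0000` on both vfat mounts makes every file on the removable drives readable and writable by every local account, and `user` lets any account mount them; since both mountpoints live under `/home/leana/mnt`, `"uid=UID_PLACEHOLDER" "gid=GID_PLACEHOLDER" "umask=0077"` (numeric ids of that user) keeps ownership with the one user without changing the plug-in workflow. The tmpfiles line `"d /home/leana/pg 0700 leana leana 4w -"` deserves a comment: the `4w` age field means systemd-tmpfiles cleanup deletes entries in `pg` untouched for four weeks, which is easy to misread as a mode-like field — propose `# pg is scratch: tmpfiles cleanup removes entries older than 4 weeks`. The hard-coded `leana` in the tmpfiles rules and mountpoints duplicates the `username` binding that iron.nix keeps, so a renamed user would silently leave these rules pointing at the old home.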
@@ -0,0 +1,32 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt"]; + boot.initrd.kernelModules = ["dm-snapshot"]; + boot.kernelModules = ["kvm-amd"]; + boot.extraModulePackages = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.docker0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp195s0f4u1u4.useDHCP = lib.mkDefault true; + # networking.interfaces.vboxnet0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nix/configurations/iron/nixos/input.nix b/nix/configurations/iron/nixos/input.nix new file mode 100644 index 00000000..6e8d794e --- /dev/null +++ b/nix/configurations/iron/nixos/input.nix @@ -0,0 +1,11 @@ +{ + services.xserver.xkb = { + layout = "us"; + variant = "dvorak"; + options = builtins.concatStringsSep "," [ + "caps:swapescape" + "compose:ralt" + ]; + }; + console.useXkbConfig = true; +} diff --git a/nix/configurations/iron/nixos/locale.nix b/nix/configurations/iron/nixos/locale.nix new file mode 100644 index 00000000..de1bd43f --- /dev/null +++ b/nix/configurations/iron/nixos/locale.nix 
@@ -0,0 +1,52 @@
+{lib, ...}: {
+ # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+ # `timedatectl list-timezones`
+ time.timeZone = "Asia/Taipei";
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ extraLocales = [
+ "en_US.UTF-8/UTF-8"
+ "fr_FR.UTF-8/UTF-8"
+ "zh_TW.UTF-8/UTF-8"
+ ];
+ extraLocaleSettings =
+ # A list of env variables you might want to set
+ #
+ # "LC_CTYPE"
+ # "LC_NUMERIC"
+ # "LC_TIME"
+ # "LC_COLLATE"
+ # "LC_MONETARY"
+ # "LC_MESSAGES"
+ # "LC_PAPER"
+ # "LC_NAME"
+ # "LC_ADDRESS"
+ # "LC_TELEPHONE"
+ # "LC_MEASUREMENT"
+ # "LC_IDENTIFICATION"
+ let
+ genLocale = locale: lib.flip lib.genAttrs (_: locale);
+ in
+ # - xscreensaver freaks out on the time display
+ # - evolution add event becomes hard to use
+ # https://gitlab.gnome.org/GNOME/evolution/-/issues/3120
+ genLocale "fr_FR.UTF-8" [
+ "LC_TIME"
+ ]
+ // genLocale "zh_TW.UTF-8" [
+ "LC_MONETARY"
+ "LC_ADDRESS"
+ ];
+ };
+
+ # Wireless Regulatory Domain, uses ISO / IEC 3166 country code
+ #
+ # links:
+ # https://community.frame.work/t/framework-nixos-linux-users-self-help/31426/77
+ # https://wireless.docs.kernel.org/en/latest/en/developers/regulatory.html#the-ieee80211-regdom-module-parameter
+ hardware.wirelessRegulatoryDatabase = true;
+ boot.extraModprobeConfig = ''
+ options cfg80211 ieee80211_regdom="TW"
+ '';
+}
diff --git a/nix/configurations/iron/nixos/misc.nix b/nix/configurations/iron/nixos/misc.nix
new file mode 100644
index 00000000..7f389df2
--- /dev/null
+++ b/nix/configurations/iron/nixos/misc.nix
@@ -0,0 +1,11 @@
+{
+ system.stateVersion = "25.05";
+
+ boot.loader = {
+ systemd-boot = {
+ enable = true;
+ editor = false;
+ };
+ efi.canTouchEfiVariables = true;
+ };
+}
diff --git a/nix/configurations/iron/nixos/programs.nix b/nix/configurations/iron/nixos/programs.nix
new file mode 100644
index 00000000..0e605d66
--- /dev/null
+++ b/nix/configurations/iron/nixos/programs.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ environment.systemPackages = [
+ pkgs.man-pages
+ pkgs.man-pages-posix
+ ];
+
+ #
+ # Programs
+ #
+ programs = {
+ vim.enable = true;
+ vim.defaultEditor = true;
+
+ git.enable = true;
+ };
+}
diff --git a/nix/configurations/iron/nixos/secure_dns.nix b/nix/configurations/iron/nixos/secure_dns.nix
new file mode 100644
index 00000000..eebd747a
--- /dev/null
+++ b/nix/configurations/iron/nixos/secure_dns.nix
@@ -0,0 +1,80 @@ +# https://nixos.wiki/wiki/Encrypted_DNS +{ + lib, + pkgs, + ... +}: { + networking = { + nameservers = ["127.0.0.1" "::1"]; + dhcpcd.extraConfig = "nohook resolv.conf"; + # networkmanager.dns = "none"; + }; + + services.resolved.enable = false; + + services.dnscrypt-proxy2 = { + enable = true; + # Settings reference: + # https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml + settings = { + listen_addresses = ["127.0.0.1:53"]; + ipv4_servers = true; + + require_dnssec = true; + require_nolog = true; + require_nofilter = true; + + lb_strategy = "p2"; + lb_estimator = true; + + # Blocklists are made of one pattern per line. + # https://github.com/DNSCrypt/dnscrypt-proxy/blob/fa59f990431a49b6485f63f96601bc7e64017bf8/dnscrypt-proxy/example-dnscrypt-proxy.toml#L583C4-L583C75 + blocked_names.blocked_names_file = let + # Prevent building up reliance on chatbots + # Gotta preserve that thinking ability of my smoof bwain + ai_list = let + src = pkgs.fetchFromGitHub { + owner = "laylavish"; + repo = "uBlockOrigin-HUGE-AI-Blocklist"; + rev = "9bb188e2701138e03f73bacebd6b19b181ca0012"; + hash = "sha256-p3wfR28DH6V8BHn9DT10d09Yq3mdbBecWwlR1CdDYUA="; + }; + in + lib.pipe (builtins.readFile "${src}/noai_hosts.txt") [ + (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case + (lib.splitString "\n") + (builtins.filter (x: ! (x == "" || lib.hasPrefix "#" x))) + (builtins.map (x: builtins.elemAt (lib.splitString " " x) 1)) # remove 0.0.0.0 + ]; + + hategroup_list = let + src = pkgs.fetchFromGitHub { + owner = "chigh"; + repo = "hategroup-dnsbl"; + rev = "cc19c050997d5f54014bb20c764b131e003dfb17"; + hash = "sha256-SZBrjIBUw687MdrbOV7WrP5IhAAtKvPL2GqdcICHNvQ="; + }; + in + lib.pipe (builtins.readFile "${src}/blocklist.txt") [ + (lib.replaceStrings ["\r\n"] ["\n"]) # convert to unix ending just in case + (lib.splitString "\n") + (builtins.filter (x: ! 
(x == "" || lib.hasPrefix "#" x))) + ]; + + combined_lists = ai_list ++ hategroup_list; + in + pkgs.writeText "dnsblocklist" (builtins.concatStringsSep "\n" combined_lists); + + # Add this to test if dnscrypt-proxy is actually used to resolve DNS requests + # query_log.file = "/var/log/dnscrypt-proxy/query.log"; + sources.public-resolvers = { + urls = [ + "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" + "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" + ]; + cache_file = "/var/cache/dnscrypt-proxy/public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + }; + }; + }; +}
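Review bot: `networking.nameservers` lists `::1`, but `listen_addresses` is only `["127.0.0.1:53"]`, so any lookup the resolver library sends to the IPv6 loopback is refused or times out before it falls through to 127.0.0.1; either add `"[::1]:53"` to `listen_addresses` or drop `::1` from `nameservers`. The `ai_list` parsing takes the second field after splitting on a single space (`builtins.elemAt (lib.splitString " " x) 1`), which silently yields an empty or wrong token on tab- or multi-space-separated hosts-file lines, whereas the `hategroup_list` branch does no field extraction at all, so that file is presumably already one name per line — confirm both against the pinned revisions; a `builtins.match` on runs of whitespace would be more robust. The pinned `rev`/`hash` pairs on both `fetchFromGitHub` calls are what makes this blocklist reproducible, so a comment beside them such as `# bumping rev changes the DNS deny policy: re-read the list before updating` would tell the next maintainer why they are not plain `master` fetches. This hunk starts on the previous line of the page.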