Merge branch 'main' of ssh://git.0x76.dev:42/v/infrastructure

2023-06-01 10:28:50 +02:00 · 2023-06-01 10:28:50 +02:00 · f387a44282
commit f387a44282
parent ea94f285ef 01692a4eee
24 changed files with 497 additions and 197 deletions
--- a/nixos/common/common.nix
+++ b/nixos/common/common.nix
@ -1,82 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  imports = [ ./users ./modules ];
-
-  # Clean /tmp on boot.
-  boot.tmp.cleanOnBoot = true;
-
-  # Set your time zone.
-  time.timeZone = lib.mkDefault "Europe/Amsterdam";
-
-  # Systemd OOMd
-  # Fedora enables these options by default. See the 10-oomd-* files here:
-  # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255
-  systemd.oomd = {
-    enableRootSlice = true;
-    enableUserServices = true;
-  };
-
-  # Nix Settings
-  nix = {
-    package = pkgs.nixUnstable;
-    settings = {
-      auto-optimise-store = true;
-      trusted-users = [ "root" "victor" ];
-      substituters = [
-        "https://cachix.cachix.org"
-        "https://nix-community.cachix.org"
-        "https://nixpkgs-review-bot.cachix.org"
-        "https://colmena.cachix.org"
-        "https://cache.garnix.io"
-        "https://0x76-infra.cachix.org"
-        "https://webcord.cachix.org"
-      ];
-      trusted-public-keys = [
-        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
-        "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
-        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
-        "0x76-infra.cachix.org-1:dC1qp+VEN3jj5pdK4URlXR9hf3atT+MnpKGu6PZjMc8="
-        "webcord.cachix.org-1:l555jqOZGHd2C9+vS8ccdh8FhqnGe8L78QrHNn+EFEs="
-      ];
-    };
-    optimise = {
-      automatic = true;
-      dates = [ "weekly" ];
-    };
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      randomizedDelaySec = "3h";
-      options = "--delete-older-than 7d";
-    };
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-
-  nixpkgs.config.allowUnfree = true;
-
-  nixpkgs.config.permittedInsecurePackages = [
-                 "nodejs-14.21.3"
-                 "openssl-1.1.1t"
-                 "nodejs-16.20.0"
-               ];
-
-
-  # Limit the systemd journal to 100 MB of disk or the
-  # last 7 days of logs, whichever happens first.
-  services.journald.extraConfig = ''
-    SystemMaxUse=100M
-    MaxFileSec=7day
-  '';
-
-  # Enable SSH
-  services.openssh = {
-    enable = true;
-    settings = {
-      PasswordAuthentication = lib.mkDefault false;
-      PermitRootLogin = lib.mkDefault "no";
-    };
-  };
-}
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@ -1,13 +1,6 @@
-{ inputs, lib, config, ... }: {
-  # This file deals with everything requiring `inputs`, the rest being delagated to `common.nix`
-  # this is because we can't import inputs from all contexts as that can lead to infinite recursion.
-  imports = [ ./common.nix inputs.vault-secrets.nixosModules.vault-secrets ];
-
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-  nix.registry.nixpkgs.flake = inputs.nixpkgs;
-
-  home-manager.sharedModules =
-    [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ];
+{ lib, pkgs, inputs, config, ... }: {
+  imports =
+    [ ./users ./modules inputs.vault-secrets.nixosModules.vault-secrets ];

  vault-secrets = let
    inherit (config.networking) domain hostName;
@ -17,4 +10,99 @@
    vaultAddress = "http://${server}.${domain}:8200/";
    approlePrefix = "${domain}-${hostName}";
  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = { inherit inputs; };
+    sharedModules = [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ];
+  };
+
+  # Clean /tmp on boot.
+  boot.tmp.cleanOnBoot = true;
+
+  # Set your time zone.
+  time.timeZone = lib.mkDefault "Europe/Amsterdam";
+
+  # Systemd OOMd
+  # Fedora enables these options by default. See the 10-oomd-* files here:
+  # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255
+  systemd.oomd = {
+    enableRootSlice = true;
+    enableUserServices = true;
+  };
+
+  # Nix Settings
+  nix = {
+    registry.nixpkgs.flake = inputs.nixpkgs;
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+    package = pkgs.nixUnstable;
+    settings = {
+      auto-optimise-store = true;
+      trusted-users = [ "root" "victor" ];
+      substituters = [
+        "https://cachix.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://nixpkgs-review-bot.cachix.org"
+        "https://colmena.cachix.org"
+        "https://cache.garnix.io"
+        "https://0x76-infra.cachix.org"
+        "https://webcord.cachix.org"
+      ];
+      trusted-public-keys = [
+        "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
+        "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        "0x76-infra.cachix.org-1:dC1qp+VEN3jj5pdK4URlXR9hf3atT+MnpKGu6PZjMc8="
+        "webcord.cachix.org-1:l555jqOZGHd2C9+vS8ccdh8FhqnGe8L78QrHNn+EFEs="
+      ];
+    };
+    optimise = {
+      automatic = true;
+      dates = [ "weekly" ];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      randomizedDelaySec = "3h";
+      options = "--delete-older-than 7d";
+    };
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  nixpkgs.config.permittedInsecurePackages =
+    [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ];
+
+  # Limit the systemd journal to 100 MB of disk or the
+  # last 7 days of logs, whichever happens first.
+  services.journald.extraConfig = ''
+    SystemMaxUse=100M
+    MaxFileSec=7day
+  '';
+
+  # Enable SSH
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = lib.mkDefault false;
+      PermitRootLogin = lib.mkDefault "no";
+    };
+  };
+
+  # Debloat
+  documentation = {
+    enable = lib.mkForce false;
+    doc.enable = lib.mkForce false;
+    man.enable = lib.mkForce false;
+    info.enable = lib.mkForce false;
+    nixos.enable = lib.mkForce false;
+  };
+
+  system.disableInstallerTools = lib.mkDefault true;
 }
--- a/nixos/common/desktop/default.nix
+++ b/nixos/common/desktop/default.nix
@ -1,9 +1,9 @@
-{ pkgs, lib, ... }: {
+{ pkgs, lib, inputs, ... }: {
  # Bootloader.
  boot = {
    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
    loader = {
-      systemd-boot.enable = true;
+      systemd-boot.enable = lib.mkDefault true;
      efi.canTouchEfiVariables = true;
      efi.efiSysMountPoint = "/boot/efi";
    };
@ -15,6 +15,12 @@
  };

  hardware.keyboard.qmk.enable = true;
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    users.victor = import ./home.nix;
+    extraSpecialArgs = { inherit inputs; };
+  };

  # Enable my config for the gnome desktop environment
  services.v.gnome.enable = true;
@ -40,7 +46,9 @@
  services.printing.enable = true;

  # Global Packages
-  environment.systemPackages = with pkgs; [ wireguard-tools ];
+  environment = {
+    systemPackages = with pkgs; [ wireguard-tools sbctl ];
+  };

  # Enable sound with pipewire.
  sound.enable = true;
@ -85,6 +93,7 @@
    remotePlay.openFirewall = true;
  };

+  programs.adb.enable = true;
  # Networking
  networking.networkmanager.enable = true;
  networking.firewall.checkReversePath = false;
--- a/nixos/common/desktop/home.nix
+++ b/nixos/common/desktop/home.nix
@ -7,6 +7,7 @@ let
  my-python-packages = ps: with ps; [ pandas requests numpy ];
 in {
  home.packages = with pkgs; [
+    (python3.withPackages my-python-packages)
    btop
    calibre
    celluloid
@ -17,13 +18,11 @@ in {
    gimp
    inputs.comma.packages.${pkgs.system}.default
    inputs.webcord.packages.${pkgs.system}.default
-    # jetbrains.clion
    kdenlive
    mullvad-vpn
    neofetch
    nixfmt
    nixpkgs-review
-    (python3.withPackages my-python-packages)
    plex-media-player
    rustup
    solo2-cli
@ -35,7 +34,6 @@ in {

  # Enable my own hm modules
  themes.v.catppuccin.enable = true;
-  programs.v.nvim.enable = true;
  programs.v.vscode.enable = true;

  programs.riff = {
@ -56,22 +54,21 @@ in {
    userName = "Victor";
    userEmail = "victor@xirion.net";
    lfs.enable = true;
-    # delta.enable = true;
    extraConfig = {
      push.autoSetupRemote = true;
      init.defaultBranch = "main";
    };
-  };

-  programs.tmux = {
-    enable = true;
-    shortcut = "b";
-    terminal = "screen-256color";
-    clock24 = true;
+    difftastic.enable = true;
  };

  programs.firefox.enable = true;

+  programs.chromium = {
+    enable = true;
+    package = pkgs.ungoogled-chromium;
+  };
+
  programs.direnv = {
    enable = true;
    nix-direnv.enable = true;
--- a/nixos/common/hm-modules/nvim.nix
+++ b/nixos/common/hm-modules/nvim.nix
@ -11,11 +11,16 @@ in {

      globals = { mapleader = " "; };

+      options = { number = true; };
+
      maps.normal = {
        "<leader>ff" = "<cmd>lua require('telescope.builtin').find_files()<cr>";
        "<leader>fg" = "<cmd>lua require('telescope.builtin').live_grep()<cr>";
+
        "<C-_>" =
          "<cmd>lua require('Comment.api').toggle.linewise.current()<cr>"; # map ctrl+/ to commenting code
+
+        "g=" = "<cmd>lua vim.lsp.buf.format{async=true}<cr>";
      };

      extraPlugins = with pkgs.vimPlugins; [ catppuccin-nvim luasnip ];
@ -26,6 +31,19 @@ in {

      plugins = {
        bufferline.enable = true;
+        null-ls = {
+          enable = true;
+          sources = {
+            formatting.nixpkgs_fmt.enable = true;
+            code_actions.shellcheck.enable = true;
+            code_actions.statix.enable = true;
+            diagnostics = {
+              statix.enable = true;
+              deadnix.enable = true;
+              shellcheck.enable = true;
+            };
+          };
+        };
        nix.enable = true;
        treesitter = {
          enable = true;
@ -47,8 +65,8 @@ in {
        comment-nvim = { enable = true; };
        lsp = {
          enable = true;
+          servers.nil_ls.enable = true;
          servers.rust-analyzer.enable = true;
-          servers.rnix-lsp.enable = true;
          servers.pyright.enable = true;
          servers.elixirls.enable = true;
          servers.clangd.enable = true;
--- a/nixos/common/users/default.nix
+++ b/nixos/common/users/default.nix
@ -23,6 +23,8 @@
  programs.neovim = {
    enable = true;
    viAlias = true;
+    vimAlias = true;
+    defaultEditor = true;
  };

  # Disable sudo prompt for `wheel` users.
--- a/nixos/common/users/victor.nix
+++ b/nixos/common/users/victor.nix
@ -21,4 +21,21 @@
    extraGroups =
      [ "systemd-journal" "wheel" "networkmanager" "libvirtd" "dialout" ];
  };
+
+  home-manager.users.victor = {
+    programs.home-manager.enable = true;
+
+    home.username = "victor";
+    home.homeDirectory = "/home/victor";
+    home.stateVersion = "23.05";
+
+    programs.v.nvim.enable = true;
+
+    programs.tmux = {
+      enable = true;
+      shortcut = "b";
+      terminal = "screen-256color";
+      clock24 = true;
+    };
+  };
 }
--- a/nixos/hosts/hades/default.nix
+++ b/nixos/hosts/hades/default.nix
@ -136,19 +136,19 @@
    mac = "12:fa:24:02:65:e6";
    nix = false;
  };
-  "docker-registry-proxy" = {
-    ip = "192.168.0.128";
-    mac = "0e:11:65:62:66:9f";
-  };
+  # "docker-registry-proxy" = {
+  #   ip = "192.168.0.128";
+  #   mac = "0e:11:65:62:66:9f";
+  # };
  "hassio" = {
    ip = "192.168.0.129";
    mac = "e6:80:32:fb:00:75";
    nix = false;
  };
-  "docker-registry" = {
-    ip = "192.168.0.130";
-    mac = "5e:0e:a6:cf:64:70";
-  };
+  # "docker-registry" = {
+  #   ip = "192.168.0.130";
+  #   mac = "5e:0e:a6:cf:64:70";
+  # };
  "minecraft" = {
    ip = "192.168.0.131";
    mac = "00:0c:29:9b:e1:c4";
--- a/nixos/hosts/hades/dns/configuration.nix
+++ b/nixos/hosts/hades/dns/configuration.nix
@ -17,4 +17,22 @@
    openFirewall = true;
    mode = "server";
  };
+
+  services.unbound.settings.server = {
+    local-zone = [
+      "xirion.net typetransparent"
+      "hades.xirion.net typetransparent"
+      "requests.xirion.net typetransparent"
+      "ha.xirion.net typetransparent"
+      "mail.xirion.net typetransparent"
+    ];
+
+    local-data = [
+      ''"xirion.net A 192.168.0.122"''
+      ''"hades.xirion.net A 192.168.0.122"''
+      ''"requests.xirion.net A 192.168.0.122"''
+      ''"ha.xirion.net A 192.168.0.122"''
+      ''"mail.xirion.net A 192.168.0.122"''
+    ];
+  };
 }
--- a/nixos/hosts/olympus/bastion/configuration.nix
+++ b/nixos/hosts/olympus/bastion/configuration.nix
@ -69,7 +69,5 @@ in {
    pinentryFlavor = "curses";
  };

-  home-manager.useGlobalPkgs = true;
-  home-manager.useUserPackages = true;
  home-manager.users.victor = import ./home.nix;
 }
--- a/nixos/hosts/olympus/bastion/home.nix
+++ b/nixos/hosts/olympus/bastion/home.nix
@ -1,9 +1,4 @@
 _: {
-  programs.home-manager.enable = true;
-  home.username = "victor";
-  home.homeDirectory = "/home/victor";
-  home.stateVersion = "22.05";
-
  programs.direnv = {
    enable = true;
    nix-direnv = { enable = true; };
--- a/nixos/hosts/olympus/eevee/configuration.nix
+++ b/nixos/hosts/olympus/eevee/configuration.nix
@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ pkgs, inputs, ... }: {
+{ pkgs, ... }: {
  imports = [ ./hardware-configuration.nix ./hardware.nix ];

  # Bootloader.
@ -41,10 +41,7 @@
  environment.sessionVariables.NIXOS_OZONE_WL = "1";

  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
    users.victor = import ./home;
-    extraSpecialArgs = { inherit inputs; };
  };
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
--- a/nixos/hosts/olympus/eevee/hardware.nix
+++ b/nixos/hosts/olympus/eevee/hardware.nix
@ -22,6 +22,11 @@
    driSupport = true;
  };

+  hardware.logitech.wireless = {
+    enable = true;
+    enableGraphical = true;
+  };
+
  # udev
  services.udev.packages = with pkgs; [
    android-udev-rules
--- a/nixos/hosts/olympus/eevee/home/default.nix
+++ b/nixos/hosts/olympus/eevee/home/default.nix
@ -1,12 +1,4 @@
 _: {
-  programs.home-manager.enable = true;
-
-  home.username = "victor";
-  home.homeDirectory = "/home/victor";
-  home.stateVersion = "23.05";
-
-  imports = [ ../../../../common/desktop/home.nix ];
-
  dconf.settings."org/gnome/desktop/peripherals/mouse" = {
    accel-profile = "flat";
  };
--- a/nixos/hosts/thalassa/aoife/configuration.nix
+++ b/nixos/hosts/thalassa/aoife/configuration.nix
@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ inputs, ... }: {
+{ inputs, lib, ... }: {
  imports = [
    ./hardware-configuration.nix
    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z
@ -11,16 +11,19 @@

  # Bootloader.
  boot = {
+    bootspec.enable = true;
    initrd.kernelModules = [ "amdgpu" ];
    resumeDevice = "/dev/nvme0n1p2";
+    loader.systemd-boot.enable = lib.mkForce false;
+
+    lanzaboote = {
+      enable = true;
+      configurationLimit = 5;
+      pkiBundle = "/etc/secureboot";
+    };
  };

-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    users.victor = import ./home;
-    extraSpecialArgs = { inherit inputs; };
-  };
+  home-manager.users.victor = import ./home;

  # Enable Ozone rendering for Chromium and Electron apps.
  environment.sessionVariables.NIXOS_OZONE_WL = "1";
--- a/nixos/hosts/thalassa/aoife/home/default.nix
+++ b/nixos/hosts/thalassa/aoife/home/default.nix
@ -1,12 +1,4 @@
 _: {
-  programs.home-manager.enable = true;
-
-  home.username = "victor";
-  home.homeDirectory = "/home/victor";
-  home.stateVersion = "23.05";
-
-  imports = [ ../../../../common/desktop/home.nix ];
-
  # Custom dconf settings
  dconf.settings."org/gnome/desktop/input-sources" = {
    xkb-options = [ "caps:swapescape" ];
--- a/nixos/pkgs/dnd-5e-latex-template/default.nix
+++ b/nixos/pkgs/dnd-5e-latex-template/default.nix
@ -1,4 +1,4 @@
-{ stdenvNoCC, fetchFromGitHub }:
+{ lib, stdenvNoCC, fetchFromGitHub }:
 stdenvNoCC.mkDerivation rec {
  pname = "dnd-5e-latex-template";
  version = "0.8.0";
@ -23,5 +23,8 @@ stdenvNoCC.mkDerivation rec {
    runHook postInstall
  '';

-  meta = { description = "DnD 5e latex template"; };
+  meta = {
+    description = "DnD 5e latex template";
+    license = lib.licenses.mit;
+  };
 }
--- a/nixos/pkgs/gitea-agatheme/default.nix
+++ b/nixos/pkgs/gitea-agatheme/default.nix
@ -1,4 +1,4 @@
-{ stdenvNoCC, fetchurl }:
+{ stdenvNoCC, fetchurl, lib }:
 stdenvNoCC.mkDerivation {
  pname = "gitea-agatheme";
  version = "1.2";
@ -14,4 +14,8 @@ stdenvNoCC.mkDerivation {
  installPhase = ''
    cp $src $out
  '';
+
+  meta = with lib; {
+    description = "Gitea/Forgejo purple theme";
+  };
 }
--- a/nixos/templates/proxmox-lxc.nix
+++ b/nixos/templates/proxmox-lxc.nix
@ -1,5 +1,5 @@
 { lib, ... }: {
-  imports = [ ../common/common.nix ../common/generic-lxc.nix ];
+  imports = [ ../common ../common/generic-lxc.nix ];

  proxmoxLXC = {
    manageNetwork = true;
--- a/nixos/util.nix
+++ b/nixos/util.nix
@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote, ... }:
 let
  inherit (builtins) filter attrValues concatMap mapAttrs;
  inherit (nixpkgs.lib.attrsets) mapAttrsToList;
@ -13,7 +13,10 @@ let
        ./common/generic-lxc.nix
      ];
      "vm" = [ ./common/generic-vm.nix ];
-      "local" = [ ./common/desktop ];
+      "local" = [
+        lanzaboote.nixosModules.lanzaboote
+        ./common/desktop
+      ];
    };
  in type: import_cases.${type} ++ base_imports;
  # Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)