refactor2

2025-03-12 15:43:41 +01:00 · 2025-03-12 15:43:41 +01:00 · 7fa104b722
commit 7fa104b722
parent 701c9d71f0
30 changed files with 240 additions and 111 deletions
--- a/system/core/audio.nix
+++ b/system/core/audio.nix
@ -0,0 +1,9 @@
+{...}: {
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+}
--- a/system/core/bluetooth.nix
+++ b/system/core/bluetooth.nix
@ -0,0 +1,3 @@
+{...}: {
+  hardware.bluetooth.enable = true;
+}
--- a/system/core/boot.nix
+++ b/system/core/boot.nix
@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+}
--- a/system/core/btrfs.nix
+++ b/system/core/btrfs.nix
@ -0,0 +1,11 @@
+{...}: {
+  services.btrfs.autoScrub = {
+    enable = true;
+    interval = "Fri 07:00";
+    fileSystems = [
+      "/persist"
+      "/nix"
+    ];
+  };
+}
+
--- a/system/core/default.nix
+++ b/system/core/default.nix
@ -0,0 +1,14 @@
+{...}: {
+  imports = [
+    ./audio.nix
+    ./bluetooth.nix
+    ./boot.nix
+    ./btrfs.nix
+    ./env.nix
+    ./fonts.nix
+    ./networking.nix
+    ./nix.nix
+    ./packages.nix
+    ./persistence.nix
+  ];
+}
--- a/system/core/env.nix
+++ b/system/core/env.nix
@ -0,0 +1,9 @@
+{...}: {
+  time.timeZone = "Europe/Berlin";
+
+  environment.variables = {
+    EDITOR = "hx";
+    VISUAL = "hx";
+    FLAKE = "/home/lilith/nixos";
+  };
+}
--- a/system/core/fonts.nix
+++ b/system/core/fonts.nix
@ -0,0 +1,6 @@
+{ pkgs, ...}: {
+  fonts.packages = with pkgs; [
+    nerd-fonts.jetbrains-mono
+    twemoji-color-font
+  ];
+}
--- a/system/core/networking.nix
+++ b/system/core/networking.nix
@ -0,0 +1,19 @@
+{...}: {
+  networking.networkmanager = {
+    enable = true;
+    wifi.macAddress = "random";
+    ethernet.macAddress = "random";
+  };
+
+  networking.nftables = {
+    enable = true;
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      22 # ssh
+      22000 # syncthing
+    ];
+  };
+}
--- a/system/core/nix.nix
+++ b/system/core/nix.nix
@ -0,0 +1,19 @@
+{ lib, ...}: {
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "05:30";
+      options = "--delete-older-than 7d";
+    };
+    settings = {
+      keep-outputs = true;
+      auto-optimise-store = true;
+      experimental-features = ["nix-command" "flakes"];
+      trusted-users = ["root" "@wheel"];
+    };
+  };
+
+  # nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem (lib.getName pkg) [
+  #   "steam"
+  # ]);
+}
--- a/system/core/packages.nix
+++ b/system/core/packages.nix
@ -0,0 +1,21 @@
+{ pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    age
+    compsize
+    duf
+    eza
+    bat
+    file
+    htop
+    btop
+    git
+    jq
+    yq
+    du-dust
+    ripgrep
+    sops
+    wget
+    wireguard-tools
+    zip
+  ];
+}
--- a/system/core/persistence.nix
+++ b/system/core/persistence.nix
@ -0,0 +1,60 @@
+{impermanence, conf, lib, config, ...}: {
+  imports = [impermanence.nixosModule];
+
+  environment.persistence."/persist/data" = {
+    hideMounts = true;
+    directories = [
+      "/etc/NetworkManager/system-connections"
+      "/var/lib/bluetooth"
+    ];
+    files = [];
+
+    users.lilith = {
+      directories = [
+        ".config/syncthing"
+        ".config/sops"
+        ".config/keepassxc"
+        ".config/obsidian"
+        ".config/vesktop"
+        ".gnupg"
+        ".ssh"
+
+        ".thunderbird"
+        ".mozilla"
+
+        "nixos"
+        "sync"
+        "obsidian"
+        "code"
+        ".keepass"
+      ];
+      files = [];
+    };
+  };
+
+  environment.persistence."/persist/cache" = {
+    hideMounts = true;
+    directories = [
+      "/root/.cache/nix"
+      "/var/lib/btrfs"
+      "/var/lib/nixos"
+      "/var/lib/systemd/backlight"
+      "/var/lib/systemd/timers"
+      "/var/log"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+
+    users.lilith = {
+      directories = [
+        ".cache/nix"
+        ".cache/keepassxc"
+        ".cargo"
+        ".local/state/wireplumber"
+        "tmp"
+      ];
+      files = [];
+    };
+  };
+}
--- a/system/core/sops.nix
+++ b/system/core/sops.nix
@ -0,0 +1,5 @@
+{ sops-nix, ... }: {
+  imports = [ sops-nix.nixosModules.sops ];
+
+  sops.age.keyFile = /persist/data/home/lilith/.config/sops/age/keys.txt;
+}
--- a/system/core/ssh.nix
+++ b/system/core/ssh.nix
@ -0,0 +1,11 @@
+{...}: {
+  networking.firewall.allowedTCPPorts = [22];
+  services.openssh = {
+    enable = true;
+    ports = [22];
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };
+}
--- a/system/core/syncthing.nix
+++ b/system/core/syncthing.nix
@ -0,0 +1,49 @@
+{ config, sops, ...}: let 
+    host = config.networking.hostName;
+  in {
+
+  sops.secrets."syncthing/key.pem" = {
+    sopsFile = ../hosts/${host}/secrets/default.yaml;
+  };
+  sops.secrets."syncthing/cert.pem" = {
+    sopsFile = ../hosts/${host}/secrets/default.yaml;
+  };
+
+  services.syncthing = {
+    enable = true;
+
+    user = "lilith";
+    dataDir = "/home/lilith";
+    configDir = "/home/lilith/.config/syncthing";
+
+    overrideDevices = true;
+    overrideFolders = true;
+
+    settings = {
+      key = config.sops.secrets."syncthing/key.pem".path;
+      cert = config.sops.secrets."syncthing/cert.pem".path;
+
+      devices = {
+        "phone" = {id = "C2CKYRP-72UNJRX-MUPZIUY-CCHQYGF-6T4NA6B-MO7AEZB-RSN5EAG-CN2JCAF";};
+        "nixserver" = {id = "DW6GTZ3-3JPAHLO-UEB3LBL-AWOX3BT-QPI7ODT-OZ6Q4YR-K3KK22C-5RY3XQZ";};
+        "lilith-pc" = {id = "37HHP4Q-NNQRQPQ-MVSIHAX-BK2A3GL-O6K4WXA-Y7ZQ5GZ-BY4UTFH-LG4HYAY";};
+        "lilith-pad" = {id = "GQJA6WA-G5YZZSN-4OOQMVE-JPIR22N-VFHPY4O-XMRG37D-DALH4R2-7DCTMQK";};
+        "lilith-old" = {id = "MSUZJ6K-4CIFE5D-ILO6FE4-SPRPTZI-VEWZQ7F-ECARCCF-2VLVMDQ-2HQUAAS";};
+      };
+      folders = {
+        "rdcj2-mfyb4" = {
+          path = "/home/lilith/sync";
+          devices = ["phone" "nixserver" "lilith-pad" "lilith-pc"  "lilith-old"];
+        };
+        "sdpfs-2beqd" = {
+          path = "/home/lilith/.keepass";
+          devices = ["phone" "nixserver" "lilith-pad" "lilith-pc"  "lilith-old"];
+        };
+        "7qim7-yzqpn" = {
+          path = "/home/lilith/obsidian";
+          devices = ["phone" "nixserver" "lilith-pad" "lilith-pc"  "lilith-old"];
+        };
+      };
+    };
+  };
+}
--- a/system/core/users.nix
+++ b/system/core/users.nix
@ -0,0 +1,30 @@
+{ config, ...}: let 
+    host = config.networking.hostName;
+  in {
+  users.mutableUsers = false;
+  users.users = {
+    lilith = {
+      isNormalUser = true;
+      uid = 1000;
+      extraGroups = [ "wheel" "networkmanager" ];
+      hashedPasswordFile = config.sops.secrets."user/password".path;
+    };
+  };
+
+  sops.secrets = {
+    "user/password" = {
+      sopsFile = ../hosts/${host}/secrets/default.yaml;
+      neededForUsers = true;
+    };
+    "user/ssh/private" = {
+      sopsFile = ../hosts/${host}/secrets/default.yaml;
+      path = "/home/lilith/.ssh/id_ed25519";
+      owner = "lilith";
+    };
+    "user/ssh/public" = {
+      sopsFile = ../hosts/${host}/secrets/default.yaml;
+      path = "/home/lilith/.ssh/id_ed25519.pub";
+      owner = "lilith";
+    };
+  };
+}
--- a/system/core/wayland.nix
+++ b/system/core/wayland.nix
@ -0,0 +1,24 @@
+{...}: {
+  hardware.graphics.enable = true;
+  
+  security.polkit.enable = true;
+  security.pam.services.hyprlock = {};
+
+  services.dbus.enable = true;
+
+  programs.hyprland.enable = true;
+
+  services.greetd = {
+    enable = true;
+    settings = {
+      default_session = {
+        user = "lilith";
+        command = "Hyprland";
+      };
+      initial_session = {
+        user = "lilith";
+        command = "Hyprland";
+      };
+    };
+  };
+}
--- a/system/core/zsh.nix
+++ b/system/core/zsh.nix
@ -0,0 +1,4 @@
+{pkgs, ...}: {
+  programs.zsh.enable = true;
+  users.defaultUserShell = pkgs.zsh;
+}