diff --git a/.gitignore b/.gitignore index 81e79884..905fdf87 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ old - +result diff --git a/flake.nix b/flake.nix index a5574aff..08857e26 100644 --- a/flake.nix +++ b/flake.nix @@ -32,11 +32,13 @@ outputs = { self, nixpkgs, + home-manager, ... } @ inputs: let inherit (nixpkgs) lib; defaultConfig = { + desktop = true; }; makeHost = host: let @@ -51,6 +53,10 @@ ./hosts/${host}/hardware-configuration.nix ./system {networking.hostName = host;} + ] + ++ lib.optionals config.desktop [ + home-manager + ./home ]; }; in { diff --git a/headless/default.nix b/headless/default.nix new file mode 100644 index 00000000..64629674 --- /dev/null +++ b/headless/default.nix @@ -0,0 +1 @@ +{...}: {} diff --git a/home/default.nix b/home/default.nix new file mode 100644 index 00000000..64629674 --- /dev/null +++ b/home/default.nix @@ -0,0 +1 @@ +{...}: {} diff --git a/system/audio.nix b/system/audio.nix new file mode 100644 index 00000000..888fa8d7 --- /dev/null +++ b/system/audio.nix @@ -0,0 +1,9 @@ +{...}: { + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; +} diff --git a/system/bluetooth.nix b/system/bluetooth.nix new file mode 100644 index 00000000..6dc8d175 --- /dev/null +++ b/system/bluetooth.nix @@ -0,0 +1,3 @@ +{...}: { + hardware.bluetooth.enable = true; +} diff --git a/system/btrfs.nix b/system/btrfs.nix new file mode 100644 index 00000000..1b2ae872 --- /dev/null +++ b/system/btrfs.nix @@ -0,0 +1,11 @@ +{...}: { + services.btrfs.autoScrub = { + enable = true; + interval = "Fri 07:00"; + fileSystems = [ + "/persist" + "/nix" + ]; + }; +} + diff --git a/system/default.nix b/system/default.nix index 99a4a168..b3fceaee 100644 --- a/system/default.nix +++ b/system/default.nix 
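Review bot: In the second flake.nix hunk, `home-manager` inside `++ lib.optionals config.desktop [ home-manager ./home ]` is the flake input itself, not a NixOS module, so module evaluation will reject it (the input's output attributes are not options). The module that input exports is `home-manager.nixosModules.home-manager`, so the list should read `++ lib.optionals config.desktop [ home-manager.nixosModules.home-manager ./home ]`. The first hunk would also benefit from a one-line comment on `desktop = true;` saying what the flag gates, e.g. `# desktop: adds home-manager and ./home to the host's module list`. The `makeHost` let-block continues outside both hunks, so where `config` is derived from `defaultConfig` is not visible here.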
@@ -1,5 +1,26 @@
 {...}: {
 imports = [
 ./boot.nix
+ ./packages.nix
+ ./env.nix
+ ./btrfs.nix
+ ./users.nix
+
+ ./networking.nix
+ ./persistence.nix
+ ./nix.nix
+ ./audio.nix
+ ./ssh.nix
+
+ ./syncthing.nix
+ ./wayland.nix
+ ./steam.nix
+
+ ./nfs.nix
+ ./fonts.nix
+ ./bluetooth.nix
+ ./zsh.nix
 ];
+
+ system.stateVersion = "24.11";
 }
diff --git a/system/env.nix b/system/env.nix
new file mode 100644
index 00000000..8b582f61
--- /dev/null
+++ b/system/env.nix
@@ -0,0 +1,9 @@
+{...}: {
+ time.timeZone = "Europe/Berlin";
+
+ environment.variables = {
+ EDITOR = "hx";
+ VISUAL = "hx";
+ FLAKE = "/home/lilith/nixos";
+ };
+}
diff --git a/system/fonts.nix b/system/fonts.nix
new file mode 100644
index 00000000..3505b118
--- /dev/null
+++ b/system/fonts.nix
@@ -0,0 +1,6 @@
+{...}: {
+ fonts.packages = with pkgs; [
+ nerd-fonts.jetbrains-mono
+ twemoji-color-font
+ ];
+}
diff --git a/system/networking.nix b/system/networking.nix
new file mode 100644
index 00000000..7c25b5e2
--- /dev/null
+++ b/system/networking.nix
@@ -0,0 +1,19 @@
+{...}: {
+ networking.networkmanager = {
+ enable = true;
+ wifi.macAddress = "random";
+ ethernet.macAddress = "random";
+ };
+
+ networking.nftables = {
+ enable = true;
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # ssh
+ 22000 # syncthing
+ ];
+ };
+}
diff --git a/system/nfs.nix b/system/nfs.nix
new file mode 100644
index 00000000..03f7b533
--- /dev/null
+++ b/system/nfs.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+ fileSystems."/mnt/nas" = {
+ device = "nixserver:/share";
+ fsType = "nfs";
+ options = [
+ "nfsvers=4.2"
+ "noauto"
+ "x-systemd.automount"
+ "x-systemd.idle-timeout=600"
+ "_netdev"
+ ];
+ };
+}
diff --git a/system/nix.nix b/system/nix.nix
new file mode 100644
index 00000000..870b737e
--- /dev/null
+++ b/system/nix.nix
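Review bot: The new `imports` list pulls in `./wayland.nix`, `./steam.nix`, `./audio.nix`, `./bluetooth.nix` and `./fonts.nix` unconditionally, while flake.nix in this same commit gates only home-manager and `./home` on `config.desktop`, so a host with `desktop = false` still gets greetd autologin, Hyprland and the Steam Remote Play firewall openings; `headless/default.nix` is added but never imported. Consider moving the desktop-only modules out of `./system` (or behind `lib.mkIf`) so the flag actually shrinks the exposed surface of a headless host. `system.stateVersion = "24.11"` is now shared by every host, which deserves a comment such as `# shared stateVersion: only valid if every host was first installed on 24.11; override per host otherwise`.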
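Review bot: `fonts.packages = with pkgs; [` in system/fonts.nix references `pkgs`, but the module's argument pattern is `{...}:`, so evaluation fails with an undefined variable. Change the first line to `{pkgs, ...}: {`, as packages.nix and zsh.nix already do.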
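Review bot: In system/networking.nix port 22 is opened by hand, opened again in ssh.nix via `networking.firewall.allowedTCPPorts = [22];`, and opened a third time by the openssh module's `openFirewall` option (default true), while syncthing's 22000 is listed for TCP only, so the firewall policy is scattered across three files and incomplete. Suggest dropping both hand-written 22 entries and letting `services.openssh.openFirewall` own that port, and replacing `22000 # syncthing` with `services.syncthing.openDefaultPorts = true;` in syncthing.nix so the module opens the UDP/QUIC and discovery ports it needs as well. Given `wifi.macAddress = "random"` this host presumably joins untrusted networks with sshd and syncthing listening; a header comment stating that assumption would help the next reader, e.g. `# roaming host: every listener below is reachable from whatever network we join`.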
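Review bot: In system/nfs.nix, `device = "nixserver:/share";` is an unqualified hostname with no `sec=` mount option, so the automount resolves `nixserver` through whatever DNS the current network provides and mounts with AUTH_SYS, i.e. trust based on the client's UIDs; on a host that randomises its MAC to roam between networks, mounting a foreign share by name is a realistic failure mode. Consider pinning the server (an FQDN or an address reachable only over a VPN; `wireguard-tools` in packages.nix hints one exists, but that is an inference) and recording the trust model in a comment, e.g. `# AUTH_SYS: the server trusts our UIDs; only mount from the trusted network/VPN`.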
@@ -0,0 +1,15 @@
+{...}: {
+ nix = {
+ gc = {
+ automatic = true;
+ dates = "05:30";
+ options = "--delete-older-than 7d";
+ };
+ settings = {
+ keep-outputs = true;
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ trusted-users = ["root" "@wheel"];
+ };
+ };
+}
diff --git a/system/packages.nix b/system/packages.nix
new file mode 100644
index 00000000..c0805ad6
--- /dev/null
+++ b/system/packages.nix
@@ -0,0 +1,21 @@
+{ pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ age
+ compsize
+ duf
+ eza
+ bat
+ file
+ htop
+ btop
+ git
+ jq
+ yq
+ du-dust
+ ripgrep
+ sops
+ wget
+ wireguard-tools
+ zip
+ ];
+}
diff --git a/system/persistence.nix b/system/persistence.nix
new file mode 100644
index 00000000..359b9c80
--- /dev/null
+++ b/system/persistence.nix
@@ -0,0 +1,60 @@
+{impermanence, conf, lib, config, ...}: {
+ imports = [impermanence.nixosModule];
+
+ environment.persistence."/persist/data" = {
+ hideMounts = true;
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/var/lib/bluetooth"
+ ];
+ files = [];
+
+ users.lilith = {
+ directories = [
+ ".config/syncthing"
+ ".config/sops"
+ ".config/keepassxc"
+ ".config/obsidian"
+ ".config/vesktop"
+ ".gnupg"
+ ".ssh"
+
+ ".thunderbird"
+ ".mozilla"
+
+ "nixos"
+ "sync"
+ "obsidian"
+ "code"
+ ".keepass"
+ ];
+ files = [];
+ }
+ };
+
+ environment.persistence."/persist/cache" = {
+ hideMounts = true;
+ directories = [
+ "/root/.cache/nix"
+ "/var/lib/btrfs"
+ "/var/lib/nixos"
+ "/var/lib/systemd/backlight"
+ "/var/lib/systemd/timers"
+ "/var/log"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+
+ users.lilith = {
+ directories = [
+ ".cache/nix"
+ ".cache/keepassxc"
+ ".cargo"
+ ".local/state/wireplumber"
+ "tmp"
+ ];
+ files = [];
+ };
+ };
+}
diff --git a/system/ssh.nix b/system/ssh.nix
new file mode 100644
index 00000000..3aeb7287
--- /dev/null
+++ b/system/ssh.nix
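Review bot: `trusted-users = ["root" "@wheel"];` in system/nix.nix makes every wheel member root-equivalent through the nix daemon (trusted users can add substituters and import unsigned store paths), which removes the separation that sudo otherwise keeps for lilith. On a single-user box that can be an acceptable trade-off, but it should be a visible one: `# @wheel as trusted-user is root-equivalent via the daemon; accepted for rebuilds as lilith`. If the only need is rebuilding, `sudo nixos-rebuild` works without this entry and `trusted-users = ["root"]` is the narrower setting.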
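Review bot: In system/persistence.nix the `users.lilith` block under `/persist/data` closes with a bare `}` (the line directly before the `};` that closes the `/persist/data` set), which is a parse error; the `/persist/cache` block further down shows the correct `};`. The argument pattern also binds `conf`, `lib` and `config` that the body never uses, and `conf` is not a standard module argument, so the header can shrink to `{impermanence, ...}: {`. Since `.ssh`, `.gnupg` and `.config/sops` (the age key that decrypts every other secret in this repo) now persist on `/persist/data`, record whether that volume is encrypted at rest, e.g. `# /persist holds long-term key material (.ssh, .gnupg, sops age key); must live on the encrypted volume` — whether it does is not visible in this commit.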
@@ -0,0 +1,11 @@
+{...}: {
+ networking.firewall.allowedTCPPorts = [22];
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+}
diff --git a/system/steam.nix b/system/steam.nix
new file mode 100644
index 00000000..d2df690f
--- /dev/null
+++ b/system/steam.nix
@@ -0,0 +1,5 @@
+{...}: {
+ programs.steam.enable = true;
+
+ programs.steam.remotePlay.openFirewall = true;
+}
diff --git a/system/syncthing.nix b/system/syncthing.nix
new file mode 100644
index 00000000..27cb61bc
--- /dev/null
+++ b/system/syncthing.nix
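Review bot: `programs.steam.remotePlay.openFirewall = true;` in system/steam.nix opens Remote Play's ports on every interface, and because steam.nix is imported unconditionally from system/default.nix it applies to every host, including any meant to be headless. Together with `wifi.macAddress = "random"` in networking.nix this presumably includes a laptop that joins untrusted networks; consider gating it per host, or at least document it: `# opens Remote Play ports on all networks; disable on hosts that roam`.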
@@ -0,0 +1,49 @@
+{ config, ...}: let
+ host = networking.hostName;
+ in {
+
+ sops.secrets."syncthing/key.pem" = {
+ sopsFile = ../hosts/${host}/secrets/default.yaml;
+ };
+ sops.secrets."syncthing/cert.pem" = {
+ sopsFile = ../hosts/${host}/secrets/default.yaml;
+ };
+
+ services.syncthing = {
+ enable = true;
+
+ user = lilith;
+ dataDir = "/home/lilith";
+ configDir = "/home/lilith/.config/syncthing";
+
+ overrideDevices = true;
+ overrideFolders = true;
+
+ settings = {
+ key = config.sops.secrets."syncthing/key.pem".path;
+ cert = config.sops.secrets."syncthing/cert.pem".path;
+
+ devices = {
+ "phone" = {id = "C2CKYRP-72UNJRX-MUPZIUY-CCHQYGF-6T4NA6B-MO7AEZB-RSN5EAG-CN2JCAF";};
+ "nixserver" = {id = "DW6GTZ3-3JPAHLO-UEB3LBL-AWOX3BT-QPI7ODT-OZ6Q4YR-K3KK22C-5RY3XQZ";};
+ "lilith-pc" = {id = "37HHP4Q-NNQRQPQ-MVSIHAX-BK2A3GL-O6K4WXA-Y7ZQ5GZ-BY4UTFH-LG4HYAY";};
+ "lilith-pad" = {id = "GQJA6WA-G5YZZSN-4OOQMVE-JPIR22N-VFHPY4O-XMRG37D-DALH4R2-7DCTMQK";};
+ "lilith-old" = {id = "MSUZJ6K-4CIFE5D-ILO6FE4-SPRPTZI-VEWZQ7F-ECARCCF-2VLVMDQ-2HQUAAS";};
+ };
+ folders = {
+ "rdcj2-mfyb4" = {
+ path = "/home/lilith/sync";
+ devices = ["phone" "nixserver" "lilith-pad" "lilith-pc" "lilith-old"];
+ };
+ "sdpfs-2beqd" = {
+ path = "/home/lilith/.keepass";
+ devices = ["phone" "nixserver" "lilith-pad" "lilith-pc" "lilith-old"];
+ };
+ "7qim7-yzqpn" = {
+ path = "/home/lilith/obsidian";
+ devices = ["phone" "nixserver" "lilith-pad" "lilith-pc" "lilith-old"];
+ };
+ };
+ };
+ };
+}
diff --git a/system/users.nix b/system/users.nix
new file mode 100644
index 00000000..a71336e5
--- /dev/null
+++ b/system/users.nix
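Review bot: `host = networking.hostName;` uses `networking` as a free variable and `user = lilith;` is an unquoted identifier, so both lines fail evaluation; they should read `host = config.networking.hostName;` (as users.nix in this commit does) and `user = "lilith";`. `key` and `cert` are placed inside `settings`, which the module applies to syncthing's own configuration, whereas the NixOS options that install a pre-provisioned TLS identity are the top-level `services.syncthing.key` and `services.syncthing.cert`; as written the sops-provided identity is likely ignored and syncthing will mint a fresh device ID, breaking the pinned `devices` list. The two sops secrets are also root-owned by default while the service runs as lilith, so give them `owner = "lilith";` as users.nix does for the ssh keys, or confirm the module copies them as root. Device IDs are public fingerprints, so keeping them in the repo is fine.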
@@ -0,0 +1,30 @@
+{ config, ...}: let
+ host = config.networking.hostName;
+ in {
+ users.mutableUsers = false;
+ users.users = {
+ lilith = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = [ "wheel" "networkmanager" ];
+ hashedPasswordFile = config.sops.secrets."user/password".path;
+ };
+ };
+
+ sops.secrets = {
+ "user/password" = {
+ sopsFile = ../hosts/${host}/secrets/default.yaml;
+ neededForUsers = true;
+ };
+ "user/ssh/private" = {
+ sopsFile = ../hosts/${conf.hostname}/secrets/default.yaml;
+ path = "/home/lilith/.ssh/id_ed25519";
+ owner = "lilith";
+ };
+ "user/ssh/public" = {
+ sopsFile = ../hosts/${conf.hostname}/secrets/default.yaml;
+ path = "/home/lilith/.ssh/id_ed25519.pub";
+ owner = "lilith";
+ };
+ };
+}
diff --git a/system/wayland.nix b/system/wayland.nix
new file mode 100644
index 00000000..57faec4d
--- /dev/null
+++ b/system/wayland.nix
@@ -0,0 +1,24 @@
+{...}: {
+ hardware.graphics.enable = true;
+
+ security.polkit.enable = true;
+ security.pam.services.hyprlock = {};
+
+ services.dbus.enable = true;
+
+ programs.hyprland.enable = true;
+
+ services.greetd = {
+ enable = true;
+ settings = {
+ default_session = {
+ user = "lilith";
+ command = "Hyprland";
+ };
+ initial_session = {
+ user = "lilith";
+ command = "Hyprland";
+ };
+ };
+ };
+}
diff --git a/system/zsh.nix b/system/zsh.nix
new file mode 100644
index 00000000..ad14ac47
--- /dev/null
+++ b/system/zsh.nix
@@ -0,0 +1,4 @@
+{pkgs, ...}: {
+ programs.zsh.enable = true;
+ users.defaultUserShell = pkgs.zsh;
+}
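Review bot: The `user/ssh/private` and `user/ssh/public` entries in system/users.nix interpolate `conf.hostname`, but `conf` is not bound by this module's `{ config, ...}` pattern, so evaluation fails with an undefined variable; the `host` binding at the top of the file already holds the value, so both should read `sopsFile = ../hosts/${host}/secrets/default.yaml;`. The public key is not sensitive and could come straight from the repo rather than sops, which keeps the encrypted file smaller, but that is optional. A header comment would help a reader, e.g. `# mutableUsers = false: lilith's password hash comes only from sops (neededForUsers makes it available before users are created)`.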
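Review bot: In system/wayland.nix `default_session` is the same unauthenticated `Hyprland` session as `initial_session`, so after a logout greetd immediately starts a new session as lilith without asking for a password; logging out is therefore not a safe way to leave the machine and hyprlock becomes the only gate. Autologin at boot via `initial_session` is a defensible choice when disk encryption is the real boundary (not visible in this commit), but `default_session` should run a greeter, for example tuigreet with `command = "${pkgs.greetd.tuigreet}/bin/tuigreet --cmd Hyprland";` under `user = "greeter";`, which also requires `pkgs` in the argument pattern. Record the intent with a comment such as `# initial_session: autologin at boot (relies on disk encryption); default_session: greeter shown after logout`.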