Diffstat (limited to 'os/cez')
-rw-r--r--os/cez/configuration.nix46
-rw-r--r--os/cez/hardware-configuration.nix34
-rw-r--r--os/cez/modules/getty.nix15
-rw-r--r--os/cez/modules/network.nix15
-rw-r--r--os/cez/modules/sshfs.nix27
-rw-r--r--os/cez/modules/tlp.nix26
-rw-r--r--os/cez/modules/wayland.nix72
-rw-r--r--os/cez/modules/wireguard.nix27
-rw-r--r--os/cez/secrets.yaml32
9 files changed, 294 insertions, 0 deletions
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix
new file mode 100644
index 0000000..00e755a
--- /dev/null
+++ b/os/cez/configuration.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+let
+ user = config.userdata.name;
+in
+{
+ imports = [
+ ../common/configuration.nix
+ ./hardware-configuration.nix
+
+ ./modules/wayland.nix
+ ./modules/sshfs.nix
+ ./modules/wireguard.nix
+ ./modules/network.nix
+ ./modules/tlp.nix
+ ./modules/getty.nix
+ ];
+
+ boot = {
+ consoleLogLevel = 3;
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+
+ sound = {
+ enable = true;
+ extraConfig = ''
+ defaults.pcm.card 1
+ defaults.ctl.card 1
+ '';
+ };
+
+ services.pipewire = {
+ enable = true;
+ pulse.enable = true;
+ };
+
+ programs.adb.enable = true;
+ users.users.${user} = {
+ extraGroups = [ "adbusers" ];
+ packages = with pkgs; [
+ geoipWithDatabase
+ ffmpeg
+ (pass.withExtensions (exts: [ exts.pass-otp ]))
+ ];
+ };
+}
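Review bot: The ALSA defaults in `sound.extraConfig` pin card index `1` with no comment saying which device that is. Card numbering can change with kernel or module load order, so the setting may end up pointing at a different device. A comment such as `# card 1 = <device name on this laptop>` would make the intent checkable. Since `services.pipewire` with `pulse.enable` is enabled in the same file, it is also worth confirming the `sound` block is still needed.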
diff --git a/os/cez/hardware-configuration.nix b/os/cez/hardware-configuration.nix
new file mode 100644
index 0000000..b338df5
--- /dev/null
+++ b/os/cez/hardware-configuration.nix
@@ -0,0 +1,34 @@
+{ modulesPath, pkgs, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot = {
+ kernelParams = [ "quiet" ];
+ loader.systemd-boot.enable = true;
+
+ plymouth = {
+ enable = true;
+ theme = "lone";
+ themePackages = with pkgs; [ adi1090x-plymouth-themes ];
+ };
+
+ initrd = {
+ systemd.enable = true;
+ kernelModules = [ "amdgpu" ];
+ luks.devices."crypt".device =
+ "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd";
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-uuid/E37E-F611";
+ fsType = "vfat";
+ };
+ "/" = {
+ device = "/dev/disk/by-uuid/e063c9ad-b48f-4b6c-b94e-4c21d2238bce";
+ fsType = "ext4";
+ };
+ };
+}
diff --git a/os/cez/modules/getty.nix b/os/cez/modules/getty.nix
new file mode 100644
index 0000000..725eb4b
--- /dev/null
+++ b/os/cez/modules/getty.nix
@@ -0,0 +1,15 @@
+{ config, ... }: let
+ user = config.userdata.name;
+in {
+ systemd.services."getty@".serviceConfig.TTYVTDisallocate = "no";
+
+ services.getty = {
+ loginOptions = "-f ${user}";
+ extraArgs = [
+ "--nonewline"
+ "--skip-login"
+ "--noclear"
+ "--noissue"
+ ];
+ };
+}
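Review bot: `loginOptions = "-f ${user}"` with `--skip-login` is set on `services.getty`, which configures every `getty@` instance, so each virtual terminal opens a shell for the user without authentication, not only the one that starts the graphical session. If VT switching still works while swaylock holds the screen (worth checking on this sway setup), a second VT would sidestep the lock. Consider scoping the auto-login to a `getty@tty1`-only override and leaving the other VTs on a normal login prompt. If auto-login on all VTs is intended, a comment such as `# passwordless login on all VTs; access control relies on the LUKS passphrase at boot` would make the trade-off explicit.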
diff --git a/os/cez/modules/network.nix b/os/cez/modules/network.nix
new file mode 100644
index 0000000..fb30056
--- /dev/null
+++ b/os/cez/modules/network.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ networking = {
+ firewall.enable = false;
+
+ wireless.iwd = {
+ enable = true;
+ settings = {
+ General.EnableNetworkConfiguration = true;
+ Network.NameResolvingService = "resolvconf";
+ };
+ };
+ };
+}
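Review bot: `firewall.enable = false;` turns off the host packet filter on a machine that joins wireless networks through iwd, so every listening service is reachable from whatever network the laptop is attached to. The file gives no reason for it. Prefer `firewall.enable = true;` with the ports that are needed listed in `firewall.allowedTCPPorts` and `firewall.allowedUDPPorts`. If disabling is deliberate, a comment stating why would help the next reader.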
diff --git a/os/cez/modules/sshfs.nix b/os/cez/modules/sshfs.nix
new file mode 100644
index 0000000..2431b96
--- /dev/null
+++ b/os/cez/modules/sshfs.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+let
+ domain = config.userdata.domain;
+ user = config.userdata.name;
+ uid = config.users.users.${user}.uid;
+ gid = config.users.groups.users.gid;
+in
+{
+ sops.secrets."misc/sftp" = {};
+ system.fsPackages = with pkgs; [ sshfs ];
+
+ fileSystems."/media/kay" = {
+ device = "sftp@${domain}:";
+ fsType = "sshfs";
+ options = [
+ "allow_other" # for non-root access
+ "uid=${toString uid}"
+ "gid=${toString gid}"
+ "_netdev" # this is a network fs
+ "x-systemd.automount" # mount on demand
+ "reconnect" # handle connection drops
+ "ServerAliveInterval=15" # keep connections alive
+ "IdentityFile=${config.sops.secrets."misc/sftp".path}"
+ ];
+ };
+}
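Review bot: The mount options pass an `IdentityFile` but nothing pins the server's host key, so verification depends on whatever mutable `known_hosts` the mounting user (presumably root, via the automount unit) happens to have. Declaring the key makes the check reproducible, e.g. `programs.ssh.knownHosts.${domain}.publicKey = "<server host public key>";`. Separately, `allow_other` exposes the mount to every local account with the remote rights of the `sftp` login. If only `${user}` needs access, adding `default_permissions` next to the existing `uid=`/`gid=` options would have the kernel enforce file modes.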
diff --git a/os/cez/modules/tlp.nix b/os/cez/modules/tlp.nix
new file mode 100644
index 0000000..912fd5f
--- /dev/null
+++ b/os/cez/modules/tlp.nix
@@ -0,0 +1,26 @@
+{ ... }: {
+ services.tlp = {
+ enable = true;
+
+ settings = {
+ RADEON_DPM_STATE_ON_AC = "performance";
+ RADEON_DPM_STATE_ON_BAT = "battery";
+
+ NMI_WATCHDOG = 0;
+
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+
+ DEVICES_TO_ENABLE_ON_AC = "bluetooth";
+ DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE = "bluetooth";
+
+ CPU_BOOST_ON_AC = 1;
+ CPU_BOOST_ON_BAT = 0;
+ CPU_HWP_DYN_BOOST_ON_AC = 1;
+ CPU_HWP_DYN_BOOST_ON_BAT = 0;
+
+ PLATFORM_PROFILE_ON_AC = "balanced";
+ PLATFORM_PROFILE_ON_BAT = "low-power";
+ };
+ };
+}
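Review bot: Some keys in `settings` may have no effect on this hardware. As far as I recall from the TLP documentation, `RADEON_DPM_STATE_ON_AC`/`_ON_BAT` apply to the legacy radeon driver, while hardware-configuration.nix in this commit loads `amdgpu`. `CPU_HWP_DYN_BOOST_ON_AC`/`_ON_BAT` are, as far as I know, specific to Intel's intel_pstate driver. Please confirm against the CPU and GPU in this machine, then drop the inert keys or add a comment saying which driver each group targets.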
diff --git a/os/cez/modules/wayland.nix b/os/cez/modules/wayland.nix
new file mode 100644
index 0000000..1ce04cf
--- /dev/null
+++ b/os/cez/modules/wayland.nix
@@ -0,0 +1,72 @@
+{ config, pkgs, ... }: let
+ user = config.userdata.name;
+in {
+ # pkgs
+ environment.systemPackages = with pkgs; [
+ bemenu
+ sway
+ i3status
+ swaylock
+ swayidle
+ swaybg
+ foot
+ wl-clipboard
+ mako
+ xdg-utils
+ libnotify
+ ];
+
+ users.users.${user} = {
+ extraGroups = [ "seat" ];
+ packages = with pkgs; [
+ zathura
+ mpv
+ imv
+ wtype
+ qemu
+ OVMFFull
+ grim
+ slurp
+ tor-browser-bundle-bin
+ element-desktop-wayland
+ pinentry-bemenu
+ ];
+ };
+
+ # font
+ fonts = {
+ packages = with pkgs; [
+ terminus-nerdfont
+ dm-sans
+ ];
+ enableDefaultPackages = true;
+ fontconfig = {
+ hinting.style = "full";
+ subpixel.rgba = "rgb";
+ defaultFonts = {
+ monospace = [ "Terminess Nerd Font" ];
+ serif = [ "DeepMind Sans" ];
+ sansSerif = [ "DeepMind Sans" ];
+ };
+ };
+ };
+
+ # misc
+ services = {
+ seatd.enable = true;
+ dbus = {
+ enable = true;
+ implementation = "broker";
+ };
+ };
+
+ programs = {
+ gnupg.agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-bemenu;
+ };
+ };
+
+ security.pam.services.swaylock.text = "auth include login";
+ hardware.opengl.enable = true;
+}
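Review bot: `security.pam.services.swaylock.text = "auth include login";` replaces the whole generated PAM service for swaylock with a single auth line, and there is no comment explaining why. A short comment would help, for example `# swaylock only needs the auth stack; reuse login's so unlock follows the same password policy`. It is also worth checking whether `programs.sway.enable = true;` would supply this PAM entry, which would avoid hand-maintaining the service text alongside `sway` in `environment.systemPackages`.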
diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix
new file mode 100644
index 0000000..d8e8dd0
--- /dev/null
+++ b/os/cez/modules/wireguard.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+
+let
+ domain = config.userdata.domain;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking.wg-quick.interfaces."kay" = {
+ autostart = false;
+ address = [ "10.0.1.2/24" ];
+ dns = [ "10.0.1.1" ];
+ mtu = 1380;
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [{
+ publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw=";
+ allowedIPs = [
+ "10.0.1.0/24"
+ "104.16.0.0/12"
+ "172.64.0.0/13"
+ ];
+ endpoint = "${domain}:51820";
+ persistentKeepalive = 25;
+ }];
+ };
+}
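Review bot: The two public prefixes in `allowedIPs`, `104.16.0.0/12` and `172.64.0.0/13`, have no comment, so a reader cannot tell why traffic for them is sent through the `kay` peer. They look like CDN-allocated address space (they appear to be Cloudflare ranges), which would mean every site served from them is routed via the tunnel while it is up. A comment such as `# public ranges routed via kay: <reason>` would document the intent. It is also worth confirming that `${domain}` never resolves inside these prefixes, since wg-quick would then route the endpoint's own traffic into the tunnel.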
diff --git a/os/cez/secrets.yaml b/os/cez/secrets.yaml
new file mode 100644
index 0000000..f72eba6
--- /dev/null
+++ b/os/cez/secrets.yaml
@@ -0,0 +1,32 @@
+misc:
+ sftp: ENC[AES256_GCM,data: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,iv:VyhdbfiiQJqG6cKAz6WjmlG3MkM25VzQzfCt1qYgH4M=,tag:KIoEb/dkEPpeaCJaNkAflw==,type:str]
+ wireguard: ENC[AES256_GCM,data:WUHMeYro1PS25wEtsQKHHtpLXbtox8JtqX5863dHelBIA2SB7YZ+eWyv5hQ=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:4qpU9Ue4QtfBINdy0CSdvw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd3E0NC9Vb25ySXR0R0xL
+ b0pLcUdsNjYzZ0F6SkdodFZjT0s2OE5TZ0E0CkM5RHY4MmpBNFR6TWJLejlqS2FC
+ TmpRRUdMRkQ3SnhvY2ZtN3ZzYjRQYmsKLS0tIEZlWkRLVWJOaXV6V3Zmb2hUV0xj
+ d0N3S0ZIR0MyOERHV1k5RVBVVWVHQkkKZVtPjmpOPJM8STs70/nki6vTeo4mp47A
+ xEVUzxeUGpoyAewxSCo9W6IGtKyZQl0TEL3ucAmhOsjX4BWe2JShMA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWENJNzlDL1FpTkYwV1ps
+ V1VWeW4yOFZwZ1h5SGwzV2oyVkJaaHF0a1JRCmpFWWRLZzdUTUliZHpCTzJDYlhu
+ Yk51d1orS0tsMitBM0ZKSTQ4T05sNVEKLS0tIEVuZkY1bld2RldZOVNOc1E3bG5X
+ dVZ3V0VUQzF5VzN0RFM5c0RjZHpJZ0EK09qgyPHEhHgRZt2GZQB5IM9Z/nfYXW28
+ fcfmF6pko9qOYQ72P7vwv8Xub0SEI8GKGQwz2QPDJT9gd1qtipuhuQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-09T06:00:09Z"
+ mac: ENC[AES256_GCM,data:WkXFwF0bHvFvNTlLKrGk6iQpk5RqMIapluqyv3rcKATP4S1rQSCXwlUn88TNfKeOsJ6pSqoBmwPNjufr9SNrPZZNKYZ4sA4yft9jgCeBcyX6TaPPA123qL8xM3C2TcaE1oBrG9fwmMgEJMYJA7LxBAXz4sW17geb/y4TZgUDwBw=,iv:VJzYR0dbT761ezejxOwPO6x8cKPAzMZtwZHWvPhiDzI=,tag:Xu43SfKeGgCJivfgk+vp3Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1