Diffstat (limited to 'os/cez')
-rw-r--r-- | os/cez/configuration.nix | 46 | ||||
-rw-r--r-- | os/cez/hardware-configuration.nix | 34 | ||||
-rw-r--r-- | os/cez/modules/getty.nix | 15 | ||||
-rw-r--r-- | os/cez/modules/network.nix | 15 | ||||
-rw-r--r-- | os/cez/modules/sshfs.nix | 27 | ||||
-rw-r--r-- | os/cez/modules/tlp.nix | 26 | ||||
-rw-r--r-- | os/cez/modules/wayland.nix | 72 | ||||
-rw-r--r-- | os/cez/modules/wireguard.nix | 27 | ||||
-rw-r--r-- | os/cez/secrets.yaml | 32 |
9 files changed, 294 insertions, 0 deletions
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix
new file mode 100644
index 0000000..00e755a
--- /dev/null
+++ b/os/cez/configuration.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+let
+ user = config.userdata.name;
+in
+{
+ imports = [
+ ../common/configuration.nix
+ ./hardware-configuration.nix
+
+ ./modules/wayland.nix
+ ./modules/sshfs.nix
+ ./modules/wireguard.nix
+ ./modules/network.nix
+ ./modules/tlp.nix
+ ./modules/getty.nix
+ ];
+
+ boot = {
+ consoleLogLevel = 3;
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+
+ sound = {
+ enable = true;
+ extraConfig = ''
+ defaults.pcm.card 1
+ defaults.ctl.card 1
+ '';
+ };
+
+ services.pipewire = {
+ enable = true;
+ pulse.enable = true;
+ };
+
+ programs.adb.enable = true;
+ users.users.${user} = {
+ extraGroups = [ "adbusers" ];
+ packages = with pkgs; [
+ geoipWithDatabase
+ ffmpeg
+ (pass.withExtensions (exts: [ exts.pass-otp ]))
+ ];
+ };
+}
diff --git a/os/cez/hardware-configuration.nix b/os/cez/hardware-configuration.nix
new file mode 100644
index 0000000..b338df5
--- /dev/null
+++ b/os/cez/hardware-configuration.nix
@@ -0,0 +1,34 @@
+{ modulesPath, pkgs, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot = {
+ kernelParams = [ "quiet" ];
+ loader.systemd-boot.enable = true;
+
+ plymouth = {
+ enable = true;
+ theme = "lone";
+ themePackages = with pkgs; [ adi1090x-plymouth-themes ];
+ };
+
+ initrd = {
+ systemd.enable = true;
+ kernelModules = [ "amdgpu" ];
+ luks.devices."crypt".device =
+ "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd";
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-uuid/E37E-F611";
+ fsType = "vfat";
+ };
+ "/" = {
+ device = "/dev/disk/by-uuid/e063c9ad-b48f-4b6c-b94e-4c21d2238bce";
+ fsType = "ext4";
+ };
+ };
+}
diff --git a/os/cez/modules/getty.nix b/os/cez/modules/getty.nix
new file mode 100644
index 0000000..725eb4b
--- /dev/null
+++ b/os/cez/modules/getty.nix
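Review bot: The ALSA override `defaults.pcm.card 1` / `defaults.ctl.card 1` in `sound.extraConfig` selects the default card by enumeration index, which is not stable across kernel updates or hardware changes, and the same hunk enables PipeWire with `pulse.enable = true`, which normally manages the default device itself, so the override may be both fragile and redundant. Prefer a stable selector (ALSA accepts the card name in place of the index) or drop the override and pick the default sink through PipeWire, and add a comment stating why card 1 was chosen, e.g. `# card 1: <reason — placeholder>; card 0 is HDMI audio — TODO confirm`.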
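Review bot: systemd-boot is enabled without setting `boot.loader.systemd-boot.editor`, which defaults to enabled, so anyone with console access can edit the kernel command line from the boot menu before the LUKS passphrase prompt; with the root filesystem encrypted the exposure is limited to the initrd environment, but `boot.loader.systemd-boot.editor = false;` closes it at no cost. The kernel and initrd that perform the unlock live on the unencrypted vfat `/boot`, so their integrity is outside the LUKS volume's protection — a comment such as `# /boot is unencrypted: kernel+initrd are not integrity-protected by LUKS` would make that trust boundary explicit for the next reader.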
@@ -0,0 +1,15 @@
+{ config, ... }: let
+ user = config.userdata.name;
+in {
+ systemd.services."getty@".serviceConfig.TTYVTDisallocate = "no";
+
+ services.getty = {
+ loginOptions = "-f ${user}";
+ extraArgs = [
+ "--nonewline"
+ "--skip-login"
+ "--noclear"
+ "--noissue"
+ ];
+ };
+}
diff --git a/os/cez/modules/network.nix b/os/cez/modules/network.nix
new file mode 100644
index 0000000..fb30056
--- /dev/null
+++ b/os/cez/modules/network.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ networking = {
+ firewall.enable = false;
+
+ wireless.iwd = {
+ enable = true;
+ settings = {
+ General.EnableNetworkConfiguration = true;
+ Network.NameResolvingService = "resolvconf";
+ };
+ };
+ };
+}
diff --git a/os/cez/modules/sshfs.nix b/os/cez/modules/sshfs.nix
new file mode 100644
index 0000000..2431b96
--- /dev/null
+++ b/os/cez/modules/sshfs.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+let
+ domain = config.userdata.domain;
+ user = config.userdata.name;
+ uid = config.users.users.${user}.uid;
+ gid = config.users.groups.users.gid;
+in
+{
+ sops.secrets."misc/sftp" = {};
+ system.fsPackages = with pkgs; [ sshfs ];
+
+ fileSystems."/media/kay" = {
+ device = "sftp@${domain}:";
+ fsType = "sshfs";
+ options = [
+ "allow_other" # for non-root access
+ "uid=${toString uid}"
+ "gid=${toString gid}"
+ "_netdev" # this is a network fs
+ "x-systemd.automount" # mount on demand
+ "reconnect" # handle connection drops
+ "ServerAliveInterval=15" # keep connections alive
+ "IdentityFile=${config.sops.secrets."misc/sftp".path}"
+ ];
+ };
+}
diff --git a/os/cez/modules/tlp.nix b/os/cez/modules/tlp.nix
new file mode 100644
index 0000000..912fd5f
--- /dev/null
+++ b/os/cez/modules/tlp.nix
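Review bot: `loginOptions = "-f ${user}"` combined with `--skip-login` logs the user into every virtual console without a password, so once the LUKS volume is unlocked the disk passphrase is the only authentication standing between console access and a shell as that user, and nothing in the file records that this is deliberate. NixOS exposes the same behaviour as `services.getty.autologinUser = user;`, which states the intent more clearly than hand-assembled agetty flags; whichever form is kept, add a comment above `services.getty` such as `# console autologin: the LUKS passphrase is the only authentication before a user shell — intentional`. If the intent is that the screen locker protects unattended sessions, say so there too, since the TTYs themselves are not covered by it.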
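Review bot: `firewall.enable = false;` switches the host firewall off entirely on a machine that joins arbitrary wireless networks through iwd and also carries the sshfs and WireGuard modules, so any listening service — including ones enabled later by other modules — becomes reachable from whichever network the laptop is on. The NixOS firewall is stateful and does not block the outbound traffic iwd, wg-quick and sshfs need, so the safer default is to leave it enabled and open ports explicitly (`networking.firewall.allowedTCPPorts`/`allowedUDPPorts`) if something actually listens. If it was disabled to work around a specific problem, record that next to the line, e.g. `# firewall off because <reason — placeholder>; revisit`, rather than leaving the reason implicit.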
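Review bot: The root-run automount connects as `sftp@${domain}` with no host key pinned anywhere in this module, so the non-interactive mount either fails on first contact (root's known_hosts is empty on a fresh install) or, if host-key checking is relaxed elsewhere to make it work, accepts whichever endpoint answers for `domain`. Pin the server key declaratively so the mount verifies the peer without relying on root's known_hosts: `programs.ssh.knownHosts.${domain}.publicKey = "<server host key — placeholder>";`. The secret handling itself is sound (`sops.secrets."misc/sftp"` with the default root-only mode feeding `IdentityFile`), and `allow_other` with the fixed `uid`/`gid` is reasonable for a single-user machine; a one-line comment naming what `/media/kay` holds would help the next reader.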
@@ -0,0 +1,26 @@
+{ ... }: {
+ services.tlp = {
+ enable = true;
+
+ settings = {
+ RADEON_DPM_STATE_ON_AC = "performance";
+ RADEON_DPM_STATE_ON_BAT = "battery";
+
+ NMI_WATCHDOG = 0;
+
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+
+ DEVICES_TO_ENABLE_ON_AC = "bluetooth";
+ DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE = "bluetooth";
+
+ CPU_BOOST_ON_AC = 1;
+ CPU_BOOST_ON_BAT = 0;
+ CPU_HWP_DYN_BOOST_ON_AC = 1;
+ CPU_HWP_DYN_BOOST_ON_BAT = 0;
+
+ PLATFORM_PROFILE_ON_AC = "balanced";
+ PLATFORM_PROFILE_ON_BAT = "low-power";
+ };
+ };
+}
diff --git a/os/cez/modules/wayland.nix b/os/cez/modules/wayland.nix
new file mode 100644
index 0000000..1ce04cf
--- /dev/null
+++ b/os/cez/modules/wayland.nix
@@ -0,0 +1,72 @@
+{ config, pkgs, ... }: let
+ user = config.userdata.name;
+in {
+ # pkgs
+ environment.systemPackages = with pkgs; [
+ bemenu
+ sway
+ i3status
+ swaylock
+ swayidle
+ swaybg
+ foot
+ wl-clipboard
+ mako
+ xdg-utils
+ libnotify
+ ];
+
+ users.users.${user} = {
+ extraGroups = [ "seat" ];
+ packages = with pkgs; [
+ zathura
+ mpv
+ imv
+ wtype
+ qemu
+ OVMFFull
+ grim
+ slurp
+ tor-browser-bundle-bin
+ element-desktop-wayland
+ pinentry-bemenu
+ ];
+ };
+
+ # font
+ fonts = {
+ packages = with pkgs; [
+ terminus-nerdfont
+ dm-sans
+ ];
+ enableDefaultPackages = true;
+ fontconfig = {
+ hinting.style = "full";
+ subpixel.rgba = "rgb";
+ defaultFonts = {
+ monospace = [ "Terminess Nerd Font" ];
+ serif = [ "DeepMind Sans" ];
+ sansSerif = [ "DeepMind Sans" ];
+ };
+ };
+ };
+
+ # misc
+ services = {
+ seatd.enable = true;
+ dbus = {
+ enable = true;
+ implementation = "broker";
+ };
+ };
+
+ programs = {
+ gnupg.agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-bemenu;
+ };
+ };
+
+ security.pam.services.swaylock.text = "auth include login";
+ hardware.opengl.enable = true;
+}
diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix
new file mode 100644
index 0000000..d8e8dd0
--- /dev/null
+++ b/os/cez/modules/wireguard.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+
+let
+ domain = config.userdata.domain;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking.wg-quick.interfaces."kay" = {
+ autostart = false;
+ address = [ "10.0.1.2/24" ];
+ dns = [ "10.0.1.1" ];
+ mtu = 1380;
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [{
+ publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw=";
+ allowedIPs = [
+ "10.0.1.0/24"
+ "104.16.0.0/12"
+ "172.64.0.0/13"
+ ];
+ endpoint = "${domain}:51820";
+ persistentKeepalive = 25;
+ }];
+ };
+}
diff --git a/os/cez/secrets.yaml b/os/cez/secrets.yaml
new file mode 100644
index 0000000..f72eba6
--- /dev/null
+++ b/os/cez/secrets.yaml
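Review bot: The two public prefixes in `allowedIPs` (`104.16.0.0/12`, `172.64.0.0/13`) are undocumented: they lie outside the tunnel's `10.0.1.0/24` network, so a reader cannot tell whether routing them through the peer is deliberate split-tunnel policy or a leftover, and the effect is that traffic to those ranges silently changes path whenever the interface is up. They appear to be CDN-assigned blocks, but that is an inference — add a comment on each entry naming what the range belongs to and why it is sent via the peer, e.g. `"104.16.0.0/12" # <owner/purpose — placeholder>: reached via the peer on purpose`, so the routing decision is auditable later. Keeping the private key out of the repo via `privateKeyFile` and committing only the peer's `publicKey` is the right split.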
@@ -0,0 +1,32 @@
+misc:
+ sftp: ENC[AES256_GCM,data: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,iv:VyhdbfiiQJqG6cKAz6WjmlG3MkM25VzQzfCt1qYgH4M=,tag:KIoEb/dkEPpeaCJaNkAflw==,type:str]
+ wireguard: ENC[AES256_GCM,data:WUHMeYro1PS25wEtsQKHHtpLXbtox8JtqX5863dHelBIA2SB7YZ+eWyv5hQ=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:4qpU9Ue4QtfBINdy0CSdvw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLd3E0NC9Vb25ySXR0R0xL
+ b0pLcUdsNjYzZ0F6SkdodFZjT0s2OE5TZ0E0CkM5RHY4MmpBNFR6TWJLejlqS2FC
+ TmpRRUdMRkQ3SnhvY2ZtN3ZzYjRQYmsKLS0tIEZlWkRLVWJOaXV6V3Zmb2hUV0xj
+ d0N3S0ZIR0MyOERHV1k5RVBVVWVHQkkKZVtPjmpOPJM8STs70/nki6vTeo4mp47A
+ xEVUzxeUGpoyAewxSCo9W6IGtKyZQl0TEL3ucAmhOsjX4BWe2JShMA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWENJNzlDL1FpTkYwV1ps
+ V1VWeW4yOFZwZ1h5SGwzV2oyVkJaaHF0a1JRCmpFWWRLZzdUTUliZHpCTzJDYlhu
+ Yk51d1orS0tsMitBM0ZKSTQ4T05sNVEKLS0tIEVuZkY1bld2RldZOVNOc1E3bG5X
+ dVZ3V0VUQzF5VzN0RFM5c0RjZHpJZ0EK09qgyPHEhHgRZt2GZQB5IM9Z/nfYXW28
+ fcfmF6pko9qOYQ72P7vwv8Xub0SEI8GKGQwz2QPDJT9gd1qtipuhuQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-09T06:00:09Z"
+ mac: ENC[AES256_GCM,data:WkXFwF0bHvFvNTlLKrGk6iQpk5RqMIapluqyv3rcKATP4S1rQSCXwlUn88TNfKeOsJ6pSqoBmwPNjufr9SNrPZZNKYZ4sA4yft9jgCeBcyX6TaPPA123qL8xM3C2TcaE1oBrG9fwmMgEJMYJA7LxBAXz4sW17geb/y4TZgUDwBw=,iv:VJzYR0dbT761ezejxOwPO6x8cKPAzMZtwZHWvPhiDzI=,tag:Xu43SfKeGgCJivfgk+vp3Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1 |