Compare commits


No commits in common. "main" and "disko" have entirely different histories.
main ... disko

42 changed files with 113 additions and 1914 deletions


@ -4,39 +4,8 @@ My NixOS configuration.
## Installation ## Installation
For disk configuration we use disko, but for secrets management we use sops-nix and the particular setup makes the installation process a bit more involved. It is required that the computer from which the installation is being run has access to the `nixos-secrets` repository, otherwise you will need to manually add the required ssh keys to the installation image. For disk configuration we use disko, this means that installing the system from the configuration is just a single command:
```bash
# Load into the installer
sudo passwd # Set a root password
# From a machine with network access to the installer
# and access to the nixos-secrets repo
ssh -A root@(installer-ip)
# Set up disks
nix-shell -p disko
disko --mode disko --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
exit
# Install NixOS
nixos-install --no-channel-copy --no-root-password --flake git+https://git.bulthuis.dev/Jan/nixos-config#(system)
# Set up host credentials for access to the secrets
cd /mnt/persist/system/etc/sops
touch sops_ed25519_key
chmod 600 sops_ed25519_key
nano sops_ed25519_key
``` ```
If `nixos-install` is being stopped by the OOM-killer, you can try adding `-j 1` to limit the amount of jobs that will be executed at the same time to 1. It might require running nixos-install multiple times untill it has managed to download all requirements and slowly start building the rest of the system. sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/latest#disko-install" -- --flake git+https://git.bulthuis.dev/Jan/dotfiles#<hostname> --disk main /dev/sda
```
## Updating
To update the system configuration, it is a single command:
```bash
sudo system-update
```
Or if this shell script has not been installed for some reason:
```bash
sudo nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config
```
Sometimes it may be necessary to reboot of course.

flake.lock generated

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764350888, "lastModified": 1748225455,
"narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -23,11 +23,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1733328505,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,24 +54,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -79,11 +61,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764304195, "lastModified": 1748134483,
"narHash": "sha256-bO7FN/bF6gG7TlZpKAZjO3VvfsLaPFkefeUfJJ7F/7w=", "narHash": "sha256-5PBK1nV8X39K3qUj8B477Aa2RdbLq3m7wRxUKRtggX4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "86ff0ef506c209bb397849706e85cc3a913cb577", "rev": "c1e671036224089937e111e32ea899f59181c383",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -107,41 +89,20 @@
"type": "github" "type": "github"
} }
}, },
"madd": { "nix-minecraft": {
"inputs": { "inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1754781336, "lastModified": 1747581338,
"narHash": "sha256-EUavinU3psYqVDx7Cjdypsf4dUymdu1yawbwRYv6wbM=", "narHash": "sha256-/+H9qce+NPsEcAC31s3pbD64nB6GKC3+3ZNLV1+tffk=",
"ref": "refs/heads/master",
"rev": "d490b648ac5acb65aa24c8e8314c1a6fa9e2c0c1",
"revCount": 8,
"type": "git",
"url": "https://git.bulthuis.dev/Jan/madd"
},
"original": {
"type": "git",
"url": "https://git.bulthuis.dev/Jan/madd"
}
},
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751650156,
"narHash": "sha256-1gIPVDf159TQlcVg3WQBHMZVn8RllHOa8eT7AJPj2IE=",
"owner": "Jan-Bulthuis", "owner": "Jan-Bulthuis",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "d3b3779fd78bd55db24d25e896438b2b51cbb6cb", "rev": "44b6b40d7a3e0a114567b38a203029a5bc67e838",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -172,32 +133,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764242076, "lastModified": 1747958103,
"narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", "rev": "fe51d34885f7b5e3e7b59572796e1bcb427eccb1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-unstable", "ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1763049705,
"narHash": "sha256-A5LS0AJZ1yDPTa2fHxufZN++n8MCmtgrJDtxFxrH4S8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3acb677ea67d4c6218f33de0db0955f116b7588c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -207,48 +152,9 @@
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"madd": "madd",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nix-modpack": "nix-modpack", "nix-modpack": "nix-modpack",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs"
"nixpkgs-stable": "nixpkgs-stable",
"secrets": "secrets",
"sops-nix": "sops-nix"
}
},
"secrets": {
"locked": {
"lastModified": 1762547267,
"narHash": "sha256-bDYmYBJxtsSES+gcpHfpnURA7QDJ3cC1Mg2jzQl5zdg=",
"ref": "refs/heads/main",
"rev": "601b97ba998f743a333fe7523dd5825816155778",
"revCount": 17,
"type": "git",
"url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
},
"original": {
"type": "git",
"url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1759635238,
"narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {
@ -265,21 +171,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -3,25 +3,13 @@
inputs = { inputs = {
# General inputs # General inputs
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager"; home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
# Secrets
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
secrets.url = "git+ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets";
# Disk setup
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
# MADD
madd.url = "git+https://git.bulthuis.dev/Jan/madd";
madd.inputs.nixpkgs.follows = "nixpkgs";
# For Minecraft VM # For Minecraft VM
nix-minecraft.url = "github:Jan-Bulthuis/nix-minecraft"; nix-minecraft.url = "github:Jan-Bulthuis/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs"; nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
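Review bot: The `nixpkgs.url` line on this side pins `github:nixos/nixpkgs/nixpkgs-unstable` instead of `nixos-unstable`; for a flake that builds NixOS hosts that is a weaker guarantee, because to my understanding `nixos-unstable` only advances once the NixOS channel test jobset passes while `nixpkgs-unstable` is gated on package builds alone, so module-level regressions that the channel tests would have held back can land on these machines. Unless the faster branch is wanted deliberately, keep `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";` and add a one-line comment saying which channel guarantee the hosts rely on. `disko` and `impermanence` stay on an unpinned default branch on both sides, which is acceptable only because `flake.lock` is committed, as this compare shows. The `inputs` attrset this hunk edits continues past the last line shown.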


@ -4,10 +4,6 @@ let
nixpkgs = inputs.nixpkgs; nixpkgs = inputs.nixpkgs;
lib = nixpkgs.lib; lib = nixpkgs.lib;
nixpkgs-config = {
allowUnfree = true;
};
importDir = importDir =
path: fn: path: fn:
let let
@ -53,13 +49,6 @@ let
pkgs = ( pkgs = (
import inputs.nixpkgs { import inputs.nixpkgs {
inherit system; inherit system;
config = nixpkgs-config;
}
);
stable-pkgs = (
import inputs.nixpkgs-stable {
inherit system;
config = nixpkgs-config;
} }
); );
}); });
@ -129,22 +118,13 @@ let
nixpkgs.overlays = [ overlay ] ++ inputOverlays; nixpkgs.overlays = [ overlay ] ++ inputOverlays;
}; };
nixpkgsModule =
{ ... }:
{
nixpkgs.config = nixpkgs-config;
};
nixosConfigurations = importDir "${flake}/hosts" ( nixosConfigurations = importDir "${flake}/hosts" (
attrs: attrs:
lib.mapAttrs ( lib.mapAttrs (
name: entry: name: entry:
let
pkgs-stable = systemArgs."x86_64-linux".stable-pkgs;
in
lib.nixosSystem { lib.nixosSystem {
specialArgs = { specialArgs = {
inherit inputs pkgs-stable; inherit inputs;
}; };
modules = modules =
let let
@ -163,11 +143,8 @@ let
usersModule = usersModule =
{ ... }: { ... }:
{ {
home-manager.extraSpecialArgs = {
inherit inputs pkgs-stable;
};
home-manager.sharedModules = homeModules ++ homeProfiles ++ inputHomeModules; home-manager.sharedModules = homeModules ++ homeProfiles ++ inputHomeModules;
home-manager.useUserPackages = true; home-manager.useUserPackages = false; # TODO: See if this should be changed to true?
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.users = homesConfiguration; home-manager.users = homesConfiguration;
users.users = usersConfiguration; users.users = usersConfiguration;
@ -178,7 +155,6 @@ let
systemPath systemPath
overlayModule overlayModule
usersModule usersModule
nixpkgsModule
] ]
++ nixosModules ++ nixosModules
++ nixosProfiles ++ nixosProfiles
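Review bot: This side drops `nixpkgs-config` together with the `nixpkgsModule` that set `allowUnfree = true`, so neither the per-system `pkgs` import in this file nor the host module list carries an unfree allowance any more; the `mathematica` home module elsewhere in this compare still references `pkgs.mathematica`, so enabling it on a host will fail evaluation with nixpkgs' unfree refusal unless `allowUnfree` is set somewhere not visible on this page. If unfree packages are still wanted, keep a single `nixpkgs.config.allowUnfree = true;` in the shared module list (or, tighter, an `allowUnfreePredicate` naming the few packages actually used) rather than leaving each host to set it. The `home-manager.useUserPackages = false; # TODO: See if this should be changed to true?` line should carry an answer, not a question: with `useGlobalPkgs = true`, `useUserPackages = true` places user packages under `/etc/profiles/per-user` as part of the system generation, so they roll back with it, and `home-manager.useUserPackages = true; # part of the system generation, rolls back with it` would document the choice. The `let … in` this hunk edits starts before the first line shown.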


@ -1,9 +1,4 @@
{ { flake, ... }:
inputs,
pkgs,
lib,
...
}:
{ {
# State version # State version
@ -16,87 +11,8 @@
users.users.jan.extraGroups = [ users.users.jan.extraGroups = [
"wheel" "wheel"
"wireshark" "wireshark"
"podman"
]; ];
# Set up kerberos
security.krb5 = {
enable = true;
settings = {
libdefaults = {
rdns = false;
};
realms = (inputs.secrets.gewis.krb5Realm);
};
};
services.netbird = {
enable = true;
};
# TODO: Move clatd setup
# services.clatd = {
# enable = true;
# enableNetworkManagerIntegration = true;
# };
# networking.networkmanager.settings = {
# connection."ipv6.clat" = "yes";
# };
networking.networkmanager.package = pkgs.networkmanager.overrideAttrs (
final: prev: {
src = pkgs.fetchFromGitLab {
domain = "gitlab.freedesktop.org";
owner = "Mstrodl";
repo = "NetworkManager";
# rev = "d367285a1fec5167f2fa94af2ea1448b6e21650e";
# sha256 = "0BHxuJ6KtFoVxh2Xt0bq4oM3q87QBhtawyMtixz/cPs=";
rev = "fa3b0c6ade05a67316520d143608c5bd9963a23c";
hash = "sha256-7TENrRDKXMFPWv6oDuBWBYIBrDvNsy/JGtkppMk1oQo=";
};
postPatch = prev.postPatch + ''
substituteInPlace meson.build \
--replace "find_program('clang'" "find_program('${pkgs.stdenv.cc.targetPrefix}clang'"
'';
hardeningDisable = [
"zerocallusedregs"
"shadowstack"
"pacret"
];
nativeBuildInputs =
prev.nativeBuildInputs
++ (with pkgs; [
xdp-tools
bpftools
buildPackages.llvmPackages.clang
buildPackages.llvmPackages.libllvm
]);
buildInputs =
prev.buildInputs
++ (with pkgs; [
libbpf
]);
mesonFlags = prev.mesonFlags ++ [
"-Dclat=true"
"-Dnbft=false"
"-Dbpf-compiler=clang"
];
}
);
# TODO: Remove once laptop is properly integrated into domain
programs.ssh = {
package = pkgs.openssh_gssapi;
extraConfig = ''
GSSAPIAuthentication yes
'';
};
# Enable virtualisation for VMs # Enable virtualisation for VMs
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
@ -107,46 +23,17 @@
usbmon.enable = true; usbmon.enable = true;
}; };
# Enable Nix-LD
programs.nix-ld = {
enable = true;
};
# Set up wstunnel client # Set up wstunnel client
services.wstunnel = { services.wstunnel = {
enable = true; enable = true;
clients.wg-tunnel = { clients.wg-tunnel = {
connectTo = "wss://tunnel.bulthuis.dev:443"; connectTo = "wss://tunnel.bulthuis.dev:443";
settings.local-to-remote = [ localToRemote = [
"udp://51820:10.10.40.100:51820" "udp://51820:10.10.40.100:51820"
]; ];
}; };
}; };
# Enable flatpak
services.flatpak.enable = true;
# Set up MADD
# services.madd-client = {
# enable = true;
# endpoint = "http://localhost:3000";
# interface = "wlp0s20f3";
# };
# services.madd-server = {
# enable = true;
# settings = {
# bind = "127.0.0.1:3000";
# zone = "lab.bulthuis.dev";
# networks = [ "10.0.0.0/8" ];
# registration_limit = 1;
# dns_server = "127.0.0.1:2053";
# tsig_key_name = "madd";
# tsig_key_file = "/home/jan/Code/MADD/madd.tsig";
# tsig_algorithm = "hmac-sha256";
# data_dir = "/var/lib/madd";
# };
# };
# Module setup # Module setup
modules = { modules = {
profiles.laptop.enable = true; profiles.laptop.enable = true;
@ -155,52 +42,4 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
virtualisation.podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
autoPrune.enable = true;
};
environment.systemPackages =
let
wrapProgram =
pkg: bwrapArgs:
pkgs.runCommandLocal pkg.name { bwrapArgs = (lib.join " \\\n" bwrapArgs) + " \\"; } ''
mkdir -p $out
# Link all top level folders
ln -s ${pkg}/* $out
# Except for bin
rm $out/bin
mkdir -p $out/bin
# Wrap each executable
for file in ${pkg}/bin/*; do
base=$(basename $file)
echo "#!/usr/bin/env bash" > $out/bin/$base
echo "exec ${pkgs.bubblewrap}/bin/bwrap \\" >> $out/bin/$base
echo "$bwrapArgs" >> $out/bin/$base
echo "-- $file \"\$@\"" >> $out/bin/$base
chmod +x $out/bin/$base
done
'';
wish = pkgs.writeShellScriptBin "wish" ''
env
exec ${lib.getExe pkgs.firefox} "$@"
'';
in
[
(wrapProgram wish [
"--new-session"
"--unshare-all"
"--clearenv"
"--dev /dev"
"--proc /proc"
"--ro-bind /nix/store /nix/store"
"--bind $HOME/Code $HOME/Code"
])
];
} }
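Review bot: `programs.wireshark.usbmon.enable = true` combined with `users.users.jan.extraGroups = [ "wheel" "wireshark" ]` hands every member of the `wireshark` group the usbmon capture devices, and usbmon records raw traffic on the whole USB bus, including HID reports from keyboards, so it is effectively a system-wide keystroke capture capability rather than just network sniffing; that is presumably acceptable on a single-admin laptop, but it deserves a why-comment, e.g. `# usbmon exposes all USB traffic (incl. HID input) to the wireshark group; only trusted admin users belong in that group`. The `localToRemote` option in `services.wstunnel.clients.wg-tunnel` is the name valid for the nixpkgs revision pinned in this compare's `flake.lock`; the other branch already shows the renamed `settings.local-to-remote`, so a nixpkgs bump on this branch will need that rename or evaluation will fail.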


@ -1,120 +0,0 @@
{
lib,
config,
pkgs,
...
}:
{
home.stateVersion = "24.11";
home.packages = with pkgs; [
# Desktop environment
gnome-text-editor
gnome-calculator
gnome-console
gnome-logs
gnome-system-monitor
nautilus
adwaita-icon-theme
gnome-control-center
gnome-shell-extensions
glib
gnome-menus
gtk3.out
xdg-user-dirs
xdg-user-dirs-gtk
cantarell-fonts
dejavu_fonts
source-code-pro
source-sans
gnome-session
adwaita-fonts
# Coding tools
vim-full
nano
neovim
emacs
gedit
geany
kdePackages.kate
vscode
python310
jdk17
gnumake
gcc
lldb
# pypy310
# Runners
(writeShellScriptBin "mygcc" "gcc -std=gnu17 -x c -Wall -O2 -static -pipe -o $1 \"$1.c\" -lm")
(writeShellScriptBin "mygpp" "g++ -std=gnu++20 -x c++ -Wall -O2 -static -pipe -o $1 \"$1.cpp\" -lm")
(writeShellScriptBin "mypython" "python3 $@")
(writeShellScriptBin "myjavac" "javac -encoding UTF-8 -sourcepath . -d . $@")
(writeShellScriptBin "mykotlinc" "kotlinc -d . $@")
];
modules.profiles.gnome.enable = true;
programs.vscode = {
enable = true;
mutableExtensionsDir = false;
profiles.default = {
extensions = with pkgs.vscode-extensions; [
ms-vscode.cpptools
ms-dotnettools.csharp
formulahendry.code-runner
vscjava.vscode-java-debug
dbaeumer.vscode-eslint
redhat.java
ms-python.python
];
};
};
programs.firefox = {
enable = true;
package = pkgs.firefox;
profiles.default = {
settings = {
"browser.startup.homepage" = "https://domjudge.bulthuis.dev";
};
bookmarks = {
force = true;
settings = [
{
name = "Sites";
toolbar = true;
bookmarks = [
{
name = "C Reference";
url = "https://en.cppreference.com/w/c";
}
{
name = "C++ Reference";
url = "https://en.cppreference.com/w/cpp";
}
{
name = "Python 3.10 documentation";
url = "https://docs.python.org/3.10/download.html";
}
{
name = "Java 17 API Specification";
url = "https://docs.oracle.com/en/java/javase/17/docs/api/";
}
{
name = "Kotlin Language Documentation";
url = "https://kotlinlang.org/docs/kotlin-reference.pdf";
}
{
name = "DOMjudge Team Manual";
url = "https://www.domjudge.org/docs/manual/main/index.html";
}
];
}
];
};
};
};
}


@ -1,5 +1,4 @@
{ {
pkgs,
... ...
}: }:
@ -7,25 +6,4 @@
home.stateVersion = "24.11"; home.stateVersion = "24.11";
modules.profiles.jan.enable = true; modules.profiles.jan.enable = true;
# home.packages = with pkgs; [
# opencloud-desktop
# code-nautilus
# nautilus-open-in-blackbox
# ];
xdg.desktopEntries = {
canvas = {
name = "Canvas";
type = "Application";
exec = "${pkgs.chromium}/bin/chromium --app=\"https://canvas.tue.nl\" --user-data-dir=/home/jan/.local/state/Canvas";
settings.StartupWMClass = "chrome-canvas.tue.nl__-Default";
};
overleaf = {
name = "Overleaf";
type = "Application";
exec = "${pkgs.chromium}/bin/chromium --app=\"https://www.overleaf.com\" --user-data-dir=/home/jan/.local/state/Overleaf";
settings.StartupWMClass = "chrome-www.overleaf.com__-Default";
};
};
} }

Binary file not shown.


@ -77,7 +77,7 @@
group = "mixer"; group = "mixer";
extraGroups = [ "systemd-journal" ]; extraGroups = [ "systemd-journal" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Personal" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq jan@bulthuis.dev"
]; ];
}; };
users.groups.mixer = { }; users.groups.mixer = { };


@ -0,0 +1,7 @@
{ ... }:
{
home.stateVersion = "24.11";
modules.profiles.base.enable = true;
}


@ -1,39 +0,0 @@
{
inputs,
...
}:
{
# State version
system.stateVersion = "25.05";
# Machine hostname
networking.hostName = "vm-infra";
# Enabled modules
modules = {
profiles.vm.enable = true;
};
# Setup JOOL NAT64
networking.jool = {
enable = true;
nat64.default = {
global.pool6 = "64:ff9b::/96";
pool4 = [
{
protocol = "TCP";
prefix = "10.64.0.1/32";
}
{
protocol = "UDP";
prefix = "10.64.0.1/32";
}
{
protocol = "ICMP";
prefix = "10.64.0.1/32";
}
];
};
};
}


@ -25,26 +25,13 @@
# Set up minecraft servers # Set up minecraft servers
users.users.local.extraGroups = [ "minecraft" ]; users.users.local.extraGroups = [ "minecraft" ];
modules.impermanence.directories = [
"/srv/minecraft"
];
services.minecraft-servers = { services.minecraft-servers = {
enable = true; enable = true;
eula = true; eula = true;
openFirewall = true; openFirewall = true;
servers = { servers = {
vanilla = {
enable = true;
autoStart = true;
serverProperties = {
white-list = true;
difficulty = "normal";
max-players = 5;
};
package = inputs.nix-minecraft.legacyPackages.${pkgs.system}.fabricServers.fabric-1_21_7;
};
modpack = { modpack = {
enable = false; enable = true;
autoStart = true; autoStart = true;
serverProperties = { }; serverProperties = { };
package = inputs.nix-modpack.packages.${pkgs.system}.mkModpackServer { package = inputs.nix-modpack.packages.${pkgs.system}.mkModpackServer {
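Review bot: The `modpack` server this side turns on (`enable = true` under a `services.minecraft-servers` block with `openFirewall = true`) has `serverProperties = { }`, so it listens on the firewall-opened port with no whitelist and the server's default player limit, whereas the `vanilla` definition the other side carried set `white-list = true` and `max-players = 5`; unless the server is meant to be public, set `serverProperties = { white-list = true; max-players = 5; };` (leaving `online-mode` at its default of true) so only accounts added to the whitelist can join. This side also drops `modules.impermanence.directories = [ "/srv/minecraft" ]`; if the `vm` profile this host enables uses an ephemeral root, which I cannot confirm from this page, the world data and whitelist under `/srv/minecraft` will not survive a reboot. The `servers` attrset and the `mkModpackServer {` call continue past the end of the hunk.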


@ -0,0 +1,7 @@
{ ... }:
{
home.stateVersion = "24.11";
modules.profiles.base.enable = true;
}


@ -1,143 +0,0 @@
{
inputs,
lib,
pkgs,
config,
...
}:
{
# State version
system.stateVersion = "24.11";
# Machine hostname
networking.hostName = "vm-oddjob";
# Enabled modules
modules = {
profiles.vm.enable = true;
};
# Omada Software Controller
users.users.omada = {
isSystemUser = true;
group = "omada";
};
users.groups.omada = { };
virtualisation.podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
virtualisation.oci-containers = {
backend = "podman";
containers = {
omada-controller = {
volumes = [
"/var/lib/omada:/opt/tplink/EAPController/data"
];
environment = {
TZ = "Europe/Amsterdam";
};
extraOptions = [
"--network=host"
"--ulimit"
"nofile=4096:8192"
];
image = "mbentley/omada-controller:5.15";
};
};
};
modules.impermanence.directories = [
"/var/lib/omada"
];
networking.firewall = {
allowedTCPPorts = [
8088
8043
8843
];
allowedTCPPortRanges = [
{
from = 29811;
to = 29816;
}
];
allowedUDPPorts = [
19810
27001
29810
];
};
# Setup NAS backups
environment.systemPackages = with pkgs; [
keyutils
];
environment.etc."request-key.d/cifs.spnego.conf".text = ''
create cifs.spnego * * ${pkgs.cifs-utils}/bin/cifs.upcall -t %k
'';
environment.etc."request-key.d/cifs.idmap.conf".text = ''
create cifs.idmap * * ${pkgs.cifs-utils}/bin/cifs.idmap %k
'';
sops.secrets."smb-credentials" = {
sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
};
sops.secrets."backup-script-env" = {
sopsFile = "${inputs.secrets}/secrets/vm-oddjob.enc.yaml";
};
services.cron = {
enable = true;
systemCronJobs =
let
script = pkgs.writeShellScript "backup-script" (
lib.concatStrings (
[
''
. ${config.sops.secrets."backup-script-env".path}
export PBS_REPOSITORY=$PBS_REPOSITORY
export PBS_NAMESPACE=$PBS_NAMESPACE
export PBS_PASSWORD=$PBS_PASSWORD
export PBS_FINGERPRINT=$PBS_FINGERPRINT
''
]
++ lib.map (share: ''
systemctl start mnt-${share}.mount
${pkgs.util-linux}/bin/prlimit --nofile=1024:1024 ${pkgs.proxmox-backup-client}/bin/proxmox-backup-client backup nfs.pxar:/mnt/${share} --ns $PBS_NAMESPACE --backup-id share-${share} --change-detection-mode=metadata --exclude "#recycle"
systemctl stop mnt-${share}.mount
'') inputs.secrets.lab.nas.backupShares
)
);
in
[
"0 0 * * * root ${script}"
];
};
# Mount filesystems
systemd.services.krb5-mnt-credentials = {
description = "Set up Kerberos credentials for mounting shares";
before = map (share: "mnt-${share}.mount") inputs.secrets.lab.nas.backupShares;
requiredBy = map (share: "mnt-${share}.mount") inputs.secrets.lab.nas.backupShares;
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
serviceConfig.Type = "oneshot";
script = ''
. ${config.sops.secrets."smb-credentials".path}
echo $password | ${pkgs.krb5}/bin/kinit $username
'';
};
fileSystems = lib.listToAttrs (
lib.map (share: {
name = "/mnt/${share}";
value = {
device = "//${inputs.secrets.lab.nas.host}/${share}";
fsType = "cifs";
options = [
"noauto"
"sec=krb5,credentials=${config.sops.secrets."smb-credentials".path}"
];
};
}) inputs.secrets.lab.nas.backupShares
);
}


@ -1,19 +0,0 @@
{
lib,
pkgs,
config,
...
}:
{
# State version
system.stateVersion = "24.11";
# Machine hostname
networking.hostName = "vm-test";
# Enabled modules
modules = {
profiles.vm.enable = true;
};
}


@ -0,0 +1,7 @@
{ ... }:
{
home.stateVersion = "24.11";
modules.profiles.base.enable = true;
}


@ -1,117 +0,0 @@
{
inputs,
pkgs,
config,
...
}:
{
# State version
system.stateVersion = "24.05";
# Machine hostname
networking.hostName = "ws-think";
# Set up users
sops.secrets."passwords/jan-hashed" = {
sopsFile = "${inputs.secrets}/secrets/ws-think.enc.yaml";
neededForUsers = true;
};
users.mutableUsers = false;
users.users.Jan = {
hashedPasswordFile = config.sops.secrets."passwords/jan-hashed".path;
# Extra admin groups
# TODO: Streamline setup of this
extraGroups = [
"wheel"
"wireshark"
"podman"
"libvirtd"
];
};
# Set up kerberos
security.krb5 = {
enable = true;
settings = {
libdefaults = {
rdns = false;
};
realms = (inputs.secrets.gewis.krb5Realm);
};
};
services.netbird = {
enable = true;
};
# SSH X11 forwarding
programs.ssh.forwardX11 = true;
# Enable older samba versions
services.samba = {
enable = true;
settings = {
global = {
"invalid users" = [ "root" ];
"passwd program" = "/run/wrappers/bin/passwd %u";
"security" = "user";
"client min protocol" = "NT1";
};
};
};
# TODO: Remove once laptop is properly integrated into domain
programs.ssh = {
package = pkgs.openssh_gssapi;
extraConfig = ''
GSSAPIAuthentication yes
'';
};
# Enable virtualisation for VMs
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
# Enable wireshark
programs.wireshark = {
enable = true;
dumpcap.enable = true;
usbmon.enable = true;
};
# Enable Nix-LD
programs.nix-ld = {
enable = true;
};
# Set up wstunnel client
services.wstunnel = {
enable = true;
clients.wg-tunnel = {
connectTo = "wss://tunnel.bulthuis.dev:443";
settings.local-to-remote = [
"udp://51820:10.10.40.100:51820"
];
};
};
# Enable flatpak
services.flatpak.enable = true;
# Module setup
modules = {
profiles.laptop.enable = true;
};
# Set up podman
virtualisation.podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
autoPrune.enable = true;
};
# Set up hardware
imports = [ ./hardware-configuration.nix ];
}


@ -1,61 +0,0 @@
{ ... }:
{
# Machine platform
nixpkgs.hostPlatform = "x86_64-linux";
# Set hostid (required for ZFS)
networking.hostId = "deadbeef";
# Hardware configuration
hardware.enableRedistributableFirmware = true;
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
hardware.cpu.intel.updateMicrocode = true;
# Filesystems
fileSystems = {
"/" = {
device = "tank/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
"/nix" = {
device = "tank/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
"/persist" = {
device = "tank/persist";
fsType = "zfs";
options = [ "zfsutil" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/46BF-DE2C";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
# Swap setup
swapDevices = [
{
device = "/dev/disk/by-uuid/9f6f2a47-e53a-45a0-8cb2-8c1082f54ccb";
discardPolicy = "both";
}
];
}


@ -1,31 +0,0 @@
{
pkgs,
...
}:
{
home.stateVersion = "25.11";
modules.profiles.jan.enable = true;
# home.packages = with pkgs; [
# opencloud-desktop
# code-nautilus
# nautilus-open-in-blackbox
# ];
xdg.desktopEntries = {
canvas = {
name = "Canvas";
type = "Application";
exec = "${pkgs.chromium}/bin/chromium --app=\"https://canvas.tue.nl\" --user-data-dir=/home/jan/.local/state/Canvas";
settings.StartupWMClass = "chrome-canvas.tue.nl__-Default";
};
overleaf = {
name = "Overleaf";
type = "Application";
exec = "${pkgs.chromium}/bin/chromium --app=\"https://www.overleaf.com\" --user-data-dir=/home/jan/.local/state/Overleaf";
settings.StartupWMClass = "chrome-www.overleaf.com__-Default";
};
};
}


@ -15,14 +15,14 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# TODO: Enable extensions (declaratively) with dconf # TODO: Enable extensions with dconf
home.pointerCursor = { home.pointerCursor = {
enable = true;
name = "capitaine-cursors"; name = "capitaine-cursors";
size = 24; size = 24;
package = pkgs.capitaine-cursors; package = pkgs.capitaine-cursors;
gtk.enable = true; gtk.enable = true;
x11.enable = true;
}; };
home.packages = home.packages =
@ -50,47 +50,32 @@ in
file-roller file-roller
mission-center mission-center
dconf-editor dconf-editor
gnome-calendar
# For theming gtk3 # For theming gtk3
# adw-gtk3 # TODO: Do this better, same for morewaita, not sure if it even works adw-gtk3
# More icons
# morewaita-icon-theme
] ]
++ (with pkgs.gnomeExtensions; [ ++ (with pkgs.gnomeExtensions; [
gsconnect gsconnect
disable-workspace-animation disable-workspace-animation
wallpaper-slideshow wallpaper-slideshow
media-progress media-progress
mpris-label # luminus-desktop
pip-on-top
rounded-window-corners-reborn
]); ]);
# Set up gnome terminal as changing the default terminal is a pain # Enable and set the gtk themes
programs.gnome-terminal = { gtk = {
enable = true; enable = true;
profile."12d2da79-b36c-43d5-8e1f-cf70907b84b3" = { gtk3.extraConfig = {
visibleName = "Default"; gtk-theme-name = "adw-gtk3";
default = true; };
gtk4.extraConfig = {
gtk-theme-name = "Adwaita";
}; };
}; };
# Enable and set the gtk themes
# gtk = {
# enable = true;
# gtk3.extraConfig = {
# gtk-theme-name = "adw-gtk3";
# };
# gtk4.extraConfig = {
# gtk-theme-name = "Adwaita";
# };
# };
# Set the theme with dconf # Set the theme with dconf
# dconf.settings."org/gnome/desktop/interface" = { dconf.settings."org/gnome/desktop/interface" = {
# gtk-theme = "adw-gtk3"; gtk-theme = "adw-gtk3";
# }; };
}; };
} }


@ -1,42 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.modules.go;
in
{
options.modules.go = {
enable = mkEnableOption "go";
};
config = mkIf cfg.enable {
# Development packages
home.packages = with pkgs; [
];
# VSCode configuration
programs.vscode = {
profiles.default = {
extensions = with pkgs.vscode-extensions; [
golang.go
];
userSettings = {
};
};
};
# Neovim configuration
# programs.nixvim = {
# plugins.rustaceanvim = {
# enable = true;
# };
# };
};
}


@ -9,11 +9,10 @@ with lib;
let let
cfg = config.modules.mathematica; cfg = config.modules.mathematica;
my-mathematica = pkgs.mathematica.overrideAttrs (old: { my-mathematica = pkgs.mathematica.override {
force-rebuild = "1";
# TODO: Just use a generic name for the installer? # TODO: Just use a generic name for the installer?
# source = ./Wolfram_14.2.1_LIN_Bndl.sh; # source = ./Wolfram_14.2.1_LIN_Bndl.sh;
}); };
in in
{ {
options.modules.mathematica = { options.modules.mathematica = {
@ -22,7 +21,6 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = [ home.packages = [
# pkgs.mathematica-cuda
my-mathematica my-mathematica
]; ];
}; };
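Review bot: `pkgs.mathematica.override { }` on this side overrides nothing and leaves the installer question in a `# TODO` next to a commented-out `source`; as far as I recall the nixpkgs `mathematica` derivation falls back to `requireFile` when no `source` is given, so the build stops until the Wolfram installer has been added to the store by hand with `nix-store --add-fixed`, and the package is marked unfree, so this module only evaluates where `allowUnfree` is set. Replace the TODO with a comment stating both prerequisites, e.g. `# Unfree; without a local 'source' nixpkgs expects the Wolfram .sh installer to be pre-added to the store (requireFile)`, so the next person enabling `modules.mathematica` knows why it fails. If the installer is ever pointed at `./Wolfram_14.2.1_LIN_Bndl.sh`, make sure that licensed binary is never committed to this repository.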


@ -1,22 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.modules.bitwarden;
in
{
options.modules.bitwarden = {
enable = mkEnableOption "Bitwarden";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [
bitwarden-desktop
];
};
}


@ -1,43 +0,0 @@
{
inputs,
lib,
config,
...
}:
with lib;
let
cfg = config.modules.secrets;
secrets = inputs.secrets;
in
{
options.modules.secrets = {
enable = mkEnableOption "secrets";
defaultFile = mkOption {
type = types.str;
default = "${secrets}/secrets/common.enc.yaml";
description = ''
The default file to use for SOPS.
'';
};
secrets = mkOption {
type = types.attrs;
default = { };
description = ''
All secrets that should be made available.
'';
};
};
config = mkIf cfg.enable {
# Set up SOPS
# TODO: Fix the key not being present in .config/sops before sops-nix runs
sops.defaultSopsFile = cfg.defaultFile;
sops.age.sshKeyPaths = [
"${config.home.homeDirectory}/.config/sops/sops_ed25519_key"
# "/persist/home/${config.home.username}/.config/sops/sops_ed25519_key"
];
sops.secrets = cfg.secrets;
modules.impermanence.directories = [ ".config/sops" ];
};
}


@ -16,8 +16,5 @@ in
systemd-boot.editor = false; systemd-boot.editor = false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
# Initrd
boot.initrd.systemd.enable = true;
}; };
} }


@ -20,7 +20,5 @@ in
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable { disko.devices = profile.disko.devices; };
disko.devices = profile.disko.devices;
};
} }


@ -1,218 +0,0 @@
{
inputs,
lib,
pkgs,
config,
...
}:
with lib;
let
cfg = config.modules.domain;
domain = inputs.secrets.lab.domain;
domainUpper = lib.strings.toUpper domain;
in
{
options.modules.domain = {
enable = mkEnableOption "Domain Integration";
join = {
userFile = mkOption {
type = types.str;
description = "File containing the user used to join the computer.";
};
passwordFile = mkOption {
type = types.str;
description = "File containing the password for the join user.";
};
domainOUFile = mkOption {
type = types.str;
description = "The OU to join the computer to.";
};
};
};
config = mkIf cfg.enable {
# Set network domain
networking.domain = domain;
networking.search = [ domain ];
# Automatically join the domain
systemd.services.adcli-join = {
description = "Automatically join the domain";
wantedBy = [ "default.target" ];
before = [ "sssd.service" ];
requiredBy = [ "sssd.service" ];
after = [
"network-online.target"
];
requires = [
"network-online.target"
];
serviceConfig = {
Type = "oneshot";
};
script = ''
ADCLI_JOIN_USER=$(cat ${cfg.join.userFile})
ADCLI_JOIN_OU=$(cat ${cfg.join.domainOUFile})
${pkgs.adcli}/bin/adcli join -D ${domain} \
-U $ADCLI_JOIN_USER \
-O $ADCLI_JOIN_OU \
--dont-expire-password=true \
--stdin-password < ${cfg.join.passwordFile}
'';
};
# Set up Kerberos
security.krb5 = {
enable = true;
settings = {
libdefaults = {
default_realm = domainUpper;
};
realms.${domainUpper} = {
};
domain_realm = {
"${domain}" = domainUpper;
".${domain}" = domainUpper;
};
};
};
# Set up SSSD
services.sssd = {
enable = true;
config = ''
[sssd]
domains = ${domain}
config_file_version = 2
services = nss, pam
[nss]
filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)}
filter_groups = ${concatStringsSep "," (lib.attrNames config.users.groups)}
[domain/${domain}]
enumerate = False
ad_domain = ${domain}
krb5_realm = ${domainUpper}H
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
use_fully_qualified_names = False
ldap_schema = ad
ldap_id_mapping = True
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = True
dyndns_update = True
dyndns_update_ptr = False
dyndns_refresh_interval = 86400
dyndns_ttl = 3600
'';
};
security.pam.services.login.sssdStrictAccess = true;
security.pam.services.sshd.sssdStrictAccess = true;
security.pam.services.su.sssdStrictAccess = true;
# Set up Sudo
security.sudo =
let
admin_group = "host_${lib.replaceStrings [ "-" ] [ "_" ] config.networking.hostName}_admin";
in
{
extraConfig = ''
%${admin_group} ALL=(ALL) SETENV: ALL
'';
};
# Set up SSH
programs.ssh = {
package = pkgs.openssh_gssapi;
extraConfig = ''
GSSAPIAuthentication yes
'';
};
services.openssh = {
package = pkgs.openssh_gssapi;
settings = {
GSSAPIAuthentication = true;
GSSAPICleanupCredentials = true;
GSSAPIStrictAcceptorCheck = true;
};
};
# Set up home directory
security.pam.services.login.makeHomeDir = true;
security.pam.services.sshd.makeHomeDir = true;
security.pam.services.su.makeHomeDir = true;
environment.etc.profile.text =
let
# TODO: Activate configuration based on AD group
homeConfiguration = inputs.home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
(
{ lib, ... }:
{
home.stateVersion = "24.11";
home.username = "$USER";
home.homeDirectory = "/.$HOME";
modules.profiles.base.enable = true;
# Mount the directories from the network share
# home.activation.dirMount =
# let
# bindScript = dir: ''
# mkdir -p /network/$USER/${dir}
# mkdir -p $HOME/${dir}
# ${pkgs.bindfs}/bin/bindfs /network/$USER/${dir} $HOME/${dir}
# '';
# in
# lib.hm.dag.entryAfter [ "writeBoundary" ] ''
# if ! ${pkgs.krb5}/bin/klist -s; then
# echo "No kerberos ticket found"
# ${pkgs.krb5}/bin/kinit
# fi
# if ${pkgs.krb5}/bin/klist -s; then
# echo "Kerberos ticket found, mounting home directory"
# ${bindScript "Documents"}
# ${bindScript "Music"}
# ${bindScript "Pictures"}
# ${bindScript "Video"}
# else
# echo "Still no kerberos ticket found, skipping home directory mount"
# fi
# '';
}
)
] ++ config.home-manager.sharedModules;
};
in
mkAfter ''
# Activate Home Manager configuration for domain users
if id | egrep -o 'groups=.*' | sed 's/,/\n/g' | cut -d'(' -f2 | sed 's/)//' | egrep -o "^domain users$"; then
echo "Setting up environment for domain user"
SKIP_SANITY_CHECKS=1 ${homeConfiguration.activationPackage}/activate
if test -f "$HOME/.bashrc"; then
. $HOME/.bashrc
fi
fi
'';
# Automatically mount home share
# Can be accessed at /network/$USER
# services.autofs = {
# enable = true;
# autoMaster =
# let
# networkMap = pkgs.writeText "auto" ''
# * -fstype=cifs,sec=krb5,user=&,uid=$UID,gid=$GID,cruid=$UID ://${inputs.secrets.lab.nas.host}/home
# '';
# in
# ''
# /network ${networkMap} --timeout=30
# '';
# };
};
}


@ -17,9 +17,10 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Enable GDM and Gnome # Enable GDM and Gnome
services.displayManager.gdm.enable = true; services.xserver.enable = true;
services.desktopManager.gnome.enable = true; services.xserver.displayManager.gdm.enable = true;
services.gnome.core-apps.enable = false; services.xserver.desktopManager.gnome.enable = true;
services.gnome.core-utilities.enable = false;
services.gnome.games.enable = false; services.gnome.games.enable = false;
services.gnome.core-developer-tools.enable = false; services.gnome.core-developer-tools.enable = false;
environment.gnome.excludePackages = with pkgs; [ environment.gnome.excludePackages = with pkgs; [
@ -28,6 +29,7 @@ in
gnome-backgrounds gnome-backgrounds
gnome-bluetooth gnome-bluetooth
gnome-color-manager gnome-color-manager
gnome-control-center
gnome-shell-extensions gnome-shell-extensions
gnome-tour gnome-tour
gnome-user-docs gnome-user-docs


@ -24,32 +24,18 @@ in
resetScript = mkOption { resetScript = mkOption {
type = types.lines; type = types.lines;
description = '' description = ''
Script to run in order to reset the system to a clean state. Script to run on boot that resets the root partition.
''; '';
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Filesystem setup
fileSystems."/persist".neededForBoot = true; fileSystems."/persist".neededForBoot = true;
# boot.initrd.postResumeCommands = mkAfter cfg.resetScript; boot.initrd.postResumeCommands = mkAfter cfg.resetScript;
# TODO: Reduce dependency on the root filesystem being ZFS?
boot.initrd.systemd.services.impermanence-rollback = {
description = "Rollback filesystem to clean state.";
wantedBy = [ "initrd.target" ];
after = [ "zfs-import.target" ];
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = cfg.resetScript;
};
# For home-manager persistence # For home-manager persistence
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
# For testing purposes with VM
virtualisation.vmVariantWithDisko.virtualisation.fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist/system" = { environment.persistence."/persist/system" = {
enable = true; enable = true;
hideMounts = true; hideMounts = true;


@ -11,7 +11,5 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# TODO: Add sudo users to the networkmanager group? # TODO: Add sudo users to the networkmanager group?
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.firewall.checkReversePath = false;
}; };
} }


@ -1,44 +0,0 @@
{
inputs,
lib,
config,
...
}:
with lib;
let
cfg = config.modules.secrets;
secrets = inputs.secrets;
in
{
options.modules.secrets = {
enable = mkEnableOption "secrets";
defaultFile = mkOption {
type = types.str;
default = "${secrets}/secrets/common.enc.yaml";
description = ''
The default file to use for SOPS.
'';
};
secrets = mkOption {
type = types.attrs;
default = { };
description = ''
All secrets that should be made available.
'';
};
};
config = mkIf cfg.enable {
# Set up SOPS
# TODO: Fix the key not being present in /etc/sops before sops-nix runs
sops.defaultSopsFile = cfg.defaultFile;
sops.age.sshKeyPaths = [
"/etc/sops/sops_ed25519_key"
"/persist/system/etc/sops/sops_ed25519_key"
];
sops.secrets = cfg.secrets;
modules.impermanence.directories = [ "/etc/sops" ];
virtualisation.vmVariantWithDisko.sops.age.sshKeyPaths = [ "/tmp/shared/sops_ed25519_key" ];
};
}


@ -9,24 +9,7 @@ in
enable = mkEnableOption "ssh"; enable = mkEnableOption "ssh";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.openssh = { services.openssh.enable = true;
enable = true; # TODO: Is this default configuration secure?
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
hostKeys = mkIf (config.modules.impermanence.enable) [
{
type = "ed25519";
path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
}
{
type = "rsa";
bits = 4096;
path = "/persist/system/etc/ssh/ssh_host_rsa_key";
}
];
};
}; };
} }
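Review bot: The new side's `# TODO: Is this default configuration secure?` answers itself in the negative: with only `services.openssh.enable = true;`, the NixOS sshd settings default to password and keyboard-interactive authentication being allowed, so every account that has a password is reachable by online password guessing. Restricting logins to keys is two lines, `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`; `PermitRootLogin` already defaults to `prohibit-password` and can stay at its default. The explicit `hostKeys` paths under `/persist` also disappear on the new side, so unless `/etc/ssh` is persisted by another rule the host keys will be regenerated after each root reset and clients will see changed-host-key warnings.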


@ -1,19 +0,0 @@
{ pkgs, ... }:
with pkgs;
rustPlatform.buildRustPackage {
pname = "carla_osc_bridge";
version = "master";
src = fetchFromGitea {
domain = "git.bulthuis.dev";
owner = "Jan";
repo = "carla_osc_bridge";
rev = "c037e2d2a1b29b785d8acc10fa0cb761afdb3fcf";
hash = "sha256-Wvdfm+4dfygZwkvaUhO9w7DrrUl3ZYvtD7nYrPSD0eA=";
};
cargoHash = "sha256-s1ZKbhHudgPOy7613zbT8TkbM6B7oloLEuTYHoWjX5o=";
useFetchCargoVendor = true;
}


@ -1,82 +0,0 @@
{
fetchFromGitHub,
fetchzip,
lib,
rustPlatform,
git,
installShellFiles,
versionCheckHook,
nix-update-script,
}:
rustPlatform.buildRustPackage (final: rec {
pname = "helix";
version = "25.07.1";
# This release tarball includes source code for the tree-sitter grammars,
# which is not ordinarily part of the repository.
src = fetchFromGitHub {
owner = "helix-editor";
repo = "helix";
rev = "109c812233e442addccf1739dec4406248bd3244";
hash = "sha256-c3fpREWUKGonlmV/aesmyRxbJZQypHgXStR7SwdcCo0=";
};
grammars = fetchzip {
url = "https://github.com/helix-editor/helix/releases/download/${final.version}/helix-${final.version}-source.tar.xz";
hash = "sha256-Pj/lfcQXRWqBOTTWt6+Gk61F9F1UmeCYr+26hGdG974=";
stripRoot = false;
};
cargoHash = "sha256-g5MfCedLBiz41HMkIHl9NLWiewE8t3H2iRKOuWBmRig=";
nativeBuildInputs = [
git
installShellFiles
];
env.HELIX_DEFAULT_RUNTIME = "${placeholder "out"}/lib/runtime";
patchPhase = ''
# Add the runtime data
rm -r runtime
cp ${grammars}/languages.toml languages.toml
cp -r ${grammars}/runtime runtime
chmod -R u+w runtime
'';
postInstall = ''
# not needed at runtime
rm -r runtime/grammars/sources
mkdir -p $out/lib
cp -r runtime $out/lib
installShellCompletion contrib/completion/hx.{bash,fish,zsh}
mkdir -p $out/share/{applications,icons/hicolor/256x256/apps}
cp contrib/Helix.desktop $out/share/applications
cp contrib/helix.png $out/share/icons/hicolor/256x256/apps
'';
nativeInstallCheckInputs = [
versionCheckHook
];
versionCheckProgram = "${placeholder "out"}/bin/hx";
versionCheckProgramArg = "--version";
doInstallCheck = true;
passthru = {
updateScript = nix-update-script { };
};
meta = {
description = "Post-modern modal text editor";
homepage = "https://helix-editor.com";
changelog = "https://github.com/helix-editor/helix/blob/${final.version}/CHANGELOG.md";
license = lib.licenses.mpl20;
mainProgram = "hx";
maintainers = with lib.maintainers; [
danth
yusdacra
zowoq
];
};
})


@ -1,104 +0,0 @@
{
lib,
buildNpmPackage,
fetchFromGitHub,
makeBinaryWrapper,
makeDesktopItem,
copyDesktopItems,
nodejs_20,
electron,
python3,
nix-update-script,
}:
buildNpmPackage rec {
pname = "open-stage-control";
version = "1.29.8";
src = fetchFromGitHub {
owner = "jean-emmanuel";
repo = "open-stage-control";
rev = "v${version}";
hash = "sha256-518KXvNffLOV2aIWlLJcnPzxEbWxYdjWeiDBC1jlecQ=";
};
# Remove some Electron stuff from package.json
postPatch = ''
sed -i -e '/"electron"\|"electron-installer-debian"/d' package.json
'';
npmDepsHash = "sha256-U4zwYL5URNW0y0W4WvWAVL0hubiiU+2z9F5mDE9l8UU=";
nodejs = nodejs_20;
nativeBuildInputs = [
copyDesktopItems
makeBinaryWrapper
];
buildInputs = [
python3.pkgs.python-rtmidi
];
doInstallCheck = true;
makeCacheWritable = true;
npmFlags = [
"--legacy-peer-deps"
"--skip-pkg"
];
# Override installPhase so we can copy the only directory that matters (app)
installPhase = ''
runHook preInstall
# copy built app and node_modules directories
mkdir -p $out/lib/node_modules/open-stage-control
cp -r app $out/lib/node_modules/open-stage-control/
# copy icon
install -Dm644 resources/images/logo.png $out/share/icons/hicolor/256x256/apps/open-stage-control.png
install -Dm644 resources/images/logo.svg $out/share/icons/hicolor/scalable/apps/open-stage-control.svg
# wrap electron and include python-rtmidi
makeWrapper '${electron}/bin/electron' $out/bin/open-stage-control \
--inherit-argv0 \
--add-flags $out/lib/node_modules/open-stage-control/app \
--prefix PYTHONPATH : "$PYTHONPATH" \
--prefix PATH : '${lib.makeBinPath [ python3 ]}'
runHook postInstall
'';
installCheckPhase = ''
XDG_CONFIG_HOME="$(mktemp -d)" $out/bin/open-stage-control --help
'';
desktopItems = [
(makeDesktopItem {
name = "open-stage-control";
exec = "open-stage-control";
icon = "open-stage-control";
desktopName = "Open Stage Control";
comment = meta.description;
categories = [
"Network"
"Audio"
"AudioVideo"
"Midi"
];
startupWMClass = "open-stage-control";
})
];
passthru.updateScript = nix-update-script { };
meta = with lib; {
description = "Libre and modular OSC / MIDI controller";
homepage = "https://openstagecontrol.ammd.net/";
license = licenses.gpl3Only;
maintainers = [ ];
platforms = platforms.linux;
mainProgram = "open-stage-control";
};
}


@ -3,8 +3,6 @@
disk = { disk = {
main = { main = {
type = "disk"; type = "disk";
device = "/dev/sda";
imageSize = "32G"; # For test VMs
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@ -19,19 +17,12 @@
}; };
}; };
zfs = { zfs = {
end = "-4G"; size = "100%";
content = { content = {
type = "zfs"; type = "zfs";
pool = "tank"; pool = "tank";
}; };
}; };
swap = {
size = "100%";
content = {
type = "swap";
discardPolicy = "both";
};
};
}; };
}; };
}; };
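Review bot: The `main` disk carries no `device` on the new side of the first hunk, so this profile is only installable when the device is injected from outside, as the README's `--disk main /dev/sda` to disko-install does; nothing in the file says so. A comment on the attribute, `# device is supplied at install time via disko-install --disk main <device>`, would spare the next reader the search. The second hunk removes the swap partition, so hosts using this profile have no swap unless one is declared elsewhere.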


@ -1,65 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda"; # How do I handle this for laptops
imageSize = "64G"; # For test VMs
content = {
type = "gpt";
partitions = {
boot = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
zfs = {
end = "-16G";
content = {
type = "zfs";
pool = "tank";
};
};
swap = {
size = "100%";
content = {
type = "swap";
discardPolicy = "both";
};
};
};
};
};
};
zpool = {
tank = {
type = "zpool";
rootFsOptions = {
compression = "zstd";
};
mountpoint = null;
postCreateHook = "zfs snapshot -r tank@blank && zfs hold -r blank tank@blank";
datasets = {
root = {
type = "zfs_fs";
mountpoint = "/";
};
nix = {
type = "zfs_fs";
mountpoint = "/nix";
};
persist = {
type = "zfs_fs";
mountpoint = "/persist";
};
};
};
};
};
}


@ -1,65 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda";
imageSize = "64G"; # For test VMs
content = {
type = "gpt";
partitions = {
boot = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
zfs = {
end = "-16G";
content = {
type = "zfs";
pool = "tank";
};
};
swap = {
size = "100%";
content = {
type = "swap";
discardPolicy = "both";
};
};
};
};
};
};
zpool = {
tank = {
type = "zpool";
rootFsOptions = {
compression = "zstd";
};
mountpoint = null;
postCreateHook = "zfs snapshot -r tank@blank && zfs hold -r blank tank@blank";
datasets = {
root = {
type = "zfs_fs";
mountpoint = "/";
};
nix = {
type = "zfs_fs";
mountpoint = "/nix";
};
persist = {
type = "zfs_fs";
mountpoint = "/persist";
};
};
};
};
};
}


@ -16,15 +16,9 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
# firefox # TODO: Move to dediated module firefox # TODO: Move to dediated module
]; ];
dconf.settings = {
"org/gnome/shell" = {
disable-extension-version-validation = true;
};
};
modules = { modules = {
profiles.base.enable = true; profiles.base.enable = true;


@ -1,9 +1,7 @@
{ {
pkgs, pkgs,
pkgs-stable,
lib, lib,
config, config,
inputs,
... ...
}: }:
@ -18,141 +16,31 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [
firefox libreoffice-still
# inputs.stable-nixpkgs.legacyPackages.${config.nixpkgs.hostPlatform}.libreoffice
libreoffice
remmina remmina
thunderbird thunderbird
signal-desktop signal-desktop
prusa-slicer prusa-slicer
freecad-wayland freecad-wayland
inkscape inkscape
# ente-auth ente-auth
audacity bitwarden
carla carla
pkgs-stable.winbox winbox
# whatsapp-for-linux whatsapp-for-linux
wasistlos
discord discord
steam steam
spotify spotify
# feishin # feishin # TODO: Fix or replace as insecure
eduvpn-client eduvpn-client
river # TODO: Move
ryubing ryubing
bottles bottles
prismlauncher prismlauncher
foliate foliate
wireshark wireshark
obsidian
# devenv
# kicad
vlc
authenticator
podman
podman-compose
gnome-network-displays
gnome-logs
]; ];
programs.helix = {
enable = true;
defaultEditor = true;
# settings = {
# theme = {
# light = "adwaita-light";
# dark = "adwaita-dark";
# fallback = "default";
# };
# };
extraPackages = with pkgs; [
bash-language-server # Bash
fish-lsp # Fish
systemd-lsp # Systemd
yaml-language-server # Yaml
taplo # Toml
nixd # Nix
protols # Protobuf
dockerfile-language-server # Dockerfile
docker-compose-language-service # Docker compose
clang-tools # C, C++
neocmakelsp # Cmake
rust-analyzer # Rust
lldb # C, C++, Rust
zls # Zig
texlab # Latex
tinymist # Typst
marksman # Markdown
markdown-oxide # Markdown
vscode-langservers-extracted # HTML, CSS, JSON, ESLint
typescript-language-server # Typescript, Javascript
intelephense # PHP
vue-language-server # Vue
ruff # Python
basedpyright # Python
helix-gpt # Copilot
# texlab # Latex, Bibtex
# bibtex-tidy # Bibtex
# docker-langserver # Dockerfile
# docker-compose-langserver # Docker compose
# elixir-ls # Elixir
# gopls # Go
# golangci-lint-langserver # Go
# dlv # Go
# haskell-language-server # Haskell
# julia # Julia
# kotlin-language-server # Kotlin
# lua-language-server # Lua
# slint-lsp # Slint
# tinymist # Typst
];
languages = {
language-server = {
basedpyright = {
command = "basedpyright-langserver";
args = [ "--stdio" ];
};
tinymist = {
command = "tinymist";
config.preview.background = {
enabled = true;
args = [
"--data-plane-host=127.0.0.1:23635"
"--invert-colors=never"
"--open"
];
};
};
};
language = [
{
name = "python";
language-servers = [
{
name = "basedpyright";
except-features = [ "diagnostics" ];
}
"ruff"
];
auto-format = true;
formatter = {
command = "ruff";
args = [
"format"
"-"
];
};
}
];
};
};
modules = { modules = {
profiles.gnome.enable = true; profiles.gnome.enable = true;
@ -173,18 +61,17 @@ in
"flake.lock" "flake.lock"
]; ];
}; };
bitwarden.enable = true;
xpra = { xpra = {
enable = true; enable = true;
hosts = [ hosts = [
"mixer@10.20.40.100" "mixer@10.20.60.251"
]; ];
}; };
# Development # Development
# docker.enable = true; # docker.enable = true;
# matlab.enable = true; # matlab.enable = true;
# mathematica.enable = true; mathematica.enable = true;
# Languages # Languages
haskell.enable = false; haskell.enable = false;
@ -193,9 +80,8 @@ in
rust.enable = true; rust.enable = true;
python.enable = true; python.enable = true;
cpp.enable = true; cpp.enable = true;
tex.enable = false; tex.enable = true;
jupyter.enable = true; jupyter.enable = false;
go.enable = true;
}; };
}; };
} }


@ -1,4 +1,5 @@
{ {
mkModule,
pkgs, pkgs,
lib, lib,
config, config,
@ -19,19 +20,13 @@ in
bootloader.enable = mkDefault true; bootloader.enable = mkDefault true;
ssh.enable = mkDefault true; ssh.enable = mkDefault true;
# Setup sensible default persistent data
impermanence.directories = [ impermanence.directories = [
"/var/lib/nixos" "/var/lib/nixos"
]; ];
impermanence.files = [
# TODO: Remove the secrets module and use sops directly? "/etc/shadow"
secrets = { ];
enable = true;
secrets = {
"ssh-keys/deploy-priv" = {
path = "/root/.ssh/id_ed25519";
};
};
};
}; };
# Localization # Localization
@ -45,6 +40,9 @@ in
defaultEditor = true; defaultEditor = true;
}; };
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Enable the usage of flakes # Enable the usage of flakes
nix.settings.experimental-features = [ nix.settings.experimental-features = [
"nix-command" "nix-command"


@ -1,4 +1,5 @@
{ {
mkModule,
pkgs, pkgs,
lib, lib,
config, config,
@ -29,50 +30,17 @@ in
zfs rollback -r tank/root@blank zfs rollback -r tank/root@blank
''; '';
}; };
domain = {
enable = true;
join = {
userFile = config.sops.secrets."vm-join/user".path;
passwordFile = config.sops.secrets."vm-join/password".path;
domainOUFile = config.sops.secrets."vm-join/ou".path;
};
};
ssh.enable = true; ssh.enable = true;
}; };
# Initialize domain join secrets # Admin users
sops.secrets."vm-join/user" = { };
sops.secrets."vm-join/password" = { };
sops.secrets."vm-join/ou" = { };
# Autologin to root for access from hypervisor
services.getty.autologinUser = "root";
# Local user
sops.secrets."passwords/local-hashed".neededForUsers = true;
users.mutableUsers = false;
users.users.local = { users.users.local = {
isNormalUser = true; initialPassword = "local";
group = "local";
hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Admin" "ssh-ed25519 jan@bulthuis.dev"
]; ];
}; };
users.groups.local = { };
home-manager.users.local =
{ ... }:
{
home.stateVersion = "24.11";
modules.profiles.base.enable = true;
};
# System packages
environment.systemPackages = with pkgs; [
# TODO: Make module for utilities/scripts
(writeShellScriptBin "system-update" "nixos-rebuild switch --flake git+https://git.bulthuis.dev/Jan/nixos-config")
];
# Enable qemu guest agent # Enable qemu guest agent
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
@ -80,7 +48,7 @@ in
# Machine platform # Machine platform
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
# Set hostid (required for ZFS) # Set hostid for ZFS
networking.hostId = "deadbeef"; networking.hostId = "deadbeef";
# Hardware configuration # Hardware configuration
@ -88,22 +56,22 @@ in
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"ata_piix" "ata_piix"
"uhci_hcd" "uhci_hcd"
"virtio_net"
"virtio_pci" "virtio_pci"
"virtio_mmio"
"virtio_blk"
"virtio_scsi" "virtio_scsi"
"9p"
"9pnet_virtio"
"sd_mod" "sd_mod"
"sr_mod" "sr_mod"
]; ];
boot.kernelModules = [ boot.initrd.kernelModules = [ ];
"kvm-intel" boot.kernelModules = [ "kvm-intel" ];
"virtio_balloon" boot.extraModulePackages = [ ];
"virtio_console" hardware.cpu.intel.updateMicrocode = true;
"virtio_rng"
"virtio_gpu" # Swapfile
swapDevices = [
{
device = "/var/lib/swapfile";
size = 6 * 1024;
}
]; ];
}; };
} }
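Review bot: In the `@ -29,50 +30,17 @@` hunk the `local` account is in `wheel`, gets the fixed `initialPassword = "local"`, and its single authorized-keys entry `ssh-ed25519 jan@bulthuis.dev` is not a complete key (the base64 key body is missing), so sshd will ignore it and the well-known password becomes the only SSH login path for a sudo-capable user. At minimum paste the full public key, and since `users.mutableUsers = false` is gone on this side, treat `initialPassword` as first-boot only and change it immediately, or set a `hashedPasswordFile` instead. In the last hunk, `swapDevices` declares a 6 GiB `/var/lib/swapfile`; `/var/lib` presumably lives on `tank/root`, which the `resetScript` above rolls back to `@blank` on every boot, so the file would be re-created on each activation, and swap files on ZFS datasets are generally advised against — a swap partition (as the disko profile used to provide) or a zvol avoids both problems.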