Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
135d190b74cfb20ba83ccb62701fda15ae5ab65d
nixos/hosts/nb-epicenter/configuration.nix
Dominik Polakovics 7a142bfa34 remove clevis
2023-07-13 18:28:53 +02:00

217 lines
6.7 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
nixpkgs.config.allowUnfree = true;
imports =
[ # Include the results of the hardware scan.
# ./utils/modules/clevis.nix
./utils/modules/sops.nix
./utils/modules/nur.nix
./utils/modules/sway/sway.nix
# ./modules/gnome.nix
./utils/modules/nvim/default.nix
./utils/modules/tuxedo.nix
./utils/modules/autoupgrade.nix
# ./pkgs/howdy/howdy-module.nix
# ./pkgs/howdy/ir-toggle-module.nix
# ./modules/howdy
./utils/bento.nix
./hardware-configuration.nix
];
nixpkgs.overlays = [ (import ./utils/overlays/packages.nix) ];
# security.sudo.wheelNeedsPassword = false;
# services.clevis.uuid = "7435d48f-f942-485b-9817-328ad3fc0b93";
# nixos cross building qemu
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.supportedFilesystems = [ "ntfs" ];
# boot.plymouth.enable = true;
# boot.plymouth.theme = "breeze";
# boot.kernelParams = ["quiet"];
# boot.loader.systemd-boot.netbootxyz.enable = true;
# boot.plymouth.themePackages = [ pkgs.nixos-bgrt-plymouth ];
# boot.plymouth.theme = "nixos-bgrt";
# allow hibernation
security.protectKernelImage = false;
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1u"
"electron-13.6.9"
"nodejs-14.21.3"
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
sops.secrets.epicenter_vpn_ca = {};
sops.secrets.epicenter_vpn_cert = {};
sops.secrets.epicenter_vpn_key = {};
sops.secrets.wg_private_key = {};
sops.secrets.wg_preshared_key = {};
sops.secrets.wg-cloonar-key = {};
virtualisation.docker.enable = true;
virtualisation.virtualbox.host = {
enable = true;
enableExtensionPack = true;
};
networking.hostName = "cl-nb-01"; # Define your hostname.
networking.resolvconf.enable = true;
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
networking.extraHosts = ''
10.25.0.25 archive.zeichnemit.at epicenter.works en.epicenter.works
10.25.0.100 download.intra.epicenter.works
127.0.0.1 wohnservice.local mieterhilfe.local wohnpartner.local wohnberatung.local wienbautvor.local wienwohntbesser.local
127.0.0.1 wohnservice-wien.local mieterhilfe.local wohnpartner-wien.local wohnberatung-wien.local wienbautvor.local wienwohntbesser.local
127.0.0.1 diabetes.local
'';
# Set your time zone.
time.timeZone = "Europe/Vienna";
console.keyMap = "de";
users.users.dominik = {
isNormalUser = true;
extraGroups = [ "wheel" "disk" "video" "audio" "mysql" "docker" "vboxusers" "networkmanager" "onepassword" "onepassword-cli" "dialout" ]; # Enable sudo for the user.
};
environment.systemPackages = with pkgs; [
bento
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
docker-compose
drone-cli
wireguard-tools
libftdi1
];
environment.variables = {
TERMINAL_COMMAND = "alacritty";
};
services.blueman.enable = true;
services.printing.enable = true;
services.printing.drivers = [ pkgs.brlaser ];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureUsers = [
{
name = "dominik";
ensurePermissions = {
"*.*" = "ALL PRIVILEGES";
};
}
];
};
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "dominik";
ensurePermissions = {
"DATABASE \"zammad\"" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "zammad" ];
};
system.stateVersion = "22.11"; # Did you read the comment?
security.polkit.enable = true;
systemd = {
user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
networking.firewall = {
allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
# wireguard trips rpfilter up
extraCommands = ''
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
'';
extraStopCommands = ''
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
'';
};
# networking.wireguard.interfaces = {
# wg0 = {
# # Determines the IP address and subnet of the client's end of the tunnel interface.
# ips = [ "10.42.98.201/32" ];
# listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
#
# # Path to the private key file.
# #
# # Note: The private key can also be included inline via the privateKey option,
# # but this makes the private key world-readable; thus, using privateKeyFile is
# # recommended.
# privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
#
# peers = [
# {
# publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
# allowedIPs = [ "0.0.0.0/0" ];
# endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
# persistentKeepalive = 25;
# }
# ];
# };
# };
# Facial recognition "Windows hello"
# services.ir-toggle.enable = true;
# services.howdy = {
# enable = true;
# device = "/dev/video2";
# };
nix = {
settings.auto-optimise-store = true;
# autoOptimiseStore = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Free up to 1GiB whenever there is less than 100MiB left.
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
}
Reference in New Issue View Git Blame Copy Permalink