adtya/configuration.nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wynne: init

Browse source
This commit is contained in:
Adithya 2024-07-03 17:03:51 +05:30
parent b167f09b8f
commit 20e322b44a
Signed by: adtya
GPG key ID: B8857BFBA2C47B9C
15 changed files with 273 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -4,6 +4,7 @@ keys:
- &host_rico0 age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt - &host_rico0 age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt
- &host_rico1 age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4 - &host_rico1 age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4
- &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf - &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf
- &host_wynne age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0
creation_rules: creation_rules:
- path_regex: secrets.yaml - path_regex: secrets.yaml
key_groups: key_groups:
@ -13,3 +14,4 @@ creation_rules:
- *host_rico0 - *host_rico0
- *host_rico1 - *host_rico1
- *host_rico2 - *host_rico2
- *host_wynne

22
flake.nix
View file

@ -151,6 +151,28 @@
./hosts/rico2 ./hosts/rico2
]; ];
}; };
Wynne =
let
hostname = "Wynne";
system = "x86_64-linux";
username = "adtya";
in
nixpkgs.lib.nixosSystem {
inherit system;
pkgs = packages system;
specialArgs = { inherit inputs username; };
modules = [
{
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking.hostName = lib.mkDefault hostname;
nixpkgs.hostPlatform = lib.mkDefault system;
}
lix-module.nixosModules.default
sops-nix.nixosModules.sops
./common
./hosts/wynne
];
};
}; };
deploy.nodes = { deploy.nodes = {

28
hosts/wynne/default.nix Normal file
View file

@ -0,0 +1,28 @@
_: {
imports = [ ./hardware ./programs ./services ./network.nix ./security.nix ];
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
time.timeZone = "Asia/Kolkata";
system = {
switch = {
enable = false;
enableNg = true;
};
stateVersion = "24.05";
};
}

30
hosts/wynne/hardware/default.nix Normal file
View file

@ -0,0 +1,30 @@
{ lib, pkgs, ... }: {
imports = [ ./filesystem.nix ];
hardware = {
cpu.intel.updateMicrocode = lib.mkDefault true;
enableRedistributableFirmware = true;
};
boot = {
consoleLogLevel = 3;
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];
kernelModules = [ "i915" ];
systemd.enable = true;
};
kernelModules = [ "kvm-intel" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
kernelParams = [ "quiet" ];
kernel.sysctl = {
"vm.swappiness" = 10;
"vm.dirty_ratio" = 3;
};
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
supportedFilesystems = [ "vfat" "btrfs" "ext4" ];
};
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

40
hosts/wynne/hardware/filesystem.nix Normal file
View file

@ -0,0 +1,40 @@
_: {
fileSystems = {
"/" = {
device = "/dev/disk/by-partlabel/WYNNE_ROOT";
fsType = "btrfs";
options = [ "subvol=@root" "compress-force=zstd" "noatime" ];
neededForBoot = true;
};
"/nix" = {
device = "/dev/disk/by-partlabel/WYNNE_ROOT";
fsType = "btrfs";
options = [ "subvol=@nix" "compress-force=zstd" "noatime" ];
neededForBoot = true;
};
"/persist" = {
device = "/dev/disk/by-partlabel/WYNNE_ROOT";
fsType = "btrfs";
options = [ "subvol=@persist" "compress-force=zstd" "noatime" ];
neededForBoot = true;
};
"/mnt/system" = {
device = "/dev/disk/by-partlabel/WYNNE_ROOT";
fsType = "btrfs";
options = [ "subvol=/" "compress-force=zstd" "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-partlabel/WYNNE_BOOT";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
swapDevices = [
{ device = "/dev/disk/by-partlabel/WYNNE_SWAP"; }
];
}

27
hosts/wynne/network.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
networking = {
nameservers = [
"2620:fe::fe#dns.quad9.net"
"9.9.9.9#dns.quad9.net"
"2620:fe::9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
];
networkmanager = {
enable = true;
dhcp = "dhcpcd";
dns = "systemd-resolved";
};
useDHCP = lib.mkDefault false;
};
services.resolved = {
enable = true;
dnssec = "true";
dnsovertls = "true";
domains = [ "~." ];
fallbackDns = [ ];
};
}

17
hosts/wynne/programs/default.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, ... }: {
imports = [
./neovim.nix
./starship.nix
./zsh.nix
];
programs.git.enable = true;
environment.systemPackages = with pkgs; [
sops
age
libraspberrypi
raspberrypi-eeprom
];
}

8
hosts/wynne/programs/neovim.nix Normal file
View file

@ -0,0 +1,8 @@
_: {
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
}

8
hosts/wynne/programs/starship.nix Normal file
View file

@ -0,0 +1,8 @@
_: {
programs.starship = {
enable = true;
settings = {
add_newline = false;
};
};
}

10
hosts/wynne/programs/zsh.nix Normal file
View file

@ -0,0 +1,10 @@
_: {
programs = {
zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
};
};
environment.pathsToLink = [ "/share/zsh" ];
}

9
hosts/wynne/security.nix Normal file
View file

@ -0,0 +1,9 @@
_: {
security = {
sudo = {
wheelNeedsPassword = false;
};
polkit.enable = true;
rtkit.enable = true;
};
}

6
hosts/wynne/services/btrfs.nix Normal file
View file

@ -0,0 +1,6 @@
_: {
services.btrfs.autoScrub = {
enable = true;
fileSystems = [ "/mnt/system" ];
};
}

3
hosts/wynne/services/default.nix Normal file
View file

@ -0,0 +1,3 @@
_: {
imports = [ ./btrfs.nix ./ssh.nix ];
}

21
hosts/wynne/services/ssh.nix Normal file
View file

@ -0,0 +1,21 @@
_: {
services.openssh = {
enable = true;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
hostKeys = [
{
path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
type = "rsa";
bits = "4096";
}
];
};
}

42
hosts/wynne/wireguard.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, ... }: {
sops.secrets = {
"wireguard/wynne/pk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
"wireguard/wynne/psk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
ips = [
"10.10.10.13/24"
"fd7c:585c:c4ae::13/64"
];
listenPort = 51833;
privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
peers = [
{
name = "Proxy";
endpoint = "165.232.180.97:51821";
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
presharedKeyFile = config.sops.secrets."wireguard/wynne/psk".path;
persistentKeepalive = 20;
allowedIPs = [
"10.10.10.0/24"
"fd7c:585c:c4ae::0/64"
];
}
];
};
};
};
}