From d30315a050f33074ed02d47c6f514fe7178837c2 Mon Sep 17 00:00:00 2001 From: nathan mccarty Date: Sat, 2 Jul 2022 02:44:43 -0400 Subject: [PATCH] Fix incorrect merging logic --- .sops.yaml | 7 +- flake.nix | 11 +- home-manager/machines/levitation.nix | 41 ++ home-manager/programs/core.nix | 405 ++++++++++---------- home-manager/programs/devel.nix | 15 +- modules/default.nix | 3 +- modules/desktop.nix | 147 +++---- modules/linux/base.nix | 70 ++-- modules/programs/utils.nix | 124 +++--- modules/services/tailscale.nix | 1 + modules/swaywm.nix | 2 +- modules/user.nix | 47 +-- modules/virtualization.nix | 32 +- secrets/{ => all}/backblaze.yaml | 0 secrets/{nathan.yaml => all/tailscale.yaml} | 0 15 files changed, 490 insertions(+), 415 deletions(-) create mode 100644 home-manager/machines/levitation.nix rename secrets/{ => all}/backblaze.yaml (100%) rename secrets/{nathan.yaml => all/tailscale.yaml} (100%) diff --git a/.sops.yaml b/.sops.yaml index 697fd1d..aed779b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,7 +7,7 @@ keys: - &shadowchild age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla - &matrix age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d creation_rules: - - path_regex: .* + - path_regex: secrets/all/.* key_groups: - age: - *nathan @@ -16,3 +16,8 @@ creation_rules: - *perception - *shadowchild - *matrix + - path_regex: secrets/levitation + key_groups: + - age: + - *nathan + - *levitation diff --git a/flake.nix b/flake.nix index 5870f83..fb4c689 100644 --- a/flake.nix +++ b/flake.nix @@ -80,7 +80,6 @@ # Setup sops # Add default secrets sops = { - defaultSopsFile = ./secrets/nathan.yaml; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; }; nixpkgs.config.allowUnfree = true; @@ -131,6 +130,7 @@ config = { isDesktop = true; nix.autoUpdate = false; + harden = false; }; }; # Configure networking 
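Review bot: The new `path_regex` values are unanchored, so `secrets/all/.*` and `secrets/levitation` match that substring anywhere in a path and sops applies the first rule that matches; anchor them as `path_regex: ^secrets/all/` and `path_regex: ^secrets/levitation/` so a file can only ever hit the rule for its own directory. Changing creation_rules does not re-encrypt files that already exist — run `sops updatekeys` on the two renamed files (and on anything later placed under `secrets/levitation/`) if their recipient set differs from the old `.*` rule. The `*levitation` alias is defined above this hunk and cannot be checked from here.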
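Review bot: Removing `defaultSopsFile` means every `sops.secrets.<name>` must now carry its own `sopsFile`, or evaluation fails on an undefined `sops.defaultSopsFile`; this commit sets it for the tailscale secret, but `secrets/all/backblaze.yaml` is only renamed here, and any module that declares a secret from it without `sopsFile` (not visible in this diff) will stop building. Worth a grep for `sops.secrets` before merging, and, since `secrets/nathan.yaml` was the former default file, confirming it holds nothing but the tailscale key now that it is named `tailscale.yaml`.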
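Review bot: `harden = false` is set without a comment, yet it has effects well beyond this file: modules/user.nix computes `mutableUsers = !(nc.installUser && nc.harden)`, so levitation keeps mutable users, and modules/linux/base.nix swaps the nixpkgs hardened profile for a zen kernel when `harden` is off. A one-line note such as `harden = false; # desktop: zen kernel + mutable users instead of the hardened profile` records that this trade-off is deliberate rather than an oversight.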
@@ -149,14 +149,7 @@ # FIXME borg backup module # Setup home manager - home-manager.users.nathan = { config, lib, pkgs, ... }: { - # Module configuration - nathan = { - config = { - isDesktop = true; - }; - }; - }; + home-manager.users.nathan = import ./home-manager/machines/levitation.nix; }) ]; }; diff --git a/home-manager/machines/levitation.nix b/home-manager/machines/levitation.nix new file mode 100644 index 0000000..4f78a0e --- /dev/null +++ b/home-manager/machines/levitation.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +{ + nathan = { + config = { + isDesktop = true; + }; + }; + + # Sway outputs + wayland.windowManager.sway.config = { + output = { + DP-1 = { + pos = "0 140"; + scale = "1"; + subpixel = "rgb"; + }; + DP-3 = { + pos = "2560 0"; + scale = "1.25"; + subpixel = "rgb"; + }; + HDMI-A-1 = { + pos = "5632 140"; + scale = "1"; + subpixel = "rgb"; + }; + }; + startup = [ + # GLPaper + { command = "glpaper DP-1 ${../../custom-files/sway/selen.frag} --fork"; } + { command = "glpaper DP-3 ${../../custom-files/sway/selen.frag} --fork"; } + { command = "glpaper HDMI-A-1 ${../../custom-files/sway/selen.frag} --fork"; } + ]; + }; + # Mako output configuration + programs.mako = { + # Lock mako notifs to main display + output = "DP-3"; + }; +} diff --git a/home-manager/programs/core.nix b/home-manager/programs/core.nix index ec5da81..a3eeb94 100644 --- a/home-manager/programs/core.nix +++ b/home-manager/programs/core.nix 
@@ -1,215 +1,218 @@ { config, lib, pkgs, ... }: -let - nathan = config.nathan; -in with lib; { - config = { - ######################### - ## SSH Configuration - ######################### - programs.ssh = mkIf nathan.programs.util.ssh { - # SSH configuration - enable = true; - # extra config to set the ciphers - extraConfig = '' - Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - ''; - # enable session reuse - controlMaster = "auto"; - controlPersist = "10m"; - # Configure known hosts - matchBlocks = { - "levitation" = { - forwardAgent = true; - user = "nathan"; - hostname = "100.95.223.6"; + config = mkMerge [ + (mkIf config.nathan.programs.util.git.enable { + ######################### + ## Git configuration + ######################### + programs.git = { + enable = true; + package = pkgs.gitAndTools.gitFull; + userName = "Nathan McCarty"; + userEmail = "nathan@mccarty.io"; + signing = { + key = "B7A40A5D78C08885"; + signByDefault = config.nathan.programs.util.git.gpgSign; }; - "perception" = { - forwardAgent = true; - user = "nathan"; - hostname = "100.67.146.101"; - }; - "oracles" = { - forwardAgent = true; - user = "nathan"; - hostname = "100.66.15.34"; - }; - "tounge" = { - forwardAgent = true; - user = "nathan"; - hostname = "172.23.98.121"; - }; - "shadowchild" = { - forwardAgent = true; - user = "nathan"; - hostname = "172.23.217.149"; - }; - "matrix.community.rs" = { - forwardAgent = true; - user = "nathan"; - hostname = "100.113.74.107"; - }; - "de1955" = { - user = "de1955"; - hostname = "de1955.rsync.net"; + ignores = [ + "**/*~" + "*~" + "*_archive" + "/auto/" + "auto-save-list" + ".cask/" + ".dir-locals.el" + "dist/" + "**/.DS_Store" + "*.elc" + "/elpa/" + "/.emacs.desktop" + "/.emacs.desktop.lock" + "/eshell/history" + "/eshell/lastdir" + "flycheck_*.el" + "*_flymake.*" + "/network-security.data" + ".org-id-locations" + ".persp" + ".projectile" + "*.rel" + "/server/" + "tramp" + 
"\\#*\\#" + ]; + delta.enable = true; + lfs.enable = true; + extraConfig = { + init = { + defaultBranch = "trunk"; + }; + log = { + showSignature = true; + abbrevCommit = true; + follow = true; + decorate = false; + }; + rerere = { + enable = true; + autoupdate = true; + }; + merge = { + ff = "only"; + conflictstyle = "diff3"; + }; + push = { + default = "simple"; + followTags = true; + }; + pull = { + rebase = true; + }; + status = { + showUntrackedFiles = "all"; + }; + transfer = { + fsckobjects = true; + }; + color = { + ui = "auto"; + }; + diff = { + mnemonicPrefix = true; + renames = true; + wordRegex = "."; + submodule = "log"; + }; + credential = { + helper = "cache"; + }; + # Disable annoying safe directory nonsense + safe = { + directory = "*"; + }; }; }; - }; - ######################### - ## Fish Configuration - ######################### - programs.fish = mkIf nathan.programs.util.fish { - enable = true; - # Setup our aliases - shellAliases = { - ls = "exa --icons"; - la = "exa --icons -a"; - lg = "exa --icons --git"; - cat = "bat"; - dig = "dog"; - df = "duf"; - }; - # Custom configuration - interactiveShellInit = '' - # Setup any-nix-shell - any-nix-shell fish --info-right | source - # Load logger function - source ~/.config/fish/functions/cmdlogger.fish - ''; - functions = { - # Setup command logging to ~/.logs - cmdlogger = { - onEvent = "fish_preexec"; - body = '' - mkdir -p ~/.logs - echo (date -u +"%Y-%m-%dT%H:%M:%SZ")" "(echo %self)" "(pwd)": "$argv >> ~/.logs/(hostname)-(date "+%Y-%m-%d").log - ''; + }) + (mkIf config.nathan.programs.util.ssh { + ######################### + ## SSH Configuration + ######################### + programs.ssh = { + # SSH configuration + enable = true; + # extra config to set the ciphers + extraConfig = '' + Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + ''; + # enable session reuse + controlMaster = "auto"; + controlPersist = "10m"; + # Configure 
known hosts + matchBlocks = { + "levitation" = { + forwardAgent = true; + user = "nathan"; + hostname = "100.95.223.6"; + }; + "perception" = { + forwardAgent = true; + user = "nathan"; + hostname = "100.67.146.101"; + }; + "oracles" = { + forwardAgent = true; + user = "nathan"; + hostname = "100.66.15.34"; + }; + "tounge" = { + forwardAgent = true; + user = "nathan"; + hostname = "172.23.98.121"; + }; + "shadowchild" = { + forwardAgent = true; + user = "nathan"; + hostname = "172.23.217.149"; + }; + "matrix.community.rs" = { + forwardAgent = true; + user = "nathan"; + hostname = "100.113.74.107"; + }; + "de1955" = { + user = "de1955"; + hostname = "de1955.rsync.net"; + }; }; }; - }; - programs.starship = mkIf nathan.programs.util.fish { - enable = true; - settings = { - directory = { - truncation_length = 3; - fish_style_pwd_dir_length = 1; + }) + (mkIf config.nathan.programs.util.fish { + ######################### + ## Fish Configuration + ######################### + programs.fish = { + enable = true; + # Setup our aliases + shellAliases = { + ls = "exa --icons"; + la = "exa --icons -a"; + lg = "exa --icons --git"; + cat = "bat"; + dig = "dog"; + df = "duf"; }; - git_commit = { - commit_hash_length = 6; - only_detached = false; - }; - package = { - symbol = ""; - }; - time = { - disabled = false; - format = "[$time]($style)"; - time_format = "%I:l%M %p"; + # Custom configuration + interactiveShellInit = '' + # Setup any-nix-shell + any-nix-shell fish --info-right | source + # Load logger function + source ~/.config/fish/functions/cmdlogger.fish + ''; + functions = { + # Setup command logging to ~/.logs + cmdlogger = { + onEvent = "fish_preexec"; + body = '' + mkdir -p ~/.logs + echo (date -u +"%Y-%m-%dT%H:%M:%SZ")" "(echo %self)" "(pwd)": "$argv >> ~/.logs/(hostname)-(date "+%Y-%m-%d").log + ''; + }; }; }; - }; - - ######################### - ## Git configuration - ######################### - programs.git = mkIf nathan.programs.util.git.enable { - enable = true; 
- package = pkgs.gitAndTools.gitFull; - userName = "Nathan McCarty"; - userEmail = "nathan@mccarty.io"; - signing = { - key = "B7A40A5D78C08885"; - signByDefault = nathan.programs.util.git.gpgSign; + programs.starship = { + enable = true; + settings = { + directory = { + truncation_length = 3; + fish_style_pwd_dir_length = 1; + }; + git_commit = { + commit_hash_length = 6; + only_detached = false; + }; + package = { + symbol = ""; + }; + time = { + disabled = false; + format = "[$time]($style)"; + time_format = "%I:%M %p"; + }; + }; }; - ignores = [ - "**/*~" - "*~" - "*_archive" - "/auto/" - "auto-save-list" - ".cask/" - ".dir-locals.el" - "dist/" - "**/.DS_Store" - "*.elc" - "/elpa/" - "/.emacs.desktop" - "/.emacs.desktop.lock" - "/eshell/history" - "/eshell/lastdir" - "flycheck_*.el" - "*_flymake.*" - "/network-security.data" - ".org-id-locations" - ".persp" - ".projectile" - "*.rel" - "/server/" - "tramp" - "\\#*\\#" + }) + (mkIf config.nathan.programs.util.json { + ######################### + ## JSON Utilities + ######################### + programs.jq = { + enable = true; + }; + home.packages = with pkgs; [ + jc + fx ]; - delta.enable = true; - lfs.enable = true; - extraConfig = { - init = { - defaultBranch = "trunk"; - }; - log = { - showSignature = true; - abbrevCommit = true; - follow = true; - decorate = false; - }; - rerere = { - enable = true; - autoupdate = true; - }; - merge = { - ff = "only"; - conflictstyle = "diff3"; - }; - push = { - default = "simple"; - followTags = true; - }; - pull = { - rebase = true; - }; - status = { - showUntrackedFiles = "all"; - }; - transfer = { - fsckobjects = true; - }; - color = { - ui = "auto"; - }; - diff = { - mnemonicPrefix = true; - renames = true; - wordRegex = "."; - submodule = "log"; - }; - credential = { - helper = "cache"; - }; - # Disable annoying safe directory nonsense - safe = { - directory = "*"; - }; - }; - }; - } // mkIf nathan.programs.util.json { - ######################### - ## JSON Utilities - 
######################### - programs.jq = mkIf nathan.programs.util.json { - enable = true; - }; - home.packages = with pkgs; [ - jc - fx - ]; - }; + }) + ]; } diff --git a/home-manager/programs/devel.nix b/home-manager/programs/devel.nix index 1dfcbb8..c07ca6c 100644 --- a/home-manager/programs/devel.nix +++ b/home-manager/programs/devel.nix @@ -6,7 +6,7 @@ let in with lib; with nLib; { - config = + config = mkMerge [ # Core development utilites (mkIf devel.core { home.packages = with pkgs; @@ -44,7 +44,7 @@ with lib; with nLib; { }; }) # Rust development - // (mkIf devel.rust { + (mkIf devel.rust { home.packages = with pkgs; [ # Rustup for having the compiler around rustup @@ -68,7 +68,7 @@ with lib; with nLib; { ]; }) # JVM Development - // (mkIf devel.jvm { + (mkIf devel.jvm { home.packages = with unstable; [ inputs.java.packages."${pkgs.system}".semeru-stable gradle @@ -79,14 +79,14 @@ with lib; with nLib; { ]; }) # Python Development - // (mkIf devel.python { + (mkIf devel.python { home.packages = with pkgs; [ python3Full nodePackages.pyright ]; }) # JavaScript/TypeScript Development - // (mkIf devel.js { + (mkIf devel.js { home.packages = with unstable; [ nodejs yarn @@ -95,12 +95,13 @@ with lib; with nLib; { ]; }) # Raku Development - // (mkIf devel.raku { + (mkIf devel.raku { home.packages = with pkgs; [ rakudo zef ]; - }); + }) + ]; } diff --git a/modules/default.nix b/modules/default.nix index 4fa363b..fc01c2a 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -9,6 +9,7 @@ in ./desktop.nix ./swaywm.nix ./hardware.nix + ./virtualization.nix ./programs/games.nix ./programs/gpg.nix ./programs/utils.nix 
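Review bot: `safe.directory = "*"` on the new side switches off git's repository-ownership check for every path, so a checkout owned by another user (a mounted drive, a shared clone under /tmp, a container bind mount) can ship `core.hooksPath`, `core.fsmonitor` or similar config that runs as `nathan` the moment any git command is executed inside it — this is exactly what the CVE-2022-24765 check guards against. List the specific trusted paths instead, e.g. `safe = { directory = [ "/mnt/data/repo" ]; };`, and say in the comment why each is trusted. Two smaller points in the same hunk: `forwardAgent = true` on every match block lets each of those hosts use your agent for the length of the session, so enable it only where you actually hop onward; and the fish `cmdlogger` writes every full command line, including any token passed as an argument, to plaintext files under ~/.logs, so create that directory with `mkdir -p -m 700 ~/.logs`.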
@@ -81,7 +82,7 @@ in harden = mkEnableOptionT "Apply system hardening"; # Enable audio subsystem # On by default if the system is a desktop - audio = mkDefaultOption "audio" config.nathan.conifg.isDesktop; + audio = mkDefaultOption "audio" config.nathan.config.isDesktop; # Basic grub configuration # Off by default setupGrub = mkEnableOption "Setup grub"; diff --git a/modules/desktop.nix b/modules/desktop.nix index a5d780d..8375856 100644 --- a/modules/desktop.nix +++ b/modules/desktop.nix 
@@ -4,77 +4,82 @@ let in with lib; { # Generic desktop configuration - config = mkIf nc.isDesktop - { - # Ergodox - environment.systemPackages = with pkgs; [ - wally-cli + config = mkMerge [ + (mkIf nc.isDesktop + { + # Ergodox + environment.systemPackages = with pkgs; [ + wally-cli + ]; + hardware.keyboard.zsa.enable = true; + # Configure grub if configured + }) + (mkIf nc.setupGrub { + ## Boot, drivers, and host name + # Use grub + boot.loader = { + grub = { + enable = true; + version = 2; + efiSupport = true; + # Go efi only + devices = [ "nodev" ]; + # Use os-prober + useOSProber = true; + }; + efi = { + efiSysMountPoint = "/boot/"; + canTouchEfiVariables = false; + }; + }; + # Configure audio + }) + (mkIf nc.audio { + # Disable normal audio subsystem explicitly + sound.enable = false; + # Turn on rtkit, so that audio processes can be upgraded to real time + security.rtkit.enable = true; + # Turn on pipewire + services.pipewire = { + enable = true; + # Turn on all the emulation layers + alsa = { + enable = true; + support32Bit = true; + }; + pulse.enable = true; + jack.enable = true; + }; + # Turn on bluetooth services + services.blueman.enable = true; + hardware.bluetooth = { + enable = true; + package = pkgs.bluezFull; + }; + # Add pulse audio packages, but do not enable them + environment.systemPackages = with pkgs;[ + pulseaudio + pavucontrol + noisetorch ]; - hardware.keyboard.zsa.enable = true; - # Configure grub if configured - } // mkIf nc.setupGrub { - ## Boot, drivers, and host name - # Use grub - boot.loader = { - grub = { - enable = true; - version = 2; - efiSupport = true; - # Go efi only - devices = [ "nodev" ]; - # Use os-prober - useOSProber = true; + # Add noisetorch for microphone noise canceling + programs.noisetorch = { + enable = true; # TODO: https://github.com/noisetorch/NoiseTorch/releases/tag/0.11.6 }; - efi = { - efiSysMountPoint = "/boot/"; - canTouchEfiVariables = false; - }; - }; - # Configure audio - } // mkIf nc.audio { - # 
Disable normal audio subsystem explicitly - sound.enable = false; - # Turn on rtkit, so that audio processes can be upgraded to real time - security.rtkit.enable = true; - # Turn on pipewire - services.pipewire = { - enable = true; - # Turn on all the emulation layers - alsa = { - enable = true; - support32Bit = true; - }; - pulse.enable = true; - jack.enable = true; - }; - # Turn on bluetooth services - services.blueman.enable = true; - hardware.bluetooth = { - enable = true; - package = pkgs.bluezFull; - }; - # Add pulse audio packages, but do not enable them - environment.systemPackages = with pkgs;[ - pulseaudio - pavucontrol - noisetorch - ]; - # Add noisetorch for microphone noise canceling - programs.noisetorch = { - enable = true; # TODO: https://github.com/noisetorch/NoiseTorch/releases/tag/0.11.6 - }; - # Configure fonts - } // mkIf nc.fonts { - fonts.fonts = with pkgs; [ - ## Monospace Fonts - # FiraCode with nerd-fonts patch, as well as fira-code symbols for emacs - (nerdfonts.override { fonts = [ "FiraCode" ]; }) - fira-code-symbols - fira - # Proportional - roboto - liberation_ttf - noto-fonts - ]; - }; + # Configure fonts + }) + (mkIf nc.fonts { + fonts.fonts = with pkgs; [ + ## Monospace Fonts + # FiraCode with nerd-fonts patch, as well as fira-code symbols for emacs + (nerdfonts.override { fonts = [ "FiraCode" ]; }) + fira-code-symbols + fira + # Proportional + roboto + liberation_ttf + noto-fonts + ]; + }) + ]; } diff --git a/modules/linux/base.nix b/modules/linux/base.nix index 29cb9d8..46e36e8 100644 --- a/modules/linux/base.nix +++ b/modules/linux/base.nix 
@@ -1,34 +1,46 @@ { config, lib, pkgs, inputs, ... }@attrs: with lib; { - config = mkIf pkgs.stdenv.isLinux - ({ - zramSwap = mkIf config.nathan.servics.zramSwap - { - enable = true; - algorithm = "lz4"; - memoryPercent = 25; + config = mkMerge [ + (mkIf pkgs.stdenv.isLinux + { + zramSwap = mkIf config.nathan.services.zramSwap + { + enable = true; + algorithm = "lz4"; + memoryPercent = 25; + }; + nix = mkIf config.nathan.config.nix.autoGC { + autoOptimiseStore = true; }; - nix = mkIf config.nathan.config.nix.autoGC { - autoOptimiseStore = true; - }; - } // mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs)) - // mkIf (config.nathan.config.installUser && pkgs.stdenv.isLinux) - { - # System must be for us :v - networking.domain = "mccarty.io"; - } - // mkIf - (config.nathan.config.nix.autoUpdate && pkgs.stdenv.isLinux) - { - # Auto update daily at 2 am - system.autoUpgrade = { - enable = true; - allowReboot = true; - # Update from the flake - flake = "github:nathans-flakes/system"; - # Attempt to update daily at 2AM - dates = "2:00"; - }; - }; + }) + (mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs)) + (mkIf ((! config.nathan.config.harden) && config.nathan.config.isDesktop) { + # Use the zen kernel with muqss turned on + boot.kernelPackages = + let + linuxZenWMuQSS = pkgs.linuxPackagesFor (pkgs.linuxPackages_zen.kernel.override { + structuredExtraConfig = with lib.kernel; { + SCHED_MUQSS = yes; + }; + ignoreConfigErrors = true; + } + ); + in + linuxZenWMuQSS; + }) + (mkIf + (config.nathan.config.nix.autoUpdate && pkgs.stdenv.isLinux) + { + # Auto update daily at 2 am + system.autoUpgrade = { + enable = true; + allowReboot = true; + # Update from the flake + flake = "github:nathans-flakes/system"; + # Attempt to update daily at 2AM + dates = "2:00"; + }; + }) + ]; } 
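Review bot: The hardened-profile entry and the new zen/MuQSS entry are the only elements of this `mkMerge` without a `pkgs.stdenv.isLinux` guard; the old code wrapped the hardened import inside `mkIf pkgs.stdenv.isLinux`, so this commit widens it, and a non-Linux host with `isDesktop` or `harden` set would now evaluate `boot.kernelPackages` or the NixOS profile and fail. Fold the guard back in, e.g. `(mkIf (pkgs.stdenv.isLinux && config.nathan.config.harden) (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs))` and `(mkIf (pkgs.stdenv.isLinux && !config.nathan.config.harden && config.nathan.config.isDesktop) { ... })`. `ignoreConfigErrors = true` also hides the case where `SCHED_MUQSS` is not a symbol the pinned zen kernel knows — recent zen releases appear not to carry MuQSS — in which case the override is silently a no-op; drop the flag so a missing symbol fails the build, or comment why it is needed.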
diff --git a/modules/programs/utils.nix b/modules/programs/utils.nix index b1e3751..afba516 100644 --- a/modules/programs/utils.nix +++ b/modules/programs/utils.nix 
@@ -4,66 +4,70 @@ let in with lib; { - config = mkIf nathan.programs.utils.core - { + config = mkMerge [ + (mkIf nathan.programs.utils.core + { + environment.systemPackages = with pkgs; [ + # Basic command line utilities + wget + tmux + nano + unzip + any-nix-shell + htop + # Rust rewrites of common shell utilities + starship + exa + bat + fd + sd + du-dust + ripgrep + ripgrep-all + hyperfine + bottom + dogdns + duf + # User friendly cut + choose + # Man but terse + tealdeer + # For nslookup + dnsutils + # Mosh for better high-latency ssh + mosh + # PV for viewing pipes + pv + ]; + }) + (mkIf nathan.programs.utils.productivity { environment.systemPackages = with pkgs; [ - # Basic command line utilities - wget - tmux - nano - unzip - any-nix-shell - htop - # Rust rewrites of common shell utilities - starship - exa - bat - fd - sd - du-dust - ripgrep - ripgrep-all - hyperfine - bottom - dogdns - duf - # User friendly cut - choose - # Man but terse - tealdeer - # For nslookup - dnsutils - # Mosh for better high-latency ssh - mosh - # PV for viewing pipes - pv + # Feh image viewer + feh + tokei + # Spell check + hunspell + hunspellDicts.en-us + # CLI Markdown renderer + glow + # Command line file manager + broot + # Much better curl + httpie + # CLI spreadsheets + visidata + # Cheatsheet manager + cheat + # Ping with a graph + gping + # Pandoc for documentation + pandoc ]; - } // mkIf nathan.programs.utils.productivity { - environment.systemPackages = with pkgs; [ - # Feh image viewer - feh - tokei - # Spell check - hunspell - hunspellDicts.en-us - # CLI Markdown renderer - glow - # Command line file manager - broot - # Much better curl - httpie - # CLI spreadsheets - visidata - # Cheatsheet manager - cheat - # Ping with a graph - gping - # Pandoc for documentation - pandoc - ]; - } // mkIf nathan.programs.utils.binfmt { - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; - }; + }) + (mkIf nathan.programs.utils.binfmt { + boot.binfmt.emulatedSystems = [ + 
"aarch64-linux" + ]; + }) + ]; } diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix index 49291e4..b37a408 100644 --- a/modules/services/tailscale.nix +++ b/modules/services/tailscale.nix @@ -16,6 +16,7 @@ with lib; # Setup sops sops.secrets."tailscale-auth" = { + sopsFile = ../../secrets/all/tailscale.yaml; format = "yaml"; }; diff --git a/modules/swaywm.nix b/modules/swaywm.nix index 8507259..bf7c64c 100644 --- a/modules/swaywm.nix +++ b/modules/swaywm.nix @@ -8,7 +8,7 @@ with lib; # Turn on GDM for login services.xserver = { enable = true; - autorun = true; + autorun = false; displayManager = { gdm = { enable = true; diff --git a/modules/user.nix b/modules/user.nix index 0d59f20..165778c 100644 --- a/modules/user.nix +++ b/modules/user.nix 
@@ -8,28 +8,31 @@ with lib; { # If we install the user and the system is hardended, then disable mutable users mutableUsers = !(nc.installUser && nc.harden); # Configure our user, if enabled - users."${nc.user}" = mkIf nc.installUser - { - # Darwin is special - home = if pkgs.stdenv.isDarwin then "/Users/nathan" else "/home/nathan"; - description = "Nathan McCarty"; - shell = pkgs.fish; - # Linux specific configuration next - } // mkIf (nc.installUser && pkgs.stdenv.isLinux) { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" "audio" "docker" "libvirtd" "uinput" "adbusers" "plugdev" ]; - hashedPassword = "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58."; - openssh.authorizedKeys.keys = [ - # yubikey ssh key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515" - # Macbook pro key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBfkO7kq37RQMT8UE8zQt/vP4Ub7kizLw6niToJwAIe nathan@Nathans-MacBook-Pro.local" - # Phone key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILY7KmG/eFm3hgTx7GBB5jNrV/yryg5C6xcgCxFQhn+o JuiceSSH" - # Tablet key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd+LlxJnluU0xvIMRIz74iypKfcSpQ5/7y2SB4c6SFY JuiceSSH" - ]; - }; + users."${nc.user}" = mkMerge [ + (mkIf nc.installUser + { + # Darwin is special + home = if pkgs.stdenv.isDarwin then "/Users/nathan" else "/home/nathan"; + description = "Nathan McCarty"; + shell = pkgs.fish; + # Linux specific configuration next + }) + (mkIf (nc.installUser && pkgs.stdenv.isLinux) { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" "audio" "docker" "libvirtd" "uinput" "adbusers" "plugdev" ]; + hashedPassword = "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58."; + openssh.authorizedKeys.keys = [ + # yubikey ssh key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515" + # Macbook pro 
key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBfkO7kq37RQMT8UE8zQt/vP4Ub7kizLw6niToJwAIe nathan@Nathans-MacBook-Pro.local" + # Phone key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILY7KmG/eFm3hgTx7GBB5jNrV/yryg5C6xcgCxFQhn+o JuiceSSH" + # Tablet key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd+LlxJnluU0xvIMRIz74iypKfcSpQ5/7y2SB4c6SFY JuiceSSH" + ]; + }) + ]; }; # If we install the user, enable sudo security.sudo.enable = mkDefault nc.installUser; diff --git a/modules/virtualization.nix b/modules/virtualization.nix index e5719b4..d8fc76a 100644 --- a/modules/virtualization.nix +++ b/modules/virtualization.nix @@ -4,22 +4,27 @@ let in with lib; { - config = mkIf nc.virtualization.qemu { - # Enable the kernel modules - boot.kernelModules = [ "kvm-amd" "kvm-intel" ]; - # Enable libvirt - virtualisation.libvirtd.enable = true; - # Install virt-manager - environment.systemPackages = with pkgs; [ - virtmanager - ] // mkIf nc.virtualization.docker { + config = mkMerge [ + (mkIf nc.virtualization.qemu + { + # Enable the kernel modules + boot.kernelModules = [ "kvm-amd" "kvm-intel" ]; + # Enable libvirt + virtualisation.libvirtd.enable = true; + # Install virt-manager + environment.systemPackages = with pkgs; [ + virtmanager + ]; + }) + (mkIf nc.virtualization.docker { # Enable docker virtualisation.docker = { enable = true; # Automatically prune to keep things lean autoPrune.enable = true; }; - } // mkIf nc.virtualization.lxc { + }) + (mkIf nc.virtualization.lxc { virtualisation.lxd = { enable = true; recommendedSysctlSettings = true; @@ -27,7 +32,8 @@ with lib; users.users.${nc.user} = mkIf nc.installUser { extraGroups = [ "lxd" ]; }; - } // mkIf nc.virtualization.nixos { + }) + (mkIf nc.virtualization.nixos { # Setup networking for nixos containers networking = { nat = { @@ -35,6 +41,6 @@ with lib; internalInterfaces = [ "ve-+" ]; }; }; - }; - }; + }) + ]; } 
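Review bot: `hashedPassword` commits the sha512-crypt hash of the login password to the repository, and since base.nix auto-updates from `github:nathans-flakes/system` this repo is presumably public, which leaves the hash open to offline cracking; move it into sops (`hashedPasswordFile = config.sops.secrets."nathan-password".path;` with the secret declared `neededForUsers = true`, if the pinned sops-nix has that option) and rotate the password afterwards. `home` also hardcodes `nathan` while the attribute key is `${nc.user}`; `"/home/${nc.user}"` keeps the two in step. Finally, `docker` and `libvirtd` membership is root-equivalent in practice, so with `wheel` already granted a short comment to that effect saves the next reader wondering whether the list was meant to be minimal.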
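Review bot: This module is imported by modules/default.nix for the first time in this same commit, so the docker, libvirtd and lxd enablement below becomes live on every host whose `nc.virtualization.*` flags are set, where before it was dead configuration; whether each host wants dockerd and libvirtd running is not visible here and is worth confirming per machine. With `docker` group membership already granted in user.nix, `virtualisation.docker.rootless` would keep that daemon out of root where the workloads allow it, but that is a judgement call rather than a defect.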
diff --git a/secrets/backblaze.yaml b/secrets/all/backblaze.yaml similarity index 100% rename from secrets/backblaze.yaml rename to secrets/all/backblaze.yaml diff --git a/secrets/nathan.yaml b/secrets/all/tailscale.yaml similarity index 100% rename from secrets/nathan.yaml rename to secrets/all/tailscale.yaml