uhhhhhhhhh

add secrets
refactor things
This commit is contained in:
Ivan Bushchik 2023-07-28 15:39:50 +03:00
parent 9f5882ea76
commit e5a3158d2e
No known key found for this signature in database
GPG key ID: 9F6DDABE11A2674D
17 changed files with 161 additions and 34 deletions


@ -1,7 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
nix = { nix = {
package = pkgs.nixUnstable; package = pkgs.nixUnstable;
extraOptions = '' extraOptions = ''
@ -15,7 +14,8 @@
automatic = true; automatic = true;
options = "--delete-older-than 7d"; options = "--delete-older-than 7d";
}; };
daemonCPUSchedPolicy = "idle";
daemonIOSchedClass = "idle";
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -27,19 +27,7 @@
pciutils pciutils
coreutils-full coreutils-full
killall killall
git-crypt
]; ];
networking.networkmanager.enable = true;
networking.nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" ];
services.timesyncd.enable = true;
networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ];
i18n.defaultLocale = "ru_RU.UTF-8";
console = {
font = "${pkgs.terminus_font}/share/consolefonts/ter-u16b.psf.gz";
keyMap = "us";
packages = with pkgs; [ terminus_font ];
};
} }


@ -5,8 +5,9 @@
powertop powertop
lm_sensors lm_sensors
]; ];
boot.plymouth.enable = true;
services.tlp.enable = true; services.tlp.enable = true;
services.upower.enable = true; services.upower.enable = true;
networking.wireless.iwd.enable = true;
} }

12
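--- a/common/locale.nix
+++ b/common/locale.nix
+{ config, pkgs, ... }:
+{
+time.timeZone = "Europe/Moscow";
+i18n.defaultLocale = "ru_RU.UTF-8";
+console = {
+font = "${pkgs.terminus_font}/share/consolefonts/ter-u16b.psf.gz";
+keyMap = "us";
+packages = with pkgs; [ terminus_font ];
+};
+}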

15
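--- a/common/networking.nix
+++ b/common/networking.nix
+{ ... }:
+{
+networking.wireless.iwd.enable = true;
+networking.wireless.iwd.settings = {
+General = {
+EnableNetworkConfiguration = true;
+};
+};
+networking.nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" ];
+services.timesyncd.enable = true;
+networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ];
+}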
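Review bot: `networking.wireless.iwd.enable = true;` is declared both here and in common/laptop.nix (the line added after `services.upower.enable = true;` in that section), so any host importing both modules sets the same option twice; since this file already carries the iwd `settings` block, the laptop.nix copy is the one to drop. `EnableNetworkConfiguration = true` lets iwd obtain addresses via DHCP while `networking.nameservers` pins a static resolver list, so DHCP-supplied DNS is presumably ignored; if that is intended, a one-line comment such as `# static resolvers on purpose; iwd DHCP DNS is not used` would make it explicit.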

9
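--- a/common/remote-access.nix
+++ b/common/remote-access.nix
+{ ... }:
+{
+services.openssh = {
+enable = true;
+settings.PasswordAuthentication = false;
+};
+programs.mosh.enable = true;
+}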
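Review bot: `settings.PasswordAuthentication = false;` does not by itself close password logins, because sshd still offers keyboard-interactive authentication through PAM unless it is disabled too; add `settings.KbdInteractiveAuthentication = false;` next to it so that only the authorized keys declared in common/user.nix are accepted. It is also worth stating `settings.PermitRootLogin = "no";` explicitly rather than relying on the module default, so the whole remote-access policy is readable from this one file.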


@ -1,9 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ let
secrets = import ../secrets.nix;
in {
users.users.ivabus = { users.users.ivabus = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
uid = 1000;
packages = with pkgs; [ packages = with pkgs; [
tree tree
cargo cargo
@ -12,6 +15,11 @@
gitFull gitFull
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# Air M2 macOS
"ssh-rsa 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"
];
hashedPassword = secrets.hashed-password;
}; };
programs.zsh = { programs.zsh = {
@ -21,7 +29,47 @@
programs.gnupg.agent.enable = true; programs.gnupg.agent.enable = true;
programs.ssh.startAgent = true; programs.ssh.startAgent = true;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.ivabus = {
gtk = {
enable = true;
theme = {
name = "Catppuccin-Macchiato-Standard-Blue-dark";
package = pkgs.catppuccin-gtk.override {
accents = [ "blue" ];
tweaks = [ "rimless" ];
size = "standard";
variant = "macchiato";
};
};
iconTheme = {
name = "Mint-Y-Blue";
package = pkgs.cinnamon.mint-y-icons;
};
cursorTheme = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
};
font = {
name = "Ubuntu";
size = 9;
package = pkgs.ubuntu_font_family;
};
};
home.pointerCursor = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
};
programs.git = { programs.git = {
enable = true; enable = true;
userName = "Ivan Bushchik";
userEmail = "ivabus@ivabus.dev";
signing.key = "DF1D910360471F0CCF076E449F6DDABE11A2674D";
signing.signByDefault = true;
package = pkgs.gitAndTools.gitFull;
};
home.stateVersion = "23.05";
}; };
} }
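Review bot: `hashedPassword = secrets.hashed-password;` in the second hunk makes the hash part of the evaluated configuration, and NixOS writes `hashedPassword` values into the generated users database in the world-readable Nix store, so git-crypt protects the hash in the repository but not on the deployed machine; prefer `passwordFile = "<path-to-decrypted-hash-file-outside-the-store>";` (placeholder path; the option was renamed `hashedPasswordFile` in later releases) so the hash is read at activation time instead. The `users.users.ivabus` attribute set begins in the first hunk. The `openssh.authorizedKeys.keys` entry above it is the only thing that keeps remote logins possible once password authentication is off, so a comment naming the key's owner, as the existing `# Air M2 macOS` line does, should be kept for every key added later.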


@ -11,16 +11,22 @@
}; };
outputs = { self, nixpkgs, ... }@inputs: { outputs = { self, nixpkgs, home-manager, ... }@inputs: {
# Stella = Unchartevice 6540 (Ryzen 3 3250U, 16GB RAM) # Stella = Unchartevice 6540 (Ryzen 3 3250U, 16GB RAM)
nixosConfigurations."stella" = nixpkgs.lib.nixosSystem { nixosConfigurations."stella" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
home-manager.nixosModules.home-manager
./common/base.nix ./common/base.nix
./common/user.nix ./common/user.nix
./roles/laptop.nix ./common/laptop.nix
./common/networking.nix
./common/locale.nix
./common/remote-access.nix
./roles/graphical.nix ./roles/graphical.nix
./roles/gaming.nix #./roles/gaming.nix
./roles/devel.nix
./roles/yggdrasil-client.nix
./machines/stella/configuration.nix ./machines/stella/configuration.nix
./machines/stella/hardware.nix ./machines/stella/hardware.nix
]; ];
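Review bot: `home-manager` is now taken from the outputs arguments and `home-manager.nixosModules.home-manager` is added to the module list, but the `inputs` block that has to declare it ends just above this hunk and cannot be checked here; confirm it is declared with `inputs.nixpkgs.follows = "nixpkgs";` so home-manager is evaluated against the same nixpkgs as the system instead of pulling in a second copy. `#./roles/gaming.nix` is commented out with no reason given; a short comment such as `# gaming.nix disabled: <reason>` would tell the next reader whether it is temporary.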


@ -6,16 +6,10 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "stella"; networking.hostName = "stella";
time.timeZone = "Europe/Moscow";
services.xserver.videoDrivers=["amdgpu"]; services.xserver.videoDrivers=["amdgpu"];
boot.initrd.kernelModules=["amdgpu"]; boot.initrd.kernelModules=["amdgpu"];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }


@ -39,5 +39,5 @@
STOP_CHARGE_THRESH_BAT0 = 80; STOP_CHARGE_THRESH_BAT0 = 80;
}; };
powerManagement.enable = true; powerManagement.enable = true;
powerManagement.cpuFreqGovernor = "powersave"; powerManagement.cpuFreqGovernor = "performance";
} }

15
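--- a/roles/devel.nix
+++ b/roles/devel.nix
+{ config, pkgs, ... }:
+{
+nixpkgs.config.allowUnfree = true;
+environment.systemPackages = with pkgs; [
+jetbrains.clion
+rustc
+cargo
+rustup
+vscode
+clang
+llvm
+lld
+];
+}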
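Review bot: `nixpkgs.config.allowUnfree = true;` in a role module lifts the unfree restriction for every package on the system, not just for `jetbrains.clion` and `vscode`; if only those two are intended, `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "clion" "vscode" ];` keeps the allowance scoped (this needs `lib` added to the module arguments). Listing `rustup` together with `rustc` and `cargo` in the same `environment.systemPackages` presumably produces a path collision, since rustup ships its own `cargo` and `rustc` proxy binaries; pick either the rustup-managed toolchain or the nixpkgs one.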


@ -1,3 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {


@ -9,11 +9,12 @@
mpv mpv
glib glib
ffmpeg ffmpeg
cinnamon.mint-y-icons cinnamon.nemo
usbmuxd usbmuxd
telegram-desktop telegram-desktop
keepassxc
]; ];
services.fwupd.enable = true;
services.greetd = { services.greetd = {
enable = true; enable = true;
vt = 7; vt = 7;
@ -37,7 +38,6 @@
swaylock swaylock
poweralertd poweralertd
kanshi kanshi
catppuccin-cursors
libsForQt5.qt5ct libsForQt5.qt5ct
mako mako
pulseaudio pulseaudio
@ -55,15 +55,29 @@
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
pulse.enable = true; pulse.enable = true;
alsa.support32Bit = true;
jack.enable = true;
};
qt = {
enable = true;
platformTheme = "gtk2";
style = "gtk2";
}; };
services.dbus.enable = true; services.dbus.enable = true;
fonts.fonts = with pkgs; [ fonts.packages = with pkgs; [
noto-fonts noto-fonts
noto-fonts-cjk noto-fonts-cjk
noto-fonts-emoji noto-fonts-emoji
jetbrains-mono jetbrains-mono
font-awesome font-awesome
#google-fonts
liberation_ttf
open-sans
roboto
roboto-mono
kochi-substitute
]; ];
} }


@ -0,0 +1,13 @@
{ ... }:
{
services.yggdrasil = {
enable = true;
persistentKeys = true;
settings = {
Peers = [
"tls://ygg.iva.bz:50002"
];
};
};
}
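Review bot: enabling `services.yggdrasil` gives this host a routable overlay address reachable from every yggdrasil peer, and common/remote-access.nix enables sshd with the module's default `openFirewall = true`, so sshd is exposed on that interface as well; with key-only authentication that is presumably intended, but a comment here saying so, e.g. `# sshd is reachable over yggdrasil; key auth only (see common/remote-access.nix)`, would record the decision. The single hard-coded `tls://ygg.iva.bz:50002` peer means connectivity depends entirely on that one endpoint. This section's file header is not shown on the page; the flake lists it as ./roles/yggdrasil-client.nix.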

9
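--- a/secrets.nix
+++ b/secrets.nix
+let
+canaryHash = builtins.hashFile "sha256" ./secrets/canary;
+expectedHash = "bc6f38a927602241c5e0996b61ebd3a90d5356ca76dc968ec14df3cd45c6612c";
+in
+if canaryHash != expectedHash then abort "Secrets are not readable. Have you run `git-crypt unlock`?"
+else {
+hashed-password = builtins.readFile ./secrets/hashed-password;
+}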
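Review bot: `builtins.readFile ./secrets/hashed-password` is evaluated from a flake, and a flake's whole source tree, including the decrypted `secrets/` directory while git-crypt is unlocked, is copied into the world-readable Nix store before evaluation, so the plaintext hash lands in `/nix/store` on every machine that builds this configuration; git-crypt protects the repository, not the deployed system, and a file delivered outside the store at activation time (consumed via the user's `passwordFile` option) avoids that. `abort` cannot be caught by `builtins.tryEval`, so `throw` is the conventional choice for a "secrets not unlocked" error. `readFile` also returns the file content verbatim, so a trailing newline in `secrets/hashed-password` would become part of the hash and break login; either store the file without one or wrap the read in `builtins.replaceStrings [ "\n" ] [ "" ]`.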

2
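--- a/secrets/.gitattributes
+++ b/secrets/.gitattributes
@@ -0,0 +1,2 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff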

BIN
secrets/canary Normal file

Binary file not shown.

BIN
secrets/hashed-password Normal file

Binary file not shown.