uhhhhhhhhh

add secrets
refactor things
This commit is contained in:
Ivan Bushchik 2023-07-28 15:39:50 +03:00
parent 9f5882ea76
commit e5a3158d2e
No known key found for this signature in database
GPG key ID: 9F6DDABE11A2674D
17 changed files with 161 additions and 34 deletions


@ -1,7 +1,6 @@
{ config, pkgs, ... }:
{
nix = {
package = pkgs.nixUnstable;
extraOptions = ''
@ -15,7 +14,8 @@
automatic = true;
options = "--delete-older-than 7d";
};
daemonCPUSchedPolicy = "idle";
daemonIOSchedClass = "idle";
};
environment.systemPackages = with pkgs; [
@ -27,19 +27,7 @@
pciutils
coreutils-full
killall
git-crypt
];
networking.networkmanager.enable = true;
networking.nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" ];
services.timesyncd.enable = true;
networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ];
i18n.defaultLocale = "ru_RU.UTF-8";
console = {
font = "${pkgs.terminus_font}/share/consolefonts/ter-u16b.psf.gz";
keyMap = "us";
packages = with pkgs; [ terminus_font ];
};
}


@ -5,8 +5,9 @@
powertop
lm_sensors
];
boot.plymouth.enable = true;
services.tlp.enable = true;
services.upower.enable = true;
networking.wireless.iwd.enable = true;
}

12
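--- a/common/locale.nix
+++ b/common/locale.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+time.timeZone = "Europe/Moscow";
+i18n.defaultLocale = "ru_RU.UTF-8";
+console = {
+font = "${pkgs.terminus_font}/share/consolefonts/ter-u16b.psf.gz";
+keyMap = "us";
+packages = with pkgs; [ terminus_font ];
+};
+}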

15
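--- a/common/networking.nix
+++ b/common/networking.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+networking.wireless.iwd.enable = true;
+networking.wireless.iwd.settings = {
+General = {
+EnableNetworkConfiguration = true;
+};
+};
+networking.nameservers = [ "1.1.1.1" "1.0.0.1" "8.8.8.8" ];
+services.timesyncd.enable = true;
+networking.timeServers = [ "ntp1.vniiftri.ru" "0.ru.pool.ntp.org" "0.pool.ntp.org" ];
+}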
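Review bot: `EnableNetworkConfiguration = true` hands DHCP and address configuration to iwd, while the base.nix hunk earlier on this page still shows `networking.networkmanager.enable = true;`; if that line survives the base.nix change, both daemons will try to configure the Wi-Fi interface and the static `networking.nameservers` list will be fighting with whichever one writes resolv.conf. Either drop the NetworkManager line, or keep NetworkManager as the manager and set `networking.networkmanager.wifi.backend = "iwd";` with `EnableNetworkConfiguration` left unset. A one-line comment above the iwd block stating which daemon owns IP configuration would make the intent clear to whoever imports this module next.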

9
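--- a/common/remote-access.nix
+++ b/common/remote-access.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+services.openssh = {
+enable = true;
+settings.PasswordAuthentication = false;
+};
+programs.mosh.enable = true;
+}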
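Review bot: `settings.PasswordAuthentication = false;` does not close keyboard-interactive logins, which on NixOS go through PAM and accept the same account password, so a password-guessing client can still authenticate that way; add `settings.KbdInteractiveAuthentication = false;` beside it so only the authorized keys from user.nix work. `programs.mosh.enable = true;` also opens the mosh UDP port range in the firewall by default (`programs.mosh.openFirewall`), which is worth a short comment here because every host that imports this module inherits it.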


@ -1,9 +1,12 @@
{ config, pkgs, ... }:
{
let
secrets = import ../secrets.nix;
in {
users.users.ivabus = {
isNormalUser = true;
extraGroups = [ "wheel" ];
uid = 1000;
packages = with pkgs; [
tree
cargo
@ -12,6 +15,11 @@
gitFull
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# Air M2 macOS
"ssh-rsa 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"
];
hashedPassword = secrets.hashed-password;
};
programs.zsh = {
@ -21,7 +29,47 @@
programs.gnupg.agent.enable = true;
programs.ssh.startAgent = true;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.ivabus = {
gtk = {
enable = true;
theme = {
name = "Catppuccin-Macchiato-Standard-Blue-dark";
package = pkgs.catppuccin-gtk.override {
accents = [ "blue" ];
tweaks = [ "rimless" ];
size = "standard";
variant = "macchiato";
};
};
iconTheme = {
name = "Mint-Y-Blue";
package = pkgs.cinnamon.mint-y-icons;
};
cursorTheme = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
};
font = {
name = "Ubuntu";
size = 9;
package = pkgs.ubuntu_font_family;
};
};
home.pointerCursor = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
};
programs.git = {
enable = true;
userName = "Ivan Bushchik";
userEmail = "ivabus@ivabus.dev";
signing.key = "DF1D910360471F0CCF076E449F6DDABE11A2674D";
signing.signByDefault = true;
package = pkgs.gitAndTools.gitFull;
};
home.stateVersion = "23.05";
};
}
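Review bot: `hashedPassword = secrets.hashed-password;` feeds the decrypted hash into the evaluated configuration, and NixOS writes `users.users.*.hashedPassword` values into the world-readable Nix store, so the git-crypt gate protects the repository but not the deployed machine; `users.users.ivabus.passwordFile = "/path/outside/store";` (renamed `hashedPasswordFile` in later NixOS releases) reads the hash at activation time instead and keeps it out of the store. The attribute set this hunk edits starts and ends outside the hunk, so whether the `let … in` wrapper correctly replaces the original opening brace cannot be confirmed from here.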


@ -11,16 +11,22 @@
};
outputs = { self, nixpkgs, ... }@inputs: {
outputs = { self, nixpkgs, home-manager, ... }@inputs: {
# Stella = Unchartevice 6540 (Ryzen 3 3250U, 16GB RAM)
nixosConfigurations."stella" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
home-manager.nixosModules.home-manager
./common/base.nix
./common/user.nix
./roles/laptop.nix
./common/laptop.nix
./common/networking.nix
./common/locale.nix
./common/remote-access.nix
./roles/graphical.nix
./roles/gaming.nix
#./roles/gaming.nix
./roles/devel.nix
./roles/yggdrasil-client.nix
./machines/stella/configuration.nix
./machines/stella/hardware.nix
];


@ -6,16 +6,10 @@
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "stella";
time.timeZone = "Europe/Moscow";
services.xserver.videoDrivers=["amdgpu"];
boot.initrd.kernelModules=["amdgpu"];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
system.stateVersion = "23.05";
}


@ -39,5 +39,5 @@
STOP_CHARGE_THRESH_BAT0 = 80;
};
powerManagement.enable = true;
powerManagement.cpuFreqGovernor = "powersave";
powerManagement.cpuFreqGovernor = "performance";
}

15
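--- a/roles/devel.nix
+++ b/roles/devel.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+nixpkgs.config.allowUnfree = true;
+environment.systemPackages = with pkgs; [
+jetbrains.clion
+rustc
+cargo
+rustup
+vscode
+clang
+llvm
+lld
+];
+}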
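Review bot: `rustc`, `cargo` and `rustup` all provide `bin/rustc` and `bin/cargo`, so listing them together in `environment.systemPackages` produces collision warnings when the system profile is built and whichever package wins shadows the other's binaries; keep either the nixpkgs toolchain (`rustc cargo`) or `rustup`, not both. `nixpkgs.config.allowUnfree = true;` placed in a role module also flips the flag for every host importing this role, which deserves a one-line comment naming the packages that need it (`# unfree: jetbrains.clion, vscode`).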


@ -1,3 +1,4 @@
{ config, pkgs, ... }:
{


@ -9,11 +9,12 @@
mpv
glib
ffmpeg
cinnamon.mint-y-icons
cinnamon.nemo
usbmuxd
telegram-desktop
keepassxc
];
services.fwupd.enable = true;
services.greetd = {
enable = true;
vt = 7;
@ -37,7 +38,6 @@
swaylock
poweralertd
kanshi
catppuccin-cursors
libsForQt5.qt5ct
mako
pulseaudio
@ -55,15 +55,29 @@
enable = true;
alsa.enable = true;
pulse.enable = true;
alsa.support32Bit = true;
jack.enable = true;
};
qt = {
enable = true;
platformTheme = "gtk2";
style = "gtk2";
};
services.dbus.enable = true;
fonts.fonts = with pkgs; [
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
jetbrains-mono
font-awesome
#google-fonts
liberation_ttf
open-sans
roboto
roboto-mono
kochi-substitute
];
}


@ -0,0 +1,13 @@
{ ... }:
{
services.yggdrasil = {
enable = true;
persistentKeys = true;
settings = {
Peers = [
"tls://ygg.iva.bz:50002"
];
};
};
}

9
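--- a/secrets.nix
+++ b/secrets.nix
@@ -0,0 +1,9 @@
+let
+canaryHash = builtins.hashFile "sha256" ./secrets/canary;
+expectedHash = "bc6f38a927602241c5e0996b61ebd3a90d5356ca76dc968ec14df3cd45c6612c";
+in
+if canaryHash != expectedHash then abort "Secrets are not readable. Have you run `git-crypt unlock`?"
+else {
+hashed-password = builtins.readFile ./secrets/hashed-password;
+}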
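Review bot: `builtins.readFile ./secrets/hashed-password` returns the file verbatim, so if the file ends with a newline that newline becomes part of the hash handed to `users.users.ivabus.hashedPassword` and the resulting shadow entry will not match any password; strip it, e.g. `hashed-password = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./secrets/hashed-password);`. Separately, flake.nix on this page consumes this tree as a flake, and flake evaluation copies the checked-out working tree — including the decrypted `secrets/` directory once `git-crypt unlock` has run — into the world-readable Nix store; the canary check confirms the unlock happened but does nothing to prevent that copy. A header comment stating that this file must only ever be read at evaluation time on a machine where store exposure is acceptable, or a switch to reading the secret at activation time from a path outside the repository, would address that.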

2
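--- a/secrets/.gitattributes
+++ b/secrets/.gitattributes
@@ -0,0 +1,2 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff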

BIN
secrets/canary Normal file

Binary file not shown.

BIN
secrets/hashed-password Normal file

Binary file not shown.