bootstrapping

2026-04-17 13:08:19 -04:00 · 2024-09-08 08:38:29 -04:00
parent fff6bc64a6
commit 56606d043d
42 changed files with 1562 additions and 1 deletions
--- a/systems/bob/default.nix
+++ b/systems/bob/default.nix
@@ -0,0 +1,104 @@
+{
+  inputs,
+  ...
+}:
+{
+  imports = [
+    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
+    ../../users/richie
+    ../common/global
+    ../common/optional/desktop.nix
+    ../common/optional/steam.nix
+    ../common/optional/syncthing_base.nix
+    ../common/optional/systemd-boot.nix
+    ../common/optional/zerotier.nix
+    ./hardware.nix
+    ./nvidia.nix
+  ];
+
+  networking = {
+    hostName = "bob";
+    networkmanager.enable = true;
+    hostId = "7c678a41";
+  };
+
+  hardware = {
+    pulseaudio.enable = false;
+    bluetooth = {
+      enable = true;
+      powerOnBoot = true;
+    };
+  };
+
+  security.rtkit.enable = true;
+
+  services = {
+
+    displayManager.sddm.enable = true;
+
+    openssh.ports = [ 262 ];
+
+    printing.enable = true;
+
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+
+    syncthing.settings.folders = {
+      "notes" = {
+        id = "l62ul-lpweo"; # cspell:disable-line
+        path = "/home/richie/notes";
+        devices = [
+          "phone"
+          "jeeves"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "books" = {
+        id = "6uppx-vadmy"; # cspell:disable-line
+        path = "/home/richie/books";
+        devices = [
+          "phone"
+          "jeeves"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "important" = {
+        id = "4ckma-gtshs"; # cspell:disable-line
+        path = "/home/richie/important";
+        devices = [
+          "phone"
+          "jeeves"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "music" = {
+        id = "vprc5-3azqc"; # cspell:disable-line
+        path = "/home/richie/music";
+        devices = [
+          "phone"
+          "jeeves"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "projects" = {
+        id = "vyma6-lqqrz"; # cspell:disable-line
+        path = "/home/richie/projects";
+        devices = [
+          "jeeves"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+    };
+  };
+
+  system.stateVersion = "24.05";
+}
--- a/systems/bob/hardware.nix
+++ b/systems/bob/hardware.nix
@@ -0,0 +1,65 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+      luks.devices = {
+        "luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+      };
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = lib.mkDefault {
+      device = "root_pool/root";
+      fsType = "zfs";
+    };
+
+    "/home" = {
+      device = "root_pool/home";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "root_pool/var";
+      fsType = "zfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/609D-FF29";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/systems/bob/nvidia.nix
+++ b/systems/bob/nvidia.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware = {
+    nvidia = {
+      modesetting.enable = true;
+      powerManagement.enable = true;
+      package = config.boot.kernelPackages.nvidiaPackages.production;
+      nvidiaSettings = true;
+    };
+    nvidia-container-toolkit.enable = true;
+  };
+}
--- a/systems/common/docker_templates/file_server/sites/000-default.conf
+++ b/systems/common/docker_templates/file_server/sites/000-default.conf
@@ -0,0 +1,17 @@
+<VirtualHost *:80>
+  ServerAdmin admin@domain.com
+
+  DocumentRoot /data/
+  <Directory /data/>
+    Options Indexes FollowSymLinks
+    AllowOverride All
+    Require all granted
+  </Directory>
+
+  ErrorLog ${APACHE_LOG_DIR}/error.log
+
+  # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
--- a/systems/common/global/default.nix
+++ b/systems/common/global/default.nix
@@ -0,0 +1,38 @@
+{
+  lib,
+  inputs,
+  outputs,
+  ...
+}:
+{
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./docker.nix
+    ./fail2ban.nix
+    ./libs.nix
+    ./locale.nix
+    ./nh.nix
+    ./nix.nix
+    ./programs.nix
+    ./ssh.nix
+  ];
+
+  security.auditd.enable = lib.mkDefault true;
+
+  programs = {
+    zsh.enable = true;
+    fish.enable = true;
+  };
+
+  users.mutableUsers = lib.mkDefault true;
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {inherit inputs outputs;};
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  hardware.enableRedistributableFirmware = true;
+}
--- a/systems/common/global/docker.nix
+++ b/systems/common/global/docker.nix
@@ -0,0 +1,28 @@
+{ lib, ... }:
+{
+  users = {
+    users.docker-service = {
+      isSystemUser = true;
+      group = "docker-service";
+      extraGroups = [ "docker" ];
+      uid = 600;
+    };
+    groups.docker-service = {
+      gid = 600;
+    };
+  };
+
+  virtualisation.docker = {
+    enable = lib.mkDefault true;
+    logDriver = "local";
+    storageDriver = "overlay2";
+    daemon.settings = {
+      experimental = true;
+      exec-opts = [ "native.cgroupdriver=systemd" ];
+      log-opts = {
+        max-size = "10m";
+        max-file = "5";
+      };
+    };
+  };
+}
--- a/systems/common/global/fail2ban.nix
+++ b/systems/common/global/fail2ban.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+{
+  services.fail2ban = {
+    enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true);
+    maxretry = 5;
+    bantime = "24h";
+    bantime-increment = {
+      enable = true;
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      maxtime = "168h";
+      overalljails = true;
+    };
+  };
+}
--- a/systems/common/global/libs.nix
+++ b/systems/common/global/libs.nix
@@ -0,0 +1,26 @@
+{ lib, pkgs, ... }:
+{
+  programs.nix-ld = {
+    enable = lib.mkDefault true;
+    libraries = with pkgs; [
+      acl
+      attr
+      bzip2
+      curl
+      glib
+      libglvnd
+      libmysqlclient
+      libsodium
+      libssh
+      libxml2
+      openssl
+      stdenv.cc.cc
+      systemd
+      util-linux
+      xz
+      zlib
+      zlib-ng
+      zstd
+    ];
+  };
+}
--- a/systems/common/global/locale.nix
+++ b/systems/common/global/locale.nix
@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  time.timeZone = lib.mkDefault "America/New_York";
+  console.keyMap = lib.mkDefault "us";
+
+  i18n = {
+    defaultLocale = lib.mkDefault "en_US.utf8";
+    supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
+    extraLocaleSettings = lib.mkDefault {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+    };
+  };
+}
--- a/systems/common/global/nh.nix
+++ b/systems/common/global/nh.nix
@@ -0,0 +1,10 @@
+{
+  programs.nh = {
+    enable = true;
+    clean = {
+      enable = true;
+      dates = "weekly";
+      extraArgs = "--keep-since 7d --keep 3";
+    };
+  };
+}
--- a/systems/common/global/nix.nix
+++ b/systems/common/global/nix.nix
@@ -0,0 +1,28 @@
+{
+  inputs,
+  lib,
+  ...
+}: let
+  flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+in {
+  nix = {
+    settings = {
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      auto-optimise-store = lib.mkDefault true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "ca-derivations"
+      ];
+      warn-dirty = false;
+      flake-registry = ""; # disable global flake registries
+    };
+
+    # Add each flake input as a registry and nix_path
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}
--- a/systems/common/global/programs.nix
+++ b/systems/common/global/programs.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    git
+    python312
+  ];
+}
--- a/systems/common/global/ssh.nix
+++ b/systems/common/global/ssh.nix
@@ -0,0 +1,71 @@
+{ lib, ... }:
+{
+  services.openssh = {
+    enable = lib.mkDefault true;
+    extraConfig = "StreamLocalBindUnlink yes";
+
+    hostKeys = [
+      {
+        bits = 4096;
+        path = "/etc/ssh/ssh_host_rsa_key";
+        type = "rsa";
+      }
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/etc/ssh/ssh_host_ecdsa_key";
+        type = "ecdsa";
+      }
+    ];
+
+    settings = {
+      AllowAgentForwarding = "no";
+      AllowTcpForwarding = lib.mkDefault "yes";
+      ChallengeResponseAuthentication = "no";
+      ClientAliveCountMax = lib.mkDefault 2;
+      Compression = "NO";
+      IgnoreRhosts = "yes";
+      LogLevel = lib.mkDefault "VERBOSE";
+      MaxAuthTries = 3;
+      MaxSessions = lib.mkDefault 2;
+      PasswordAuthentication = false;
+      PermitEmptyPasswords = "no";
+      PermitRootLogin = lib.mkForce "no";
+      TcpKeepAlive = "no";
+      X11Forwarding = lib.mkDefault false;
+      KexAlgorithms = [
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group-exchange-sha256"
+      ];
+
+      Ciphers = [
+        "chacha20-poly1305@openssh.com"
+        "aes256-gcm@openssh.com"
+        "aes128-gcm@openssh.com"
+        "aes256-ctr"
+        "aes192-ctr"
+        "aes128-ctr"
+      ];
+
+      Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+        "hmac-sha2-512"
+        "hmac-sha2-256"
+        "umac-128@openssh.com"
+      ];
+    };
+  };
+
+  services = {
+    endlessh-go = {
+      enable = lib.mkDefault true;
+      port = 22;
+    };
+  };
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+}
--- a/systems/common/optional/desktop.nix
+++ b/systems/common/optional/desktop.nix
@@ -0,0 +1,12 @@
+{
+  services = {
+    desktopManager.plasma6.enable = true;
+    xserver = {
+      enable = true;
+      xkb = {
+        layout = "us";
+        variant = "";
+      };
+    };
+  };
+}
--- a/systems/common/optional/libvirt.nix
+++ b/systems/common/optional/libvirt.nix
@@ -0,0 +1,7 @@
+{
+  virtualisation.libvirtd.enable = true;
+  programs.virt-manager.enable = true;
+  virtualisation.spiceUSBRedirection.enable = true;
+
+  programs.dconf.enable = true;
+}
--- a/systems/common/optional/steam.nix
+++ b/systems/common/optional/steam.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [mangohud steam-run];
+  hardware.steam-hardware.enable = true;
+
+  programs = {
+    gamemode.enable = true;
+    steam = {
+      enable = true;
+      gamescopeSession.enable = true;
+      remotePlay.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+      extraCompatPackages = with pkgs; [proton-ge-bin];
+      extest.enable = true;
+    };
+  };
+}
--- a/systems/common/optional/syncthing_base.nix
+++ b/systems/common/optional/syncthing_base.nix
@@ -0,0 +1,18 @@
+{
+  services.syncthing = {
+    enable = true;
+    user = "richie";
+    overrideDevices = true;
+    overrideFolders = true;
+    dataDir = "/home/richie/Syncthing";
+    configDir = "/home/richie/.config/syncthing";
+    settings = {
+      devices = {
+        phone.id = "LTGPLAE-M4ZDJTM-TZ3DJGY-SLLAVWF-CQDVEVS-RGCS75T-GAPZYK3-KUM6LA5"; # cspell:disable-line
+        jeeves.id = "7YQ4UEW-OPQEBH4-6YKJH4B-ZCE3SAX-5EIK5JL-WJDIWUA-WA2N3D5-MNK6GAV"; # cspell:disable-line
+        rhapsody-in-green.id = "INKUNKN-KILXGL5-2TQ5JTH-ORJOLOM-WYD2PYO-YRDLQIX-3AKZFWT-ZN7OJAE"; # cspell:disable-line
+        bob.id = "YP6UYKF-KFZ3FG3-5XM3XM3-5Q24AZS-LZK67PN-LAERKU2-K4WMYBH-N57ZBA5"; # cspell:disable-line
+      };
+    };
+  };
+}
--- a/systems/common/optional/systemd-boot.nix
+++ b/systems/common/optional/systemd-boot.nix
@@ -0,0 +1,6 @@
+{
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+}
--- a/systems/common/optional/update.nix
+++ b/systems/common/optional/update.nix
@@ -0,0 +1,19 @@
+{ lib, ... }:
+{
+  services.autopull = {
+    enable = lib.mkDefault true;
+    repo.dotfiles = {
+      enable = lib.mkDefault true;
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      path = lib.mkDefault /root/dotfiles;
+    };
+  };
+
+  system.autoUpgrade = {
+    enable = lib.mkDefault true;
+    flags = [ "--accept-flake-config" ];
+    randomizedDelaySec = "1h";
+    persistent = true;
+    flake = "github:RAD-Development/nix-dotfiles";
+  };
+}
--- a/systems/common/optional/zerotier.nix
+++ b/systems/common/optional/zerotier.nix
@@ -0,0 +1,6 @@
+{
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "e4da7455b2ae64ca" ];
+  };
+}