formatting: new formatting'
This commit is contained in:
parent
7efcab98a9
commit
ef1b9f6c91
15 changed files with 358 additions and 152 deletions
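--- /dev/null
+++ b/common/gui/default.nix
@@ -0,0 +1,5 @@
+{lib, ...}: {
+imports = [./thunar.nix];
+
+thunar.enable = lib.mkDefault true;
+}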
@ -1,15 +1,21 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
|
lib,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
programs.thunar = {
|
options = {
|
||||||
enable = true;
|
thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
|
||||||
plugins = with pkgs.xfce; [
|
};
|
||||||
thunar-archive-plugin
|
config = lib.mkIf config.thunar.enable {
|
||||||
thunar-volman
|
programs.thunar = {
|
||||||
];
|
enable = true;
|
||||||
|
plugins = with pkgs.xfce; [
|
||||||
|
thunar-archive-plugin
|
||||||
|
thunar-volman
|
||||||
|
];
|
||||||
|
};
|
||||||
|
services.gvfs.enable = true; # Mount, trash, and other functionalities
|
||||||
|
services.tumbler.enable = true; # Thumbnail support for images
|
||||||
};
|
};
|
||||||
services.gvfs.enable = true; # Mount, trash, and other functionalities
|
|
||||||
services.tumbler.enable = true; # Thumbnail support for images
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
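--- /dev/null
+++ b/common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix
@@ -0,0 +1,21 @@
+{
+pkgs,
+config,
+lib,
+...
+}: {
+options = {
+thunar.enable = lib.mkEnableOption "Enables thunar and its plugins";
+};
+config = lib.mkIf config.thunar.enable {
+programs.thunar = {
+enable = true;
+plugins = with pkgs.xfce; [
+thunar-archive-plugin
+thunar-volman
+];
+};
+services.gvfs.enable = true; # Mount, trash, and other functionalities
+services.tumbler.enable = true; # Thumbnail support for images
+};
+}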
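Review bot: `common/gui/thunar.sync-conflict-20240508-115349-N2TYFZ4.nix` appears to be a Syncthing conflict copy of thunar.nix that was committed by accident: its 21 lines match the new thunar.nix content and nothing imports it (common/gui/default.nix imports only `./thunar.nix`). Left in the tree it is dead configuration, and should any host ever import both files, the duplicate `options.thunar.enable` declaration would fail evaluation. Drop the file from the commit and add a `*.sync-conflict-*` pattern to the repository's ignore file so future conflict copies cannot slip in.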
@ -4,6 +4,7 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
inputs,
|
inputs,
|
||||||
outputs,
|
outputs,
|
||||||
|
user,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
|
|
@ -20,6 +21,8 @@
|
||||||
nix.settings.auto-optimise-store = true;
|
nix.settings.auto-optimise-store = true;
|
||||||
nix.optimise.automatic = true;
|
nix.optimise.automatic = true;
|
||||||
|
|
||||||
|
nix.settings.trusted-users = ["${user}"];
|
||||||
|
|
||||||
# Disable so comma can be installed
|
# Disable so comma can be installed
|
||||||
programs.command-not-found.enable = false;
|
programs.command-not-found.enable = false;
|
||||||
programs.nix-index-database.comma.enable = true;
|
programs.nix-index-database.comma.enable = true;
|
||||||
|
|
|
||||||
|
|
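Review bot: `nix.settings.trusted-users = ["${user}"];` in the second hunk grants that account trusted status on the Nix daemon, which lets it add arbitrary substituters and import unsigned store paths — in practice root-equivalent control over the system closure. If it is only needed so a flake's extra caches are honoured for this user, a comment saying so would help the next reader, e.g. `# trusted so the flake's extra substituters are honoured for this user; note this is root-equivalent`; if it is not needed, dropping the line is the safer default. The interpolation is also redundant — `[user]` is enough since `user` is already a string. The enclosing attribute set starts and ends outside the hunk.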
@ -1,93 +0,0 @@
|
||||||
{user, ...}: {
|
|
||||||
# https://www.ssh-audit.com/hardening_guides.html
|
|
||||||
# https://github.com/jtesta/ssh-audit
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
########## Features ##########
|
|
||||||
|
|
||||||
# disallow ssh-agent forwarding to prevent lateral movement
|
|
||||||
AllowAgentForwarding = false;
|
|
||||||
|
|
||||||
# prevent TCP ports from being forwarded over SSH tunnels
|
|
||||||
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
|
|
||||||
# any user with an interactive login shell can spin up his/her own instance of sshd
|
|
||||||
AllowTcpForwarding = false;
|
|
||||||
|
|
||||||
# prevent StreamLocal (Unix-domain socket) forwarding
|
|
||||||
AllowStreamLocalForwarding = false;
|
|
||||||
|
|
||||||
# disables all forwarding features
|
|
||||||
# overrides all other forwarding switches
|
|
||||||
DisableForwarding = true;
|
|
||||||
|
|
||||||
# disallow remote hosts from connecting to forwarded ports
|
|
||||||
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
|
|
||||||
GatewayPorts = "no";
|
|
||||||
|
|
||||||
# prevent tun device forwarding
|
|
||||||
PermitTunnel = false;
|
|
||||||
|
|
||||||
# suppress MOTD
|
|
||||||
PrintMotd = false;
|
|
||||||
|
|
||||||
# disable X11 forwarding since it is not necessary
|
|
||||||
X11Forwarding = false;
|
|
||||||
|
|
||||||
########## Authentication ##########
|
|
||||||
|
|
||||||
AllowUsers = ["${user}"];
|
|
||||||
|
|
||||||
# Use keys only. Remove if you want to SSH using password (not recommended)
|
|
||||||
PasswordAuthentication = false;
|
|
||||||
HostbasedAuthentication = false;
|
|
||||||
|
|
||||||
# enable pubkey authentication
|
|
||||||
PubkeyAuthentication = true;
|
|
||||||
|
|
||||||
# Forbid root login through SSH.
|
|
||||||
PermitRootLogin = "no";
|
|
||||||
|
|
||||||
# nix enables pam by default
|
|
||||||
#UsePam = true;
|
|
||||||
|
|
||||||
########## Cryptography ##########
|
|
||||||
|
|
||||||
# explicitly define cryptography algorithms to avoid the use of weak algorithms
|
|
||||||
# AES CTR modes have been removed to mitigate the Terrapin attack
|
|
||||||
# https://terrapin-attack.com/
|
|
||||||
|
|
||||||
Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
|
|
||||||
Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
|
|
||||||
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
|
|
||||||
|
|
||||||
########## Connection Preferences ##########
|
|
||||||
|
|
||||||
# enforce SSH server to only use SSH protocol version 2
|
|
||||||
# SSHv1 contains security issues and should be avoided at all costs
|
|
||||||
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
|
|
||||||
# specified anyways to ensure this configuration file's compatibility
|
|
||||||
# with older versions of OpenSSH server
|
|
||||||
Protocol = 2;
|
|
||||||
|
|
||||||
# number of client alive messages sent without client responding
|
|
||||||
ClientAliveCountMax = 2;
|
|
||||||
|
|
||||||
# send a keepalive message to the client when the session has been idle for 300 seconds
|
|
||||||
# this prevents/detects connection timeouts
|
|
||||||
ClientAliveInterval = 300;
|
|
||||||
|
|
||||||
# compression before encryption might cause security issues
|
|
||||||
Compression = false;
|
|
||||||
|
|
||||||
# prevent SSH trust relationships from allowing lateral movements
|
|
||||||
IgnoreRhosts = true;
|
|
||||||
|
|
||||||
# log verbosely for addtional information
|
|
||||||
LogLevel = "VERBOSE";
|
|
||||||
|
|
||||||
# allow a maximum of two multiplexed sessions over a single TCP connection
|
|
||||||
MaxSessions = 2;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
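--- /dev/null
+++ b/common/nixos/ssh/default.nix
@@ -0,0 +1,7 @@
+{lib, ...}: {
+imports = [./ssh.nix ./ssh_client.nix ./ssh_guard.nix];
+
+ssh_client.enable = lib.mkDefault true;
+ssh.enable = lib.mkDefault false;
+ssh_guard.enable = lib.mkDefault false;
+}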
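Review bot: `ssh.enable = lib.mkDefault false;` and `ssh_guard.enable = lib.mkDefault false;` restate the default that `lib.mkEnableOption` already gives those options, so the two lines only carry intent. A one-line comment states that intent without the no-op assignments, e.g. `# sshd and sshguard are opt-in per host; only the client settings are on by default`. The `lib.mkDefault true` on the line above is the one assignment that actually changes behaviour.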
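--- /dev/null
+++ b/common/nixos/ssh/ssh.nix
@@ -0,0 +1,103 @@
+{
+config,
+lib,
+user,
+...
+}: {
+options = {
+ssh.enable = lib.mkEnableOption "enable ssh settings";
+};
+config = lib.mkIf config.ssh.enable {
+# https://www.ssh-audit.com/hardening_guides.html
+# https://github.com/jtesta/ssh-audit
+services.openssh = {
+enable = true;
+settings = {
+########## Features ##########
+
+# disallow ssh-agent forwarding to prevent lateral movement
+AllowAgentForwarding = false;
+
+# prevent TCP ports from being forwarded over SSH tunnels
+# **please be aware that disabling TCP forwarding does not prevent port forwarding**
+# any user with an interactive login shell can spin up his/her own instance of sshd
+AllowTcpForwarding = false;
+
+# prevent StreamLocal (Unix-domain socket) forwarding
+AllowStreamLocalForwarding = false;
+
+# disables all forwarding features
+# overrides all other forwarding switches
+DisableForwarding = true;
+
+# disallow remote hosts from connecting to forwarded ports
+# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
+GatewayPorts = "no";
+
+# prevent tun device forwarding
+PermitTunnel = false;
+
+# suppress MOTD
+PrintMotd = false;
+
+# disable X11 forwarding since it is not necessary
+X11Forwarding = false;
+
+########## Authentication ##########
+
+AllowUsers = ["${user}"];
+
+# Use keys only. Remove if you want to SSH using password (not recommended)
+PasswordAuthentication = false;
+HostbasedAuthentication = false;
+
+# enable pubkey authentication
+PubkeyAuthentication = true;
+
+# Forbid root login through SSH.
+PermitRootLogin = "no";
+
+# nix enables pam by default
+#UsePam = true;
+
+########## Cryptography ##########
+
+# explicitly define cryptography algorithms to avoid the use of weak algorithms
+# AES CTR modes have been removed to mitigate the Terrapin attack
+# https://terrapin-attack.com/
+
+Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
+Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
+KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
+
+########## Connection Preferences ##########
+
+# enforce SSH server to only use SSH protocol version 2
+# SSHv1 contains security issues and should be avoided at all costs
+# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+# specified anyways to ensure this configuration file's compatibility
+# with older versions of OpenSSH server
+Protocol = 2;
+
+# number of client alive messages sent without client responding
+ClientAliveCountMax = 2;
+
+# send a keepalive message to the client when the session has been idle for 300 seconds
+# this prevents/detects connection timeouts
+ClientAliveInterval = 300;
+
+# compression before encryption might cause security issues
+Compression = false;
+
+# prevent SSH trust relationships from allowing lateral movements
+IgnoreRhosts = true;
+
+# log verbosely for addtional information
+LogLevel = "VERBOSE";
+
+# allow a maximum of two multiplexed sessions over a single TCP connection
+MaxSessions = 2;
+};
+};
+};
+}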
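Review bot: `PasswordAuthentication = false;` under the `# Use keys only` comment does not on its own make this sshd key-only on a PAM-enabled system: keyboard-interactive (PAM challenge-response) authentication stays available unless `KbdInteractiveAuthentication` is also disabled, and the `#UsePam = true;` note a few lines below confirms PAM is in play. Add `KbdInteractiveAuthentication = false;` beside the PasswordAuthentication line and extend the comment, e.g. `# Keys only: also disable PAM keyboard-interactive, which would otherwise still accept passwords`. Separately, recent OpenSSH releases treat `Protocol` as a deprecated keyword and log a warning at startup; the comment above `Protocol = 2;` already explains why it is kept, so this is only worth knowing when reading sshd's logs.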
@ -1,37 +1,45 @@
|
||||||
{...}: {
|
{
|
||||||
programs.ssh = {
|
config,
|
||||||
# disable unnecessary forwardings
|
lib,
|
||||||
forwardX11 = false;
|
...
|
||||||
|
}: {
|
||||||
|
options = {
|
||||||
|
ssh_client.enable = lib.mkEnableOption "enable ssh client settings";
|
||||||
|
};
|
||||||
|
config = lib.mkIf config.ssh_client.enable {
|
||||||
|
programs.ssh = {
|
||||||
|
# disable unnecessary forwardings
|
||||||
|
forwardX11 = false;
|
||||||
|
|
||||||
# explicitly define cryptography algorithms to avoid the use of weak algorithms
|
# explicitly define cryptography algorithms to avoid the use of weak algorithms
|
||||||
# AES CTR modes have been removed to mitigate the Terrapin attack
|
# AES CTR modes have been removed to mitigate the Terrapin attack
|
||||||
# https://terrapin-attack.com/
|
# https://terrapin-attack.com/
|
||||||
ciphers = [
|
ciphers = [
|
||||||
"aes256-gcm@openssh.com"
|
"aes256-gcm@openssh.com"
|
||||||
"aes128-gcm@openssh.com"
|
"aes128-gcm@openssh.com"
|
||||||
];
|
];
|
||||||
hostKeyAlgorithms = [
|
hostKeyAlgorithms = [
|
||||||
"ssh-ed25519"
|
"ssh-ed25519"
|
||||||
"ssh-ed25519-cert-v01@openssh.com"
|
"ssh-ed25519-cert-v01@openssh.com"
|
||||||
"sk-ssh-ed25519@openssh.com"
|
"sk-ssh-ed25519@openssh.com"
|
||||||
"sk-ssh-ed25519-cert-v01@openssh.com"
|
"sk-ssh-ed25519-cert-v01@openssh.com"
|
||||||
"rsa-sha2-256"
|
"rsa-sha2-256"
|
||||||
"rsa-sha2-256-cert-v01@openssh.com"
|
"rsa-sha2-256-cert-v01@openssh.com"
|
||||||
"rsa-sha2-512"
|
"rsa-sha2-512"
|
||||||
"rsa-sha2-512-cert-v01@openssh.com"
|
"rsa-sha2-512-cert-v01@openssh.com"
|
||||||
];
|
];
|
||||||
macs = [
|
macs = [
|
||||||
"hmac-sha2-256-etm@openssh.com"
|
"hmac-sha2-256-etm@openssh.com"
|
||||||
"hmac-sha2-512-etm@openssh.com"
|
"hmac-sha2-512-etm@openssh.com"
|
||||||
"umac-128-etm@openssh.com"
|
"umac-128-etm@openssh.com"
|
||||||
];
|
];
|
||||||
kexAlgorithms = [
|
kexAlgorithms = [
|
||||||
"curve25519-sha256"
|
"curve25519-sha256"
|
||||||
"curve25519-sha256@libssh.org"
|
"curve25519-sha256@libssh.org"
|
||||||
"diffie-hellman-group16-sha512"
|
"diffie-hellman-group16-sha512"
|
||||||
"diffie-hellman-group18-sha512"
|
"diffie-hellman-group18-sha512"
|
||||||
];
|
];
|
||||||
extraConfig = "
|
extraConfig = "
|
||||||
# disable unnecessary forwardings
|
# disable unnecessary forwardings
|
||||||
ForwardAgent no
|
ForwardAgent no
|
||||||
ForwardX11Trusted no
|
ForwardX11Trusted no
|
||||||
|
|
@ -72,5 +80,6 @@
|
||||||
# display an ASCII art of the server's host key
|
# display an ASCII art of the server's host key
|
||||||
VisualHostKey yes
|
VisualHostKey yes
|
||||||
";
|
";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
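--- /dev/null
+++ b/common/nixos/ssh/ssh_guard.nix
@@ -0,0 +1,21 @@
+{
+config,
+lib,
+...
+}: {
+options = {
+ssh_guard.enable = lib.mkEnableOption "enable ssh guard";
+};
+config = lib.mkIf config.ssh_guard.enable {
+services.sshguard = {
+enable = true;
+services = [
+"sshd"
+];
+blocktime = 120;
+detection_time = 1800;
+blacklist_threshold = 120;
+blacklist_file = "/var/lib/sshguard/blacklist.db";
+};
+};
+}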
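Review bot: The `services.sshguard` block sets `blacklist_file` and `blacklist_threshold = 120;` but no `whitelist`, so an administrator's own host can be blocked and then permanently blacklisted — repeated failed or aborted logins from a trusted machine (an agent offering several keys, for instance) can count as attacks. NixOS exposes `services.sshguard.whitelist` for this; consider listing the ranges you administer from, e.g. `whitelist = ["<management-cidr placeholder>"];`. A short comment on the thresholds would also help, since `blacklist_threshold` is a dangerousness score rather than seconds and merely happens to equal `blocktime`.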
@ -1,12 +0,0 @@
|
||||||
{...}: {
|
|
||||||
services.sshguard = {
|
|
||||||
enable = true;
|
|
||||||
services = [
|
|
||||||
"sshd"
|
|
||||||
];
|
|
||||||
blocktime = 120;
|
|
||||||
detection_time = 1800;
|
|
||||||
blacklist_threshold = 120;
|
|
||||||
blacklist_file = "/var/lib/sshguard/blacklist.db";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
@ -14,7 +14,7 @@
|
||||||
element-desktop # A feature-rich client for Matrix.org
|
element-desktop # A feature-rich client for Matrix.org
|
||||||
gimp # GNU Image Manipulation Program, a powerful and open-source raster graphics editor for tasks like photo editing and graphic design.
|
gimp # GNU Image Manipulation Program, a powerful and open-source raster graphics editor for tasks like photo editing and graphic design.
|
||||||
gparted # Gnome Partition Editor, a graphical partition manager for creating, resizing, and managing disk partitions.
|
gparted # Gnome Partition Editor, a graphical partition manager for creating, resizing, and managing disk partitions.
|
||||||
# kicad # An open-source electronic design automation (EDA) suite for creating schematics, PCB layouts, and 3D models.
|
kicad # An open-source electronic design automation (EDA) suite for creating schematics, PCB layouts, and 3D models.
|
||||||
kodi # An open-source media center, providing a versatile platform for streaming and organizing media content.
|
kodi # An open-source media center, providing a versatile platform for streaming and organizing media content.
|
||||||
pavucontrol # PulseAudio Volume Control, a feature-rich GUI for controlling and configuring the PulseAudio sound system.
|
pavucontrol # PulseAudio Volume Control, a feature-rich GUI for controlling and configuring the PulseAudio sound system.
|
||||||
#sublime-music # A modern and feature-rich music player with a clean user interface and advanced playback options.
|
#sublime-music # A modern and feature-rich music player with a clean user interface and advanced playback options.
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@
|
||||||
../../common/nixos/ssh_client.nix
|
../../common/nixos/ssh_client.nix
|
||||||
../../common/nixos/ssh_guard.nix
|
../../common/nixos/ssh_guard.nix
|
||||||
../../common/gui/hyprland.nix
|
../../common/gui/hyprland.nix
|
||||||
../../common/gui/thunar.nix
|
../../common/gui/default.nix
|
||||||
../../common/style/stylix.nix
|
../../common/style/stylix.nix
|
||||||
../../common/virtualization/default.nix
|
../../common/virtualization/default.nix
|
||||||
../../common/nixos/sysctl/default.nix
|
../../common/nixos/sysctl/default.nix
|
||||||
|
|
|
||||||
|
|
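Review bot: The context lines `../../common/nixos/ssh_client.nix` and `../../common/nixos/ssh_guard.nix` in this host's imports look stale after this commit: the same commit deletes a 12-line `services.sshguard` module, adds `common/nixos/ssh/default.nix` importing `./ssh_client.nix` and `./ssh_guard.nix` from the new directory, and the other host in this diff replaces exactly these two lines plus `ssh.nix` with `../../common/nixos/ssh/default.nix`. If the old paths no longer exist this host will fail to evaluate with a missing-path error; replace the two lines with `../../common/nixos/ssh/default.nix` and set `ssh.enable`/`ssh_guard.enable` as the other hosts do. The imports list begins before the hunk.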
@ -0,0 +1,135 @@
|
||||||
|
# This is your system's configuration file.
|
||||||
|
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
|
||||||
|
{
|
||||||
|
inputs,
|
||||||
|
outputs,
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
user,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
# You can import other NixOS modules here
|
||||||
|
imports = [
|
||||||
|
# If you want to use modules your own flake exports (from modules/nixos):
|
||||||
|
# outputs.nixosModules.example
|
||||||
|
../../common/nixos/common.nix
|
||||||
|
../../common/nixos/laptop.nix
|
||||||
|
../../common/networking/default.nix
|
||||||
|
../../common/nixos/bluetooth.nix
|
||||||
|
../../common/nixos/restic.nix
|
||||||
|
../../common/nixos/ssh/default.nix
|
||||||
|
../../common/gui/hyprland.nix
|
||||||
|
../../common/gui/default.nix
|
||||||
|
../../common/style/stylix.nix
|
||||||
|
../../common/virtualization/default.nix
|
||||||
|
../../common/nixos/sysctl/default.nix
|
||||||
|
|
||||||
|
./auditd.nix
|
||||||
|
./kernel.nix
|
||||||
|
./sysctl.nix
|
||||||
|
./earlyoom.nix
|
||||||
|
./syncthing.nix
|
||||||
|
|
||||||
|
# Or modules from other flakes (such as nixos-hardware):
|
||||||
|
# inputs.hardware.nixosModules.common-cpu-amd
|
||||||
|
# inputs.hardware.nixosModules.common-ssd
|
||||||
|
inputs.nix-index-database.nixosModules.nix-index
|
||||||
|
inputs.stylix.nixosModules.stylix
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
# You can also split up your configuration and import pieces of it here:
|
||||||
|
# ./users.nix
|
||||||
|
|
||||||
|
# Import your generated (nixos-generate-config) hardware configuration
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
ssh.enable = true;
|
||||||
|
ssh_guard.enable = true;
|
||||||
|
|
||||||
|
# Bootloader.
|
||||||
|
boot = {
|
||||||
|
loader = {
|
||||||
|
systemd-boot.enable = true;
|
||||||
|
efi.canTouchEfiVariables = true;
|
||||||
|
};
|
||||||
|
initrd.luks.devices."luks-b13379b3-2025-4d55-a40a-c0f3ad8ec801".device = "/dev/disk/by-uuid/b13379b3-2025-4d55-a40a-c0f3ad8ec801";
|
||||||
|
};
|
||||||
|
|
||||||
|
# sops
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = ../../secrets/secrets.yaml;
|
||||||
|
defaultSopsFormat = "yaml";
|
||||||
|
age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs = {
|
||||||
|
# You can add overlays here
|
||||||
|
overlays = [
|
||||||
|
# Add overlays your own flake exports (from overlays and pkgs dir):
|
||||||
|
outputs.overlays.additions
|
||||||
|
outputs.overlays.modifications
|
||||||
|
outputs.overlays.unstable-packages
|
||||||
|
|
||||||
|
# You can also add overlays exported from other flakes:
|
||||||
|
# neovim-nightly-overlay.overlays.default
|
||||||
|
|
||||||
|
# Or define it inline, for example:
|
||||||
|
# (final: prev: {
|
||||||
|
# hi = final.hello.overrideAttrs (oldAttrs: {
|
||||||
|
# patches = [ ./change-hello-to-hi.patch ];
|
||||||
|
# });
|
||||||
|
# })
|
||||||
|
];
|
||||||
|
# Configure your nixpkgs instance
|
||||||
|
config = {
|
||||||
|
# Disable if you don't want unfree packages
|
||||||
|
allowUnfree = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# This will add each flake input as a registry
|
||||||
|
# To make nix3 commands consistent with your flake
|
||||||
|
nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
|
||||||
|
|
||||||
|
# This will additionally add your inputs to the system's legacy channels
|
||||||
|
# Making legacy nix commands consistent as well, awesome!
|
||||||
|
nix.nixPath = ["/etc/nix/path"];
|
||||||
|
environment.etc =
|
||||||
|
lib.mapAttrs'
|
||||||
|
(name: value: {
|
||||||
|
name = "nix/path/${name}";
|
||||||
|
value.source = value.flake;
|
||||||
|
})
|
||||||
|
config.nix.registry;
|
||||||
|
|
||||||
|
networking.hostName = "candlekeep";
|
||||||
|
networking.networkmanager.enable = true;
|
||||||
|
|
||||||
|
users.users = {
|
||||||
|
gwg313 = {
|
||||||
|
initialPassword = "correcthorsebatterystaple";
|
||||||
|
isNormalUser = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILq54YrM3BbhBs0oDLOrc1bkg6FCCmkV4E3pWLZp0ejN gwg313@pm.me"
|
||||||
|
];
|
||||||
|
extraGroups = ["wheel"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
loginShellInit = ''
|
||||||
|
if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then
|
||||||
|
exec Hyprland
|
||||||
|
fi
|
||||||
|
''; # Will automatically open Hyprland when logged into tty1
|
||||||
|
variables = {
|
||||||
|
TERMINAL = "alacritty";
|
||||||
|
EDITOR = "nvim";
|
||||||
|
VISUAL = "nvim";
|
||||||
|
PAGER = "moar";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
|
||||||
|
system.stateVersion = "23.05";
|
||||||
|
}
|
||||||
|
|
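Review bot: `initialPassword = "correcthorsebatterystaple";` commits a plaintext login password for a `wheel` member to the repository, and NixOS keeps an initialPassword in effect until the user changes it, so it is not just a bootstrap value. This host already wires up sops-nix (`inputs.sops-nix.nixosModules.sops` and the `sops = { ... }` block), so the password can come from a secret instead, e.g. `hashedPasswordFile = config.sops.secrets.<secret-name placeholder>.path;` with that secret declared `neededForUsers = true`; failing that, `initialHashedPassword` at least keeps the plaintext out of git. The account is also hard-coded as `gwg313` while the rest of the file uses the `user` argument (`age.keyFile = "/home/${user}/..."`), so `users.users.${user} = { ... }` would keep the two in step. The file is new, so all of this is within the commit's scope.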
@ -17,9 +17,7 @@
|
||||||
../../common/networking/zerotier.nix
|
../../common/networking/zerotier.nix
|
||||||
../../common/nixos/bluetooth.nix
|
../../common/nixos/bluetooth.nix
|
||||||
../../common/nixos/restic.nix
|
../../common/nixos/restic.nix
|
||||||
../../common/nixos/ssh.nix
|
../../common/nixos/ssh/default.nix
|
||||||
../../common/nixos/ssh_client.nix
|
|
||||||
../../common/nixos/ssh_guard.nix
|
|
||||||
../../common/gui/hyprland.nix
|
../../common/gui/hyprland.nix
|
||||||
../../common/gui/steam.nix
|
../../common/gui/steam.nix
|
||||||
../../common/gui/thunar.nix
|
../../common/gui/thunar.nix
|
||||||
|
|
@ -48,6 +46,9 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
ssh.enable = true;
|
||||||
|
ssh_guard.enable = true;
|
||||||
|
|
||||||
# Bootloader.
|
# Bootloader.
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
|
|
|
||||||
|
|
@ -10,7 +10,7 @@
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/installer/scan/not-detected.nix")
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
../../common/nixos/nfs.nix
|
# ../../common/nixos/nfs.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
|
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
|
||||||
|
|
|
||||||