Unverified Commit 408a3f25 authored by Matthias Adamczyk's avatar Matthias Adamczyk

Initial commit

This sets up the nixfiles repository for managing the Lenovo E15 honeybooks.
Documentation on how to manage these nixfiles will be added soon after.
# Common configuration
Common configuration for all nixos machines.
This includes user, services and other miscellaneous configuration.
## Structure
```
└── common # Configured services
├── default.nix # Imports .nix files from this directory and
│ # includes some miscellaneous configuration
├── users.nix # Configured users on all hosts
├── vim.nix # vim config
└── services.nix # Common services on all hosts
```
{ config, pkgs, lib, ... }:
{
imports = [
../modules
./users.nix
./services.nix
];
time.timeZone = lib.mkDefault "UTC";
# internationalisation properties.
i18n.defaultLocale = lib.mkDefault "de_DE.UTF-8";
i18n.extraLocaleSettings = lib.mkDefault {
LC_TIME = "de_DE.UTF-8";
};
# Essential packages in system profile. To search, run:
# $ nix search wget
# or query https://search.nixos.org
environment.systemPackages = with pkgs; [
alacritty.terminfo
kitty.terminfo
rxvt_unicode.terminfo
termite.terminfo
# other stuff
bash-completion
borgbackup
bc
cryptsetup
curl
dnsutils
file
git
gnupg
htop
jq
killall
man-pages
mosh
ncat
nixfmt
nload
pass
pv
ripgrep
rsync
shellcheck
socat
tmux
unzip
wget
whois
#(import ./vim.nix)
vim
vnstat
];
programs = {
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
mtr.enable = true;
vim.defaultEditor = true;
};
# Periodically clean the nix store
nix.gc.automatic = true;
nix.gc.dates = "04:15";
}
{ config, pkgs, ... }:
let
nixos-unstable = import (fetchTarball "https://github.com/nixos/nixpkgs/archive/5e1e2914eb8d6548ff5bd710afb89a6043bba620.tar.gz") {};
nixos-master = import (fetchTarball "https://github.com/nixos/nixpkgs/archive/6d0da63aecb701cead9322806550e44a4f82c760.tar.gz") {};
vergedx = import (fetchTarball "https://github.com/VergeDX/nixpkgs/archive/f2321130100790c6bdf2ff618d81130e085e2896.tar.gz") {};
in
{
imports = [ ./wireless.nix ];
time.timeZone = "Europe/Berlin";
# Default packages to install for desktop hosts
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
# Terminals
alacritty
rxvt_unicode
termite
# Desktop essentials
arandr # xrandr GUI
gnome.vinagre # vnc viewer
pavucontrol # pulseaudio control gui
xclip # clipboard
xorg.xbacklight # screen brightness control
# Documents & Multimedia
evince # pdf viewer
feh # image viewer
ffmpeg # swiss army knife for video processing
gnome.nautilus # file manager
gnome.eog # image viewer
gnome.simple-scan # Scanner utility
hacksaw # screenshot utility
mpv # video player
optipng # png compression
scrot # screenshot
shotgun # screenshot
youtube-dl # youtube downloader
xournalpp # pdf editor
# Social
nixos-unstable.element-desktop
nixos-master.tdesktop
# Web/Mail/News
chromium
firefox-esr
liferea
qutebrowser
thunderbird
tor-browser-bundle-bin
# Miscellaneous tools
poppler_utils # provides pdftotext
# Dev Tools
gcc
jetbrains.idea-community
rustup
];
fonts.fonts = with pkgs; [
font-awesome
font-awesome_4
noto-fonts-emoji
ttf_bitstream_vera
];
fonts.fontconfig.defaultFonts = {
emoji = ["Noto Color Emoji"];
serif = ["Bitstream Vera Serif"];
sansSerif = ["Bitstream Vera Sans"];
monospace = ["Bitstream Vera Sans Mono"];
};
# Android debug bridge
programs.adb.enable = true;
# Enable sound.
sound.enable = true;
hardware.pulseaudio.package = pkgs.pulseaudioFull;
hardware.pulseaudio.enable = true;
nixpkgs.config.pulseaudio = true;
# Scanning
services.avahi.enable = true;
services.avahi.nssmdns = true;
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
services.saned = {
enable = true;
extraConfig = ''
10.0.0.0/24
'';
};
services = {
logind = {
lidSwitch = "ignore";
extraConfig = ''
HandlePowerKey=suspend
'';
};
# CUPS
printing = {
enable = true;
};
xserver = {
enable = true;
desktopManager.gnome.enable = true;
displayManager.gdm.enable = true;
# Configure keymap in X11
layout = "de";
xkbOptions = "eurosign:e";
# Touchpad
libinput.enable = true;
};
};
}
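Review bot: The three `fetchTarball` calls in the `let` at the top of this file (nixos-unstable, nixos-master, vergedx) pin a commit in the URL but pass no `sha256`, so nothing verifies the downloaded content against an expected hash and evaluation trusts whatever the server returns for that URL. Give each one a `sha256 = "<placeholder: hash of the tarball>"` so the fetch is content-addressed, or move these pins into `nix/sources.nix`, which the top-level default.nix already uses for the main nixpkgs checkout. `vergedx` is also bound but never referenced anywhere in this module, so the third-party fork is fetched and evaluated for nothing; drop that binding until a package from it is actually used, and add a comment naming which package needs it when it returns.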
{ pkgs, lib, config, ... }:
let
nixpkgs = lib.cleanSource pkgs.path;
nixSources = pkgs.runCommand "nixos-${config.system.nixos.version}"
{ preferLocalBuild = true; } ''
mkdir -p $out
cd ${nixpkgs.outPath}
tar -cpf $out/nixpkgs.tar.gz .
sha256sum $out/nixpkgs.tar.gz | cut -d " " -f 1 > $out/nixpkgs.sha256
cp -prd ${nixpkgs.outPath} $out/nixpkgs
chmod -R u+w $out/nixpkgs
${lib.optionalString (config.system.nixos.revision != null) ''
echo -n ${config.system.nixos.revision} > $out/nixpkgs/.git-revision
''}
echo -n ${config.system.nixos.versionSuffix} > $out/nixpkgs/.git-revision
echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixpkgs/svn-revision
date +%s > $out/last_updated
'';
in {
environment.etc."src".source = nixSources;
environment.variables.NIX_PATH = lib.mkOverride 25 "/etc/src";
}
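Review bot: The unconditional `echo -n ${config.system.nixos.versionSuffix} > $out/nixpkgs/.git-revision` overwrites the file the preceding conditional `echo` just filled with `config.system.nixos.revision`, so the copied checkout ends up with the version suffix where its revision should be; the suffix appears to belong in its own file, `echo -n ${config.system.nixos.versionSuffix} > $out/nixpkgs/.version-suffix` (nixpkgs' lib reads `.git-revision` and `.version-suffix` separately — confirm against the pinned checkout). `tar -cpf $out/nixpkgs.tar.gz .` also writes an uncompressed archive under a `.gz` name, and the `sha256sum` on the next line then hashes that; either add `-z` or name the artifact `nixpkgs.tar`. A one-line comment at the top of the `let` stating that this derivation exports the running system's nixpkgs to `/etc/src` and points `NIX_PATH` at it would save the next reader from reconstructing the intent.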
{ config, pkgs, ... }:
{
services = {
openssh = {
enable = true;
passwordAuthentication = false;
challengeResponseAuthentication = false;
};
vnstat.enable = true;
};
}
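Review bot: Root is given SSH authorized keys in users.nix, yet this block leaves `services.openssh.permitRootLogin` at its default, so whether root can log in at all depends on the NixOS default for the pinned release rather than on anything in the repository. Since the two explicit `false` settings show that hardening is intended, state the root policy next to them, `permitRootLogin = "prohibit-password";`, so a future default change can neither silently widen nor silently break root key access, and add a comment naming why root key login is needed (presumably the deploy script in lib/deploy.nix).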
{ config, pkgs, ... }:
{
nix.trustedUsers = [ "root" "@wheel" ];
security.sudo.wheelNeedsPassword = false;
users.users.honeypotter = {
isNormalUser = true;
extraGroups = [ "audio" "video" "lp" "scanner" ];
password = "";
};
users.users.matti = {
isNormalUser = true;
extraGroups = [ "wheel" "audio" "video" "lp" "scanner" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4HRKYocVaZq5rTBYYgWp0GegdJ0x4teTykgtSjR0A+ matti@archlunix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxErCCAEa7gepD9Kib8t7PPz3FLol3d8C6gpeUt27F3 matti@kiffi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFekeQ8o3swU8ZF7F1S+JwuKP/8l6AhQC5pRObtT6s0m matti@kipper"
];
};
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4HRKYocVaZq5rTBYYgWp0GegdJ0x4teTykgtSjR0A+ matti@archlunix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxErCCAEa7gepD9Kib8t7PPz3FLol3d8C6gpeUt27F3 matti@kiffi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFekeQ8o3swU8ZF7F1S+JwuKP/8l6AhQC5pRObtT6s0m matti@kipper"
];
};
}
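Review bot: `users.users.honeypotter` is created with `password = ""` and nothing in the module says whether that is deliberate for a shared walk-up account; combined with `security.sudo.wheelNeedsPassword = false` and `nix.trustedUsers = [ "root" "@wheel" ]` above it, anyone at the GDM login of these laptops gets a local session, and every wheel member is effectively root (a trusted Nix user can set any daemon option and import unsigned store paths). If the empty password is intentional, say so in a comment on that line and note that the account is kept out of `wheel` on purpose; `initialPassword` would also document that it is only a starting value. The identical three-key list for `matti` and `root` should be bound once, `let mattiKeys = [ … ]; in`, and reused in both places so the two copies cannot drift apart.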
# This configuration gets imported into
# `environment.systemPackages`
with import <nixpkgs> {};
vim_configurable.customize {
# Load as `vim` executable
name = "vim";
# Custom .vimrc
vimrcConfig.customRC = ''
syntax enable
set pastetoggle=<F2>
function s:MkNonExDir(file, buf)
if empty(getbufvar(a:buf, '&buftype')) && a:file!~#'\v^\w+\:\/'
let dir=fnamemodify(a:file, ':h')
if !isdirectory(dir)
call mkdir(dir, 'p')
endif
endif
endfunction
augroup BWCCreateDir
autocmd!
autocmd BufWritePre * :call s:MkNonExDir(expand('<afile>'), +expand('<abuf>'))
augroup END
'';
# Load the following vim plugins:
vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
start = [
fugitive
lightline-vim
nerdtree
vim-colors-solarized
vim-polyglot
YouCompleteMe
];
# manually loadable by calling `:packadd $plugin-name`
# however, if a Vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [];
# To automatically load a plugin when opening a filetype, add vimrc lines like:
# autocmd FileType php :packadd phpCompletion
};
}
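Review bot: `with import <nixpkgs> {};` on the third line of this file evaluates whatever `<nixpkgs>` resolves to in NIX_PATH, so vim is built from an unpinned package set rather than from the `sources.nix` pin the rest of the repository uses, and `pkgs.vimPlugins` further down reaches through that same `with`. Since the only consumer is the commented-out `(import ./vim.nix)` in common/default.nix, make the file a function of the module's package set instead, `{ pkgs }: pkgs.vim_configurable.customize { … }`, and call it as `(import ./vim.nix { inherit pkgs; })`. The header comment should then say that the file expects the caller's `pkgs` rather than that it "gets imported into `environment.systemPackages`".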
{ config, ... }:
{
networking = {
wireless = {
enable = true;
networks."Honeynet" = {
psk = "MateMateMate";
};
};
# Disable explicitly since it gets enabled by gnome
networkmanager.enable = false;
};
}
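Review bot: The Wi-Fi pre-shared key `psk = "MateMateMate"` is committed in clear text, and because `networking.wireless.networks` is rendered into the supplicant config in the Nix store it is also readable by every local user of every host that imports this module (including the password-less `honeypotter` account). Keep the secret out of both the repository and the store: put `HONEYNET_PSK=…` in a root-only file on each host and reference it with `environmentFile = "<placeholder: root-only env file path>"; networks."Honeynet".psk = "@HONEYNET_PSK@";` (check that `networking.wireless.environmentFile` exists on the pinned nixpkgs), then rotate the key that is already in git history. A comment explaining why `networkmanager.enable = false` must be explicit is already there; a matching one saying where the PSK lives on the host would complete the module.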
# sources.nix contains the nixpkgs checkout that is going
# to be used on all hosts.
let
sources = import ./nix/sources.nix;
pkgs = import sources.nixpkgs {
system = "x86_64-linux";
# own packages are applied on top as overlay
# todo overlay documentation
overlays = [
(self: super: import ./pkgs { pkgs = super; })
];
};
in {
inherit sources pkgs;
inherit (pkgs) lib; # inherit lib from pkgs
# Pass the pkgs from sources.nix to each module under lib/
kexec_tarball = import ./lib/kexec-tarball.nix { inherit pkgs; };
isoImage = import ./lib/iso-image.nix { inherit pkgs; };
deploy = import ./lib/deploy.nix { inherit pkgs; };
# not needed right now
#unlock = import ./lib/unlock-fde.nix { inherit pkgs; };
}
// (import ./lib/hosts.nix { inherit pkgs; })
{ config, pkgs, ... }:
{
imports = [
../../common
../../common/desktop.nix
./hardware-configuration.nix
./networking.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d95da3d4-3e00-4396-9772-5fb52bb6e68d";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3AC3-DDDC";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d7986f4b-d5a7-41e6-a05f-8ef669934160"; }
];
}
{ config, pkgs, ... }:
{
networking = {
hostName = "e151";
domain = "local";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
useDHCP = false;
interfaces.enp2s0.useDHCP = true;
interfaces.wlp3s0.useDHCP = true;
wireless = {
enable = true;
interfaces = ["wlp3s0"];
};
};
}
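Review bot: `domain = "local"` gives the host the FQDN `e151.local`, but `.local` is the multicast-DNS domain that desktop.nix hands to avahi via `services.avahi.nssmdns = true`, so unicast and mDNS resolution of the same name can disagree (the mdns NSS plugin typically answers `.local` itself and does not fall through to DNS). If no real DNS zone serves these hosts, drop `domain` or use a non-reserved name; the same line appears in the e152 networking file in this commit. `wireless.enable = true` here also duplicates the setting in common/wireless.nix, which desktop.nix already imports, so one of the two places should own it and the other should only add `interfaces`.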
{ config, pkgs, ... }:
{
imports = [
../../common
../../common/desktop.nix
./hardware-configuration.nix
./networking.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7c2c5874-eee4-4684-98ad-5b400cbdf590";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3CC4-2E50";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/3c9b6a03-68f2-4735-aaaa-34fcba970423"; }
];
}
{ config, pkgs, ... }:
{
networking = {
hostName = "e152";
domain = "local";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
useDHCP = false;
interfaces.enp2s0.useDHCP = true;
interfaces.wlp3s0.useDHCP = true;
wireless = {
enable = true;
interfaces = ["wlp3s0"];
};
};
}
{ pkgs }:
with pkgs.lib;
let
inherit (import ./hosts.nix { inherit pkgs; }) hosts groups;
in (
mapAttrs (name: hosts: pkgs.writeScript "deploy-group-${name}" ''
#!${pkgs.runtimeShell}
export PATH=
${concatMapStrings (host: ''
echo "deploying ${host.config.networking.hostName}..."
${host.config.system.build.deployScript} $1 &
PID_LIST+=" $!"
'') hosts}
# FIXME: remove jobs from PIDLIST once they finish
trap "kill $PID_LIST" SIGINT
wait $PID_LIST
'') groups
)
// (mapAttrs (name: host: host.config.system.build.deployScript) hosts)
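Review bot: In the generated per-group script, `$1` is passed unquoted to every host's deployScript, so an argument containing spaces is split and an empty argument disappears; write `${host.config.system.build.deployScript} "$1" &`. The `trap` is also installed only after all jobs have been spawned, so an interrupt during the spawn loop leaves the already-started deployments running; install it before the loop with deferred expansion, `trap 'kill $PID_LIST' INT`, which is safe because `PID_LIST+=` already assumes `${pkgs.runtimeShell}` is bash. The FIXME about never removing finished PIDs stands: a later `kill $PID_LIST` can signal a reused PID, so dropping each PID from the list as its job completes (or using `wait -n`) should be part of the same fix.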
{ pkgs ? import ../pkgs { /* TODO system */} }:
with pkgs.lib;
rec {
hostsDir = ../hosts;
hostNames = attrNames (
filterAttrs (
name: type: type == "directory"
) (
builtins.readDir hostsDir
)
);
# HACK: We want to choose a nixpkgs version depending on the host architecture, but
# the host architecture is set in the NixOS config. We accept the limitation that
# nixpkgs.system must be set in the main configuration.nix file to prevent reading
# the host configuration twice.
hostArch = hostName:
(
(
import (hostsDir + "/${hostName}/configuration.nix") {
inherit (pkgs) pkgs lib;
config = {};
modulesPath = "";
}
).nixpkgs or {}
).system or "x86_64-linux"
;
nixpkgsFor = hostName: (import ../pkgs {
system = hostArch hostName;
}).path;
hostConfig = hostName: { config, ... }: {
_module.args = {
inherit hosts groups;
};
imports = [
(import (hostsDir + "/${hostName}/configuration.nix"))
../modules
];
networking = {
inherit hostName;
};
nixpkgs.pkgs = import ../pkgs {
inherit (config.nixpkgs) config system;
};
};
hosts = listToAttrs (
map (
hostName: nameValuePair hostName (
import ((nixpkgsFor hostName) + "/nixos") {
configuration = hostConfig hostName;
system = hostArch hostName;
}
)
) hostNames
);
groupNames = unique (
concatLists (
mapAttrsToList (
name: host: host.config.deploy.groups
) hosts