From aca053b4e1f2d58f8dd4bb93e233a9b56677f14c Mon Sep 17 00:00:00 2001 
From: Christine Elisabeth Koppel Date: Fri, 6 Feb 2026 21:31:22 +0100 Subject: [PATCH] Refactor the Nix config management. --- .gitignore | 4 + nix-system-configs/example-composed.nix | 20 + .../forgejo/forgejo-git-post.nix | 418 ----------------- nix-system-configs/forgejo/forgejo-git.nix | 415 ----------------- .../forgejo/forgejo-insystem.nix | 436 ------------------ .../forgejo/forgejo-localconfig.nix | 2 - nix-system-configs/forgejo/pull.zsh | 1 + nix-system-configs/forgejo/push.zsh | 1 + .../modules/bootloader/seabios.nix | 29 ++ .../modules/desktop-manager/gnome.nix | 12 + .../sway_greetd_homemanager.nix | 133 ++++++ nix-system-configs/modules/lix-default.nix | 111 +++++ .../modules/local/hostname_username.nix | 26 ++ .../modules/local/networking_local.nix | 45 ++ nix-system-configs/modules/scripts/pull.zsh | 143 ++++++ nix-system-configs/modules/scripts/push.zsh | 173 +++++++ .../modules/secrets/secrets.example.nix | 19 + nix-system-configs/modules/system/forgejo.nix | 86 ++++ nix-system-configs/modules/system/traefik.nix | 101 ++++ .../modules/toolsets/remote_building.nix | 50 ++ nix-system-configs/new-server-notes.md | 1 - nix-system-configs/nixos-gateway.nix | 387 ---------------- nix-system-configs/nixos-template.nix | 105 ----- 23 files changed, 954 insertions(+), 1764 deletions(-) create mode 100644 nix-system-configs/example-composed.nix delete mode 100644 nix-system-configs/forgejo/forgejo-git-post.nix delete mode 100644 nix-system-configs/forgejo/forgejo-git.nix delete mode 100644 nix-system-configs/forgejo/forgejo-insystem.nix create mode 100644 nix-system-configs/modules/bootloader/seabios.nix create mode 100644 nix-system-configs/modules/desktop-manager/gnome.nix create mode 100644 nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix create mode 100644 nix-system-configs/modules/lix-default.nix create mode 100644 nix-system-configs/modules/local/hostname_username.nix create mode 100644 
nix-system-configs/modules/local/networking_local.nix
create mode 100644 nix-system-configs/modules/scripts/pull.zsh
create mode 100644 nix-system-configs/modules/scripts/push.zsh
create mode 100644 nix-system-configs/modules/secrets/secrets.example.nix
create mode 100644 nix-system-configs/modules/system/forgejo.nix
create mode 100644 nix-system-configs/modules/system/traefik.nix
create mode 100644 nix-system-configs/modules/toolsets/remote_building.nix
delete mode 100644 nix-system-configs/new-server-notes.md
delete mode 100644 nix-system-configs/nixos-gateway.nix
delete mode 100644 nix-system-configs/nixos-template.nix
diff --git a/.gitignore b/.gitignore
index ea8c4bf..6508bc9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,5 @@
 /target
+
+# Secrets and local env
+/nix-system-configs/modules/secrets/secrets.nix
+/.env
diff --git a/nix-system-configs/example-composed.nix b/nix-system-configs/example-composed.nix
new file mode 100644
index 0000000..42a1f9f
--- /dev/null
+++ b/nix-system-configs/example-composed.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = [
+ # ./secrets/secrets.nix # Add this locally after running add-secrets.zsh
+ # Optionally import local secrets if present (won't fail if missing)
+ (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
+ ./modules/desktop-manager/sway_greetd_homemanager.nix
+ ./modules/local/hostname_username.nix
+ ./modules/local/networking_local.nix
+ ./modules/toolsets/remote_building.nix
+ ./modules/bootloader/seabios.nix
+ ./modules/lix-default.nix
+ ];
+
+ system.stateVersion = "25.11";
+}
diff --git a/nix-system-configs/forgejo/forgejo-git-post.nix b/nix-system-configs/forgejo/forgejo-git-post.nix
deleted file mode 100644
index 9ae29b1..0000000
--- a/nix-system-configs/forgejo/forgejo-git-post.nix
+++ /dev/null
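Review bot: The new ignore rule `/nix-system-configs/modules/secrets/secrets.nix` does not cover the path the new example actually imports — `./secrets/secrets.nix` in `nix-system-configs/example-composed.nix` resolves to `nix-system-configs/secrets/secrets.nix`, which this hunk leaves trackable, so a secrets file dropped where the example expects it would be swept up by the `git commit .` style the repo's push.zsh uses. Either align the example's import with `modules/secrets/` or ignore both locations, e.g. `/nix-system-configs/**/secrets/secrets.nix`. A `.gitignore` entry also does nothing for a file that is already tracked or was committed earlier, so it is worth confirming with `git log --all -- '*secrets.nix'` that no copy is in history before relying on it.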
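Review bot: The `(lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)` element of `imports` is a list nested inside the imports list, and the NixOS module system rejects that at evaluation time (a "Module imports can't be nested lists" error, if I recall nixpkgs' lib/modules.nix correctly), so this example fails to build whether or not the secrets file exists. Splice it in instead: `imports = [ ./modules/desktop-manager/sway_greetd_homemanager.nix … ./modules/lix-default.nix ] ++ lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix;`. Note also that the path is relative to this file (`nix-system-configs/secrets/secrets.nix`) while the new `.gitignore` entry and `secrets.example.nix` live under `modules/secrets/`, so one of the two should change. Silently skipping a missing secrets file means a host can be deployed without its secrets and nothing flags it; consider an assertion or `lib.warn`, or at least say so in the comment: `# Secrets are optional here: a host built without ./secrets/secrets.nix gets no secrets and no error`. Finally, anything assigned from secrets.nix into plain Nix options is copied into the world-readable /nix/store, so keep secrets.nix to file paths (the `passwordFile` pattern the deleted configs used) or a secrets manager rather than inline values.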
@@ -1,418 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration-knot.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). -{ - config, - pkgs, - lib, - ... -}: let - home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; - cfg = config.services.forgejo; - srv = cfg.settings.server; -in { - # Home Manager Configuration - imports = [ - # Include the results of the hardware scan. - (import "${home-manager}/nixos") - ]; - - networking.hostName = "forgejoprg"; # Define your hostname. - # BE SURE TO FIND AND REPLACE ALL INSTANCES OF THIS HOSTNAME IN THE CONFIGURATION FILES - # Define a user account. Don't forget to set a password with ‘passwd’. - - users.users.forgejoprg = { - isNormalUser = true; - description = "NixOS Playground"; - extraGroups = ["networkmanager" "wheel" "seat"]; - packages = with pkgs; []; - initialPassword = "nixos"; # Simple, change on first login - }; - - home-manager.users.forgejoprg = {pkgs, ...}: { - home.packages = [ - pkgs.atool - pkgs.httpie - pkgs.alacritty # Terminal emulator - pkgs.hyfetch # Add fetching packages - pkgs.macchina - pkgs.wayland # Wayland display server - pkgs.wlroots # Wayland compositor library - pkgs.maple-mono.NF # Font for better terminal appearance - pkgs.wl-clipboard # Clipboard utilities for Wayland - pkgs.mako # Wayland Sway Notification Daemon - pkgs.btop # Resource monitor - ]; - - # Set Alacritty as the default terminal emulator - home.sessionVariables = { - TERMINAL = "alacritty"; - }; - - # Use Zsh as the default shell - programs.zsh.enable = true; - - # Configure Alacritty as the default terminal emulator - programs.alacritty = { - enable = true; - settings = { - # Window configuration - window = { - opacity = 1.0; - padding = { - x = 10; - y = 10; - }; - }; - - # Font configuration - fixes spacing issues - font = { - normal = { - family = 
"Maple Mono NF"; - style = "Regular"; - }; - bold = { - family = "Maple Mono NF"; - style = "Bold"; - }; - italic = { - family = "Maple Mono NF"; - style = "Italic"; - }; - bold_italic = { - family = "Maple Mono NF"; - style = "Bold Italic"; - }; - size = 14.0; - }; - - # Colors (optional - using default Alacritty colors) - colors = { - primary = { - background = "#1e1e2e"; - foreground = "#cdd6f4"; - }; - }; - }; - }; - - # Configure Hyfetch system info fetcher - programs.hyfetch = { - enable = true; - settings = { - preset = "lesbian"; # Use lesbian flag preset - mode = "rgb"; # Use RGB color mode - lightness = 0.55; # Set to 55% brightness - backend = "macchina"; # Use macchina as the backend - logo_size = "small"; # Make small logo - pride_month_disable = false; # Enable pride month mode (or true to disable) - pride_month_shown = []; # List of shown pride month flags - color_align = { - mode = "horizontal"; - }; - }; - }; - - # The state version is required and should stay at the version you - # originally installed. 
- home.stateVersion = "25.11"; - }; - - # Use Lix instead of Nix - nixpkgs.overlays = [ - (final: prev: { - inherit - (prev.lixPackageSets.stable) - nixpkgs-review - nix-eval-jobs - nix-fast-build - colmena - ; - }) - ]; - nix.package = pkgs.lixPackageSets.stable.lix; - - # Enable Fedgejo service - services.nginx = { - enable = true; - virtualHosts."git.prg.local" = { - # Remove forceSSL and enableACME for local network - # forceSSL = true; - # enableACME = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; - }; - }; - - # Enable PostgreSQL for Forgejo - services.postgresql.enable = true; - - # Forgejo configuration - services.forgejo = { - enable = true; - database = { - type = "postgres"; - host = "10.1.1.251"; # IP of your database server - name = "forgejo"; - user = "forgejo"; - passwordFile = "/home/nixosbm/manual_builds/password.txt"; # Store password in a separate file for security - }; - lfs.enable = true; - - settings = { - server = { - DOMAIN = "git.prg.local"; - ROOT_URL = "http://${srv.DOMAIN}/"; - HTTP_PORT = 3000; - # SSH integration - SSH_PORT = lib.head config.services.openssh.ports; - }; - - # Temporarily allow registration to create admin user - service.DISABLE_REGISTRATION = false; - - # Enable Actions support - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - - # Optional: Email configuration - # mailer = { - # ENABLED = false; - # }; - }; - }; - - # Bootloader - GRUB for Legacy BIOS - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.loader.grub = { - enable = true; - device = "/dev/vda"; # Install GRUB to the disk - efiSupport = false; # Disable UEFI - }; - boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"]; - fileSystems."/" = { - device = "/dev/vda1"; - fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently - }; - - # Enable Rsync - services.rsync.enable = true; - - # Configure 
network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Enable SSH - services.openssh = { - enable = true; - ports = [22]; - settings = { - PasswordAuthentication = false; - AllowUsers = null; - UseDns = true; - PermitRootLogin = "no"; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Copenhagen"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_AU.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "et_EE.UTF-8"; - LC_IDENTIFICATION = "et_EE.UTF-8"; - LC_MEASUREMENT = "et_EE.UTF-8"; - LC_MONETARY = "et_EE.UTF-8"; - LC_NAME = "et_EE.UTF-8"; - LC_NUMERIC = "et_EE.UTF-8"; - LC_PAPER = "et_EE.UTF-8"; - LC_TELEPHONE = "et_EE.UTF-8"; - LC_TIME = "et_EE.UTF-8"; - }; - - # Configure keymap in X11 - services.xserver.xkb = { - layout = "us"; - variant = ""; - }; - - # Enable Seatd for Wayland sessions - # IMPORTANT: Enable seatd service for River WM - services.seatd = { - enable = true; - logLevel = "info"; - }; - - # Enable the gnome-keyring secrets vault. - # Will be exposed through DBus to programs willing to store secrets. 
- services.gnome.gnome-keyring.enable = true; - - # Enable Sway window manager - programs.sway = { - enable = true; - wrapperFeatures.gtk = true; - }; - - services.greetd = { - enable = true; - settings = { - default_session = { - command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; - user = "greeter"; - }; - }; - }; - - # Configure security to allow seatd access - security.polkit.enable = true; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # Passwordless sudo for wheel group - security.sudo.wheelNeedsPassword = false; - - # Hardware U2F support - Passwordless sudo with hardware key - security.pam.u2f = { - enable = true; - settings = { - authfile = "/etc/u2f_keys"; - cue = true; - pinverification = 0; # No PIN verification - userpresence = 1; # Require user presence (touch) - }; - }; - - # SSH Agent authentication - security.pam.sshAgentAuth.enable = true; - - # Automatic upgrades - system.autoUpgrade = { - enable = true; # Set to true for automatic updates - dates = "daily"; - allowReboot = false; - }; - - # System packages - environment.systemPackages = with pkgs; [ - # Network tools - wget - curl - dig - tcpdump - ethtool - iptables - nftables - iproute2 - bridge-utils - netcat-gnu - traceroute - mtr - arp-scan - - # Monitoring - btop - htop - iotop - - # Editors - micro - vim - helix - - # System info - fastfetch - lshw - pciutils - usbutils - ]; - - # Enable zram swap - zramSwap = { - enable = true; - memoryPercent = 50; - }; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [3000]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. 
- # networking.firewall.enable = false; - - # Attach the system to the IPFire network: set a static IP on the Proxmox bridge (ens18) - # Adjust `ens18` and the address below to your environment. - networking.interfaces.ens18.ipv4.addresses = [ - { - address = "10.1.1.4"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "10.1.1.1"; - - # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE - nix.distributedBuilds = true; - nix.buildMachines = [ - { - hostName = "nixos-build-machine"; - system = "x86_64-linux"; - sshUser = "nixremote"; - sshKey = "/root/.ssh/nixremote"; - maxJobs = 4; - speedFactor = 2; - supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; - } - ]; - - # Generate SSH key for remote building - systemd.services.generate-nixremote-key = { - description = "Generate SSH key for remote Nix builds"; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - if [ ! -f /root/.ssh/nixremote ]; then - ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder" - fi - ''; - }; - - programs.ssh.extraConfig = '' - Host nixos-build-machine - HostName 10.1.1.3 - IdentitiesOnly yes - IdentityFile /root/.ssh/nixremote - User nixremoteStrictHostKeyChecking accept-new - ''; - - # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub - # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list, - # then rebuild the build machine. - # i.e on the client: run "cat /root.ssh/nixremote.pub" - # and copy the output to the build machine's configuration.nix - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. 
- # Before changing this value read the documentation for this option - # (e.g. man configuration-knot.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "25.11"; # Did you read the comment? -} diff --git a/nix-system-configs/forgejo/forgejo-git.nix b/nix-system-configs/forgejo/forgejo-git.nix deleted file mode 100644 index 0d62412..0000000 --- a/nix-system-configs/forgejo/forgejo-git.nix +++ /dev/null 
@@ -1,415 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration-knot.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). -{ - config, - pkgs, - lib, - ... -}: let - home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; - cfg = config.services.forgejo; - srv = cfg.settings.server; -in { - # Home Manager Configuration - imports = [ - # Include the results of the hardware scan. - (import "${home-manager}/nixos") - ]; - - networking.hostName = "forgejoprg"; # Define your hostname. - # BE SURE TO FIND AND REPLACE ALL INSTANCES OF THIS HOSTNAME IN THE CONFIGURATION FILES - # Define a user account. Don't forget to set a password with ‘passwd’. - - users.users.forgejoprg = { - isNormalUser = true; - description = "NixOS Playground"; - extraGroups = ["networkmanager" "wheel" "seat"]; - packages = with pkgs; []; - initialPassword = "nixos"; # Simple, change on first login - }; - - home-manager.users.forgejoprg = {pkgs, ...}: { - home.packages = [ - pkgs.atool - pkgs.httpie - pkgs.alacritty # Terminal emulator - pkgs.hyfetch # Add fetching packages - pkgs.macchina - pkgs.wayland # Wayland display server - pkgs.wlroots # Wayland compositor library - pkgs.maple-mono.NF # Font for better terminal appearance - pkgs.wl-clipboard # Clipboard utilities for Wayland - pkgs.mako # Wayland Sway Notification Daemon - pkgs.btop # Resource monitor - ]; - - # Set Alacritty as the default terminal emulator - home.sessionVariables = { - TERMINAL = "alacritty"; - }; - - # Use Zsh as the default shell - programs.zsh.enable = true; - - # Configure Alacritty as the default terminal emulator - programs.alacritty = { - enable = true; - settings = { - # Window configuration - window = { - opacity = 1.0; - padding = { - x = 10; - y = 10; - }; - }; - - # Font configuration - fixes spacing issues - font = { - normal = { - family = 
"Maple Mono NF"; - style = "Regular"; - }; - bold = { - family = "Maple Mono NF"; - style = "Bold"; - }; - italic = { - family = "Maple Mono NF"; - style = "Italic"; - }; - bold_italic = { - family = "Maple Mono NF"; - style = "Bold Italic"; - }; - size = 14.0; - }; - - # Colors (optional - using default Alacritty colors) - colors = { - primary = { - background = "#1e1e2e"; - foreground = "#cdd6f4"; - }; - }; - }; - }; - - # Configure Hyfetch system info fetcher - programs.hyfetch = { - enable = true; - settings = { - preset = "lesbian"; # Use lesbian flag preset - mode = "rgb"; # Use RGB color mode - lightness = 0.55; # Set to 55% brightness - backend = "macchina"; # Use macchina as the backend - logo_size = "small"; # Make small logo - pride_month_disable = false; # Enable pride month mode (or true to disable) - pride_month_shown = []; # List of shown pride month flags - color_align = { - mode = "horizontal"; - }; - }; - }; - - # The state version is required and should stay at the version you - # originally installed. 
- home.stateVersion = "25.11"; - }; - - # Use Lix instead of Nix - nixpkgs.overlays = [ - (final: prev: { - inherit - (prev.lixPackageSets.stable) - nixpkgs-review - nix-eval-jobs - nix-fast-build - colmena - ; - }) - ]; - nix.package = pkgs.lixPackageSets.stable.lix; - - # Enable Fedgejo service - services.nginx = { - enable = true; - virtualHosts."git.prg.local" = { - # Remove forceSSL and enableACME for local network - # forceSSL = true; - # enableACME = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; - }; - }; - - # Enable PostgreSQL for Forgejo - services.postgresql.enable = true; - - # Forgejo configuration - services.forgejo = { - enable = true; - database = { - type = "postgres"; - host = "10.1.1.251"; # IP of your database server - name = "forgejo"; - user = "forgejo"; - passwordFile = "/home/nixosbm/manual_builds/password.txt"; # Store password in a separate file for security - }; - lfs.enable = true; - - settings = { - server = { - DOMAIN = "git.prg.local"; - ROOT_URL = "http://${srv.DOMAIN}/"; - HTTP_PORT = 3000; - # SSH integration - SSH_PORT = lib.head config.services.openssh.ports; - }; - - # Temporarily allow registration to create admin user - service.DISABLE_REGISTRATION = false; - - # Enable Actions support - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - - # Optional: Email configuration - # mailer = { - # ENABLED = false; - # }; - }; - }; - - # Bootloader - GRUB for Legacy BIOS - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.loader.grub = { - enable = true; - device = "/dev/vda"; # Install GRUB to the disk - efiSupport = false; # Disable UEFI - }; - boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod"]; - virtualisation.diskSize = 19432; # 96GB in MiB - - # Enable Rsymc - services.rsync.enable = true; - - # Configure network proxy if necessary - # networking.proxy.default = 
"http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Enable SSH - services.openssh = { - enable = true; - ports = [22]; - settings = { - PasswordAuthentication = false; - AllowUsers = null; - UseDns = true; - PermitRootLogin = "no"; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Copenhagen"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_AU.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "et_EE.UTF-8"; - LC_IDENTIFICATION = "et_EE.UTF-8"; - LC_MEASUREMENT = "et_EE.UTF-8"; - LC_MONETARY = "et_EE.UTF-8"; - LC_NAME = "et_EE.UTF-8"; - LC_NUMERIC = "et_EE.UTF-8"; - LC_PAPER = "et_EE.UTF-8"; - LC_TELEPHONE = "et_EE.UTF-8"; - LC_TIME = "et_EE.UTF-8"; - }; - - # Configure keymap in X11 - services.xserver.xkb = { - layout = "us"; - variant = ""; - }; - - # Enable Seatd for Wayland sessions - # IMPORTANT: Enable seatd service for River WM - services.seatd = { - enable = true; - logLevel = "info"; - }; - - # Enable the gnome-keyring secrets vault. - # Will be exposed through DBus to programs willing to store secrets. 
- services.gnome.gnome-keyring.enable = true; - - # Enable Sway window manager - programs.sway = { - enable = true; - wrapperFeatures.gtk = true; - }; - - services.greetd = { - enable = true; - settings = { - default_session = { - command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; - user = "greeter"; - }; - }; - }; - - # Configure security to allow seatd access - security.polkit.enable = true; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # Passwordless sudo for wheel group - security.sudo.wheelNeedsPassword = false; - - # Hardware U2F support - Passwordless sudo with hardware key - security.pam.u2f = { - enable = true; - settings = { - authfile = "/etc/u2f_keys"; - cue = true; - pinverification = 0; # No PIN verification - userpresence = 1; # Require user presence (touch) - }; - }; - - # SSH Agent authentication - security.pam.sshAgentAuth.enable = true; - - # Automatic upgrades - system.autoUpgrade = { - enable = true; # Set to true for automatic updates - dates = "daily"; - allowReboot = false; - }; - - # System packages - environment.systemPackages = with pkgs; [ - # Network tools - wget - curl - dig - tcpdump - ethtool - iptables - nftables - iproute2 - bridge-utils - netcat-gnu - traceroute - mtr - arp-scan - - # Monitoring - btop - htop - iotop - - # Editors - micro - vim - helix - - # System info - fastfetch - lshw - pciutils - usbutils - ]; - - # Enable zram swap - zramSwap = { - enable = true; - memoryPercent = 50; - }; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [3000]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. 
- # networking.firewall.enable = false; - - # Attach the system to the IPFire network: set a static IP on the Proxmox bridge (ens18) - # Adjust `ens18` and the address below to your environment. - networking.interfaces.ens18.ipv4.addresses = [ - { - address = "10.1.1.4"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "10.1.1.1"; - - # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE - nix.distributedBuilds = true; - nix.buildMachines = [ - { - hostName = "nixos-build-machine"; - system = "x86_64-linux"; - sshUser = "nixremote"; - sshKey = "/root/.ssh/nixremote"; - maxJobs = 4; - speedFactor = 2; - supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; - } - ]; - - # Generate SSH key for remote building - systemd.services.generate-nixremote-key = { - description = "Generate SSH key for remote Nix builds"; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - if [ ! -f /root/.ssh/nixremote ]; then - ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder" - fi - ''; - }; - - programs.ssh.extraConfig = '' - Host nixos-build-machine - HostName 10.1.1.3 - IdentitiesOnly yes - IdentityFile /root/.ssh/nixremote - User nixremoteStrictHostKeyChecking accept-new - ''; - - # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub - # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list, - # then rebuild the build machine. - # i.e on the client: run "cat /root.ssh/nixremote.pub" - # and copy the output to the build machine's configuration.nix - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. 
- # Before changing this value read the documentation for this option - # (e.g. man configuration-knot.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "25.11"; # Did you read the comment? -} diff --git a/nix-system-configs/forgejo/forgejo-insystem.nix b/nix-system-configs/forgejo/forgejo-insystem.nix deleted file mode 100644 index 82c1864..0000000 --- a/nix-system-configs/forgejo/forgejo-insystem.nix +++ /dev/null 
@@ -1,436 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration-knot.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). -{ - config, - pkgs, - lib, - ... -}: let - home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; - cfg = config.services.forgejo; - srv = cfg.settings.server; -in { - # Home Manager Configuration - imports = [ - # Include the results of the hardware scan. - (import "${home-manager}/nixos") - ]; - - networking.hostName = "forgejoprg"; # Define your hostname. - # BE SURE TO FIND AND REPLACE ALL INSTANCES OF THIS HOSTNAME IN THE CONFIGURATION FILES - # Define a user account. Don't forget to set a password with ‘passwd’. - - users.users.forgejoprg = { - isNormalUser = true; - description = "NixOS Playground"; - extraGroups = ["networkmanager" "wheel" "seat"]; - packages = with pkgs; []; - initialPassword = "nixos"; # Simple, change on first login - }; - - home-manager.users.forgejoprg = {pkgs, ...}: { - home.packages = [ - pkgs.atool - pkgs.httpie - pkgs.alacritty # Terminal emulator - pkgs.hyfetch # Add fetching packages - pkgs.macchina - pkgs.wayland # Wayland display server - pkgs.wlroots # Wayland compositor library - pkgs.maple-mono.NF # Font for better terminal appearance - pkgs.wl-clipboard # Clipboard utilities for Wayland - pkgs.mako # Wayland Sway Notification Daemon - pkgs.btop # Resource monitor - ]; - - # Set Alacritty as the default terminal emulator - home.sessionVariables = { - TERMINAL = "alacritty"; - }; - - # Use Zsh as the default shell - programs.zsh.enable = true; - - # Configure Alacritty as the default terminal emulator - programs.alacritty = { - enable = true; - settings = { - # Window configuration - window = { - opacity = 1.0; - padding = { - x = 10; - y = 10; - }; - }; - - # Font configuration - fixes spacing issues - font = { - normal = { - family = 
"Maple Mono NF"; - style = "Regular"; - }; - bold = { - family = "Maple Mono NF"; - style = "Bold"; - }; - italic = { - family = "Maple Mono NF"; - style = "Italic"; - }; - bold_italic = { - family = "Maple Mono NF"; - style = "Bold Italic"; - }; - size = 14.0; - }; - - # Colors (optional - using default Alacritty colors) - colors = { - primary = { - background = "#1e1e2e"; - foreground = "#cdd6f4"; - }; - }; - }; - }; - - # Configure Hyfetch system info fetcher - programs.hyfetch = { - enable = true; - settings = { - preset = "lesbian"; # Use lesbian flag preset - mode = "rgb"; # Use RGB color mode - lightness = 0.55; # Set to 55% brightness - backend = "macchina"; # Use macchina as the backend - logo_size = "small"; # Make small logo - pride_month_disable = false; # Enable pride month mode (or true to disable) - pride_month_shown = []; # List of shown pride month flags - color_align = { - mode = "horizontal"; - }; - }; - }; - - # The state version is required and should stay at the version you - # originally installed. 
- home.stateVersion = "25.11"; - }; - - # Use Lix instead of Nix - nixpkgs.overlays = [ - (final: prev: { - inherit - (prev.lixPackageSets.stable) - nixpkgs-review - nix-eval-jobs - nix-fast-build - colmena - ; - }) - ]; - nix.package = pkgs.lixPackageSets.stable.lix; - - # Enable Fedgejo service - services.nginx = { - enable = true; - virtualHosts."git.prg.local" = { - # Remove forceSSL and enableACME for local network - # forceSSL = true; - # enableACME = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; - }; - }; - - # Enable PostgreSQL for Forgejo - services.postgresql.enable = true; - - # Forgejo configuration - services.forgejo = { - enable = true; - database = { - type = "postgres"; - host = "10.1.1.251"; # IP of your database server - name = "forgejo"; - user = "forgejo"; - passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security - }; - lfs.enable = true; - - settings = { - server = { - DOMAIN = "git.prg.local"; - ROOT_URL = "http://${srv.DOMAIN}/"; - HTTP_PORT = 3000; - # SSH integration - SSH_PORT = lib.head config.services.openssh.ports; - }; - - # Temporarily allow registration to create admin user - service.DISABLE_REGISTRATION = false; - - # Enable Actions support - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - - # Optional: Email configuration - # mailer = { - # ENABLED = false; - # }; - }; - }; - - # Bootloader - GRUB for Legacy BIOS - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.loader.grub = { - enable = true; - device = "/dev/vda"; # Install GRUB to the disk - efiSupport = false; # Disable UEFI - }; - boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod" "virtio_blk"]; - -fileSystems."/" = { - device = "/dev/vda1"; - fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently -}; - - - - # Enable Rsymc - services.rsync.enable = true; - - # 
Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Enable SSH - services.openssh = { - enable = true; - ports = [22]; - settings = { - PasswordAuthentication = false; - AllowUsers = null; - PermitRootLogin = "no"; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Copenhagen"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_AU.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "et_EE.UTF-8"; - LC_IDENTIFICATION = "et_EE.UTF-8"; - LC_MEASUREMENT = "et_EE.UTF-8"; - LC_MONETARY = "et_EE.UTF-8"; - LC_NAME = "et_EE.UTF-8"; - LC_NUMERIC = "et_EE.UTF-8"; - LC_PAPER = "et_EE.UTF-8"; - LC_TELEPHONE = "et_EE.UTF-8"; - LC_TIME = "et_EE.UTF-8"; - }; - - # Configure keymap in X11 - services.xserver.xkb = { - layout = "us"; - variant = ""; - }; - - # Enable Seatd for Wayland sessions - # IMPORTANT: Enable seatd service for River WM - services.seatd = { - enable = true; - logLevel = "info"; - }; - - # Enable the gnome-keyring secrets vault. - # Will be exposed through DBus to programs willing to store secrets. 
- services.gnome.gnome-keyring.enable = true; - - # Enable Sway window manager - programs.sway = { - enable = true; - wrapperFeatures.gtk = true; - }; - - services.greetd = { - enable = true; - settings = { - default_session = { - command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; - user = "greeter"; - }; - }; - }; - - # Configure security to allow seatd access - security.polkit.enable = true; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # Passwordless sudo for wheel group - security.sudo.wheelNeedsPassword = false; - - # Hardware U2F support - Passwordless sudo with hardware key - security.pam.u2f = { - enable = true; - settings = { - authfile = "/etc/u2f_keys"; - cue = true; - pinverification = 0; # No PIN verification - userpresence = 1; # Require user presence (touch) - }; - }; - - # SSH Agent authentication - security.pam.sshAgentAuth.enable = true; - - # Automatic upgrades - system.autoUpgrade = { - enable = true; # Set to true for automatic updates - dates = "daily"; - allowReboot = false; - }; - - # System packages - environment.systemPackages = with pkgs; [ - # Network tools - wget - curl - dig - tcpdump - ethtool - iptables - nftables - iproute2 - bridge-utils - netcat-gnu - traceroute - mtr - arp-scan - - # Monitoring - btop - htop - iotop - - # Editors - micro - vim - helix - - # System info - fastfetch - lshw - pciutils - usbutils - - # Build tools - git - ]; - - # Enable zram swap - zramSwap = { - enable = true; - memoryPercent = 50; - }; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [3000]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. 
- # networking.firewall.enable = false; - - services.resolved.enable = false; - - # Use this clean static network configuration instead: - networking.useDHCP = false; - networking.networkmanager.enable = false; # Disable NetworkManager - - networking.interfaces.ens18 = { - ipv4.addresses = [ - { - address = "10.1.1.4"; - prefixLength = 24; - } - ]; - }; - - networking.defaultGateway = { - address = "10.1.1.1"; - interface = "ens18"; - }; - - # Explicitly set DNS - networking.nameservers = ["10.1.1.2"]; - - # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE - nix.distributedBuilds = true; - nix.buildMachines = [ - { - hostName = "nixos-build-machine"; - system = "x86_64-linux"; - sshUser = "nixremote"; - sshKey = "/root/.ssh/nixremote"; - maxJobs = 4; - speedFactor = 2; - supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; - } - ]; - - # Generate SSH key for remote building - systemd.services.generate-nixremote-key = { - description = "Generate SSH key for remote Nix builds"; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - if [ ! -f /root/.ssh/nixremote ]; then - ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder" - fi - ''; - }; - - programs.ssh.extraConfig = '' - Host nixos-build-machine - HostName 10.1.1.3 - IdentitiesOnly yes - IdentityFile /root/.ssh/nixremote - User nixremoteStrictHostKeyChecking accept-new - ''; - - # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub - # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list, - # then rebuild the build machine. 
- # i.e on the client: run "cat /root.ssh/nixremote.pub" - # and copy the output to the build machine's configuration.nix - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration-knot.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "25.11"; # Did you read the comment? -} diff --git a/nix-system-configs/forgejo/forgejo-localconfig.nix b/nix-system-configs/forgejo/forgejo-localconfig.nix index b9d3717..cabe61f 100644 --- a/nix-system-configs/forgejo/forgejo-localconfig.nix +++ b/nix-system-configs/forgejo/forgejo-localconfig.nix @@ -200,8 +200,6 @@ in { fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently }; - - # Enable Rsymc services.rsync.enable = true; diff --git a/nix-system-configs/forgejo/pull.zsh b/nix-system-configs/forgejo/pull.zsh index 8932a50..c463690 100644 --- a/nix-system-configs/forgejo/pull.zsh +++ b/nix-system-configs/forgejo/pull.zsh @@ -1,3 +1,4 @@ git pull sudo cp forgejo-localconfig.nix /etc/nixos/configuration.nix sudo nixos-rebuild switch --upgrade-all + diff --git a/nix-system-configs/forgejo/push.zsh b/nix-system-configs/forgejo/push.zsh index 52c594e..5f34a80 100644 --- a/nix-system-configs/forgejo/push.zsh +++ b/nix-system-configs/forgejo/push.zsh @@ -5,3 +5,4 @@ git add forgejo-localconfig.nix ## Be sure to add timestamp to the commit message to ensure when it was hecked up git commit . -m "Update local Nix Config $(date)" git push + diff --git a/nix-system-configs/modules/bootloader/seabios.nix b/nix-system-configs/modules/bootloader/seabios.nix new file mode 100644 index 0000000..77c0901 --- /dev/null +++ b/nix-system-configs/modules/bootloader/seabios.nix 
@@ -0,0 +1,29 @@ +{ + config, + pkgs, + lib, + ... +}: { + # SeaBIOS / legacy BIOS bootloader settings for VMs + boot.loader.grub.enable = lib.mkForce true; + boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.efiSupport = lib.mkForce false; + + # Bootloader - GRUB for Legacy BIOS + boot.loader.systemd-boot.enable = lib.mkForce false; + boot.loader.grub = { + enable = true; + device = "/dev/vda"; # Install GRUB to the disk + efiSupport = false; # Disable UEFI + }; + boot.initrd.availableKernelModules = ["virtio_pci" "virtio_scsi" "ahci" "sd_mod" "virtio_blk"]; + + fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; # Use "btrfs" or "xfs" if you formatted it differently + }; + + virtualisation.qemu.enable = true; + + myBoot.seabiosPackages = with pkgs; []; +} diff --git a/nix-system-configs/modules/desktop-manager/gnome.nix b/nix-system-configs/modules/desktop-manager/gnome.nix new file mode 100644 index 0000000..d3aca87 --- /dev/null +++ b/nix-system-configs/modules/desktop-manager/gnome.nix @@ -0,0 +1,12 @@ +{ + config, + pkgs, + lib, + ... +}: { + services.xserver.enable = true; + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome3.enable = true; + + myDesktop.gnome.packages = with pkgs; [gnome.gnome-shell gnome.gnome-control-center]; +} diff --git a/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix b/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix new file mode 100644 index 0000000..abc2eb3 --- /dev/null +++ b/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix 
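Review bot: `boot.loader.grub` is defined twice in seabios.nix — first as three `lib.mkForce` attributes, then again as an attrset with the same `enable`/`device`/`efiSupport` values — so one of the two should go; keeping the single forced form `boot.loader.grub = { enable = lib.mkForce true; device = "/dev/vda"; efiSupport = lib.mkForce false; };` avoids the redundant definition. `myBoot.seabiosPackages` is assigned but no `options.myBoot` declaration appears in this commit; unless it is declared in a module outside the diff, evaluation stops with an undefined-option error, and the same applies to `myDesktop.gnome.packages` in gnome.nix, `myLocal.hostname.packages` in hostname_username.nix and the `local.*` values set in forgejo.nix and traefik.nix. I also cannot place `virtualisation.qemu.enable` among the standard NixOS options, so it is worth confirming that line evaluates. A module named for the bootloader also pins `fileSystems."/"` to `/dev/vda1`; presumably that belongs with the per-host hardware configuration rather than here.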
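Review bot: `services.xserver.desktopManager.gnome3` in gnome.nix is the pre-21.05 spelling; the option has been `services.xserver.desktopManager.gnome` since then and the old alias may no longer evaluate on the 25.11 release the rest of the commit targets, so change it to `services.xserver.desktopManager.gnome.enable = true;`. The package list `[gnome.gnome-shell gnome.gnome-control-center]` relies on the `gnome` scope, which recent nixpkgs has been flattening to top-level `gnome-shell`/`gnome-control-center`; confirm those attribute paths still resolve on the channel in use.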
@@ -0,0 +1,133 @@ +{ + config, + pkgs, + lib, + ... +}: let + home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; + cfg = config.services.forgejo; + srv = cfg.settings.server; +in { + # Home Manager Configuration + imports = [ + # Include the results of the hardware scan. + (import "${home-manager}/nixos") + ]; + + # Enable the gnome-keyring secrets vault. + # Will be exposed through DBus to programs willing to store secrets. + services.gnome.gnome-keyring.enable = true; + + # Configure security to allow seatd access + security.polkit.enable = true; + + # Consolidated Sway desktop: includes greetd, alacritty, hyfetch/fastfetch, a Nerd Font and librewolf + # Enable Sway window manager + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + }; + + # Enable Seatd for Wayland sessions + services.seatd = { + enable = true; + logLevel = "info"; + }; + + services.greetd.enable = true; + services.greetd.settings = { + default_session = { + command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd sway"; + user = "greeter"; + }; + }; + + home-manager.users.forgejoprg = {pkgs, ...}: { + home.packages = [ + pkgs.atool + pkgs.httpie + pkgs.alacritty # Terminal emulator + pkgs.hyfetch # Add fetching packages + pkgs.macchina + pkgs.wayland # Wayland display server + pkgs.wlroots # Wayland compositor library + pkgs.maple-mono.NF # Font for better terminal appearance + pkgs.wl-clipboard # Clipboard utilities for Wayland + pkgs.mako # Wayland Sway Notification Daemon + pkgs.btop # Resource monitor + ]; + + # Set Alacritty as the default terminal emulator + home.sessionVariables = { + TERMINAL = "alacritty"; + }; + + # Use Zsh as the default shell + programs.zsh.enable = true; + + # Configure Alacritty as the default terminal emulator + programs.alacritty = { + enable = true; + settings = { + # Window configuration + window = { + opacity = 1.0; + padding = { + x = 10; + y = 10; + }; + }; + + # Font configuration 
- fixes spacing issues + font = { + normal = { + family = "Maple Mono NF"; + style = "Regular"; + }; + bold = { + family = "Maple Mono NF"; + style = "Bold"; + }; + italic = { + family = "Maple Mono NF"; + style = "Italic"; + }; + bold_italic = { + family = "Maple Mono NF"; + style = "Bold Italic"; + }; + size = 14.0; + }; + + # Colors (optional - using default Alacritty colors) + colors = { + primary = { + background = "#1e1e2e"; + foreground = "#cdd6f4"; + }; + }; + }; + }; + + # Configure Hyfetch system info fetcher + programs.hyfetch = { + enable = true; + settings = { + preset = "lesbian"; # Use lesbian flag preset + mode = "rgb"; # Use RGB color mode + lightness = 0.55; # Set to 55% brightness + backend = "macchina"; # Use macchina as the backend + logo_size = "small"; # Make small logo + pride_month_disable = false; # Enable pride month mode (or true to disable) + pride_month_shown = []; # List of shown pride month flags + color_align = { + mode = "horizontal"; + }; + }; + }; + + # The state version is required and should stay at the version you + # originally installed. + home.stateVersion = "25.11"; + }; +} diff --git a/nix-system-configs/modules/lix-default.nix b/nix-system-configs/modules/lix-default.nix new file mode 100644 index 0000000..8179cea --- /dev/null +++ b/nix-system-configs/modules/lix-default.nix 
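Review bot: `builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"` in sway_greetd_homemanager.nix has no `sha256`, so every evaluation downloads whatever the branch tip is at that moment and imports it as a NixOS module with no integrity check — the resulting system is only as trustworthy as that download. Pin it to a commit and hash: `home-manager = builtins.fetchTarball { url = "https://github.com/nix-community/home-manager/archive/<commit>.tar.gz"; sha256 = "<hash>"; };` (placeholders to be filled from a known-good checkout). `cfg` and `srv` are bound but never used in this module; they look copied from forgejo.nix and can be dropped. The home-manager block is keyed on the literal user `forgejoprg`, while hostname_username.nix derives the account from `config.local.username`; traefik.nix imports this module with `local.username = "traefikprg"`, so on that host home-manager will presumably try to manage a user the host does not define.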
@@ -0,0 +1,111 @@ +{ + config, + pkgs, + lib, + ... +}: { + # Make Lix the default package manager and expose the overlay + nixpkgs.overlays = [ + (final: prev: { + inherit + (prev.lixPackageSets.stable) + nixpkgs-review + nix-eval-jobs + nix-fast-build + colmena + ; + }) + ]; + nix.package = pkgs.lixPackageSets.stable.lix; + + # Always Enable RSync + services.rsync.enable = true; + + # Enable SSH + services.openssh = { + enable = true; + ports = [22]; + settings = { + PasswordAuthentication = false; + AllowUsers = null; + PermitRootLogin = "no"; + }; + }; + + # Enable Hardware Key Passwordless Sudo + security.pam.u2f.enable = true; + security.pam.u2f.settings = { + authfile = "/etc/u2f_keys"; + authpending_file = ""; + pinverification = 0; + userpresence = 1; + }; + + # Enable SSH Passwordless Sudo + security.pam.enableSSHAgentAuth = true; + security.pam.sshAgentAuth = { + enable = true; + authorizedKeysFiles = [ + "/etc/ssh/authorized_keys.d/${user}.keys" + ]; + }; + + # Set your time zone. + time.timeZone = "Europe/Copenhagen"; + + # Select internationalisation properties. 
+ i18n.defaultLocale = "en_AU.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "et_EE.UTF-8"; + LC_IDENTIFICATION = "et_EE.UTF-8"; + LC_MEASUREMENT = "et_EE.UTF-8"; + LC_MONETARY = "et_EE.UTF-8"; + LC_NAME = "et_EE.UTF-8"; + LC_NUMERIC = "et_EE.UTF-8"; + LC_PAPER = "et_EE.UTF-8"; + LC_TELEPHONE = "et_EE.UTF-8"; + LC_TIME = "et_EE.UTF-8"; + }; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + # Enable zram swap + zramSwap = { + enable = true; + memoryPercent = 50; + }; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # Automatic upgrades + system.autoUpgrade = { + enable = true; # Set to true for automatic updates + dates = "daily"; + allowReboot = false; + }; + + # Add common networking/debugging tools to all systems by default + environment.systemPackages = with pkgs; [ + bind + wget + curl + dnsutils + dig + arp-scan + tcpdump + iproute2 + ethtool + btop + iotop + micro + helix + fastfetch + git + ]; +} diff --git a/nix-system-configs/modules/local/hostname_username.nix b/nix-system-configs/modules/local/hostname_username.nix new file mode 100644 index 0000000..44d2f46 --- /dev/null +++ b/nix-system-configs/modules/local/hostname_username.nix 
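Review bot: `"/etc/ssh/authorized_keys.d/${user}.keys"` in lix-default.nix interpolates `user`, which is not bound anywhere in the module (its arguments are `config`, `pkgs`, `lib`), so evaluation fails with an undefined-variable error. pam_ssh_agent_auth expands `%u` to the authenticating user itself, so `authorizedKeysFiles = ["/etc/ssh/authorized_keys.d/%u.keys"];` gives the per-user file without any Nix-side variable. `security.pam.enableSSHAgentAuth` is the pre-24.05 name of `security.pam.sshAgentAuth.enable`, which is set two lines later; keep only the new form. Because both the U2F file and the authorized_keys.d directory decide who gets agent/touch-based authentication, a comment such as `# /etc/u2f_keys and authorized_keys.d must stay root-owned and not user-writable` next to them would record the assumption the setup depends on.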
@@ -0,0 +1,26 @@ +{ + config, + pkgs, + lib, + ... +}: { + # Example host-specific module: set hostname and small per-host packages + # The machine file can set `config.local.hostname` before importing this module if desired. + networking.hostName = config.local.hostname or "default-hostname"; + + # Expose a small list that machine files can use as hostPackages + myLocal.hostname.packages = with pkgs; []; + + users.users.${config.local.username or "defaultuser"} = { + isNormalUser = true; + description = config.local.userDescription or "NixOS Playground"; + extraGroups = ["networkmanager" "wheel" "seat" "acme"]; + packages = with pkgs; []; + initialPassword = "nixos"; # Simple, change on first login + + # NitroKey3C OpenGPG /w pin - Christine's key, for alpha run only, later to be replaced with the more official key + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3pjIXlpg7H9h1RrmdxbIRnDIdQvf/EZKI9PG2/rY7D openpgp:0x8BCD4992" + ]; + }; +} diff --git a/nix-system-configs/modules/local/networking_local.nix b/nix-system-configs/modules/local/networking_local.nix new file mode 100644 index 0000000..5a41377 --- /dev/null +++ b/nix-system-configs/modules/local/networking_local.nix 
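Review bot: `extraGroups` in hostname_username.nix puts the login user in `acme` on every host that imports this module, and traefik.nix stores `/var/lib/acme/prg-radio.org/key.pem` with `group = "acme"`, so the interactive account can read the TLS private key; only the certificate-serving host needs that group, so move `"acme"` into traefik.nix (e.g. `users.users.traefikprg.extraGroups = ["acme"];`) and keep the shared list to `["networkmanager" "wheel" "seat"]`. `initialPassword = "nixos"` is a well-known value on a wheel user; it only applies when the account is first created and SSH password authentication is off in lix-default.nix, but a `hashedPasswordFile` (or at least `lib.mkDefault` so a host can override it) is the safer default for console logins. The `config.local.*` reads use `or` fallbacks, but the writes to `local.hostname`/`local.username` in forgejo.nix and traefik.nix need an `options.local` declaration that this commit does not include.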
@@ -0,0 +1,45 @@ +{ + config, + pkgs, + lib, + ... +}: { + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + services.resolved.enable = false; + + # Use this clean static network configuration instead: + networking.useDHCP = false; + networking.networkmanager.enable = false; # Disable NetworkManager + + networking.interfaces.ens18 = { + ipv4.addresses = [ + { + address = config.local.address or "10.1.1.100"; + prefixLength = 24; + } + ]; + }; + + networking.defaultGateway = { + address = "10.1.1.1"; + interface = "ens18"; + }; + + # Explicitly set DNS + networking.nameservers = ["10.1.1.2"]; # PiHole DNS +} diff --git a/nix-system-configs/modules/scripts/pull.zsh b/nix-system-configs/modules/scripts/pull.zsh new file mode 100644 index 0000000..6c61cfd --- /dev/null +++ b/nix-system-configs/modules/scripts/pull.zsh 
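Review bot: `config.local.address or "10.1.1.100"` in networking_local.nix silently gives the same static address to every host that forgets to set `local.address`, so two such hosts collide on the LAN; failing evaluation is safer than defaulting, e.g. `address = config.local.address;` together with an `assertions` entry that names the missing option. The gateway and nameserver are hard-coded to 10.1.1.1 / 10.1.1.2 while the address is parameterised; if other subnets are planned, `local.gateway`/`local.nameservers` would keep the module reusable. A comment such as `# every importer must set local.address; no two hosts may share it` above the interface block would make the contract explicit either way.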
@@ -0,0 +1,143 @@ +#!/usr/bin/env zsh + +# Color definitions +autoload -U colors && colors +BOLD="\033[1m" +RESET="\033[0m" +GREEN="\033[32m" +BLUE="\033[34m" +YELLOW="\033[33m" +RED="\033[31m" + +# Configuration +SCRIPT_DIR="${0:a:h}" +SYSTEM_DIR="${SCRIPT_DIR}/../system" +MODULES_DIR="${SCRIPT_DIR}/.." +CONFIG_TARGET="/etc/nixos/configuration.nix" +MODULES_TARGET="/etc/nixos/modules" + +# Function to print colored messages (use printf for portability) +print_info() { printf "%b\n" "${BLUE}${BOLD}[INFO]${RESET} $1"; } +print_success(){ printf "%b\n" "${GREEN}${BOLD}[SUCCESS]${RESET} $1"; } +print_error() { printf "%b\n" "${RED}${BOLD}[ERROR]${RESET} $1"; } +print_warn() { printf "%b\n" "${YELLOW}${BOLD}[WARN]${RESET} $1"; } + +# Check if running from correct directory +if [[ ! -d "$SYSTEM_DIR" ]]; then + print_error "System directory not found: $SYSTEM_DIR" + exit 1 +fi + +# Get available system configurations (use portable glob + basename) +systems=() +for f in "$SYSTEM_DIR"/*.nix; do + [ -f "$f" ] || continue + base="$(basename "$f")" + systems+=("${base%.nix}") +done + +if [[ ${#systems[@]} -eq 0 ]]; then + print_error "No system configurations found in $SYSTEM_DIR" + exit 1 +fi + +# Check for command-line argument +selected_system="" +if [[ -n "$1" ]]; then + # Argument provided, check membership with an explicit loop + for s in "${systems[@]}"; do + if [[ "$s" == "$1" ]]; then + selected_system="$1" + break + fi + done + + if [[ -n "$selected_system" ]]; then + print_info "Preselected system: ${BOLD}${selected_system}${RESET}" + else + print_error "Invalid system: $1" + print_info "Available systems: ${systems[*]}" + exit 1 + fi +else + # Interactive selection + print_info "Available system configurations:" + echo "" + + i=1 + for s in "${systems[@]}"; do + printf " %b)%b %s\n" "${GREEN}${i}" "${RESET}" "$s" + i=$((i+1)) + done + echo "" + + # Prompt for selection + while true; do + printf "%b" "${BOLD}Select a system configuration (1-${#systems[@]}): 
${RESET}" + read -r selection + + if [[ "$selection" =~ ^[0-9]+$ ]] && (( selection >= 1 && selection <= ${#systems[@]} )); then + selected_system="${systems[$selection]}" + break + else + print_error "Invalid selection. Please enter a number between 1 and ${#systems[@]}" + fi + done +fi + +# Confirm selection +print_info "Selected: ${BOLD}${selected_system}${RESET}" +printf "%b" "${YELLOW}${BOLD}Continue? (y/N): ${RESET}" +read -r confirm + +if [[ ! "$confirm" =~ ^[Yy]$ ]]; then + print_warn "Aborted by user" + exit 0 +fi + +# Execute deployment steps +print_info "Starting deployment..." +echo "" + +# Step 1: Git pull +print_info "Pulling latest changes from git..." +if git pull; then + print_success "Git pull completed" +else + print_error "Git pull failed" + exit 1 +fi + +# Step 2: Sync modules directory +print_info "Syncing modules to ${BOLD}${MODULES_TARGET}${RESET}..." +if sudo rsync -av --delete --exclude='scripts' "${MODULES_DIR}/" "${MODULES_TARGET}/"; then + print_success "Modules synced" +else + print_error "Failed to sync modules" + exit 1 +fi + +# Step 3: Copy configuration +source_file="${SYSTEM_DIR}/${selected_system}.nix" +print_info "Copying ${BOLD}${source_file}${RESET} to ${BOLD}${CONFIG_TARGET}${RESET}..." + +if sudo cp "$source_file" "$CONFIG_TARGET"; then + print_success "Configuration copied" +else + print_error "Failed to copy configuration" + exit 1 +fi + +# Step 4: Rebuild system +print_info "Rebuilding NixOS system..." +echo "" +if sudo nixos-rebuild switch --upgrade-all; then + print_success "System rebuild completed successfully!" +else + print_error "System rebuild failed" + exit 1 +fi + +echo "" +print_success "${BOLD}Deployment complete!${RESET}" +print_info "System: ${BOLD}${selected_system}${RESET}" diff --git a/nix-system-configs/modules/scripts/push.zsh b/nix-system-configs/modules/scripts/push.zsh new file mode 100644 index 0000000..7c7bb69 --- /dev/null +++ b/nix-system-configs/modules/scripts/push.zsh 
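Review bot: `git pull` in pull.zsh (Step 1) runs in whatever directory the caller happens to be in, while every path the script uses is derived from `SCRIPT_DIR`; invoked from elsewhere it either fails or updates a different repository, and the following rsync then deploys a stale checkout. Use `git -C "$SCRIPT_DIR" pull` (git resolves the enclosing repository from any subdirectory); the same applies to `git pull`, `git add`, `git commit` and `git push` in push.zsh. `rsync --delete` into `/etc/nixos/modules` removes anything there that is not in the repository — including `modules/secrets/secrets.nix` if that file is kept only on the host, since the only exclusion is `scripts` — so an `--exclude='secrets/secrets.nix'` alongside it would protect a host-local secrets file.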
@@ -0,0 +1,173 @@ +#!/usr/bin/env zsh + +# Color definitions +autoload -U colors && colors +BOLD="\033[1m" +RESET="\033[0m" +GREEN="\033[32m" +BLUE="\033[34m" +YELLOW="\033[33m" +RED="\033[31m" + +# Configuration +SCRIPT_DIR="${0:a:h}" +SYSTEM_DIR="${SCRIPT_DIR}/../system" +MODULES_DIR="${SCRIPT_DIR}/.." +CONFIG_SOURCE="/etc/nixos/configuration.nix" +MODULES_SOURCE="/etc/nixos/modules" + +# Function to print colored messages (use printf for portability) +print_info() { printf "%b\n" "${BLUE}${BOLD}[INFO]${RESET} $1"; } +print_success(){ printf "%b\n" "${GREEN}${BOLD}[SUCCESS]${RESET} $1"; } +print_error() { printf "%b\n" "${RED}${BOLD}[ERROR]${RESET} $1"; } +print_warn() { printf "%b\n" "${YELLOW}${BOLD}[WARN]${RESET} $1"; } + +# Check if running from correct directory +if [[ ! -d "$SYSTEM_DIR" ]]; then + print_error "System directory not found: $SYSTEM_DIR" + exit 1 +fi + +# Get available system configurations (use portable glob + basename) +systems=() +for f in "$SYSTEM_DIR"/*.nix; do + [ -f "$f" ] || continue + base="$(basename "$f")" + systems+=("${base%.nix}") +done + +if [[ ${#systems[@]} -eq 0 ]]; then + print_error "No system configurations found in $SYSTEM_DIR" + exit 1 +fi + +# Check for command-line argument +selected_system="" +if [[ -n "$1" ]]; then + # Argument provided, check membership with explicit loop + for s in "${systems[@]}"; do + if [[ "$s" == "$1" ]]; then + selected_system="$1" + break + fi + done + + if [[ -n "$selected_system" ]]; then + print_info "Preselected system: ${BOLD}${selected_system}${RESET}" + else + print_error "Invalid system: $1" + print_info "Available systems: ${systems[*]}" + exit 1 + fi +else + # Interactive selection + print_info "Available system configurations:" + echo "" + + i=1 + for s in "${systems[@]}"; do + printf " %b)%b %s\n" "${GREEN}${i}" "${RESET}" "$s" + i=$((i+1)) + done + echo "" + + # Prompt for selection + while true; do + printf "%b" "${BOLD}Select a system configuration (1-${#systems[@]}): ${RESET}" 
+ read -r selection + + if [[ "$selection" =~ ^[0-9]+$ ]] && (( selection >= 1 && selection <= ${#systems[@]} )); then + selected_system="${systems[$selection]}" + break + else + print_error "Invalid selection. Please enter a number between 1 and ${#systems[@]}" + fi + done +fi + +# Confirm selection +print_info "Selected: ${BOLD}${selected_system}${RESET}" +printf "%b" "${YELLOW}${BOLD}Continue? (y/N): ${RESET}" +read -r confirm + +if [[ ! "$confirm" =~ ^[Yy]$ ]]; then + print_warn "Aborted by user" + exit 0 +fi + +# Execute push steps +print_info "Starting push process..." +echo "" + +# Step 1: Rebuild system +print_info "Rebuilding NixOS system..." +echo "" +if sudo nixos-rebuild switch --upgrade-all; then + print_success "System rebuild completed" +else + print_error "System rebuild failed" + exit 1 +fi + +# Step 2: Git pull +print_info "Pulling latest changes from git..." +if git pull; then + print_success "Git pull completed" +else + print_error "Git pull failed" + exit 1 +fi + +# Step 3: Copy configuration from /etc/nixos back to repo +target_file="${SYSTEM_DIR}/${selected_system}.nix" +print_info "Copying ${BOLD}${CONFIG_SOURCE}${RESET} to ${BOLD}${target_file}${RESET}..." + +if sudo cp "$CONFIG_SOURCE" "$target_file"; then + print_success "Configuration copied" +else + print_error "Failed to copy configuration" + exit 1 +fi + +# Step 4: Sync modules directory back to repo +print_info "Syncing modules from ${BOLD}${MODULES_SOURCE}${RESET}..." +if sudo rsync -av --delete --exclude='scripts' "${MODULES_SOURCE}/" "${MODULES_DIR}/"; then + print_success "Modules synced" +else + print_error "Failed to sync modules" + exit 1 +fi + +# Step 5: Add files to git +print_info "Adding changes to git..." 
+if git add "${target_file}"; then + print_success "Files staged" +else + print_error "Failed to stage files" + exit 1 +fi + +# Step 6: Commit with timestamp +timestamp=$(date) +commit_message="Update local Nix Config - ${selected_system} - ${timestamp}" +print_info "Committing changes..." + +if git commit -m "${commit_message}"; then + print_success "Changes committed" +else + print_warn "No changes to commit or commit failed" +fi + +# Step 7: Push to remote +print_info "Pushing to remote repository..." +if git push; then + print_success "Changes pushed to remote" +else + print_error "Failed to push changes" + exit 1 +fi + +echo "" +print_success "${BOLD}Push complete!${RESET}" +print_info "System: ${BOLD}${selected_system}${RESET}" +print_info "Commit: ${commit_message}" diff --git a/nix-system-configs/modules/secrets/secrets.example.nix b/nix-system-configs/modules/secrets/secrets.example.nix new file mode 100644 index 0000000..f02c413 --- /dev/null +++ b/nix-system-configs/modules/secrets/secrets.example.nix @@ -0,0 +1,19 @@ +{ + config, + pkgs, + lib, + ... +}: { + + # TODO Figure out a better way to manage secrets. + local.secrets = { + gitUserName = "Your Name"; + gitUserEmail = "you@example.com"; + codeberg = { + username = "your-codeberg-user"; + password = "your-codeberg-password-or-token"; + }; + sshRootPassword = "changeme"; + tailscaleAuthKey = ""; + }; +} diff --git a/nix-system-configs/modules/system/forgejo.nix b/nix-system-configs/modules/system/forgejo.nix new file mode 100644 index 0000000..1bf9bf0 --- /dev/null +++ b/nix-system-configs/modules/system/forgejo.nix 
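Review bot: Step 4 in push.zsh runs `sudo rsync -av --delete` from `/etc/nixos/modules` into the repository's `modules/` directory, so the checkout receives root-owned files and loses any module edits not yet deployed, and Step 5 then stages only `${target_file}`, so the synced module changes never reach the commit despite the step's purpose. If the reverse sync is wanted, give the files back to the invoking user (`sudo rsync -av --delete --chown="$USER:$(id -gn)" ...`) and stage `"${MODULES_DIR}"` as well; the same rsync would also copy a host-only `modules/secrets/secrets.nix` into the working tree, where only the `.gitignore` entries keep it out of the commit. Likewise `sudo cp "$CONFIG_SOURCE" "$target_file"` leaves the system file root-owned in the checkout.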
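Review bot: The values in secrets.example.nix are plain Nix strings under `local.secrets`, and anything a NixOS option evaluates into a generated config file or derivation — `codeberg.password`, `sshRootPassword`, `tailscaleAuthKey` — lands in the world-readable `/nix/store`, so copying this file to `secrets.nix` with real values does not keep them from local users. The TODO already flags this; the usual NixOS answer is to keep only file paths here (`passwordFile`-style options, as forgejo.nix already does for the database) with the files delivered out of band, or to adopt a store-safe secrets manager such as sops-nix or agenix. Until then, a comment such as `# NOTE: values here end up in the Nix store; prefer *File options` above the attrset would stop the next editor from adding more credentials. `local.secrets` also needs an `options.local` declaration that this commit does not include.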
@@ -0,0 +1,86 @@ +{ + config, + pkgs, + lib, + ... +}: let + home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; + cfg = config.services.forgejo; + srv = cfg.settings.server; +in { + local.hostname = "forgejoprg"; + local.username = "forgejoprg"; + local.userDescription = "Forgejo Admin"; + local.address = "10.1.1.4"; + + # Enable Fedgejo service + services.nginx = { + enable = true; + virtualHosts."git.prg.local" = { + # Remove forceSSL and enableACME for local network + # forceSSL = true; + # enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; + }; + }; + + # Enable PostgreSQL for Forgejo + services.postgresql.enable = true; + + # Forgejo configuration + services.forgejo = { + enable = true; + database = { + type = "postgres"; + host = "10.1.1.251"; # IP of your database server + name = "forgejo"; + user = "forgejo"; + passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security + }; + lfs.enable = true; + + settings = { + server = { + DOMAIN = "git.prg-radio.org"; + ROOT_URL = "https://git.prg-radio.org/"; + HTTP_PORT = 3000; + # SSH integration + SSH_PORT = lib.head config.services.openssh.ports; + }; + + # Temporarily allow registration to create admin user + service.DISABLE_REGISTRATION = false; + + # Enable Actions support + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + + # Optional: Email configuration + # mailer = { + # ENABLED = false; + # }; + }; + }; + + # Open ports in the firewall. 
+ networking.firewall.allowedTCPPorts = [3000]; + + imports = [ + # ./secrets/secrets.nix # Add this locally after running add-secrets.zsh + # Optionally import local secrets if present (won't fail if missing) + (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix) + ./modules/desktop-manager/sway_greetd_homemanager.nix + ./modules/local/hostname_username.nix + ./modules/local/networking_local.nix + ./modules/toolsets/remote_building.nix + ./modules/bootloader/seabios.nix + ./modules/lix-default.nix + ]; + + system.stateVersion = "25.11"; +} diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix new file mode 100644 index 0000000..3ea3feb --- /dev/null +++ b/nix-system-configs/modules/system/traefik.nix 
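Review bot: `(lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)` inside `imports` in forgejo.nix yields a nested list — `lib.optional` returns a list — and the module system rejects nested lists in imports, so the file fails to evaluate; write it as `imports = [ ./modules/desktop-manager/sway_greetd_homemanager.nix … ./modules/lix-default.nix ] ++ lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix;` instead. Note the path as well: once pull.zsh copies this file to `/etc/nixos/configuration.nix`, `./secrets/secrets.nix` resolves to `/etc/nixos/secrets/secrets.nix`, while the rsync places the secrets module under `/etc/nixos/modules/secrets/`, so the optional import is never found. `networking.firewall.allowedTCPPorts = [3000]` exposes Forgejo's HTTP listener to the whole LAN, bypassing the nginx virtual host and the Traefik TLS front in traefik.nix; since the only intended client is the Traefik host at 10.1.1.250, a source-address rule in `networking.firewall.extraCommands` (or dropping the entry if nginx is the intended entry point) would narrow that. `service.DISABLE_REGISTRATION = false` with `ROOT_URL = "https://git.prg-radio.org/"` is open self-registration on the internet-facing name; the comment calls it temporary, so a `# TODO set to true once the admin account exists` marker next to it would keep it from being forgotten.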
@@ -0,0 +1,101 @@ +{ + config, + pkgs, + lib, + ... +}: { + local.hostname = "nixos-traefik"; + local.username = "traefikprg"; + local.userDescription = "NixOS PRG Traefik Service"; + local.address = "10.1.1.250"; + + services.traefik = { + enable = true; + group = "acme"; + staticConfigOptions = { + entryPoints = { + web = { + address = ":80"; + asDefault = true; + http.redirections.entrypoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { + address = ":443"; + asDefault = true; + http.tls = { + domains = [ + { + main = "prg-radio.org"; + sans = ["*.prg-radio.org"]; + } + ]; + }; + }; + }; + log = { + level = "INFO"; + filePath = "${config.services.traefik.dataDir}/traefik.log"; + format = "json"; + }; + api.dashboard = true; + api.insecure = true; + }; + dynamicConfigOptions = { + tls.certificates = [ + { + certFile = "/var/lib/acme/prg-radio.org/cert.pem"; + keyFile = "/var/lib/acme/prg-radio.org/key.pem"; + } + ]; + http.routers = { + forgejo = { + rule = "Host(`git.prg-radio.org`)"; + service = "forgejo"; + entryPoints = ["websecure"]; + tls = {}; + }; + }; + http.services = { + forgejo.loadBalancer = { + servers = [ + {url = "http://10.1.1.4:3000";} + ]; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "dtu.prg@gmail.com"; + certs."prg-radio.org" = { + domain = "*.prg-radio.org"; + group = "acme"; + dnsProvider = "cloudflare"; + environmentFile = "/home/traefikprg/cloudflare/cloudflare.env"; + reloadServices = ["traefik.service"]; + }; + }; + + systemd.services.traefik = { + after = ["acme-finished-prg-radio.org.target"]; + wants = ["acme-finished-prg-radio.org.target"]; + }; + + networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedUDPPorts = [80 443]; + + imports = [ + ./modules/desktop-manager/sway_greetd_homemanager.nix + ./modules/local/hostname_username.nix + ./modules/local/networking_local.nix + ./modules/bootloader/seabios.nix + ./modules/lix-default.nix + # Optionally: 
./modules/toolsets/remote_building.nix + ]; + + system.stateVersion = "25.11"; +} diff --git a/nix-system-configs/modules/toolsets/remote_building.nix b/nix-system-configs/modules/toolsets/remote_building.nix new file mode 100644 index 0000000..8670a37 --- /dev/null +++ b/nix-system-configs/modules/toolsets/remote_building.nix @@ -0,0 +1,50 @@ +{ + config, + pkgs, + lib, + ... +}: { + # THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE + + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = "nixos-build-machine"; + system = "x86_64-linux"; + sshUser = "nixremote"; + sshKey = "/root/.ssh/nixremote"; + maxJobs = 4; + speedFactor = 2; + supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"]; + } + ]; + + # Generate SSH key for remote building + systemd.services.generate-nixremote-key = { + description = "Generate SSH key for remote Nix builds"; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if [ ! -f /root/.ssh/nixremote ]; then + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/nixremote -N "" -C "nix-remote-builder" + fi + ''; + }; + + programs.ssh.extraConfig = '' + Host nixos-build-machine + HostName 10.1.1.3 + IdentitiesOnly yes + IdentityFile /root/.ssh/nixremote + User nixremoteStrictHostKeyChecking accept-new + ''; + + # Manual step required: After rebuilding the client, copy /root/.ssh/nixremote.pub + # from the client to the build machine's users.users.nixremote.openssh.authorizedKeys.keys list, + # then rebuild the build machine. + # i.e on the client: run "cat /root.ssh/nixremote.pub" + # and copy the output to the build machine's configuration.nix +} diff --git a/nix-system-configs/new-server-notes.md b/nix-system-configs/new-server-notes.md deleted file mode 100644 index 4e768b5..0000000 --- a/nix-system-configs/new-server-notes.md +++ /dev/null @@ -1 +0,0 @@ -# \ No newline at end of file 
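Review bot: `api.insecure = true` in traefik.nix serves the Traefik API and dashboard on the separate insecure entrypoint without authentication; the firewall opens only 80/443 so it is not reachable from the LAN, but any local process or forwarded port gets full read access to routers, services and backend addresses. Set `api.insecure = false;` and, if the dashboard is wanted, route `api@internal` through `websecure` behind a `basicAuth` or IP-allowlist middleware. `networking.firewall.allowedUDPPorts = [80 443]` opens UDP ports nothing here listens on (HTTP/3 is not enabled) and can be dropped. The Cloudflare DNS-01 token in `/home/traefikprg/cloudflare/cloudflare.env` sits inside an interactive wheel user's home; systemd reads `EnvironmentFile` before dropping privileges, so a root-owned mode-0400 file under `/etc` or `/var/lib/acme` (or a secrets manager) keeps the token off the login user's path.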
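Review bot: `User nixremoteStrictHostKeyChecking accept-new` in remote_building.nix is one line where two were intended; ssh parses it as the user name `nixremoteStrictHostKeyChecking` with a stray argument, so the build-machine login fails and no host-key policy is applied at all. Split it into `User nixremote` and `StrictHostKeyChecking accept-new`. Since the builder is fixed at 10.1.1.3 and returns outputs straight into the local store, pinning its key with `programs.ssh.knownHosts` (`hostNames = ["10.1.1.3"]` plus the `publicKey` taken from the build machine) is stronger than accept-new, which trusts whichever key answers first. The key-generation service writes to `/root/.ssh` without creating it; add `mkdir -p -m 0700 /root/.ssh` before the `ssh-keygen` line. The leading "THE FOLLOWING CODE BLOCK IS FOR COPYING TO OTHER CONFIGURATIONS, NOT FOR THIS FILE" comment is a leftover from the file it was lifted from and now misdescribes this module.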
diff --git a/nix-system-configs/nixos-gateway.nix b/nix-system-configs/nixos-gateway.nix deleted file mode 100644 index a4360ab..0000000 --- a/nix-system-configs/nixos-gateway.nix +++ /dev/null 
@@ -1,387 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: { - imports = [./hardware-configuration.nix]; - - ### Lix Package Manager ### - nixpkgs.overlays = [ - (final: prev: { - inherit - (prev.lixPackageSets.stable) - nixpkgs-review - nix-eval-jobs - nix-fast-build - colmena - ; - }) - ]; - - nix.package = pkgs.lixPackageSets.stable.lix; - - ### Network Configuration ### - networking.hostName = "prg-lan-gateway"; - networking.domain = "prg.dtu.dk"; - networking.useDHCP = false; - networking.useNetworkd = true; - - # Set MAC addresses to match DTU documentation - systemd.network.links."10-wan" = { - matchConfig. OriginalName = "eth*"; - matchConfig.Type = "ether"; - linkConfig = { - Name = "ens18"; - MACAddress = "2a:99:d6:03:dd:92"; # Hardcoded MAC, ensuring that DTU's sysadmin sees it is still the same - WakeOnLan = "off"; - }; - }; - - # Discuss removing/changing them? - systemd.network.links."20-lan1" = { - matchConfig.OriginalName = "eth*"; - matchConfig.Type = "ether"; - linkConfig = { - Name = "ens19"; - MACAddress = "0e:27:6a:11:a0:77"; - }; - }; - - systemd.network.links."30-lan2" = { - matchConfig.OriginalName = "eth*"; - matchConfig.Type = "ether"; - linkConfig = { - Name = "ens20"; - MACAddress = "42:d7:85:15:e1:ff"; - }; - }; - - # WAN Interface (ens18) - systemd.network.networks."10-wan" = { - matchConfig.Name = "ens18"; - address = ["130.225.91.242/27"]; - gateway = ["130.225.91.225"]; - networkConfig = { - IPv6AcceptRA = false; - DHCP = "no"; - }; - linkConfig = { - RequiredForOnline = "routable"; - MTUBytes = "1500"; - }; - }; - - # LAN Interface 1 (ens19) - Dual IP - systemd.network.networks."20-lan1" = { - matchConfig.Name = "ens19"; - address = [ - "10.123.123.1/24" - "192.168.0.1/24" - ]; - networkConfig = { - IPv6AcceptRA = false; - DHCP = "no"; - ConfigureWithoutCarrier = true; - }; - }; - - # LAN Interface 2 (ens20) - systemd.network.networks."30-lan2" = { - matchConfig.Name = "ens20"; - address = ["10.255.255.1/24"]; - networkConfig = { - 
IPv6AcceptRA = false; - DHCP = "no"; - ConfigureWithoutCarrier = true; - }; - }; - - # DNS Configuration - services.resolved = { - enable = true; - dnssec = "false"; - domains = ["prg.dtu.dk"]; - fallbackDns = ["1.1.1.1" "8.8.8.8" "130.225.89.2"]; - extraConfig = '' - DNSStubListener=no - ''; - }; - - # Kernel parameters for gateway/security - boot.kernel.sysctl = { - # IP forwarding (gateway) - "net.ipv4.ip_forward" = 1; - - # Reverse Path Filtering - "net.ipv4.conf.all.rp_filter" = 1; - "net.ipv4.conf.default.rp_filter" = 1; - - # SYN flood - "net.ipv4.tcp_syncookies" = 1; - "net.ipv4.tcp_syn_retries" = 5; - - # ICMP redirects / sending redirects - "net.ipv4.conf.all.accept_redirects" = 0; - "net.ipv4.conf.default.accept_redirects" = 0; - "net.ipv4.conf.all.send_redirects" = 0; - "net.ipv4.conf.default.send_redirects" = 0; - "net.ipv4.conf.all.secure_redirects" = 0; - - # Source route / routing protections - "net.ipv4.conf.all.accept_source_route" = 0; - "net.ipv4.conf.default.accept_source_route" = 0; - - # Log suspicious packets - "net.ipv4.conf.all.log_martians" = 1; - "net.ipv4.conf.default.log_martians" = 1; - - # ICMP hygiene - "net.ipv4.icmp_echo_ignore_broadcasts" = 1; - "net.ipv4.icmp_ignore_bogus_error_responses" = 1; - - # Performance - "net.ipv4.tcp_window_scaling" = 1; - - # Disable IPv6 if desired - "net.ipv6.conf.all.disable_ipv6" = 1; - "net.ipv6.conf.default.disable_ipv6" = 1; - - # Additional hardening knobs - "kernel.kptr_restrict" = 1; # hide kernel pointers in /proc - "kernel.dmesg_restrict" = 1; # restrict dmesg - "kernel.yama.ptrace_scope" = 1; # restrict ptrace - "fs.protected_hardlinks" = 1; - "fs.protected_symlinks" = 1; - }; - - # NAT Configuration - networking.nat = { - enable = true; - externalInterface = "ens18"; - internalInterfaces = ["ens19" "ens20"]; - forwardPorts = []; # Empty - no port forwarding - }; - - # Firewall Configuration - networking.firewall = { - enable = true; - - # Trusted LAN interfaces (all ports open) - 
trustedInterfaces = ["ens19" "ens20"]; - - # Interface-specific rules (keep permitted ports on LAN) - interfaces = { - ens19.allowedTCPPorts = [22 53]; - ens19.allowedUDPPorts = [53 67 123]; - ens20.allowedTCPPorts = [22 53]; - ens20.allowedUDPPorts = [53 67 123]; - }; - - # Tightened iptables rules using conntrack, drop INVALID, rate-limit ICMP and logging. - extraCommands = '' - # Default policies - iptables -P INPUT DROP - iptables -P FORWARD ACCEPT - iptables -P OUTPUT ACCEPT - - # Drop invalid packets early - iptables -A INPUT -m conntrack --ctstate INVALID -j DROP - - # Allow loopback - iptables -A INPUT -i lo -j ACCEPT - - # Established/related - iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - - # Rate-limit ICMP (allow limited pings) - iptables -A INPUT -p icmp -m conntrack --ctstate NEW -m limit --limit 1/second --limit-burst 5 -j ACCEPT - - # Block new connections from WAN interface - iptables -A INPUT -i ens18 -m conntrack --ctstate NEW -j DROP - - # Log dropped packets (rate-limited) - iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-dropped: " --log-level 7 - ''; - - extraStopCommands = '' - iptables -P INPUT ACCEPT - iptables -P FORWARD ACCEPT - iptables -P OUTPUT ACCEPT - ''; - }; - - # Hosts file - networking.extraHosts = '' - 130.225.91.242 prg-lan-gateway.prg.dtu.dk prg-lan-gateway - ''; - - # Time synchronization - time.timeZone = "Europe/Copenhagen"; - services.chrony = { - enable = true; - servers = ["time.cloudflare.com"]; - extraConfig = '' - makestep 1.0 3 - rtcsync - ''; - }; - - # Locale settings - i18n.defaultLocale = "en_US.UTF-8"; - i18n.extraLocaleSettings = { - LC_ADDRESS = "da_DK.UTF-8"; - LC_IDENTIFICATION = "da_DK.UTF-8"; - LC_MEASUREMENT = "da_DK.UTF-8"; - LC_MONETARY = "da_DK.UTF-8"; - LC_NAME = "da_DK.UTF-8"; - LC_NUMERIC = "da_DK. UTF-8"; - LC_PAPER = "da_DK.UTF-8"; - LC_TELEPHONE = "da_DK.UTF-8"; - LC_TIME = "en_DK.UTF-8"; - }; - - # Console keymap - # Change it back to Danish? 
- console.keyMap = "us"; - - # User configuration - - users.users.admin = { - isNormalUser = true; - description = "Gateway Administrator"; - extraGroups = ["wheel" "networkmanager" "systemd-journal"]; - openssh.authorizedKeys.keys = [ - # Christine's Hardware Key - Copy and change to the desired hardware keys - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3pjIXlpg7H9h1RrmdxbIRnDIdQvf/EZKI9PG2/rY7D openpgp:0x8BCD4992" - ]; - }; - - # Passwordless sudo for wheel group - security.sudo.wheelNeedsPassword = false; - - # Hardware U2F support - Passwordless sudo with hardware key - security.pam.u2f = { - enable = true; - settings = { - authfile = "/etc/u2f_keys"; - cue = true; - pinverification = 0; # No PIN verification - userpresence = 1; # Require user presence (touch) - }; - }; - - # SSH Agent authentication - security.pam.enableSSHAgentAuth = true; - - # System packages - environment.systemPackages = with pkgs; [ - # Network tools - wget - curl - dig - tcpdump - ethtool - iptables - nftables - iproute2 - bridge-utils - netcat-gnu - traceroute - mtr - - # Monitoring - btop - htop - iotop - bandwhich - - # Editors - micro - vim - helix - - # System info - fastfetch - lshw - pciutils - usbutils - ]; - - # OpenSSH - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - X11Forwarding = false; - - # Additional hardening - MaxAuthTries = 3; - LoginGraceTime = "20s"; - }; - extraConfig = '' - AllowUsers admin - ''; - openFirewall = false; # Manually configured in firewall section - }; - - # Tailscale VPN - We need to discuss about this long term - services.tailscale = { - enable = true; - useRoutingFeatures = "server"; - }; - - # Automatic upgrades - system.autoUpgrade = { - enable = true; # Set to true for automatic updates - dates = "daily"; - allowReboot = false; - }; - - # Nix garbage collection - nix.gc = { - automatic = true; - dates = "weekly"; - options = 
"--delete-older-than 30d"; - }; - - # Nix settings - nix.settings = { - experimental-features = ["nix-command" "flakes"]; - auto-optimise-store = true; - trusted-users = ["root" "@wheel"]; - }; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # Boot configuration TO BE CHANGED ACCORDING TO INSTALL VERSION - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - timeout = 3; - }; - - # Kernel optimization - boot.kernelParams = [ - "quiet" - "splash" - ]; - - # Enable zram swap - zramSwap = { - enable = true; - memoryPercent = 50; - }; - - # Protect /tmp as a tmpfs with nosuid/nodev/noexec - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["mode=1777" "nosuid" "nodev" "noexec"]; - }; - - # System state version - system.stateVersion = "XX.XX"; -} diff --git a/nix-system-configs/nixos-template.nix b/nix-system-configs/nixos-template.nix deleted file mode 100644 index 7669fa1..0000000 --- a/nix-system-configs/nixos-template.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -# Headless server configuration with Lix -{ - config, - pkgs, - lib, - ... -}: { - imports = [ - ./hardware-configuration.nix - ]; - - ## Use Lix, instead of Nix NixOS default ## - nixpkgs.overlays = [ - (final: prev: { - inherit - (prev.lixPackageSets.stable) - nixpkgs-review - nix-eval-jobs - nix-fast-build - colmena - ; - }) - ]; - - nix.package = pkgs.lixPackageSets.stable.lix; - - ### TO BE CHANGED ACCORDING TO INSTALL ### - - # Networking - networking.hostName = "server"; - networking.networkmanager.enable = true; - - # Time zone - time.timeZone = "Europe/Copenhagen"; - - # Locale - i18n.defaultLocale = "en_GB.UTF-8"; - # Also install Danish and Norwegian locales - i18n.extraLocales = ["da_DK.UTF-8" "nb_NO.UTF-8"]; - - # User account with hardware key support - users.users.admin = { - isNormalUser = true; - extraGroups = ["wheel" "networkmanager"]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3pjIXlpg7H9h1RrmdxbIRnDIdQvf/EZKI9PG2/rY7D openpgp:0x8BCD4992" - ]; - }; - - # Hardware Key Passwordless Sudo - security.pam.u2f.enable = true; - security.pam.u2f.settings = { - authfile = "/etc/u2f_keys"; - authpending_file = ""; - pinverification = 0; - userpresence = 1; - }; - - # SSH Passwordless Sudo - security.pam.enableSSHAgentAuth = true; - security.pam.sshAgentAuth = { - enable = true; - authorizedKeysFiles = ["/etc/ssh/authorized_keys.d/admin"]; - }; - - # Essential packages - environment.systemPackages = with pkgs; [ - wget - curl - git - btop - htop - micro - vim - helix - fastfetch - ]; - - # OpenSSH - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; - }; - - # Tailscale - Think about how we manage this long term - services.tailscale.enable = true; - - # Garbage collection - nix.gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 30d"; - }; - - # Firewall - networking.firewall.allowedTCPPorts = [22]; - - 
nixpkgs.config.allowUnfree = true;
-
- ### TO BE CHANGED ACCORDING TO INSTALL VERSION ###
- system.stateVersion = "XX.XX";
-}