This commit is contained in:
Tasia Iso 2024-04-22 04:21:07 +02:00
parent a05b144ffb
commit b11dc9f775
Signed by: tasiaiso
SSH key fingerprint: SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw
13 changed files with 193 additions and 21 deletions


@ -52,7 +52,6 @@ SHA256:hV3Kumt4I9Bt0/IAX3D9Y1kN93COAQFNSsAdiv9mpIg new-new-phoenix
SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix
```
New laptop. Main driver. TODO: give it a name.
New laptop. Main driver. TODO: give it a name.


@ -64,24 +64,32 @@
services.fwupd.enable = true;
services.tailscale.enable = true;
networking = {
networkmanager.enable = true;
firewall.enable = true;
firewall = {
enable = true;
trustedInterfaces = ["tailscale0"];
};
};
nix.settings.allowed-users = ["@wheel"];
security.sudo.execWheelOnly = true;
services.tailscale.enable = true;
programs.git = {
enable = true;
config = {
user = {
name = "Tasia Iso";
email = "tasiaiso@proton.me";
gpg.format = "ssh";
commit.gpgsign = "true";
# git config --global user.signingkey ~/.ssh/id_ed25519
};
init = {
defaultBranch = "master";
};
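Review bot: `trustedInterfaces = ["tailscale0"]` switches the firewall off for everything arriving over the tailnet, and the tailscale-acl.jsonc added in this same commit grants `"src": ["*"]` → `"dst": ["*:*"]`, so any tailnet node can reach every listening port on this host. If only SSH and similar are meant to be reachable, keep the interface filtered and open the needed ports instead, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];`. `services.tailscale.enable = true;` appears twice in the hunk (before `networking` and after `security.sudo.execWheelOnly`); if that is a move it is fine, but two definitions of the same attribute in one set fail evaluation, so it is worth confirming which side each line belongs to. The `programs.git` block continues past the end of the hunk.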


@ -1,4 +1,15 @@
{config, ...}: {
{
config,
pkgs,
...
}: {
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
# Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = ["nvidia"];
@ -32,4 +43,8 @@
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
environment.systemPackages = with pkgs; [
glxinfo
];
}


@ -1,3 +1,3 @@
{
services.fstrim.enable = true;
}
}

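--- /dev/null
+++ b/common/packages/sshd.nix
@@ -0,0 +1,45 @@
+{
+# Hardened OpenSSH server
+# Resources:
+# https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations
+services.openssh = {
+enable = true;
+banner = "hello world";
+allowSFTP = false;
+settings = {
+PermitRootLogin = "no";
+# Public key authentiation only
+PasswordAuthentication = false;
+ChallengeResponseAuthentication = false;
+};
+extraConfig = ''
+# Only allow SSH v2
+Protocol 2
+# Check file modes in /etc/ssh
+StrictModes yes
+UsePrivilegeSeparation sandbox
+PrintLastLog yes
+# Don't mess with environment variables
+PermitUserEnvironment no
+# AcceptEnv
+AllowTcpForwarding no
+# wip
+AllowTcpForwarding yes
+X11Forwarding no
+AllowAgentForwarding no
+AllowStreamLocalForwarding no
+AuthenticationMethods publickey
+'';
+};
+}
+# ssh R6: StrictHostKeyChecking ask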
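Review bot: `AllowTcpForwarding no` followed by `AllowTcpForwarding yes` (under `# wip`) is contradictory, and sshd uses the first value it reads for a keyword, so forwarding stays disabled and the `yes` line is dead; delete whichever one is not intended rather than shipping both. `Protocol 2` and `UsePrivilegeSeparation sandbox` are legacy directives that the OpenSSH shipped with current NixOS only accepts as deprecated no-ops (protocol 1 and the priv-sep switch were dropped years ago), so they add noise rather than hardening, and `ChallengeResponseAuthentication` is the old alias of `KbdInteractiveAuthentication`. A short comment such as `# Kex/cipher/MAC lists are left at OpenSSH defaults; pin them here if the linked guide is to be followed fully` would make the remaining gap explicit. The `# ssh R6: StrictHostKeyChecking ask` line after the closing brace describes a client-side setting and has no effect in this server module.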


@ -53,6 +53,7 @@
gotty
gping
yazi
vulnix # once im on stable
tildefriends
];


@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1713248628,
"narHash": "sha256-NLznXB5AOnniUtZsyy/aPWOk8ussTuePp2acb9U+ISA=",
"lastModified": 1713537308,
"narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5672bc9dbf9d88246ddab5ac454e82318d094bb8",
"rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
"type": "github"
},
"original": {
@ -25,11 +25,11 @@
},
"stable": {
"locked": {
"lastModified": 1713145326,
"narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
"lastModified": 1713564160,
"narHash": "sha256-YguPZpiejgzLEcO36/SZULjJQ55iWcjAmf3lYiyV1Fo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
"rev": "bc194f70731cc5d2b046a6c1b3b15f170f05999c",
"type": "github"
},
"original": {
@ -41,11 +41,11 @@
},
"unstable": {
"locked": {
"lastModified": 1713248628,
"narHash": "sha256-NLznXB5AOnniUtZsyy/aPWOk8ussTuePp2acb9U+ISA=",
"lastModified": 1713537308,
"narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5672bc9dbf9d88246ddab5ac454e82318d094bb8",
"rev": "5c24cf2f0a12ad855f444c30b2421d044120c66f",
"type": "github"
},
"original": {


@ -27,7 +27,6 @@
# pass to it, with each system as an argument
forAllSystems = nixpkgs.lib.genAttrs systems;
in {
# Your custom packages
# Accessible through 'nix build', 'nix shell', etc
packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});


@ -28,6 +28,7 @@
initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [
"SHA256:RrcbPCE9BPVLAEhERm81NwXA28OKpn9U6irR2vG7K5I user@phoenix"
"SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"
];
};
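Review bot: The new entry `"SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"` is a key fingerprint, not a public key; `openssh.authorizedKeys.keys` is written verbatim into the user's authorized_keys file and sshd skips any line it cannot parse as `<type> <base64> [comment]`, so this line will never authenticate anyone. The full key is in the first file of this commit and is what belongs here: `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@new-new-phoenix"`. The same fingerprint is added in the two later host hunks (the `# self` line in the new-new-phoenix config and the last `authorizedKeys.keys` hunk), and since the new sshd.nix sets `PasswordAuthentication = false`, a host importing it would be left with no working remote login for this user. The pre-existing `user@phoenix` entry has the same shape and is presumably broken in the same way, but it is history rather than part of this change.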


@ -12,14 +12,14 @@
../../common/locales/en.nix
../../common/locales/fr-keymap.nix
../../common/hardware/intelcpu.nix
../../common/hardware/amdgpu.nix
../../common/hardware/nvidiagpu.nix
../../common/hardware/ssd.nix
../../common/de/plasma6.nix
# ../../common/de/hyprland.nix
# ../../common/packages/syncthing.nix
../../common/packages/adguardhome.nix
../../common/packages/sshd.nix
../../common/tasia-packages.nix
# ../../modules/nixos/vedirect-reader.nix
@ -30,6 +30,17 @@
# boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
};
hardware.nvidia.prime = {
# Make sure to use the correct Bus ID values for your system!
intelBusId = "PCI:1:0:0";
nvidiaBusId = "PCI:0:2:0";
offload = {
enable = true;
enableOffloadCmd = true;
};
};
networking = {
hostName = "new-new-phoenix";
@ -52,7 +63,7 @@
extraGroups = ["networkmanager" "wheel" "syncthing"];
initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [
# TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
"SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix" # self
];
};
@ -93,6 +104,13 @@
#
];
# security.auditd.enable = true;
# security.audit.enable = true;
# security.audit.rules = [
# "-a exit,always -F arch=b64 -S execve"
# ];
# You can monitor these logs with journalctl -f. If you don't see any audit logs show up, ssh in from another window and run some commands like ls. You should see a flurry of them show up.
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.11";
}
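Review bot: `intelBusId = "PCI:1:0:0"` and `nvidiaBusId = "PCI:0:2:0"` look swapped — on typical Intel+NVIDIA laptops the integrated GPU sits at bus 0 device 2 (`PCI:0:2:0`) and the discrete card at `PCI:1:0:0` — and the comment directly above says the values must match the machine, so they should be checked against `lspci` before this lands; with wrong IDs PRIME offload will presumably not work rather than fail loudly. The `security.audit*` lines remain commented out, so no execve auditing is active despite the long explanatory comment; either enable them or shrink the comment to a one-line `# TODO: enable auditd with the execve rule once log volume has been checked` so the file does not suggest logging that is not happening.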


@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_usb_sdmmc"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb";
fsType = "btrfs";
options = ["subvol=@"];
};
boot.initrd.luks.devices."luks-ab9bf3d3-8c4f-415b-944e-a8e8d355d11c".device = "/dev/disk/by-uuid/ab9bf3d3-8c4f-415b-944e-a8e8d355d11c";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/E290-4D47";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -52,7 +52,7 @@
extraGroups = ["networkmanager" "wheel" "syncthing"];
initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [
# TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
"SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw tasia@new-new-phoenix"
];
};

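--- /dev/null
+++ b/tailscale-acl.jsonc
@@ -0,0 +1,41 @@
+// Example/default ACLs for unrestricted connections.
+{
+// Declare static groups of users. Use autogroups for all users or users with a specific role.
+// "groups": {
+// "group:example": ["alice@example.com", "bob@example.com"],
+// },
+// Define the tags which can be applied to devices and by which users.
+"tagOwners": {
+"tag:trusted": ["autogroup:admin"],
+},
+// Define access control lists for users, groups, autogroups, tags,
+// Tailscale IP addresses, and subnet ranges.
+"acls": [
+// Allow all connections.
+// Comment this section out if you want to define specific restrictions.
+{"action": "accept", "src": ["*"], "dst": ["*:*"]},
+],
+// Define users and devices that can use Tailscale SSH.
+"ssh": [
+// Allow all users to SSH into their own devices in check mode.
+// Comment this section out if you want to define specific restrictions.
+{
+"action": "check",
+"src": ["autogroup:member"],
+"dst": ["autogroup:self"],
+"users": ["autogroup:nonroot"],
+},
+],
+// Test access rules every time they're saved.
+// "tests": [
+// {
+// "src": "alice@example.com",
+// "accept": ["tag:example"],
+// "deny": ["100.101.102.103:443"],
+// },
+// ],
+}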
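Review bot: `tag:trusted` is declared under `tagOwners` but never referenced in `acls`, so the only rule in force is the accept-all `{"action": "accept", "src": ["*"], "dst": ["*:*"]}`, and combined with `trustedInterfaces = ["tailscale0"]` in this commit's NixOS config every tailnet node reaches every listening port on these hosts. If the tag is meant to gate access, reference it and narrow the destination, e.g. `{"action": "accept", "src": ["tag:trusted"], "dst": ["*:22"]}`, adding ports only as services are actually exposed (Tailscale SSH still needs port 22 permitted by an `acls` entry). The `ssh` rule in check mode for `autogroup:member` → `autogroup:self` restricted to `autogroup:nonroot` is reasonable as written. The copy in this repo appears to be a reference only, since the policy is enforced from the Tailscale admin console, so a one-line header such as `// Reference copy: the live policy is the one saved in the admin console` would tell the next reader where to change it.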