materus
/
nixos-config
mirror of https://github.com/materusPL/nixos-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update

This commit is contained in:
Mateusz Słodkowicz 2025-05-18 15:47:12 +02:00
parent 0e60e2517f
commit 9a37d9eb2f
Signed by: materus
GPG Key ID: 28D140BCA60B4FD1
8 changed files with 161 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
flake.org
View File

@ -5,7 +5,7 @@
#+OPTIONS: \n:t
#+auto_tangle: t
* Flakes
** Main Flake
Flake of entire repo. [[./flake.nix][link]]

35
nix/common-os.nix
View File

@ -1,4 +1,35 @@
{...}:
# * Common OS
{
mkkArg,
config,
...
}:
{
imports = [
mkkArg.current.sops-nix.nixosModules.sops
# * Config
# ** Assertions
{
assertions = [
{
assertion = builtins.pathExists (config.konfig.vars.path.mkk + "/host/keys/ssh_host_ed25519_key");
message = "Not found host ed25519 key";
}
{
assertion = builtins.pathExists (config.konfig.vars.path.mkk + "/host/keys//ssh_host_rsa_key");
message = "Not found host RSA key";
}
];
}
# ** Variables
{
mkk.commonVariables = {
path = {
mkk = "/mkk";
};
};
}
# * Common OS END
];
}

16
nix/common.nix
View File

@ -8,8 +8,8 @@
}:
{
imports = [
(if mkkArg.isDecrypted then ./variables-private.nix else {})
# * NIX & NIXPKGS
# * Config
# ** NIX & NIXPKGS
{
nixpkgs.config = {
allowUnfree = lib.mkDefault true;
@ -172,7 +172,7 @@
};
}
# * Assertions
# ** Assertions
{
config.assertions = [
{
@ -186,9 +186,15 @@
}
];
}
# * Args
# ** Args
{
imports = [
(if mkkArg.isDecrypted then ./variables-private.nix else {})
(if mkkArg.isOs then ./common-os.nix else {})
];
options.konfig = lib.mkOption { default = { }; };
options.mkk.commonVariables = lib.mkOption { default = { }; };
config = {
konfig = {
unstable = mkkArg.unstable;
@ -207,7 +213,7 @@
arg = mkkArg;
rootFlake = (builtins.getFlake mkkArg.configRootPath);
vars = { };
vars = config.mkk.commonVariables;
};
_module.args.konfig = config.konfig;
};

5
nix/default.nix
View File

@ -46,10 +46,12 @@ in
current = (if isStable then stable else unstable);
isDecrypted = (isDecrypted (if isStable then stable else unstable).nixpkgs system);
isStable = isStable;
isOs = true;
}
// extraArgs;
};
modules = [
./common.nix
./hosts/${hostname}.nix
(
if
@ -62,8 +64,7 @@ in
else
{ }
)
./common.nix
./common-os.nix
] ++ extraModules;
};

BIN
nix/hosts/materusPC-private.nix
View File

Binary file not shown.

116
nix/hosts/materusPC.nix
View File

@ -9,19 +9,50 @@
{
imports = [
# * CONFIG
# ** Nix System Settings
# ** General Settings
# *** SOPS
{
sops.age.generateKey = false;
sops.gnupg.home = null;
sops.gnupg.sshKeyPaths = [ ];
sops.age.sshKeyPaths = [ (konfig.vars.path.mkk + "/host/keys/ssh_host_ed25519_key") ];
sops.defaultSopsFile = konfig.rootFlake + "/private/materusPC-secrets.yaml";
#sops.secrets."users/materus" = { neededForUsers = true; };
sops.secrets.wireguard = { };
services.openssh.hostKeys = [
{
bits = 4096;
path = konfig.vars.path.mkk + "/host/keys/ssh_host_rsa_key";
type = "rsa";
}
{
path = konfig.vars.path.mkk + "/host/keys/ssh_host_ed25519_key";
type = "ed25519";
}
];
}
# *** Nix System Settings
{
nixpkgs.hostPlatform = "x86_64-linux";
system.copySystemConfiguration = false;
system.stateVersion = "23.05";
}
# ** Network
# *** Firewall & Others
{
services = {
syncthing = {
enable = true;
user = "materus";
dataDir = "/home/materus";
};
};
networking.hostName = "materusPC";
networking.useDHCP = lib.mkDefault true;
networking.wireless.iwd.enable = true;
networking.networkmanager.enable = true;
#networking.networkmanager.wifi.backend = "iwd";
networking.firewall.enable = true;
networking.firewall = {
@ -35,9 +66,85 @@
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport ${konfig.vars.wireguard.ports.materusPC} -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport ${konfig.vars.wireguard.ports.materusPC} -j RETURN || true
'';
allowedTCPPorts = [
24800
5900
5357
4656
8080
9943
9944
# Syncthing
22000
config.services.syncthing.relay.statusPort
config.services.syncthing.relay.port
];
allowedUDPPorts = [
(lib.strings.toInt konfig.vars.wireguard.ports.materusPC)
24800
5900
3702
4656
6000
9943
9944
# Syncthing
22000
21027
# Zomboid
17000
17001
];
};
}
# *** NetworkManager
{
sops.templates."networkmanager.env".content = ''
WIREGUARD_PRIVATEKEY="${config.sops.placeholder.wireguard}"
'';
networking.networkmanager.ensureProfiles.environmentFiles = [
config.sops.templates."networkmanager.env".path
];
networking.networkmanager.enable = true;
#networking.networkmanager.wifi.backend = "iwd";
networking.networkmanager.settings = {
connectivity = {
uri = "http://nmcheck.gnome.org/check_network_status.txt";
};
};
networking.networkmanager.ensureProfiles.profiles = {
wg0 = {
connection = {
id = "wg0";
type = "wireguard";
interface-name = "wg0";
};
wireguard = {
private-key = "$WIREGUARD_PRIVATEKEY";
};
"wireguard-peer.${konfig.vars.wireguard.pubKeys.valkyrie}" = {
endpoint = "${konfig.vars.ip.valkyrie.ipv4}:${konfig.vars.wireguard.ports.valkyrie}";
allowed-ips = "${konfig.vars.wireguard.masks.general};";
persistent-keepalive = "20";
};
ipv4 = {
address1 = "${konfig.vars.wireguard.ip.materusPC}/23";
dns = "${konfig.vars.wireguard.ip.valkyrie};";
method = "manual";
never-default = "true";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "disabled";
};
proxy = { };
};
};
}
# ** Hardware
# *** Filesystems
{
@ -219,6 +326,9 @@
# *** Firmware & Others
{
hardware.uinput.enable = true;
hardware.steam-hardware.enable = true;
hardware.firmware = with pkgs; [
konfig.nixerusPkgs.amdgpu-pro-libs.firmware.vcn
konfig.nixerusPkgs.amdgpu-pro-libs.firmware

BIN
nix/variables-private.nix
View File

Binary file not shown.

BIN
private/materusPC-secrets.yaml Normal file
View File

Binary file not shown.