nixos-configs/modules/beatific.nix

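# beatific: the shared baseline for every host in the "beatific" fleet.
#
# A host must set `beatific.hostName`; everything else is opt-out via the
# `beatific.defaults.<category>` switches (all on by default) plus the
# opt-in `beatific.isLighthouse` / `beatific.extraPrograms` toggles.
{ config, lib, pkgs, ... }:
let
  inherit (lib) mkDefault mkIf mkMerge mkOption mkOverride types;
  cfg = config.beatific;
  # A boolean option that is on unless a host explicitly turns it off.
  mkFlag = description: mkOption {
    type = types.bool;
    inherit description;
    default = true;
  };
in {
  options = {
    beatific = {
      # The host name is reused for beatific-specific configuration.
      # The bulk of common config is handled in beatific.defaults below, but
      # having one option without a default ensures that the module cannot be
      # imported accidentally.
      hostName = mkOption {
        type = types.str;
        description = "Hostname";
      };
      isLighthouse = mkOption {
        type = types.bool;
        description = "Whether this host is a Nebula lighthouse";
        default = false;
      };
      extraPrograms = mkOption {
        type = types.bool;
        description = "Additional default programs";
        default = false;
      };
      # Groups of related defaults can be disabled by flipping off the switches here:
      # beatific.defaults.${category} = false;
      # They default to true because the point is to do these things by default.
      defaults = {
        time = mkFlag "Default time zone and NTP";
        i18n = mkFlag "Default locale settings";
        programs = mkFlag "Default installed programs";
        ssh = mkFlag "Default sshd settings";
        nebula = mkFlag "Default beatific nebula settings";
        tvb = mkFlag "Default tvb account";
        tvbSync = mkFlag "Configure system syncthing for tvb";
        hosts = mkFlag "Default 10.22.20.* DNS host entries";
      };
    };
  };

  config = mkMerge [
    {
      # Options to always set
      networking.hostName = cfg.hostName;
      networking.stevenblack = {
        enable = true;
        block = [ "fakenews" "gambling" "porn" ];
      };
      nix.channel.enable = false;
      nix.extraOptions = "experimental-features = nix-command flakes";
      # Trusted users may pass arbitrary settings (extra substituters, sandbox
      # paths, ...) to the nix daemon, which is effectively root-equivalent.
      # Keep this list to the administrative account only.
      nix.settings.trusted-users = [ "tvb" ];
      # Link /etc/nixos to the flake source
      environment.etc.nixos.source = ./..;
      environment.etc."bashrc.local".source = ./bashrc;
      environment.shellAliases = {
        # Shortcut for nixos-rebuild
        nr = "sudo nixos-rebuild --fast --flake $HOME/nixos-configs";
        # Always preserve mode, ownership, ts with copy
        cp = "cp -rp";
        xo = "xdg-open";
        scp = "scp -p";
        smv = "rsync -av --remove-source-files";
        ffprobe = "ffprobe -hide_banner";
        ffmpeg = "ffmpeg -hide_banner";
        ".." = "cd ..";
        "..." = "cd ../..";
        "...." = "cd ../../..";
        "....." = "cd ../../../..";
      };
      security.sudo.extraRules = [{
        users = [ "tvb" ];
        # Passwordless nixos-rebuild activates whatever flake the caller
        # points it at, so it is root-equivalent; the rule is acceptable only
        # because tvb is the admin account (it is in "wheel" via
        # beatific.defaults.tvb anyway).
        commands = [ { command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" ]; } ];
      }];
    }

    (mkIf cfg.defaults.time {
      # mkDefault time zone to make it easy to configure it to non-UTC
      time.timeZone = mkDefault "UTC";
      services.ntp.enable = true;
      services.ntp.servers = [ "time.nist.gov" ];
    })

    (mkIf cfg.defaults.i18n {
      # en_US.UTF-8
      i18n.defaultLocale = "en_US.UTF-8";
      i18n.extraLocaleSettings = {
        LC_ADDRESS = "en_US.UTF-8";
        LC_IDENTIFICATION = "en_US.UTF-8";
        LC_MEASUREMENT = "en_US.UTF-8";
        LC_MONETARY = "en_US.UTF-8";
        LC_NAME = "en_US.UTF-8";
        LC_NUMERIC = "en_US.UTF-8";
        LC_PAPER = "en_US.UTF-8";
        LC_TELEPHONE = "en_US.UTF-8";
        LC_TIME = "en_US.UTF-8";
      };
    })

    (mkIf cfg.defaults.programs {
      environment.systemPackages = with pkgs; [
        bat # colorized and numbered `less`
        bc # Terminal calculator
        curl # omnipotent URL tool
        difftastic # file diff tool
        duf # disk-free checker
        exiftool # media tag tool
        ffmpeg # omnipotent media tool
        file # file type inspector
        htmlq # jq for html
        jq # jq for json
        nebula # vpn
        poppler_utils # provides pdfto* utils, allows lesspipe to read pdfs
        psmisc # provides killall
        python3 # second-best language for everything
        ripgrep # fast file searcher
        rsync # incremental remote copy
        sqlite # omnipotent database
        tree # directory tree view
        unzip # .zip archive tool
        vim # terminal editor
        viu # terminal image "viewer"
        wget # web fetcher
        zip # .zip archive tool
        # Copy the named file to the X clipboard.
        (writeShellScriptBin "clip" ''
          ${xclip}/bin/xclip -sel c < "$1"
        '')
      ];
      programs = {
        git = {
          enable = true;
          config = {
            init.defaultBranch = "master";
            merge.conflictstyle = "diff3";
            alias = {
              amend = "commit --amend";
              fixup = "commit --amend --no-edit";
              pick = "cherry-pick";
            };
          };
        };
        htop.enable = true;
      };
      # The nixpkgs default is "nano", so we go one priority higher
      environment.variables.EDITOR = mkOverride 999 "vim";
    })

    (mkIf cfg.extraPrograms {
      environment.systemPackages = with pkgs; [
        # Expose calibre's converter without pulling the whole calibre
        # application into PATH.
        (writeShellScriptBin "ebook-convert" ''
          exec ${calibre}/bin/ebook-convert "$@"
        '')
        imagemagick # image convertion cli
        puddletag # mp3 tag editor
        tesseract # OCR engine
      ];
    })

    (mkIf cfg.defaults.ssh {
      services.openssh.enable = true;
      # Logins are key-based: beatific.defaults.tvb provisions authorized keys
      # from ../keys, and the tvb account starts with a well-known
      # initialPassword.  Turn off password and keyboard-interactive
      # authentication so that password never works over the network;
      # mkDefault keeps it overridable by a host that really needs it.
      services.openssh.settings.PasswordAuthentication = mkDefault false;
      services.openssh.settings.KbdInteractiveAuthentication = mkDefault false;
      services.openssh.settings.PrintMotd = true;
      # Per-host ASCII banner, falling back to the generic beatific one.
      environment.etc."motd".text = let
        ascii = import ./ascii.nix;
      in ascii.${cfg.hostName} or ascii.beatific;
      networking.firewall.allowPing = true;
      networking.firewall.allowedTCPPorts = [ 22 ];
    })

    (mkIf cfg.defaults.nebula {
      services.nebula.networks.beatific = let
        empyreanExternalDns = "vpn.alogoulogoi.com";
        empyreanInternalIp = "10.22.20.1";
        nebulaPort = 4242;
      in {
        enable = true;
        # The lighthouse only listens on the designated subdomain
        listen.host = if cfg.isLighthouse then empyreanExternalDns else "0.0.0.0";
        listen.port = nebulaPort;
        # Standard certificate paths; the per-host cert/key are keyed by
        # hostName and must be deployed out of band (they are not in the flake).
        ca = "/etc/nebula/beatific/beatific.crt";
        cert = "/etc/nebula/beatific/${cfg.hostName}.crt";
        key = "/etc/nebula/beatific/${cfg.hostName}.key";
        isLighthouse = cfg.isLighthouse;
        # Non-lighthouses connect to the lighthouse at empyrean
        # This should be a VPN address in the static host map
        lighthouses = mkIf (! cfg.isLighthouse) [ empyreanInternalIp ];
        # Currently there is no VPN-level traffic filtering: any certified
        # member of the overlay can reach any port on this host, so overlay
        # membership (the CA and issued certs) is the only boundary.
        firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
        firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
        # Map the lighthouse address to its public address
        staticHostMap = { ${empyreanInternalIp} = [ "${empyreanExternalDns}:${toString nebulaPort}" ]; };
        settings = {
          # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
          punchy = { punch = true; response = true; };
        };
      };
    })

    (mkIf cfg.defaults.tvb {
      users.groups.tvb = {};
      users.users.tvb = {
        isNormalUser = true;
        group = "tvb";
        extraGroups = [ "wheel" ];
        # initialPassword only applies when the account is first created, and
        # this value is public in the repository: change it at first login.
        # With beatific.defaults.ssh on, sshd does not accept passwords, so it
        # is usable only from the console until then.
        initialPassword = "password";
        openssh.authorizedKeys.keyFiles = (import ../keys).tvb;
      };
    })

    (mkIf cfg.defaults.tvbSync {
      # I haven't gotten user services to work correctly yet,
      # so for now, tvb monopolizes the system syncthing instance.
      # Adding users in the future should probably involve multiple
      # system services so as not to require login to sync.
      services.syncthing = {
        enable = true;
        configDir = "/home/tvb/.config/syncthing";
        # this doesn't prevent syncthing from putting sync points in other locations, it's just a default
        # normally it would make sense to put it at ~ but see https://github.com/NixOS/nixpkgs/pull/273693
        dataDir = "/home/tvb/.config/syncthing";
        # Opens the sync and discovery ports in the host firewall.  The web GUI
        # address is left at the module default (presumably loopback-only —
        # confirm before relying on it).
        openDefaultPorts = true;
        user = "tvb";
        group = "tvb";
      };
    })

    (mkIf cfg.defaults.hosts {
      # Create *.home host entries for all the beatific members
      networking.hosts = {
        "10.22.20.1" = [
          "empyrean.home"
        ];
        "10.22.20.2" = [
          "catacomb.home"
          "mopidy.home.ktvb.site"
        ];
        "10.22.20.3" = [
          "palamas.home"
        ];
        "10.22.20.4" = [
          "stagirite.home"
        ];
        "10.22.20.5" = [
          "vagrant.home"
        ];
        "10.22.20.6" = [
          "unfolder.home"
        ];
        "10.22.20.7" = [
          "centroid.home"
        ];
        "10.22.20.8" = [
          "backyard.home"
          "pool.backyard.home"
          "mirror.backyard.home"
          "jellyfin.home.ktvb.site"
        ];
        "10.22.20.9" = [
          "imperium.home"
        ];
      };
    })
  ];
}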