zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

clean up

Browse Source
This commit is contained in:
zuckerberg 2021-02-23 21:34:29 -05:00
parent db877a8038
commit 079ff9e8e3
13 changed files with 57 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
common/boot/bios.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
# Use GRUB 2 for BIOS
boot.loader.grub = {
enable = true;
version = 2;
useOSProber = true;
configurationLimit = 20;
theme = pkgs.nixos-grub2-theme;
};
}

1
common/efi.nix → common/boot/efi.nix
View File

@ -2,7 +2,6 @@
{
# Use GRUB2 for EFI
boot.loader = {
efi.canTouchEfiVariables = true;
grub = {

7
common/boot/firmware.nix Normal file
View File

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
hardware.cpu.intel.updateMicrocode = true;
# services.fwupd.enable = true;
}

2
common/luks.nix → common/boot/luks.nix
View File

@ -56,6 +56,4 @@
tor -f ${torRc} --verify-config
tor -f ${torRc} &
'';
system.stateVersion = "20.09";
}

3
common/common.nix
View File

@ -3,8 +3,11 @@
{
imports = [
./flakes.nix
./boot/firmware.nix
];
system.stateVersion = "20.09";
boot.loader.timeout = 2;
time.timeZone = "America/New_York";

5
common/firmware.nix
View File

@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
services.fwupd.enable = true;
}

14
common/pc/audio.nix
View File

@ -3,16 +3,26 @@
{
# Audio
sound.enable = true;
nixpkgs.config.pulseaudio = true; # enable pulseaudio support for packages
# enable pulseaudio support for packages
nixpkgs.config.pulseaudio = true;
# realtime pulseaudio
security.rtkit.enable = true;
hardware.pulseaudio = {
enable = true;
support32Bit = true;
package = pkgs.pulseaudioFull; # bt headset support
# TODO: switch on connect isn't working for some reason (at least when in kde)
extraConfig = "
load-module module-switch-on-connect
load-module module-switch-on-connect ignore_virtual=no
";
};
users.users.googlebot.extraGroups = [ "audio" ];
# bt headset support
hardware.bluetooth.enable = true;
users.users.googlebot.extraGroups = [ "audio" ];
}

25
common/pc/pithos.nix
View File

@ -1,17 +1,5 @@
{ config, pkgs, ... }:
#let
# pithos = pkgs.pithos.overrideAttrs (old: rec {
# pname = "pithos";
# version = "1.5.1";
# src = pkgs.fetchFromGitHub {
# owner = pname;
# repo = pname;
# rev = version;
# sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
# };
# });
#in
{
nixpkgs.overlays = [
(self: super: {
@ -28,19 +16,6 @@
})
];
# nixpkgs.config.packageOverrides = pkgs: {
# pithos = pkgs.pithos.overrideAttrs (old: rec {
# pname = "pithos";
# version = "1.5.1";
# pithosSrc = pkgs.fetchFromGitHub {
# owner = pname;
# repo = pname;
# rev = version;
# sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
# };
# });
# };
users.users.googlebot.packages = with pkgs; [
pithos
];

71
common/server/gitlab.nix
View File

@ -28,86 +28,15 @@
email_display_name = "neet.dev GitLab";
email_reply_to = "gitlab-no-reply@neet.dev";
};
pages = {
enabled = true;
host = "pages.neet.dev";
port = 443;
https = true;
};
};
pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ];
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
services.gitlab-runner = {
# enable = true;
enable = false;
services = {
# runner for building in docker via host's nix-daemon
# nix store will be readable in runner, might be insecure
nix = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-env -i ${builtins.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
${pkgs.nix}/bin/nix-channel --update nixpkgs
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = [ "nix" ];
};
# runner for building docker images
docker-images = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "docker:stable";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
tagList = [ "docker-images" ];
};
# runner for everything else
default = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "debian:stable";
};
};
};
services.nginx.virtualHosts = {
"git.neet.dev" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
"*.pages.neet.dev" = {
forceSSL = true;
useACMEHost = "pages.neet.dev";
locations."/".proxyPass = "http://localhost:8090";
};
};
}

3
common/server/hydra.nix
View File

@ -6,7 +6,6 @@ let
notifyEmail = "hydra@neet.dev";
in
{
# the lounge client
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
@ -17,7 +16,7 @@ in
services.hydra = {
enable = true;
port = 3000;
inherit port;
hydraURL = "https://${domain}";
useSubstitutes = true;
notificationSender = notifyEmail;

14
common/server/nginx.nix Normal file
View File

@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
}

38
neet.dev/configuration.nix
View File

@ -4,8 +4,10 @@
imports =[
./hardware-configuration.nix
../common/common.nix
../common/luks.nix
../common/boot/bios.nix
../common/boot/luks.nix
# ../common/server/nsd.nix
../common/server/nginx.nix
../common/server/thelounge.nix
../common/server/mumble.nix
../common/server/gitlab.nix
@ -13,43 +15,15 @@
../common/server/hydra.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "neetdev";
networking.wireless.enable = false;
boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
networking.useDHCP = true; # just in case... (todo ensure false doesn't fuck up initrd)
networking.wireless.enable = false;
networking.useDHCP = false;
networking.interfaces.eno1.useDHCP = true;
security.acme.acceptTerms = true;
security.acme.email = "letsencrypt+5@tar.ninja";
security.acme.certs = {
"pages.neet.dev" = {
group = "nginx";
domain = "*.pages.neet.dev";
dnsProvider = "digitalocean";
credentialsFile = "/var/lib/secrets/certs.secret";
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
# LUKS
boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
system.stateVersion = "20.09";
}

7
reg/configuration.nix
View File

@ -4,9 +4,8 @@
imports = [
./hardware-configuration.nix
../common/common.nix
../common/efi.nix
../common/luks.nix
../common/firmware.nix
../common/boot/efi.nix
../common/boot/luks.nix
../common/pc/de.nix
../common/pc/touchpad.nix
];
@ -21,7 +20,5 @@
networking.interfaces.enp57s0f1.useDHCP = true;
networking.interfaces.wlp0s20f3.useDHCP = true;
networking.interfaces.wwp0s20f0u2i12.useDHCP = true;
system.stateVersion = "20.09";
}