diff --git a/common/boot/bios.nix b/common/boot/bios.nix
new file mode 100644
index 0000000..163b160
--- /dev/null
+++ b/common/boot/bios.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+ # Use GRUB 2 for BIOS
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ useOSProber = true;
+ configurationLimit = 20;
+ theme = pkgs.nixos-grub2-theme;
+ };
+}
\ No newline at end of file
diff --git a/common/efi.nix b/common/boot/efi.nix
similarity index 99%
rename from common/efi.nix
rename to common/boot/efi.nix
index 63712e4..440bef7 100644
--- a/common/efi.nix
+++ b/common/boot/efi.nix
@@ -2,7 +2,6 @@
 {
 # Use GRUB2 for EFI
-
 boot.loader = {
 efi.canTouchEfiVariables = true;
 grub = {
diff --git a/common/boot/firmware.nix b/common/boot/firmware.nix
new file mode 100644
index 0000000..08c16ef
--- /dev/null
+++ b/common/boot/firmware.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ hardware.cpu.intel.updateMicrocode = true;
+
+ # services.fwupd.enable = true;
+}
\ No newline at end of file
diff --git a/common/luks.nix b/common/boot/luks.nix
similarity index 98%
rename from common/luks.nix
rename to common/boot/luks.nix
index efef123..a9d9222 100644
--- a/common/luks.nix
+++ b/common/boot/luks.nix
@@ -56,6 +56,4 @@
 tor -f ${torRc} --verify-config
 tor -f ${torRc} &
 '';
-
- system.stateVersion = "20.09";
 }
diff --git a/common/common.nix b/common/common.nix
index 18ce448..ad0a54f 100644
--- a/common/common.nix
+++ b/common/common.nix
@@ -3,8 +3,11 @@
 {
 imports = [
 ./flakes.nix
+ ./boot/firmware.nix
 ];
+ system.stateVersion = "20.09";
+
 boot.loader.timeout = 2;
 time.timeZone = "America/New_York";
diff --git a/common/firmware.nix b/common/firmware.nix
deleted file mode 100644
index c7251d7..0000000
--- a/common/firmware.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- services.fwupd.enable = true;
-}
\ No newline at end of file
diff --git a/common/pc/audio.nix b/common/pc/audio.nix
index f38d6bc..3f5881b 100644
--- a/common/pc/audio.nix 
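Review bot: `useOSProber = true;` in the new bios.nix makes every rebuild run os-prober as root, which scans and mounts every block device it can find; this same commit imports bios.nix into neet.dev/configuration.nix, a LUKS-encrypted server with no second OS to discover, so on that host the probing is pure attack surface and extra rebuild time for no benefit. Either drop the line or set `useOSProber = false;` here and enable it only in the per-host config of an actual dual-boot machine. A one-line comment on `configurationLimit = 20;` saying why twenty generations are kept would also help, since each one is a bootable kernel+initrd pair retained on /boot.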
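Review bot: `# services.fwupd.enable = true;` lands commented out with no reason recorded, while the same commit deletes common/firmware.nix, which had it enabled, and wires the new file into common.nix for every importing host (neet.dev and reg are both visible here); the net effect is that fwupd, the only firmware-update path for non-CPU components, is silently switched off everywhere. If that is intentional, say why so it is not read as an oversight, e.g. `# fwupd disabled: <reason>; re-enable per host if needed`. `hardware.cpu.intel.updateMicrocode = true;` likewise now applies to all importing hosts, so an AMD machine would need `hardware.cpu.amd.updateMicrocode` instead; a comment noting the Intel-only assumption would make that visible.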
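Review bot: `system.stateVersion = "20.09";` is moved from the per-host configs into the shared common.nix, so any host added later will inherit 20.09 regardless of when it was installed; stateVersion pins stateful defaults (the PostgreSQL package that gitlab.nix's database is created with is one example), so an inherited value can leave a fresh install on an old default with no warning. Keeping it in each host's configuration.nix, as it was before this commit, is the safer shape. If it stays here, record the intent with `# stateVersion is shared on purpose: every host was installed on 20.09` so the next host added does not silently inherit it.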
+++ b/common/pc/audio.nix
@@ -3,16 +3,26 @@
 {
 # Audio
 sound.enable = true;
- nixpkgs.config.pulseaudio = true; # enable pulseaudio support for packages
+
+ # enable pulseaudio support for packages
+ nixpkgs.config.pulseaudio = true;
+
+ # realtime pulseaudio
+ security.rtkit.enable = true;
+
 hardware.pulseaudio = {
 enable = true;
 support32Bit = true;
 package = pkgs.pulseaudioFull;
 # bt headset support
+
+ # TODO: switch on connect isn't working for some reason (at least when in kde)
 extraConfig = "
 load-module module-switch-on-connect
 load-module module-switch-on-connect ignore_virtual=no
 ";
 };
+ users.users.googlebot.extraGroups = [ "audio" ];
+
+ # bt headset support
 hardware.bluetooth.enable = true;
- users.users.googlebot.extraGroups = [ "audio" ];
 }
diff --git a/common/pc/pithos.nix b/common/pc/pithos.nix
index 12d7c77..2946d1f 100644
--- a/common/pc/pithos.nix
+++ b/common/pc/pithos.nix
@@ -1,17 +1,5 @@
 { config, pkgs, ... }:
-#let
-# pithos = pkgs.pithos.overrideAttrs (old: rec {
-# pname = "pithos";
-# version = "1.5.1";
-# src = pkgs.fetchFromGitHub {
-# owner = pname;
-# repo = pname;
-# rev = version;
-# sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
-# };
-# });
-#in
 {
 nixpkgs.overlays = [
 (self: super: {
@@ -28,19 +16,6 @@
 })
 ];
-# nixpkgs.config.packageOverrides = pkgs: {
-# pithos = pkgs.pithos.overrideAttrs (old: rec {
-# pname = "pithos";
-# version = "1.5.1";
-# pithosSrc = pkgs.fetchFromGitHub {
-# owner = pname;
-# repo = pname;
-# rev = version;
-# sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
-# };
-# });
-# };
-
 users.users.googlebot.packages = with pkgs; [
 pithos
 ];
diff --git a/common/server/gitlab.nix b/common/server/gitlab.nix
index 628dc7e..3a81c33 100644
--- a/common/server/gitlab.nix
+++ b/common/server/gitlab.nix 
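Review bot: `users.users.googlebot.extraGroups = [ "audio" ];` is moved rather than reconsidered: with `hardware.pulseaudio` in its default per-user mode the sound devices are handed to the active session by logind, and membership in `audio` additionally grants that user permanent raw access to /dev/snd that bypasses PulseAudio, so it is an unnecessary standing privilege unless something here needs ALSA directly. Drop the line, or keep it with a comment such as `# audio group: needed for <x>; grants raw /dev/snd access outside pulseaudio` so the reason survives. The adjacent `security.rtkit.enable = true;` is the right way to get realtime scheduling and does not need the group. The doubled `load-module module-switch-on-connect` in extraConfig is context rather than new, but it may be related to the TODO added above it and is worth checking while the file is being touched.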
@@ -28,86 +28,15 @@
 email_display_name = "neet.dev GitLab";
 email_reply_to = "gitlab-no-reply@neet.dev";
 };
- pages = {
- enabled = true;
- host = "pages.neet.dev";
- port = 443;
- https = true;
- };
 };
 pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ];
 };
- boot.kernel.sysctl."net.ipv4.ip_forward" = true;
- services.gitlab-runner = {
-# enable = true;
- enable = false;
- services = {
- # runner for building in docker via host's nix-daemon
- # nix store will be readable in runner, might be insecure
- nix = {
- registrationConfigFile = "/run/secrets/gitlab-runner-registration";
- dockerImage = "alpine";
- dockerVolumes = [
- "/nix/store:/nix/store:ro"
- "/nix/var/nix/db:/nix/var/nix/db:ro"
- "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
- ];
- dockerDisableCache = true;
- preBuildScript = pkgs.writeScript "setup-container" ''
- mkdir -p -m 0755 /nix/var/log/nix/drvs
- mkdir -p -m 0755 /nix/var/nix/gcroots
- mkdir -p -m 0755 /nix/var/nix/profiles
- mkdir -p -m 0755 /nix/var/nix/temproots
- mkdir -p -m 0755 /nix/var/nix/userpool
- mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
- mkdir -p -m 1777 /nix/var/nix/profiles/per-user
- mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
- mkdir -p -m 0700 "$HOME/.nix-defexpr"
-
- . 
${pkgs.nix}/etc/profile.d/nix.sh
-
- ${pkgs.nix}/bin/nix-env -i ${builtins.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
-
- ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
- ${pkgs.nix}/bin/nix-channel --update nixpkgs
- '';
- environmentVariables = {
- ENV = "/etc/profile";
- USER = "root";
- NIX_REMOTE = "daemon";
- PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
- NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
- };
- tagList = [ "nix" ];
- };
- # runner for building docker images
- docker-images = {
- registrationConfigFile = "/run/secrets/gitlab-runner-registration";
- dockerImage = "docker:stable";
- dockerVolumes = [
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- tagList = [ "docker-images" ];
- };
- # runner for everything else
- default = {
- registrationConfigFile = "/run/secrets/gitlab-runner-registration";
- dockerImage = "debian:stable";
- };
- };
- };
-
 services.nginx.virtualHosts = {
 "git.neet.dev" = {
 enableACME = true;
 forceSSL = true;
 locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
 };
- "*.pages.neet.dev" = {
- forceSSL = true;
- useACMEHost = "pages.neet.dev";
- locations."/".proxyPass = "http://localhost:8090";
- };
 };
 }
diff --git a/common/server/hydra.nix b/common/server/hydra.nix
index 8f53ab9..a1f8994 100644
--- a/common/server/hydra.nix
+++ b/common/server/hydra.nix
@@ -6,7 +6,6 @@ let
 notifyEmail = "hydra@neet.dev";
 in
 {
- # the lounge client
 services.nginx.virtualHosts."${domain}" = {
 enableACME = true;
 forceSSL = true;
@@ -17,7 +16,7 @@ in
 services.hydra = {
 enable = true;
- port = 3000;
+ inherit port;
 hydraURL = "https://${domain}";
 useSubstitutes = true;
 notificationSender = notifyEmail;
diff --git a/common/server/nginx.nix b/common/server/nginx.nix
new file mode 100644
index 0000000..a511c97
--- /dev/null
+++ b/common/server/nginx.nix 
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 ];
+}
\ No newline at end of file
diff --git a/neet.dev/configuration.nix b/neet.dev/configuration.nix
index 209540c..f57c476 100644
--- a/neet.dev/configuration.nix
+++ b/neet.dev/configuration.nix
@@ -4,8 +4,10 @@
 imports =[
 ./hardware-configuration.nix
 ../common/common.nix
- ../common/luks.nix
+ ../common/boot/bios.nix
+ ../common/boot/luks.nix
 # ../common/server/nsd.nix
+ ../common/server/nginx.nix
 ../common/server/thelounge.nix
 ../common/server/mumble.nix
 ../common/server/gitlab.nix 
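Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens two UDP ports that nothing in this module listens on: the `services.nginx` block declares no HTTP/3/QUIC listener and no other UDP service is configured, so the rule is unused exposure carried over verbatim from the old inline neet.dev config into a file that every HTTP-serving host will now import. Drop that line and keep only `networking.firewall.allowedTCPPorts = [ 80 443 ];`; if QUIC is added later, UDP 443 can return with it, and UDP 80 has no use in either case. A short header comment naming the module's role, e.g. `# shared nginx baseline: TLS/proxy defaults and the HTTP firewall rules for hosts that serve web traffic`, would also help now that it is pulled in by host configs rather than read in place.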
@@ -13,43 +15,15 @@
 ../common/server/hydra.nix
 ];
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/sda";
- networking.hostName = "neetdev";
- networking.wireless.enable = false;
+ boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
- networking.useDHCP = true; # just in case... (todo ensure false doesn't fuck up initrd)
+ networking.wireless.enable = false;
+ networking.useDHCP = false;
 networking.interfaces.eno1.useDHCP = true;
 security.acme.acceptTerms = true;
 security.acme.email = "letsencrypt+5@tar.ninja";
- security.acme.certs = {
- "pages.neet.dev" = {
- group = "nginx";
- domain = "*.pages.neet.dev";
- dnsProvider = "digitalocean";
- credentialsFile = "/var/lib/secrets/certs.secret";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- };
-
- # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.firewall.allowedUDPPorts = [ 80 443 ];
-
- # LUKS
- boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
-
- system.stateVersion = "20.09";
 }
diff --git a/reg/configuration.nix b/reg/configuration.nix
index f68bca9..3337980 100644
--- a/reg/configuration.nix
+++ b/reg/configuration.nix
@@ -4,9 +4,8 @@
 imports = [
 ./hardware-configuration.nix
 ../common/common.nix
- ../common/efi.nix
- ../common/luks.nix
- ../common/firmware.nix
+ ../common/boot/efi.nix
+ ../common/boot/luks.nix
 ../common/pc/de.nix
 ../common/pc/touchpad.nix
 ];
@@ -21,7 +20,5 @@
 networking.interfaces.enp57s0f1.useDHCP = true;
 networking.interfaces.wlp0s20f3.useDHCP = true;
 networking.interfaces.wwp0s20f0u2i12.useDHCP = true;
-
- system.stateVersion = "20.09";
 }
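Review bot: `networking.hostName = "neetdev";` is deleted with no replacement anywhere in this commit, so unless common.nix sets it outside the visible hunk, this host will boot with NixOS's default hostname; that is not a certificate or service break on its own, but logs, remote syslog and anything keyed on the hostname will change under you. Re-add `networking.hostName = "neetdev";` beside the other networking lines, or note where it moved. Separately, the removed `networking.useDHCP = true` carried a TODO doubting whether `false` breaks the initrd, and the new `networking.useDHCP = false;` resolves that doubt silently; luks.nix (renamed in this commit) appears to start tor during early boot, presumably for remote unlock, so if initrd networking has been confirmed to still come up, close the TODO with a comment such as `# initrd networking for the LUKS unlock is configured in boot/luks.nix, not via useDHCP` rather than just dropping it.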