This commit is contained in:
zuckerberg 2021-02-23 21:34:29 -05:00
parent db877a8038
commit 079ff9e8e3
13 changed files with 57 additions and 145 deletions

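--- /dev/null
+++ b/common/boot/bios.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+# Use GRUB 2 for BIOS
+boot.loader.grub = {
+enable = true;
+version = 2;
+useOSProber = true;
+configurationLimit = 20;
+theme = pkgs.nixos-grub2-theme;
+};
+}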
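Review bot: `useOSProber = true;` makes every `nixos-rebuild` run os-prober, which scans and mounts every attached partition looking for other operating systems, and the only host importing this file in this commit (hosts/neetdev, a headless LUKS server with `grub.device = "/dev/sda"`) seems unlikely to dual-boot. That is extra rebuild time and a mount of foreign filesystems for nothing, and the generated menu entries would be stale if a disk is swapped. Suggest `useOSProber = false;` here, enabling it only on hosts that actually dual-boot, or at least a comment stating why it is wanted in a shared BIOS profile.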


@ -2,7 +2,6 @@
{ {
# Use GRUB2 for EFI # Use GRUB2 for EFI
boot.loader = { boot.loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
grub = { grub = {

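--- /dev/null
+++ b/common/boot/firmware.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+hardware.cpu.intel.updateMicrocode = true;
+# services.fwupd.enable = true;
+}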
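Review bot: `# services.fwupd.enable = true;` is commented out with no reason, while the file this replaces (common/firmware.nix, deleted in this commit) had it enabled and was imported by hosts/laptop; since common.nix now imports this file instead, the net effect of the commit is that fwupd is silently switched off on the laptop. If that is intentional, record it: `# fwupd disabled: <reason>`; otherwise restore the line. Note also that `hardware.cpu.intel.updateMicrocode` now applies to every host importing common.nix, so an AMD host would need `hardware.cpu.amd.updateMicrocode = true;` instead, and the vendor assumption deserves a comment.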


@ -56,6 +56,4 @@
tor -f ${torRc} --verify-config tor -f ${torRc} --verify-config
tor -f ${torRc} & tor -f ${torRc} &
''; '';
system.stateVersion = "20.09";
} }


@ -3,8 +3,11 @@
{ {
imports = [ imports = [
./flakes.nix ./flakes.nix
./boot/firmware.nix
]; ];
system.stateVersion = "20.09";
boot.loader.timeout = 2; boot.loader.timeout = 2;
time.timeZone = "America/New_York"; time.timeZone = "America/New_York";
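Review bot: `system.stateVersion = "20.09";` should not be moved into the shared common.nix: it records when a particular host's stateful data was first created so NixOS keeps compatible defaults for that host (e.g. database data directories used by the gitlab/hydra services in this repo), and setting it centrally means any host added later inherits 20.09 and legacy defaults from day one. Keep it in each host's configuration.nix (this commit removes it from neetdev and laptop) with a comment such as `# do not change after install; pins stateful service defaults for this host`. The enclosing file continues beyond the hunk.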


@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
services.fwupd.enable = true;
}


@ -3,16 +3,26 @@
{ {
# Audio # Audio
sound.enable = true; sound.enable = true;
nixpkgs.config.pulseaudio = true; # enable pulseaudio support for packages
# enable pulseaudio support for packages
nixpkgs.config.pulseaudio = true;
# realtime pulseaudio
security.rtkit.enable = true;
hardware.pulseaudio = { hardware.pulseaudio = {
enable = true; enable = true;
support32Bit = true; support32Bit = true;
package = pkgs.pulseaudioFull; # bt headset support package = pkgs.pulseaudioFull; # bt headset support
# TODO: switch on connect isn't working for some reason (at least when in kde)
extraConfig = " extraConfig = "
load-module module-switch-on-connect load-module module-switch-on-connect
load-module module-switch-on-connect ignore_virtual=no load-module module-switch-on-connect ignore_virtual=no
"; ";
}; };
users.users.googlebot.extraGroups = [ "audio" ];
# bt headset support
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
users.users.googlebot.extraGroups = [ "audio" ];
} }
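Review bot: `security.rtkit.enable = true;` deserves more than `# realtime pulseaudio`: it starts the rtkit D-Bus system service, which grants realtime scheduling priority to ordinary user processes on request, so it is a system-wide privilege rather than an audio setting and the reader should know why it is being handed out. Suggest `# rtkit: D-Bus system service that grants realtime scheduling to user processes; needed so the per-user pulseaudio instance can run its audio threads at realtime priority`. The `# TODO: switch on connect isn't working` line could also state which version/DE it was observed on so it can be retired later.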


@ -1,17 +1,5 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
#let
# pithos = pkgs.pithos.overrideAttrs (old: rec {
# pname = "pithos";
# version = "1.5.1";
# src = pkgs.fetchFromGitHub {
# owner = pname;
# repo = pname;
# rev = version;
# sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
# };
# });
#in
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [
(self: super: { (self: super: {
@ -28,19 +16,6 @@
}) })
]; ];
# nixpkgs.config.packageOverrides = pkgs: {
# pithos = pkgs.pithos.overrideAttrs (old: rec {
# pname = "pithos";
# version = "1.5.1";
# pithosSrc = pkgs.fetchFromGitHub {
# owner = pname;
# repo = pname;
# rev = version;
# sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
# };
# });
# };
users.users.googlebot.packages = with pkgs; [ users.users.googlebot.packages = with pkgs; [
pithos pithos
]; ];


@ -28,86 +28,15 @@
email_display_name = "neet.dev GitLab"; email_display_name = "neet.dev GitLab";
email_reply_to = "gitlab-no-reply@neet.dev"; email_reply_to = "gitlab-no-reply@neet.dev";
}; };
pages = {
enabled = true;
host = "pages.neet.dev";
port = 443;
https = true;
};
}; };
pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ]; pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ];
}; };
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
services.gitlab-runner = {
# enable = true;
enable = false;
services = {
# runner for building in docker via host's nix-daemon
# nix store will be readable in runner, might be insecure
nix = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-env -i ${builtins.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
${pkgs.nix}/bin/nix-channel --update nixpkgs
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = [ "nix" ];
};
# runner for building docker images
docker-images = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "docker:stable";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
tagList = [ "docker-images" ];
};
# runner for everything else
default = {
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "debian:stable";
};
};
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"git.neet.dev" = { "git.neet.dev" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
}; };
"*.pages.neet.dev" = {
forceSSL = true;
useACMEHost = "pages.neet.dev";
locations."/".proxyPass = "http://localhost:8090";
};
}; };
} }
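Review bot: `pagesExtraArgs = [ "-listen-proxy" "127.0.0.1:8090" ];` survives on the new side even though the `pages` block, the `*.pages.neet.dev` nginx vhost and the upstream on port 8090 are all removed in this hunk, leaving a dangling setting for a feature that is now off; drop it in the same change. Removing the runner definitions that mounted `/var/run/docker.sock` and the host nix-daemon socket (which the config itself flagged as "might be insecure") also means the registration token file `/run/secrets/gitlab-runner-registration` is no longer referenced here; if nothing else uses it, revoke the runner registration on the GitLab side rather than just deleting the config. The `ip_forward` sysctl was presumably there for the Docker runners; if Docker stays enabled on this host for other reasons it will manage forwarding itself, otherwise the removal is correct.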


@ -6,7 +6,6 @@ let
notifyEmail = "hydra@neet.dev"; notifyEmail = "hydra@neet.dev";
in in
{ {
# the lounge client
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -17,7 +16,7 @@ in
services.hydra = { services.hydra = {
enable = true; enable = true;
port = 3000; inherit port;
hydraURL = "https://${domain}"; hydraURL = "https://${domain}";
useSubstitutes = true; useSubstitutes = true;
notificationSender = notifyEmail; notificationSender = notifyEmail;
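Review bot: `inherit port;` needs `port` bound in the `let` block, whose first lines (before line 6) are outside this hunk, so presumably it is defined next to `domain` and `notifyEmail`; worth a glance since a missing binding only surfaces at evaluation time. More important, `listenHost` is not set in the visible part of `services.hydra`, and the NixOS hydra module's default is to listen on all interfaces, so port 3000 is reachable directly and only the host firewall (common/server/nginx.nix opens just 80/443) stands in the way. With nginx terminating TLS in front, add `listenHost = "localhost";` so hydra is reachable only through the proxy. The `services.hydra` block continues past the end of the hunk.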

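--- /dev/null
+++ b/common/server/nginx.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+networking.firewall.allowedUDPPorts = [ 80 443 ];
+}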
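Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens UDP ports that nothing in this file listens on: nginx as configured here speaks only TCP (no HTTP/3 or QUIC is enabled), and UDP/80 has no standard use at all, so the line just widens the firewall for no service. Drop it, and reintroduce `allowedUDPPorts = [ 443 ];` only if HTTP/3 is actually turned on later. A short header comment would also help hosts that import this profile, e.g. `# shared nginx baseline: TLS hardening, gzip, proxy headers; hosts add their own virtualHosts`.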


@ -4,8 +4,10 @@
imports =[ imports =[
./hardware-configuration.nix ./hardware-configuration.nix
../common/common.nix ../common/common.nix
../common/luks.nix ../common/boot/bios.nix
../common/boot/luks.nix
# ../common/server/nsd.nix # ../common/server/nsd.nix
../common/server/nginx.nix
../common/server/thelounge.nix ../common/server/thelounge.nix
../common/server/mumble.nix ../common/server/mumble.nix
../common/server/gitlab.nix ../common/server/gitlab.nix
@ -13,43 +15,15 @@
../common/server/hydra.nix ../common/server/hydra.nix
]; ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.hostName = "neetdev"; networking.hostName = "neetdev";
networking.wireless.enable = false; boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
networking.useDHCP = true; # just in case... (todo ensure false doesn't fuck up initrd) networking.wireless.enable = false;
networking.useDHCP = false;
networking.interfaces.eno1.useDHCP = true; networking.interfaces.eno1.useDHCP = true;
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.email = "letsencrypt+5@tar.ninja"; security.acme.email = "letsencrypt+5@tar.ninja";
security.acme.certs = {
"pages.neet.dev" = {
group = "nginx";
domain = "*.pages.neet.dev";
dnsProvider = "digitalocean";
credentialsFile = "/var/lib/secrets/certs.secret";
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
# LUKS
boot.initrd.luks.devices.enc-pv.device = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
system.stateVersion = "20.09";
} }
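Review bot: `networking.useDHCP = false;` replaces `true` together with the old TODO that asked to confirm `false` does not break the initrd, but the commit does not say whether that was checked; record it as `networking.useDHCP = false; # per-interface DHCP below; verified initrd still gets an address` or keep the TODO. Separately, the removed wildcard ACME certificate was the only visible consumer of `credentialsFile = "/var/lib/secrets/certs.secret"`, which holds a DigitalOcean DNS API token; if nothing else references it, delete that file from the host and rotate the token, since an unused long-lived DNS credential on disk is pure liability. The `grub.device = "/dev/sda"` kept here now pairs with `useOSProber = true` from common/boot/bios.nix, which this server probably does not need.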


@ -4,9 +4,8 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../common/common.nix ../common/common.nix
../common/efi.nix ../common/boot/efi.nix
../common/luks.nix ../common/boot/luks.nix
../common/firmware.nix
../common/pc/de.nix ../common/pc/de.nix
../common/pc/touchpad.nix ../common/pc/touchpad.nix
]; ];
@ -21,7 +20,5 @@
networking.interfaces.enp57s0f1.useDHCP = true; networking.interfaces.enp57s0f1.useDHCP = true;
networking.interfaces.wlp0s20f3.useDHCP = true; networking.interfaces.wlp0s20f3.useDHCP = true;
networking.interfaces.wwp0s20f0u2i12.useDHCP = true; networking.interfaces.wwp0s20f0u2i12.useDHCP = true;
system.stateVersion = "20.09";
} }