nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

flake: overhaul presets

Browse source
This commit is contained in:
Guanran Wang 2023-11-04 18:02:11 +08:00
parent 63e6aa1b81
commit e690cf05ec
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
46 changed files with 348 additions and 194 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
darwin/packages/homebrew.nix
View file

@ -24,8 +24,6 @@
"librewolf" "librewolf"
"google-chrome" "google-chrome"
"steam"
"activate" # koekeishiya/formulae "activate" # koekeishiya/formulae
]; ];
taps = [ taps = [

0
darwin/default.nix → darwin/presets/desktop.nix
View file

7
darwin/presets/desktop/gaming.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
homebrew.casks = [
"steam"
];
}

27
flake.nix
View file

@ -168,12 +168,22 @@
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
./nixos/presets/gaming.nix # OS-specific (with presets) ./nixos/presets/desktop.nix # OS preset
./users/guanranwang/nixos/presets/gaming.nix # User-specific (with presets) ./nixos/presets/core/no-bootloader-menu.nix # Addtional, opt-in OS preset(s)
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware-specific ./nixos/presets/desktop/gaming.nix
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific ./nixos/presets/desktop/virtualbox.nix
./nixos/presets/desktop/wayland.nix
./users/guanranwang/nixos/presets/desktop.nix # User preset
./users/guanranwang/nixos/presets/core/clash-meta-client.nix # Addtional, opt-in user preset(s)
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine
{ {
# extra home-manager stuff
home-manager.users.guanranwang = import ./users/guanranwang/home-manager/nixos/presets/desktop/gaming.nix;
networking.hostName = "81FW-NixOS"; # Hostname networking.hostName = "81FW-NixOS"; # Hostname
time.timeZone = "Asia/Shanghai"; # Timezone time.timeZone = "Asia/Shanghai"; # Timezone
} }
@ -188,11 +198,14 @@
system = "x86_64-darwin"; system = "x86_64-darwin";
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
./darwin ./darwin/presets/desktop.nix # OS preset
./users/guanranwang/darwin/presets/desktop.nix ./users/guanranwang/darwin/presets/desktop.nix # User preset
./machines/darwin/imac-2017 ./users/guanranwang/darwin/presets/core/proxy.nix # Addtional user preset(s)
./machines/darwin/imac-2017 # Hardware
{ {
#home-manager.users.guanranwang = import ./users/guanranwang/home-manager/darwin/presets/desktop/gaming.nix;
networking.hostName = "iMac-macOS"; networking.hostName = "iMac-macOS";
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
} }

2
nixos/boot/boot.nix
View file

@ -1,11 +1,9 @@
{ lib, ... }: { lib, ... }:
{ {
# NOTE: secureboot enabled in flake.nix
boot = { boot = {
consoleLogLevel = lib.mkDefault 3; consoleLogLevel = lib.mkDefault 3;
loader = { loader = {
timeout = 0;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot = { systemd-boot = {
enable = lib.mkDefault true; # mkDefault for Lanzaboote enable = lib.mkDefault true; # mkDefault for Lanzaboote

1
nixos/boot/default.nix
View file

@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./boot.nix ./boot.nix
./kernel.nix
./plymouth.nix ./plymouth.nix
./sysctl.nix ./sysctl.nix
]; ];

9
nixos/boot/kernel.nix
View file

@ -1,9 +0,0 @@
{ pkgs, ... }:
{
boot = {
#kernelPackages = pkgs.linuxPackages_latest; # latest linux kernel
kernelPackages = pkgs.linuxPackages_zen; # latest linux-zen kernel
#kernelPackages = pkgs.linuxKernel.Packages.linux_6_1; # linux 6.1 LTS kernel
};
}

7
nixos/networking/default.nix
View file

@ -2,11 +2,8 @@
{ {
imports = [ imports = [
./dns ./dns.nix
./network-manager
./dhcp.nix
./firewall.nix ./firewall.nix
./proxy.nix ./iwd.nix
]; ];
} }

5
nixos/networking/dhcp.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
#networking.useDHCP = false;
}

11
nixos/networking/dns.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
networking.nameservers = [
### Google DNS
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
];
}

8
nixos/networking/dns/default.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./dns.nix
#./systemd-resolved.nix # Returns NXDOMAIN in China Mainland, will investegate...
];
}

16
nixos/networking/dns/dns.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
networking = {
nameservers = [
"223.5.5.5"
"223.6.6.6"
"2400:3200::1"
"2400:3200:baba::1"
#"223.5.5.5#dns.alidns.com"
#"223.6.6.6#dns.alidns.com"
#"2400:3200::1#dns.alidns.com"
#"2400:3200:baba::1#dns.alidns.com"
];
};
}

12
nixos/networking/dns/systemd-resolved.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
networking.networkmanager.dns = "systemd-resolved";
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [ "8.8.8.8#dns.google" "8.8.4.4#dns.google" "2001:4860:4860::8888#dns.google" "2001:4860:4860::8844#dns.google" ];
extraConfig = "DNSOverTLS=yes";
};
}

5
nixos/networking/iwd.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
networking.wireless.iwd.enable = lib.mkDefault true;
}

8
nixos/networking/network-manager/default.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
imports = [
#./networkmanager.nix
./iwd.nix
];
}

8
nixos/networking/network-manager/iwd.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
networking = {
wireless.iwd.enable = true;
networkmanager.wifi.backend = "iwd";
};
}

9
nixos/networking/network-manager/networkmanager.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
networking.networkmanager = {
enable = true;
#ethernet.macAddress = "random";
#wifi.macAddress = "random";
};
}

3
nixos/packages/default.nix
View file

@ -2,8 +2,9 @@
{ {
imports = [ imports = [
./hardware.nix ./hardware.nix # TODO: move this somewhere else?
# TODO: should this be considered user-specific?
./overlays ./overlays
./unfree ./unfree
]; ];

1
nixos/packages/graphical/default.nix
View file

@ -4,7 +4,6 @@
imports = [ imports = [
./display-server ./display-server
#./flatpak.nix
./fonts.nix ./fonts.nix
./gnome-keyring.nix ./gnome-keyring.nix
./graphical.nix ./graphical.nix

1
nixos/packages/graphical/display-server/default.nix
View file

@ -4,6 +4,5 @@
imports = [ imports = [
./display-server.nix ./display-server.nix
./input.nix ./input.nix
./wayland.nix
]; ];
} }

4
nixos/presets/core.nix
View file

@ -59,10 +59,10 @@
# i want to run it manually # i want to run it manually
#beesd.filesystems = { #beesd.filesystems = {
# root = { # root = {
# spec = "UUID=6288ce7a-a153-4302-a4de-5dc71f58da79"; # spec = "UUID=3e10ff73-e1f7-4b39-88f5-7f31dcc8f38c";
# hashTableSizeMB = 2048; # hashTableSizeMB = 2048;
# verbosity = "crit"; # verbosity = "crit";
# extraOptions = [ "--loadavg-target" "5.0" ]; # #extraOptions = [ "--loadavg-target" "5.0" ];
# }; # };
#}; #};
}; };

9
nixos/presets/core/legacy-boot.nix Executable file
View file

@ -0,0 +1,9 @@
{ ... }:
{
boot.loader = {
grub.enable = true;
grub.device = "/dev/vda"; # or "nodev" for efi only
systemd-boot.enable = false;
};
}

10
nixos/presets/core/networkmanager-iwd.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
networking.networkmanager = {
enable = true;
wifi.backend = "iwd";
ethernet.macAddress = "random";
wifi.macAddress = "random";
};
}

12
nixos/presets/core/networkmanager.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
networking = {
networkmanager = {
enable = true;
ethernet.macAddress = "random";
wifi.macAddress = "random";
};
wireless.iwd.enable = false;
};
}

5
nixos/presets/core/no-bootloader-menu.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }:
{
boot.loader.timeout = 0;
}

20
nixos/presets/core/systemd-resolved.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
### systemd-resolved
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
"2001:4860:4860::8888#dns.google"
"2001:4860:4860::8844#dns.google"
];
extraConfig = "DNSOverTLS=yes";
};
### NetworkManager integration
networking.networkmanager.dns = "systemd-resolved";
}

4
nixos/presets/desktop.nix
View file

@ -1,8 +1,10 @@
{ ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./core.nix ./core.nix
../packages/graphical ../packages/graphical
]; ];
boot.kernelPackages = pkgs.linuxPackages_zen;
} }

0
nixos/packages/graphical/flatpak.nix → nixos/presets/desktop/flatpak.nix
View file

3
nixos/presets/gaming.nix → nixos/presets/desktop/gaming.nix
View file

@ -1,9 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [
./desktop.nix
];
programs.gamemode = { programs.gamemode = {
enable = true; enable = true;
settings.custom = { settings.custom = {

5
nixos/presets/desktop/virtualbox.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }:
{
virtualisation.virtualbox.host.enable = true;
}

0
nixos/packages/graphical/display-server/wayland.nix → nixos/presets/desktop/wayland.nix
View file

14
users/guanranwang/darwin/presets/core.nix Normal file
View file

@ -0,0 +1,14 @@
{ pkgs, ... }:
{
users = {
knownUsers = [ "guanranwang" ];
users."guanranwang" = {
createHome = true;
description = "Guanran Wang";
home = "/Users/guanranwang";
shell = pkgs.fish;
uid = 501;
};
};
}

2
darwin/networking/proxy.nix → users/guanranwang/darwin/presets/core/proxy.nix
View file

@ -10,8 +10,6 @@
# #
{ {
#environment.systemPackages = with pkgs; [ clash-meta ];
# do i even need to add it to environment.systemPackages...
launchd.daemons."clash-meta" = { launchd.daemons."clash-meta" = {
command = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta"; command = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
}; };

17
users/guanranwang/darwin/presets/desktop.nix
View file

@ -1,19 +1,10 @@
{ pkgs, ... }: { ... }:
{ {
users = {
knownUsers = [ "guanranwang" ];
users."guanranwang" = {
createHome = true;
description = "Guanran Wang";
home = "/Users/guanranwang";
shell = pkgs.fish;
uid = 501;
};
};
# Flakes
imports = [ imports = [
./core
### Flakes
../../../../flakes/darwin/home-manager.nix ../../../../flakes/darwin/home-manager.nix
]; ];
### home-manager ### home-manager

9
users/guanranwang/darwin/presets/gaming.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./desktop.nix
];
### home-manager
home-manager.users.guanranwang = import ../../home-manager/darwin/presets/gaming.nix; # NOTE: using flakes
}

4
users/guanranwang/home-manager/darwin/presets/gaming.nix → users/guanranwang/home-manager/darwin/presets/desktop/gaming.nix
View file

@ -1,10 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [
./desktop.nix
];
home.packages = with pkgs; [ home.packages = with pkgs; [
prismlauncher prismlauncher
]; ];

4
users/guanranwang/home-manager/nixos/presets/gaming.nix → users/guanranwang/home-manager/nixos/presets/desktop/gaming.nix
View file

@ -1,10 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [
./desktop.nix
];
home.packages = with pkgs; [ home.packages = with pkgs; [
steam steam
#lunar-client #lunar-client

7
users/guanranwang/nixos/networking/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./dns.nix
];
}

11
users/guanranwang/nixos/networking/dns.nix Normal file
View file

@ -0,0 +1,11 @@
{ lib, ... }:
{
networking.nameservers = lib.mkForce [
### AliDNS
"223.5.5.5"
"223.6.6.6"
"2400:3200::1"
"2400:3200:baba::1"
];
}

44
users/guanranwang/nixos/presets/core.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs, config, ... }:
{
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
extraGroups = [
"wheel" # administrator
"networkmanager" # access to networkmanager
"tss" # access to tpm devices
"vboxusers" # access to virtualbox
"nix-access-tokens" # access to github tokens
];
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
packages = [];
};
imports = [
### Overrides (overrides global config)
../networking
### Flakes
../../../../flakes/nixos/sops-nix.nix
../../../../flakes/nixos/hosts.nix
];
### sops-nix
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
users.groups."nix-access-tokens" = {};
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [];
secrets = {
"hashed-passwd".neededForUsers = true; # Hashed user password
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
"nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
};
};
}

32
nixos/networking/proxy.nix → users/guanranwang/nixos/presets/core/clash-meta-client.nix
View file

@ -1,6 +1,21 @@
{ pkgs, config, inputs, ... }: { pkgs, config, inputs, ... }:
let
etcDirectory = "clash-meta";
in
{ {
imports = [
../../../../../flakes/nixos/sops-nix.nix
];
### sops-nix
sops.secrets."clash-config" = {
owner = config.users.users."clash-meta".name;
group = config.users.groups."clash-meta".name;
restartUnits = [ "clash-meta.service" ];
path = "/etc/${etcDirectory}/config.yaml";
};
### System proxy settings ### System proxy settings
networking.proxy.default = "http://127.0.0.1:7890/"; networking.proxy.default = "http://127.0.0.1:7890/";
@ -13,24 +28,27 @@
### Proxy service ### Proxy service
systemd.services."clash-meta" = { systemd.services."clash-meta" = {
wantedBy = [ "multi-user.target" ]; description = "Clash.Meta Client";
after = [ "network-online.target" ]; after = [ "network-online.target" ];
description = "Clash.Meta Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
WorkingDirectory = "/etc/clash-meta"; WorkingDirectory = "/etc/${etcDirectory}";
User = [ config.users.users."clash-meta".name ]; User = [ config.users.users."clash-meta".name ];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta"; Group = [ config.users.groups."clash-meta".name ];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/${etcDirectory}";
Restart = "on-failure"; Restart = "on-failure";
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_NET_RAW"
"CAP_NET_ADMIN" "CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE" "CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
]; ];
AmbientCapabilities = [ AmbientCapabilities = [
"CAP_NET_RAW"
"CAP_NET_ADMIN" "CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE" "CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
]; ];
}; };
}; };
@ -45,5 +63,5 @@
# - https://yacd.haishan.me # - https://yacd.haishan.me
# - clash-dashboard (buggy): # - clash-dashboard (buggy):
# - https://clash.razord.top # - https://clash.razord.top
environment.etc."clash-meta/metacubexd".source = inputs.metacubexd; environment.etc."${etcDirectory}/metacubexd".source = inputs.metacubexd;
} }

59
users/guanranwang/nixos/presets/core/hysteria2-server.nix Normal file
View file

@ -0,0 +1,59 @@
{ pkgs, config, ... }:
let
etcDirectory = "hysteria";
port = 43956;
in
{
imports = [
../../../../../flakes/nixos/sops-nix.nix
];
### Firewall
networking.firewall = {
allowedTCPPorts = [ port 80 443 ];
allowedUDPPorts = [ port 80 443 ];
};
#### sops-nix
sops.secrets."hysteria-config" = {
owner = config.users.users."hysteria".name;
group = config.users.groups."hysteria".name;
restartUnits = [ "hysteria-server.service" ];
path = "/etc/${etcDirectory}/config.yaml";
};
### User running proxy service
users.groups."hysteria" = {};
users.users."hysteria" = {
isSystemUser = true;
group = config.users.groups."hysteria".name;
};
### Proxy service
systemd.services."hysteria-server" = {
description = "Hysteria Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}";
User = [ config.users.users."hysteria".name ];
Group = [ config.users.groups."hysteria".name ];
ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/${etcDirectory}/config.yaml";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
}

59
users/guanranwang/nixos/presets/core/juicity-server.nix Normal file
View file

@ -0,0 +1,59 @@
{ pkgs, config, ... }:
let
etcDirectory = "juicity";
port = "33829";
in
{
imports = [
../../../../../flakes/nixos/sops-nix.nix
];
### Firewall
networking.firewall = {
allowedTCPPorts = [ port ];
allowedUDPPorts = [ port ];
};
#### sops-nix
sops.secrets."juicity-config" = {
owner = config.users.users."juicity".name;
group = config.users.groups."juicity".name;
restartUnits = [ "juicity-server.service" ];
path = "/etc/${etcDirectory}/config.yaml";
};
### User running proxy service
users.groups."juicity" = {};
users.users."juicity" = {
isSystemUser = true;
group = config.users.groups."juicity".name;
};
### Proxy service
systemd.services."juicity-server" = {
description = "Juicity Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}";
User = [ config.users.users."juicity".name ];
Group = [ config.users.groups."juicity".name ];
ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/${etcDirectory}/config.json";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
}

42
users/guanranwang/nixos/presets/desktop.nix
View file

@ -1,46 +1,14 @@
{ pkgs, config, ... }: { ... }:
{ {
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
extraGroups = [ "wheel" "networkmanager" "tss" "nix-access-tokens" ]; # tss = access to tpm devices
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
packages = [];
};
# Flakes
imports = [ imports = [
./core.nix
### Flakes
../../../../flakes/nixos/home-manager.nix ../../../../flakes/nixos/home-manager.nix
../../../../flakes/nixos/sops-nix.nix
../../../../flakes/nixos/hosts.nix
../../../../flakes/nixos/berberman.nix ../../../../flakes/nixos/berberman.nix
]; ];
### home-manager ### home-manager
home-manager.users.guanranwang = import ../../home-manager/nixos/presets/desktop.nix; home-manager.users.guanranwang = import ../../home-manager/nixos/presets/desktop.nix;
### sops-nix
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
users.groups."nix-access-tokens" = {};
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [];
secrets = {
"hashed-passwd".neededForUsers = true; # Hashed user password
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
"nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
"clash-config" = { # Clash.Meta configuration
owner = config.users.users."clash-meta".name;
group = config.users.users."clash-meta".group;
restartUnits = [ "clash-meta.service" ];
path = "/etc/clash-meta/config.yaml";
};
};
};
} }

9
users/guanranwang/nixos/presets/gaming.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./desktop.nix
];
home-manager.users.guanranwang = import ../../home-manager/nixos/presets/gaming.nix;
}

15
users/guanranwang/secrets/secrets.yaml
View file

File diff suppressed because one or more lines are too long