flake: overhaul presets
parent
63e6aa1b81
commit
e690cf05ec
46 changed files with 348 additions and 194 deletions
|
@ -24,8 +24,6 @@
|
|||
"librewolf"
|
||||
"google-chrome"
|
||||
|
||||
"steam"
|
||||
|
||||
"activate" # koekeishiya/formulae
|
||||
];
|
||||
taps = [
|
||||
|
|
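--- /dev/null
+++ b/darwin/presets/desktop/gaming.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+homebrew.casks = [
+"steam"
+];
+}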
27
flake.nix
27
flake.nix
|
@ -168,12 +168,22 @@
|
|||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = [
|
||||
./nixos/presets/gaming.nix # OS-specific (with presets)
|
||||
./users/guanranwang/nixos/presets/gaming.nix # User-specific (with presets)
|
||||
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware-specific
|
||||
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific
|
||||
./nixos/presets/desktop.nix # OS preset
|
||||
./nixos/presets/core/no-bootloader-menu.nix # Addtional, opt-in OS preset(s)
|
||||
./nixos/presets/desktop/gaming.nix
|
||||
./nixos/presets/desktop/virtualbox.nix
|
||||
./nixos/presets/desktop/wayland.nix
|
||||
|
||||
./users/guanranwang/nixos/presets/desktop.nix # User preset
|
||||
./users/guanranwang/nixos/presets/core/clash-meta-client.nix # Addtional, opt-in user preset(s)
|
||||
|
||||
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware
|
||||
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine
|
||||
|
||||
{
|
||||
# extra home-manager stuff
|
||||
home-manager.users.guanranwang = import ./users/guanranwang/home-manager/nixos/presets/desktop/gaming.nix;
|
||||
|
||||
networking.hostName = "81FW-NixOS"; # Hostname
|
||||
time.timeZone = "Asia/Shanghai"; # Timezone
|
||||
}
|
||||
|
@ -188,11 +198,14 @@
|
|||
system = "x86_64-darwin";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = [
|
||||
./darwin
|
||||
./users/guanranwang/darwin/presets/desktop.nix
|
||||
./machines/darwin/imac-2017
|
||||
./darwin/presets/desktop.nix # OS preset
|
||||
./users/guanranwang/darwin/presets/desktop.nix # User preset
|
||||
./users/guanranwang/darwin/presets/core/proxy.nix # Addtional user preset(s)
|
||||
./machines/darwin/imac-2017 # Hardware
|
||||
|
||||
{
|
||||
#home-manager.users.guanranwang = import ./users/guanranwang/home-manager/darwin/presets/desktop/gaming.nix;
|
||||
|
||||
networking.hostName = "iMac-macOS";
|
||||
time.timeZone = "Asia/Shanghai";
|
||||
}
|
||||
|
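Review bot: The comments on the opt-in preset lines misspell "Additional" as "Addtional" (`./nixos/presets/core/no-bootloader-menu.nix # Addtional, opt-in OS preset(s)`, again on the clash-meta-client line, and on the proxy.nix line in the darwin block); since these comments are the only documentation of the OS/user/hardware/machine layering, they are worth fixing while the structure is fresh. The darwin block also keeps a commented-out `#home-manager.users.guanranwang = import ./users/guanranwang/home-manager/darwin/presets/desktop/gaming.nix;` line; if the darwin gaming preset is not meant to be wired in, drop the line rather than leave dead config in the host definition. The surrounding host definitions continue outside the hunks shown.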
|
|
@ -1,11 +1,9 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
# NOTE: secureboot enabled in flake.nix
|
||||
boot = {
|
||||
consoleLogLevel = lib.mkDefault 3;
|
||||
loader = {
|
||||
timeout = 0;
|
||||
efi.canTouchEfiVariables = true;
|
||||
systemd-boot = {
|
||||
enable = lib.mkDefault true; # mkDefault for Lanzaboote
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
{
|
||||
imports = [
|
||||
./boot.nix
|
||||
./kernel.nix
|
||||
./plymouth.nix
|
||||
./sysctl.nix
|
||||
];
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
boot = {
|
||||
#kernelPackages = pkgs.linuxPackages_latest; # latest linux kernel
|
||||
kernelPackages = pkgs.linuxPackages_zen; # latest linux-zen kernel
|
||||
#kernelPackages = pkgs.linuxKernel.Packages.linux_6_1; # linux 6.1 LTS kernel
|
||||
};
|
||||
}
|
|
@ -2,11 +2,8 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
./dns
|
||||
./network-manager
|
||||
|
||||
./dhcp.nix
|
||||
./dns.nix
|
||||
./firewall.nix
|
||||
./proxy.nix
|
||||
./iwd.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
#networking.useDHCP = false;
|
||||
}
|
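--- /dev/null
+++ b/nixos/networking/dns.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+networking.nameservers = [
+### Google DNS
+"8.8.8.8"
+"8.8.4.4"
+"2001:4860:4860::8888"
+"2001:4860:4860::8844"
+];
+}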
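Review bot: The resolvers are given as bare addresses (`"8.8.8.8"`, …), so when this module is combined with nixos/presets/core/systemd-resolved.nix, whose `DNSOverTLS=yes` is strict mode, resolved has no server name to verify the TLS certificate against for these upstreams; the `#dns.google` form that preset already uses for `fallbackDns` provides it, e.g. `"8.8.8.8#dns.google"`. The same applies to the AliDNS override in users/guanranwang/nixos/networking/dns.nix, where the `#dns.alidns.com` suffixes that the removed nixos/networking/dns/dns.nix carried as comments would be the equivalent. With resolved enabled, `fallbackDns` is only consulted when no other server is configured, so the entries here are the ones actually used and the ones worth naming.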
|
@ -1,8 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./dns.nix
|
||||
#./systemd-resolved.nix # Returns NXDOMAIN in China Mainland, will investegate...
|
||||
];
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
networking = {
|
||||
nameservers = [
|
||||
"223.5.5.5"
|
||||
"223.6.6.6"
|
||||
"2400:3200::1"
|
||||
"2400:3200:baba::1"
|
||||
#"223.5.5.5#dns.alidns.com"
|
||||
#"223.6.6.6#dns.alidns.com"
|
||||
#"2400:3200::1#dns.alidns.com"
|
||||
#"2400:3200:baba::1#dns.alidns.com"
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
networking.networkmanager.dns = "systemd-resolved";
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
dnssec = "true";
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ "8.8.8.8#dns.google" "8.8.4.4#dns.google" "2001:4860:4860::8888#dns.google" "2001:4860:4860::8844#dns.google" ];
|
||||
extraConfig = "DNSOverTLS=yes";
|
||||
};
|
||||
}
|
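--- /dev/null
+++ b/nixos/networking/iwd.nix
@@ -0,0 +1,5 @@
+{ lib, ... }:
+
+{
+networking.wireless.iwd.enable = lib.mkDefault true;
+}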
|
@ -1,8 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
#./networkmanager.nix
|
||||
./iwd.nix
|
||||
];
|
||||
}
|
|
@ -1,8 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
networking = {
|
||||
wireless.iwd.enable = true;
|
||||
networkmanager.wifi.backend = "iwd";
|
||||
};
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
networking.networkmanager = {
|
||||
enable = true;
|
||||
#ethernet.macAddress = "random";
|
||||
#wifi.macAddress = "random";
|
||||
};
|
||||
}
|
|
@ -2,8 +2,9 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
./hardware.nix
|
||||
./hardware.nix # TODO: move this somewhere else?
|
||||
|
||||
# TODO: should this be considered user-specific?
|
||||
./overlays
|
||||
./unfree
|
||||
];
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
imports = [
|
||||
./display-server
|
||||
|
||||
#./flatpak.nix
|
||||
./fonts.nix
|
||||
./gnome-keyring.nix
|
||||
./graphical.nix
|
||||
|
|
|
@ -4,6 +4,5 @@
|
|||
imports = [
|
||||
./display-server.nix
|
||||
./input.nix
|
||||
./wayland.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -59,10 +59,10 @@
|
|||
# i want to run it manually
|
||||
#beesd.filesystems = {
|
||||
# root = {
|
||||
# spec = "UUID=6288ce7a-a153-4302-a4de-5dc71f58da79";
|
||||
# spec = "UUID=3e10ff73-e1f7-4b39-88f5-7f31dcc8f38c";
|
||||
# hashTableSizeMB = 2048;
|
||||
# verbosity = "crit";
|
||||
# extraOptions = [ "--loadavg-target" "5.0" ];
|
||||
# #extraOptions = [ "--loadavg-target" "5.0" ];
|
||||
# };
|
||||
#};
|
||||
};
|
||||
|
|
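--- /dev/null
+++ b/nixos/presets/core/legacy-boot.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+boot.loader = {
+grub.enable = true;
+grub.device = "/dev/vda"; # or "nodev" for efi only
+systemd-boot.enable = false;
+};
+}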
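Review bot: `grub.device = "/dev/vda";` is hard-coded in a shared core preset, and as a plain assignment a hardware module cannot pick a different device without `lib.mkForce`; take `lib` in the argument set (`{ lib, ... }:`) and write `grub.device = lib.mkDefault "/dev/vda"; # or "nodev" for efi only` so machine configs can override it the same way boot.nix already does for `systemd-boot.enable`. The file is also committed as `Executable file`; a Nix module does not need the executable bit and every other preset in this commit is a `Normal file`, so it should be cleared.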
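--- /dev/null
+++ b/nixos/presets/core/networkmanager-iwd.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+networking.networkmanager = {
+enable = true;
+wifi.backend = "iwd";
+ethernet.macAddress = "random";
+wifi.macAddress = "random";
+};
+}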
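Review bot: This module selects `wifi.backend = "iwd";` but never enables iwd itself; it presumably only works because nixos/networking/iwd.nix sets `networking.wireless.iwd.enable = lib.mkDefault true`, whereas the sibling networkmanager.nix is explicit about turning iwd off. Add `networking.wireless.iwd.enable = true;` here so the preset is self-contained and survives a later change to the networking defaults. The `enable` and MAC-randomisation lines are otherwise a copy of networkmanager.nix; a header comment such as `# NetworkManager with the iwd Wi-Fi backend; see networkmanager.nix for the wpa_supplicant variant` would make the relationship explicit.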
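--- /dev/null
+++ b/nixos/presets/core/networkmanager.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+networking = {
+networkmanager = {
+enable = true;
+ethernet.macAddress = "random";
+wifi.macAddress = "random";
+};
+wireless.iwd.enable = false;
+};
+}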
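--- /dev/null
+++ b/nixos/presets/core/no-bootloader-menu.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+boot.loader.timeout = 0;
+}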
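--- /dev/null
+++ b/nixos/presets/core/systemd-resolved.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+### systemd-resolved
+services.resolved = {
+enable = true;
+dnssec = "true";
+domains = [ "~." ];
+fallbackDns = [
+"8.8.8.8#dns.google"
+"8.8.4.4#dns.google"
+"2001:4860:4860::8888#dns.google"
+"2001:4860:4860::8844#dns.google"
+];
+extraConfig = "DNSOverTLS=yes";
+};
+
+### NetworkManager integration
+networking.networkmanager.dns = "systemd-resolved";
+}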
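Review bot: `extraConfig = "DNSOverTLS=yes";` bypasses the module's option handling; if the pinned nixpkgs is recent enough to carry `services.resolved.dnsovertls`, `dnsovertls = "true";` is the first-class form and keeps `extraConfig` for settings that have no option. The resulting policy also deserves a line of documentation, because `dnssec = "true"` together with `DNSOverTLS=yes` means lookups fail closed on any path that cannot validate — e.g. `# Strict DoT + DNSSEC: resolution fails rather than downgrading; see the NXDOMAIN note that was in nixos/networking/dns/default.nix`. `fallbackDns` only applies when no `networking.nameservers` are configured, which nixos/networking/dns.nix does, so a comment noting that it is a last resort rather than the active server list would also help.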
|
@ -1,8 +1,10 @@
|
|||
{ ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./core.nix
|
||||
../packages/graphical
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_zen;
|
||||
}
|
|
@ -1,9 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./desktop.nix
|
||||
];
|
||||
programs.gamemode = {
|
||||
enable = true;
|
||||
settings.custom = {
|
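--- /dev/null
+++ b/nixos/presets/desktop/virtualbox.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+virtualisation.virtualbox.host.enable = true;
+}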
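--- /dev/null
+++ b/users/guanranwang/darwin/presets/core.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+users = {
+knownUsers = [ "guanranwang" ];
+users."guanranwang" = {
+createHome = true;
+description = "Guanran Wang";
+home = "/Users/guanranwang";
+shell = pkgs.fish;
+uid = 501;
+};
+};
+}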
|
@ -10,8 +10,6 @@
|
|||
#
|
||||
|
||||
{
|
||||
#environment.systemPackages = with pkgs; [ clash-meta ];
|
||||
# do i even need to add it to environment.systemPackages...
|
||||
launchd.daemons."clash-meta" = {
|
||||
command = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
|
||||
};
|
|
@ -1,19 +1,10 @@
|
|||
{ pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
users = {
|
||||
knownUsers = [ "guanranwang" ];
|
||||
users."guanranwang" = {
|
||||
createHome = true;
|
||||
description = "Guanran Wang";
|
||||
home = "/Users/guanranwang";
|
||||
shell = pkgs.fish;
|
||||
uid = 501;
|
||||
};
|
||||
};
|
||||
|
||||
# Flakes
|
||||
imports = [
|
||||
./core
|
||||
|
||||
### Flakes
|
||||
../../../../flakes/darwin/home-manager.nix
|
||||
];
|
||||
### home-manager
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./desktop.nix
|
||||
];
|
||||
### home-manager
|
||||
home-manager.users.guanranwang = import ../../home-manager/darwin/presets/gaming.nix; # NOTE: using flakes
|
||||
}
|
|
@ -1,10 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./desktop.nix
|
||||
];
|
||||
|
||||
home.packages = with pkgs; [
|
||||
prismlauncher
|
||||
];
|
|
@ -1,10 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./desktop.nix
|
||||
];
|
||||
|
||||
home.packages = with pkgs; [
|
||||
steam
|
||||
#lunar-client
|
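--- /dev/null
+++ b/users/guanranwang/nixos/networking/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+imports = [
+./dns.nix
+];
+}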
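--- /dev/null
+++ b/users/guanranwang/nixos/networking/dns.nix
@@ -0,0 +1,11 @@
+{ lib, ... }:
+
+{
+networking.nameservers = lib.mkForce [
+### AliDNS
+"223.5.5.5"
+"223.6.6.6"
+"2400:3200::1"
+"2400:3200:baba::1"
+];
+}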
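--- /dev/null
+++ b/users/guanranwang/nixos/presets/core.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, ... }:
+
+{
+users.users."guanranwang" = {
+isNormalUser = true;
+description = "Guanran Wang";
+extraGroups = [
+"wheel" # administrator
+"networkmanager" # access to networkmanager
+"tss" # access to tpm devices
+"vboxusers" # access to virtualbox
+"nix-access-tokens" # access to github tokens
+];
+hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
+shell = pkgs.fish;
+packages = [];
+};
+
+
+
+imports = [
+### Overrides (overrides global config)
+../networking
+### Flakes
+../../../../flakes/nixos/sops-nix.nix
+../../../../flakes/nixos/hosts.nix
+];
+### sops-nix
+nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
+users.groups."nix-access-tokens" = {};
+sops = {
+defaultSopsFile = ../../secrets/secrets.yaml;
+age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
+gnupg.sshKeyPaths = [];
+secrets = {
+"hashed-passwd".neededForUsers = true; # Hashed user password
+"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
+"nix-access-tokens" = {
+group = config.users.groups."nix-access-tokens".name;
+mode = "0440";
+};
+};
+};
+}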
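Review bot: `extraGroups` grants `vboxusers` and `networkmanager` membership unconditionally, although VirtualBox and NetworkManager are opt-in presets in this same commit (nixos/presets/desktop/virtualbox.nix, nixos/presets/core/networkmanager.nix); on a host that does not import the preset the group presumably does not exist, and on one that does, the access is granted by the core user module rather than by the decision to enable the service. Least privilege suggests moving each membership next to the module that creates the group, e.g. `users.users."guanranwang".extraGroups = [ "vboxusers" ];` in virtualbox.nix, and keeping only `wheel`, `tss` and `nix-access-tokens` here. The three blank lines before `imports` look like an artefact of the move and could go.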
|
@ -1,6 +1,21 @@
|
|||
{ pkgs, config, inputs, ... }:
|
||||
|
||||
let
|
||||
etcDirectory = "clash-meta";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../../../../../flakes/nixos/sops-nix.nix
|
||||
];
|
||||
|
||||
### sops-nix
|
||||
sops.secrets."clash-config" = {
|
||||
owner = config.users.users."clash-meta".name;
|
||||
group = config.users.groups."clash-meta".name;
|
||||
restartUnits = [ "clash-meta.service" ];
|
||||
path = "/etc/${etcDirectory}/config.yaml";
|
||||
};
|
||||
|
||||
### System proxy settings
|
||||
networking.proxy.default = "http://127.0.0.1:7890/";
|
||||
|
||||
|
@ -13,24 +28,27 @@
|
|||
|
||||
### Proxy service
|
||||
systemd.services."clash-meta" = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
description = "Clash.Meta Client";
|
||||
after = [ "network-online.target" ];
|
||||
description = "Clash.Meta Daemon";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
WorkingDirectory = "/etc/clash-meta";
|
||||
WorkingDirectory = "/etc/${etcDirectory}";
|
||||
User = [ config.users.users."clash-meta".name ];
|
||||
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
|
||||
Group = [ config.users.groups."clash-meta".name ];
|
||||
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/${etcDirectory}";
|
||||
Restart = "on-failure";
|
||||
CapabilityBoundingSet = [
|
||||
"CAP_NET_RAW"
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
"CAP_NET_RAW"
|
||||
];
|
||||
AmbientCapabilities = [
|
||||
"CAP_NET_RAW"
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_BIND_SERVICE"
|
||||
"CAP_NET_RAW"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
@ -45,5 +63,5 @@
|
|||
# - https://yacd.haishan.me
|
||||
# - clash-dashboard (buggy):
|
||||
# - https://clash.razord.top
|
||||
environment.etc."clash-meta/metacubexd".source = inputs.metacubexd;
|
||||
environment.etc."${etcDirectory}/metacubexd".source = inputs.metacubexd;
|
||||
}
|
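Review bot: `after = [ "network-online.target" ];` in the clash-meta unit only orders the unit; it does not pull network-online.target in, so without a matching `wants = [ "network-online.target" ];` the service can still start before the network is up, which is presumably what the ordering was added to avoid. `User` and `Group` are written as singleton lists (`User = [ config.users.users."clash-meta".name ];`); plain strings read more naturally and match the systemd keys they render to. The unit also runs with no sandboxing — no `NoNewPrivileges`, `ProtectSystem`, `ProtectHome` or `PrivateTmp` — for a long-running network daemon that holds ambient capabilities; adding `NoNewPrivileges = true; ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` (checking the secret path under /etc stays readable) would be the cheap hardening, and the same applies verbatim to the new hysteria2-server.nix and juicity-server.nix units. The `clash-meta` user referenced by `owner` and `User` is not defined in the hunks shown.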
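--- /dev/null
+++ b/users/guanranwang/nixos/presets/core/hysteria2-server.nix
@@ -0,0 +1,59 @@
+{ pkgs, config, ... }:
+
+let
+etcDirectory = "hysteria";
+port = 43956;
+in
+{
+imports = [
+../../../../../flakes/nixos/sops-nix.nix
+];
+
+### Firewall
+networking.firewall = {
+allowedTCPPorts = [ port 80 443 ];
+allowedUDPPorts = [ port 80 443 ];
+};
+
+#### sops-nix
+sops.secrets."hysteria-config" = {
+owner = config.users.users."hysteria".name;
+group = config.users.groups."hysteria".name;
+restartUnits = [ "hysteria-server.service" ];
+path = "/etc/${etcDirectory}/config.yaml";
+};
+
+### User running proxy service
+users.groups."hysteria" = {};
+users.users."hysteria" = {
+isSystemUser = true;
+group = config.users.groups."hysteria".name;
+};
+
+### Proxy service
+systemd.services."hysteria-server" = {
+description = "Hysteria Server";
+after = [ "network.target" ];
+
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Type = "simple";
+WorkingDirectory = "/etc/${etcDirectory}";
+User = [ config.users.users."hysteria".name ];
+Group = [ config.users.groups."hysteria".name ];
+ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/${etcDirectory}/config.yaml";
+Restart = "on-failure";
+CapabilityBoundingSet = [
+"CAP_NET_ADMIN"
+"CAP_NET_BIND_SERVICE"
+"CAP_NET_RAW"
+];
+AmbientCapabilities = [
+"CAP_NET_ADMIN"
+"CAP_NET_BIND_SERVICE"
+"CAP_NET_RAW"
+];
+};
+};
+}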
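Review bot: The firewall block opens TCP and UDP 80 and 443 in addition to the service port (`allowedTCPPorts = [ port 80 443 ];`), and the unit carries CAP_NET_ADMIN and CAP_NET_RAW in both capability lists; a server that only listens on `port` presumably needs neither capability, and CAP_NET_BIND_SERVICE together with the 80/443 rules only if it also binds those ports (ACME or masquerading). Trim both lists to what the config actually uses, and record the reason for whatever stays, e.g. `# 80/443 + CAP_NET_BIND_SERVICE: TODO confirm needed (ACME / masquerade), else drop`. The same capability set is copied unchanged into juicity-server.nix, so the same question applies there.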
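--- /dev/null
+++ b/users/guanranwang/nixos/presets/core/juicity-server.nix
@@ -0,0 +1,59 @@
+{ pkgs, config, ... }:
+
+let
+etcDirectory = "juicity";
+port = "33829";
+in
+{
+imports = [
+../../../../../flakes/nixos/sops-nix.nix
+];
+
+### Firewall
+networking.firewall = {
+allowedTCPPorts = [ port ];
+allowedUDPPorts = [ port ];
+};
+
+#### sops-nix
+sops.secrets."juicity-config" = {
+owner = config.users.users."juicity".name;
+group = config.users.groups."juicity".name;
+restartUnits = [ "juicity-server.service" ];
+path = "/etc/${etcDirectory}/config.yaml";
+};
+
+### User running proxy service
+users.groups."juicity" = {};
+users.users."juicity" = {
+isSystemUser = true;
+group = config.users.groups."juicity".name;
+};
+
+### Proxy service
+systemd.services."juicity-server" = {
+description = "Juicity Server";
+after = [ "network.target" ];
+
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Type = "simple";
+WorkingDirectory = "/etc/${etcDirectory}";
+User = [ config.users.users."juicity".name ];
+Group = [ config.users.groups."juicity".name ];
+ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/${etcDirectory}/config.json";
+Restart = "on-failure";
+CapabilityBoundingSet = [
+"CAP_NET_ADMIN"
+"CAP_NET_BIND_SERVICE"
+"CAP_NET_RAW"
+];
+AmbientCapabilities = [
+"CAP_NET_ADMIN"
+"CAP_NET_BIND_SERVICE"
+"CAP_NET_RAW"
+];
+};
+};
+}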
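Review bot: `port = "33829";` is a string, but `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` take integers, so `allowedTCPPorts = [ port ];` will fail the option type check at evaluation time — the sibling hysteria2-server.nix correctly uses `port = 43956;`; change the binding to `port = 33829;`. Separately, the sops secret is installed at `path = "/etc/${etcDirectory}/config.yaml";` while `ExecStart` runs `juicity-server run -c /etc/${etcDirectory}/config.json`, so the daemon reads a path nothing creates; make the two agree (the daemon is invoked with a `.json` name, so presumably the secret path is the one to change). A one-line comment on `port` such as `# must stay an integer: used in the firewall lists below` would stop the next copy from drifting the same way.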
|
@ -1,46 +1,14 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
users.users."guanranwang" = {
|
||||
isNormalUser = true;
|
||||
description = "Guanran Wang";
|
||||
extraGroups = [ "wheel" "networkmanager" "tss" "nix-access-tokens" ]; # tss = access to tpm devices
|
||||
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
|
||||
shell = pkgs.fish;
|
||||
packages = [];
|
||||
};
|
||||
|
||||
|
||||
|
||||
# Flakes
|
||||
imports = [
|
||||
./core.nix
|
||||
|
||||
### Flakes
|
||||
../../../../flakes/nixos/home-manager.nix
|
||||
../../../../flakes/nixos/sops-nix.nix
|
||||
../../../../flakes/nixos/hosts.nix
|
||||
../../../../flakes/nixos/berberman.nix
|
||||
];
|
||||
|
||||
### home-manager
|
||||
home-manager.users.guanranwang = import ../../home-manager/nixos/presets/desktop.nix;
|
||||
### sops-nix
|
||||
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
|
||||
users.groups."nix-access-tokens" = {};
|
||||
sops = {
|
||||
defaultSopsFile = ../../secrets/secrets.yaml;
|
||||
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
|
||||
gnupg.sshKeyPaths = [];
|
||||
secrets = {
|
||||
"hashed-passwd".neededForUsers = true; # Hashed user password
|
||||
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
|
||||
"nix-access-tokens" = {
|
||||
group = config.users.groups."nix-access-tokens".name;
|
||||
mode = "0440";
|
||||
};
|
||||
"clash-config" = { # Clash.Meta configuration
|
||||
owner = config.users.users."clash-meta".name;
|
||||
group = config.users.users."clash-meta".group;
|
||||
restartUnits = [ "clash-meta.service" ];
|
||||
path = "/etc/clash-meta/config.yaml";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./desktop.nix
|
||||
];
|
||||
|
||||
home-manager.users.guanranwang = import ../../home-manager/nixos/presets/gaming.nix;
|
||||
}
|