flake: overhaul presets

This commit is contained in:
Guanran Wang 2023-11-04 18:02:11 +08:00
parent 63e6aa1b81
commit e690cf05ec
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
46 changed files with 348 additions and 194 deletions

View file

@ -24,8 +24,6 @@
"librewolf"
"google-chrome"
"steam"
"activate" # koekeishiya/formulae
];
taps = [

View file

@ -0,0 +1,7 @@
{ ... }:
{
homebrew.casks = [
"steam"
];
}

View file

@ -168,12 +168,22 @@
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./nixos/presets/gaming.nix # OS-specific (with presets)
./users/guanranwang/nixos/presets/gaming.nix # User-specific (with presets)
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware-specific
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine-specific
./nixos/presets/desktop.nix # OS preset
./nixos/presets/core/no-bootloader-menu.nix # Addtional, opt-in OS preset(s)
./nixos/presets/desktop/gaming.nix
./nixos/presets/desktop/virtualbox.nix
./nixos/presets/desktop/wayland.nix
./users/guanranwang/nixos/presets/desktop.nix # User preset
./users/guanranwang/nixos/presets/core/clash-meta-client.nix # Addtional, opt-in user preset(s)
./machines/nixos/81fw-lenovo-legion-y7000 # Hardware
./machines/nixos/81fw-lenovo-legion-y7000/machine-1 # Machine
{
# extra home-manager stuff
home-manager.users.guanranwang = import ./users/guanranwang/home-manager/nixos/presets/desktop/gaming.nix;
networking.hostName = "81FW-NixOS"; # Hostname
time.timeZone = "Asia/Shanghai"; # Timezone
}
@ -188,11 +198,14 @@
system = "x86_64-darwin";
specialArgs = { inherit inputs; };
modules = [
./darwin
./users/guanranwang/darwin/presets/desktop.nix
./machines/darwin/imac-2017
./darwin/presets/desktop.nix # OS preset
./users/guanranwang/darwin/presets/desktop.nix # User preset
./users/guanranwang/darwin/presets/core/proxy.nix # Addtional user preset(s)
./machines/darwin/imac-2017 # Hardware
{
#home-manager.users.guanranwang = import ./users/guanranwang/home-manager/darwin/presets/desktop/gaming.nix;
networking.hostName = "iMac-macOS";
time.timeZone = "Asia/Shanghai";
}

View file

@ -1,11 +1,9 @@
{ lib, ... }:
{
# NOTE: secureboot enabled in flake.nix
boot = {
consoleLogLevel = lib.mkDefault 3;
loader = {
timeout = 0;
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = lib.mkDefault true; # mkDefault for Lanzaboote

View file

@ -3,7 +3,6 @@
{
imports = [
./boot.nix
./kernel.nix
./plymouth.nix
./sysctl.nix
];

View file

@ -1,9 +0,0 @@
{ pkgs, ... }:
{
boot = {
#kernelPackages = pkgs.linuxPackages_latest; # latest linux kernel
kernelPackages = pkgs.linuxPackages_zen; # latest linux-zen kernel
#kernelPackages = pkgs.linuxKernel.Packages.linux_6_1; # linux 6.1 LTS kernel
};
}

View file

@ -2,11 +2,8 @@
{
imports = [
./dns
./network-manager
./dhcp.nix
./dns.nix
./firewall.nix
./proxy.nix
./iwd.nix
];
}

View file

@ -1,5 +0,0 @@
{ ... }:
{
#networking.useDHCP = false;
}

11
nixos/networking/dns.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
networking.nameservers = [
### Google DNS
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
];
}

View file

@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./dns.nix
#./systemd-resolved.nix # Returns NXDOMAIN in China Mainland, will investegate...
];
}

View file

@ -1,16 +0,0 @@
{ ... }:
{
networking = {
nameservers = [
"223.5.5.5"
"223.6.6.6"
"2400:3200::1"
"2400:3200:baba::1"
#"223.5.5.5#dns.alidns.com"
#"223.6.6.6#dns.alidns.com"
#"2400:3200::1#dns.alidns.com"
#"2400:3200:baba::1#dns.alidns.com"
];
};
}

View file

@ -1,12 +0,0 @@
{ ... }:
{
networking.networkmanager.dns = "systemd-resolved";
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [ "8.8.8.8#dns.google" "8.8.4.4#dns.google" "2001:4860:4860::8888#dns.google" "2001:4860:4860::8844#dns.google" ];
extraConfig = "DNSOverTLS=yes";
};
}

5
nixos/networking/iwd.nix Normal file
View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
networking.wireless.iwd.enable = lib.mkDefault true;
}

View file

@ -1,8 +0,0 @@
{ ... }:
{
imports = [
#./networkmanager.nix
./iwd.nix
];
}

View file

@ -1,8 +0,0 @@
{ ... }:
{
networking = {
wireless.iwd.enable = true;
networkmanager.wifi.backend = "iwd";
};
}

View file

@ -1,9 +0,0 @@
{ ... }:
{
networking.networkmanager = {
enable = true;
#ethernet.macAddress = "random";
#wifi.macAddress = "random";
};
}

View file

@ -2,8 +2,9 @@
{
imports = [
./hardware.nix
./hardware.nix # TODO: move this somewhere else?
# TODO: should this be considered user-specific?
./overlays
./unfree
];

View file

@ -4,7 +4,6 @@
imports = [
./display-server
#./flatpak.nix
./fonts.nix
./gnome-keyring.nix
./graphical.nix

View file

@ -4,6 +4,5 @@
imports = [
./display-server.nix
./input.nix
./wayland.nix
];
}

View file

@ -59,10 +59,10 @@
# i want to run it manually
#beesd.filesystems = {
# root = {
# spec = "UUID=6288ce7a-a153-4302-a4de-5dc71f58da79";
# spec = "UUID=3e10ff73-e1f7-4b39-88f5-7f31dcc8f38c";
# hashTableSizeMB = 2048;
# verbosity = "crit";
# extraOptions = [ "--loadavg-target" "5.0" ];
# #extraOptions = [ "--loadavg-target" "5.0" ];
# };
#};
};

View file

@ -0,0 +1,9 @@
{ ... }:
{
boot.loader = {
grub.enable = true;
grub.device = "/dev/vda"; # or "nodev" for efi only
systemd-boot.enable = false;
};
}

View file

@ -0,0 +1,10 @@
{ ... }:
{
networking.networkmanager = {
enable = true;
wifi.backend = "iwd";
ethernet.macAddress = "random";
wifi.macAddress = "random";
};
}

View file

@ -0,0 +1,12 @@
{ ... }:
{
networking = {
networkmanager = {
enable = true;
ethernet.macAddress = "random";
wifi.macAddress = "random";
};
wireless.iwd.enable = false;
};
}

View file

@ -0,0 +1,5 @@
{ ... }:
{
boot.loader.timeout = 0;
}

View file

@ -0,0 +1,20 @@
{ ... }:
{
### systemd-resolved
services.resolved = {
enable = true;
dnssec = "true";
domains = [ "~." ];
fallbackDns = [
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
"2001:4860:4860::8888#dns.google"
"2001:4860:4860::8844#dns.google"
];
extraConfig = "DNSOverTLS=yes";
};
### NetworkManager integration
networking.networkmanager.dns = "systemd-resolved";
}

View file

@ -1,8 +1,10 @@
{ ... }:
{ pkgs, ... }:
{
imports = [
./core.nix
../packages/graphical
];
boot.kernelPackages = pkgs.linuxPackages_zen;
}

View file

@ -1,9 +1,6 @@
{ pkgs, ... }:
{
imports = [
./desktop.nix
];
programs.gamemode = {
enable = true;
settings.custom = {

View file

@ -0,0 +1,5 @@
{ ... }:
{
virtualisation.virtualbox.host.enable = true;
}

View file

@ -0,0 +1,14 @@
{ pkgs, ... }:
{
users = {
knownUsers = [ "guanranwang" ];
users."guanranwang" = {
createHome = true;
description = "Guanran Wang";
home = "/Users/guanranwang";
shell = pkgs.fish;
uid = 501;
};
};
}

View file

@ -10,8 +10,6 @@
#
{
#environment.systemPackages = with pkgs; [ clash-meta ];
# do i even need to add it to environment.systemPackages...
launchd.daemons."clash-meta" = {
command = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
};

View file

@ -1,19 +1,10 @@
{ pkgs, ... }:
{ ... }:
{
users = {
knownUsers = [ "guanranwang" ];
users."guanranwang" = {
createHome = true;
description = "Guanran Wang";
home = "/Users/guanranwang";
shell = pkgs.fish;
uid = 501;
};
};
# Flakes
imports = [
./core
### Flakes
../../../../flakes/darwin/home-manager.nix
];
### home-manager

View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./desktop.nix
];
### home-manager
home-manager.users.guanranwang = import ../../home-manager/darwin/presets/gaming.nix; # NOTE: using flakes
}

View file

@ -1,10 +1,6 @@
{ pkgs, ... }:
{
imports = [
./desktop.nix
];
home.packages = with pkgs; [
prismlauncher
];

View file

@ -1,10 +1,6 @@
{ pkgs, ... }:
{
imports = [
./desktop.nix
];
home.packages = with pkgs; [
steam
#lunar-client

View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./dns.nix
];
}

View file

@ -0,0 +1,11 @@
{ lib, ... }:
{
networking.nameservers = lib.mkForce [
### AliDNS
"223.5.5.5"
"223.6.6.6"
"2400:3200::1"
"2400:3200:baba::1"
];
}

View file

@ -0,0 +1,44 @@
{ pkgs, config, ... }:
{
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
extraGroups = [
"wheel" # administrator
"networkmanager" # access to networkmanager
"tss" # access to tpm devices
"vboxusers" # access to virtualbox
"nix-access-tokens" # access to github tokens
];
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
packages = [];
};
imports = [
### Overrides (overrides global config)
../networking
### Flakes
../../../../flakes/nixos/sops-nix.nix
../../../../flakes/nixos/hosts.nix
];
### sops-nix
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
users.groups."nix-access-tokens" = {};
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [];
secrets = {
"hashed-passwd".neededForUsers = true; # Hashed user password
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
"nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
};
};
}

View file

@ -1,6 +1,21 @@
{ pkgs, config, inputs, ... }:
let
etcDirectory = "clash-meta";
in
{
imports = [
../../../../../flakes/nixos/sops-nix.nix
];
### sops-nix
sops.secrets."clash-config" = {
owner = config.users.users."clash-meta".name;
group = config.users.groups."clash-meta".name;
restartUnits = [ "clash-meta.service" ];
path = "/etc/${etcDirectory}/config.yaml";
};
### System proxy settings
networking.proxy.default = "http://127.0.0.1:7890/";
@ -13,24 +28,27 @@
### Proxy service
systemd.services."clash-meta" = {
wantedBy = [ "multi-user.target" ];
description = "Clash.Meta Client";
after = [ "network-online.target" ];
description = "Clash.Meta Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/clash-meta";
WorkingDirectory = "/etc/${etcDirectory}";
User = [ config.users.users."clash-meta".name ];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
Group = [ config.users.groups."clash-meta".name ];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/${etcDirectory}";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_RAW"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_RAW"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
@ -45,5 +63,5 @@
# - https://yacd.haishan.me
# - clash-dashboard (buggy):
# - https://clash.razord.top
environment.etc."clash-meta/metacubexd".source = inputs.metacubexd;
environment.etc."${etcDirectory}/metacubexd".source = inputs.metacubexd;
}

View file

@ -0,0 +1,59 @@
{ pkgs, config, ... }:
let
etcDirectory = "hysteria";
port = 43956;
in
{
imports = [
../../../../../flakes/nixos/sops-nix.nix
];
### Firewall
networking.firewall = {
allowedTCPPorts = [ port 80 443 ];
allowedUDPPorts = [ port 80 443 ];
};
#### sops-nix
sops.secrets."hysteria-config" = {
owner = config.users.users."hysteria".name;
group = config.users.groups."hysteria".name;
restartUnits = [ "hysteria-server.service" ];
path = "/etc/${etcDirectory}/config.yaml";
};
### User running proxy service
users.groups."hysteria" = {};
users.users."hysteria" = {
isSystemUser = true;
group = config.users.groups."hysteria".name;
};
### Proxy service
systemd.services."hysteria-server" = {
description = "Hysteria Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}";
User = [ config.users.users."hysteria".name ];
Group = [ config.users.groups."hysteria".name ];
ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/${etcDirectory}/config.yaml";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
}

View file

@ -0,0 +1,59 @@
{ pkgs, config, ... }:
let
etcDirectory = "juicity";
port = "33829";
in
{
imports = [
../../../../../flakes/nixos/sops-nix.nix
];
### Firewall
networking.firewall = {
allowedTCPPorts = [ port ];
allowedUDPPorts = [ port ];
};
#### sops-nix
sops.secrets."juicity-config" = {
owner = config.users.users."juicity".name;
group = config.users.groups."juicity".name;
restartUnits = [ "juicity-server.service" ];
path = "/etc/${etcDirectory}/config.yaml";
};
### User running proxy service
users.groups."juicity" = {};
users.users."juicity" = {
isSystemUser = true;
group = config.users.groups."juicity".name;
};
### Proxy service
systemd.services."juicity-server" = {
description = "Juicity Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}";
User = [ config.users.users."juicity".name ];
Group = [ config.users.groups."juicity".name ];
ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/${etcDirectory}/config.json";
Restart = "on-failure";
CapabilityBoundingSet = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
];
};
};
}

View file

@ -1,46 +1,14 @@
{ pkgs, config, ... }:
{ ... }:
{
users.users."guanranwang" = {
isNormalUser = true;
description = "Guanran Wang";
extraGroups = [ "wheel" "networkmanager" "tss" "nix-access-tokens" ]; # tss = access to tpm devices
hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
shell = pkgs.fish;
packages = [];
};
# Flakes
imports = [
./core.nix
### Flakes
../../../../flakes/nixos/home-manager.nix
../../../../flakes/nixos/sops-nix.nix
../../../../flakes/nixos/hosts.nix
../../../../flakes/nixos/berberman.nix
];
### home-manager
home-manager.users.guanranwang = import ../../home-manager/nixos/presets/desktop.nix;
### sops-nix
nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
users.groups."nix-access-tokens" = {};
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [];
secrets = {
"hashed-passwd".neededForUsers = true; # Hashed user password
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
"nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name;
mode = "0440";
};
"clash-config" = { # Clash.Meta configuration
owner = config.users.users."clash-meta".name;
group = config.users.users."clash-meta".group;
restartUnits = [ "clash-meta.service" ];
path = "/etc/clash-meta/config.yaml";
};
};
};
}

View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./desktop.nix
];
home-manager.users.guanranwang = import ../../home-manager/nixos/presets/gaming.nix;
}

File diff suppressed because one or more lines are too long