amaury_joly/nix-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

reformat

Browse Source
This commit is contained in:
Amaury JOLY
2026-04-02 14:10:16 +02:00
parent 6c9ba6ea88
commit 6105c58cda
23 changed files with 230 additions and 233 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
modules/nixos/base.nix
View File

@@ -2,12 +2,13 @@
# Description: Core NixOS configuration with Nix settings, base packages, fonts,
# localization (FR), Fish shell, and security (GPG)
# Services: gvfs, udisks2, gnupg-agent
{ pkgs, customConfig, ... }:
{
pkgs,
customConfig,
...
}: {
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
experimental-features = ["nix-command" "flakes"];
substituters = [
"https://cache.nixos.org/"
"https://parsec-cloud.cachix.org"
@@ -65,4 +66,4 @@
# WARNING: DO NOT CHANGE this value after installation!
# See: https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion
system.stateVersion = "24.05";
}
}

10
modules/nixos/desktop-i3.nix
View File

@@ -2,17 +2,13 @@
# Description: Enables X11 with i3 window manager and associated desktop tools
# Services: xserver with i3
# Packages: alacritty (terminal), tint2 (panel), rofi (launcher), i3lock, dunst
{ pkgs, ... }:
let
{pkgs, ...}: let
updatescreen = pkgs.writeShellScript "updatescreens.sh" ''
#!/bin/sh
i3-msg restart
feh --bg-fill --no-xinerama Downloads/fire1.png
'';
in
{
in {
services.xserver.enable = true;
services.xserver.windowManager.i3.enable = true;
services.xserver.autorun = true;
@@ -95,4 +91,4 @@ in
};
};
};
}
}

47
modules/nixos/net.nix
View File

@@ -3,14 +3,17 @@
# configuration via wpa_supplicant, and hostname settings
# Services: dnscrypt-proxy (primary + backup), wpa_supplicant
# Security: WiFi credentials stored via sops-nix secrets
{ config, lib, pkgs, customConfig, ... }:
let
{
config,
lib,
pkgs,
customConfig,
...
}: let
backupToml = pkgs.writeText "dnscrypt-proxy-backup.toml" ''
listen_addresses = ["127.0.0.2:53"]
server_names = ["dns0-eu"]
[sources.public-resolvers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
cache_file = '/var/lib/dnscrypt-proxy-backup/public-resolvers.md'
@@ -19,17 +22,15 @@ let
'';
userHome = "/home/${customConfig.username}";
in
{
in {
networking.nftables.enable = true;
networking.firewall = {
enable = true;
allowPing = true;
# allowedTCPPorts = [ ... ]; # keep closed by default
interfaces.docker0 = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [53];
allowedTCPPorts = [53];
};
};
@@ -49,16 +50,22 @@ in
# systemd.services.wpa_supplicant.after = [ "sops-install-secrets.service" ];
# systemd.services.wpa_supplicant.requires = [ "sops-install-secrets.service" ];
# You can also define networks in Nix if you prefer (less secure - names visible):
# networking.wireless.networks = { ... };
networking.interfaces.lo.ipv4.addresses = [
{ address = "127.0.0.1"; prefixLength = 8; }
{ address = "127.0.0.2"; prefixLength = 8; }
{
address = "127.0.0.1";
prefixLength = 8;
}
{
address = "127.0.0.2";
prefixLength = 8;
}
];
networking.nameservers = [ "127.0.0.1" "127.0.0.2" ];
networking.nameservers = ["127.0.0.1" "127.0.0.2"];
# networking.networkmanager.dns = "none";
services.resolved.enable = false;
@@ -66,12 +73,12 @@ in
services.dnscrypt-proxy = {
enable = true;
settings = {
listen_addresses = [ "127.0.0.1:53" "172.17.0.1:53" ];
server_names = [ "amaury" ];
listen_addresses = ["127.0.0.1:53" "172.17.0.1:53"];
server_names = ["amaury"];
bootstrap_resolvers = [];
sources = {};
static = {
"amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
"amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
};
cache = true;
ignore_system_dns = true;
@@ -81,8 +88,8 @@ in
systemd.services."dnscrypt-proxy-backup" = {
description = "dnscrypt-proxy backup (dns0-eu)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${backupToml}";
Restart = "on-failure";
@@ -95,4 +102,4 @@ in
systemd.services.dnscrypt-proxy.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
}
}

12
modules/nixos/parsec.nix
View File

@@ -2,10 +2,11 @@
# Description: Installs Parsec Cloud client (v3) with CLI and GUI
# Dependencies: parsec-cloud-nix flake input
# Note: Requires increased Node.js heap size during build (workaround)
{ pkgs, parsec-cloud-nix, ... }:
let
{
pkgs,
parsec-cloud-nix,
...
}: let
pc = parsec-cloud-nix.packages.${pkgs.stdenv.hostPlatform.system};
# WORKAROUND: Parsec build runs out of memory without increased heap size
@@ -19,8 +20,7 @@ let
};
parsecCli = pc.parsec-cloud.v3.cli;
in
{
in {
environment.systemPackages = [
parsecClientPatched
parsecCli

10
modules/nixos/wireless-networks.nix
View File

@@ -3,14 +3,16 @@
# Security: Network names, SSIDs, and all configuration stored in encrypted secrets
# Files: ~/.config/secrets/wifi-networks.yaml (encrypted with sops)
# Note: The actual networks are loaded at runtime from the encrypted file
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
# WiFi networks are loaded from encrypted file at runtime
# The file is in wpa_supplicant.conf format and gets included by wpa_supplicant
# This approach keeps network names and configuration completely private
# Note: If wifi-networks secret doesn't exist yet, this won't cause errors
# You can still use the old method (networking.wireless.networks in Nix) if needed
}

7
modules/nixos/yubikey.nix
View File

@@ -1,13 +1,10 @@
# Module: YubiKey Authentication
# Description: Enables YubiKey-based PAM auth for login and sudo across systems
{ pkgs, ... }:
{
{pkgs, ...}: {
security.pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
};
services.udev.packages = [ pkgs.yubikey-personalization ];
services.udev.packages = [pkgs.yubikey-personalization];
}