amaury_joly/nix-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

reformat

Browse Source
This commit is contained in:
Amaury JOLY
2026-04-02 14:10:16 +02:00
parent 6c9ba6ea88
commit 6105c58cda
23 changed files with 230 additions and 233 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
config.nix
View File

@@ -1,19 +1,18 @@
# Central Configuration
# Define user-specific and system-specific values here
# This file should be imported in flake.nix as specialArgs
{
# User configuration
username = "alice";
userEmail = "amaury.joly";
# System paths
configFlakePath = /etc/nixos;
# Timezone and locale
timezone = "Europe/Paris";
locale = "fr_FR.UTF-8";
# Hostname
hostname = "nixos";
}

11
configuration-vmgaming.nix
View File

@@ -1,6 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
imports = [
./hosts/vmgaming/configuration.nix
@@ -24,7 +27,7 @@
};
boot.loader.efi.canTouchEfiVariables = false;
boot.blacklistedKernelModules = [ "nouveau" ];
boot.blacklistedKernelModules = ["nouveau"];
services.spice-vdagentd.enable = true;
services.qemuGuest.enable = true;
@@ -49,7 +52,7 @@
# NVIDIA passthrough guest defaults.
# If you pass through an AMD GPU instead, replace with:
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;

22
configuration.nix
View File

@@ -1,10 +1,12 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
imports = [
# Hardware configuration
./hosts/laptop/configuration.nix
# NixOS base modules
./modules/nixos/base.nix
./modules/nixos/yubikey.nix
@@ -12,7 +14,7 @@
./modules/nixos/net.nix
./modules/nixos/wireless-networks.nix
./modules/nixos/parsec.nix
# Laptop-specific modules
./modules/laptop/default.nix
./modules/laptop/fingerprint.nix
@@ -20,7 +22,7 @@
./modules/laptop/home-manager.nix
./modules/laptop/bluetooth.nix
./modules/laptop/zwift.nix
# Optional feature modules (with options)
./modules/laptop/gaming.nix
./modules/laptop/virtualization.nix
@@ -35,10 +37,10 @@
# Enable optional features via custom options
custom.gaming.enable = true;
custom.gaming.enableXpadneo = true;
custom.virtualization.docker.enable = true;
custom.virtualization.virtualbox.enable = true;
custom.printing.enable = true;
custom.printing.printers = [
{
@@ -52,12 +54,12 @@
}
];
custom.printing.defaultPrinter = "TOSHIBA_5eme_Luminy";
custom.power.enable = true;
custom.power.cpuGovernor = "powersave";
custom.bluetooth.enable = true;
custom.bluetooth.powerOnBoot = true;
custom.zwift.enable = true;
}

66
flake.lock generated
View File

@@ -1,28 +1,5 @@
{
"nodes": {
"claude-desktop": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1764098187,
"narHash": "sha256-H6JjWXhKqxZ8QLMoqndZx9e5x0Sv5AiipSmqvIxIbgo=",
"owner": "k3d3",
"repo": "claude-desktop-linux-flake",
"rev": "b2b040cb68231d2118906507d9cc8fd181ca6308",
"type": "github"
},
"original": {
"owner": "k3d3",
"repo": "claude-desktop-linux-flake",
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
@@ -32,11 +9,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1773646590,
"narHash": "sha256-qwnecNC3DB0hSu6MvU27xh/Mg9uPbmmg7d1wBOtO7ds=",
"lastModified": 1774857716,
"narHash": "sha256-z05BKQ6F9/6H2/ecIYEXuq54JCUEiOpdYXTQIijB/wM=",
"owner": "nix-community",
"repo": "fenix",
"rev": "350a4df2afc34c1ae115173e0509cec7067a06c9",
"rev": "9ad9c53e902485e006c07ae54a7dd4ad55a8c4d8",
"type": "github"
},
"original": {
@@ -88,11 +65,11 @@
]
},
"locked": {
"lastModified": 1774007980,
"narHash": "sha256-FOnZjElEI8pqqCvB6K/1JRHTE8o4rer8driivTpq2uo=",
"lastModified": 1775104157,
"narHash": "sha256-rm/7k0D2J9SP30pyZ2C1HqarDncZDN6KAUI0gzgg4TA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9670de2921812bc4e0452f6e3efd8c859696c183",
"rev": "41e6e2ab37763c09db4e639033392cf40900440a",
"type": "github"
},
"original": {
@@ -125,11 +102,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1773821835,
"narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=",
"lastModified": 1775036866,
"narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0",
"rev": "6201e203d09599479a3b3450ed24fa81537ebc4e",
"type": "github"
},
"original": {
@@ -164,11 +141,11 @@
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1773927313,
"narHash": "sha256-2XjQPMd79Z5hOS67rjCuDyiIW4I7XpBe/7yYRSyhA8k=",
"lastModified": 1774890105,
"narHash": "sha256-nrbMvz/M3Yidq9oag9A4E2yctUn+S07GN2zf1JLsRA0=",
"owner": "FirelightFlagboy",
"repo": "parsec-cloud-nix",
"rev": "b45bbf594b3031583c5b2c9609f6c5ebdc4df903",
"rev": "7f1f18378e63ad82d138c756a75e721d08d9a6a2",
"type": "github"
},
"original": {
@@ -204,7 +181,6 @@
},
"root": {
"inputs": {
"claude-desktop": "claude-desktop",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
@@ -216,11 +192,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1773543526,
"narHash": "sha256-CKmkYqUi2pI1uDGDfpK0mkZbRLyjUKCpYDU3eMHtmks=",
"lastModified": 1774787924,
"narHash": "sha256-Cbpmf0+1pqi/zbpub2vkp5lTPx3QdVtDkkagDwQzHHg=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "90c8906e6443e7cee18cece9c2621a8b1c10794c",
"rev": "f1297b21119565c626320c1ffc248965fffb2527",
"type": "github"
},
"original": {
@@ -237,11 +213,11 @@
]
},
"locked": {
"lastModified": 1773889674,
"narHash": "sha256-+ycaiVAk3MEshJTg35cBTUa0MizGiS+bgpYw/f8ohkg=",
"lastModified": 1774910634,
"narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "29b6519f3e0780452bca0ac0be4584f04ac16cc5",
"rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301",
"type": "github"
},
"original": {
@@ -322,11 +298,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1773655023,
"narHash": "sha256-89jAxVhDIm6nFTBX3eM53NjLm36egOXYJGoPDogN4iE=",
"lastModified": 1774885989,
"narHash": "sha256-BhBjT/jts56x+6GArrYHhGzg4TM7et+wAKknvJvGfK0=",
"owner": "netbrain",
"repo": "zwift",
"rev": "a015de248bac88a3eec734b6565a86e10214a486",
"rev": "2ed245f8f481e60709f9aa719e246ab5d61facd2",
"type": "github"
},
"original": {

55
flake.nix
View File

@@ -8,52 +8,52 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
parsec-cloud-nix = {
url = "github:FirelightFlagboy/parsec-cloud-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
claude-desktop = {
url = "github:k3d3/claude-desktop-linux-flake";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
zwift.url = "github:netbrain/zwift";
};
outputs = { self, nixpkgs, sops-nix, home-manager, zwift, flake-utils, parsec-cloud-nix, claude-desktop, ... }:
let
customConfig = import ./config.nix;
in
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
};
in {
}) //
{
outputs = {
self,
nixpkgs,
sops-nix,
home-manager,
zwift,
flake-utils,
parsec-cloud-nix,
...
}: let
customConfig = import ./config.nix;
in
flake-utils.lib.eachDefaultSystem (system: let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
};
in {
})
// {
nixosConfigurations.laptop = nixpkgs.lib.nixosSystem {
modules = [
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
zwift.nixosModules.zwift
./configuration.nix
({ pkgs, lib, ...}:
{
environment.systemPackages = with pkgs; [
claude-desktop.packages.${pkgs.stdenv.hostPlatform.system}.claude-desktop-with-fhs
];
({
pkgs,
lib,
...
}: {
})
];
specialArgs = {
inherit customConfig;
parsec-cloud-nix = parsec-cloud-nix;
claude-desktop = claude-desktop;
};
};
@@ -65,7 +65,6 @@
specialArgs = {
inherit customConfig;
parsec-cloud-nix = parsec-cloud-nix;
claude-desktop = claude-desktop;
};
};
};

48
hosts/laptop/configuration.nix
View File

@@ -1,40 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e9209e4f-94b4-45ef-bed6-9435c96ee864";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/e9209e4f-94b4-45ef-bed6-9435c96ee864";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/E59B-B8FC";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/E59B-B8FC";
fsType = "vfat";
options = ["fmask=0077" "dmask=0077"];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/e8cd6918-bc63-4d24-b8eb-6a1170844a80"; }
];
swapDevices = [
{device = "/dev/disk/by-uuid/e8cd6918-bc63-4d24-b8eb-6a1170844a80";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

21
hosts/vmgaming/configuration.nix
View File

@@ -1,17 +1,20 @@
# Do not modify this file directly on every rebuild. It should contain host
# specific hardware/VM configuration for VMGaming (Proxmox guest).
{ config, lib, modulesPath, ... }:
{
config,
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = with config.boot.kernelPackages; [ xone ];
boot.kernelParams = [ "console=ttyS0,115200" ];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = with config.boot.kernelPackages; [xone];
boot.kernelParams = ["console=ttyS0,115200"];
services.getty.autologinUser = null;
boot.extraModprobeConfig = ''
@@ -27,10 +30,10 @@
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2919-0F27";
fsType = "vfat";
# options = [ "fmask=0077" "dmask=0077" ];
# options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
swapDevices = [];
networking.useDHCP = lib.mkDefault true;
services.qemuGuest.enable = true;

11
modules/laptop/bluetooth.nix
View File

@@ -1,13 +1,14 @@
# Module: Bluetooth Configuration
# Description: Enables Bluetooth with dual controller mode and experimental features
# Services: bluetooth, blueman (GUI manager)
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.custom.bluetooth = {
enable = lib.mkEnableOption "Bluetooth support with blueman GUI";
powerOnBoot = lib.mkOption {
type = lib.types.bool;
default = true;
@@ -30,4 +31,4 @@
};
services.blueman.enable = true;
};
}
}

12
modules/laptop/default.nix
View File

@@ -3,16 +3,12 @@
# Services: sops-nix
# Dependencies: sops-nix for secrets management
# Note: Other laptop features (gaming, virtualization, etc.) are in separate modules
{ customConfig, ... }:
let
{customConfig, ...}: let
userHome = "/home/${customConfig.username}";
in
{
in {
sops.validateSopsFiles = false;
sops.age.keyFile = "${userHome}/.config/sops/age/keys.txt";
# WiFi networks configuration - entire network list encrypted
sops.secrets.wifi-networks = {
path = "/run/secrets/wifi-networks.conf";
@@ -33,4 +29,4 @@ in
};
services.xserver.xkb.layout = "fr";
}
}

4
modules/laptop/fingerprint.nix
View File

@@ -1,6 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
services.fprintd.enable = true;
services.fprintd.tod.enable = true;
services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix-550a;

14
modules/laptop/gaming.nix
View File

@@ -1,13 +1,15 @@
# Module: Gaming Support
# Description: Enables Steam and gamepad drivers (xpadneo for Xbox controllers)
# Services: Steam, steam-hardware
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
options.custom.gaming = {
enable = lib.mkEnableOption "gaming support (Steam, gamepad drivers)";
enableXpadneo = lib.mkOption {
type = lib.types.bool;
default = true;
@@ -17,11 +19,11 @@
config = lib.mkIf config.custom.gaming.enable {
hardware.steam-hardware.enable = true;
programs.steam = {
enable = true;
};
boot.extraModulePackages = lib.mkIf config.custom.gaming.enableXpadneo [
pkgs.linuxPackages.xpadneo
];

11
modules/laptop/home-manager.nix
View File

@@ -1,6 +1,8 @@
{ lib, customConfig, ... }:
let
{
lib,
customConfig,
...
}: let
username = customConfig.username;
dotconfigPath = ../../dotconfig;
dotconfigEntries = lib.filterAttrs (name: _: !(lib.hasPrefix "." name)) (builtins.readDir dotconfigPath);
@@ -15,8 +17,7 @@ let
recursive = true;
}
);
in
{
in {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.backupFileExtension = "hm-backup";

9
modules/laptop/power.nix
View File

@@ -1,13 +1,14 @@
# Module: Power Management
# Description: CPU frequency governor and power management settings
# Services: powerManagement
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.custom.power = {
enable = lib.mkEnableOption "power management configuration";
cpuGovernor = lib.mkOption {
type = lib.types.str;
default = "powersave";

16
modules/laptop/printing.nix
View File

@@ -1,19 +1,20 @@
# Module: Printing Configuration
# Description: CUPS printing service with configured printers
# Services: printing (CUPS)
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.custom.printing = {
enable = lib.mkEnableOption "printing support (CUPS)";
printers = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [];
description = "List of printers to configure";
};
defaultPrinter = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
@@ -23,10 +24,11 @@
config = lib.mkIf config.custom.printing.enable {
services.printing.enable = true;
hardware.printers = lib.mkIf (config.custom.printing.printers != []) {
ensurePrinters = config.custom.printing.printers;
ensureDefaultPrinter = lib.mkIf (config.custom.printing.defaultPrinter != null)
ensureDefaultPrinter =
lib.mkIf (config.custom.printing.defaultPrinter != null)
config.custom.printing.defaultPrinter;
};
};

21
modules/laptop/users.nix
View File

@@ -2,15 +2,16 @@
# Description: Defines the main user 'alice' with groups, permissions, and user packages
# Packages: Browsers (Firefox), Office (LibreOffice), Development (VSCode, Git),
# Media (VLC, Spotify), Communication (Slack, Thunderbird), and more
{ pkgs, customConfig, ... }:
{
pkgs,
customConfig,
...
}: {
users.users."${customConfig.username}" = {
isNormalUser = true;
home = "/home/${customConfig.username}";
# Base groups - docker/vboxusers are added by virtualization.nix if enabled
extraGroups = [ "wheel" "audio" "dialout" "plugdev" ];
extraGroups = ["wheel" "audio" "dialout" "plugdev"];
packages = with pkgs; [
# Browsers & Web
firefox
@@ -30,6 +31,8 @@
tcpdump
pandoc
libsecret
nixd
alejandra
# Communication
slack
@@ -43,10 +46,10 @@
pympress
# Gaming & Entertainment
prismlauncher # Minecraft launcher
widelands # Strategy game
wasistlos # Game
moonlight-qt # Game streaming
prismlauncher # Minecraft launcher
# widelands # Strategy game
wasistlos # Game
moonlight-qt # Game streaming
# System & Cloud
rclone
@@ -57,7 +60,7 @@
age
];
openssh.authorizedKeys.keys = [
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCMzLza+1iFSUgZaPzEwpRNW/CvcsbXh8vJ9RevwFntNZdZIVc/j5OLRy+GOojlZdar070PkKDO+Pmtqu1uQ4XE+onqmsxom5JGyYaSScB3l33CLL2jBT7mBqBOVDuTBj3ACLT8fS1eUolI7erShvIH9VUvrg83bZ2CvgA/DjJLHfVCpvx9EsG0Q00k27LNU7yXga8sjK1YikA+o1bKTWavCGOWkZMFXOVeEDR+arOQ440s6f6eg7C+30V02ijRLA6pWFAkj2/fMaD+44IPMVjOj96vvPUJrlL1N7BDPxBlj1rrB35+pUkpVIN4B0etqnkrJIV+IxtmSpkNHr52Y7nkTu3mOWn1P0DcOdR5OA8JZRbSkbL/QW4GzFWs3eN7CMOMwKQdO+1J/wL4U7qrmKEYwcNaprqlDF0SIPp0+l/VWNMe6uK0r5iZwp355PUSR+Zc5skf74wMsZ1LokUlihdI+E6TNGvmDgjqKx6OrI3dyP/eW7xtR7KvbdoaUjy8AE8= alice@nixos"
];
};

23
modules/laptop/virtualization.nix
View File

@@ -1,21 +1,24 @@
# Module: Virtualization
# Description: Docker and VirtualBox virtualization support
# Services: Docker daemon, VirtualBox
{ config, lib, pkgs, customConfig, ... }:
{
config,
lib,
pkgs,
customConfig,
...
}: {
options.custom.virtualization = {
docker = {
enable = lib.mkEnableOption "Docker container runtime";
dnsServers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "172.17.0.1" ];
default = ["172.17.0.1"];
description = "DNS servers for Docker containers (points to dnscrypt-proxy)";
};
};
virtualbox = {
enable = lib.mkEnableOption "VirtualBox virtualization";
};
@@ -30,13 +33,13 @@
dns = config.custom.virtualization.docker.dnsServers;
};
};
users.users."${customConfig.username}".extraGroups = [ "docker" ];
users.users."${customConfig.username}".extraGroups = ["docker"];
})
(lib.mkIf config.custom.virtualization.virtualbox.enable {
virtualisation.virtualbox.host.enable = true;
users.users."${customConfig.username}".extraGroups = [ "vboxusers" ];
users.users."${customConfig.username}".extraGroups = ["vboxusers"];
})
];
}

15
modules/laptop/zwift.nix
View File

@@ -2,10 +2,13 @@
# Description: Configures Zwift cycling simulator via Docker with proper networking
# Services: Zwift Docker container
# Ports: UDP 3022, 3024 / TCP 21587, 21588
{ config, lib, pkgs, customConfig, ... }:
{
config,
lib,
pkgs,
customConfig,
...
}: {
options.custom.zwift = {
enable = lib.mkEnableOption "Zwift cycling simulator";
};
@@ -14,7 +17,7 @@
programs.zwift = {
enable = true;
image = "docker.io/netbrain/zwift";
version = "latest"; # FIXME: Pin to specific version for reproducibility
version = "latest"; # FIXME: Pin to specific version for reproducibility
containerTool = "docker";
zwiftWorkoutDir = "/var/lib/zwift/workouts";
zwiftActivityDir = "/var/lib/zwift/activities";
@@ -28,8 +31,8 @@
};
networking.firewall = {
allowedUDPPorts = [ 3022 3024 ];
allowedTCPPorts = [ 21587 21588 ];
allowedUDPPorts = [3022 3024];
allowedTCPPorts = [21587 21588];
};
};
}

11
modules/nixos/base.nix
View File

@@ -2,12 +2,13 @@
# Description: Core NixOS configuration with Nix settings, base packages, fonts,
# localization (FR), Fish shell, and security (GPG)
# Services: gvfs, udisks2, gnupg-agent
{ pkgs, customConfig, ... }:
{
pkgs,
customConfig,
...
}: {
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
experimental-features = ["nix-command" "flakes"];
substituters = [
"https://cache.nixos.org/"
"https://parsec-cloud.cachix.org"
@@ -65,4 +66,4 @@
# WARNING: DO NOT CHANGE this value after installation!
# See: https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion
system.stateVersion = "24.05";
}
}

10
modules/nixos/desktop-i3.nix
View File

@@ -2,17 +2,13 @@
# Description: Enables X11 with i3 window manager and associated desktop tools
# Services: xserver with i3
# Packages: alacritty (terminal), tint2 (panel), rofi (launcher), i3lock, dunst
{ pkgs, ... }:
let
{pkgs, ...}: let
updatescreen = pkgs.writeShellScript "updatescreens.sh" ''
#!/bin/sh
i3-msg restart
feh --bg-fill --no-xinerama Downloads/fire1.png
'';
in
{
in {
services.xserver.enable = true;
services.xserver.windowManager.i3.enable = true;
services.xserver.autorun = true;
@@ -95,4 +91,4 @@ in
};
};
};
}
}

47
modules/nixos/net.nix
View File

@@ -3,14 +3,17 @@
# configuration via wpa_supplicant, and hostname settings
# Services: dnscrypt-proxy (primary + backup), wpa_supplicant
# Security: WiFi credentials stored via sops-nix secrets
{ config, lib, pkgs, customConfig, ... }:
let
{
config,
lib,
pkgs,
customConfig,
...
}: let
backupToml = pkgs.writeText "dnscrypt-proxy-backup.toml" ''
listen_addresses = ["127.0.0.2:53"]
server_names = ["dns0-eu"]
[sources.public-resolvers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
cache_file = '/var/lib/dnscrypt-proxy-backup/public-resolvers.md'
@@ -19,17 +22,15 @@ let
'';
userHome = "/home/${customConfig.username}";
in
{
in {
networking.nftables.enable = true;
networking.firewall = {
enable = true;
allowPing = true;
# allowedTCPPorts = [ ... ]; # keep closed by default
interfaces.docker0 = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [53];
allowedTCPPorts = [53];
};
};
@@ -49,16 +50,22 @@ in
# systemd.services.wpa_supplicant.after = [ "sops-install-secrets.service" ];
# systemd.services.wpa_supplicant.requires = [ "sops-install-secrets.service" ];
# You can also define networks in Nix if you prefer (less secure - names visible):
# networking.wireless.networks = { ... };
networking.interfaces.lo.ipv4.addresses = [
{ address = "127.0.0.1"; prefixLength = 8; }
{ address = "127.0.0.2"; prefixLength = 8; }
{
address = "127.0.0.1";
prefixLength = 8;
}
{
address = "127.0.0.2";
prefixLength = 8;
}
];
networking.nameservers = [ "127.0.0.1" "127.0.0.2" ];
networking.nameservers = ["127.0.0.1" "127.0.0.2"];
# networking.networkmanager.dns = "none";
services.resolved.enable = false;
@@ -66,12 +73,12 @@ in
services.dnscrypt-proxy = {
enable = true;
settings = {
listen_addresses = [ "127.0.0.1:53" "172.17.0.1:53" ];
server_names = [ "amaury" ];
listen_addresses = ["127.0.0.1:53" "172.17.0.1:53"];
server_names = ["amaury"];
bootstrap_resolvers = [];
sources = {};
static = {
"amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
"amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
};
cache = true;
ignore_system_dns = true;
@@ -81,8 +88,8 @@ in
systemd.services."dnscrypt-proxy-backup" = {
description = "dnscrypt-proxy backup (dns0-eu)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${backupToml}";
Restart = "on-failure";
@@ -95,4 +102,4 @@ in
systemd.services.dnscrypt-proxy.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
}
}

12
modules/nixos/parsec.nix
View File

@@ -2,10 +2,11 @@
# Description: Installs Parsec Cloud client (v3) with CLI and GUI
# Dependencies: parsec-cloud-nix flake input
# Note: Requires increased Node.js heap size during build (workaround)
{ pkgs, parsec-cloud-nix, ... }:
let
{
pkgs,
parsec-cloud-nix,
...
}: let
pc = parsec-cloud-nix.packages.${pkgs.stdenv.hostPlatform.system};
# WORKAROUND: Parsec build runs out of memory without increased heap size
@@ -19,8 +20,7 @@ let
};
parsecCli = pc.parsec-cloud.v3.cli;
in
{
in {
environment.systemPackages = [
parsecClientPatched
parsecCli

10
modules/nixos/wireless-networks.nix
View File

@@ -3,14 +3,16 @@
# Security: Network names, SSIDs, and all configuration stored in encrypted secrets
# Files: ~/.config/secrets/wifi-networks.yaml (encrypted with sops)
# Note: The actual networks are loaded at runtime from the encrypted file
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
# WiFi networks are loaded from encrypted file at runtime
# The file is in wpa_supplicant.conf format and gets included by wpa_supplicant
# This approach keeps network names and configuration completely private
# Note: If wifi-networks secret doesn't exist yet, this won't cause errors
# You can still use the old method (networking.wireless.networks in Nix) if needed
}

7
modules/nixos/yubikey.nix
View File

@@ -1,13 +1,10 @@
# Module: YubiKey Authentication
# Description: Enables YubiKey-based PAM auth for login and sudo across systems
{ pkgs, ... }:
{
{pkgs, ...}: {
security.pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
};
services.udev.packages = [ pkgs.yubikey-personalization ];
services.udev.packages = [pkgs.yubikey-personalization];
}