From 2ecd3a122ac0fe079b1daa8997382196d337c802 Mon Sep 17 00:00:00 2001
From: System administrator
Date: Tue, 29 Dec 2020 06:43:07 +0100
Subject: [PATCH] initial commit

---
config/base.nix | 45 +++++++++++
config/gnome.nix | 20 +++++
config/grsec.nix | 27 +++++++
config/gui.nix | 82 ++++++++++++++++++++
config/i3.nix | 48 ++++++++++++
config/laptop.nix | 15 ++++
config/screenlock.nix | 36 +++++++++
config/unify.nix | 10 +++
config/users.nix | 15 ++++
configuration.nix | 1 +
configuration.nix.bak | 112 +++++++++++++++++++++++++++
hardware-configuration.nix | 32 ++++++++
hosts/dynamix.nix | 152 +++++++++++++++++++++++++++++++++++++
13 files changed, 595 insertions(+)
create mode 100755 config/base.nix
create mode 100755 config/gnome.nix
create mode 100755 config/grsec.nix
create mode 100755 config/gui.nix
create mode 100755 config/i3.nix
create mode 100755 config/laptop.nix
create mode 100755 config/screenlock.nix
create mode 100755 config/unify.nix
create mode 100755 config/users.nix
create mode 120000 configuration.nix
create mode 100644 configuration.nix.bak
create mode 100644 hardware-configuration.nix
create mode 100755 hosts/dynamix.nix

diff --git a/config/base.nix b/config/base.nix
new file mode 100755
index 0000000..5b1e0f0
--- /dev/null
+++ b/config/base.nix
@@ -0,0 +1,45 @@
+# base.nix: basic have-this-everywhere nixos config
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ../hardware-configuration.nix
+ ./users.nix
+ ];
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "de_DE.UTF-8";
+ console.font = "Lat2-Terminus16";
+ console.keyMap = "de";
+
+ time.timeZone = "Europe/Berlin";
+ services.timesyncd.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ pkgs.vim_configurable
+ pkgs.neovim
+ pkgs.zsh
+ pkgs.wget
+ pkgs.curl
+ pkgs.rsync
+ pkgs.git
+ pkgs.git-hub
+ pkgs.python3
+ pkgs.pciutils
+ pkgs.dmidecode
+ pkgs.cpufrequtils
+ pkgs.binutils
+ pkgs.mc
+ pkgs.git
+ pkgs.htop
+ pkgs.bpytop
+ ];
+
+ networking.firewall = {
+ enable = true;
+ allowPing = true;
+ };
+ services.openssh.enable = true;
+
+}
diff --git a/config/gnome.nix b/config/gnome.nix
new file mode 100755
index 0000000..dc7ffa2
--- /dev/null
+++ b/config/gnome.nix
@@ -0,0 +1,20 @@
+# gnome.nix: install gnome
+
+ { config, pkgs, ... }:
+
+ {
+ services.xserver.desktopManager.gnome3.enable = true;
+ environment.gnome3.excludePackages = with pkgs.gnome3; [
+ epiphany
+ evolution
+ gnome-maps
+ gnome-music
+ gnome-photos
+ gedit
+ totem
+ gnome-calendar
+ gnome-weather
+ accerciser
+ gnome-software
+ ];
+ }
diff --git a/config/grsec.nix b/config/grsec.nix
new file mode 100755
index 0000000..2f4bcb3
--- /dev/null
+++ b/config/grsec.nix
@@ -0,0 +1,27 @@
+# grsec.nix: NIXOS used HARDEN! NIXOS's DEFENSE ROSE!
+
+{ config, lib, pkgs, ... }:
+
+{
+
+ # if you're an acer c710 (i know i am sometimes) you might also want:
+ # CHROME_PLATFORMS y
+ # CHROMEOS_LAPTOP m
+ # CHROMEOS_PSTORE m
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ linux_grsec_nixos = pkgs.linux_grsec_nixos.override {
+ extraConfig = ''
+ PAX y
+ GRKERNSEC y
+ GRKERNSEC_CONFIG_AUTO y
+ GRKERNSEC_CONFIG_DESKTOP y
+ GRKERNSEC_CONFIG_SECURE y
+ GRKERNSEC_CONFIG_VIRT_EPT y
+ '';
+ };
+ };
+
+ security.grsecurity.enable = true;
+
+}
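Review bot: `services.openssh.enable = true;` near the end of the base.nix hunk turns sshd on for every host that imports this "have-this-everywhere" module with stock settings, which on 20.09 still means password authentication is accepted unless overridden, while users.nix in the same commit creates the only account with neither a password nor authorized keys. Pair the enable with `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "no";`, and put the login key in `users.extraUsers.templis.openssh.authorizedKeys.keys` so the first login does not have to be bootstrapped by hand. `pkgs.git` is listed twice in the package list, and the `pkgs.` prefixes are redundant under `with pkgs;`.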
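Review bot: `security.grsecurity.enable = true;` and the `pkgs.linux_grsec_nixos` override in the grsec.nix hunk reference a module and package that, as far as I recall, were removed from nixpkgs in 2017, so this file cannot evaluate on the 20.09 channel; it is only harmless because hosts/dynamix.nix imports it commented out. Either drop the file or replace its header with `# grsec.nix: grsecurity support is gone from nixpkgs; kept for reference only, do not import` so nobody re-enables the import expecting a hardened kernel. If kernel hardening is the goal, importing the in-tree `profiles/hardened.nix` from the NixOS modules is the supported route.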
diff --git a/config/gui.nix b/config/gui.nix
new file mode 100755
index 0000000..ab72972
--- /dev/null
+++ b/config/gui.nix
@@ -0,0 +1,82 @@
+# gui.nix: configure x11 stuff common to any wm/de
+
+{ config, pkgs, ... }:
+
+{
+ #imports = [ ./base.nix ];
+
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ pkgs.powerline-fonts
+
+ pkgs.gtk3
+ pkgs.gtk_engines
+ pkgs.gnome2.gnome_icon_theme
+ pkgs.shared_mime_info
+ pkgs.arc-theme
+ pkgs.arc-icon-theme
+ pkgs.hicolor_icon_theme
+ pkgs.elementary-xfce-icon-theme
+
+ pkgs.rxvt_unicode
+ pkgs.redshift
+ pkgs.xorg.xbacklight
+ # internet / communication stuff
+ pkgs.pulseaudioFull
+ pkgs.pamixer
+ pkgs.pulsemixer
+ pkgs.google-chrome
+ pkgs.chromium
+ pkgs.firefox
+ #pkgs.flashplayer
+ pkgs.discord
+ pkgs.tdesktop
+ pkgs.thunderbird
+ pkgs.keepassxc
+ pkgs.xorg.xkill
+ pkgs.nextcloud-client
+ pkgs.rxvt_unicode
+ pkgs.networkmanager_openvpn
+ pkgs.networkmanager_vpnc
+ pkgs.networkmanager_strongswan
+ pkgs.networkmanagerapplet
+ pkgs.signal-desktop
+ pkgs.anydesk
+ pkgs.keybase
+ pkgs.keybase-gui
+ pkgs.kbfs
+ #stable.spotify
+ pkgs.pavucontrol
+ pkgs.gnupg
+ pkgs.libsecret
+# pkgs.gnome3.gnome-keyring
+ ];
+
+ services.xserver = {
+ enable = true;
+ layout = "de";
+ displayManager.lightdm.enable = true;
+ };
+ services.gnome3.gnome-keyring = {
+ enable = true;
+ };
+
+ fonts = {
+ enableFontDir = true;
+ enableGhostscriptFonts = true;
+ fonts = with pkgs; [
+ corefonts
+ roboto
+ inconsolata
+ ubuntu_font_family
+ unifont
+ terminus_font
+ powerline-fonts
+ ];
+ };
+# security.pam.enableGnomeKeyring = {
+# enable = true;
+# };
+}
diff --git a/config/i3.nix b/config/i3.nix
new file mode 100755
index 0000000..ea0b86f
--- /dev/null
+++ b/config/i3.nix
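Review bot: The commented block at the end of the hunk, `security.pam.enableGnomeKeyring = { enable = true; };`, is not the shape of the real option, which is per PAM service and boolean: `security.pam.services.lightdm.enableGnomeKeyring = true;`. Without it `services.gnome3.gnome-keyring.enable` (set a few lines above) starts the daemon but nothing unlocks the keyring at login, so applications that store secrets through the `pkgs.libsecret` installed here will presumably get a separate unlock prompt. `pkgs.rxvt_unicode` is listed twice, and `pkgs.anydesk` puts a remote-control tool into the system profile of every GUI host; if it is only needed occasionally, `nix-shell -p anydesk` keeps it out of the permanent install.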
@@ -0,0 +1,48 @@
+# i3.nix: use i3 as the desktop manager
+
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ # window manager + basic essentials
+ pkgs.lightdm
+ pkgs.i3
+ pkgs.i3status
+ pkgs.i3status-rust
+ pkgs.i3lock-fancy
+ pkgs.xautolock
+ pkgs.dmenu
+ pkgs.j4-dmenu-desktop
+ pkgs.powerline-fonts
+ pkgs.font-awesome
+ pkgs.font-awesome-ttf
+ pkgs.font-awesome_5
+ pkgs.font-awesome_4
+ pkgs.lxappearance
+
+ pkgs.xfce.exo
+ pkgs.xfce.gvfs
+ pkgs.xfce.thunar
+ pkgs.xfce.thunar_volman
+ pkgs.xfce.thunar-archive-plugin
+ pkgs.xfce.xfce4icontheme
+ pkgs.xfce.terminal
+ # internet / communication stuff
+ pkgs.tdesktop
+ pkgs.rofi
+ pkgs.maim
+ pkgs.pasystray
+ pkgs.feh
+ pkgs.networkmanager_dmenu
+ pkgs.udiskie
+ pkgs.inconsolata
+ pkgs.termite
+ ];
+
+ services.xserver = {
+ windowManager.i3.enable = true;
+ };
+ services.gnome3.at-spi2-core.enable = true;
+ services.dbus.socketActivated = true;
+
+}
diff --git a/config/laptop.nix b/config/laptop.nix
new file mode 100755
index 0000000..1b9c39c
--- /dev/null
+++ b/config/laptop.nix
@@ -0,0 +1,15 @@
+# laptop.nix: basic laptop config, power management, etc
+
+{ config, pkgs, ... }:
+
+{
+
+ environment.systemPackages = with pkgs; [
+ pkgs.powertop
+ pkgs.acpi
+ pkgs.upower
+ ];
+
+ services.upower.enable = true;
+
+}
diff --git a/config/screenlock.nix b/config/screenlock.nix
new file mode 100755
index 0000000..d92e031
--- /dev/null
+++ b/config/screenlock.nix
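Review bot: `services.dbus.socketActivated = true;` on the second-to-last line of the i3.nix hunk is, to my knowledge, an option that recent NixOS releases removed because D-Bus socket activation became unconditional, so on 20.09 evaluation may stop with an unknown-option error; please check it with `nixos-option services.dbus.socketActivated` and delete the line if it no longer exists. `pkgs.lightdm` in the package list is redundant since gui.nix already enables `services.xserver.displayManager.lightdm`. `pkgs.xautolock` is installed but nothing in this commit configures an idle timeout for it; hosts/dynamix.nix locks via xss-lock instead, so one of the two mechanisms should probably go.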
@@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+
+#with import ;
+
+let
+ cfg = config.screenlock;
+
+ out = {
+ options.screenlock = api;
+ };
+
+ api = {
+ enable = mkEnableOption "screenlock";
+ command = mkOption {
+ type = types.str;
+ default = "${pkgs.xlockmore}/bin/i3lock-fancy";
+ };
+ };
+
+ imp = {
+ systemd.services.screenlock = {
+ before = [ "sleep.target" ];
+ wantedBy = [ "sleep.target" ];
+ environment = {
+ DISPLAY = ":${toString config.services.xserver.display}";
+ };
+ serviceConfig = {
+ SyslogIdentifier = "screenlock";
+ ExecStart = cfg.command;
+ Type = "simple";
+ User = "templis";
+ };
+ };
+ };
+
+in out
diff --git a/config/unify.nix b/config/unify.nix
new file mode 100755
index 0000000..b3d5790
--- /dev/null
+++ b/config/unify.nix
@@ -0,0 +1,10 @@
+ # unify.nix: config for unify network devices
+
+ { config, lib, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ pkgs.unifi
+ ];
+services.unifi.enable = true;
+}
diff --git a/config/users.nix b/config/users.nix
new file mode 100755
index 0000000..20d59e9
--- /dev/null
+++ b/config/users.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+ users.extraUsers.templis = {
+ isNormalUser = true;
+ createHome = true;
+ uid = 1000;
+ group = "users";
+ extraGroups = [
+ "wheel" "audio" "video" "netdev" "networkmanager" "systemd-journal"
+ ];
+ shell = "/run/current-system/sw/bin/zsh";
+ };
+
+}
diff --git a/configuration.nix b/configuration.nix
new file mode 120000
index 0000000..592620c
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1 @@
+hosts/dynamix.nix
\ No newline at end of file
diff --git a/configuration.nix.bak b/configuration.nix.bak
new file mode 100644
index 0000000..065f8ff
--- /dev/null
+++ b/configuration.nix.bak
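Review bot: The screenlock.nix module does not work as written: `mkEnableOption`, `mkOption` and `types` are used unqualified while the `with import ...;` line is commented out and `lib` is not in the argument set, and `out` only declares `options.screenlock` — `imp` is never attached under `config`, so `screenlock.enable = true` produces no systemd unit. The default `"${pkgs.xlockmore}/bin/i3lock-fancy"` also points into the wrong package; the binary ships as `pkgs.i3lock-fancy`. `User = "templis"` hard-codes the account, which defeats the point of a reusable module; an option for the user would keep it host-independent. The minimal repair takes `lib` as a module argument and wires `imp` in under `config`:
```nix
{ pkgs, config, lib, ... }:

with lib;

let
  # … unchanged: cfg …

  out = {
    options.screenlock = api;
    config = mkIf cfg.enable imp;
  };

  # … unchanged: api, except the default below …
      default = "${pkgs.i3lock-fancy}/bin/i3lock-fancy";

  # … unchanged: imp …
```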
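Review bot: `services.unifi.enable = true;` in the unify.nix hunk brings up the UniFi controller (Java plus an embedded MongoDB) and, if I remember the module correctly, its `openPorts` option defaults to true and opens the controller's inform and web ports through the firewall that base.nix enables; on a laptop that roams across untrusted networks set `services.unifi.openPorts = false;` and reach the UI over localhost or a VPN. Nothing in this commit imports config/unify.nix (hosts/dynamix.nix does not list it), so the file is currently dead, and the name says "unify" while the package and service are "unifi". The first four lines are indented one space differently from the rest of the file.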
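Review bot: In the users.nix hunk, `users.extraUsers` is a deprecated alias of `users.users`, and `shell = "/run/current-system/sw/bin/zsh";` is a string path that only works while zsh happens to be in the system profile; the conventional form is `shell = pkgs.zsh;` together with `programs.zsh.enable = true;`, which hosts/dynamix.nix sets but this module does not, so the module silently relies on the host. The group `"netdev"` is a Debian convention; I do not believe NixOS defines it, and a group that does not exist is simply ignored in `extraGroups`, so it is dead weight — verify with `getent group netdev`.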
@@ -0,0 +1,112 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+ boot.initrd.availableKernelModules = [ "aes_x86_64" "aesni_intel" "cryptd" ];
+
+ swapDevices = [{device = "/swapfile"; size = 10000;}];
+
+ # networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Set your time zone.
+ # time.timeZone = "Europe/Amsterdam";
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.eno0.useDHCP = true;
+ networking.interfaces.wlp2s0.useDHCP = true;
+ networking.interfaces.wwp0s20u4i6.useDHCP = true;
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # };
+
+ # Enable the GNOME 3 Desktop Environment.
+ services.xserver.enable = true;
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome3.enable = true;
+
+
+ # Configure keymap in X11
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.jane = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ wget vim
+ firefox
+ ntfs3g
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+}
+
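Review bot: configuration.nix.bak is a stale copy of the installer template that hosts/dynamix.nix supersedes (configuration.nix is made a symlink to it in this same commit), and it still carries the machine-specific `networking.interfaces.*` and `boot.loader.grub.device = "/dev/sda"` lines, so it will drift from the live config; I would not commit it, or would add `*.bak` to .gitignore. If it is kept deliberately, a first-line header such as `# superseded by hosts/dynamix.nix; reference copy only, not evaluated` stops the next reader from editing the wrong file.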
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..f067545
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5d9455de-01c4-4e45-b89d-ec8b39c50c25";
+ fsType = "btrfs";
+ options = [ "subvol=nixos" ];
+ };
+
+ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/f116eea8-651d-4c93-bfb4-6c3fcb74a94d";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/7d02a865-66af-4711-abbb-ac2e5741899f";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/hosts/dynamix.nix b/hosts/dynamix.nix
new file mode 100755
index 0000000..5506aff
--- /dev/null
+++ b/hosts/dynamix.nix
@@ -0,0 +1,152 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ../hardware-configuration.nix
+ ../config/base.nix
+ ../config/users.nix
+ ../config/laptop.nix
+ ../config/gui.nix
+ ../config/i3.nix
+ ../config/gnome.nix
+ #../config/grsec.nix
+ ];
+ services.xserver.displayManager.defaultSession = "none+i3"; # set default WM
+ networking.hostName = "dynamix"; # Set Hostname
+
+ # https://bugzilla.kernel.org/show_bug.cgi?id=1l0941
+ boot.kernelParams = ["intel_pstate=no_hwp" ];
+
+ # Supposedly better for the SSD
+ fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ #boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ #boot.loader.grub.device = "nodev"; # or "nodev" for efi only
+ #boot.loader.efi.canTouchEfiVariables = true;
+ #boot.loader.grub.gfxmodeEfi = "1024x768";
+ #boot.loader.systemd-boot.enable = true;
+ #boot.loader.efi.canTouchEfiVariables = true;
+ #boot.cleanTmpDir = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "aes_x86_64" "aesni_intel" "cryptd" ];
+
+ swapDevices = [{device = "/swapfile"; size = 10000;}];
+
+ #networking.useNetworkd = true; # Use Networkd as default Networking Daemon - suitable on static Networks e.g. PCs
+ networking.networkmanager.enable = true; # Use Networkmanager as defaukt Networking Daemon - suitable on dynamic Networks e.g. Laptops
+
+ hardware.pulseaudio.package = pkgs.pulseaudioFull; # support for bluetooth headsets
+ hardware.bluetooth.enable = true;
+
+ # Have stable and unstable Packages
+ nixpkgs.config = {
+ # Allow proprietary packages
+ allowUnfree = true;
+
+ # Create an alias for the unstable channel
+ packageOverrides = pkgs: {
+ unstable = import {
+ # pass the nixpgs config to the unstable alias
+ # to ensure 'allowUnfree = true;' is propagated:
+ config = config.nixpkgs.config;
+ };
+ # stable = import {
+ # pass the nixpgs config to the unstable alias
+ # to ensure 'allowUnfree = true;' is propagated:
+ # config = config.nixpkgs.config;
+ # };
+ };
+
+ #firefox.enableAdobeFlash = true;
+ #chromium.enablePepperFlash = true;
+ #google-chrome-stable.enablePepperFlash = true;
+ };
+
+ # List packages installed in system profile. To search by name, run:
+ # $ nix-env -qaP | grep wget
+ environment.systemPackages = with pkgs; [
+ acpi
+ acpitool
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ programs.bash.enableCompletion = true;
+ # programs.mtr.enable = true;
+ programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+ networking.firewall.allowPing = true;
+
+ services.journald.extraConfig = ''
+ MaxRetentionSec=4day
+ '';
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable touchpad support.
+ services.xserver.libinput.enable = true;
+
+ # Enable the KDE Desktop Environment.
+ # services.xserver.displayManager.sddm.enable = true;
+ # services.xserver.desktopManager.plasma5.enable = true;
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+ # Enable Autoupgrades
+ system.autoUpgrade.enable = true;
+
+ # enable pulseaudio
+ hardware.pulseaudio.enable = true;
+ hardware.pulseaudio.support32Bit = true;
+
+ # Add user to sudoers file
+ security.sudo.configFile = "templis ALL=(ALL) NOPASSWD: ALL";
+
+ programs.zsh.enable = true;
+
+ services.acpid = {
+ enable = true;
+ lidEventCommands = ''
+ if grep -q closed /proc/acpi/button/lid/LID/state; then
+ date >> /tmp/i3lock.log
+ DISPLAY=":0.0" XAUTHORITY=/home/templis/.Xauthority ${pkgs.i3lock}/bin/i3lock-fancy &>> /tmp/i3lock.log
+ fi
+ '';
+ };
+ systemd.user.services.i3lock-sleep = {
+ enable = true;
+ description = "Automatically lock screen before going to sleep";
+ wantedBy = [ "default.target" ];
+ path = with pkgs; [ xss-lock i3lock-fancy getopt fontconfig ];
+ serviceConfig = {
+ Restart = "always";
+ ExecStart = "${pkgs.xss-lock}/bin/xss-lock ${pkgs.i3lock-fancy}/bin/i3lock-fancy";
+ };
+ };
+}
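Review bot: `security.sudo.configFile = "templis ALL=(ALL) NOPASSWD: ALL";` replaces the whole generated sudoers file, so the stock `Defaults` lines and the root/`%wheel` rules disappear and templis gets passwordless root from any session; since users.nix already puts templis in `wheel`, the same intent with the stock file intact is `security.sudo.wheelNeedsPassword = false;` (or, if the rule must be user-specific, `security.sudo.extraRules = [ { users = [ "templis" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } ];`), and keeping the password prompt is better still. The `services.acpid.lidEventCommands` script runs as root and appends to `/tmp/i3lock.log`, a predictable path in a world-writable directory; log through `logger` or to a root-owned file under /var/log instead, and since the `i3lock-sleep` xss-lock unit below already locks the user session, the root-run `${pkgs.i3lock}/bin/i3lock-fancy` invocation (which also names a binary from a different package) can probably be dropped. `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens two ports that no service in this commit listens on. The `unstable = import {` line and the commented `stable` one appear to have lost their `<channel>` path in this rendering — confirm the committed file reads `import <nixos-unstable> {`.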