steveej-t14: init #76

Merged
steveej merged 3 commits from pr/init-steveej-t14 into master 2020-12-23 17:47:00 +00:00
11 changed files with 227 additions and 2 deletions


@ -55,4 +55,7 @@ just --list
* boot with an install media and go through setup * boot with an install media and go through setup
#### Post-Install Setup #### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
* `gpg2 --edit-card; fetch` * `gpg2 --edit-card; fetch`
* clone password-manager and infra repositories
* gpg2: ultimately trust my own key


@ -316,7 +316,8 @@ in {
enableScDaemon = true; enableScDaemon = true;
enableSshSupport = true; enableSshSupport = true;
grabKeyboardAndMouse = true; grabKeyboardAndMouse = true;
extraConfig = "pinentry-program ${pkgs.pinentry-gtk2}/bin/pinentry"; pinentryFlavor = "gtk2";
extraConfig = "";
}; };
flameshot.enable = true; flameshot.enable = true;
}; };
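Review bot: The added `extraConfig = "";` next to `pinentryFlavor = "gtk2";` sets the option to what is presumably already its default, so it reads as a leftover from removing the old `pinentry-program` line. Dropping it keeps the gpg-agent block limited to settings that change behaviour. The enclosing attribute set starts outside the hunk.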


@ -0,0 +1,8 @@
{ lib
, ...
}:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}
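Review bot: Both boot-loader options are set with `lib.mkForce`, and nothing in the file says which earlier definition is being overridden or why this module must win. A short header comment would make the override reviewable, for example `# install GRUB to the removable-media EFI path and never write EFI variables; forced over the profile defaults`. Without it, a later reader cannot tell whether the force is still needed once the overridden definition changes.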


@ -0,0 +1,14 @@
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix
../../modules/encryptedDisk.nix
./system.nix
./hw.nix
./pkg.nix
./user.nix
];
}


@ -0,0 +1,30 @@
{ ... }:
let
stage1Modules = [
"aesni_intel"
"kvm-intel"
"aes_x86_64"
"nvme"
"nvme_core"
"pcieport"
"thunderbolt"
"e1000e"
"xhci_pci"
"hxci_hcd"
];
in
{
# TASK: new device
hardware.encryptedDisk = {
enable = true;
diskId = "nvme-SKHynix_HFS001TD9TNI-L2B0B_CJ0AN89731030AV3Q";
};
# boot.initrd.availableKernelModules = stage1Modules;
boot.initrd.kernelModules = stage1Modules;
boot.extraModprobeConfig = ''
'';
}
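Review bot: `"hxci_hcd"` in `stage1Modules` looks like a transposition of `"xhci_hcd"`. The list is assigned to `boot.initrd.kernelModules`, so a name that matches no module will either break the initrd build or be skipped, leaving the USB host controller driver out of stage 1; which of the two happens is not visible from here. Separately, `diskId` embeds what appears to be the drive's serial number; if this repository is published, consider keeping it with the other per-device values under `variables/` instead. The commented-out `boot.initrd.availableKernelModules` line and the empty `boot.extraModprobeConfig` can be dropped.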


@ -0,0 +1,12 @@
{ pkgs
, ...
}:
{
nixpkgs.config.packageOverrides = pkgs: with pkgs; {
nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; };
services.teamviewer.enable = true;
system.stateVersion = "20.09";
}
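Review bot: `services.teamviewer.enable = true;` starts a proprietary remote-access daemon on every boot, and the file gives no reason for it. On a host that this same change configures with an encrypted disk and a hardware wallet, a permanently running remote-control service is the widest remote attack surface in the configuration. I would leave it out of the default profile (`services.teamviewer.enable = false;`) and enable it only for the session that needs it, or at least add a comment stating why it must always run. `with pkgs;` in the `packageOverrides` function is not used by the body shown.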


@ -0,0 +1,79 @@
{ pkgs
, lib
, config
, ... }:
let
keys = import ../../../variables/keys.nix;
in {
# TASK: new device
networking.hostName = "steveej-t14"; # Define your hostname.
networking.bridges."virbr1".interfaces = [];
networking.interfaces."virbr1".ipv4.addresses = [
{ address = "10.254.254.254"; prefixLength = 24; }
];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# syncthing
22000
# iperf3
5201
];
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
services.printing = {
enable = true;
drivers = with pkgs; [
hplip
mfcl3770cdw.driver
mfcl3770cdw.cupswrapper
];
};
services.fprintd.enable = true;
security.pam.services = {
login.fprintAuth = true;
sudo.fprintAuth = true;
};
# virtualization
virtualisation = {
libvirtd = {
enable = true;
};
virtualbox.host = {
enable = false ;
addNetworkInterface = false;
};
docker = {
enable = true;
extraOptions = "--experimental";
};
};
security.pki.certificateFiles = [
"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
];
services.xserver.videoDrivers = [ "modesetting" ];
services.xserver.serverFlagsSection = ''
Option "BlankTime" "0"
Option "StandbyTime" "0"
Option "SuspendTime" "0"
Option "OffTime" "0"
'';
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
hardware.ledger.enable = true;
}
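Review bot: Ports 22000 and 5201 are opened through the global `networking.firewall.allowedTCPPorts`, so on a laptop they are reachable on every network the machine joins, including the iperf3 port that is only needed while a measurement runs. Scoping them per interface with `networking.firewall.interfaces.<name>.allowedTCPPorts = [ 22000 ];` and opening 5201 ad hoc would narrow that exposure. With `logRefusedConnections = false` there is also no log trail of probes against the host. `sudo.fprintAuth = true;` presumably makes a fingerprint alone sufficient for privilege escalation, which deserves a comment confirming it is intended. The `keys` binding in the `let` block is not used in this file.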


@ -0,0 +1,15 @@
{ config
, pkgs
, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix { }) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
};
}
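Review bot: The account created here is `steveej2`, while pkg.nix in this same change attaches the home-manager configuration to `steveej`; unless an imported profile defines `steveej`, the two do not refer to the same user, so please confirm which name is intended. No password attribute is passed to `mkUser`, and whether the helper supplies one is not visible from this file. A one-line comment such as `# password comes from mkUser defaults` (or an explicit attribute) would settle that. The `passwords` binding and the `config` and `pkgs` arguments are unused and can be removed.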


@ -0,0 +1,30 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-20.09";
rev = "3d2d8f281a27d466fa54b469b5993f7dde198375";
};
in
{
inherit nixpkgs;
nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4";
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = "2a058487cb7a50e7650f1657ee0151a19c59ec3b";
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-20.09";
rev = "63f299b3347aea183fc5088e4d6c4a193b334a41";
};
}


@ -0,0 +1,30 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-20.09";
rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
};
in
{
inherit nixpkgs;
nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-20.09";
rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
};
}
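Review bot: Three of the four `git ls-remote` templates pass a bare ref name (`nixos-20.09`, `nixos-unstable`, `release-20.09`) with no `head -n1`. `ls-remote` matches a pattern against trailing path components, so a tag or second ref of the same name would produce two lines that `tr -d '\n'` joins into one invalid `rev`. Asking for the full ref and taking one line avoids that, e.g. `git ls-remote https://github.com/NixOS/nixpkgs refs/heads/nixos-20.09 | head -n1 | awk '{ print $1 }' | tr -d '\n'`. Only the `master` entry limits the output today. The URLs also differ in case and `.git` suffix between the `url` attributes and the commands; using the same spelling in both keeps the pinned revision traceable to the source it was resolved from.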


@ -20,7 +20,7 @@
# hardware related services # hardware related services
services.illum.enable = true; services.illum.enable = true;
services.pcscd.enable = true; services.pcscd.enable = false;
hardware = { hardware = {
bluetooth.enable = true; bluetooth.enable = true;
pulseaudio = { pulseaudio = {
@ -109,6 +109,9 @@
SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="011a", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="011a", GROUP="users", MODE="0777"
SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="fffe", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="fffe", GROUP="users", MODE="0777"
SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="0001", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="0001", GROUP="users", MODE="0777"
# Yubikey 4/5 U2F+CCID
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"
''; '';
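Review bot: The new Yubikey rule in the second hunk assigns the device node to `wheel` without stating a mode, so the effective permissions depend on whatever default applies to the node. Spelling it out makes the intent reviewable: `SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel", MODE="0660"`. The context rules directly above it use `MODE="0777"`, which is much broader than what the token rule needs and may deserve the same tightening in a follow-up. The enclosing rules string starts outside the hunk.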