Ups, remove merge mistakes

2025-11-28 16:51:42 +01:00
parent d068384a44
commit ecf934e979
7 changed files with 0 additions and 884 deletions


@@ -1,215 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.features.desktop;
configuration = {
hardware.bluetooth.enable = true;
services.pulseaudio = {
enable = false;
extraModules = [ ];
extraConfig = ''
load-module module-bluetooth-policy
load-module module-bluetooth-discover
'';
};
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
wireplumber = {
enable = true;
# Need to generate lua config for bluetooth codecs
configPackages = [
(pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'')
];
};
# TODO: Is this needed?
jack.enable = true;
};
environment.systemPackages = with pkgs; [
pamixer # pulseaudio sound mixer
pavucontrol # pulseaudio volume control
];
powerManagement = {
enable = false;
cpuFreqGovernor = "ondemand";
};
programs.dconf.enable = true;
security.pam.services.login.enableGnomeKeyring = true;
services.dbus.enable = true;
services.dbus.packages = [
pkgs.gnome-keyring
pkgs.gcr
];
services.blueman.enable = true;
services.upower.enable = true;
services.displayManager = {
enable = true;
logToFile = true;
};
fonts.packages = with pkgs; [
ubuntu-sans
ubuntu-classic
vollkorn
font-awesome
caladea
carlito
cantarell-fonts
comic-relief
liberation_ttf
fira
fira-mono
fira-code
fira-code-symbols
dejavu_fonts
powerline-fonts
unifont
siji
tamsyn
noto-fonts
noto-fonts-emoji
material-icons
nerd-fonts.jetbrains-mono
nerd-fonts._0xproto
nerd-fonts.droid-sans-mono
];
security.pam.services.swaylock = {
text = ''
auth include login
'';
};
};
x11 = {
services.xserver = {
enable = true;
enableCtrlAltBackspace = true;
xkb = {
layout = "us";
variant = "altgr-intl";
options = "eurosign:e";
};
desktopManager.xterm.enable = true;
displayManager.gdm.enable = !(cfg.wayland.enable);
wacom.enable = false;
};
};
wayland = {
services.xserver.desktopManager.xterm.enable = false;
services.xserver.displayManager.gdm.enable = true;
services.xserver.displayManager.gdm.wayland = true;
programs.regreet = {
enable = true;
cageArgs = [
"-s"
"-m"
"extend"
];
settings = {
background = {
path = "${pkgs.nixos-artwork.wallpapers.mosaic-blue}/share/backgrounds/nixos/nix-wallpaper-mosaic-blue.png";
fit = "Fill"; # Contain, Cover
};
GTK = {
application_prefer_dark_theme = false;
};
appearance = {
greeting_msg = "May the foo be with you.";
};
};
};
programs.sway.enable = true;
# programs.river.enable = true;
};
hyprland = {
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
};
programs = {
hyprland.enable = true;
hyprlock.enable = true;
waybar.enable = true;
};
security = {
pam.services.hyprlock = {
text = ''
auth include login
'';
};
};
};
plasma = {
services = {
blueman.enable = lib.mkForce false;
upower.enable = lib.mkForce false;
displayManager.sddm = {
enable = true;
wayland.enable = true;
};
desktopManager.plasma6 = {
enable = true;
};
};
environment.systemPackages = with pkgs; [
pinentry-qt
wl-clipboard
];
environment.sessionVariables = {
MOZ_ENABLE_WAYLAND = "1";
};
};
in
{
options.features.desktop = {
enable = mkEnableOption "Enable desktop configs";
x11.enable = mkEnableOption "Enable X11";
wayland.enable = mkEnableOption "Enable Wayland";
hyprland.enable = mkEnableOption "Enable Hyprland";
plasma.enable = mkEnableOption "Enable KDE Plasma";
};
config = mkMerge [
(mkIf cfg.enable configuration)
(mkIf (cfg.enable && cfg.x11.enable) x11)
(mkIf (cfg.enable && cfg.wayland.enable) wayland)
(mkIf (cfg.enable && cfg.hyprland.enable) hyprland)
(mkIf (cfg.enable && cfg.plasma.enable) plasma)
];
}


@@ -1,115 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.features.lan;
configuration = {
services.cntlm.netbios_hostname = config.networking.hostName;
services.samba = {
enable = true;
nmbd.enable = true;
nsswins = true;
};
networking.firewall = {
allowedTCPPorts = [
139
445
];
allowedUDPPorts = [
137
138
];
};
security.krb5 = {
enable = cfg.krb5.enable;
settings = {
libdefaults = {
default_realm = cfg.krb5.default_realm;
};
domain_realm = cfg.krb5.domain_realm;
realms = cfg.krb5.realms;
};
};
# Ugly hack because of hard coded kernel path
system.activationScripts.symlink-requestkey = ''
if [ ! -d /sbin ]; then
mkdir /sbin
fi
ln -sfn /run/current-system/sw/bin/request-key /sbin/request-key
'';
environment.systemPackages = [ pkgs.krb5 ];
# request-key expects a configuration file under /etc
environment.etc."request-key.conf" = {
text =
let
upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
keyctl = "${pkgs.keyutils}/bin/keyctl";
in
''
#OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM
# -t is required for DFS share servers...
create cifs.spnego * * ${upcall} -t %k
create dns_resolver * * ${upcall} %k
# Everything below this point is essentially the default configuration,
# modified minimally to work under NixOS. Notably, it provides debug
# logging.
create user debug:* negate ${keyctl} negate %k 30 %S
create user debug:* rejected ${keyctl} reject %k 30 %c %S
create user debug:* expired ${keyctl} reject %k 30 %c %S
create user debug:* revoked ${keyctl} reject %k 30 %c %S
create user debug:loop:* * |${pkgs.coreutils}/bin/cat
create user debug:* * ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
negate * * * ${keyctl} negate %k 30 %S
'';
};
};
in
{
options.features.lan = {
enable = mkEnableOption "Enable LAN configs";
domain = mkOption {
type = types.str;
default = "";
};
domainSearch = mkOption {
type = types.listOf types.str;
default = [ cfg.lan.domain ];
};
krb5 = {
enable = mkEnableOption "Enable Kerberos";
default_realm = mkOption {
type = types.str;
default = "";
};
domain_realm = mkOption {
type = types.attrs;
default = { };
};
realms = mkOption {
type = types.attrs;
default = { };
};
};
};
config = mkMerge [
(mkIf cfg.enable configuration)
];
}


@@ -1,60 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.features.laptop;
hibernateEnvironment = {
HIBERNATE_SECONDS = "10800";
HIBERNATE_LOCK = "/var/run/autohibernate.lock";
};
configuration = {
services.libinput.touchpad.disableWhileTyping = true;
systemd.services."awake-after-suspend-for-a-time" = {
description = "Sets up the suspend so that it'll wake for hibernation";
wantedBy = [ "suspend.target" ];
before = [ "systemd-suspend.service" ];
environment = hibernateEnvironment;
script = ''
curtime=$(date +%s)
echo "$curtime $1" >> /tmp/autohibernate.log
echo "$curtime" > $HIBERNATE_LOCK
${pkgs.utillinux}/bin/rtcwake -m no -s $HIBERNATE_SECONDS
'';
serviceConfig.Type = "simple";
};
systemd.services."hibernate-after-recovery" = {
description = "Hibernates after a suspend recovery due to timeout";
wantedBy = [ "suspend.target" ];
after = [ "systemd-suspend.service" ];
environment = hibernateEnvironment;
script = ''
curtime=$(date +%s)
sustime=$(cat $HIBERNATE_LOCK)
rm $HIBERNATE_LOCK
if [ $(($curtime - $sustime)) -ge $HIBERNATE_SECONDS ] ; then
systemctl hibernate
else
${pkgs.utillinux}/bin/rtcwake -m no -s 1
fi
'';
serviceConfig.Type = "simple";
};
};
in
{
options.features.laptop = {
enable = mkEnableOption "Enable laptop configs";
};
config = mkMerge [
(mkIf cfg.enable configuration)
];
}


@@ -1,179 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.features.os;
configuration = {
networking = {
networkmanager = {
enable = cfg.networkmanager.enable;
unmanaged = [
"interface-name:veth*"
"interface-name:docker*"
];
};
firewall.trustedInterfaces = [
"docker0"
"cbr0"
"veth+"
];
};
users.extraUsers.admin.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;
users.extraUsers.root.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;
programs.vim.defaultEditor = true;
programs.vim.enable = true;
programs.fish.enable = true;
programs.tmux.enable = true;
services.openssh.enable = true;
services.gvfs.enable = true;
services.fwupd.enable = true;
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
Defaults lecture=never
Defaults shell_noargs
root ALL=(ALL) SETENV: ALL
%wheel ALL=(ALL) NOPASSWD: ALL, SETENV: ALL
'';
security.rtkit.enable = true;
security.pam.services.sshd.googleAuthenticator.enable = true;
# $ ecryptfs-migrate-home -u <username>
# security.pam.enableEcryptfs = true;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "21.05";
system.autoUpgrade = {
enable = false;
dates = "02:00";
randomizedDelaySec = "45min";
channel = "https://nixos.org/channels/nixos-25.05";
};
nixpkgs.config.allowUnfree = true;
boot = {
tmp.cleanOnBoot = true;
# Boot animation
plymouth.enable = true;
initrd = {
checkJournalingFS = false;
# Quiet boot
verbose = false;
# Use zstd compression instead of gzip for initrd
compressor = "zstd";
# Make boot more reliable by using systemd inside initrd
systemd.enable = true;
};
};
nix = {
package = pkgs.nixVersions.stable;
# package = pkgs.nixVersions.nix_2_23;
settings = {
# Cleanup
auto-optimise-store = true;
# Keep them for debugging
keep-derivations = true;
keep-outputs = true;
experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 14d";
};
extraOptions = ''
# See https://jackson.dev/post/nix-reasonable-defaults/
connect-timeout = 5
download-attempts = 2
log-lines = 25
warn-dirty = false
fallback = true
# Only brings pain
flake-registry = ""
'';
};
};
docker = {
virtualisation.docker.enable = cfg.docker.enable;
virtualisation.docker.autoPrune.enable = true;
virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
networking = {
nat.enable = true;
nat.internalInterfaces = [ "veth+" ];
nat.externalInterface = if cfg.externalInterface == null then [ ] else cfg.externalInterface;
};
};
nfs = {
networking = {
firewall.allowedTCPPorts = [
111
2049
];
firewall.allowedUDPPorts = [
111
2049
24007
24008
];
};
environment.systemPackages = with pkgs; [ nfs-utils ];
services.nfs.server = {
enable = true;
exports = cfg.nfs.exports;
};
};
in
{
options.features.os = {
networkmanager.enable = mkEnableOption "Enable NetworkManager";
docker.enable = mkEnableOption "Enable Docker";
externalInterface = mkOption {
type = types.nullOr types.str;
default = null;
description = "External interface (i.e. for Docker nat)";
};
adminAuthorizedKeys = mkOption {
type = types.listOf types.str;
default = [ ];
};
nfs = {
enable = mkEnableOption "Enable nfs fileserver";
exports = mkOption {
type = types.str;
default = "";
};
};
};
config = mkMerge [
configuration
(mkIf cfg.docker.enable docker)
(mkIf cfg.nfs.enable nfs)
];
}


@@ -1,68 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.features.packages;
configuration = {
environment.systemPackages = with pkgs; [
stdenv
findutils
coreutils
psmisc
iputils
nettools
netcat
inetutils
rsync
iotop
wget
neovim-unwrapped
helix
unzip
zip
bind
file
bc
bun
sshuttle
lsof
patchelf
binutils
git
gcc
nmap
gnupg
nixos-container
nix-prefetch-git
cachix
cifs-utils
keyutils
fuse
home-manager
google-authenticator
surf
zathura
cmake
doxygen
graphviz
];
};
in
{
options.features.packages = {
enable = mkOption {
type = types.bool;
default = true;
description = "Enable default system packages";
};
};
config = mkMerge [
(mkIf cfg.enable configuration)
];
}


@@ -1,210 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.features.pki;
certName = attrs: {
CN = "${attrs.name}";
O = "${attrs.o}";
OU = "${attrs.name}.pki.caSpec";
L = "certmgr";
};
ca_csr = pkgs.writeText "${cfg.name}-csr.json" (
builtins.toJSON {
CN = "${cfg.name}";
key = {
algo = cfg.algo;
size = if cfg.algo == "ecdsa" then 256 else 2048;
};
names = [ (certName cfg) ];
}
);
# make ca derivation sha depend on initca cfssl output
initca = pkgs.stdenv.mkDerivation {
name = cfg.name;
src =
if cfg.ca != ./. then
cfg.ca
else
pkgs.runCommand "initca" { buildInputs = [ pkgs.cfssl ]; } ''
cfssl genkey -initca ${ca_csr} | cfssljson -bare ca;
mkdir -p $out; cp *.pem $out
'';
buildCommand = ''
mkdir -p $out;
cp -r $src/* $out
'';
};
ca = {
key = "${initca}/ca-key.pem";
cert = "${initca}/ca.pem";
};
ca-config = pkgs.writeText "ca-config.json" ''
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"default": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
'';
gencsr =
args:
let
csr = {
CN = "${args.cn}";
key = {
algo = cfg.algo;
size = if cfg.algo == "ecdsa" then 256 else 2048;
};
names = [ (certName args) ];
hosts = args.hosts;
};
in
pkgs.writeText "${args.cn}-csr.json" (builtins.toJSON csr);
# Example usage:
# gencert { cn = "test"; ca = ca; o = "test; };
gencert =
cn: attrs:
let
conf = {
inherit ca cn;
csr = gencsr {
cn = cn;
hosts = attrs.hosts;
};
};
cfssl = conf: ''
cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
-config=${ca-config} -profile=default ${conf.csr} | \
cfssljson -bare cert; \
mkdir -p $out; cp *.pem $out
'';
in
pkgs.runCommand "${cn}" {
buildInputs = [ pkgs.cfssl ];
} (cfssl conf);
certmgr = {
services.certmgr = {
enable = true;
package = pkgs.certmgr-selfsigned;
svcManager = "command";
specs =
let
secret = name: "/var/lib/secrets/${name}.pem";
mkSpec = name: cert: {
service = name;
action = "reload";
authority = {
file.path = ca.cert;
};
certificate = {
path = secret name;
};
private_key = {
owner = "root";
group = "root";
mode = "0600";
path = secret "${name}-key";
};
request = {
CN = name;
hosts = [ name ] ++ cert.hosts;
key = {
algo = "rsa";
size = 2048;
};
names = certName cfg;
};
};
in
mapAttrs mkSpec cfg.certs;
};
};
# gencerts = {
# mapAttrs gencert cfg.certs;
# };
configuration = {
security.pki.certificateFiles = [ ca.cert ];
};
in
{
options.features.pki = {
enable = mkEnableOption "Enable default system packages";
ca = mkOption {
type = types.path;
default = ./.;
description = "Path to ca certificate to use as Root CA.";
};
algo = mkOption {
type = types.str;
default = "rsa";
};
name = mkOption {
type = types.str;
default = "ca";
};
o = mkOption {
type = types.str;
default = "NixOS";
};
certs = mkOption {
type = types.attrsOf types.attrs;
default = { };
example = {
"example.local" = {
hosts = [ ];
};
};
};
certmgr = {
enable = mkEnableOption "Enable certmgr";
domain = mkOption {
type = types.str;
default = "local";
};
};
static.enable = mkEnableOption "Generate static cert derivations";
};
config = mkMerge [
(mkIf cfg.enable configuration)
(mkIf (cfg.enable && cfg.certmgr.enable) certmgr)
# (mkIf (cfg.enable && cfg.static.enable) gencerts)
];
}


@@ -1,37 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.features.server;
configuration = {
environment.systemPackages = with pkgs; [
nmap
];
powerManagement = {
enable = false;
cpuFreqGovernor = "ondemand";
};
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
in
{
options.features.server = {
enable = mkEnableOption "Enable server configs";
};
config = mkMerge [
(mkIf cfg.enable configuration)
];
}