Diffstat (limited to 'modules/work')
-rw-r--r--modules/work/default.nix43
-rw-r--r--modules/work/hardware-configuration.nix41
-rw-r--r--modules/work/home-manager.nix81
-rw-r--r--modules/work/networking.nix87
-rw-r--r--modules/work/secrets.nix13
5 files changed, 265 insertions, 0 deletions
diff --git a/modules/work/default.nix b/modules/work/default.nix
new file mode 100644
index 0000000..2073ea5
--- /dev/null
+++ b/modules/work/default.nix
@@ -0,0 +1,43 @@
+{ lib, pkgs, ... }:
+{
+ imports = [
+ ../core
+ ../hyprland.nix
+
+ ./hardware-configuration.nix
+ ./home-manager.nix
+ ./networking.nix
+ ./secrets.nix
+ ./tailscale.nix
+ ];
+
+ system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix
+
+ users.users.jras.extraGroups = [ "networkmanager" "docker" ];
+ security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+ time.timeZone = "Europe/Amsterdam";
+
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ };
+
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.powerOnBoot = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ services.libinput.mouse.accelProfile = "flat";
+ services.libinput.mouse.accelSpeed = "-5";
+ services.upower.enable = true;
+
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ programs.gnupg.agent.enable = true;
+ programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
+}
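Review bot: `users.users.jras.extraGroups = [ "networkmanager" "docker" ]` puts jras in the `docker` group while the rootful daemon is enabled a few lines below (`virtualisation.docker.enable = true`), and membership in that group is root-equivalent on the host, which quietly undoes the hardening intent of `security.sudo.wheelNeedsPassword = lib.mkForce true` on the next line. If root-level container access is not actually needed, `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` keeps the daemon under the user's own uid and the group entry can go. If it is needed, a comment such as `# docker group is root-equivalent; accepted for this host` records the trade-off for the next reader.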
diff --git a/modules/work/hardware-configuration.nix b/modules/work/hardware-configuration.nix
new file mode 100644
index 0000000..9c8c4b1
--- /dev/null
+++ b/modules/work/hardware-configuration.nix
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/df469cf1-1acc-4bf4-86e1-ec368e5a96a1";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-0f6e3603-084c-4438-9749-36b31b6f226a".device = "/dev/disk/by-uuid/0f6e3603-084c-4438-9749-36b31b6f226a";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F0E6-4DF3";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/modules/work/home-manager.nix b/modules/work/home-manager.nix
new file mode 100644
index 0000000..c3ee4d9
--- /dev/null
+++ b/modules/work/home-manager.nix
@@ -0,0 +1,81 @@
+{ lib, pkgs, inputs, ... }:
+{
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = { inherit inputs; };
+ home-manager.users.jras = {
+ imports = [
+ ../home-manager/core
+
+ ../home-manager/hyprland.nix
+ ../home-manager/hostnet.nix
+ ../home-manager/php.nix
+ ../home-manager/ansible.nix
+ ../home-manager/python.nix
+ ];
+
+ home.username = "jras";
+ home.homeDirectory = "/home/jras";
+ home.stateVersion = "22.11";
+ home.sessionPath = [ "$HOME/.local/bin" ];
+
+ home.packages = with pkgs; [
+ slack
+ moonlight-qt
+ brightnessctl
+ google-chrome
+ ];
+
+ programs.git = {
+ userName = "Jasper Ras";
+ userEmail = lib.mkForce "jras@hostnet.nl";
+ extraConfig = { gitreview.username = "jrasper"; };
+ ignores = [
+ ".direnv"
+ ".envrc"
+ ".project"
+ ".settings/"
+ ".buildpath"
+ "tags"
+ ".hhconfig"
+ ".DS_Store"
+ ".idea/"
+ ".vagrant/"
+ "*.swp"
+ "clover.xml"
+ "yarn-error.log"
+ "gsuite-auth.json"
+ "venv/"
+ "shell.nix"
+
+ ".devenv*"
+ "devenv*"
+ ".pre-commit-config.yaml"
+ ];
+ };
+
+ programs.zsh.initExtra = ''
+ eval "$(dircolors)"
+ '';
+ programs.zsh.shellAliases = {
+ ssh = "TERM=xterm-256color ssh";
+ };
+
+ programs.pyenv.enable = true;
+ programs.pyenv.enableZshIntegration = true;
+ programs.ssh = {
+ controlMaster = "auto";
+ controlPersist = "12h";
+ serverAliveInterval = 11;
+ matchBlocks = {
+ "*.g1i.one".user = "jasras";
+ "*.os1.openstack.group.one".user = "jasras";
+ "*.one.com".user = "jasras";
+ "91.184.16.185".port = 12345;
+ "*.compute.prv.vps1-testpod-cph3.one.com".forwardAgent = true;
+ "access.*.one.com".forwardAgent = true;
+ "access.*.g1i.one".forwardAgent = true;
+ };
+ };
+ };
+}
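Review bot: the three `forwardAgent = true` match blocks (`*.compute.prv.vps1-testpod-cph3.one.com`, `access.*.one.com`, `access.*.g1i.one`) expose the local SSH agent to any privileged user on those hosts for the life of the session, and `controlPersist = "12h"` keeps the multiplexed master connection, and with it the forwarded agent, alive for up to twelve hours after the last use. If the `access.*` hosts are jump hosts, as the name suggests, `proxyJump` reaches the final target without the agent ever being forwarded, e.g. `"*.compute.prv.vps1-testpod-cph3.one.com".proxyJump = "ACCESS_HOST_PLACEHOLDER";` with `forwardAgent` dropped. Where forwarding genuinely is required, a one-line comment on each block saying why would help, and a shorter `controlPersist` limits how long an idle forwarded agent stays reachable.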
diff --git a/modules/work/networking.nix b/modules/work/networking.nix
new file mode 100644
index 0000000..99ba8d7
--- /dev/null
+++ b/modules/work/networking.nix
@@ -0,0 +1,87 @@
+{ pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ networkmanager-openvpn
+ ];
+
+ networking.hostName = "work";
+ networking.networkmanager.enable = true;
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = [ "1.1.1.1" ];
+
+ services.openvpn.servers = {
+ ghostnet = {
+ config = ''
+ client
+ remote 185.57.9.6 1194
+ cert ${config.age.secrets.ghostnet-cert.path}
+ key ${config.age.secrets.ghostnet-key.path}
+ ca ${config.age.secrets.ghostnet-ca.path}
+ auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
+ reneg-sec 0
+ cipher AES-256-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ remote-cert-tls server
+ tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ systems = {
+ config = ''
+ client
+ remote 'vpn-v2.one.com'
+ cert '${config.age.secrets.systems-cert.path}'
+ key '${config.age.secrets.systems-key.path}'
+ ca '${config.age.secrets.systems-ca.path}'
+ cipher AES-128-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ port 1200
+ remote-cert-tls server
+ tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ };
+
+ programs.update-systemd-resolved.servers = {
+ ghostnet = {
+ includeAutomatically = true;
+ settings = {
+ routeOnlyDomains = [ "hostnetbv.nl." ];
+ defaultRoute = false;
+ multicastDNS = "no";
+ dnsOverTLS = "opportunistic";
+ dnssec = "no";
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "1.1.1.1" ];
+ dnsovertls = "opportunistic";
+ llmnr = "true";
+ };
+}
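Review bot: both OpenVPN profiles (`ghostnet` and `systems`) set `comp-lzo adaptive`, which turns on link compression; compressing a tunnel that carries attacker-influenced plaintext is the precondition for VORACLE-style compression oracles, and OpenVPN has deprecated compression for that reason, so unless the server insists on it the line should be removed (on OpenVPN ≥ 2.5 `allow-compression no` makes the refusal explicit). The static `cipher AES-256-CBC` / `cipher AES-128-CBC` directives are likewise deprecated in favour of `data-ciphers`, and an AEAD entry such as `data-ciphers AES-256-GCM:AES-128-GCM` is preferable if the servers negotiate it. Separately, `services.resolved.llmnr = "true"` enables multicast name resolution on a laptop that roams onto untrusted networks, where `llmnr = "false"` is the safer setting, and the global `dnssec = "true"` versus `dnssec = "no"` on the ghostnet link deserves a comment explaining why the two differ.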
diff --git a/modules/work/secrets.nix b/modules/work/secrets.nix
new file mode 100644
index 0000000..d13599d
--- /dev/null
+++ b/modules/work/secrets.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ age.secrets.ghostnet-cert.file = ../../secrets/ghostnet-cert.age;
+ age.secrets.ghostnet-key.file = ../../secrets/ghostnet-key.age;
+ age.secrets.ghostnet-ca.file = ../../secrets/ghostnet-ca.age;
+ age.secrets.ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age;
+ age.secrets.ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age;
+
+ age.secrets.systems-cert.file = ../../secrets/systems-cert.age;
+ age.secrets.systems-key.file = ../../secrets/systems-key.age;
+ age.secrets.systems-ca.file = ../../secrets/systems-ca.age;
+ age.secrets.systems-tls-auth.file = ../../secrets/systems-tls-auth.age;
+}
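Review bot: none of the nine `age.secrets.*` entries sets `owner`, `group` or `mode`, so every decrypted file relies on the agenix defaults (root-owned and read-only to root, as far as I recall), which works here only because the OpenVPN units read the cert, key, CA, tls-auth and auth-user-pass files as root before `user nm-openvpn` drops privileges. That dependency is invisible from this file, so a header comment along the lines of `# Consumed by networking.nix (services.openvpn.servers); left at agenix defaults on purpose: openvpn reads these as root before dropping to nm-openvpn, and persist-key presumably avoids re-reading on restart` would stop a later `owner = "nm-openvpn"` tweak from being made blindly. The presumption about `persist-key` should be confirmed against the running unit before the comment states it as fact.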