Diffstat (limited to 'nodes/work')
-rw-r--r-- | nodes/work/configuration.nix | 55 | ||||
-rw-r--r-- | nodes/work/hardware-configuration.nix | 41 | ||||
-rw-r--r-- | nodes/work/home-manager.nix | 80 | ||||
-rw-r--r-- | nodes/work/networking.nix | 87 | ||||
-rw-r--r-- | nodes/work/secrets.nix | 13 |
5 files changed, 276 insertions, 0 deletions
diff --git a/nodes/work/configuration.nix b/nodes/work/configuration.nix
new file mode 100644
index 0000000..6d970b2
--- /dev/null
+++ b/nodes/work/configuration.nix
@@ -0,0 +1,55 @@
+{ lib, pkgs, inputs, ... }:
+{
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ inputs.agenix.nixosModules.default
+ inputs.disko.nixosModules.disko
+ inputs.update-systemd-resolved.nixosModules.update-systemd-resolved
+
+ ../../modules/core
+ ../../modules/hyprland.nix
+
+ ./hardware-configuration.nix
+ ./home-manager.nix
+ ./networking.nix
+ ./secrets.nix
+ ];
+
+ system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix
+
+ users.users.jras.extraGroups = [ "networkmanager" "docker" ];
+ security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+ time.timeZone = "Europe/Amsterdam";
+
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ };
+
+ virtualisation.virtualbox = {
+ host.enable = true;
+ host.enableKvm = false;
+ };
+
+ users.extraGroups.vboxusers.members = [ "jras" ];
+
+
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.powerOnBoot = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ services.libinput.mouse.accelProfile = "flat";
+ services.libinput.mouse.accelSpeed = "-5";
+ services.upower.enable = true;
+
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ programs.gnupg.agent.enable = true;
+ programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
+}
diff --git a/nodes/work/hardware-configuration.nix b/nodes/work/hardware-configuration.nix
new file mode 100644
index 0000000..9c8c4b1
--- /dev/null
+++ b/nodes/work/hardware-configuration.nix
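Review bot: Putting `jras` in the `docker` group (`users.users.jras.extraGroups = [ "networkmanager" "docker" ]`) makes the account root-equivalent through the Docker socket, which undercuts the `security.sudo.wheelNeedsPassword = lib.mkForce true` set on the very next line. If the sudo password prompt is meant as a real control, the consistent choice is rootless Docker — `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` with `"docker"` dropped from `extraGroups` — since the hunk shows nothing that needs the root daemon. If the root daemon is required, a one-line comment such as `# docker group is root-equivalent; accepted for this host` would at least record that the trade-off was deliberate.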
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/df469cf1-1acc-4bf4-86e1-ec368e5a96a1";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-0f6e3603-084c-4438-9749-36b31b6f226a".device = "/dev/disk/by-uuid/0f6e3603-084c-4438-9749-36b31b6f226a";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F0E6-4DF3";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nodes/work/home-manager.nix b/nodes/work/home-manager.nix
new file mode 100644
index 0000000..c0d94bf
--- /dev/null
+++ b/nodes/work/home-manager.nix
@@ -0,0 +1,80 @@
+{ lib, pkgs, inputs, ... }:
+{
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = { inherit inputs; };
+ home-manager.users.jras = {
+ imports = [
+ ../../modules/home-manager/core
+ ../../modules/home-manager/hyprland.nix
+ ../../modules/home-manager/hostnet.nix
+ ../../modules/home-manager/php.nix
+ ../../modules/home-manager/ansible.nix
+ ../../modules/home-manager/python.nix
+ ];
+
+ home.username = "jras";
+ home.homeDirectory = "/home/jras";
+ home.stateVersion = "22.11";
+ home.sessionPath = [ "$HOME/.local/bin" ];
+
+ home.packages = with pkgs; [
+ slack
+ moonlight-qt
+ brightnessctl
+ google-chrome
+ ];
+
+ programs.git = {
+ userName = "Jasper Ras";
+ userEmail = lib.mkForce "jras@hostnet.nl";
+ extraConfig = { gitreview.username = "jrasper"; };
+ ignores = [
+ ".direnv"
+ ".envrc"
+ ".project"
+ ".settings/"
+ ".buildpath"
+ "tags"
+ ".hhconfig"
+ ".DS_Store"
+ ".idea/"
+ ".vagrant/"
+ "*.swp"
+ "clover.xml"
+ "yarn-error.log"
+ "gsuite-auth.json"
+ "venv/"
+ "shell.nix"
+
+ ".devenv*"
+ "devenv*"
+ ".pre-commit-config.yaml"
+ ];
+ };
+
+ programs.zsh.initExtra = ''
+ eval "$(dircolors)"
+ '';
+ programs.zsh.shellAliases = {
+ ssh = "TERM=xterm-256color ssh";
+ };
+
+ programs.pyenv.enable = true;
+ programs.pyenv.enableZshIntegration = true;
+ programs.ssh = {
+ controlMaster = "auto";
+ controlPersist = "12h";
+ serverAliveInterval = 11;
+ matchBlocks = {
+ "*.g1i.one".user = "jasras";
+ "*.os1.openstack.group.one".user = "jasras";
+ "*.one.com".user = "jasras";
+ "91.184.16.185".port = 12345;
+ "*.compute.prv.vps1-testpod-cph3.one.com".forwardAgent = true;
+ "access.*.one.com".forwardAgent = true;
+ "access.*.g1i.one".forwardAgent = true;
+ };
+ };
+ };
+}
diff --git a/nodes/work/networking.nix b/nodes/work/networking.nix
new file mode 100644
index 0000000..99ba8d7
--- /dev/null
+++ b/nodes/work/networking.nix
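Review bot: `forwardAgent = true` on the `access.*.one.com`, `access.*.g1i.one` and `*.compute.prv.vps1-testpod-cph3.one.com` match blocks lets those hosts sign with every key in the local agent for the life of the session, and with `controlMaster = "auto"` plus `controlPersist = "12h"` a multiplexed master keeps that exposure open for up to twelve hours after the last interactive use. If the `access.*` hosts are bastions (the name suggests it, the hunk does not say), `"access.*.one.com".proxyJump`-style hops reach the hosts behind them without ever exposing the agent. Where forwarding is genuinely needed, a shorter `controlPersist` (minutes, not hours) limits how long a compromised remote can keep using it. Either way a one-line comment on those three entries stating why the agent must be forwarded would help the next reader.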
@@ -0,0 +1,87 @@
+{ pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ networkmanager-openvpn
+ ];
+
+ networking.hostName = "work";
+ networking.networkmanager.enable = true;
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = [ "1.1.1.1" ];
+
+ services.openvpn.servers = {
+ ghostnet = {
+ config = ''
+ client
+ remote 185.57.9.6 1194
+ cert ${config.age.secrets.ghostnet-cert.path}
+ key ${config.age.secrets.ghostnet-key.path}
+ ca ${config.age.secrets.ghostnet-ca.path}
+ auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
+ reneg-sec 0
+ cipher AES-256-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ remote-cert-tls server
+ tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ systems = {
+ config = ''
+ client
+ remote 'vpn-v2.one.com'
+ cert '${config.age.secrets.systems-cert.path}'
+ key '${config.age.secrets.systems-key.path}'
+ ca '${config.age.secrets.systems-ca.path}'
+ cipher AES-128-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ port 1200
+ remote-cert-tls server
+ tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ };
+
+ programs.update-systemd-resolved.servers = {
+ ghostnet = {
+ includeAutomatically = true;
+ settings = {
+ routeOnlyDomains = [ "hostnetbv.nl." ];
+ defaultRoute = false;
+ multicastDNS = "no";
+ dnsOverTLS = "opportunistic";
+ dnssec = "no";
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "1.1.1.1" ];
+ dnsovertls = "opportunistic";
+ llmnr = "true";
+ };
+}
diff --git a/nodes/work/secrets.nix b/nodes/work/secrets.nix
new file mode 100644
index 0000000..d13599d
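Review bot: `llmnr = "true"` in `services.resolved` turns on the LLMNR responder as well as the resolver, so on a roaming laptop this host answers name queries on every untrusted LAN it joins — the classic LLMNR/NBT-NS poisoning surface. `llmnr = "resolve"` keeps lookups working without answering, and `"false"` disables it outright; the ghostnet link already sets `multicastDNS = "no"`, so the global setting looks like an oversight rather than a choice. Two smaller points in the same hunk: `dnsovertls = "opportunistic"` silently falls back to cleartext if the upstream refuses TLS, and with a fixed upstream of `1.1.1.1` it can safely be `"true"`; and `comp-lzo adaptive` in both OpenVPN profiles enables link compression, which OpenVPN itself warns against (VORACLE-style plaintext recovery) — that one must match the server side, so it is a question for the VPN operators rather than a local change. `script-security 2` is presumably needed for the update-systemd-resolved hooks on ghostnet, but nothing in the `systems` profile visibly uses scripts; a comment saying why it is there on both would help.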
--- /dev/null
+++ b/nodes/work/secrets.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ age.secrets.ghostnet-cert.file = ../../secrets/ghostnet-cert.age;
+ age.secrets.ghostnet-key.file = ../../secrets/ghostnet-key.age;
+ age.secrets.ghostnet-ca.file = ../../secrets/ghostnet-ca.age;
+ age.secrets.ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age;
+ age.secrets.ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age;
+
+ age.secrets.systems-cert.file = ../../secrets/systems-cert.age;
+ age.secrets.systems-key.file = ../../secrets/systems-key.age;
+ age.secrets.systems-ca.file = ../../secrets/systems-ca.age;
+ age.secrets.systems-tls-auth.file = ../../secrets/systems-tls-auth.age;
+} |
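Review bot: None of the `age.secrets.*` entries sets `owner` or `mode`, so the decrypted files presumably come out root-owned and unreadable by anyone else (the agenix default — confirm against the module). That is fine for the cert/key/ca/tls-auth files, which networking.nix has OpenVPN open as root before it drops to `user nm-openvpn`, but `ghostnet-auth-user-pass` is different: that profile also sets `auth-nocache`, which makes OpenVPN re-read the credential file whenever it needs to re-authenticate, and after the privilege drop a root-only file may no longer be readable; the `reneg-sec 0` in the same profile looks like it papers over exactly that. A header comment recording the dependency, e.g. `# Consumed by services.openvpn (networking.nix) as root at start-up; the default root:0400 is relied upon — do not hand these to nm-openvpn`, would stop a later "fix" from either loosening the mode or breaking the VPN. The `.age` files themselves live outside this diff, so nothing here says what the auth-user-pass secret actually contains.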