From 574da5b3416e2376c4ffe20a53ddb1dc2c02b6ce Mon Sep 17 00:00:00 2001
From: Jasper Ras
Date: Mon, 3 Feb 2025 22:04:02 +0100
Subject: move around work host config
---
 configuration/work/default.nix | 152 ++++++++++++++++++++++++++
 configuration/work/hardware-configuration.nix | 41 +++++++
 flake.nix | 6 +-
 hosts/hardware-configuration/work.nix | 41 -------
 hosts/work.nix | 152 --------------------------
 5 files changed, 195 insertions(+), 197 deletions(-)
 create mode 100644 configuration/work/default.nix
 create mode 100644 configuration/work/hardware-configuration.nix
 delete mode 100644 hosts/hardware-configuration/work.nix
 delete mode 100644 hosts/work.nix
diff --git a/configuration/work/default.nix b/configuration/work/default.nix
new file mode 100644
index 0000000..ebb26f5
--- /dev/null
+++ b/configuration/work/default.nix
@@ -0,0 +1,152 @@ +{ config, pkgs, inputs, ... }: +{ + imports = [ ./hardware-configuration.nix ]; + + age.secrets.ghostnet-cert.file = ../../secrets/ghostnet-cert.age; + age.secrets.ghostnet-key.file = ../../secrets/ghostnet-key.age; + age.secrets.ghostnet-ca.file = ../../secrets/ghostnet-ca.age; + age.secrets.ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age; + age.secrets.ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age; + + age.secrets.systems-cert.file = ../../secrets/systems-cert.age; + age.secrets.systems-key.file = ../../secrets/systems-key.age; + age.secrets.systems-ca.file = ../../secrets/systems-ca.age; + age.secrets.systems-tls-auth.file = ../../secrets/systems-tls-auth.age; + + environment.systemPackages = with pkgs; [ + slack + git-review + hexchat + apacheHttpd + moonlight-qt + brightnessctl + hugo + google-chrome + ]; + + hardware.bluetooth.enable = true; + hardware.bluetooth.powerOnBoot = true; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "work"; + networking.networkmanager.enable = true; + networking.networkmanager.dns = "systemd-resolved"; + networking.nameservers = [ "1.1.1.1" ]; + networking.firewall.allowedTCPPorts = []; + + time.timeZone = "Europe/Amsterdam"; + + i18n.defaultLocale = "en_US.UTF-8"; + i18n.extraLocaleSettings = { + LC_ADDRESS = "nl_NL.UTF-8"; + LC_IDENTIFICATION = "nl_NL.UTF-8"; + LC_MEASUREMENT = "nl_NL.UTF-8"; + LC_MONETARY = "nl_NL.UTF-8"; + LC_NAME = "nl_NL.UTF-8"; + LC_NUMERIC = "nl_NL.UTF-8"; + LC_PAPER = "nl_NL.UTF-8"; + LC_TELEPHONE = "nl_NL.UTF-8"; + LC_TIME = "nl_NL.UTF-8"; + }; + + services.libinput.mouse.accelProfile = "flat"; + services.libinput.mouse.accelSpeed = "-5"; + services.upower.enable = true; + services.openssh.enable = true; + services.openvpn.servers = { + ghostnet = { + config = '' + client + remote 185.57.9.6 1194 + cert ${config.age.secrets.ghostnet-cert.path} + key 
${config.age.secrets.ghostnet-key.path} + ca ${config.age.secrets.ghostnet-ca.path} + auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path} + reneg-sec 0 + cipher AES-256-CBC + comp-lzo adaptive + dev tun + proto udp + remote-cert-tls server + tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1 + nobind + auth-nocache + script-security 2 + persist-key + persist-tun + user nm-openvpn + group nm-openvpn + ''; + updateResolvConf = false; + autoStart = false; + }; + systems = { + config = '' + client + remote 'vpn-v2.one.com' + cert '${config.age.secrets.systems-cert.path}' + key '${config.age.secrets.systems-key.path}' + ca '${config.age.secrets.systems-ca.path}' + cipher AES-128-CBC + comp-lzo adaptive + dev tun + proto udp + port 1200 + remote-cert-tls server + tls-auth '${config.age.secrets.systems-tls-auth.path}' 1 + nobind + auth-nocache + script-security 2 + persist-key + persist-tun + user nm-openvpn + group nm-openvpn + ''; + updateResolvConf = false; + autoStart = false; + }; + }; + + programs.update-systemd-resolved.servers = { + ghostnet = { + includeAutomatically = true; + settings = { + routeOnlyDomains = [ "hostnetbv.nl." ]; + defaultRoute = false; + multicastDNS = "no"; + dnsOverTLS = "opportunistic"; + dnssec = "no"; + }; + }; + }; + + services.resolved = { + enable = true; + dnssec = "true"; + domains = [ "~." 
]; + fallbackDns = [ "1.1.1.1" ]; + dnsovertls = "opportunistic"; + llmnr = "true"; + }; + + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + users.users.jras = { + isNormalUser = true; + description = "Jasper Ras"; + extraGroups = [ "networkmanager" "wheel" "docker" ]; + packages = with pkgs; [ git ]; + }; + + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.jras = import ../../home-manager/entrypoints/work.nix; + home-manager.extraSpecialArgs = { inherit inputs; monitor-names = ["eDP-1" "HDMI-A-1" "DP-10"]; }; + + system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix +} diff --git a/configuration/work/hardware-configuration.nix b/configuration/work/hardware-configuration.nix new file mode 100644 index 0000000..9c8c4b1 --- /dev/null +++ b/configuration/work/hardware-configuration.nix 
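Review bot: `services.openssh.enable = true;` in the new configuration/work/default.nix brings up sshd with the NixOS module defaults, so port 22 is opened by the module's own `openFirewall` default regardless of the empty `networking.firewall.allowedTCPPorts = [];` two sections above, and password logins remain enabled; on a laptop that moves between the ghostnet/systems VPNs and untrusted networks this should be an explicit choice rather than a default. Consider `services.openssh.settings.PasswordAuthentication = false;` and, if nothing actually needs to log in to this host, `services.openssh.openFirewall = false;` or dropping the service entirely. The ghostnet OpenVPN profile also carries `comp-lzo adaptive` and `reneg-sec 0`: tunnel compression is deprecated upstream because it enables plaintext-recovery attacks on the tunnel, and `reneg-sec 0` disables key renegotiation for the life of the session, so each deserves either a comment stating the peer requires it or removal. The file is a verbatim move from hosts/work.nix with only the relative secret and home-manager paths adjusted, so these points are pre-existing rather than introduced by this commit.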
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/df469cf1-1acc-4bf4-86e1-ec368e5a96a1"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices."luks-0f6e3603-084c-4438-9749-36b31b6f226a".device = "/dev/disk/by-uuid/0f6e3603-084c-4438-9749-36b31b6f226a"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/F0E6-4DF3"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/flake.nix b/flake.nix index fdd5e8b..f2245d1 100644 --- a/flake.nix +++ b/flake.nix 
@@ -45,13 +45,14 @@ system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ - ./hosts/work.nix update-systemd-resolved.nixosModules.update-systemd-resolved { environment.systemPackages = [ agenix.packages."x86_64-linux".default ]; } home-manager.nixosModules.home-manager agenix.nixosModules.default + + ./configuration/work ./config/shared.nix { @@ -64,9 +65,6 @@ nixosConfigurations.tarrel = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - # config = { - # allowUnfree = true; - # }; specialArgs = { inherit inputs; }; modules = [ ./hosts/tarrel.nix diff --git a/hosts/hardware-configuration/work.nix b/hosts/hardware-configuration/work.nix deleted file mode 100644 index 9c8c4b1..0000000 --- a/hosts/hardware-configuration/work.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/df469cf1-1acc-4bf4-86e1-ec368e5a96a1"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."luks-0f6e3603-084c-4438-9749-36b31b6f226a".device = "/dev/disk/by-uuid/0f6e3603-084c-4438-9749-36b31b6f226a"; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/F0E6-4DF3"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/work.nix b/hosts/work.nix deleted file mode 100644 index 9256d09..0000000 --- a/hosts/work.nix +++ /dev/null 
@@ -1,152 +0,0 @@ -{ config, pkgs, inputs, ... }: -{ - imports = [ ./hardware-configuration/work.nix ]; - - age.secrets.ghostnet-cert.file = ../secrets/ghostnet-cert.age; - age.secrets.ghostnet-key.file = ../secrets/ghostnet-key.age; - age.secrets.ghostnet-ca.file = ../secrets/ghostnet-ca.age; - age.secrets.ghostnet-tls-auth.file = ../secrets/ghostnet-tls-auth.age; - age.secrets.ghostnet-auth-user-pass.file = ../secrets/ghostnet-auth-user-pass.age; - - age.secrets.systems-cert.file = ../secrets/systems-cert.age; - age.secrets.systems-key.file = ../secrets/systems-key.age; - age.secrets.systems-ca.file = ../secrets/systems-ca.age; - age.secrets.systems-tls-auth.file = ../secrets/systems-tls-auth.age; - - environment.systemPackages = with pkgs; [ - slack - git-review - hexchat - apacheHttpd - moonlight-qt - brightnessctl - hugo - google-chrome - ]; - - hardware.bluetooth.enable = true; - hardware.bluetooth.powerOnBoot = true; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.hostName = "work"; - networking.networkmanager.enable = true; - networking.networkmanager.dns = "systemd-resolved"; - networking.nameservers = [ "1.1.1.1" ]; - networking.firewall.allowedTCPPorts = []; - - time.timeZone = "Europe/Amsterdam"; - - i18n.defaultLocale = "en_US.UTF-8"; - i18n.extraLocaleSettings = { - LC_ADDRESS = "nl_NL.UTF-8"; - LC_IDENTIFICATION = "nl_NL.UTF-8"; - LC_MEASUREMENT = "nl_NL.UTF-8"; - LC_MONETARY = "nl_NL.UTF-8"; - LC_NAME = "nl_NL.UTF-8"; - LC_NUMERIC = "nl_NL.UTF-8"; - LC_PAPER = "nl_NL.UTF-8"; - LC_TELEPHONE = "nl_NL.UTF-8"; - LC_TIME = "nl_NL.UTF-8"; - }; - - services.libinput.mouse.accelProfile = "flat"; - services.libinput.mouse.accelSpeed = "-5"; - services.upower.enable = true; - services.openssh.enable = true; - services.openvpn.servers = { - ghostnet = { - config = '' - client - remote 185.57.9.6 1194 - cert ${config.age.secrets.ghostnet-cert.path} - key ${config.age.secrets.ghostnet-key.path} - ca 
${config.age.secrets.ghostnet-ca.path} - auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path} - reneg-sec 0 - cipher AES-256-CBC - comp-lzo adaptive - dev tun - proto udp - remote-cert-tls server - tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1 - nobind - auth-nocache - script-security 2 - persist-key - persist-tun - user nm-openvpn - group nm-openvpn - ''; - updateResolvConf = false; - autoStart = false; - }; - systems = { - config = '' - client - remote 'vpn-v2.one.com' - cert '${config.age.secrets.systems-cert.path}' - key '${config.age.secrets.systems-key.path}' - ca '${config.age.secrets.systems-ca.path}' - cipher AES-128-CBC - comp-lzo adaptive - dev tun - proto udp - port 1200 - remote-cert-tls server - tls-auth '${config.age.secrets.systems-tls-auth.path}' 1 - nobind - auth-nocache - script-security 2 - persist-key - persist-tun - user nm-openvpn - group nm-openvpn - ''; - updateResolvConf = false; - autoStart = false; - }; - }; - - programs.update-systemd-resolved.servers = { - ghostnet = { - includeAutomatically = true; - settings = { - routeOnlyDomains = [ "hostnetbv.nl." ]; - defaultRoute = false; - multicastDNS = "no"; - dnsOverTLS = "opportunistic"; - dnssec = "no"; - }; - }; - }; - - services.resolved = { - enable = true; - dnssec = "true"; - domains = [ "~." ]; - fallbackDns = [ "1.1.1.1" ]; - dnsovertls = "opportunistic"; - llmnr = "true"; - }; - - services.xserver.xkb = { - layout = "us"; - variant = ""; - }; - - users.users.jras = { - isNormalUser = true; - description = "Jasper Ras"; - extraGroups = [ "networkmanager" "wheel" "docker" ]; - packages = with pkgs; [ git ]; - }; - - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.jras = import ../home-manager/entrypoints/work.nix; - home-manager.extraSpecialArgs = { inherit inputs; monitor-names = ["eDP-1" "HDMI-A-1" "DP-10"]; }; - - system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix -} -- cgit v1.2.3