reidlab/nix-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

whole entire revamp

Browse source
This commit is contained in:
Reid 2023-08-22 21:49:15 -07:00
parent 7b3e28f66d
commit 1c86119fbb
21 changed files with 652 additions and 272 deletions
Download patch file Download diff file Expand all files Collapse all files

17
default.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, inputs, lib, pkgs, ... }:
let
inherit (lib) filterAttrs _;
in {
imports =
[ inputs.home-manager.nixosModules.home-manager ]
++ _.mapModulesRec' ./modules import;
environment.systemPackages = with pkgs; [
curl git
];
i18n.defaultLocale = "en_US.UTF-8";
system.stateVersion = lib.mkDefault "23.11";
}

37
flake.lock generated
View file

@ -1,6 +1,40 @@
{ {
"nodes": { "nodes": {
"home-manager": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1692720545,
"narHash": "sha256-DQDremUH7lRxiZEIVh6C6kQusuPe1vUKtiVl29nmP0E=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "8eb8c212e50e2fd95af5849585a2eb819add0a1e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": {
"lastModified": 1692447944,
"narHash": "sha256-fkJGNjEmTPvqBs215EQU4r9ivecV5Qge5cF/QDLVn3U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d680ded26da5cf104dd2735a51e88d2d8f487b4d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1691654369, "lastModified": 1691654369,
"narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=",
@ -18,7 +52,8 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "home-manager": "home-manager",
"nixpkgs": "nixpkgs_2"
} }
} }
}, },

36
flake.nix
View file

@ -3,25 +3,31 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager";
}; };
outputs = { self, nixpkgs }: outputs = inputs @ { self, nixpkgs, ... }:
let let
system = "aarch64-linux"; system = "aarch64-linux";
pkgs = import nixpkgs { lib = import ./lib { inherit pkgs inputs; lib = nixpkgs.lib; };
allowUnfree = true; inherit (lib._) mapModules mapModulesRec mkHost;
};
in
{
nixosConfigurations = {
server = nixpkgs.lib.nixosSystem {
specialArgs = { inherit system; };
modules = [ mkPkgs = pkgs: overlays: import pkgs {
./hosts/server/configuration.nix inherit system;
]; config.allowUnfree = true;
overlays = overlays ++ (lib.attrValues self.overlays);
}; };
pkgs = mkPkgs nixpkgs [ self.overlay ];
in {
packages."${system}" = mapModules ./packages (p: pkgs.callPackage p {});
overlay = final: prev: {
_ = self.packages."${system}";
};
overlays = mapModules ./overlays import;
nixosModules = (mapModulesRec ./modules import);
nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; });
}; };
};
} }

251
hosts/server/configuration.nix
View file

@ -1,251 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
];
# Git
environment.systemPackages = [
pkgs.git
];
# Bootloader
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Enable flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Networking
networking.hostName = "nixos-server-reid";
networking.wireless.environmentFile = "/run/secrets/wireless.env";
networking.wireless = {
enable = true;
userControlled.enable = true;
networks = {
Ryan = {
psk = "@password@";
};
};
};
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Editors
# Editors - Nano
programs.nano = {
syntaxHighlight = true;
nanorc = ''
set mouse
'';
};
# Users
users.groups.dotfiles = {};
# Users - reidlab
users.users.reidlab = {
isNormalUser = true;
extraGroups = [ "wheel" "dotfiles" ];
packages = with pkgs; [
tree bat
];
};
# Programs
# Programs - Mosh
programs.mosh.enable = true;
# Services
# Services - Openssh
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = true;
};
};
# Services - Nginx
services.nginx = {
package = pkgs.openresty;
enable = true;
logError = "stderr warn";
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
services.nginx.commonHttpConfig = let
lua-resty-template = pkgs.fetchFromGitHub {
owner = "bungle";
repo = "lua-resty-template";
rev = "v2.0";
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
};
lua-resty-redis = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-redis";
rev = "v0.29";
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
};
lua-resty-websocket = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-websocket";
rev = "v0.10";
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
};
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
cfipv4 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v4";
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
});
cfipv6 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v6";
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
});
in ''
# Lua path
lua_package_path "/var/www/reidlab.online/lua/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
# Realip
${realIpsFromList cfipv4}
${realIpsFromList cfipv6}
real_ip_header CF-Connecting-IP;
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# ^ this above is breaking forgejo
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
services.nginx.virtualHosts."reidlab.online" = {
forceSSL = true;
enableACME = true;
root = "/var/www/reidlab.online/public";
extraConfig = ''
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 /errors/500.html;
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
location / {
try_files $uri @main;
}
location /chat {
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
}
location @main {
content_by_lua '
require("main").handle_request()
';
}
'';
};
# Services - Forgejo
services.gitea = {
enable = true;
package = pkgs.forgejo;
stateDir = "/var/lib/git.reidlab.online";
appName = "reidlab's git instance";
database = {
type = "postgres";
name = "gitea";
};
settings = {
"security" = {
INSTALL_LOCK = true;
PASSWORD_HASH_ALGO = "argon2";
PASSWORD_CHECK_PWN = true;
};
"ui.meta" = {
AUTHOR = "reidlab";
DESCRIPTION = "reidlab's git instance";
};
"server" = {
DOMAIN = "git.reidlab.online";
HTTP_PORT = 3000;
ROOT_URL = "https://git.reidlab.online/";
};
"repository" = {
DEFAULT_BRANCH = "main";
};
"picture" = {
DISABLE_GRAVATAR = false;
ENABLE_FEDERATED_AVATAR = true;
};
"service" = {
ENABLE_CAPTCHA = false;
REGISTER_EMAIL_CONFIRM = false;
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DEFAULT_ENABLE_TIMETRACKING = true;
DISABLE_REGISTRATION = true;
};
"federation" = {
ENABLED = true;
};
};
};
services.nginx.virtualHosts."git.reidlab.online" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass "http://127.0.0.1:3000";
'';
};
# Services - Postgres
services.postgresql.enable = true;
# Services - Redis
services.redis.servers."".enable = true;
# Security
security = {
protectKernelImage = true;
};
security.acme = {
acceptTerms = true;
defaults.email = "reidlab325@gmail.com";
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.11"; # Did you read the comment?
}

67
hosts/server/default.nix Executable file
View file

@ -0,0 +1,67 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./webapps/default.nix
];
user = {
packages = with pkgs; [
git
curl
];
};
users.groups.dotfiles = {};
normalUsers = {
reidlab = {
conf = {
packages = with pkgs; [ bat tree ];
extraGroups = [ "wheel" "dotfiles" ];
};
homeConf.home = {
sessionVariables = {
EDITOR = "nano";
};
};
};
};
keyboard = {
locale = "en_US.UTF-8";
variant = "qwerty";
};
modules = {
services = {
ssh = {
enable = true;
requirePassword = true;
};
postgres.enable = true;
redis.enable = true;
mosh.enable = true;
};
};
time.timeZone = "America/Los_Angeles";
networking = {
hostName = "nixos-server-reid";
wireless = {
environmentFile = "/run/secrets/wireless.env";
enable = true;
userControlled.enable = true;
networks.Ryan.psk = "@password@";
};
};
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
}

17
hosts/server/hardware-configuration.nix
View file

@ -1,6 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
# 🤓☝
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@ -8,10 +9,18 @@
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; boot = {
boot.initrd.kernelModules = [ ]; loader = {
boot.kernelModules = [ ]; grub.enable = false;
boot.extraModulePackages = [ ]; generic-extlinux-compatible.enable = true;
};
initrd = {
availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";

54
hosts/server/webapps/default.nix Normal file
View file

@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with lib;
let
in {
config = {
modules = {
services = {
forgejo = {
enable = true;
domain = "git.reidlab.online";
port = 3000;
};
nginx-config = {
enable = true;
defaultLuaPackagePath = /var/www/reidlab.online/lua;
};
};
};
services = {
nginx.virtualHosts = {
"reidlab.online" = {
forceSSL = true;
enableACME = true;
root = "/var/www/reidlab.online/public";
extraConfig = ''
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 /errors/500.html;
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
location / {
try_files $uri @main;
}
location /chat {
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
}
location @main {
content_by_lua '
require("main").handle_request()
';
}
'';
};
};
};
};
}

15
lib/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ inputs, lib, pkgs, ... }:
lib.extend (self: super:
let
inherit (lib) attrValues foldr;
inherit (modules) mapModules;
modules = import ./modules.nix { inherit lib; };
in {
_ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file {
inherit pkgs inputs;
lib = self;
})));
}
)

27
lib/modules.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, ... }:
let
inherit (builtins) attrValues readDir pathExists;
inherit (lib) id filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix mapAttrs' trace fix fold isAttrs;
in rec {
mapModules' = dir: fn: dirfn:
filterAttrs
(name: type: type != null && !(hasPrefix "_" name))
(mapAttrs'
(name: type:
let path = "${toString dir}/${name}"; in
if type == "directory"
then nameValuePair name (dirfn path)
else if
type == "regular" &&
name != "default.nix" &&
hasSuffix ".nix" name
then nameValuePair (removeSuffix ".nix" name) (fn path)
else nameValuePair "" null
)
(readDir dir));
mapModules = dir: fn: mapModules' dir fn (path: if pathExists "${path}/default.nix" then fn path else null);
mapModulesRec = dir: fn: mapModules' dir fn (path: mapModulesRec path fn);
mapModulesRec' = dir: fn: fix (f: attrs: fold (x: xs: (if isAttrs x then f x else [x]) ++ xs) [] (attrValues attrs)) (mapModulesRec dir fn);
}

21
lib/nixos.nix Normal file
View file

@ -0,0 +1,21 @@
{ inputs, lib, pkgs, ... }:
with lib;
{
mkHost = path: attrs@{ system, ... }:
nixosSystem {
inherit system;
specialArgs = { inherit lib inputs system; };
modules = [
{
nixpkgs.pkgs = pkgs;
networking.hostName = mkDefault (removeSuffix ".nix" (baseNameOf path));
}
(filterAttrs (n: v: !elem n [ "system" ]) attrs)
../.
(import path)
];
};
}

17
modules/keyboard.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.keyboard;
in {
options.keyboard = {
locale = mkOption {
type = types.str;
default = "en_US.UTF-8";
};
variant = mkOption {
type = types.str;
default = "";
};
};
}

81
modules/services/forgejo.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.forgejo;
in {
options.modules.services.forgejo = {
enable = mkOption {
type = types.bool;
default = false;
};
domain = mkOption {
type = types.str;
default = "git.reidlab.online";
};
port = mkOption {
type = types.int;
default = 3000;
};
package = mkOption {
type = types.package;
default = pkgs.forgejo;
};
};
config = mkIf cfg.enable {
services = {
gitea = {
enable = true;
package = cfg.package;
stateDir = "/var/lib/${cfg.domain}";
appName = "reidlab's git instance";
database = {
type = "postgres";
name = "gitea";
};
settings = {
"security" = {
INSTALL_LOCK = true;
PASSWORD_HASH_ALGO = "argon2";
PASSWORD_CHECK_PWN = true;
};
"ui.meta" = {
AUTHOR = "reidlab";
DESCRIPTION = "reidlab's git instance";
};
"server" = {
DOMAIN = cfg.domain;
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.domain}/";
};
"repository" = {
DEFAULT_BRANCH = "main";
};
"picture" = {
DISABLE_GRAVATAR = false;
ENABLE_FEDERATED_AVATAR = true;
};
"service" = {
ENABLE_CAPTCHA = false;
REGISTER_EMAIL_CONFIRM = false;
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DEFAULT_ENABLE_TIMETRACING = true;
DISABLE_REGISTRATION = true;
};
"federation" = {
ENABLED = true;
};
};
};
nginx.virtualHosts."${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString cfg.port};
'';
};
};
};
}

19
modules/services/mosh.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.mosh;
in {
options.modules.services.mosh = {
enable = mkOption {
type = types.bool;
default = false;
};
};
config = mkIf cfg.enable {
programs.mosh = {
enable = true;
};
};
}

109
modules/services/nginx-conf.nix Normal file
View file

@ -0,0 +1,109 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.nginx-config;
in {
options.modules.services.nginx-config = {
enable = mkOption {
type = types.bool;
default = false;
};
package = mkOption {
type = types.package;
default = pkgs.openresty;
};
defaultLuaPackagePath = mkOption {
type = types.path;
default = null;
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.defaultLuaPackagePath != null;
description = "The defaultLuaPackagePath property *must* be explicitly specified.";
}
];
security.acme = {
acceptTerms = true;
defaults.email = "reidlab325@gmail.com";
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
services.nginx = {
enable = true;
package = cfg.package;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
logError = "stderr warn";
# TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
commonHttpConfig = let
# lua
lua-resty-template = pkgs.fetchFromGitHub {
owner = "bungle";
repo = "lua-resty-template";
rev = "v2.0";
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
};
lua-resty-redis = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-redis";
rev = "v0.29";
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
};
lua-resty-websocket = pkgs.fetchFromGitHub {
owner = "openresty";
repo = "lua-resty-websocket";
rev = "v0.10";
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
};
# cloudflare
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
cfipv4 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v4";
sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
});
cfipv6 = fileToList (pkgs.fetchurl {
url = "https://www.cloudflare.com/ips-v6";
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
});
in ''
lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# ^ this above breaks forgejo/gitea so
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
${realIpsFromList cfipv4}
${realIpsFromList cfipv6}
real_ip_header CF-Connecting-IP;
'';
};
networking.firewall.allowedTCPPorts = [ 443 80 ];
networking.firewall.allowedUDPPorts = [ 443 80 ];
};
}

19
modules/services/postgres.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.postgres;
in {
options.modules.services.postgres = {
enable = mkOption {
type = types.bool;
default = false;
};
};
config = mkIf cfg.enable {
services.postgresql = {
enable = true;
};
};
}

19
modules/services/redis.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.modules.services.redis;
in {
options.modules.services.redis = {
enable = mkOption {
type = types.bool;
default = false;
};
};
config = mkIf cfg.enable {
services.redis.servers."" = {
enable = true;
};
};
}

35
modules/services/ssh.nix Normal file
View file

@ -0,0 +1,35 @@
{ options, config, lib, pkgs, ... }:
with lib;
let
cfg = config.modules.services.ssh;
in {
options.modules.services.ssh = {
enable = mkOption {
type = types.bool;
default = false;
description = "Provide system SSH support though OpenSSH.";
};
requirePassword = mkOption {
type = types.bool;
default = true;
};
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = cfg.requirePassword;
PermitRootLogin = "no";
};
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
}

82
modules/users.nix Normal file
View file

@ -0,0 +1,82 @@
{ options, config, lib, pkgs, ... }:
with lib;
let
in {
options = {
user = mkOption {
type = types.attrs;
default = {};
description = "Defaults to apply to all normal users in the system.";
};
normalUsers = mkOption {
type = types.attrsOf (types.submodule { options = {
conf = mkOption {
type = types.attrs;
default = {};
};
homeConf = mkOption {
type = types.attrs;
default = {};
};
};});
default = {};
};
home = {
_ = mkOption {
type = types.attrs;
default = {};
description = "Universal home-level user configuration";
};
configFile = mkOption {
type = types.attrs;
default = {};
description = "(XDG) Configuration files managed by home-manager";
};
};
configDir = mkOption {
type = types.path;
default = ../config;
};
};
config = {
home-manager.useUserPackages = true;
user = {
packages = with pkgs; [ wget ];
extraGroups = [ ];
};
home._ = {
home.stateVersion = config.system.stateVersion;
home.file = mkAliasDefinitions options.home.configFile;
xdg.enable = true;
xdg.configFile = mkAliasDefinitions options.home.configFile;
};
environment = {
sessionVariables = {
XDG_CACHE_HOME = "$HOME/.cache";
XDG_CONFIG_HOME = "$HOME/.config";
XDG_DATA_HOME = "$HOME/.local/share";
XDG_BIN_HOME = "$HOME/.local/bin";
XDG_DESKTOP_DIR = "$HOME";
};
};
users.groups = mapAttrs (_: _: {}) config.normalUsers;
users.users = mapAttrs (username: user: (mkMerge [
(mkAliasDefinitions options.user)
user.conf
{
isNormalUser = true;
group = username;
}
])) config.normalUsers;
home-manager.users = mapAttrs (username: user: (mkMerge [(mkAliasDefinitions options.home._) user.homeConf])) config.normalUsers;
};
}

0
overlays/.gitkeep Normal file
View file

0
packages/.gitkeep Normal file
View file

1
readme.md
View file

@ -5,7 +5,6 @@ Nix Flake dotfiles used on my server.
## Todo ## Todo
* Make it so our secrets consist upon reboot (currently just our wifi password, have to set every reboot) (maybe with [Agenix](https://github.com/ryantm/agenix) + [Age](https://github.com/FiloSottile/age)? * Make it so our secrets consist upon reboot (currently just our wifi password, have to set every reboot) (maybe with [Agenix](https://github.com/ryantm/agenix) + [Age](https://github.com/FiloSottile/age)?
* Make everything __modular__.
## Development ## Development