diff --git a/default.nix b/default.nix
index 47c528e..275d5aa 100755
--- a/default.nix
+++ b/default.nix
@@ -15,6 +15,7 @@ in {
 package = pkgs.nix;
 # flake registry and nix path pinning
+ # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f
 nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 registry.nixpkgs.flake = inputs.nixpkgs;
@@ -32,6 +33,9 @@ in {
 };
 };
+ # set our git revision inside `nixos-version`
+ system.configurationRevision = with inputs; mkIf (self ? rev) self.rev;
+
 time.timeZone = mkDefault "America/Los_Angeles";
 i18n.defaultLocale = mkDefault "en_US.UTF-8";
diff --git a/flake.lock b/flake.lock
index 586528d..f566bec 100755
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1709485962,
- "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=",
+ "lastModified": 1710164657,
+ "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "d579633ff9915a8f4058d5c439281097e92380a8",
+ "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2",
 "type": "github"
 },
 "original": {
@@ -22,11 +22,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1709237383,
- "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
+ "lastModified": 1709961763,
+ "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+ "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34",
 "type": "github"
 },
 "original": {
diff --git a/hosts/server/default.nix b/hosts/server/default.nix
index 7608a91..4757588 100755
--- a/hosts/server/default.nix
+++ b/hosts/server/default.nix
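Review bot: `system.configurationRevision` stays unset whenever `self ? rev` is false, which is every build from a dirty working tree, so `nixos-version` records no provenance for precisely the deployments that are hardest to reconstruct later. On Nix versions that expose `dirtyRev` on the flake, a fallback keeps a traceable value: `system.configurationRevision = with inputs; mkIf (self ? rev || self ? dirtyRev) (self.rev or self.dirtyRev);`. The comment could also say what the value is for rather than where it shows up, e.g. `# record the git revision this system was built from (nixos-version --configuration-revision), for audit/rollback provenance`. The enclosing attribute set starts and ends outside the hunk.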
@@ -4,20 +4,18 @@ let
 in {
 imports = [
- ./hardware-configuration.nix
+ ./hardware.nix
 ./webapps/default.nix
 ];
 users.groups.dotfiles = {};
- # HACK HACK HACK
- services.logrotate.checkConfig = false;
- # HACK HACK HACK
-
 normalUsers = {
 reidlab = {
 conf = {
- packages = with pkgs; [ bat tree micro duf ];
+ packages = with pkgs; [
+ bat btop duf file micro nix-output-monitor tree which
+ ];
 extraGroups = [ "wheel" "dotfiles" ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
@@ -33,11 +31,6 @@ in {
 };
 };
- keyboard = {
- locale = "en_US.UTF-8";
- variant = "qwerty";
- };
-
 modules = {
 services = {
 ssh = {
@@ -55,6 +48,7 @@ in {
 security.useDoas = false;
 };
+ # enable networking
 networking = {
 hostName = "nixos-server-reid";
 networkmanager.enable = true;
diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware.nix
similarity index 81%
rename from hosts/server/hardware-configuration.nix
rename to hosts/server/hardware.nix
index b880e8d..83a985a 100755
--- a/hosts/server/hardware-configuration.nix
+++ b/hosts/server/hardware.nix
@@ -7,10 +7,12 @@
 ];
 boot = {
- initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+ initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
 initrd.kernelModules = [ ];
- kernelPackages = pkgs.linuxPackages_latest;
 kernelModules = [ ];
+ extraModulePackages = [ ];
+ # TODO: move bootloader, networking, boot speed to another file?
+ kernelPackages = pkgs.linuxPackages_latest;
 loader = {
 # use u-boot over grub
 grub.enable = lib.mkForce false;
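Review bot: The added `# enable networking` comment in the third hunk of hosts/server/default.nix only restates `networkmanager.enable = true` on the line below it; a comment here is worth having if it records why NetworkManager is chosen on a headless server over the default scripted networking or systemd-networkd, e.g. `# NetworkManager instead of systemd-networkd: <reason>`. Relatedly, the first hunk of this file drops the `services.logrotate.checkConfig = false` workaround without saying what fixed the underlying logrotate config error, which is what a reader who sees the matching readme todo disappear will want to confirm; a one-line note where the hack used to be would close that loop. The `networking` block continues outside the hunk.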
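Review bot: `kernelPackages = pkgs.linuxPackages_latest;` and the new TODO now sit in a file whose previous name and `# Enables DHCP on each ethernet…` boilerplate suggest it was produced by `nixos-generate-config`; if it is ever regenerated, those hand edits vanish silently and the kernel silently reverts, which matters because the readme still lists `swap back to hardened kernel` as an open item. Either move policy settings (kernel choice, bootloader) out of the hardware file as the TODO proposes, or put a header comment such as `# hand-maintained: do not overwrite with nixos-generate-config` at the top so the next regeneration does not undo the kernel choice. Whether the file is still regenerated is an inference from its former name, so confirm before relying on it. The `boot` attribute set continues outside the hunk.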
@@ -18,14 +20,13 @@
 };
 };
- fileSystems = {
- "/" = {
+ fileSystems."/" = {
 device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
 fsType = "ext4";
 };
- };
- swapDevices = [ ];
+ swapDevices =
+ [ ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/modules/keyboard.nix b/modules/keyboard.nix
deleted file mode 100755
index 7c39e8d..0000000
--- a/modules/keyboard.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with lib;
-let
- cfg = config.keyboard;
-in {
- options.keyboard = {
- locale = mkOption {
- type = types.str;
- default = "en_US.UTF-8";
- };
- variant = mkOption {
- type = types.str;
- default = "";
- };
- };
-}
diff --git a/modules/security.nix b/modules/security.nix
index 474b50c..1c6ba49 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -49,7 +49,10 @@ in {
 };
 security = {
+ # prevents replacing the kernel without a reboot
 protectKernelImage = true;
+ # allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+ polkit.enable = true;
 rtkit.enable = true;
 };
 } // (mkIf cfg.useDoas {
diff --git a/readme.md b/readme.md
index f17cb1b..c94c78a 100755
--- a/readme.md
+++ b/readme.md
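Review bot: `swapDevices =` followed by `[ ];` on its own line is an odd break for a two-token value and reads like an accidental newline rather than a formatting choice; `swapDevices = [ ];` on one line matches `initrd.kernelModules = [ ];` in the same file. The `fileSystems."/"` flattening just above it is fine as written.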
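Review bot: The comment on `polkit.enable = true` overstates what the flag does: polkit is an authorization framework that system services (NetworkManager behind nmtui, logind behind reboot) consult before acting on a request from an unprivileged user, and enabling it installs the daemon plus its default rules, so what is actually permitted is decided by those rules rather than by this line. Suggest `# polkit: authorization checks for privileged D-Bus actions (NetworkManager/nmtui, logind reboot); what unprivileged users may do is governed by polkit rules, not by this flag`. The `protectKernelImage` comment could add the mechanism it covers, e.g. `# prevents replacing the running kernel image (disables kexec, and with it hibernation)`, so a later reader does not remove it when hibernation unexpectedly fails. The `security` set is fully inside the hunk; the enclosing `//` merge continues outside it.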
@@ -20,9 +20,10 @@ before committing, please run `nix flake check` and make sure everything is ok
 ## todo
-- remove the lua static stuff from nginx + maybe cloudflare ips too
+- remove the lua static stuff from nginx + maybe cloudflare ips too + redis
 - per-host architecture selection, atm it is hardcoded to `aarch64`
 - some weird perl error abt locales when building using doas - `keepEnv` might fix this
-- fix the logrotate error, only patchable with the hack displayed in [`hosts/server/default.nix`](./hosts/server/default.nix)
+- move common config such as bootloader and networking settings to [`default.nix`](./default.nix)
+- swap back to hardened kernel
 - leverage nixos-hardware
-- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup
+- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed