Kieran's opinionated (and probably slightly dumb) nix config
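# NixOS host module for "prattle": nix settings, packages, users, SSH,
# firewall, tailscale, and a Caddy reverse proxy in front of uptime-kuma.
#
# Arguments are the standard NixOS module arguments plus the flake `inputs`
# (used for import-tree, nixvim and agenix below).
{
  inputs,
  lib,
  config,
  pkgs,
  ...
}:
{
  imports = [
    ./disk-config.nix
    ./home-manager.nix

    # Every module under ../../modules/nixos is imported automatically.
    (inputs.import-tree ../../modules/nixos)
  ];

  nixpkgs = {
    hostPlatform = "x86_64-linux";
    config = {
      allowUnfree = true;
    };
  };

  nix =
    let
      # Only the flake-typed inputs are registered/pinned; non-flake inputs
      # (e.g. plain source fetches) are skipped.
      flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
    in
    {
      settings = {
        experimental-features = "nix-command flakes";
        # An empty global registry means only the entries pinned in
        # `registry` below resolve, so `nixpkgs` etc. can't drift from the
        # flake lock.
        flake-registry = "";
        nix-path = config.nix.nixPath;
        # trusted-users may set arbitrary substituters/keys for the daemon;
        # effectively root-equivalent on the nix side.
        trusted-users = [
          "kierank"
        ];
      };
      channel.enable = false;
      optimise.automatic = true;
      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
      # NIX_PATH entries point at the pinned registry entries above.
      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    };

  time.timeZone = "America/New_York";

  environment.systemPackages = with pkgs; [
    # core
    coreutils
    screen
    bc
    jq
    psmisc
    # cli_utils
    direnv
    zsh
    gum
    vim
    # networking
    xh
    curl
    wget
    dogdns
    inetutils
    mosh
    # nix_tools
    inputs.nixvim.packages.x86_64-linux.default
    nixd
    nil
    nixfmt-rfc-style
    inputs.agenix.packages.x86_64-linux.default
    # security
    openssl
    gpgme
    gnupg
    # dev_langs
    nodejs_22
    python3
    go
    gopls
    gotools
    go-tools
    gcc
    # misc
    neofetch
  ];

  programs.nh = {
    enable = true;
    clean.enable = true;
    # Keep generations from the last 4 days, and at least 3 regardless of age.
    clean.extraArgs = "--keep-since 4d --keep 3";
    flake = "/home/kierank/dots";
  };

  # Identities used to decrypt the .age secrets below (read by root at
  # activation). The user's personal key doubling as a system decryption key
  # means that key's compromise also exposes every system secret.
  # NOTE(review): /etc/ssh/id_rsa is not a default sshd host-key path — confirm
  # it exists on the host, otherwise only the home-dir key is usable.
  age.identityPaths = [
    "/home/kierank/.ssh/id_rsa"
    "/etc/ssh/id_rsa"
  ];
  age.secrets = {
    wakatime = {
      file = ../../secrets/wakatime.age;
      path = "/home/kierank/.wakatime.cfg";
      owner = "kierank";
    };
    # Decrypted as the caddy user and loaded as caddy's EnvironmentFile
    # (see systemd.services.caddy below) to provide CLOUDFLARE_API_TOKEN.
    cloudflare = {
      file = ../../secrets/cloudflare.age;
      owner = "caddy";
    };
  };

  environment.sessionVariables = {
    XDG_CACHE_HOME = "$HOME/.cache";
    XDG_CONFIG_HOME = "$HOME/.config";
    XDG_DATA_HOME = "$HOME/.local/share";
    XDG_STATE_HOME = "$HOME/.local/state";
    EDITOR = "nvim";
    SYSTEMD_EDITOR = "nvim";
    VISUAL = "nvim";
  };

  # Option provided by the modules imported via import-tree above.
  atelier = {
    authentication.enable = true;
  };

  networking = {
    hostName = "prattle";
    networkmanager.enable = true;
  };

  programs.zsh.enable = true;
  programs.direnv.enable = true;

  users.users = {
    kierank = {
      # Only applied when the user is first created; the literal is stored
      # world-readable in the Nix store, and the serial console enabled by
      # `console=ttyS0` below accepts it until it is changed. A
      # hashedPasswordFile pointing at an agenix secret is the usual
      # replacement.
      initialPassword = "changeme";
      isNormalUser = true;
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        "ssh-rsa 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 kierank@mockingjay"
      ];
      # wheel grants sudo; kierank is also a nix trusted-user above.
      extraGroups = [
        "wheel"
        "networkmanager"
      ];
    };
    # Inert while services.openssh.settings.PermitRootLogin is "no": sshd
    # refuses root logins regardless of authorized keys. Kept so that flipping
    # PermitRootLogin to "prohibit-password" is a one-line change; remove it
    # if that is never intended.
    root.openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzEEjvbL/ttqmYoDjxYQmDIq36BabROJoXgQKeh9liBxApwp+2PmgxROzTg42UrRc9pyrkq5kVfxG5hvkqCinhL1fMiowCSEs2L2/Cwi40g5ZU+QwdcwI8a4969kkI46PyB19RHkxg54OUORiIiso/WHGmqQsP+5wbV0+4riSnxwn/JXN4pmnE//stnyAyoiEZkPvBtwJjKb3Ni9n3eNLNs6gnaXrCtaygEZdebikr9kS2g9mM696HvIFgM6cdR/wZ7DcLbG3IdTXuHN7PC3xxL+Y4ek5iMreQIPmuvs4qslbthPGYoYbYLUQiRa9XO5s/ksIj5Z14f7anHE6cuTQVpvNWdGDOigyIVS5qU+4ZF7j+rifzOXVL48gmcAvw/uV68m5Wl/p0qsC/d8vI3GYwEsWG/EzpAlc07l8BU2LxWgN+d7uwBFaJV9VtmUDs5dcslsh8IbzmtC9gq3OLGjklxTfIl6qPiL8U33oc/UwqzvZUrI2BlbagvIZYy6rP+q0= kierank@mockingjay"
    ];
  };

  services.openssh = {
    enable = true;
    openFirewall = true;
    settings = {
      # Key-only, non-root SSH.
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  networking.firewall = {
    enable = true;
    # 22 is already opened by services.openssh.openFirewall; 80/443 are for
    # Caddy. Everything else is rejected (not dropped) and not logged.
    allowedTCPPorts = [ 22 80 443 ];
    logRefusedConnections = false;
    rejectPackets = true;
  };

  services.tailscale = {
    enable = true;
    useRoutingFeatures = "client";
  };

  services.caddy = {
    enable = true;
    # Caddy built with the Cloudflare DNS plugin for ACME DNS-01 challenges;
    # the hash pins the plugin build output.
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ];
      hash = "sha256-Z8nPh4OI3/R1nn667ZC5VgE+Q9vDenaQ3QPKxmqPNkc=";
    };
    email = "me@dunkirk.sh";
    # CLOUDFLARE_API_TOKEN comes from the agenix EnvironmentFile wired in
    # below, never from the Nix store.
    globalConfig = ''
      acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    '';
    virtualHosts."status.dunkirk.sh" = {
      extraConfig = ''
        tls {
          dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        }
        header {
          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        }
        # Proxies to uptime-kuma (services.uptime-kuma, PORT 3001 below).
        # Caddy already sets X-Forwarded-For/-Proto for reverse_proxy; the
        # explicit header_up lines are kept for clarity. {remote_host} is the
        # client IP alone — {remote} is IP:port, which is not a valid
        # X-Forwarded-For value for the upstream to parse.
        reverse_proxy localhost:3001 {
          header_up X-Forwarded-Proto {scheme}
          header_up X-Forwarded-For {remote_host}
        }
      '';
    };
    # Catch-all for any Host not matched above, on both plain and TLS ports.
    extraConfig = ''
      # Default response for unhandled domains
      :80 {
        respond "404 - Looks like this pin is unobtainable" 404
      }
      :443 {
        respond "404 - Looks like this pin is unobtainable" 404
      }
    '';
  };

  # Inject the decrypted Cloudflare token into caddy's environment only.
  systemd.services.caddy.serviceConfig = {
    EnvironmentFile = config.age.secrets.cloudflare.path;
  };

  # Listens on localhost:3001; only reachable through the Caddy vhost above
  # (3001 is not in allowedTCPPorts).
  services.uptime-kuma = {
    enable = true;
    settings = {
      PORT = "3001";
    };
  };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # Serial console login prompt — see the initialPassword note above.
  boot.kernelParams = [ "console=ttyS0" ];

  system.stateVersion = "23.05";
}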