Kieran's opinionated (and probably slightly dumb) nix config
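# Host module for "terebithia" (aarch64-linux): flake-input registry pinning,
# system packages, agenix secrets, SSH/firewall/tailscale, Caddy with the
# Cloudflare DNS plugin, and two self-hosted services (cachet, hn-alerts).
{
  inputs,
  lib,
  config,
  pkgs,
  ...
}:
{
  imports = [
    ./disk-config.nix
    ./home-manager.nix

    # Pulls in every module under modules/nixos (import-tree walks the tree).
    (inputs.import-tree ../../modules/nixos)
  ];

  nixpkgs = {
    hostPlatform = "aarch64-linux";
    config = {
      allowUnfree = true;
    };
  };

  nix =
    let
      # Only flake-typed inputs are exposed through the registry and NIX_PATH;
      # non-flake inputs are filtered out.
      flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
    in
    {
      settings = {
        experimental-features = "nix-command flakes";
        # Empty string disables the global (network) flake registry; only the
        # pinned inputs below are resolvable.
        flake-registry = "";
        nix-path = config.nix.nixPath;
        # NOTE(review): trusted-users may override daemon-enforced settings
        # (substituters, sandboxing), which is effectively root-equivalent;
        # keep this list limited to the admin account.
        trusted-users = [
          "kierank"
        ];
      };
      channel.enable = false;
      optimise.automatic = true;
      # Pin each flake input under its own name so `nix run nixpkgs#...` and
      # `<nixpkgs>` resolve to the locked input rather than a channel.
      registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
      nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
    };

  time.timeZone = "America/New_York";

  environment.systemPackages =
    let
      # Derived from nixpkgs.hostPlatform above, so the flake-input packages
      # follow the host's system instead of repeating the platform string.
      hostSystem = pkgs.stdenv.hostPlatform.system;
    in
    with pkgs;
    [
      # core
      coreutils
      screen
      bc
      jq
      psmisc
      # cli_utils
      direnv
      zsh
      gum
      vim
      # networking
      xh
      curl
      wget
      dogdns
      inetutils
      mosh
      # nix_tools
      inputs.nixvim.packages.${hostSystem}.default
      nixd
      nil
      nixfmt-rfc-style
      inputs.agenix.packages.${hostSystem}.default
      # security
      openssl
      gpgme
      gnupg
      # dev_langs
      nodejs_22
      unstable.bun
      python3
      go
      gopls
      gotools
      go-tools
      gcc
      # misc
      neofetch
      git
    ];

  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 4d --keep 3";
    flake = "/home/kierank/dots";
  };

  # Identities agenix tries, in order, when decrypting the secrets below.
  # NOTE(review): the first entry reuses a user's personal SSH key as a host
  # decryption identity, so that key's exposure also exposes every secret
  # here; the host key in /etc/ssh is the usual choice on its own.
  age.identityPaths = [
    "/home/kierank/.ssh/id_rsa"
    "/etc/ssh/id_rsa"
  ];
  age.secrets = {
    wakatime = {
      file = ../../secrets/wakatime.age;
      path = "/home/kierank/.wakatime.cfg";
      owner = "kierank";
    };
    cachet = {
      file = ../../secrets/cachet.age;
      owner = "cachet";
    };
    hn-alerts = {
      file = ../../secrets/hn-alerts.age;
      owner = "hn-alerts";
    };
    # Consumed by caddy via EnvironmentFile (see systemd.services.caddy below).
    cloudflare = {
      file = ../../secrets/cloudflare.age;
      owner = "caddy";
    };
  };

  environment.sessionVariables = {
    XDG_CACHE_HOME = "$HOME/.cache";
    XDG_CONFIG_HOME = "$HOME/.config";
    XDG_DATA_HOME = "$HOME/.local/share";
    XDG_STATE_HOME = "$HOME/.local/state";
    EDITOR = "nvim";
    SYSTEMD_EDITOR = "nvim";
    VISUAL = "nvim";
  };

  atelier = {
    authentication.enable = true;
  };

  networking = {
    hostName = "terebithia";
    networkmanager.enable = true;
  };

  programs.zsh.enable = true;
  programs.direnv.enable = true;

  users.users = {
    kierank = {
      # NOTE(review): initialPassword only applies when the user is first
      # created, but it is a well-known value and still grants console login
      # (boot.kernelParams enables a serial console) plus sudo via "wheel"
      # until it is changed; set hashedPassword/hashedPasswordFile instead.
      initialPassword = "changeme";
      isNormalUser = true;
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        "ssh-rsa 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 kierank@mockingjay"
      ];
      extraGroups = [
        "wheel"
        "networkmanager"
        "services"
      ];
    };
    # NOTE(review): this key is inert while services.openssh.settings
    # .PermitRootLogin = "no" below; sshd refuses root logins regardless of
    # authorized keys. Drop it, or set PermitRootLogin = "prohibit-password"
    # if key-only root access is actually intended.
    root.openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzEEjvbL/ttqmYoDjxYQmDIq36BabROJoXgQKeh9liBxApwp+2PmgxROzTg42UrRc9pyrkq5kVfxG5hvkqCinhL1fMiowCSEs2L2/Cwi40g5ZU+QwdcwI8a4969kkI46PyB19RHkxg54OUORiIiso/WHGmqQsP+5wbV0+4riSnxwn/JXN4pmnE//stnyAyoiEZkPvBtwJjKb3Ni9n3eNLNs6gnaXrCtaygEZdebikr9kS2g9mM696HvIFgM6cdR/wZ7DcLbG3IdTXuHN7PC3xxL+Y4ek5iMreQIPmuvs4qslbthPGYoYbYLUQiRa9XO5s/ksIj5Z14f7anHE6cuTQVpvNWdGDOigyIVS5qU+4ZF7j+rifzOXVL48gmcAvw/uV68m5Wl/p0qsC/d8vI3GYwEsWG/EzpAlc07l8BU2LxWgN+d7uwBFaJV9VtmUDs5dcslsh8IbzmtC9gq3OLGjklxTfIl6qPiL8U33oc/UwqzvZUrI2BlbagvIZYy6rP+q0= kierank@mockingjay"
    ];
  };

  services.openssh = {
    enable = true;
    openFirewall = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  networking.firewall = {
    enable = true;
    # 22 is already opened by services.openssh.openFirewall; 80/443 are for
    # caddy. Listing 22 here is redundant but harmless.
    allowedTCPPorts = [ 22 80 443 ];
    # Refused connections are not logged; this keeps the journal quiet at the
    # cost of visibility into port scans.
    logRefusedConnections = false;
    rejectPackets = true;
  };

  services.tailscale = {
    enable = true;
    useRoutingFeatures = "client";
  };

  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ];
      hash = "sha256-Z8nPh4OI3/R1nn667ZC5VgE+Q9vDenaQ3QPKxmqPNkc=";
    };
    email = "me@dunkirk.sh";
    # The DNS challenge token is read from the process environment, which is
    # populated from the agenix "cloudflare" secret via EnvironmentFile.
    globalConfig = ''
      acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    '';
    extraConfig = ''
      # Default response for unhandled domains
      :80 {
        respond "404 - Looks like this bridge doesn't have an end" 404
      }
      :443 {
        respond "404 - Looks like this bridge doesn't have an end" 404
      }
    '';
  };

  systemd.services.caddy.serviceConfig = {
    EnvironmentFile = config.age.secrets.cloudflare.path;
  };

  atelier.services.cachet = {
    enable = true;
    domain = "cachet.dunkirk.sh";
    secretsFile = config.age.secrets.cachet.path;
  };

  atelier.services.hn-alerts = {
    enable = true;
    domain = "hn.dunkirk.sh";
    secretsFile = config.age.secrets.hn-alerts.path;
  };

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelParams = [ "console=ttyS0" ];

  system.stateVersion = "23.05";
}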
222}