author | Azat Bahawi <azat@bahawi.net> | 2023-03-11 12:51:58 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2023-03-11 12:51:58 +0300 |
commit | 0ef23d4501592a192ba020a2ac34abb1a3d8fc5e (patch) | |
tree | 17f0377d71f7c645acf8502c769a0ade76cbc901 /modules | |
parent | 2023-02-20 (diff) |
2023-03-11
Diffstat (limited to '')
-rw-r--r-- | modules/common/common/nix/default.nix | 1 | ||||
-rw-r--r-- | modules/common/default.nix | 1 | ||||
-rw-r--r-- | modules/common/emacs/default.nix | 5 | ||||
-rw-r--r-- | modules/common/git.nix | 2 | ||||
-rw-r--r-- | modules/common/openconnect.nix | 83 | ||||
-rw-r--r-- | modules/nixos/beets.nix (renamed from modules/common/beets.nix) | 0 | ||||
-rw-r--r-- | modules/nixos/default.nix | 3 | ||||
-rw-r--r-- | modules/nixos/k3s.nix | 29 | ||||
-rw-r--r-- | modules/nixos/murmur.nix | 28 | ||||
-rw-r--r-- | modules/nixos/profiles/headful.nix | 22 |
10 files changed, 76 insertions, 98 deletions
diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix
index 378cd36..9f80838 100644
--- a/modules/common/common/nix/default.nix
+++ b/modules/common/common/nix/default.nix
@@ -130,7 +130,6 @@ with lib; {
 tor-browser = tor-browser-bundle-bin;
 }))
 agenix.overlays.default
- emacs-overlay.overlay
 nur.overlay
 ];
diff --git a/modules/common/default.nix b/modules/common/default.nix
index e6040cd..b722cae 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -3,7 +3,6 @@ _: {
 ./alacritty.nix
 ./aria2.nix
 ./bat.nix
- ./beets.nix
 ./chromium.nix
 ./common
 ./curl.nix
diff --git a/modules/common/emacs/default.nix b/modules/common/emacs/default.nix
index 268d77d..2dbe53f 100644
--- a/modules/common/emacs/default.nix
+++ b/modules/common/emacs/default.nix
@@ -46,6 +46,7 @@ in {
 asmfmt # :editor format
 bash-language-server # :lang (sh +lsp)
 clang-tools # :lang (cc +lsp) :editor format
+ cmake # :term vterm
 cmake-format # :lang cc :editor format
 cmigemo # :lang japanese
 css-language-server # :lang (web +lsp)
@@ -53,6 +54,7 @@ in {
 dockerfile-language-server # :tools (docker +lsp)
 editorconfig # :tools editorconfig
 fd # doom!
+ gcc # :tools magit :term vterm
 gnuplot # :lang (org +gnuplot)
 gnutls # doom!
 go-language-server # :lang (go +lsp)
@@ -65,6 +67,7 @@ in {
 html-tidy # :lang web
 jre # :lang plantuml
 json-language-server # :lang (json +lsp)
+ libtool # :term vterm
 nix-language-server # :lang (nix +lsp)
 nixfmt # :lang nix :editor format
 nodePackages.eslint # :lang (json +lsp)
@@ -73,6 +76,7 @@ in {
 nodePackages.stylelint # :lang web
 nodejs # :tools debugger
 pandoc # :lang org markdown latex
+ perl # term vterm
 pinentry-emacs # doom!
 pre-commit # :tools magit
 ripgrep # doom!
@@ -175,7 +179,6 @@ in {
 programs.emacs = {
 enable = true;
 package = pkgs.emacs28; # Pin to avoid surprises.
- extraPackages = p: with p; [vterm];
 };
 };
 };
diff --git a/modules/common/git.nix b/modules/common/git.nix
index c3ebafc..ce4e505 100644
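Review bot: `perl # term vterm` breaks the comment convention every other entry in these hunks follows (`# :term vterm`, `# :tools magit`), so the colon should be restored: `perl # :term vterm`. Dropping `extraPackages = p: with p; [vterm];` while adding cmake, gcc, libtool and perl reads as moving the vterm native module from a nixpkgs build to an in-Emacs compile at first use; if that is the intent, a one-line comment on the `cmake` entry should say so, e.g. `# vterm-module is compiled by emacs at first launch (needs cmake/gcc/libtool/perl)`. A module built that way lives outside the Nix store and is not pinned by the flake inputs the way the removed `vterm` package was — worth stating in the same comment if the trade-off is deliberate.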
--- a/modules/common/git.nix
+++ b/modules/common/git.nix
@@ -68,6 +68,8 @@ in {
 };
 init.defaultBranch = "master";
 status.submoduleSummary = true;
+ github.user = my.username;
+ gitlab.user = my.username;
 } // mapAttrs' (n: v: nameValuePair ''url "git@${v}:"'' {insteadOf = "${n}:";}) {
diff --git a/modules/common/openconnect.nix b/modules/common/openconnect.nix
deleted file mode 100644
index 936c9d1..0000000
--- a/modules/common/openconnect.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-with lib; let
- cfg = config.nixfiles.modules.openconnect;
-in {
- options.nixfiles.modules.openconnect.enable =
- mkEnableOption "OpenConnect VPN";
-
- config = mkIf cfg.enable {
- assertions = [
- {
- assertion = config.networking.networkmanager.enable;
- message = "NetworkManager is required";
- }
- ];
-
- # Spent three days trying to make this work but still getting "No SSO
- # handler" even on the HEAD version that 100% has SSO support baked in.
- # It's all so tiresome[1]... aaand KDE is not supported[2].
- #
- # I fucking hate AnyConnect, truly an example of how shit is is non-free
- # software. SAML also sucks balls. I also hate my company for using this
- # shit, guess I have no other choice but to use the absolute dogshit laptop
- # they gave me.
- #
- # [1]: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect
- # [1]: https://gitlab.com/openconnect/openconnect/-/issues/424
- # [2]: https://groups.google.com/g/linux.debian.bugs.dist/c/lK8u-LMY7n4
- # [2]: https://bugs.kde.org/show_bug.cgi?id=448153
-
- networking.networkmanager.plugins = with pkgs; [
- ((networkmanager-openconnect.override {
- withGnome = false;
- openconnect = openconnect.overrideAttrs (_: _: {
- version = "unstable-2022-10-23";
- src = fetchFromGitLab {
- owner = "openconnect";
- repo = "openconnect";
- rev = "acdfc753f7885b2a539f99036ac41ba1b78cc7ae";
- hash = "sha256-ub+Z4WFD77h5YMQTb+TLc7EyY2KjBWglF1QVTirCHJM=";
- };
- });
- })
- .overrideAttrs (_: super: {
- version = "unstable-2022-09-10";
- src = fetchFromGitLab {
- domain = "gitlab.gnome.org";
- owner = "GNOME";
- repo = "NetworkManager-openconnect";
- rev = "3c1590786518e9acca33c250660ad21cae565acd";
- hash = "sha256-YTUN46QHsHkXPAhImPG/MMLMqjlSRknapVO8u43nnWk=";
- };
- buildInputs =
- super.buildInputs
- ++ [
- (webkitgtk_4_1.override {
- inherit (gnome) libsoup;
- })
- ];
- nativeBuildInputs =
- super.nativeBuildInputs
- ++ [
- autoreconfHook
- ];
- postPatch = ''
- substituteInPlace configure.ac \
- --replace "PKG_CHECK_MODULES(LIBSECRET, libsecret-1 >= 0.18)" ""
- '';
- preAutoreconf = ''
- autoupdate
- '';
- preConfigure = ''
- NOCONFIGURE=x ./autogen.sh
- touch gtk4/nm-openconnect-dialog.ui
- '';
- }))
- ];
- };
-}
diff --git a/modules/common/beets.nix b/modules/nixos/beets.nix
index 83cbff1..83cbff1 100644
--- a/modules/common/beets.nix
+++ b/modules/nixos/beets.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 850d93e..8ac9a29 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -3,6 +3,7 @@ _: {
 ./acme.nix
 ./alertmanager.nix
 ./android.nix
+ ./beets.nix
 ./bluetooth.nix
 ./common
 ./discord.nix
@@ -21,6 +22,7 @@ _: {
 ./grafana.nix
 ./hydra.nix
 ./ipfs.nix
+ ./k3s.nix
 ./kde.nix
 ./libvirtd.nix
 ./lidarr.nix
@@ -29,6 +31,7 @@ _: {
 ./matrix
 ./monitoring
 ./mpd.nix
+ ./murmur.nix
 ./nextcloud.nix
 ./nginx.nix
 ./node-exporter.nix
diff --git a/modules/nixos/k3s.nix b/modules/nixos/k3s.nix
new file mode 100644
index 0000000..dcbd052
--- /dev/null
+++ b/modules/nixos/k3s.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.k3s;
+in {
+ options.nixfiles.modules.k3s = {
+ enable = mkEnableOption "K3s";
+ };
+
+ config = mkIf cfg.enable {
+ ark.directories = [
+ "/etc/rancher/k3s"
+ "/var/lib/rancher/k3s"
+ ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ };
+
+ systemd.services.k3s.environment = {
+ K3S_KUBECONFIG_OUTPUT = "/etc/rancher/k3s/k3s.yaml";
+ K3S_KUBECONFIG_MODE = "600";
+ };
+ };
+}
diff --git a/modules/nixos/murmur.nix b/modules/nixos/murmur.nix
new file mode 100644
index 0000000..cbd90d4
--- /dev/null
+++ b/modules/nixos/murmur.nix
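Review bot: `ark.directories` lists `/var/lib/rancher/k3s` with no note on what it contains; on a server node that tree holds the cluster CA private keys under `server/tls`, the node-join `server/token` and the datastore carrying every Kubernetes Secret, so whatever `ark` does with those paths (not visible in this hunk — worth confirming) inherits that sensitivity. A comment above the list would make the decision explicit, e.g. `# Holds CA keys, the join token and the cluster datastore — the ark target must be treated as secret.` The two `K3S_KUBECONFIG_*` values appear to restate k3s defaults (kubeconfig at that path, mode 0600); if they are there to pin behaviour against upstream changes a comment should say so, otherwise they can be dropped.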
@@ -0,0 +1,28 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.murmur;
+in {
+ options.nixfiles.modules.murmur.enable = mkEnableOption "Murmur";
+
+ config = mkIf cfg.enable {
+ secrets.murmur-environment = {
+ file = "${inputs.self}/secrets/murmur-environment";
+ owner = "murmur";
+ group = "murmur";
+ };
+
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ logDays = -1;
+ registerName = mkDefault my.domain.shire;
+ password = "$MURMUR_PASSWORD";
+ environmentFile = config.secrets."murmur-environment".path;
+ };
+ };
+}
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index d0ca777..67bec29 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -22,6 +22,7 @@ in {
 home.packages = with pkgs; [
 calibre
 imv
+ mumble
 neochat
 tdesktop
 tor-browser
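Review bot: `logDays = -1;` disables log pruning and `openFirewall = true;` exposes the service, but neither line says why; a murmur log typically records each client connection with its address, so indefinite retention is a privacy and disk-growth choice that deserves a comment such as `# -1 = never prune the log; connection records (client addresses) accumulate forever`. `password = "$MURMUR_PASSWORD";` presumably relies on the NixOS module expanding variables from `environmentFile` into the generated config — a short comment (`# expanded from environmentFile by the module`) would stop a reader taking it for a literal value. The secret is declared with `owner = "murmur"`, which presumes that user exists when the secret is installed; the ordering against the secrets module is not visible here and is worth confirming.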
@@ -33,18 +34,15 @@ in {
 boot = {
 kernelPackages = mkDefault pkgs.linuxPackages_latest;
- # There are (arguably) not a lot of reasons to keep mitigations enabled
- # for on machine that is not web-facing. First of all, to completely
- # mitigate any possible Spectre holes one would need to disable
- # Hyperthreading altogether which will essentially put one's computer into
- # the stone age by not being able to to effectively utilise multi-core its
- # multicore capabilities. Secondly, by enabling mitigations, we introduce
- # a plethora of performance overheads[1], which, albeit small, but still
- # contribute to the overall speed of things. This is however still poses a
- # security risk, which I am willing to take.
- #
- # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
- kernelParams = ["mitigations=off"];
+ kernelParams = [
+ # https://wiki.archlinux.org/title/improving_performance#Watchdogs
+ "nowatchdog"
+ "kernel.nmi_watchdog=0"
+ # A security risk I'm willing to take for a reason[1].
+ #
+ # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
+ "mitigations=off"
+ ];
 loader = {
 efi.canTouchEfiVariables = true;
|
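Review bot: The comment now above `"mitigations=off"` (`A security risk I'm willing to take for a reason[1]`) records no rationale, and the one the removed text gave — "not web-facing" — does not fit a headful profile whose package list in the previous hunk includes tor-browser: a browser executing untrusted JavaScript/WASM is exactly the setting where speculative-execution leaks are practical, so the comment should state what is being accepted, e.g. `# Disables every CPU vulnerability mitigation (Spectre v2, MDS, L1TF, ...) for desktop performance [1]; this host runs a browser, so in-process JS/WASM is the realistic attack vector — accepted knowingly.` `"kernel.nmi_watchdog=0"` looks like the sysctl key rather than a kernel command-line parameter — the boot form is `nmi_watchdog=0`, and `nowatchdog` already disables the hard-lockup detector — so it is probably ignored; if it is wanted at all, `boot.kernel.sysctl."kernel.nmi_watchdog" = 0;` is the NixOS way to set it. The enclosing `boot = {` attribute set continues past the hunk.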