From e8dbb049452e014fe89df34cb8f29e7c21c37666 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 30 Jan 2023 01:48:52 +0300 Subject: 2023-01-30 --- flake.lock | 159 +++++++++++++++++++----------- flake.nix | 42 ++++---- modules/nixfiles/aria2.nix | 3 +- modules/nixfiles/common/nix/default.nix | 1 - modules/nixfiles/common/shell/default.nix | 8 +- modules/nixfiles/firefox/default.nix | 18 +--- modules/nixfiles/mpv.nix | 4 - modules/nixos/bluetooth.nix | 2 + modules/nixos/common/ark.nix | 56 +++++++++++ modules/nixos/common/default.nix | 1 + modules/nixos/common/networking.nix | 8 +- modules/nixos/common/nix.nix | 4 +- modules/nixos/common/secrets.nix | 2 +- modules/nixos/common/security.nix | 12 ++- modules/nixos/common/systemd.nix | 6 ++ modules/nixos/common/users.nix | 3 + modules/nixos/games/minecraft.nix | 64 +++++++++--- modules/nixos/libvirtd.nix | 2 + modules/nixos/openssh.nix | 27 ++++- modules/nixos/profiles/default.nix | 3 + nixosConfigurations/eonwe/default.nix | 47 ++++----- nixosConfigurations/varda/default.nix | 7 ++ 22 files changed, 317 insertions(+), 162 deletions(-) create mode 100644 modules/nixos/common/ark.nix diff --git a/flake.lock b/flake.lock index 17afe17..2a7560b 100644 --- a/flake.lock +++ b/flake.lock @@ -262,11 +262,11 @@ ] }, "locked": { - "lastModified": 1665870395, - "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=", + "lastModified": 1675021904, + "narHash": "sha256-jkg8ZwPi0aYKxtaGvGXzxz14kGkGxMrdJZj2gGxRo3E=", "owner": "ryantm", "repo": "agenix", - "rev": "a630400067c6d03c9b3e0455347dc8559db14288", + "rev": "6d3a415637981b966f3bdb813aefcff405630a7f", "type": "github" }, "original": { 
@@ -299,11 +299,11 @@ ] }, "locked": { - "lastModified": 1672673185, - "narHash": "sha256-wnEJOjhwgoSHFnBQfGHkPefuUSvTegRYed6BUOguk9g=", + "lastModified": 1674385484, + "narHash": "sha256-sZ78pRCF5SXWq8/lIQ5bqED6wTQxY5waUBn+Jbu9J10=", "owner": "dwarfmaster", "repo": "arkenfox-nixos", - "rev": "b46b140fe8631e4bc26f80d04477691df2d84af2", + "rev": "9e799c371416daf163a8a54829aef4c1ae85c7bc", "type": "github" }, "original": { @@ -353,11 +353,11 @@ ] }, "locked": { - "lastModified": 1672753581, - "narHash": "sha256-EIi2tqHoje5cE9WqH23ZghW28NOOWSUM7tcxKE1U9KI=", + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "3db1d870b04b13411f56ab1a50cd32b001f56433", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "type": "github" }, "original": { @@ -434,11 +434,11 @@ ] }, "locked": { - "lastModified": 1672852603, - "narHash": "sha256-i5QlHEHG/T4Pp150a6cZe76EcgW/IePPiaRGcIyTBrE=", + "lastModified": 1675015755, + "narHash": "sha256-4orQ2IM5xKueh3lV9HUdM0P/0DBRo6TZEAVo73/dZSk=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "ed0045366fc3bcc7ecd3dccdbf66c2cfa979fe18", + "rev": "1d2409effbdebad47fb887ff6305f3da1fea5965", "type": "github" }, "original": { @@ -547,11 +547,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { 
@@ -564,11 +564,11 @@ "flake-registry": { "flake": false, "locked": { - "lastModified": 1661161594, - "narHash": "sha256-tu1KKNLw+v7ZOIUPGDE66tn9vEyhIAWiiJYZRGGev8E=", + "lastModified": 1674218164, + "narHash": "sha256-oLNWhwrV252kiy2tGQwwJNKFR+iG0fjsw0GSE/XVTR8=", "owner": "NixOS", "repo": "flake-registry", - "rev": "8634fb4e1db6c76ce037bc00ef80f9ebd2616476", + "rev": "507c028d8d189b6647592dfd10ee677578de45a1", "type": "github" }, "original": { @@ -642,11 +642,11 @@ ] }, "locked": { - "lastModified": 1672780900, - "narHash": "sha256-DxuSn6BdkZapIbg76xzYx1KhVPEZeBexMkt1q/sMVPA=", + "lastModified": 1674928308, + "narHash": "sha256-elVU4NUZEl11BdT4gC+lrpLYM8Ccxqxs19Ix84HTI9o=", "owner": "nix-community", "repo": "home-manager", - "rev": "54245e1820caabd8a0b53ce4d47e4d0fefe04cd4", + "rev": "08a778d80308353f4f65c9dcd3790b5da02d6306", "type": "github" }, "original": { @@ -656,6 +656,22 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1668668915, + "narHash": "sha256-QjY4ZZbs9shwO4LaLpvlU2bO9J1juYhO9NtV3nrbnYQ=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "5df9108b346f8a42021bf99e50de89c9caa251c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, "libnbtplusplus": { "flake": false, "locked": { @@ -675,11 +691,11 @@ "master": { "flake": false, "locked": { - "lastModified": 1670682948, - "narHash": "sha256-yFg8U4D+qD9UQXhpAXrl9Ksj16zrCLOgahMtT9QS2Y8=", + "lastModified": 1673196505, + "narHash": "sha256-YsQbH6bqp2I52meYf0X0DQpwLlDdu5pK9XHMT/9RqOg=", "owner": "arkenfox", "repo": "user.js", - "rev": "7135907b2fe13fa55eb8ebf162603037f83e353c", + "rev": "62a68f08147123b0c2c288ffdecc3f03e4ab1ae8", "type": "github" }, "original": { 
@@ -725,11 +741,11 @@ "ws-butler": "ws-butler" }, "locked": { - "lastModified": 1671758850, - "narHash": "sha256-B6us/CLIIPJRJgjn/hVp7N07j90kil4HmjUVj8TBhKE=", + "lastModified": 1674782939, + "narHash": "sha256-mf+RaqdCqqLraVVOQ5c8LRj+9ChnVzsUNlOjJSPdBbc=", "owner": "nix-community", "repo": "nix-doom-emacs", - "rev": "85a48dbec84e9c26785b58fecdefa1cfc580aea7", + "rev": "e92e5b6021b1ad4290e051111010ba51921507cd", "type": "github" }, "original": { @@ -739,6 +755,30 @@ "type": "github" } }, + "nix-minecraft": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1674956856, + "narHash": "sha256-u1DZQpUE3VepKxaEpcM6qz+bDCTb9muFPf0AcRdnuPI=", + "owner": "Infinidoge", + "repo": "nix-minecraft", + "rev": "0fe27d63d2801eb5fa430b534d6776d290450c6f", + "type": "github" + }, + "original": { + "owner": "Infinidoge", + "ref": "master", + "repo": "nix-minecraft", + "type": "github" + } + }, "nix-straight": { "flake": false, "locked": { @@ -757,11 +797,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1672644464, - "narHash": "sha256-RYlvRMcQNT7FDoDkViijQBHg9g+blsB+U6AvL/gAsPI=", + "lastModified": 1674550793, + "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ca29e25c39b8e117d4d76a81f1e229824a9b3a26", + "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103", "type": "github" }, "original": { @@ -773,11 +813,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1672756850, - "narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=", + "lastModified": 1674958881, + "narHash": "sha256-p1E20TGSgzs+EUhRPMe6fyZIxUV6CbcwilZEzy+XmAk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "298add347c2bbce14020fcb54051f517c391196b", + "rev": "a0feb36dc510bfa8f8809980a8230617fb9eb618", "type": "github" }, "original": { 
@@ -789,11 +829,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1672874841, - "narHash": "sha256-CKr3mOiSYm8H5bg7q1hb0TE9tDHSmqZPNzVAfNmmazE=", + "lastModified": 1675023360, + "narHash": "sha256-IGXCr47L9OQaZkzyogT/4SlljkueU/+on5u8VOeKQ78=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62f7bf5a13149097694e84cff1e928a97a39741b", + "rev": "dc9441ccc34a5cb56d09ebbe82aa4225a2e3d91d", "type": "github" }, "original": { @@ -805,11 +845,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1672844754, - "narHash": "sha256-o26WabuHABQsaHxxmIrR3AQRqDFUEdLckLXkVCpIjSU=", + "lastModified": 1675018232, + "narHash": "sha256-sN98tnO63DXhDX1BAfrLu+7z1ZEW51jEsk3ErmMmUaI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e9ade2c8240e00a4784fac282a502efff2786bdc", + "rev": "a296508344909b1251442a1e38d9c4080c9bf7c0", "type": "github" }, "original": { @@ -871,11 +911,11 @@ }, "nur": { "locked": { - "lastModified": 1672875891, - "narHash": "sha256-5A4e/Uc6aWQmMsYnMOffLg766weMfCakxo2AnQXrJco=", + "lastModified": 1674999880, + "narHash": "sha256-mmALt2MFFLsJj0wddOxLqTg453wtPskS00U1TD120FA=", "owner": "nix-community", "repo": "NUR", - "rev": "e14930ece703757a928cb62327d4157bb30a7a90", + "rev": "1955f5e2c384d156efcc0b4ce7a0f635c3ea0997", "type": "github" }, "original": { @@ -904,11 +944,11 @@ "org": { "flake": false, "locked": { - "lastModified": 1670680538, - "narHash": "sha256-afmN2tOY6Par235bVsqhtFHOSVyw4NBgTxI5Eo6Yk5A=", + "lastModified": 1673519709, + "narHash": "sha256-XtGk32Lw2iGDgH5Q4Rjhig0Iq5hpIM0EKQoptJ+nT3k=", "owner": "emacs-straight", "repo": "org-mode", - "rev": "42153ea2fec66f90c1623be25d6774d96ecf8062", + "rev": "ecb62e2e317b1a4b5b8a6c0f111ed7ef18413040", "type": "github" }, "original": { 
@@ -1007,11 +1047,11 @@ ] }, "locked": { - "lastModified": 1672734157, - "narHash": "sha256-uwUBnv0bN1SO4QVIo8KUx/jxRYCy7cW8kzZa+Qsrw9k=", + "lastModified": 1674761200, + "narHash": "sha256-v0ypL0eDhFWmgd3f5nnbffaMA5BUoOnYUiEso7fk+q0=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "d0ce0a861260493c6c21f16f59d25076f73cb931", + "rev": "8539119ba0b17b15e60de60da0348d8c73bbfdf2", "type": "github" }, "original": { @@ -1024,11 +1064,11 @@ "revealjs": { "flake": false, "locked": { - "lastModified": 1670408834, - "narHash": "sha256-2LG8/AwMC+caNK9DKDyVGw+EPT2W6ys177xQj7mdKng=", + "lastModified": 1674652670, + "narHash": "sha256-ViqeZlOjQTlY0KM7YcOOjdgkxRLPMZrRKXTqtyc1I00=", "owner": "hakimel", "repo": "reveal.js", - "rev": "4fe3946cb43de57f79aaa7b646aee7e78f4bcc75", + "rev": "b1a9842b2f4544a2fda546383db38cc7a81f6b74", "type": "github" }, "original": { @@ -1049,7 +1089,9 @@ "flake-registry": "flake-registry", "flake-utils": "flake-utils", "home-manager": "home-manager", + "impermanence": "impermanence", "nix-doom-emacs": "nix-doom-emacs", + "nix-minecraft": "nix-minecraft", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", @@ -1082,6 +1124,9 @@ "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", + "flake-compat": [ + "flake-compat" + ], "nixpkgs": [ "nixpkgs" ], @@ -1093,11 +1138,11 @@ ] }, "locked": { - "lastModified": 1671659164, - "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=", + "lastModified": 1671738303, + "narHash": "sha256-PRgqtaWf2kMSYqVmcnmhTh+UsC0RmvXRTr+EOw5VZUA=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd", + "rev": "6d0d9fb966cc565a3df74d3b686f924c7615118c", "type": "gitlab" }, "original": { 
@@ -1126,11 +1171,11 @@ "ts-fold": { "flake": false, "locked": { - "lastModified": 1671426601, - "narHash": "sha256-NrvSK+olbi4P+9q5KOomNHGgmrRtI9cW9ZqkdU4n0Sc=", + "lastModified": 1673328482, + "narHash": "sha256-6yQ35uJDAK531QNQZgloQaOQayRa8azOlOMbO8lXsHE=", "owner": "jcs-elpa", "repo": "ts-fold", - "rev": "a64f5252a66253852bef1c627cea9e39928e6392", + "rev": "75d6f9ed317b042b5bc7cb21503596d1c7a1b8c0", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index ba845a4..4f3eacb 100644 --- a/flake.nix +++ b/flake.nix @@ -66,6 +66,13 @@ }; }; + impermanence = { + type = "github"; + owner = "nix-community"; + repo = "impermanence"; + ref = "master"; + }; + emacs-overlay = { type = "github"; owner = "nix-community"; @@ -98,30 +105,16 @@ }; }; - # nil = { - # type = "github"; - # owner = "oxalica"; - # repo = "nil"; - # ref = "main"; - # inputs = { - # flake-utils.follows = "flake-utils"; - # nixpkgs.follows = "nixpkgs"; - # }; - # }; - - # NOTE This[1] is annoying. - # - # [1]: https://github.com/NixOS/nix/pull/6983#issuecomment-1234335417 - # nix-minecraft-servers = { - # type = "github"; - # owner = "jyooru"; - # repo = "nix-minecraft-servers"; - # ref = "main"; - # inputs = { - # nixpkgs.follows = "nixpkgs"; - # utils.inputs.flake-utils.follows = "flake-utils"; - # }; - # }; + nix-minecraft = { + type = "github"; + owner = "Infinidoge"; + repo = "nix-minecraft"; + ref = "master"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-utils.follows = "flake-utils"; + }; + }; pollymc = { type = "github"; @@ -151,6 +144,7 @@ repo = "nixos-mailserver"; ref = "master"; inputs = { + flake-compat.follows = "flake-compat"; nixpkgs-22_11.follows = "nixpkgs-stable"; nixpkgs.follows = "nixpkgs"; utils.follows = "flake-utils"; diff --git a/modules/nixfiles/aria2.nix b/modules/nixfiles/aria2.nix index 9e72176..f33acb9 100644 --- a/modules/nixfiles/aria2.nix +++ b/modules/nixfiles/aria2.nix 
@@ -7,8 +7,7 @@ with lib; let cfg = config.nixfiles.modules.aria2; in { - options.nixfiles.modules.aria2.enable = - mkEnableOption "aria2"; + options.nixfiles.modules.aria2.enable = mkEnableOption "aria2"; config = mkIf cfg.enable { hm.programs.aria2 = { diff --git a/modules/nixfiles/common/nix/default.nix b/modules/nixfiles/common/nix/default.nix index 436ce15..2cbb86a 100644 --- a/modules/nixfiles/common/nix/default.nix +++ b/modules/nixfiles/common/nix/default.nix @@ -119,7 +119,6 @@ with lib; { })) emacs-overlay.overlay nur.overlay - # nil.overlays.default ]; environment.systemPackages = with pkgs; diff --git a/modules/nixfiles/common/shell/default.nix b/modules/nixfiles/common/shell/default.nix index 9425578..6ed8ff0 100644 --- a/modules/nixfiles/common/shell/default.nix +++ b/modules/nixfiles/common/shell/default.nix @@ -35,8 +35,8 @@ with lib; { GRC_ALIASES=true source ${pkgs.grc}/etc/profile.d/grc.sh - if [ -z $_PROFILE_SOURCED ] && [ -f $HOME/.profile ]; then - source $HOME/.profile + if [ -z "$_PROFILE_SOURCED" ] && [ -f "$HOME/.profile" ]; then + source "$HOME/.profile" fi ''; @@ -75,9 +75,7 @@ with lib; { progressBar = optionalString this.isHeadful "--progress-bar"; in [ - (mkAlias { - command = ["cp" "--interactive" "--recursive" progressBar]; - }) + (mkAlias {command = ["cp" "--interactive" "--recursive" progressBar];}) (mkAlias {command = ["mv" "--interactive" progressBar];}) (mkAlias {command = ["rm" "--interactive=once"];}) (mkAlias {command = ["ln" "--interactive"];}) diff --git a/modules/nixfiles/firefox/default.nix b/modules/nixfiles/firefox/default.nix index cd651a6..8b51db7 100644 --- a/modules/nixfiles/firefox/default.nix +++ b/modules/nixfiles/firefox/default.nix 
@@ -83,23 +83,7 @@ in {
 };
 };
 };
- "0200" = {
- enable = true;
- "0204" = {
- enable = true;
- "browser.search.region" = {
- enable = true;
- value = "US";
- };
- };
- "0210" = {
- enable = true;
- "intl.accept_languages" = {
- enable = true;
- value = "en-US, en";
- };
- };
- };
+ "0200".enable = true;
 "0300".enable = true;
 "0400" = {
 enable = false;
diff --git a/modules/nixfiles/mpv.nix b/modules/nixfiles/mpv.nix
index 2072bc6..afab1dd 100644
--- a/modules/nixfiles/mpv.nix
+++ b/modules/nixfiles/mpv.nix
@@ -14,8 +14,6 @@ in {
 mpv = {
 enable = true;
- # This is so dumb. And people still wonder why NixOS is so inacessable
- # to outsiders.
 package = with pkgs; wrapMpv mpv-unwrapped {
 scripts = with mpvScripts; [
@@ -74,7 +72,6 @@ in {
 cursor-autohide = 1000;
 force-seekable = "no";
 fullscreen = true;
- load-unsafe-playlists = true;
 msg-color = true;
 msg-module = true;
 prefetch-playlist = true;
@@ -123,7 +120,6 @@ in {
 ytdl = true;
 ytdl-raw-options = ''sub-lang="${lang}",write-sub='';
- ytdl-format = "(bestvideo[height<=?1080][fps<=?60][protocol!=http_dash_segments])+(bestaudio[acodec=opus]/bestaudio)/best";
 };
 };
diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix
index 8347361..cf92179 100644
--- a/modules/nixos/bluetooth.nix
+++ b/modules/nixos/bluetooth.nix
@@ -11,6 +11,8 @@ in {
 mkEnableOption "Bluetooth support";
 config = mkIf cfg.enable {
+ ark.directories = ["/var/lib/bluetooth"];
+
 hardware.bluetooth = {
 enable = true;
 settings.General.FastConnectable = true;
diff --git a/modules/nixos/common/ark.nix b/modules/nixos/common/ark.nix
new file mode 100644
index 0000000..3a12050
--- /dev/null
+++ b/modules/nixos/common/ark.nix
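Review bot: Dropping the explicit `browser.search.region` and `intl.accept_languages` overrides is not explained anywhere in the change: with `"0200".enable = true` those prefs now fall back to whatever the pinned arkenfox `user.js` sets for section 0200, and since this commit also bumps that input in flake.lock, region and Accept-Language behavior can shift again on the next update without any visible edit in this file. A one-line comment keeps the decision reviewable, e.g. `# 0200: rely on arkenfox defaults for region/language; the explicit en-US override was dropped on purpose.` The enclosing attribute set starts and ends outside the hunk.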
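Review bot: `/var/lib/bluetooth` holds the pairing link keys, and the bare-string form of `ark.directories` gives impermanence no owner or mode for the bind-mounted directory, so the persisted copy is created with the module's defaults; if those are wider than what bluetoothd itself uses, the keys end up readable by local users on the persistent volume. The same applies to the directories added in networking.nix (`/etc/NetworkManager/system-connections` and `/var/lib/iwd`, which store Wi-Fi credentials) and in libvirtd.nix (`/var/lib/libvirt`). The attribute-set form pins the mode, e.g. `ark.directories = [{ directory = "/var/lib/bluetooth"; mode = "0700"; }];` — worth confirming against the impermanence revision pinned in flake.lock that its `directories` entries accept `mode`. The `config = mkIf cfg.enable {` block continues past the hunk.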
@@ -0,0 +1,56 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.ark;
+in {
+ imports = [
+ (mkAliasOptionModule ["ark"] ["nixfiles" "modules" "ark"])
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.nixfiles.modules.ark = let
+ mkListOfAnythingOption = mkOption {
+ type = with types; listOf anything; # Assumed to be matching with the upstream type.
+ default = [];
+ };
+ in {
+ enable = mkEnableOption "persistent storage support via impermanence";
+
+ path = mkOption {
+ type = types.str;
+ default = "/ark";
+ };
+
+ directories = mkListOfAnythingOption;
+ files = mkListOfAnythingOption;
+ # hm = {
+ # directories = mkListOfAnythingOption;
+ # files = mkListOfAnythingOption;
+ # };
+ };
+
+ config = mkIf cfg.enable {
+ environment.persistence.${cfg.path} = {
+ hideMounts = true;
+ enableDebugging = false;
+ inherit (cfg) directories files;
+ };
+
+ # NOTE We can't reliably[1] use this, so for the time being, this will stay
+ # commented out. Probably forever.
+ #
+ # [1]: https://github.com/nix-community/impermanence/issues/18
+ #
+ # hm = {
+ # imports = [inputs.impermanence.nixosModules.home-manager.impermanence];
+ # home.persistence."${cfg.path}/${config.my.home}" = {
+ # allowOther = false;
+ # inherit (cfg.hm) directories files;
+ # };
+ # };
+ };
+}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 8724c8b..54f8f51 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -1,5 +1,6 @@
 _: {
 imports = [
+ ./ark.nix
 ./console.nix
 ./documentation.nix
 ./home-manager.nix
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index 0c44159..8d94a4e 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
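Review bot: None of the new options carries a `description`, and `directories`/`files` are typed `listOf anything` (the inline comment admits this is only assumed to match upstream), so a misspelled key in an entry is accepted by this module and only surfaces, if at all, from impermanence's own checks. Descriptions keep the aliased `ark.*` options self-documenting in generated option docs: `description = "Directories to persist under the ark path.";`, `description = "Files to persist under the ark path.";`, and on `path` something like `description = "Mount point of the persistent volume.";`. `path` is typed `types.str` but is used as a filesystem path in `environment.persistence.${cfg.path}`; `types.path` would reject a relative value at evaluation time instead of producing an odd mount. `hideMounts = true` is the right default for these bind mounts.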
@@ -12,6 +12,10 @@ in {
 mkEnableOption "custom networking settings";
 config = mkIf (!cfg.onlyDefault) {
+ ark.directories = with config.networking;
+ optional networkmanager.enable "/etc/NetworkManager/system-connections"
+ ++ optional wireless.iwd.enable "/var/lib/iwd";
+
 # TODO Support multiple interfaces and IP addresses.
 networking = mkMerge [
 {
@@ -20,8 +24,8 @@ in {
 hostName = this.hostname;
 hostId = substring 0 8 (builtins.hashString "md5" this.hostname);
- # Remove default hostname mappings. This is required at least by the current
- # implementation of the montoring module.
+ # Remove default hostname mappings. This is required at least by the
+ # current implementation of the monitoring module.
 hosts = {
 "127.0.0.2" = mkForce [];
 "::1" = mkForce [];
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
index 71f62fd..48c52b3 100644
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@@ -21,10 +21,10 @@ in {
 config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
 overlays = with inputs; [
- agenix.overlay
+ agenix.overlays.default
+ nix-minecraft.overlay
 pollymc.overlay
 xmonad-ng.overlays.default
- # nix-minecraft-servers.overlays.default
 ];
 };
diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
index 4fcdc61..c229882 100644
--- a/modules/nixos/common/secrets.nix
+++ b/modules/nixos/common/secrets.nix
@@ -8,7 +8,7 @@
 }:
 with lib; {
 imports = [
- inputs.agenix.nixosModule
+ inputs.agenix.nixosModules.default
 (mkAliasOptionModule ["secrets"] ["age" "secrets"])
 ];
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 09c5da1..d146cee 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -9,17 +9,21 @@ with lib; {
 enable = true;
 execWheelOnly = true;
 wheelNeedsPassword = false;
- # https://mwl.io/archives/1000
 extraConfig = ''
- Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
+ Defaults lecture=never
 '';
 };
 polkit = {
 enable = true;
- # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
 extraConfig = ''
- polkit.addRule(function (action, subject) {
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
 if (subject.isInGroup('wheel')) return polkit.Result.YES;
 });
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 5c7282d..c1b2539 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,4 +1,10 @@
 {pkgs, ...}: {
+ ark = {
+ # FIXME Enable on a fresh system!
+ # files = ["/etc/machine-id"];
+ directories = ["/var/lib/systemd/coredump"];
+ };
+
 hm.systemd.user.startServices = "sd-switch";
 services.journald.extraConfig = ''
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 22e8023..400bf33 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,5 +1,8 @@
 {lib, ...}:
 with lib; {
+ # TODO Enable on a fresh system.
+ # ark.directories = [config.my.home];
+
 users = {
 mutableUsers = false;
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 7b21195..09b9239 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -1,5 +1,6 @@
 {
 config,
+ inputs,
 lib,
 pkgs,
 ...
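Review bot: The new comment describes the polkit rule as the equivalent of `sudo NOPASSWD:`, but the rule is broader than the sudo block above it: `execWheelOnly` only restricts who may run the sudo binary at all, whereas `polkit.Result.YES` here is returned for every wheel member regardless of whether the subject is a local, active session, so a wheel account reached over SSH, or a service running as that user, gets the same password-free grant for any action. If that is not intended, `if (subject.isInGroup('wheel') && subject.local && subject.active) return polkit.Result.YES;` limits it to the seat-local active session and the comment should say so. The sudo `extraConfig` change also stops keeping `SSH_AUTH_SOCK` across sudo, which is a tightening worth recording so it is not reintroduced, e.g. `# SSH_* variables are deliberately not kept across sudo.` next to `Defaults lecture=never`. The surrounding `security` attribute set continues outside the hunk.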
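Review bot: Persisting `/var/lib/systemd/coredump` keeps full process memory images across reboots on the `ark` volume, and core dumps routinely contain whatever the crashed process held in memory (tokens, passphrases, decrypted secrets), yet nothing in the hunk bounds the directory, so the only limit is systemd-coredump's own default. If the intent is to inspect crashes after a reboot, pairing the entry with a cap such as `systemd.coredump.extraConfig = "MaxUse=1G\nKeepFree=2G";` (constructed values) and a comment stating that intent keeps the retention deliberate; otherwise a `# Core dumps are persisted for post-reboot debugging; they may contain secrets.` comment at least documents the trade-off. The rest of the module is outside the hunk.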
@@ -7,11 +8,19 @@ with lib; let
 cfg = config.nixfiles.modules.games.minecraft;
 in {
+ imports = [inputs.nix-minecraft.nixosModules.minecraft-servers];
+
 options.nixfiles.modules.games.minecraft = {
 client.enable = mkEnableOption "Minecraft client";
 server = {
 enable = mkEnableOption "Minecraft server";
+ port = mkOption {
+ description = "OpenSSH server port.";
+ type = types.port;
+ default = 50505; # Keeping 25565 as the default is a big security risk.
+ };
+
 memory = mkOption {
 description = "Amount of RAM to allocate.";
 type = types.str;
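Review bot: The `port` option's `description` reads `"OpenSSH server port."`, which looks copied from openssh.nix; it should be `description = "Minecraft server port.";`. The trailing comment on `default = 50505` overstates what a non-default port buys: it reduces scanner noise, while the actual exposure is decided by `openFirewall` and `online-mode` in the server block that follows, so `# Non-default port to cut down on scanner noise; not a security boundary.` sets the right expectation. The option set continues past the hunk.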
@@ -25,26 +34,53 @@ in {
 hm.home.packages = with pkgs; [prismlauncher];
 })
 (mkIf cfg.server.enable {
- # Configurations, opslist, whitelist and plugins are managed imperatively.
- # TODO Make it declarative.
- services.minecraft-server = {
+ nixfiles.modules.common.nix.allowedUnfreePackages = ["minecraft-server"];
+
+ ark.directories = [config.services.minecraft-servers.dataDir];
+
+ services.minecraft-servers = {
 enable = true;
 eula = true;
- package = pkgs.minecraftServers.purpur_1_19_3;
+ openFirewall = true;
+
+ servers.default = {
+ enable = true;
+ autoStart = true;
+
+ package = pkgs.paperServers.paper-1_19_3;
+
+ serverProperties = {
+ # motd = "";
+ # white-list = true;
+ allow-flight = true;
+ difficulty = "hard";
+ enable-command-block = true;
+ enforce-secure-profile = false;
+ enforce-whitelist = true;
+ gamemode = "survival";
+ level-name = "default";
+ max-players = 8;
+ online-mode = false;
+ previews-chat = false;
+ pvp = false;
+ server-port = cfg.server.port;
+ snooper-enabled = false;
+ };
+
+ whitelist = {}; # TODO Fill this.
- # TODO Make a PR fixing trailing whitespace on this.
- jvmOpts =
- (concatStringsSep " " [
- "-Xmx${cfg.server.memory}"
- "-Xms${cfg.server.memory}"
- "--add-modules=jdk.incubator.vector"
- ])
- + " ";
+ jvmOpts =
+ (concatStringsSep " " [
+ "-Xms${cfg.server.memory}"
+ "-Xmx${cfg.server.memory}"
+ "--add-modules=jdk.incubator.vector" # Required by some plugins.
+ ])
+ + " ";
+ };
 };
- # Defined in /var/lib/minecraft/server.properties.
- networking.firewall.allowedTCPPorts = [55565];
+ my.extraGroups = [config.services.minecraft-servers.group];
 })
 ];
 }
diff --git a/modules/nixos/libvirtd.nix b/modules/nixos/libvirtd.nix
index 58dfc50..a246c98 100644
--- a/modules/nixos/libvirtd.nix
+++ b/modules/nixos/libvirtd.nix
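Review bot: `online-mode = false` turns off Mojang/Microsoft account verification, so the server accepts any client under any claimed username; with `openFirewall = true` and `white-list` left commented out (so `enforce-whitelist = true` and the empty `whitelist = {}` have nothing to enforce), the server is reachable from anywhere and anyone can join under a name that would otherwise be trusted, and `enforce-secure-profile = false` additionally drops the signed-chat requirement. Unless offline mode is required for a specific proxy setup, `online-mode = true;` and `white-list = true;` (with the whitelist filled, as the TODO says) are the two lines that make the rest of this block meaningful; if offline mode is deliberate, a comment stating why and what sits in front of the server belongs next to it. `my.extraGroups = [config.services.minecraft-servers.group]` also gives the interactive user write access to the persisted data directory, which is fine for administration but means anything running as that user can edit `server.properties` — worth a one-line comment. The enclosing `config = mkMerge [` list begins before the hunk.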
@@ -10,6 +10,8 @@ in {
 options.nixfiles.modules.libvirtd.enable = mkEnableOption "libvirtd";
 config = mkIf cfg.enable {
+ ark.directories = ["/var/lib/libvirt"];
+
 hm.home.packages = with pkgs; [
 qemu-utils
 quickemu
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 36b85f8..0cd44bd 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,15 +18,36 @@ in {
 };
 config = mkIf cfg.server.enable {
+ # TODO Enable on a fresh system.
+ # ark = {
+ # files = [
+ # "/etc/ssh/ssh_host_ed25519_key"
+ # "/etc/ssh/ssh_host_ed25519_key.pub"
+ # "/etc/ssh/ssh_host_rsa_key"
+ # "/etc/ssh/ssh_host_rsa_key.pub"
+ # ];
+ # directories = ["/etc/ssh/authorized_keys.d"];
+ # };
+
 programs.mosh.enable = true;
 services = {
 openssh = {
 enable = true;
 ports = [cfg.server.port];
- logLevel = "VERBOSE"; # Required by fail2ban.
- permitRootLogin = mkForce "no";
- passwordAuthentication = false;
+ settings = {
+ AllowUsers = my.username;
+ ClientAliveCountMax = 3;
+ ClientAliveInterval = 60;
+ KbdInteractiveAuthentication = false;
+ LogLevel =
+ if config.nixfiles.modules.fail2ban.enable
+ then "VERBOSE"
+ else "ERROR";
+ MaxAuthTries = 3;
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
 };
 fail2ban.jails.sshd = ''
diff --git a/modules/nixos/profiles/default.nix b/modules/nixos/profiles/default.nix
index d5ab838..23eb455 100644
--- a/modules/nixos/profiles/default.nix
+++ b/modules/nixos/profiles/default.nix
@@ -15,6 +15,9 @@ in {
 ];
 config = mkIf cfg.enable {
+ # FIXME Enable on a fresh system!
+ # ark.directories = ["/var/log"];
+
 programs.less = {
 enable = true;
 envVariables.LESSHISTFILE = "-";
diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix
index f07aad3..8889120 100644
--- a/nixosConfigurations/eonwe/default.nix
+++ b/nixosConfigurations/eonwe/default.nix
@@ -7,6 +7,8 @@
 }:
 with lib; {
 nixfiles.modules = {
+ ark.enable = true;
+
 wireguard.client.enable = true;
 syncthing.enable = true;
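Review bot: The `LogLevel` fallback `else "ERROR"` sits below OpenSSH's default of `INFO`, so on hosts without fail2ban sshd stops recording accepted logins and ordinary authentication failures — exactly the events an incident review needs; `else "INFO"` keeps that record, and `VERBOSE` is only needed for the key-fingerprint lines fail2ban matches on. `AllowUsers = my.username;` assigns a bare string, while upstream's `services.openssh.settings.AllowUsers` is typed as a list of user names in recent nixpkgs; if the pinned nixpkgs carries that typing this needs `AllowUsers = [my.username];`, and `my` itself is not visible as a binding in this hunk, so its origin is worth confirming. The commented-out `ark` block for the host keys becomes important once `/` is ephemeral, because regenerated host keys on every boot change the host identity for every client; a `# Host keys regenerate on each boot until this is enabled.` line next to the TODO makes that consequence explicit. The `config = mkIf cfg.server.enable {` block continues past the hunk.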
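Review bot: `ark.enable = true` switches on the impermanence bind mounts for this host, but the entries that would persist the SSH host keys, the home directory and `/var/log` are still commented out in openssh.nix, users.nix and profiles/default.nix behind "enable on a fresh system" markers; whether that is safe depends on whether eonwe's `/` is actually rolled back at boot, which this hunk does not show. A comment next to `ark.enable = true;` stating the current state would make that reviewable, e.g. `# Root is not yet ephemeral on this host; only the opt-in paths are bind-mounted so far.` if that is the case. The `nixfiles.modules` set continues past the hunk.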
@@ -23,19 +25,24 @@ with lib; { discord.enable = true; libvirtd.enable = true; qutebrowser.enable = true; + mpd.enable = true; }; - hm.programs = { - # NOTE This produces very poor performance even though RX 6750 XT should - # handle VA-API hardware decoding for all major formats (including AV1) just - # fine. - firefox.profiles.default.settings."media.ffmpeg.vaapi.enabled" = false; + hm = { + home.packages = with pkgs; [obs-studio]; + + programs = { + # NOTE This produces very poor performance even though RX 6750 XT should + # handle VA-API hardware decoding for all major formats (including AV1) just + # fine. + firefox.profiles.default.settings."media.ffmpeg.vaapi.enabled" = false; - # Mostly just placebo. :^) - mpv.config = { - hwdec = "vdpau"; - vo = "gpu"; - profile = "gpu-hq"; + # Mostly just placebo. :^) + mpv.config = { + hwdec = "vdpau"; + vo = "gpu"; + profile = "gpu-hq"; + }; }; }; @@ -49,6 +56,10 @@ with lib; { ''; boot = { + # TODO Override Xanmod kernel to support ZFS. This probably will require + # some patching and whatnot. + kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + # Silence benign MCE errors: # ``` # mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 29: ffffffffffffffff @@ -61,22 +72,6 @@ with lib; { initrd.kernelModules = ["nvme"]; }; - # TODO Immutable `/' shire on ZFS datasets and snapshots. - # - # Opt-in: - # - /etc/NetworkManager - # - /etc/ssh - # - /home - # - /var/lib/bluetooth - # - /var/lib/iwd - # - /var/lib/log - # - # Investigate: - # - /var/lib/NetworkManager - # - /var/lib/cni - # - /var/lib/containers - # - /var/lib/qemu - fileSystems = { "/boot" = { device = "/dev/disk/by-uuid/FF1E-9CFD"; diff --git a/nixosConfigurations/varda/default.nix b/nixosConfigurations/varda/default.nix index f08194e..e3a0d60 100644 --- a/nixosConfigurations/varda/default.nix +++ b/nixosConfigurations/varda/default.nix 
@@ -51,6 +51,13 @@ with lib; { } ]; + # TODO + services.k3s = { + enable = false; + role = "server"; + extraFlags = "--disable traefik"; + }; + zramSwap = { enable = true; memoryPercent = 25; -- cgit v1.2.3