NixOS + home-manager configs, mirrored from GitLab SaaS. gitlab.com/andreijiroh-dev/nixops-config

chore(global): more NixOS module porting chaos and some fixes bts

Signed-off-by: ajhalili2006 <ajhalili2006@gmail.com>

+159 -148
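--- a/hosts/lairland/configuration.nix
+++ b/hosts/lairland/configuration.nix
@@ -100,6 +100,7 @@
 };
 
 # agenix stuff
+nixops-config.secretOps.agenix.enable = true;
 age.reky.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.lairland;
 };
 }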
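Review bot: The line directly after the new enable flag sets `age.reky.hostPubkey`, while the option description in shared/options/agenix.nix refers to `rekey.hostPubkey`. If the upstream agenix-rekey module is the one imported, its option is `age.rekey.hostPubkey`, so this spelling would either fail evaluation or leave the host key unset now that agenix is switched on for this host. The same line appears in hosts/stellapent-cier/configuration.nix. Confirm which name the module declares and align both hosts, e.g. `age.rekey.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.lairland;`. The enclosing attribute set starts outside the hunk.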
+66 -69
hosts/live-cd/base.nix
··· 1 - { pkgs, nixpkgs, lib, config, ... }: 1 + { pkgs, nixpkgs, lib, config, self, ... }: 2 2 3 3 { 4 4 imports = [ 5 - ../../shared/nix.nix 6 - ../../shared/gnupg.nix 7 - ../../shared/locale.nix 8 - ../../shared/networking.nix 9 - ../../shared/systemd.nix 10 - ../../shared/shells/bash.nix 11 - ../../shared/shells/custom-prompts.nix 12 - ../../shared/1password.nix 13 - ../../shared/vscode/server.nix 14 - ../../shared/server/tailscale.nix 15 - ../../shared/desktop/yubikey.nix 5 + "${self}/shared/meta.nix" 16 6 "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" 17 7 "${nixpkgs}/nixos/modules/installer/cd-dvd/latest-kernel.nix" 18 8 ]; 19 - isoImage.showConfiguration = lib.mkDefault true; 20 - isoImage.configurationName = lib.mkDefault "(Linux ${config.boot.kernelPackages.kernel.version})"; 21 - #system.nixos.tags = [ "livecd" ]; 22 - #system.nixos.release = "unstable-rolling"; 23 - #system.nixos.codeName = "Rolling unstable Live CD builds via CI"; 24 9 25 - networking = { 26 - hostName = "multichaos-livecd"; 27 - networkmanager.enable = true; 28 - }; 10 + config = { 11 + isoImage.showConfiguration = lib.mkDefault true; 12 + isoImage.configurationName = lib.mkDefault "(Linux ${config.boot.kernelPackages.kernel.version})"; 13 + #system.nixos.tags = [ "livecd" ]; 14 + #system.nixos.release = "unstable-rolling"; 15 + #system.nixos.codeName = "Rolling unstable Live CD builds via CI"; 29 16 30 - # Enable sshd by default here 31 - systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; 17 + networking = { 18 + hostName = "multichaos-livecd"; 19 + networkmanager.enable = true; 20 + }; 32 21 33 - # Some of them are from different shared configs, but tweaked for general use 34 - # in the Live CD setup. 
35 - environment.defaultPackages = with pkgs; [ 36 - # nix utils 37 - direnv 38 - cachix 39 - devbox 40 - nixfmt 41 - nixfmt-tree 42 - nil 43 - nixd 22 + # Enable sshd by default here 23 + systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; 44 24 45 - # git tools 46 - gitFull 47 - gh 48 - glab 49 - fjo 25 + # Some of them are from different shared configs, but tweaked for general use 26 + # in the Live CD setup. 27 + environment.defaultPackages = with pkgs; [ 28 + # nix utils 29 + direnv 30 + cachix 31 + devbox 32 + nixfmt 33 + nixfmt-tree 34 + nil 35 + nixd 36 + 37 + # git tools 38 + gitFull 39 + gh 40 + glab 41 + fjo 50 42 51 - # dev utils 52 - wakatime-cli 53 - doppler 43 + # dev utils 44 + wakatime-cli 45 + doppler 54 46 55 - # system utils 56 - fastfetch 57 - byobu 58 - tmux 59 - htop 60 - btop 61 - ]; 47 + # system utils 48 + fastfetch 49 + byobu 50 + tmux 51 + htop 52 + btop 53 + ]; 62 54 63 - users.users.nixos = { 64 - description = "live CD user"; 65 - openssh = { 66 - authorizedKeys.keys = with import ../../shared/ssh-keys.nix; [ 67 - personal.y2022 68 - personal.campus-comlab 69 - personal.passwordless 70 - personal.rp.gildedguy 71 - work.recaptime-dev.crew 72 - sshid.personal.stellapent-cier 73 - sshid.personal.zarc 74 - fido2Keys.hackclub_yubikey.main 75 - fido2Keys.hackclub_yubikey.backup 76 - ]; 55 + users.users.nixos = { 56 + description = "live CD user"; 57 + openssh = { 58 + authorizedKeys.keys = with import ../../shared/ssh-keys.nix; [ 59 + personal.y2022 60 + personal.campus-comlab 61 + personal.passwordless 62 + personal.rp.gildedguy 63 + work.recaptime-dev.crew 64 + sshid.personal.stellapent-cier 65 + sshid.personal.zarc 66 + fido2Keys.hackclub_yubikey.main 67 + fido2Keys.hackclub_yubikey.backup 68 + ]; 69 + }; 77 70 }; 78 - }; 79 71 80 - services.tailscale.extraDaemonFlags = [ 81 - "--verbose=3" 82 - "--state=mem:" 83 - ]; 72 + services.tailscale.extraDaemonFlags = [ 73 + "--verbose=3" 74 + "--state=mem:" 75 + ]; 84 76 
85 - networking.networkmanager.wifi.powersave = false; 77 + networking.networkmanager.wifi.powersave = false; 78 + 79 + # Custom configs here 80 + nixops-config.secretOps.gnupg.enable = lib.mkDefault true; 81 + nixops-config.secretOps.agenix.enable = lib.mkForce false; 82 + }; 86 83 }
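Review bot: `systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]` makes every booted copy of this ISO listen for SSH, and nothing in the section pins how that daemon authenticates. The explicit imports are replaced by `"${self}/shared/meta.nix"`, whose contents are not visible here, and the installer profile's own SSH defaults are aimed at a console-driven install. State the policy next to the override, e.g. `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";`, so that only the listed `authorizedKeys` grant access. The key list also contains `personal.passwordless`, presumably a key without a passphrase; a short comment on why a live image trusts it would help the next reader.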
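--- a/hosts/live-cd/kde-plasma.nix
+++ b/hosts/live-cd/kde-plasma.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, nixpkgs, ... }:
+{ config, pkgs, lib, nixpkgs, self, ... }:
 
 {
 imports = [
@@ -8,13 +8,9 @@
 
 specialisation.plasma.configuration = {
 imports = [
-../../shared/appimages.nix
-../../shared/1password.nix
-../../shared/desktop/fonts.nix
 "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
-../../shared/desktop/kde-plasma.nix
-../../shared/desktop/firefox.nix
-../../shared/vscode/main.nix
+"${self}/shared/desktop/kde-plasma.nix"
+"${self}/shared/vscode/main.nix"
 ];
 isoImage.configurationName = "Plasma (Linux ${config.boot.kernelPackages.kernel.version})";
 };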
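--- a/hosts/portable/amd64/configuration.nix
+++ b/hosts/portable/amd64/configuration.nix
@@ -101,4 +101,8 @@
 
 system.nixos.tags = [ "portable-configs" "portable-amd64" ];
 };
+
+# Custom configs here
+nixops-config.secretOps.gnupg.enable = true;
+nixops-config.secretOps.agenix.enable = true;
 }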
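Review bot: The two `nixops-config.secretOps.*` lines are added after the `};` on line 103 rather than inside it. If that brace closes a top-level `config = { … }`, as the other files in this commit now use, the module system rejects plain option definitions placed beside `config`; the start of the block is outside the hunk, so check this against the full file and move the lines above the `};` if so. Separately, no `hostPubkey` line is visible here, unlike the lairland and stellapent-cier hosts, so a comment saying where a portable image gets the host key that agenix decrypts with would be useful.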
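--- a/hosts/stellapent-cier/configuration.nix
+++ b/hosts/stellapent-cier/configuration.nix
@@ -118,5 +118,7 @@
 programs.mtr.enable = true;
 
 # agenix stuff
+nixops-config.secretOps.agenix.enable = true;
 age.reky.hostPubkey = with import ../../shared/ssh-keys.nix; hosts.stellapent-cier;
+nixops-config.secretOps.gnupg.enable = lib.mkDefault true;
 }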
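--- a/shared/1password.nix
+++ b/shared/1password.nix
@@ -2,11 +2,12 @@
 config,
 lib,
 pkgs,
+self,
 ...
 }:
 {
 imports = [
-../options.nix
+"${self}/shared/options.nix"
 ];
 config = {
 programs._1password.enable = true;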
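--- a/shared/desktop/browsers.nix
+++ b/shared/desktop/browsers.nix
@@ -1,11 +1,10 @@
 { pkgs, config, lib, ... }:
 
 {
+imports = [
+./firefox.nix # firefox and friends go here
+];
 config = {
-imports = [
-./firefox.nix # firefox and friends go here
-];
-
 environment.systemPackages = with pkgs; [
 google-chrome
 # Commented out MS Edge due to sync issues with M365 school accounts atm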
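--- a/shared/desktop/firefox.nix
+++ b/shared/desktop/firefox.nix
@@ -1,17 +1,19 @@
 { pkgs, zen-browser, config, lib, ... }:
 
 {
-programs.firefox = {
-enable = true;
-nativeMessagingHosts.packages = with pkgs; [
-firefoxpwa
-# _1password-gui
-# gnupg
+config = {
+programs.firefox = {
+enable = true;
+nativeMessagingHosts.packages = with pkgs; [
+firefoxpwa
+# _1password-gui
+# gnupg
+];
+package = pkgs.firefox;
+};
+
+environment.systemPackages = [
+zen-browser.packages.${pkgs.system}.default
 ];
-package = pkgs.firefox;
 };
-
-environment.systemPackages = [
-zen-browser.packages.${pkgs.system}.default
-];
 }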
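--- a/shared/desktop/firewall.nix
+++ b/shared/desktop/firewall.nix
@@ -1,25 +1,27 @@
 { config, pkgs, lib, ... }:
 
 {
-# Open ports in the firewall.
-networking.firewall.allowedTCPPortRanges = [
-{ from = 1714; to = 1764; } # used by KDE Connect
-{ from = 3000; to = 3999; }
-{ from = 8000; to = 8999; }
-];
-networking.firewall.allowedUDPPortRanges = [
-{ from = 1714; to = 1764; } # used by KDE Connect
-{ from = 3000; to = 3999; }
-{ from = 8000; to = 8999; }
-];
-networking.firewall.allowedTCPPorts = [
-22
-80
-443
-];
-networking.firewall.allowedUDPPorts = [
-22
-80
-443
-];
+config = {
+# Open ports in the firewall.
+networking.firewall.allowedTCPPortRanges = [
+{ from = 1714; to = 1764; } # used by KDE Connect
+{ from = 3000; to = 3999; }
+{ from = 8000; to = 8999; }
+];
+networking.firewall.allowedUDPPortRanges = [
+{ from = 1714; to = 1764; } # used by KDE Connect
+{ from = 3000; to = 3999; }
+{ from = 8000; to = 8999; }
+];
+networking.firewall.allowedTCPPorts = [
+22
+80
+443
+];
+networking.firewall.allowedUDPPorts = [
+22
+80
+443
+];
+};
 }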
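Review bot: The rules being wrapped into `config` open TCP and UDP 3000-3999 and 8000-8999 on every interface, so whatever development server is bound in those ranges is reachable from any network the machine joins. `allowedUDPPorts` also lists 22 and 80, which SSH and plain HTTP do not use; 443/udp is only needed if QUIC is actually served. Consider scoping the ranges to a trusted interface with `networking.firewall.interfaces."<trusted-iface>".allowedTCPPortRanges` (placeholder interface name) and trimming the UDP list to what is really in use.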
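--- a/shared/desktop/fonts.nix
+++ b/shared/desktop/fonts.nix
@@ -1,17 +1,19 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 
 {
-# enable font dirs
-fonts = {
-fontDir.enable = true;
-packages = with pkgs; [
-dejavu_fonts
-cascadia-code
+config = {
+# enable font dirs
+fonts = {
+fontDir.enable = true;
+packages = with pkgs; [
+dejavu_fonts
+cascadia-code
 
-# nerd fonts (requires setting system.stateVersion to 25.05+)
-nerd-fonts.fira-code
-nerd-fonts.caskaydia-mono
-nerd-fonts.caskaydia-cove
-];
+# nerd fonts (requires setting system.stateVersion to 25.05+)
+nerd-fonts.fira-code
+nerd-fonts.caskaydia-mono
+nerd-fonts.caskaydia-cove
+];
+};
 };
 }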
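--- a/shared/desktop/kde-plasma.nix
+++ b/shared/desktop/kde-plasma.nix
@@ -7,19 +7,21 @@
 ./base.nix
 ];
 
-# Enable the KDE Plasma Desktop Environment.
-services.displayManager.sddm.enable = true;
-services.desktopManager.plasma6.enable = true;
+config = {
+# Enable the KDE Plasma Desktop Environment.
+services.displayManager.sddm.enable = true;
+services.desktopManager.plasma6.enable = true;
 
-# Also enable KDE Connect
-programs.kdeconnect.enable = true;
+# Also enable KDE Connect
+programs.kdeconnect.enable = true;
 
-# Manual override for pinentryPackage
-programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;
+# Manual override for pinentryPackage
+nixops-config.secretOps.gnupg.pinentryPkg = pkgs.pinentry-qt;
 
-environment.systemPackages = with pkgs; [
-kdePackages.krfb
-pinentry-qt
-kdePackages.kate
-];
+environment.systemPackages = with pkgs; [
+kdePackages.krfb
+pinentry-qt
+kdePackages.kate
+];
+};
 }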
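--- a/shared/gnupg.nix
+++ b/shared/gnupg.nix
@@ -6,7 +6,7 @@
 {
 config = lib.mkIf cfg.enable {
 programs.gnupg.agent = {
-agent = true;
+enable = true;
 enableSSHSupport = cfg.sshAgentIntegration;
 pinentryPackage = cfg.pinentryPkg;
 };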
-3
shared/options/agenix.nix
··· 1 1 { lib, config, options, pkgs, ... }: 2 2 3 3 { 4 - imports = [ 5 - ../options.nix 6 - ]; 7 4 options.nixops-config.secretOps.agenix = { 8 5 enable = lib.mkOption { 9 6 description = "Enable agenix and agenix-reky for this NixOS or home-manager config. Requires `rekey.hostPubkey` to be set.";
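--- a/shared/server/ssh.nix
+++ b/shared/server/ssh.nix
@@ -5,12 +5,13 @@
 config,
 pkgs,
 lib,
+self,
 ...
 }:
 
 {
 imports = [
-../options.nix
+"${self}/shared/options.nix"
 ];
 config = {
 services.openssh = {
@@ -31,9 +32,12 @@
 "hmac-sha2-256" # required for Cloudflare Access SSH via Browser Rendering
 ];
 };
-startAgent = true;
 };
+# Enable OpenSSH agent on login
+# https://search.nixos.org/options?channel=unstable&query=programs.ssh.&show=programs.ssh.startAgent
+programs.ssh.startAgent = true;
 
+# mosh support
 programs.mosh.enable = true;
 
 # disable hibernation and hybrid sleep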
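Review bot: `programs.ssh.startAgent = true;` in the second hunk now sits at a real option path (the removed `startAgent` line was apparently nested in the `services.openssh` block), and NixOS asserts that it cannot be combined with `programs.gnupg.agent.enableSSHSupport`. shared/gnupg.nix sets that option from `cfg.sshAgentIntegration`, whose default is not visible here, so any host that imports this module and turns on GnuPG SSH integration would fail evaluation. A guarded default such as `programs.ssh.startAgent = lib.mkDefault (!config.programs.gnupg.agent.enableSSHSupport);` keeps exactly one agent owning the SSH socket. The `config` block continues outside both hunks.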
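--- a/shared/systemd.nix
+++ b/shared/systemd.nix
@@ -21,9 +21,9 @@
 boot.initrd.systemd = {
 enable = true;
 extraBin = {
-bash = "${pkgs.bash}/bin/bash";
-utils = "${pkgs.busybox}/bin/busybox";
-umount = "${pkgs.util-linux}/bin/umount";
+bash = lib.mkForce "${pkgs.bash}/bin/bash";
+utils = lib.mkForce "${pkgs.busybox}/bin/busybox";
+umount = lib.mkForce "${pkgs.util-linux}/bin/umount";
 nano = "${pkgs.nano}/bin/nano";
 };
 };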
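Review bot: The three `lib.mkForce` wrappers override some other definition of the `bash`, `utils` and `umount` entries in `boot.initrd.systemd.extraBin` without saying where that definition comes from, and `nano` is left unforced. Since these binaries end up in the initrd, a one-line comment such as `# mkForce: <module> also defines these extraBin entries` would tell the next reader which definition loses and why. The module's argument list is outside the hunk, so also confirm that `lib` is bound there.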
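--- a/shared/vscode/main.nix
+++ b/shared/vscode/main.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+self,
 ...
 }:
 
@@ -14,7 +15,7 @@
 {
 imports = [
 ./server.nix
-../options.nix
+"${self}/shared/options.nix"
 ];
 
 config = {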
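--- a/shared/vscode/server.nix
+++ b/shared/vscode/server.nix
@@ -2,12 +2,13 @@
 config,
 pkgs,
 inputs,
+self,
 ...
 }:
 
 {
 imports = [
-../options.nix
+"${self}/shared/options.nix"
 ];
 config = {
 services.vscode-server = {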