2025-01-29 21:33:37 +01:00
commit a2247c5b26
30 changed files with 1036 additions and 0 deletions

4
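--- a/.helix/languages.toml
+++ b/.helix/languages.toml
@@ -0,0 +1,4 @@
+[[language]]
+name = "nix"
+auto-format = true
+formatter = { command = "nixfmt" }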

307
flake.lock generated Normal file

@@ -0,0 +1,307 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736711425,
"narHash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8=",
"owner": "nix-community",
"repo": "disko",
"rev": "f720e64ec37fa16ebba6354eadf310f81555cc07",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1736785676,
"narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1736688610,
"narHash": "sha256-1Zl9xahw399UiZSJ9Vxs1W4WRFjO1SsNdVZQD4nghz0=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "c64bed13b562fc3bb454b48773d4155023ac31b7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1736643958,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1737057290,
"narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1737751639,
"narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1736657626,
"narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1736883708,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
"disko": "disko",
"home-manager": "home-manager_2",
"impermanence": "impermanence",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

149
flake.nix Normal file

@@ -0,0 +1,149 @@
{
description = "rpqt's Nix configs";
outputs =
inputs@{
nixpkgs,
deploy-rs,
home-manager,
impermanence,
nixos-generators,
nixos-hardware,
self,
...
}:
{
nixosConfigurations = {
# Hetzner VPS
crocus = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
inherit (import ./parts) keys;
};
system = "x86_64-linux";
modules = [
./hosts/crocus
./system
];
};
# Raspberry Pi 4
genepi = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
inherit (import ./parts) keys;
};
system = "aarch64-linux";
modules = [
home-manager.nixosModules.home-manager
./system
./hosts/genepi
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.rpqt = ./hosts/genepi/home.nix;
}
];
};
};
# Raspberry Pi 4 installer ISO.
packages.aarch64-linux.installer-sd-image = nixos-generators.nixosGenerate {
specialArgs = {
inherit inputs;
inherit (import ./parts) keys;
};
system = "aarch64-linux";
format = "sd-aarch64-installer";
modules = [
nixos-hardware.nixosModules.raspberry-pi-4
./system/core
./hosts/genepi/network.nix
./hosts/genepi/hardware.nix
{
nixpkgs.overlays = [
(final: super: {
makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
})
];
}
];
};
homeConfigurations = {
"rpqt@haze" = home-manager.lib.homeManagerConfiguration {
extraSpecialArgs = {
inherit inputs;
};
pkgs = nixpkgs.legacyPackages.x86_64-linux;
modules = [
./hosts/haze/home.nix
];
};
};
deploy.nodes.crocus = {
hostname = "crocus";
profiles = {
system = {
user = "root";
sshUser = "rpqt";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.crocus;
};
};
};
deploy.nodes.genepi = {
hostname = "genepi";
profiles = {
system = {
user = "root";
sshUser = "rpqt";
path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.genepi;
remoteBuild = true;
};
};
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
};
inputs = {
nixpkgs = {
url = "github:nixos/nixpkgs?ref=nixos-unstable";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence = {
url = "github:nix-community/impermanence";
};
nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
};
nixos-generators = {
url = "github:nix-community/nixos-generators";
};
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
nixConfig = {
substituters = [
"https://cache.nixos.org"
];
};
}
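Review bot: In the `inputs` block, `nixos-generators` is the only nixpkgs-consuming input without `inputs.nixpkgs.follows = "nixpkgs"`, and the flake.lock in this same commit shows the consequence: a second nixpkgs node (`nixpkgs`, ref nixpkgs-unstable, rev 2f9e2f85cb14a46410a1399aa9ea7ecf433e422e) locked separately from the root's `nixpkgs_2`. Two nixpkgs trees means two sets of package revisions to track for security updates and a larger closure for the installer image; adding `inputs.nixpkgs.follows = "nixpkgs";` under `nixos-generators = { … };` removes the duplicate. Separately, the same `specialArgs` attribute set is spelled out three times (crocus, genepi, installer); hoisting it into `let specialArgs = { inherit inputs; inherit (import ./parts) keys; }; in` keeps the three in sync. `nixos-hardware` is taken from the floating `master` ref, which is only safe because the lock pins it — a comment saying so avoids the ref being mistaken for a version pin.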

44
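--- a/hosts/crocus/default.nix
+++ b/hosts/crocus/default.nix
@@ -0,0 +1,44 @@
+{
+inputs,
+modulesPath,
+config,
+...
+}:
+{
+imports = [
+(modulesPath + "/profiles/qemu-guest.nix")
+inputs.disko.nixosModules.disko
+./disk.nix
+];
+networking.hostName = "crocus";
+networking.useDHCP = true;
+boot.loader.grub = {
+efiSupport = true;
+efiInstallAsRemovable = true;
+};
+services.prometheus = {
+enable = true;
+port = 9001;
+exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 9002;
+};
+};
+scrapeConfigs = [
+{
+job_name = "crocus";
+static_configs = [
+{
+targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+}
+];
+}
+];
+};
+}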
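Review bot: Neither `services.prometheus` nor the node exporter sets `listenAddress`, so if the module defaults apply both bind on all interfaces; reachability then rests on the firewall, which nothing here opens for 9001/9002, plus the trusted tailscale interface configured elsewhere in this commit — genepi's scrape of `crocus:9002` depends on exactly that, and it deserves a comment. The prometheus server on crocus is, as far as this page shows, not scraped or proxied by anyone, so `listenAddress = "127.0.0.1";` next to `port = 9001;` removes one tailnet-wide listener at no cost. The node-exporter and scrape-config block is a near copy of the one in genepi's monitoring module; a shared module under `./system` would keep the two aligned.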

32
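--- a/hosts/crocus/disk.nix
+++ b/hosts/crocus/disk.nix
@@ -0,0 +1,32 @@
+{
+disko.devices.disk.os = {
+device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+boot = {
+type = "EF02";
+size = "1M";
+};
+ESP = {
+type = "EF00";
+size = "512M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+};
+};
+};
+};
+}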
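Review bot: The ESP is mounted without options, while genepi's disk.nix in this commit sets `mountOptions = [ "umask=0077" ];` on its ESP; with vfat's default mount mask /boot is world-readable, and it holds kernels, initrds and the bootloader config. Adding the same `mountOptions = [ "umask=0077" ];` under the ESP `content` block makes the two hosts consistent. The device id is hard-coded to one specific QEMU disk, which is expected for disko but worth a one-line comment naming the host it belongs to.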

21
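--- a/hosts/genepi/acme.nix
+++ b/hosts/genepi/acme.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+security.acme = {
+acceptTerms = true;
+defaults.email = "admin@rpqt.fr";
+};
+age.secrets.gandi.file = ../../secrets/gandi.age;
+security.acme = {
+certs."home.rpqt.fr" = {
+group = config.services.nginx.group;
+domain = "home.rpqt.fr";
+extraDomainNames = [ "*.home.rpqt.fr" ];
+dnsProvider = "gandiv5";
+dnsPropagationCheck = true;
+environmentFile = config.age.secrets.gandi.path;
+};
+};
+}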
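Review bot: `security.acme` is assigned twice in one module with the `age.secrets.gandi.file` line between them; NixOS merges the two, but a reader has to verify that `acceptTerms`/`defaults` and `certs` do not collide. Folding them into a single `security.acme = { acceptTerms = true; defaults.email = …; certs."home.rpqt.fr" = { … }; };` with `age.secrets.gandi.file` above it reads as one unit. The certificate covers `*.home.rpqt.fr`, so the private key on genepi and the DNS API token in `gandi.age` are each valid for every name under that zone; a comment stating that this scope is intended, and that the token should carry only the permission the DNS-01 challenge needs, would help the next reader.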

19
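--- a/hosts/genepi/boot.nix
+++ b/hosts/genepi/boot.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+boot.initrd.availableKernelModules = [
+"xhci_pci"
+"usbhid"
+"usb_storage"
+];
+boot.loader = {
+grub.enable = false;
+generic-extlinux-compatible.enable = true;
+};
+boot.supportedFilesystems = [
+"btrfs"
+"vfat"
+];
+}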
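Review bot: The module takes `{ config, ... }:` but never reads `config`; `{ ... }:` matches how network.nix and nginx.nix in this commit are written and stops nixfmt/linters flagging the unused binding. No functional issue otherwise.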

21
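--- a/hosts/genepi/default.nix
+++ b/hosts/genepi/default.nix
@@ -0,0 +1,21 @@
+{
+inputs,
+...
+}:
+{
+imports = [
+inputs.disko.nixosModules.disko
+inputs.nixos-hardware.nixosModules.raspberry-pi-4
+inputs.agenix.nixosModules.default
+inputs.impermanence.nixosModules.impermanence
+./acme.nix
+./boot.nix
+./disk.nix
+./dns.nix
+./hardware.nix
+./monitoring.nix
+./network.nix
+./nginx.nix
+./persistence.nix
+];
+}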

86
hosts/genepi/disk.nix Normal file

@@ -0,0 +1,86 @@
{
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/ata-WD_Green_M.2_2280_480GB_2251E6411147";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
end = "-4G";
content = {
type = "btrfs";
extraArgs = [
"-L"
"nixos"
"-f" # Override existing partition
];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
};
};
};
swap = {
size = "100%";
content = {
type = "swap";
};
};
};
};
};
fileSystems."/persist".neededForBoot = true;
fileSystems."/var/log".neededForBoot = true;
}
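Review bot: The swap partition at the end of the disk is plain swap (`content = { type = "swap"; }`), so anything paged out — including agenix secrets decrypted into memory and the tailscale state — can land on disk in cleartext and survive the impermanence rollback, which only resets the root subvolume. disko accepts `randomEncryption = true;` inside the swap `content` block, which keys the swap with a fresh random key on every boot; nothing on this page configures hibernation or a `resumeDevice`, so there is no resume path to preserve. The `"-f" # Override existing partition` comment is the only explanation in the file; a short header comment naming the subvolume layout (root is recreated at boot, persist/log/home/nix survive) would save a trip to persistence.nix.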

22
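--- a/hosts/genepi/dns.nix
+++ b/hosts/genepi/dns.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+# networking.firewall.interfaces."${config.services.tailscale.interfaceName}" = {
+# allowedTCPPorts = [ 53 ];
+# allowedUDPPorts = [ 53 ];
+# };
+services.unbound = {
+enable = true;
+resolveLocalQueries = false;
+settings = {
+server = {
+interface = [ "${config.services.tailscale.interfaceName}" ];
+access-control = [ "100.0.0.0/8 allow" ];
+local-zone = [ ''"grafana.home.rpqt.fr." redirect'' ];
+local-data = [ ''"grafana.home.rpqt.fr. IN A 100.83.123.79"'' ];
+};
+};
+};
+}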
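Review bot: `access-control = [ "100.0.0.0/8 allow" ]` admits the whole 100.0.0.0/8 block, but Tailscale assigns addresses from 100.64.0.0/10; since unbound is bound to the tailscale interface only the practical exposure is small, yet `"100.64.0.0/10 allow"` states the intent exactly. The commented-out `networking.firewall.interfaces` block is dead code: the tailscale module in this commit lists the interface under `trustedInterfaces`, which already admits port 53 there — either delete the block or turn it into a comment explaining why it is not needed. The redirect target `100.83.123.79` is a bare literal; a comment saying whose tailscale address it is (presumably genepi's own) makes the split-horizon setup reviewable.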

19
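--- a/hosts/genepi/hardware.nix
+++ b/hosts/genepi/hardware.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+nixpkgs.hostPlatform = "aarch64-linux";
+hardware.enableRedistributableFirmware = true;
+hardware = {
+raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+deviceTree = {
+enable = true;
+filter = "*rpi-4-*.dtb";
+};
+};
+environment.systemPackages = with pkgs; [
+libraspberrypi
+raspberrypi-eeprom
+];
+}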

22
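--- a/hosts/genepi/home.nix
+++ b/hosts/genepi/home.nix
@@ -0,0 +1,22 @@
+{ pkgs, inputs, ... }:
+{
+home.username = "rpqt";
+home.homeDirectory = "/home/rpqt";
+home.packages = [
+pkgs.helix
+pkgs.ripgrep
+];
+# This value determines the Home Manager release that your configuration is
+# compatible with. This helps avoid breakage when a new Home Manager release
+# introduces backwards incompatible changes.
+#
+# You should not change this value, even if you update Home Manager. If you do
+# want to update the value, then make sure to first check the Home Manager
+# release notes.
+home.stateVersion = "24.11";
+# Let Home Manager install and manage itself
+programs.home-manager.enable = true;
+}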
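Review bot: `inputs` is destructured but unused here, unlike hosts/haze/home.nix where it selects the agenix package; `{ pkgs, ... }:` is enough. The stateVersion comment block and the `programs.home-manager.enable` line are duplicated verbatim between the two home.nix files — fine for a new repository, but a shared module (a constructed name such as `home/common.nix`) is the natural home for them once a third user config appears.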


@@ -0,0 +1,53 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
http_port = 3000;
domain = "grafana.home.rpqt.fr";
};
};
};
services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
forceSSL = true;
useACMEHost = "home.rpqt.fr";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "genepi";
static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
}
];
}
{
job_name = "crocus";
static_configs = [
{
targets = [ "crocus:9002" ];
}
];
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
};
}
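Review bot: The Grafana block sets only `http_port` and `domain`; nothing here configures `settings.security.admin_password` (or a `$__file{…}` reference to a secret) nor an auth provider, so the instance presumably starts with Grafana's stock admin credentials behind the nginx vhost. The vhost is TLS-only and, as far as this page shows, no port 80/443 is opened in the firewall, so access is limited to the tailscale interface trusted elsewhere in this commit — but that is implicit; a comment on the vhost saying "reachable over tailscale only" plus an agenix-backed admin password (`admin_password = "$__file{<path to age secret>}";`) would close the gap. The crocus scrape config duplicates the one in hosts/crocus/default.nix, and `127.0.0.1:9002` versus `crocus:9002` differ only in host. This section has no file header on the page; hosts/genepi/default.nix imports `./monitoring.nix`, which is likely this file.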

4
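--- a/hosts/genepi/network.nix
+++ b/hosts/genepi/network.nix
@@ -0,0 +1,4 @@
+{
+networking.hostName = "genepi";
+networking.useDHCP = true;
+}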

7
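--- a/hosts/genepi/nginx.nix
+++ b/hosts/genepi/nginx.nix
@@ -0,0 +1,7 @@
+{
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+};
+}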


@@ -0,0 +1,51 @@
{ lib, ... }:
{
environment.persistence."/persist" = {
enable = true;
directories = [
"/var/lib/nixos"
];
files = [
# so that systemd doesn't think each boot is the first
"/etc/machine-id"
# ssh host keys
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/var/lib/tailscaled.state"
];
users.rpqt = {
directories = [ ];
files = [ ];
};
};
# Empty root and remove snapshots older than 30 days
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/disk/by-label/nixos /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
rmdir /btrfs_tmp
'';
}
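Review bot: In the rollback script, `find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30` also returns `/btrfs_tmp/old_roots/` itself once that directory is older than 30 days, and `delete_subvolume_recursively` then runs `btrfs subvolume delete` on a plain directory; `find /btrfs_tmp/old_roots/ -mindepth 1 -maxdepth 1 -mtime +30` restricts it to the dated snapshots. `-mtime` is evaluated on the moved subvolume's own mtime rather than on the moment it was rotated, so the 30-day retention is approximate — a comment saying so avoids surprise. Note also that `/etc/ssh/ssh_host_ed25519_key` in `/persist` is the key that decrypts the agenix secrets and `/var/lib/tailscaled.state` carries the node identity, so `/persist` is the host's trust root and should be documented as such. This section has no file header on the page; hosts/genepi/default.nix imports `./persistence.nix`, which is likely this file.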

29
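--- a/hosts/haze/home.nix
+++ b/hosts/haze/home.nix
@@ -0,0 +1,29 @@
+{ pkgs, inputs, ... }:
+{
+home.username = "rpqt";
+home.homeDirectory = "/home/rpqt";
+home.packages = [
+inputs.agenix.packages.x86_64-linux.default
+pkgs.devenv
+pkgs.direnv
+pkgs.deploy-rs
+pkgs.nil # Nix language server
+pkgs.nixfmt-rfc-style
+];
+# This value determines the Home Manager release that your configuration is
+# compatible with. This helps avoid breakage when a new Home Manager release
+# introduces backwards incompatible changes.
+#
+# You should not change this value, even if you update Home Manager. If you do
+# want to update the value, then make sure to first check the Home Manager
+# release notes.
+home.stateVersion = "24.11";
+# Let Home Manager install and manage itself
+programs.home-manager.enable = true;
+}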

3
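--- a/parts/default.nix
+++ b/parts/default.nix
@@ -0,0 +1,3 @@
+{
+keys = import ./keys.nix;
+}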

7
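--- a/parts/keys.nix
+++ b/parts/keys.nix
@@ -0,0 +1,7 @@
+{
+rpqt.haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze";
+hosts = {
+genepi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQUzjid5mfMYginIUCVWTF7rWvWz0mUZBZsl5EhDIDl root@genepi";
+};
+}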
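Review bot: Each key here serves two roles elsewhere in this commit and the file does not say so: `rpqt.haze` is both the only entry in `openssh.authorizedKeys.keys` for rpqt (system/core/users.nix) and an age recipient in secrets/secrets.nix, while `hosts.genepi` is the genepi sshd host key used as the second age recipient. A one-line comment above each entry (`# rpqt's ssh login key on both hosts; also an age recipient`, `# genepi host key (/etc/ssh/ssh_host_ed25519_key.pub), age recipient for secrets deployed there`) tells a reader what rotating the key affects. Crocus has no entry, consistent with it not importing the agenix module.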

BIN
secrets/gandi.age Normal file

Binary file not shown.

9
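--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+keys = import ../parts/keys.nix;
+in
+{
+"gandi.age".publicKeys = [
+keys.hosts.genepi
+keys.rpqt.haze
+];
+}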

25
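--- a/system/core/default.nix
+++ b/system/core/default.nix
@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+imports = [
+./users.nix
+./ssh-server.nix
+];
+i18n = {
+defaultLocale = "en_US.UTF-8";
+supportedLocales = [
+"en_US.UTF-8/UTF-8"
+"fr_FR.UTF-8/UTF-8"
+];
+};
+security.sudo = {
+enable = true;
+wheelNeedsPassword = false;
+};
+system.stateVersion = lib.mkDefault "24.11";
+time.timeZone = lib.mkDefault "Europe/Paris";
+}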
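Review bot: `wheelNeedsPassword = false` is a deliberate choice that the deploy-rs profiles rely on (`sshUser = "rpqt"`, `user = "root"` in flake.nix), but nothing in the file says so; `# passwordless sudo: deploy-rs activates as root over an rpqt ssh session` next to it would keep a later hardening pass from silently breaking deploys. Together with `trusted-users = ["root" "@wheel"]` in system/nix/default.nix, wheel membership is root-equivalent on both hosts, which is worth stating in the same comment.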


@@ -0,0 +1,15 @@
{
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
AuthenticationMethods = "publickey";
PubkeyAuthentication = "yes";
ChallengeResponseAuthentication = "no";
UsePAM = false;
X11Forwarding = false;
};
};
}
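Review bot: `ChallengeResponseAuthentication = "no"` is the deprecated alias of `KbdInteractiveAuthentication`, which is already set to false two lines above; keeping both is harmless but one can go, and `PubkeyAuthentication = "yes"` restates the sshd default. `UsePAM = false` goes further than key-only login: without PAM no `pam_systemd` session is registered for ssh logins, so `systemctl --user` and `XDG_RUNTIME_DIR` are presumably unavailable to rpqt on genepi, where home-manager is enabled — confirm that is acceptable, or keep PAM and rely on `AuthenticationMethods = "publickey"` plus `PasswordAuthentication = false` for the hardening. This section has no file header on the page; system/core/default.nix imports `./ssh-server.nix`, which is likely this file.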

30
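--- a/system/core/users.nix
+++ b/system/core/users.nix
@@ -0,0 +1,30 @@
+{
+keys,
+lib,
+pkgs,
+...
+}:
+{
+users.mutableUsers = lib.mkDefault false;
+users.users.rpqt = {
+isNormalUser = true;
+createHome = true;
+home = "/home/rpqt";
+description = "Romain Paquet";
+shell = pkgs.zsh;
+openssh.authorizedKeys.keys = [ keys.rpqt.haze ];
+initialHashedPassword = "$y$j9T$.y7GZIaYYgEHt1spMsOqi/$k4O3AAKBhJF0gI.G9/Ja8ssGsVTv3VPD5WC.7ErAUD1";
+extraGroups = [
+"wheel"
+];
+};
+programs.zsh.enable = true;
+}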
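Review bot: A yescrypt hash of a real password is committed in `initialHashedPassword`; in a published repository that hash is exposed to offline guessing, and it is the only credential left for console login since ssh is key-only and sudo is passwordless. `hashedPasswordFile` pointing at a file outside the store (on genepi an agenix secret; crocus does not import agenix, so it would need another source) keeps the hash out of git. With `users.mutableUsers = false`, please also confirm that `initialHashedPassword` rather than `hashedPassword` is the intended option — they differ on re-activation, and the choice deserves a comment.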

7
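--- a/system/default.nix
+++ b/system/default.nix
@@ -0,0 +1,7 @@
+{
+imports = [
+./core
+./network
+./nix
+];
+}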


@@ -0,0 +1,5 @@
{
imports = [
./tailscale.nix
];
}


@@ -0,0 +1,11 @@
{ config, ... }:
{
networking.firewall = {
trustedInterfaces = [ config.services.tailscale.interfaceName ];
};
services.tailscale = {
enable = true;
openFirewall = true;
};
}
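Review bot: `trustedInterfaces = [ config.services.tailscale.interfaceName ]` accepts every port from every tailnet peer, and it is the single control behind every listener this commit adds — prometheus and node exporter on both hosts, unbound, and the grafana vhost. That is a reasonable choice for a personal tailnet, but it deserves a comment saying so, and the narrower alternative is already sketched in the commented-out `networking.firewall.interfaces` block in hosts/genepi/dns.nix (per-interface `allowedTCPPorts`/`allowedUDPPorts`). This section has no file header on the page; the preceding section imports `./tailscale.nix`, which is likely this file.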

18
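--- a/system/nix/default.nix
+++ b/system/nix/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+imports = [
+./nixpkgs.nix
+./substituters.nix
+];
+# for flakes
+environment.systemPackages = [ pkgs.git ];
+nix.settings = {
+auto-optimise-store = true;
+builders-use-substitutes = true;
+experimental-features = ["nix-command" "flakes"];
+trusted-users = ["root" "@wheel"];
+};
+}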
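Review bot: `experimental-features = ["nix-command" "flakes"];` and `trusted-users = ["root" "@wheel"];` are not in nixfmt style (`[ "nix-command" "flakes" ]`), although .helix/languages.toml in this commit turns on nixfmt auto-formatting — presumably this file was written before that and not reformatted. `trusted-users` lets wheel members set substituters and other daemon options, which the Nix manual treats as root-equivalent; that is consistent with passwordless sudo in system/core/default.nix, but `# @wheel already has passwordless sudo, so trusting it with the daemon adds no new privilege` makes the reasoning explicit.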

5
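--- a/system/nix/nixpkgs.nix
+++ b/system/nix/nixpkgs.nix
@@ -0,0 +1,5 @@
+{
+nixpkgs = {
+config.allowUnfree = true;
+};
+}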


@@ -0,0 +1,11 @@
{
nix.settings = {
substituters = [
"https://cache.nixos.org?priority=10"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
}