Diffstat (limited to 'roles')
-rw-r--r--roles/desktop.nix173
-rw-r--r--roles/development-server.nix124
2 files changed, 297 insertions, 0 deletions
diff --git a/roles/desktop.nix b/roles/desktop.nix
new file mode 100644
index 0000000..838df28
--- /dev/null
+++ b/roles/desktop.nix
@@ -0,0 +1,173 @@
+{
+  me,
+  pkgs,
+  auxiliaryPkgs,
+  unstablePkgs,
+  ...
+}:
+
+let
+  inherit (builtins) filter elem;
+
+  filterUnsupportedPackages =
+    packages: filter (p: elem me.system (p.meta.platforms or [ me.system ])) packages;
+in
+{
+  imports = [
+    ./nix.nix
+    ./user.nix
+    ./locale.nix
+    ./vim.nix
+    ./tmux.nix
+    ./gnome.nix
+    ./fonts.nix
+    ./flatpak.nix
+    ./libreoffice.nix
+    ./electronics.nix
+    ./hardware-keys.nix
+    ./nix-ld.nix
+  ];
+
+  services.envfs.enable = true;
+
+  virtualisation = {
+    libvirtd.enable = true;
+    docker.enable = true;
+  };
+
+  # fish enables this by default,
+  # it makes every nixos rebuild very slow.
+  documentation.man.generateCaches = false;
+  documentation = {
+    info.enable = true;
+    doc.enable = true;
+    dev.enable = true;
+    nixos = {
+      enable = true;
+      includeAllModules = true;
+    };
+  };
+
+  networking.hostName = me.name;
+  # use corsac dns server
+  networking.nameservers =
+    let
+      corsacTailnet = "100.64.100.100";
+    in
+    [ corsacTailnet ];
+
+  services.resolved.enable = true;
+
+  services = {
+    acpid.enable = true;
+    sysprof.enable = true;
+    tailscale = {
+      enable = true;
+      useRoutingFeatures = "both";
+      extraUpFlags = [ "--ssh" ];
+    };
+
+    # sometimes needed for gnupg
+    pcscd.enable = true;
+  };
+
+  programs = {
+    # steam requires the i386 package set, which obviously does not work on ARM.
+    # TODO: pull out gaming related configuration (like steam) into a seperate module.
+    # steam = {
+    #   enable = true;
+    #   remotePlay.openFirewall = true;
+    # };
+    virt-manager.enable = true;
+    fish.enable = true;
+    git.enable = true;
+
+    ghidra = {
+      enable = true;
+      package = auxiliaryPkgs.ghidra;
+      gdb = true;
+    };
+
+    wireshark = {
+      enable = true;
+      dumpcap.enable = true;
+      usbmon.enable = true;
+    };
+
+    adb.enable = true;
+
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryPackage = pkgs.pinentry-gnome3;
+    };
+  };
+
+  # on desktop machines (a.k.a. minerals) we only use tailscale ssh
+  # for access, so we don't generally have normal host keys, and
+  # have to grab the ones tailscale uses.
+  age.identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" ];
+
+  # TODO: the filter already does some good work, but we need some way to
+  # pick out x86-only packages, so it is not as opaque as it currently is.
+  # (who knows if muse-sounds-manager is actually installed, for example?)
+  environment.systemPackages = (with pkgs; filterUnsupportedPackages [
+    file unzip jq dig htop wget screen dive
+    gnupg pinentry-gnome3 age agenix minisign openssl cryptsetup pamtester
+    bitwarden-desktop bitwarden-cli
+    inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid
+    minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool
+    sysprof wireshark seer mitmproxy hardinfo2 btrfs-assistant remmina trayscale
+    vlc celluloid foliate calibre
+    yt-dlp ffmpeg_7-full imagemagick handbrake mpv helvum
+    gimp3 krita mypaint aseprite rnote fontforge-gtk
+    blender inkscape obs-studio darktable davinci-resolve
+    orca-slicer
+    renderdoc
+    audacity musescore muse-sounds-manager reaper
+    # bitwigs bubblewrap configuration requires some non-ARM package sets.
+    # bitwig-studio
+    ungoogled-chromium librewolf lagrange
+    senpai signal-desktop alpaca newsflash
+    qemu_full virtiofsd
+
+    openvpn openvpn3 update-resolv-conf
+    transmission_4-gtk fragments
+
+    xorg.xeyes wl-clipboard
+
+    ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean
+    universal-ctags compiledb graphviz
+    python3 uv ruff
+    nodejs_22 deno yarn
+    rustc rustup cargo rustfmt
+    go gopls delve go-task gotags golangci-lint
+    meson cmake gnumake ninja gdb gcc clang clang-tools
+    hare haredoc
+    jdk maven gradle
+    nil nixfmt-rfc-style
+    nixpkgs-review nixpkgs-fmt nixpkgs-lint-community
+    postgresql
+    helix alacritty ghostty
+    androidStudioPackages.dev
+
+    winetricks bottles
+    scrcpy apfs-fuse nfs-utils
+    ubootTools dtc cloud-utils
+    borgbackup pika-backup
+
+    prismlauncher xonotic
+
+    man-pages man-pages-posix
+  ]) ++ (with unstablePkgs; [
+    claude-code gemini-cli
+  ]) ++ (with auxiliaryPkgs; [
+    # TODO: need fixes for 25.05
+    # retroarch wine
+
+    # TODO: ngfx (obviously) does not work on ARM, put it somewhere else
+    # ngfx
+  ]);
+
+  environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
+}
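Review bot: `useRoutingFeatures = "both"` on the desktop turns on kernel IP forwarding (the subnet-router/exit-node half of the feature), which this machine only needs if it advertises routes; if it merely consumes corsac's routes, `useRoutingFeatures = "client";` keeps that off. The `--ssh` up-flag plus the comment above `age.identityPaths` make Tailscale SSH the only login path, but nothing in this file says who may log in — that is decided by the tailnet ACL's `ssh` rules, so a one-line comment such as `# access policy lives in the tailnet ACL, not here` would save an auditor from searching for authorizedKeys. `docker.enable` gives root-equivalent access to every member of the `docker` group; that membership is presumably set in `./user.nix`, which is outside this hunk, and is worth checking alongside the Tailscale SSH policy.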
diff --git a/roles/development-server.nix b/roles/development-server.nix
new file mode 100644
index 0000000..b0e80e5
--- /dev/null
+++ b/roles/development-server.nix
@@ -0,0 +1,124 @@
+{
+  me,
+  pkgs,
+  auxiliaryPkgs,
+  unstablePkgs,
+  ...
+}:
+{
+  imports = [
+    ./nix.nix
+    ./user.nix
+    ./locale.nix
+    ./vim.nix
+    ./tmux.nix
+    ./nix-ld.nix
+  ];
+
+  services.envfs.enable = true;
+
+  virtualisation = {
+    libvirtd.enable = true;
+    docker = {
+      enable = true;
+      daemon.settings.dns = [ "1.1.1.1" "1.0.0.1" ];
+    };
+  };
+
+  # fish enables this by default,
+  # it makes every nixos rebuild very slow.
+  documentation.man.generateCaches = false;
+  documentation = {
+    info.enable = true;
+    doc.enable = true;
+    dev.enable = true;
+    nixos = {
+      enable = true;
+      includeAllModules = true;
+    };
+  };
+
+  networking.hostName = me.name;
+  services.resolved.enable = true;
+
+  users.users.mel.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTG/DHTkuQgwLakSBuXx3XBe+WjUmDlSgLBGzldx/ZD mel@moissanite"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlqytVSNMFAfbB+rdiNktv3WYViVBMeK7zUO2Pjfii+ mel@corsac"
+  ];
+  services = {
+    acpid.enable = true;
+    tailscale.enable = true;
+
+    openssh = {
+      enable = true;
+      ports = [ 62322 ]; # listen on random port
+      openFirewall = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+      };
+    };
+
+    # annoy every ssh spammer
+    endlessh = {
+      enable = true;
+      port = 22;
+      openFirewall = true;
+    };
+
+    # ban those who found the real port
+    fail2ban.enable = true;
+
+    # sometimes needed for gnupg
+    pcscd.enable = true;
+  };
+
+  programs = {
+    fish.enable = true;
+    git.enable = true;
+
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryPackage = pkgs.pinentry-curses;
+    };
+  };
+
+  environment.systemPackages = (with pkgs; [
+    file unzip jq dig htop wget screen dive
+    gnupg pinentry-curses age agenix minisign openssl cryptsetup pamtester
+    inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid
+    minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool
+    mitmproxy 
+    yt-dlp ffmpeg_7-full imagemagick
+    senpai
+    qemu_full virtiofsd
+
+    openvpn openvpn3 update-resolv-conf
+
+    ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean
+    universal-ctags compiledb graphviz
+    python3 uv ruff
+    nodejs_22 deno yarn
+    rustc rustup cargo rustfmt
+    go gopls delve go-task gotags golangci-lint
+    meson cmake gnumake ninja gdb gcc clang clang-tools
+    hare haredoc
+    jdk maven gradle
+    nil nixfmt-rfc-style
+    nixpkgs-review nixpkgs-fmt nixpkgs-lint-community
+    postgresql
+    helix alacritty
+
+    ubootTools dtc cloud-utils
+    borgbackup
+
+    man-pages man-pages-posix
+  ]) ++ (with unstablePkgs; [
+    claude-code gemini-cli
+  ]) ++ (with auxiliaryPkgs; [
+  ]);
+
+  environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
+}
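Review bot: The comment `# listen on random port` overstates what moving sshd to 62322 buys — the port is fixed, and the comment above `fail2ban.enable` already admits scanners find it — so the real controls are key-only auth and fail2ban; suggest `# non-default port to cut log noise; not a security boundary`. Since only `mel` has keys in this file, `settings.AllowUsers = [ "mel" ];` would keep other local accounts' keys from being usable over the publicly opened port. The NixOS fail2ban sshd jail should pick up the non-default port from `services.openssh.ports`, but that is worth confirming after a rebuild, and adding the tailnet range to `ignoreIP` if peers on `tailscale` should never be banned.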