banananetwork
/
server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Activity

add nix files

Browse Source
secrix-issue25
Felix Stupp 1 year ago
commit b562cd4d30
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7
20 changed files with 2090 additions and 0 deletions
Show Stats Download Patch File Download Diff File

81
flake.lock
Unescape Escape View File

@ -0,0 +1,81 @@
{
"nodes": {
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723399884,
"narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "086f619dd991a4d355c07837448244029fc2d9ab",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1719091691,
"narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1723400035,
"narHash": "sha256-WoKZDlBEdMhP+hjquBAh0BhUJbcH2+U8g2mHOr1mv8I=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a731b45590a5169542990c36ffcde6cebd9a3356",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_unstable": {
"locked": {
"lastModified": 1723362943,
"narHash": "sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a58bc8ad779655e790115244571758e8de055e3d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
"impermanence": "impermanence",
"nixpkgs": "nixpkgs",
"nixpkgs_unstable": "nixpkgs_unstable"
}
}
},
"root": "root",
"version": 7
}

69
flake.nix
Unescape Escape View File

@ -0,0 +1,69 @@
{
description = "banananet.work Server & Deployment Controller environment";
inputs = {
# packages repositories
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs_unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# required submodules
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence.url = "github:nix-community/impermanence";
};
outputs = { self, ... }@inputs:
let
inherit (self) outputs;
# constants
system = "x86_64-linux";
# package repositories
pkgs = import inputs.nixpkgs { inherit system; };
pkgs_unstable = import inputs.nixpkgs_unstable { inherit system; };
in
{
nixosModules = {
# this one includes all of my modules
# - most of them only change things when enabled (e.g. x-banananetwork.*.enable)
# - others only introduce small, reasonable changes if other modules options are set, as reasonable defaults (if I intend to upstream them)
# however, use on your own discretion
banananetwork = import ./nix/nixos-modules;
# this one also includes required dependencies from flake inputs
withDepends = {
imports = [
inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence
outputs.nixosModules.banananetwork
];
};
};
devShells."${system}".default =
let
pkgs = pkgs_unstable;
in
pkgs.mkShell
{
packages = with pkgs; [
curl
rsync
opentofu
terranix
];
};
};
}

9
nix/README.md
Unescape Escape View File

@ -0,0 +1,9 @@
This directory contains all nix-related (esp. NixOS) files.
Normally, I would have placed these directories on the same level as flake.nix, but:
- I want ./flake.nix at root for easier imports
- As this is a git-monorepo for my WHOLE server setup,
(i.e. also including systems without NixOS)
it also contains files for different systems.
These should be separated from nix files, in general.

0
nix/home-manager-modules/default.nix
Unescape Escape View File

24
nix/home-manager-modules/frontend/base.nix
Unescape Escape View File

@ -0,0 +1,24 @@
# this stuff replaces all settings which would be configured by the corresponding frontend NixOS module
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.frontend;
in
{
config = lib.mkIf (cfg.enable && !cfg.nixosModuleCompat) {
assertions = [
{
assertion = !cfg.nixosModuleCompat;
message = "missing implementation of base stuff";
}
];
};
}

35
nix/home-manager-modules/frontend/default.nix
Unescape Escape View File

@ -0,0 +1,35 @@
{ config
, lib
, pkgs
, ...
}: {
imports = [
./base.nix
./extension.nix
];
options = {
x-banananetwork.frontend = {
enable = lib.mkEnableOption ''
settings for frontend configuration in Home-Manager
'';
nixosModuleCompat = lib.mkEnableOption ''
compatibility to the corresponding frontend NixOS configuration.
This is created by opting out to configure stuff
which is already configured by the corresponding NixOS module.
'';
};
};
}

7
nix/home-manager-modules/frontend/extension.nix
Unescape Escape View File

@ -0,0 +1,7 @@
# this stuff must all be compatible to settings already configured by the corresponding frontend NixOS module
{ config
, lib
, pkgs
, ...
}: { }

160
nix/nixos-modules/allCommon.nix
Unescape Escape View File

@ -0,0 +1,160 @@
# applies to all of my machines
# examples: PCs, laptops, VMs, hypervisors, ...
{
config,
lib,
pkgs,
...
}: let
cfg = config.x-banananetwork.allCommon;
in {
options = {
x-banananetwork.allCommon = {
enable = lib.mkEnableOption ''
settings common to all systems
a set of opionated options to make systems useable & debugable for users.
This means e.g. adding common, useful tools and add documentation.
'';
};
};
config = lib.mkIf cfg.enable {
documentation = {
man.mandoc.settings.output = {
paper = lib.mkDefault "a4";
};
};
i18n = {
# inspired by https://wiki.archlinux.org/title/Locale
defaultLocale = lib.mkDefault "en_US.UTF-8";
extraLocaleSettings = {
LANGUAGE = lib.mkDefault "en_US:en:C:de_DE";
LC_COLLATE = lib.mkDefault "C"; # language independent sorting
LC_MEASUREMENT = "de_DE.UTF-8"; # metric
LC_PAPER = "de_DE.UTF-8"; # metric
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = lib.mkDefault "en_DK.UTF-8"; # ISO 8601
};
};
nix = {
channel.enable = false;
settings = {
allowed-users = [
"root"
"@wheel"
];
auto-optimise-store = true;
experimental-features = [
"flakes"
"nix-command"
];
hashed-mirrors = [
"https://tarballs.nixos.org/"
];
trusted-users = [
"root"
];
};
};
systemd.services.nix-daemon.serviceConfig = {
CPUSchedulingPolicy = "batch";
OOMScoreAdjust = lib.mkDefault 250;
};
# well-known public keys
programs.ssh = {
hostKeyAlgorithms = [
"ssh-ed25519"
"ssh-rsa"
];
knownHosts = {
"git.banananet.work".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE854AkY/LYJ8kMe1olR+OsAxKIgvZ/JK+G+e0mMVWdH";
"git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
};
};
security = {
pki = {
# in general, these are not blacklisted because those are problematic
# its more about reducing attack vectors where it is possible
# and I (most probably) do not rely on services using these CAs
caCertificateBlacklist = lib.mkDefault [
# Agence Nationale de Certification Electronique (TN)
"TunTrust Root CA"
# BEJING CERTIFICATE AUTHORITY (CN)
"BJCA Global Root CA1"
"BJCA Global Root CA2"
# China Financial Certification Authority (CN)
"CFCA EV ROOT"
# Chunghwa Telecom Co., Ltd. (TW)
"HiPKI Root CA - G1"
"ePKI Root Certification Authority"
# GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. (CN)
"GDCA TrustAUTH R5 ROOT"
# Hongkong Post (HK)
"Hongkong Post Root CA 3"
# iTrusChina Co.,Ltd. (CN)
"vTrus ECC Root CA"
"vTrus Root CA"
# TAIWAN-CA (TW)
"TWCA Root Certification Authority"
"TWCA Global Root CA"
# TrustAsia Technologies, Inc.
"TrustAsia Global Root CA G3"
"TrustAsia Global Root CA G4"
# Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK (TR)
"TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
# UniTrust (CA)
"UCA Global G2 Root"
"UCA Extended Validation Root"
];
};
};
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''
if [[ -e /run/current-system ]]; then
echo "--- diff to current-system"
${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
echo "---"
'';
};
time = {
hardwareClockInLocalTime = lib.mkDefault false;
timeZone = lib.mkDefault "Etc/UTC";
};
};
}

100
nix/nixos-modules/autoUnfree.nix
Unescape Escape View File

@ -0,0 +1,100 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.autoUnfree;
in
{
options = {
x-banananetwork.autoUnfree = {
enable = lib.mkEnableOption ''
automatically allowing unfree packages
based on other NixOS modules options.
This should make it easier to allow unfree packages,
being kind of a replacement of generelly enabling
option{nixpkgs.config.allowUnfree}.
Through this module aims to be more restrictive
as it only enables packages used by modules
which are enabled in the hosts configuration.
Be aware that this module may not support all modules installed in nixpkgs.
And be aware that this module blocks the option
option{nixpkgs.config.allowUnfreePredicate} for other uses.
Other modules can add support on their own
by using the option{x-banananetwork.autoUnfree.packages} option.
'';
packages = lib.mkOption {
description = ''
Lists all packages which should be allowed to be installed
despite of them being unfree.
Only works when option{x-banananetwork.autoUnfree.enable} is set to true.
This option is mainly intended to be used by other module developers
to add support for this on their own.
Users may also use this additionally allow packages on their own.
'';
type = lib.types.listOf lib.types.package;
default = [ ];
example = lib.literalText ''
with pkgs; [
vscode
] ++ with lib.lists; flatten [
# just as an example, this is already supported internally
(optional config.programs.steam.enable config.programs.steam.package)
]
'';
};
};
};
config = {
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) (map lib.getName cfg.packages);
};
# TODO add alternative for allowUnfreePredicate for users
x-banananetwork.autoUnfree.packages =
let
inherit (lib.lists) flatten optional;
# supported (ordered by long option name)
amd = config.hardware.cpu.amd;
intel = config.hardware.cpu.intel;
steam = config.programs.steam;
in
flatten [
# hardware.cpu
# TODO in nixpkgs, create {amd,intel}.microcodePackage options
# TODO test if this is really required
#(optional amd.updateMicrocode pkgs.microcodeAmd)
#(optional intel.updateMicrocode pkgs.microcodeIntel)
# programs
(optional
steam.enable
steam.package)
];
};
}

92
nix/nixos-modules/debugMinimal.nix
Unescape Escape View File

@ -0,0 +1,92 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.debugMinimal;
in
{
options = {
x-banananetwork.debugMinimal = {
enable = lib.mkEnableOption ''
a set of opionated options to make systems a little bit easier to debug.
'';
};
};
config = lib.mkIf cfg.enable {
programs = {
bash = {
enableCompletion = true;
enableLsColors = true;
vteIntegration = true;
};
htop = {
enable = true;
settings = {
hide_kernel_threads = true;
hide_userland_threads = true;
};
};
neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
configure = {
customRC = ''
set shiftwidth=2 expandtab tabstop=8 softtabstop=0
'';
};
};
tmux = {
aggressiveResize = true;
clock24 = true;
customPaneNavigationAndResize = true;
enable = true;
extraConfig = ''
# Enable true color support
set-option -ga terminal-overrides ",xterm*:Tc:smcup@:rmcup@"
set-option -ga terminal-overrides ",screen*:Tc:smcup@:rmcup@"
set-option -ga terminal-overrides ",tmux*:Tc:smcup@:rmcup@"
# Enable mouse by default
set-option -g mouse on
# join pane shortcut
unbind j
bind-key j command-prompt -p "send pane to:" "join-pane -t '%%'"
# sync shortcut
unbind Space
#bind-key Space set-window-option synchronize-panes
bind-key Space set-window-option synchronize-panes\; display-message "synchronize-panes is now #{?pane_synchronized,on,off}"
# hide bar shortcut
unbind h
bind-key h set-option -g status
# spawn new window
unbind-key C
unbind-key C-c
bind-key C command-prompt -p "command:" "new-window -d '%%'"
bind-key C-c command-prompt -p "command:" "new-window -d '%%'"
'';
};
};
};
}

19
nix/nixos-modules/default.nix
Unescape Escape View File

@ -0,0 +1,19 @@
# ../../flakes.nix expects this to just be a NixOS module
{
imports = [
# directories
./frontend
# files
./allCommon.nix
./autoUnfree.nix
./convertable.nix
./graphics.nix
./hwCommon.nix
./privacy.nix
./sshSecurity.nix
./useable.nix
./vmCommon.nix
];
}

404
nix/nixos-modules/frontend/default.nix
Unescape Escape View File

@ -0,0 +1,404 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.frontend;
in
{
options = {
x-banananetwork.frontend = {
enable = lib.mkEnableOption "frontend specific settings (highly opionated / customized)";
convertable = lib.mkEnableOption "convertable specific settings";
username = lib.mkOption {
description = "username of ego-centric single main primary user";
type = lib.types.string;
default = "zocker";
example = "username";
};
};
};
config = lib.mkIf cfg.enable {
# TODO copy modem-manager overlay (for now)
# NixOS configuration
console = {
useXkbConfig = true;
};
environment = {
pathsToLink = [
"/share/zsh" # required for Home-Manager ZSH autocompletion, see https://github.com/nix-community/home-manager/blob/e1391fb22e18a36f57e6999c7a9f966dc80ac073/modules/programs/zsh.nix#L353
];
plasma6.excludePackages = with pkgs.kdePackages; [
baloo # do not need an indexer, which runs at arbitarily times
];
};
hardware = {
bluetooth = {
enable = true;
powerOnBoot = true;
};
bolt.enable = true; # Thunderbolt
graphics.required = true;
opengl = {
enable = true;
driSupport = true;
};
usb-modeswitch.enable = true; # for specific WLAN/WWAN cards
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
nixosConfig = config;
};
users."${cfg.username}" = import ./home.nix;
};
networking = {
firewall = {
trustedInterfaces = with lib.lists; flatten [
(optional config.services.tailscale.enable "tailscale0")
];
};
networkmanager.enable = true;
nftables.enable = true;
};
nix.settings = {
builders-use-substitutes = lib.mkDefault true;
};
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) (
map lib.getName (with lib.lists; flatten [
(optional config.programs.steam.enable config.programs.steam.package)
])
);
};
programs = {
firefox = {
enable = true;
policies = {
Cookies = {
Behavior = "reject-tracker-and-partition-foreign";
BehaviorPrivateBrowsing = "reject-tracker-and-partition-foreign";
Locked = true;
};
DisablePocket = true;
EnableTrackingProjection = {
Value = true;
Locked = true;
Cryptomining = true;
Fingerprinting = true;
};
EncryptedMediaExtensions = {
Enabled = true;
};
ExtensionSettings = {
"uBlock0@raymondhill.net" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
};
"7esoorv3@alefvanoon.anonaddy.me" = {
# TODO probably just for a test
installation_mode = "allowed";
};
};
FirefoxHome = {
Search = true;
TopSites = true;
SponsoredTopSites = false;
Highlights = false;
Pocket = false;
SponsoredPocket = false;
Snippets = true;
Locked = true;
};
HttpsOnlyMode = "enabled";
OfferToSaveLogins = false;
SearchEngines = {
# TODO setting search engines here only works on ESR
Default = "DuckDuckGo";
};
};
preferences = {
"browser.startup.page" = 3; # restore previous session
"browser.search.suggest.enabled" = false;
"browser.urlbar.showSearchSuggestionsFirst" = false;
};
};
gamemode = {
enable = true;
enableRenice = true;
settings = {
general = {
renice = 5;
};
};
};
kdeconnect = {
enable = true;
package = pkgs.kdePackages.kdeconnect-kde; # for Plasma 6 & higher
};
light.enable = true;
mosh = {
# requires testing & so on
enable = true;
openFirewall = false; # technically requires this
};
nix-index = {
enable = true;
};
printing = {
enable = true;
cups-pdf = {
enable = true;
};
stateless = true; # test
};
rust-motd = {
enable = true;
order = [
"banner"
"uptime"
"memory"
"filesystems"
"service_status"
"last_login"
];
settings = {
banner =
let
hostname = config.networking.hostname;
figlit = lib.runCommandLocal "echo '${hostname}' | ${pkgs.figlit}/bin/figlit -f slant > $out";
in
{
color = lib.mkDefault "red";
command = "cat ${figlit}";
};
filesystems = {
root = "/";
home = "/home";
nix = "/nix";
};
last_login = {
"${cfg.username}" = 3;
};
memory.swap_pos = "beside";
service_status = {
# TODO automate
Tailscale = "tailscale.service";
};
uptime.prefix = "Up";
};
};
steam = {
enable = true;
localNetworkGameTransfers.openFirewall = true;
remotePlay.openFirewall = true;
};
tmux = {
plugins = with pkgs.tmuxPlugins; [
# custom plugins, TODO overlay
mkTmuxPlugin
{
pluginName = "zocker";
version = "unstable-2019-11-07";
src = fetchFromGitea {
host = "git.banananet.work";
owner = "zocker";
repo = "tmux-custom";
rev = "f9bafb8b29fad4b1ba77994540f069a49bb10e38";
sha256 = ""; # TODO
};
}
];
};
usbtop.enable = true;
wireshark.enable = true;
ydotool.enable = true;
};
security = {
rtkit.enable = lib.mkIf config.services.pipewire.enable true;
};
services = {
fail2ban = {
# SSH managed by default
enable = true;
ignoreIP = lib.mkIf config.services.tailscale.enable [
"100.64.0.0/10"
"fd7a:115c:a1e0::/96"
];
bantime = "10m";
bantime-increment = {
enable = true;
maxtime = "48h";
overalljails = true;
};
};
openssh = {
enable = true;
authorizedKeysInHomedir = true;
authorizedKeysOnly = true;
openFirewall = true;
settings = {
PermitRootLogin = "no";
};
};
pipewire = {
enable = true;
audio.enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
tailscale = {
enable = true;
useRoutingFeatures = "client";
extraUpFlags = [
# TODO with next upgrade, use extraSetFlags
"--operator=${cfg.username}"
"--accept-dns=true"
"--accept-routes=true"
"--exit-node=prox-vm134"
"--exit-node-allow-lan-access=true"
];
};
udisks2 = {
enable = true;
};
xserver = {
enable = true;
xkb = {
layout = "de";
variant = "neo_qwertz";
};
};
};
users = {
users."${cfg.username}" = {
description = "${cfg.username}";
extraGroups = with lib.lists; flatten [
(optional cfg.services.networkmanager.enable "networkmanger")
"wheel"
];
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDPRH3HSoCpoeqsovMuHOMvFxRFnCTxRIM2mUlAHo+Ef72F7103OeqwgL59rEFOWD8XS3sJhJ/k/dkLvvrANMDWiu5ofaJgA/SAwZzeC4Nh+1r+NWvuwlqvMWvka6Jg0U7l8ZLXD6s9Mmc7+kt4HYnF7xMcuaYBXyCj43eSG+EaiPDMW1Td3MdpzSYI6TvZN+iuhzpWNEemxAouyJvuKFggJM2XhrMHaPufabMIxVjekmMXce4uTeJ6ySaeXrIKEYofkvTC/3dqHQRlTvDGX0Jiy2T2CxX+24EdWlFdxWYBN0mPhimvwfdIynOUsvqn/1JTtj5JnYVG0MCygTUi9xJ2/0Djx+ecbbUXSROtUN+V4MHVUrg/43nkTBPVW5mRHQPpb42MeHw2AXbLJEXASdRivaJ9bpIffvGD11jiMrIKDS0Hh7nek0Y0qoGuT/04O/fZSbJiyRQqrk6FZNWzwO4xfUhD8oKjGeAypjJlOty3Krc4ivE1IzE1I4ELKRTZYt2pJln1nHCd/9ELik54JYm+viitAa/yhU4Rg+Qhhtzq5rw6MonUfhLRgmvt2oq4JQWlqFz/qXEdtx3OOKMNZDbzlbFzDRAgP/Jqt7sx2QvivKI5kGpmlk9NXKaH/ucpTFbOkGFcx/bLOov6YfyrrRbwqHi7ZkUPT2BCo5KWvjr/cM5sRQc6Qs+aXD5Bye1Nd3SWMOj1izXd36RxCBqtfzXi5rkPE59qlB7gJ0Q1I49C1WyKUgd15Aw7CubHLpKZRXu8ko5xJ3JQhe15lIrLqMUUATb45DIrsVb3kueA5v8AMSiJkFhyxAjgvZ9V9+zCp8ElCBsjdqZb5/meu44pM/SBlpcntTFb/5BEFhjxdBEXoV6j0ZvkhcLcfWcR8rRnVpoK0CXzF5/xMCWxxM/OUfQ9xUKs0JdhDBWqhK0UWc1dCi48g9FTYXXApfoN/I52ec/3nHHj22FucIePsViw7+AOJm42DO9RJGQBIqRquasrH5uuJqEAufYFr4jSQCWPvdjBhCJIOGNHiu3jRjuEaIUoqH2fNDth69gUok588JvRypM7no2KpdMHvQdgpvqPU0Nuvm4/xnIhmu6jsamoHDObSLj2fagmzwptd5qw1rlqzwMfYtRX3Oj1NQW4qbE+bDozav4d9Pu243gn71ybmsJ5awGHAW/fW0nL5gsYhh9VNefY7Nst4+/KQZBDHppJZY+Cok9yUcnOVjH3qZFQTvIuljkk6IhCjgP5lfELUg3EIimADSJT9gnzE1jfs95CZTwFUhIXucC3CwYnIlPUPSU2DaS0hfopYeiBMxX4A7xvdUohOcY+cbnPHu8HtKIzYWsVg28gLaA+8YDXMHNoyaaD zocker Backup Key 2018-05-28"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGKs41V0h0S4cXtodCUwyY7mKk2sMVdTOu2OKm9a1tT24rk2q3khVb+GkS5HetN54qDbylmxBk4egX46jizAsDh1DZnxE2AKTYK2fXrYAFgHZR++Gpjw6pUeFi//gNUh8XHT/5xFlYO5ftysIB4FEBED8Epy3pET1OvXI9/RSppmeQ2yB+cI7gMHDAqrlzdlXkqK1rNFihFtSF4u12b1Bze5tAON+QFDHbkyN+pvj2b2pZ/3FcBb+fvVqZAlM0qEFiRoz7+fYYvZBqFL6OeYvIlas9FcJzycxX9TbVPsfjBlKya0v3MA+LcEOGPTwUnva9og8WQZAuPB0OKkMA46wyw+XwWJvOlIplt6OnYrT8nZ7J+gJGDDGMzCx8jckojoNBPiir0DJFaOhiPsJeW/3LW6yQib8OfgQ6R6RqUmEEKgjcM1tdnZxsrYGtF2q63ZcL4DB24nvGcLAw77Gyi9F0FU4H1uf096NIPM5Rmgvw48ZNkg4+kJ2PsVFO5H+wAmV23/dmIBz12Qltx+l5N9rSwyrIVplVulpd3B2lLm+Av6Jhn65qc5uEBH/0FyBz+HoXI9OBhFRRV+q5LqfTXrjWC8LhljjKHzWo4pPsQJp5TKOsoSLconeQG+ByP/iy1wfmXh+MLTK191Dw4Th2hZUHEMlek7y9SIKm/RY2buPxuQ== 93e1bd26f6b02fb@keys.banananet.work"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBdtHoYx74Dp2P/Th72JpY/vnSL8LUDG10HGoU+I162 zocker@thinkie.khitomer.banananet.work 2019-06-04"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ322iTs4HagYWO5C/O8t2smxBOJNW68amar99H7f0kq zocker@zockerpc 2018-07-22"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEaWqcgeNh3BjyDXCg0DQfbuPg5VLVYlt8ucYu7VZNr zocker@x13yz 2024-07-04"
];
packages = with pkgs; lib.lists.flatten [
kdePackages.kate
(lib.lists.optional cfg.convertable [
maliit-keyboard # on-screen keyboard (should just work, see https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/2)
])
];
};
};
x-banananetwork = {
allCommon.enable = true;
autoUnfree.enable = true;
hwCommon.enable = true;
vmCommon.enable = false;
usuable.enable = true;
};
# TODO move KDE Connect to same level as plasma6 (either nixos or hm)
# TODO wishlist:
# - enable & disable touch keyboard automatically based on convertable status
# - programs.captive-browser
# - https://github.com/cynicsketch/nix-mineral (NixOS hardening)
# - programs.mepo
# - programs.autojump
# - programs.yubikey-touch-detector
};
}

452
nix/nixos-modules/frontend/home.nix
Unescape Escape View File

@ -0,0 +1,452 @@
{ nixosConfig
, config
, lib
, pkgs
, ...
}:
let
myGpgKey = pkgs.fetchurl {
url = "https://keys.openpgp.org/vks/v1/by-fingerprint/73D09948B2392D688A45DC8393E1BD26F6B02FB7";
hash = "sha256-qVHrSLSRdcOL+pgDS1NAkmVScFdKxDA8FAm81UCYJ64=";
};
archiveGpgKey = pkgs.fetchurl {
url = "https://keys.openpgp.org/vks/v1/by-fingerprint/19C17AF30A1152D473A3849C28279F3E0A444E63";
hash = "sha256-k81wvlyx3oUJjKx1Dpmas1LLvTwKW8FN4MEbOvfRyj8=";
};
in
{
home = {
stateVersion = nixosConfig.system.stateVersion;
};
home.file = {
# TODO use generator for YAML
# TODO sptlrx player detection broken because ".instanceXXXX" suffixes
# v1.2.2 fixes this, but its test requires network, making it hard to package for NixOS
".config/sptlrx/config.yaml".text = ''
player: mpris
timerInterval: 200
updateInterval: 2000
mpris:
players:
- ncspot
'';
".ssh/connections/.keep".text = ''
# created by home-manager (to create directory)
'';
};
home.packages = with pkgs; [
# dev
neovim
podman
# media
ncspot
sptlrx # spotify subtitle generator
# TODO server with: your_spotify
# tools
fzf # fuzzy finder # TODO integrate better: https://home-manager-options.extranix.com/?query=fzf&release=master
jdupes
# UI
element-desktop
kdePackages.filelight
kdePackages.kleopatra
keepassxc
krita
wireshark
trilium-desktop
xournalpp
yubikey-manager
yubioath-flutter
# utilities
fira
(pkgs.nerdfonts.override {
fonts = [
"FiraCode"
"Hasklig"
];
})
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
programs = {
bash = {
enable = true;
enableCompletion = true;
# fix for https://github.com/nix-community/home-manager/issues/3091, from https://github.com/NixOS/nix/issues/2033#issuecomment-1366974053
#bashrcExtra = ''
# export NIXPATH="/nix/var/nix/profiles/per-user/$USER/channels:nixos-config=/etc/nixos/configuration.nix"
#'';
};
chromium = {
dictionaries = with pkgs.hunspellDictsChromium; [
de_DE
en_US
];
enable = true;
extensions = map (id: { id = id; }) [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock Origin
"oboonakemofpalcgghocfoadofidjkkk" # KeePassXC-Browser
];
# TODO try ungoogled chromium
#package = pkgs.ungoogled-chromium;
};
eza = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
git = true;
icons = true;
};
git = {
enable = true;
userName = "Felix Stupp";
userEmail = "felix.stupp@banananet.work";
signing = {
key = "73D09948B2392D688A45DC8393E1BD26F6B02FB7";
signByDefault = true;
};
};
gpg = {
enable = true;
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{ source = "${myGpgKey}"; trust = 5; }
{ source = "${archiveGpgKey}"; trust = 5; }
];
scdaemonSettings = {
# required because of pcscd used in parallel
disable-ccid = true;
};
};
mpv = {
enable = true;
bindings = {
MBTN_MID = "quit";
WHEEL_UP = "ignore";
WHEEL_DOWN = "ignore";
WHEEL_LEFT = "ignore";
WHEEL_RIGHT = "ignore";
};
extraInput = ''
[ ignore
] ignore
[ add speed -0.05
] add speed 0.05
{ ignore
} ignore
{ add speed -0.2
} add speed 0.2
'';
config = {
save-position-on-quit = true;
vo = "gpu"; # or: dmabuf-wayland
hwdec = "auto-safe";
gpu-context = "wayland";
alpha = "yes";
speed = 1.2;
#ytdl-format = "bestvideo[height<=?1080]+bestaudio/best";
};
scripts = with pkgs.mpvScripts; [
autoload
evafast
modernx-zydezu
mpris
quack
quality-menu
reload
sponsorblock
thumbfast
];
scriptOpts = {
modernx = {
# order by README (https://github.com/zydezu/ModernX#configurable-options)
# general
welcomescreen = true;
# interface
persistentprogress = true;
# button
timetotal = false;
downloadbutton = false;
showyoutubecomments = false;
};
};
};
vscode = {
enable = true;
enableExtensionUpdateCheck = true;
enableUpdateCheck = false;
extensions = with pkgs.vscode-extensions; [
# general
dracula-theme.theme-dracula
vscodevim.vim
# IDE-specific
jnoortheen.nix-ide
];
mutableExtensionsDir = false;
package = pkgs.vscodium;
userSettings = {
"[nix]" = {
"editor.tabSize" = 2;
};
"[python]" = {
"editor.defaultFormatter" = "ms-python.black-formatter";
};
"ansible.ansibleLint.path" = "${pkgs.ansible-lint}/bin/ansible-lint";
"dev.containers.dockerComposePath" = "${pkgs.podman-compose}/bin/podman-compose";
"dev.containers.dockerPath" = "${pkgs.podman}/bin/podman";
"diffEditor.ignoreTrimWhitespace" = false;
"diffEditor.renderSideBySide" = false;
"editor.cursorBlinking" = "solid";
"editor.fontFamily" = "'FiraCode Nerd Font', 'Fira Code','Droid Sans Mono', 'monospace', monospace, 'Droid Sans Fallback'";
"editor.fontLigatures" = true;
"editor.formatOnSave" = true;
"editor.largeFileOptimizations" = false;
"editor.minimap.enabled" = false;
"editor.renderWhitespace" = "boundary";
"editor.suggest.localityBonus" = true;
"editor.suggestSelection" = "recentlyUsedByPrefix";
"editor.wordWrap" = "on";
"explorer.compactFolders" = true;
"explorer.confirmDelete" = false;
"extensions.ignoreRecommendations" = true;
"files.associations" = {
"*.makefile" = "makefile";
};
"files.autoSave" = "onFocusChange";
"files.exclude" = {
"**/.classpath" = true;
"**/.factorypath" = true;
"**/.mypy_cache" = true;
"**/.project" = true;
"**/.pytest_cache" = true;
"**/.settings" = true;
"**/__pycache__" = true;
"**/venv" = true;
};
"files.insertFinalNewline" = true;
"files.trimTrailingWhitespace" = true;
"files.watcherExclude" = {
"**/venv" = true;
};
"git.autofetch" = true;
"git.confirmSync" = false;
"git.enableSmartCommit" = true;
"html.format.enable" = false;
"keyboard.dispatch" = "keyCode";
"latex-workshop.message.update.show" = false;
"latex-workshop.view.pdf.viewer" = "tab";
"markdown.preview.fontFamily" = "-apple-system, BlinkMacSystemFont, 'DejaVu Sans', 'Segoe WPC', 'Segoe UI', 'HelveticaNeue-Light', 'Ubuntu', 'Droid Sans', sans-serif";
"mypy-type-checker.importStrategy" = "fromEnvironment";
"mypy.runUsingActiveInterpreter" = true;
"notebook.cellToolbarLocation" = {
default = "right";
jupyter-notebook = "left";
};
"nix.enableLanguageServer" = true;
"nix.serverPath" = "${pkgs.nil}/bin/nil";
"nix.serverSettings" = {
nil = {
formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ];
};
};
"npm.fetchOnlinePackageInfo" = false;
"python.analysis.autoImportCompletions" = true;
"python.analysis.stubPath" = "./typings/";
"python.defaultInterpreterPath" = "${pkgs.python3}/bin/python";
"python.linting.enabled" = false;
"python.showStartPage" = false;
"redhat.telemetry.enabled" = false;
"scm.alwaysShowProviders" = true;
"security.workspace.trust.banner" = "never";
"telemetry.telemetryLevel" = "off";
"typescript.updateImportsOnFileMove.enabled" = "always";
"update.mode" = "none";
"update.showReleaseNotes" = false;
"vscode-neovim.neovimPath" = "${pkgs.neovim}/bin/nvim";
"vsintellicode.modify.editor.suggestSelection" = "automaticallyOverrodeDefaultValue";
"window.menuBarVisibility" = "toggle";
"window.titleBarStyle" = "native";
"workbench.colorTheme" = "Dracula";
"workbench.editorAssociations" = {
"*.ipynb" = "jupyter-notebook";
};
"workbench.enableExperiments" = false;
"workbench.settings.enableNaturalLanguageSearch" = false;
"yaml.format.enable" = false;
};
};
ssh = {
enable = true;
controlMaster = "autoask";
controlPath = "~/.ssh/connections/%r@%h:%p";
controlPersist = "10m";
matchBlocks = {
"*git*" = {
extraOptions = {
ControlMaster = "no";
ControlPersist = "no";
};
};
};
};
thunderbird = {
enable = true;
profiles.main = {
isDefault = true;
withExternalGnupg = true;
};
};
};
services = {
gpg-agent = {
defaultCacheTtl = 1800;
enable = true;
enableExtraSocket = true;
enableScDaemon = true;
enableSshSupport = true;
enableZshIntegration = true;
pinentryPackage = pkgs.pinentry-qt;
};
# manual login required
nextcloud-client.enable = true;
# manual config required
syncthing = {
enable = true;
tray.enable = true;
};
};
# TODO does not work yet (current: manual config)
#accounts.email.accounts."Mailbox Personal" = {
# primary = true;
# # general options
# address = "felix.stupp@banananet.work";
# folders = {
# # TODO check if defaults are working
# };
# gpg = {
# key = "0x93E1BD26F6B02FB7";
# };
# realName = "Felix Stupp";
# # app settings
# thunderbird = {
# enable = true;
# profiles = [ "main" ];
# };
#};
#accounts.email.accounts.kit-urwai = {
# address = "felix.stupp@student.kit.edu";
# aliases = [
# "urwai@student.kit.edu"
# ];
# folders = {
# };
#};
# ======================================
# hotfix because GUI is managed on system level (fow now)
systemd.user.targets.tray = {
Unit = {
Description = "Home Manager System Tray";
Requires = [ "graphical-session-pre.target" ];
};
};
# allow unfree limited
nixpkgs.config.allowUnfree = false;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
# mpv plugins missing licenses
"evafast"
];
# ZSH config
programs.zsh.enable = true;
programs.zsh.antidote = {
enable = true;
plugins = [
"djui/alias-tips"
];
};
}

67
nix/nixos-modules/graphics.nix
Unescape Escape View File

@ -0,0 +1,67 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.hardware.graphics;
in
{
options = {
hardware.graphics = {
required = lib.mkEnableOption "checks enforcing that at least one graphic driver is installed";
amd.enable = lib.mkEnableOption "AMD graphic drivers";
intel.enable = lib.mkEnableOption "Intel graphic drivers";
};
};
config = lib.mkMerge [
(
lib.mkIf
cfg.required
{
assertations = [ (cfg.amd.enable || cfg.intel.enable) ];
}
)
(
# TODO replace with drivers
lib.mkIf
cfg.amd.enable
{
assertions = [{
assertion = !cfg.amd.enable;
message = "graphics module missing support for AMD drivers";
}];
}
)
(
lib.mkIf
cfg.intel.enable
{
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-media-sdk
libvdpau-va-gl
];
};
}
)
];
}

94
nix/nixos-modules/hwCommon.nix
Unescape Escape View File

@ -0,0 +1,94 @@
# applicable to all hosts running on bare hardware
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.hwCommon;
in
{
options = {
x-banananetwork.hwCommon = {
enable = lib.mkEnableOption ''
settings common to all bare hardware-based hosts
'';
cpu = lib.mkOption {
description = ''
Configures the CPU type to expect this configuration to run on
'';
type = lib.types.enum [ "amd" "intel" ];
# required
};
};
};
config = lib.mkIf cfg.enable {
hardware = {
cpu = lib.mkMerge [
(
lib.mkIf
(cfg.cpu == "amd")
{ amd.updateMicrocode = true; }
)
(
lib.mkIf
(cfg.cpu == "intel")
{ intel.updateMicrocode = true; }
)
];
enableRedistributableFirmware = true;
};
powerManagement = {
cpuFreqGovernor = "ondemand";
enable = true;
powertop.enable = true;
scsiLinkPolicy = "med_power_with_dipm";
};
services = {
fwupd = {
enable = true;
};
smartd = {
enable = true;
};
};
x-banananetwork = {
allCommon.enable = true;
vmCommon.enable = false;
usuable.enable = lib.mkDefault true; # add docs & tools for emergencies
};
};
}

47
nix/nixos-modules/privacy.nix
Unescape Escape View File

@ -0,0 +1,47 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.x-banananetwork.privacy;
in {
options = {
x-banananetwork.privacy = {
enable = lib.mkEnableOption ''
system settings which attempt to increase privacy.
'';
ipv6IncreasedPrivacy = lib.mkEnableOption ''
increased IPv6 privacy meassures.
Decreases the time IPv6 privacy extension addresses are used.
'';
};
};
config = lib.mkIf cfg.enable {
boot.kernel.sysctl = {
"net.ipv6.conf.all.temp_prefered_lft" = 1* 60*60; # = 1h
"net.ipv6.conf.all.temp_valid_lft" = 21 *60*60; # = 21h
};
networking = {
tempAddresses = "default";
};
};
}

36
nix/nixos-modules/sshSecurity.nix
Unescape Escape View File

@ -0,0 +1,36 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.services.openssh;
in {
options = {
services.openssh.authorizedKeysOnly = lib.mkEnableOption ''
only logins using ssh keys (improving over default settings)
'';
};
config = lib.mkIf cfg.enable {
services.openssh = {
settings = {
KbdInteractiveAuthentication = lib.mkIf cfg.authorizedKeysOnly false;
PasswordAuthentication = lib.mkIf cfg.authorizedKeysOnly false;
};
};
};
# TODO add tests
}

163
nix/nixos-modules/useable.nix
Unescape Escape View File

@ -0,0 +1,163 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.useable;
in
{
options = {
x-banananetwork.useable = {
enable = lib.mkEnableOption ''
a set of opionated options to make systems useable & debugable for users.
This means e.g. adding common, useful tools and add documentation.
'';
};
};
config = lib.mkIf cfg.enable {
documentation = {
enable = true;
dev.enable = true;
doc.enable = true;
info.enable = true;
man.enable = true;
man.generateCaches = true;
man-db.enable = false; # see mandoc
mandoc = {
enable = true;
};
nixos = {
enable = true;
includeAllModules = true;
};
};
environment.systemPackages = with pkgs; let
inherit (lib.lists) flatten optional optionals;
in
flatten [
(optional (config.hardware.bolt.enable && config.services.desktopManager.plasma6.enable) kdePackages.plasma-thunderbolt) # TODO upstream
(optionals config.hardware.graphics.amd.enable [
nvtopPackages.amd
])
(optionals config.hardware.graphics.intel.enable [
intel-gpu-tools
nvtopPackages.intel
])
bat
batmon # TODO only on systems wich batteries
jq # JSON
manix
massren
nethogs
reptyr
pciutils
psitop
pv
unixtools.xxd
up # ultimate plumber
usbtop
usbutils
];
programs = {
bandwhich.enable = true;
git = {
enable = true;
# TODO config
init = {
defaultBranch = "git";
};
};
iftop.enable = true;
iotop.enable = true;
less = {
enable = true;
};
liboping.enable = true;
mtr.enable = true;
nano = {
enable = true;
nanorc = ''
set nowrap
set tabtospaces
set tabsize 2
'';
syntaxHighlight = true;
};
tmux = {
plugins = with pkgs.tmuxPlugins; [
better-mouse-mode
sensible
];
secureSocket = true; # does not survive user logout
};
zsh = {
autosuggestions = {
enable = true;
strategy = [
"history"
"completion"
];
};
enable = true;
enableBashCompletion = true;
enableCompletion = true;
syntaxHighlighting = {
enable = true;
highlighters = [
"main"
"brackets"
"root"
];
};
vteIntegration = true;
};
};
x-banananetwork = {
allCommon.enable = true;
debugMinimal.enable = true;
};
# TODO withlist:
# - update tmuxPlugins.sensible in nixpkgs (e.g. https://github.com/NixOS/nixpkgs/pull/272954)
};
}

224
nix/nixos-modules/vmCommon.nix
Unescape Escape View File

@ -0,0 +1,224 @@
# applicable to all service VMs running on a hypervisor (currently Proxmox/QEMU assumed)
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.x-banananetwork.vmCommon;
# Based on https://unix.stackexchange.com/questions/16578/resizable-serial-console-window
resize = pkgs.writeShellScriptBin "resize" ''
export PATH="${pkgs.coreutils}/bin"
if [ ! -t 0 ]; then
# not a interactive...
exit 0
fi
TTY="$(tty)"
if [[ "$TTY" != /dev/ttyS* ]] && [[ "$TTY" != /dev/ttyAMA* ]] && [[ "$TTY" != /dev/ttySIF* ]]; then
# probably not a known serial console, we could make this check more
# precise by using `setserial` but this would require some additional
# dependency
exit 0
fi
old=$(stty -g)
stty raw -echo min 0 time 5
printf '\0337\033[r\033[999;999H\033[6n\0338' > /dev/tty
IFS='[;R' read -r _ rows cols _ < /dev/tty
stty "$old"
stty cols "$cols" rows "$rows"
'';
in
{
options = {
x-banananetwork.vmCommon = {
enable = lib.mkEnableOption ''
settings common to all hosts running in VMs
'';
};
};
config = lib.mkIf cfg.enable {
# timing-related options
# - ordered by chronological order
system.autoUpgrade = {
rebootWindow.lower = "01:00";
dates = "01:00";
randomizedDelaySec = "45min";
rebootWindow.upper = "04:00";
};
nix.gc = {
# could take longer
dates = "04:15";
randomizedDelaySec = "30min";
};
nix.optimise = {
# should not take long because of auto-optimise-store
dates = "05:30";
};
# all other options
boot = {
kernelParams = "console=ttyS0,115200";
loader = {
efi.canTouchEfiVariables = true;
grub.enable = false;
systemd-boot = {
enable = true;
configurationLimit = 16;
editor = true; # access to VM console/KVM should be locked
};
};
};
console.keyMap = "de";
# for fast debugging of systems, keep small
environment.systemPackages = [
resize
];
networking = {
firewall = {
logRefusedConnections = false;
# TODO
};
useDHCP = true;
useNetworkd = lib.mkDefault false;
usePredictableInterfaceNames = true;
};
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise = {
automatic = true;
};
settings = {
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
min-free = lib.mkDefault (512 * 1024 * 1024);
};
};
security = {
apparmor.enable = true;
lockKernelModules = true; # after boot loading not required on VMs
sudo = {
enable = true;
execWheelOnly = lib.mkDefault true;
extraConfig = ''
Defaults lecture = never
'';
};
};
services = {
qemuGuest.enable = true;
openssh = {
enable = true;
authorizedKeysInHomedir = false;
authorizedKeysOnly = true;
openFirewall = true;
};
};
sound.enable = false;
system.autoUpgrade = {
enable = true;
allowReboot = true;
fixedRandomDelay = true;
flags = [
"--no-allow-dirty"
"--no-use-registries"
"--no-update-lock-file"
];
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
operation = "boot"; # change only on reboots
};
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
time.hardwareClockInLocalTime = false; # just to make sure
x-banananetwork = {
allCommon.enable = true;
debugMinimal.enable = true;
# TODO think about
#privacy.enable = true;
};
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
# TODO wishlist items (in prio order):
# - ntfy.sh as mailer
# own script
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
# & connect to: journalwatch, smartd
# - add support for automatic boot assessment (will be added to 24.11)
# - programs.atop.enable = true
# - think about zramSwap
# - NixOS test: ssh-audit
# - networking.useNetworkd
# - networking.tcpcrypt
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
};
}

7
nix/nixos/default.nix
Unescape Escape View File

@ -0,0 +1,7 @@
{
inputs,
outputs,
...
}@args: {
}
Write Preview
Loading…
Cancel
Save