diff --git a/common/syncthing.nix b/common/syncthing.nix
new file mode 100644
index 0000000..647ee15
--- /dev/null
+++ b/common/syncthing.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+let
+ inherit (config.networking) hostName;
+in
+{
+ services.syncthing = {
+ enable = true;
+ systemService = true;
+ openDefaultPorts = true;
+ guiAddress = "${hostName}.tailnet.helveticanonstandard.net:4000";
+ overrideDevices = false;
+ overrideFolders = false;
+ };
+}
diff --git a/common/tailscale.nix b/common/tailscale.nix
new file mode 100644
index 0000000..915d195
--- /dev/null
+++ b/common/tailscale.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ useRoutingFeatures = "both"; # TODO
+ };
+
+ networking.firewall.trustedInterfaces = [
+ config.services.tailscale.interfaceName
+ ];
+}
diff --git a/common/users.nix b/common/users.nix
index 28567a3..c20abcb 100644
--- a/common/users.nix
+++ b/common/users.nix
@@ -1,6 +1,29 @@
 {
+ inputs,
+ config,
+ ...
+}:
+let
+ inherit (config.users) mainUser;
+in
+{
+ age.secrets."user-${mainUser}".file = inputs.self + /secrets/users/${mainUser}.age;
+
 users = {
 mutableUsers = false;
- users.root.hashedPassword = "!";
+
+ mainUser = "helvetica";
+
+ users = {
+ root.hashedPassword = "!";
+ ${mainUser} = {
+ description = "Helvetica";
+ uid = 1000;
+ isNormalUser = true;
+ hashedPasswordFile = config.age.secrets."user-${mainUser}".path;
+ openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
+ extraGroups = [ "wheel" ]; # TODO remove
+ };
+ };
 };
 }
diff --git a/flake.lock b/flake.lock
index 404c1a0..021e004 100644
--- a/flake.lock
+++ b/flake.lock
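Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` in common/tailscale.nix now exempts every tailnet peer from the firewall on every host that imports common/, where the deleted profiles/trusted/tailscale.nix made this opt-in behind `profiles.trusted.enable`. Hosts whose profiles.nix is not in this diff (insomniac, work) may be receiving it for the first time, so any service bound to all interfaces on them becomes reachable from the whole tailnet. `useRoutingFeatures = "both"; # TODO` likewise enables subnet-router and exit-node forwarding on all hosts, and the TODO does not say what is pending. At minimum replace it with the intent, e.g. `useRoutingFeatures = "both"; # TODO: narrow to "client" on hosts that are neither subnet routers nor exit nodes`.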
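Review bot: `extraGroups = [ "wheel" ]; # TODO remove` in common/users.nix now grants the main user wheel on every host, including the servers (abacus, vessel) whose per-host copy this commit deletes, so the carried-over TODO has a wider blast radius than before. Separately, `mainUser = "helvetica";` is set at normal priority, which is why hosts/insomniac/users.nix and hosts/work/users.nix have to reach for `lib.mkForce`; `mainUser = lib.mkDefault "helvetica";` (adding `lib` to the module arguments) would let hosts override it plainly and keep mkForce for genuine conflicts. The `age.secrets."user-${mainUser}".file = inputs.self + /secrets/users/${mainUser}.age;` line also means every host that overrides mainUser must ship a matching `secrets/users/<name>.age`; this commit does so for insomniac and lukas, but nothing states that requirement where the option is declared.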
@@ -171,6 +171,22 @@ } }, "flake-compat_8": { + "flake": false, + "locked": { + "lastModified": 1746162366, + "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_9": { "flake": false, "locked": { "lastModified": 1696426674, @@ -680,7 +696,7 @@ }, "hooks_6": { "inputs": { - "flake-compat": "flake-compat_8", + "flake-compat": "flake-compat_9", "gitignore": "gitignore_7", "nixpkgs": [ "xenumenu", @@ -849,6 +865,27 @@ "type": "github" } }, + "nixos-cosmic": { + "inputs": { + "flake-compat": "flake-compat_8", + "nixpkgs": "nixpkgs_9", + "nixpkgs-stable": "nixpkgs-stable_2", + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1751591814, + "narHash": "sha256-A4lgvuj4v+Pr8MniXz1FBG0DXOygi8tTECR+j53FMhM=", + "owner": "lilyinstarlight", + "repo": "nixos-cosmic", + "rev": "fef2d0c78c4e4d6c600a88795af193131ff51bdc", + "type": "github" + }, + "original": { + "owner": "lilyinstarlight", + "repo": "nixos-cosmic", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1745391562, @@ -1001,6 +1038,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1751048012, + "narHash": "sha256-MYbotu4UjWpTsq01wglhN5xDRfZYLFtNk7SBY0BcjkU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a684c58d46ebbede49f280b653b9e56100aa3877", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_10": { "locked": { "lastModified": 1750365781, 
@@ -1131,11 +1184,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1751984180, - "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", + "lastModified": 1751011381, + "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", + "rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7", "type": "github" }, "original": { @@ -1256,7 +1309,11 @@ "myphps": "myphps", "nini": "nini", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_9", + "nixos-cosmic": "nixos-cosmic", + "nixpkgs": [ + "nixos-cosmic", + "nixpkgs" + ], "treefmt": "treefmt_5", "xenumenu": "xenumenu" } @@ -1282,6 +1339,27 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "nixpkgs": [ + "nixos-cosmic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1751251399, + "narHash": "sha256-y+viCuy/eKKpkX1K2gDvXIJI/yzvy6zA3HObapz9XZ0=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "b22d5ee8c60ed1291521f2dde48784edd6bf695b", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 8940943..c605177 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,8 @@ agenix.url = "github:ryantm/agenix"; hardware.url = "github:NixOS/nixos-hardware"; + nixos-cosmic.url = "github:lilyinstarlight/nixos-cosmic"; + nixpkgs.follows = "nixos-cosmic/nixpkgs"; nix-index-database = { url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/abacus/profiles.nix b/hosts/abacus/profiles.nix index c8eb6b6..92e505a 100644 --- a/hosts/abacus/profiles.nix +++ b/hosts/abacus/profiles.nix @@ -1,6 +1,3 @@ { - profiles = { - server.enable = true; - trusted.enable = true; - }; + profiles.server.enable = true; } 
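Review bot: `nixpkgs.follows = "nixos-cosmic/nixpkgs";` in flake.nix hands control of the system's nixpkgs revision to a third-party flake's lock, so nixpkgs (and its security fixes) only moves when lilyinstarlight/nixos-cosmic re-locks, and the flake.lock hunk in this same diff shows `nixpkgs_9` going from `lastModified` 1751984180 back to 1751011381, i.e. the whole system is pinned to an older nixpkgs than before. The usual inversion keeps your own input authoritative and points the overlay at it: `nixos-cosmic.inputs.nixpkgs.follows = "nixpkgs";` (at the cost of some cosmic.cachix.org cache hits when the revisions diverge). If following upstream is deliberate for cache reasons, a comment to that effect next to the follows line would stop the next reader from "fixing" it.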
diff --git a/hosts/abacus/static-sites.nix b/hosts/abacus/static-sites.nix index bbd88f4..b47d33a 100644 --- a/hosts/abacus/static-sites.nix +++ b/hosts/abacus/static-sites.nix @@ -1,4 +1,5 @@ { + config, lib, ... }: @@ -24,7 +25,7 @@ lib.mkMerge ( }; systemd.tmpfiles.settings."10-static-sites".${root}.d = { - user = "helvetica"; + user = config.users.mainUser; group = "users"; mode = "0755"; }; diff --git a/hosts/abacus/users.nix b/hosts/abacus/users.nix deleted file mode 100644 index cd7a56d..0000000 --- a/hosts/abacus/users.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, inputs, ... }: -{ - age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age; - - users.users.helvetica = { - description = "Helvetica"; - uid = 1000; - isNormalUser = true; - hashedPasswordFile = config.age.secrets.user-helvetica.path; - openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users; - extraGroups = [ "wheel" ]; # TODO remove - }; -} diff --git a/hosts/flamingo/profiles.nix b/hosts/flamingo/profiles.nix index b90db95..cf3a004 100644 --- a/hosts/flamingo/profiles.nix +++ b/hosts/flamingo/profiles.nix @@ -6,6 +6,5 @@ gaming.enable = true; piracy.enable = true; productivity.enable = true; - trusted.enable = true; }; } diff --git a/hosts/flamingo/users.nix b/hosts/flamingo/users.nix deleted file mode 100644 index cd7a56d..0000000 --- a/hosts/flamingo/users.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, inputs, ... }: -{ - age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age; - - users.users.helvetica = { - description = "Helvetica"; - uid = 1000; - isNormalUser = true; - hashedPasswordFile = config.age.secrets.user-helvetica.path; - openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users; - extraGroups = [ "wheel" ]; # TODO remove - }; -} diff --git a/hosts/glacier/beets.nix b/hosts/glacier/beets.nix deleted file mode 100644 index 2470a61..0000000 --- a/hosts/glacier/beets.nix +++ /dev/null 
@@ -1,6 +0,0 @@
-{ pkgs, ... }:
-{
- environment.systemPackages = [
- pkgs.beets
- ];
-}
diff --git a/hosts/glacier/profiles.nix b/hosts/glacier/profiles.nix
index be95c47..fbd110f 100644
--- a/hosts/glacier/profiles.nix
+++ b/hosts/glacier/profiles.nix
@@ -6,6 +6,5 @@
 gaming.enable = true;
 piracy.enable = true;
 productivity.enable = true;
- trusted.enable = true;
 };
 }
diff --git a/hosts/glacier/users.nix b/hosts/glacier/users.nix
index cd7a56d..2ad58bc 100644
--- a/hosts/glacier/users.nix
+++ b/hosts/glacier/users.nix
@@ -1,13 +1,8 @@
-{ config, inputs, ... }:
 {
- age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age;
-
- users.users.helvetica = {
- description = "Helvetica";
- uid = 1000;
+ users.users.futura = {
+ description = "Futura";
+ uid = 1001;
 isNormalUser = true;
- hashedPasswordFile = config.age.secrets.user-helvetica.path;
- openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
- extraGroups = [ "wheel" ]; # TODO remove
+ password = "futura";
 };
 }
diff --git a/hosts/insomniac/autologin.nix b/hosts/insomniac/cosmic.nix
similarity index 100%
rename from hosts/insomniac/autologin.nix
rename to hosts/insomniac/cosmic.nix
diff --git a/hosts/insomniac/users.nix b/hosts/insomniac/users.nix
index 396510e..1d93475 100644
--- a/hosts/insomniac/users.nix
+++ b/hosts/insomniac/users.nix
@@ -1,14 +1,14 @@
 {
 config,
+ lib,
 ...
 }:
+let
+ inherit (config.users) mainUser;
+in
 {
- users.users.helvetica = {
- description = "Insomniac";
- uid = 1000;
- isNormalUser = true;
- password = "";
- openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
- extraGroups = [ "wheel" ]; # TODO remove
+ users = {
+ mainUser = lib.mkForce "insomniac";
+ users.${mainUser}.description = lib.mkForce "Insomniac";
 };
 }
diff --git a/hosts/vessel/profiles.nix b/hosts/vessel/profiles.nix
index c8eb6b6..92e505a 100644
--- a/hosts/vessel/profiles.nix
+++ b/hosts/vessel/profiles.nix
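Review bot: `password = "futura";` in hosts/glacier/users.nix puts the login password in plaintext into the evaluated configuration and the world-readable Nix store, where the removed lines (and common/users.nix) used `hashedPasswordFile` from an agenix secret. With `mutableUsers = false` set in common this is the account's only credential, and it is equal to the username. Restore the `{ config, inputs, ... }:` module arguments, add a `secrets/users/futura.age`, and wire it the way common/users.nix does so the account gets `hashedPasswordFile = config.age.secrets."user-futura".path;`; if a store-visible value is genuinely acceptable, `hashedPassword` with a real hash is still preferable to `password`.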
@@ -1,6 +1,3 @@
 {
- profiles = {
- server.enable = true;
- trusted.enable = true;
- };
+ profiles.server.enable = true;
 }
diff --git a/hosts/vessel/users.nix b/hosts/vessel/users.nix
deleted file mode 100644
index cd7a56d..0000000
--- a/hosts/vessel/users.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, inputs, ... }:
-{
- age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age;
-
- users.users.helvetica = {
- description = "Helvetica";
- uid = 1000;
- isNormalUser = true;
- hashedPasswordFile = config.age.secrets.user-helvetica.path;
- openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
- extraGroups = [ "wheel" ]; # TODO remove
- };
-}
diff --git a/hosts/work/users.nix b/hosts/work/users.nix
index 8d585f2..078acbf 100644
--- a/hosts/work/users.nix
+++ b/hosts/work/users.nix
@@ -1,13 +1,14 @@
-{ config, inputs, ... }:
 {
- age.secrets.user-lukas.file = inputs.self + /secrets/users/helvetica.age;
-
- users.users.lukas = {
- description = "Lukas Wurzinger";
- uid = 1000;
- isNormalUser = true;
- hashedPasswordFile = config.age.secrets.user-lukas.path;
- openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
- extraGroups = [ "wheel" ]; # TODO remove
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (config.users) mainUser;
+in
+{
+ users = {
+ mainUser = lib.mkForce "lukas";
+ users.${mainUser}.description = lib.mkForce "Lukas Wurzinger";
 };
 }
diff --git a/modules/main-user.nix b/modules/main-user.nix
new file mode 100644
index 0000000..4123a80
--- /dev/null
+++ b/modules/main-user.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+let
+ inherit (lib) types;
+in
+{
+ options = {
+ users.mainUser = lib.mkOption {
+ type = types.passwdEntry types.str;
+ description = ''
+ The main user.
+ '';
+ };
+ };
+}
diff --git a/profiles/desktop/cosmic.nix b/profiles/desktop/cosmic.nix
new file mode 100644
index 0000000..8857cc5
--- /dev/null
+++ b/profiles/desktop/cosmic.nix
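Review bot: The `users.mainUser` description in modules/main-user.nix, `The main user.`, does not tell a host author what setting it entails: common/users.nix creates `users.users.${mainUser}` with uid 1000 and wheel, reads `config.age.secrets."user-${mainUser}"`, and points that secret at `secrets/users/${mainUser}.age`, so a host that overrides it (hosts/insomniac/users.nix and hosts/work/users.nix, which need `lib.mkForce` because common sets it at normal priority) must add that encrypted file or the build will presumably fail on the missing path. Expand the description to name the account it defines and the secret it requires, and add `example = "alice";` so the option renders usefully in generated docs.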
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+let
+ cfg = config.profiles.desktop;
+in
+{
+ imports = [
+ inputs.nixos-cosmic.nixosModules.default
+ ];
+
+ config = lib.mkIf cfg.enable {
+
+ nix.settings = {
+ substituters = [ "https://cosmic.cachix.org" ];
+ trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ];
+ };
+
+ services = {
+ desktopManager.cosmic.enable = true;
+ displayManager.cosmic-greeter.enable = true;
+ };
+
+ environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1;
+ };
+}
diff --git a/profiles/desktop/mpv.nix b/profiles/desktop/mpv.nix
deleted file mode 100644
index 4589648..0000000
--- a/profiles/desktop/mpv.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ inputs, pkgs, ... }:
-{
- environment.systemPackages = [
- inputs.mympv.packages.${pkgs.system}.default
- ];
-}
diff --git a/profiles/desktop/plasma.nix b/profiles/desktop/plasma.nix
deleted file mode 100644
index 3012563..0000000
--- a/profiles/desktop/plasma.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- cfg = config.profiles.desktop;
-in
-{
- config = lib.mkIf cfg.enable {
- services = {
- displayManager.sddm = {
- enable = true;
- wayland.enable = true;
- };
-
- desktopManager.plasma6.enable = true;
- };
- };
-}
diff --git a/profiles/trusted/default.nix b/profiles/trusted/default.nix
deleted file mode 100644
index 6dabd50..0000000
--- a/profiles/trusted/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ lib, ... }:
-{
- options.profiles.trusted = {
- enable = lib.mkEnableOption "trusted";
- };
-}
diff --git a/profiles/trusted/syncthing.nix b/profiles/trusted/syncthing.nix
deleted file mode 100644
index 680bde8..0000000
--- a/profiles/trusted/syncthing.nix
+++ /dev/null
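Review bot: `trusted-public-keys = [ "cosmic.cachix.org-1:..." ]` in profiles/desktop/cosmic.nix adds a third-party signing key that Nix will then accept for any store path it signs, not only COSMIC packages, so every desktop host gains a new trust root with no record of why; put the provenance on the line, e.g. `trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ]; # cosmic.cachix.org key, verified against <WHERE THE KEY WAS CHECKED>`. `environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1;` presumably switches on the compositor's data-control (clipboard access) protocol for all clients, which is the kind of setting a reader will want a why-comment on as well. Both settings sit under `lib.mkIf cfg.enable`, so they apply to every host with the desktop profile, which is wider than the per-host opt-in the rest of this commit is removing.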
@@ -1,21 +0,0 @@ -{ - config, - lib, - ... -}: -let - cfg = config.profiles.trusted; - inherit (config.networking) hostName; -in -{ - config = lib.mkIf cfg.enable { - services.syncthing = { - enable = true; - systemService = true; - openDefaultPorts = true; - guiAddress = "${hostName}.tailnet.helveticanonstandard.net:4000"; - overrideDevices = false; - overrideFolders = false; - }; - }; -} diff --git a/profiles/trusted/tailscale.nix b/profiles/trusted/tailscale.nix deleted file mode 100644 index 2d3cba9..0000000 --- a/profiles/trusted/tailscale.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - config, - lib, - ... -}: -let - cfg = config.profiles.trusted; -in -{ - config = lib.mkIf cfg.enable { - services.tailscale = { - enable = true; - openFirewall = true; - useRoutingFeatures = "both"; # TODO - }; - - networking.firewall.trustedInterfaces = [ - config.services.tailscale.interfaceName - ]; - }; -} diff --git a/secrets/users/insomniac.age b/secrets/users/insomniac.age new file mode 100644 index 0000000..17877c2 --- /dev/null +++ b/secrets/users/insomniac.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 SFHVrw VvRWN857MXOUqUqMIAv3OCgUp7zIJgOmCDhibsfR4BM +pOwTtL357S/fuJK2n5RAKBBcCcL+tnMqt/n7o5BX/nI +-> ssh-ed25519 S+dwQQ h5Hf+yOK61iARFKtI3BvGfUuesU7JfBG73xg2OfNO3w +9a/WN5wQZ4T7ar9GD5iCjw1E9k8FafdcQCt78f3PmzE +-> ssh-ed25519 bPbvlw eeS4sFLhm/5pyPvc4A23iZY7Yx6Rr1DeZve3NmjaDyM +ZFQZDhcqMjWrncTFS/URGcOXdK/xMpbprpetdsE7gI0 +-> ssh-ed25519 8l76Rg rZlqjtuvCJthjPQ+uF7SBlz6gSioCXdmUO330IuheD0 +p85nindSGaWqthF7y/t7jLpkA1tlOIunuJcB1Jsjk00 +--- BTcCQGFBm3QhL0W+aW8Z+w85VVtcmezgBVafqt5DS5c +lK ?tglaCKͰϜjZN@nXY}T xFs< O vs6~Is}7sÞZC@ \ No newline at end of file diff --git a/secrets/users/lukas.age b/secrets/users/lukas.age new file mode 100644 index 0000000..d500ab6 Binary files /dev/null and b/secrets/users/lukas.age differ