From a9a55470068e60ed53337a51054213a37f4c93a2 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Thu, 7 Oct 2021 12:13:48 +1000 Subject: [PATCH] jfdic: initial deployment --- deployments/jfdic-ops.nix | 19 +++ hardware/linode_vm.nix | 41 +++++ hosts/toscano.nix | 19 +++ networks/linode-common.nix | 37 +++++ networks/linode.nix | 11 ++ profiles/bash.nix | 19 +++ profiles/chrony.nix | 11 ++ profiles/gitea.nix | 90 +++++++++++ profiles/host_common.nix | 109 ++++++++++++++ profiles/logrotate.nix | 11 ++ profiles/neovim.nix | 300 +++++++++++++++++++++++++++++++++++++ profiles/nix-direnv.nix | 29 ++++ profiles/openssh.nix | 21 +++ profiles/server_common.nix | 19 +++ profiles/starship.nix | 7 + profiles/tmux.nix | 47 ++++++ profiles/zsh.nix | 42 ++++++ 17 files changed, 832 insertions(+) create mode 100644 deployments/jfdic-ops.nix create mode 100644 hardware/linode_vm.nix create mode 100644 hosts/toscano.nix create mode 100644 networks/linode-common.nix create mode 100644 networks/linode.nix create mode 100644 profiles/bash.nix create mode 100644 profiles/chrony.nix create mode 100644 profiles/gitea.nix create mode 100644 profiles/host_common.nix create mode 100644 profiles/logrotate.nix create mode 100644 profiles/neovim.nix create mode 100644 profiles/nix-direnv.nix create mode 100644 profiles/openssh.nix create mode 100644 profiles/server_common.nix create mode 100644 profiles/starship.nix create mode 100644 profiles/tmux.nix create mode 100644 profiles/zsh.nix diff --git a/deployments/jfdic-ops.nix b/deployments/jfdic-ops.nix new file mode 100644 index 0000000..eb3832f --- /dev/null +++ b/deployments/jfdic-ops.nix 
@@ -0,0 +1,19 @@
+# NixOps configuration for the jfdic-ops nodes
+
+{
+ network = {
+ description = "jfdic-ops nodes";
+ enableRollback = true;
+ };
+
+ resources.sshKeyPairs.ssh-key = {};
+
+ defaults =
+ { config, pkgs, lib, ... }:
+
+ {
+ system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps
+ };
+
+ toscano = import ../hosts/toscano.nix;
+}
diff --git a/hardware/linode_vm.nix b/hardware/linode_vm.nix
new file mode 100644
index 0000000..729eff6
--- /dev/null
+++ b/hardware/linode_vm.nix
@@ -0,0 +1,41 @@
+# Configuration common to all JFDIC Linode VMs
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ # Import the NixOS Qemu guest settings
+
+ ];
+
+ boot.initrd.availableKernelModules = [ "virtio_pci" "ahci" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.kernelParams = [ "console=ttyS0,19200n8" ];
+ boot.loader = {
+ grub = {
+ extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial
+ '';
+ device = "nodev";
+ };
+ timeout = 10;
+ };
+
+ # File systems configuration for the Linode VMs
+ fileSystems."/" =
+ { device = "/dev/sda";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/sdb";
+ }
+ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+}
diff --git a/hosts/toscano.nix b/hosts/toscano.nix
new file mode 100644
index 0000000..a350169
--- /dev/null
+++ b/hosts/toscano.nix
@@ -0,0 +1,19 @@
+# NixOps configuration for toscano
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports =
+ [
+ ../networks/linode.nix
+ ../profiles/gitea.nix
+ ../secrets/gitea.nix
+ ];
+
+ deployment.targetHost = "45.79.236.198";
+
+ networking.hostName = "toscano";
+
+ system.stateVersion = "21.05"; # The version of NixOS originally installed
+}
diff --git a/networks/linode-common.nix b/networks/linode-common.nix
new file mode 100644
index 0000000..b1564cd
--- /dev/null
+++ b/networks/linode-common.nix
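Review bot: The `imports` list in hardware/linode_vm.nix is empty although the comment above it says it imports the NixOS QEMU guest settings, so the comment and the code disagree. This rendering may have dropped an angle-bracket module path, but if the list really is empty the guest-side support is limited to the virtio module listed in `boot.initrd.availableKernelModules`, and that should be stated. Either restore the intended import or change the comment to `# No qemu-guest profile; virtio support comes from availableKernelModules below`.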
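Review bot: hosts/toscano.nix imports `../secrets/gitea.nix`, which is not part of this commit, and nothing on the page shows where the `/run/keys/gitea-dbpass` file read by profiles/gitea.nix comes from; presumably that secrets module declares the NixOps key, but a reader of this host file cannot tell. A one-line comment on the import, `../secrets/gitea.nix # out-of-tree; must declare deployment.keys.gitea-dbpass`, would record the contract. The target is also addressed by a bare IP, so it is worth noting in the same file how the deploy host verifies that machine's SSH host key on first contact.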
@@ -0,0 +1,37 @@
+# NixOps configuration common to Linode VMs
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../profiles/host_common.nix
+ ../profiles/server_common.nix
+ ];
+
+ # Ensure the right package architecture is used
+ nixpkgs.localSystem = {
+ system = "x86_64-linux";
+ config = "x86_64-unknown-linux-gnu";
+ };
+
+ # Tools that Linode support like to have install if you need them.
+ environment.systemPackages = with pkgs; [
+ inetutils
+ mtr
+ sysstat
+ ];
+
+ # Configure firewall defaults:
+ networking = {
+ usePredictableInterfaceNames = false; # As per Linode's networking guidlines
+ domain = "jfdic.org";
+ interfaces.eth0.useDHCP = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ trustedInterfaces = [ "lo" ];
+ };
+ };
+
+}
diff --git a/networks/linode.nix b/networks/linode.nix
new file mode 100644
index 0000000..1be35e3
--- /dev/null
+++ b/networks/linode.nix
@@ -0,0 +1,11 @@
+# NixOps configuration for the Linode VMs
+
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../hardware/linode_vm.nix
+ ./linode-common.nix
+ ];
+}
diff --git a/profiles/bash.nix b/profiles/bash.nix
new file mode 100644
index 0000000..bfc06e4
--- /dev/null
+++ b/profiles/bash.nix
@@ -0,0 +1,19 @@
+# Configuration common to all JFDIC servers
+
+{ config, ... }:
+
+{
+
+ # Program defaults for all hosts
+ programs.bash = {
+ interactiveShellInit = ''
+ export TERM="xterm-256color"
+ test -r ~/.dir_colors && eval $(dircolors ~/.dir_colors)
+ '';
+ promptInit = ''
+ eval "$(starship init bash)"
+ '';
+ vteIntegration = true;
+ };
+
+}
diff --git a/profiles/chrony.nix b/profiles/chrony.nix
new file mode 100644
index 0000000..596b47d
--- /dev/null
+++ b/profiles/chrony.nix
@@ -0,0 +1,11 @@
+# NixOps configuration for the hosts running a Chrony service
+
+{ config, ... }:
+
+{
+
+ services.chrony = {
+ enable = true; # Enable Chrony
+ };
+
+}
diff --git a/profiles/gitea.nix b/profiles/gitea.nix
new file mode 100644
index 0000000..4315854
--- /dev/null
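Review bot: `allowedTCPPorts = [ 80 443 ]` in networks/linode-common.nix opens the web ports on every Linode host, not just the one that runs nginx, since this file is shared by all of them and the NixOS nginx module does not open the firewall on its own. Moving that line into profiles/gitea.nix next to the `services.nginx` block keeps the exposure tied to the service that needs it; list options merge, so toscano still gets both ports. The comment on the line above also has a typo, `guidlines` for `guidelines`.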
+++ b/profiles/gitea.nix 
@@ -0,0 +1,90 @@
+# NixOps configuration for the hosts running Gitea
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ services.gitea = {
+ enable = true; # Enable Gitea
+ appName = "JFDI Collective: Gitea Service"; # Give the site a name
+ database = {
+ type = "postgres"; # Database type
+ passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
+ };
+ disableRegistration = true;
+ domain = "source.jfdic.org"; # Domain name
+ rootUrl = "https://source.jfdic.org/"; # Root web URL
+ httpPort = 3002; # Provided unique port
+ settings = let
+ docutils =
+ pkgs.python37.withPackages (ps: with ps; [
+ docutils # Provides rendering of ReStructured Text files
+ pygments # Provides syntax highlighting
+ ]);
+ in {
+ mailer = {
+ ENABLED = true;
+ FROM = "source@jfdic.org";
+ };
+ repository = {
+ DEFAULT_BRANCH = "consensus";
+ };
+ service = {
+ REGISTER_EMAIL_CONFIRM = true;
+ };
+ "markup.restructuredtext" = {
+ ENABLED = true;
+ FILE_EXTENSIONS = ".rst";
+ RENDER_COMMAND = "${docutils}/bin/rst2html.py";
+ IS_INPUT_FILE = false;
+ };
+ ui = {
+ DEFAULT_THEME = "gitea"; # Set the default theme
+ };
+ };
+ };
+
+ services.postgresql = {
+ enable = true; # Ensure postgresql is enabled
+ authentication = ''
+ local gitea all ident map=gitea-users
+ '';
+ identMap = # Map the gitea user to postgresql
+ ''
+ gitea-users gitea gitea
+ '';
+ ensureDatabases = [ "gitea" ]; # Ensure the database persists
+ ensureUsers = [
+ {
+ name = "gitea"; # Ensure the database user persists
+ ensurePermissions = { # Ensure the database permissions persist
+ "DATABASE gitea" = "ALL PRIVILEGES";
+ "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+
+ services.nginx = {
+ enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."source.jfdic.org" = { # Gitea hostname
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs = {
+ "source.jfdic.org".email = "source@jfdic.org";
+ };
+ };
+
+ users.groups.keys.members = [ "gitea" ]; # Required due to NixOps issue #1204
+
+}
diff --git a/profiles/host_common.nix b/profiles/host_common.nix
new file mode 100644
index 0000000..a718776
--- /dev/null
+++ b/profiles/host_common.nix
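Review bot: `RENDER_COMMAND = "${docutils}/bin/rst2html.py"` runs docutils on repository content that any user with push access controls, and docutils enables its `include` and `raw` directives by default, so a rendered `.rst` page can pull in any file the gitea service account can read, an account this same hunk adds to the `keys` group that holds `/run/keys/gitea-dbpass`. Pass the lockdown flags on the renderer, `RENDER_COMMAND = "${docutils}/bin/rst2html.py --no-file-insertion --no-raw";`, so the external renderer only ever sees the document it is given. Separately, `mailer.ENABLED = true` is set with only a `FROM` address here; the host and protocol presumably live in the out-of-tree `../secrets/gitea.nix`, and a comment saying so would save the next reader from assuming the mailer is misconfigured.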
@@ -0,0 +1,109 @@
+# Configuration common to all JFDIC servers
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports = [
+ ../profiles/bash.nix
+ ../profiles/chrony.nix
+ ../profiles/neovim.nix
+ ../profiles/logrotate.nix
+ ../profiles/nix-direnv.nix
+ ../profiles/starship.nix
+ ../profiles/tmux.nix
+ ../profiles/zsh.nix
+ ];
+
+ # Common boot settings
+ boot = {
+ cleanTmpDir = true; # Clean /tmp on reboot
+ };
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_AU.UTF-8"; # Set the default locale
+ };
+
+ # Set the defaul console properties
+ console = {
+ keyMap = "us"; # Set the default console key map
+ font = "ter-powerline-v16Rv"; # Set the default console font
+ };
+
+ time.timeZone = "Etc/UTC";
+ documentation.nixos.enable = false; # Disable documentation, save space
+
+ # Set security options:
+ security.sudo.enable = true;
+ security.sudo.wheelNeedsPassword = false;
+
+ # Configure and install required fonts
+ fonts.enableDefaultFonts = true;
+ fonts.fontDir.enable = true;
+ fonts.fonts = with pkgs; [
+ powerline-fonts # Required for Powerline prompts
+ ];
+ fonts.fontconfig.includeUserConf = false;
+
+ # Adapted from gchristensen and clever
+ nix = {
+ nixPath = [
+ # Ruin the config so we don't accidentally run
+ # nixos-rebuild switch on the host
+ (let
+ cfg = pkgs.writeText "configuration.nix"
+ ''
+ assert builtins.trace "This system is managed by NixOps." false;
+ {}
+ '';
+ in "nixos-config=${cfg}")
+
+ # Copy the channel version from the deploy host to the target
+ "nixpkgs=/run/current-system/nixpkgs"
+ ];
+ gc = {
+ automatic = true; # Enable Nix garbage collection:
+ dates = "weekly";
+ options = "--delete-older-than 90d";
+ };
+ autoOptimiseStore = true;
+ extraOptions = ''
+ show-trace = true # Enable --show-trace by default for nix
+ builders-use-substitutes = true # Set builders to use caches
+ '';
+ trustedUsers = ["fiscalvelvetpoet"];
+ };
+
+ system.extraSystemBuilderCmds = ''
+ ln -sv ${pkgs.path} $out/nixpkgs
+ '';
+ environment.etc.host-nix-channel.source = pkgs.path;
+
+ environment.variables = {
+ BAT_THEME="Dracula";
+ };
+
+ # Set the system-wide environment
+ environment = {
+ systemPackages = with pkgs; [
+ bat # cat clone with syntax highlighting & Git integration
+ byobu # text-based window manager and terminal multiplexer.
+ dnsutils # Bind DNS utilities
+ fd # A simple, fast and user-friendly alternative to find
+ git # Distributed version control system
+ htop # interactive process viewer
+ hwinfo # Hardware detection tool
+ killall # kill processes by name
+ lshw # Detailed information on the hardware configuration
+ lsof # list open files
+ mosh # Mobile shell (ssh replacement)
+ ncdu # Disk usage analyzer with an ncurses interface
+ nix-index # A files database for nixpkgs
+ ripgrep # Utility that provides usability of The Silver Searcher with the raw speed of grep
+ ];
+ };
+
+ # Users common across JFDIC Ops:
+ users.mutableUsers = false; # Remove any users not defined in here
+}
diff --git a/profiles/logrotate.nix b/profiles/logrotate.nix
new file mode 100644
index 0000000..f94ae59
--- /dev/null
+++ b/profiles/logrotate.nix
@@ -0,0 +1,11 @@
+# logrotate configuration for NixOS / NixOps
+
+{ config, ... }:
+
+{
+
+ services.logrotate = {
+ enable = true; # Enable the logrotate service
+ };
+
+}
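Review bot: `security.sudo.wheelNeedsPassword = false` together with `nix.trustedUsers = ["fiscalvelvetpoet"]` gives that account two separate root-equivalent paths (passwordless sudo, and a trusted Nix user who can install arbitrary store paths as the daemon), so on these hosts the SSH key is the only authentication step that exists. That may well be the intended model given that profiles/openssh.nix disables password and keyboard-interactive login, but the "Set security options:" comment does not say so; a line such as `# Key-only SSH is the sole auth step: wheel members and trustedUsers are root-equivalent` would make the trade-off explicit for whoever adds the next user. The console comment also reads `defaul` for `default`.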
diff --git a/profiles/neovim.nix b/profiles/neovim.nix
new file mode 100644
index 0000000..5f709e8
--- /dev/null
+++ b/profiles/neovim.nix
@@ -0,0 +1,300 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ + airline # Lean & mean status/tabline for vim that's light as air + dracula-vim # Dracula theme for vim + fugitive # Vim Git wrapper + fzf-vim # Full path fuzzy file, buffer, mru, tag, finder for Vim + haskell-vim # Syntax Highlighting and Indentation for Haskell + indentLine # Display thin vertical lines at each indentation level + neocomplete-vim # Keyword completion system + nerdcommenter # Comment functions so powerful—no comment necessary + nerdtree # File system explorer + nerdtree-git-plugin # Plugin for nerdtree showing git status + supertab # Allows you to use for all your insert completion + syntastic # Syntax checking hacks + vim-addon-nix # Scripts assisting writing .nix files + vim-autoformat # Automatically format code + vim-cue # Cue filetype plugin for Vim + vim-lastplace + vim-markdown-toc # Generate table of contents for Markdown files + vim-nix # Support for writing Nix expressions in vim + vim-numbertoggle # Toggle between relative / absolute line numbers automatically + vim-one + ]; + opt = []; + }; + customRC = '' + " Preferred global default settings: + set nocompatible + set backspace=indent,eol,start + set number relativenumber " Enable relative line numbers by default + set cursorline " Highlight the current line number + set smartindent " Automatically insert extra level of indentation + set tabstop=4 " Default tabstop + set shiftwidth=4 " Default indent spacing + set expandtab " Expand [TABS] to spaces + packadd! 
dracula-vim + syntax on " Enable syntax highlighting + set t_Co=256 " Use 265 colors in vim + set background=dark " Set the default background scheme + colorscheme dracula " Set the default colour scheme + "let g:one_allow_italics = 1 " I love italic for comments + set spell spelllang=en_au " Defaul spell checking language + set spellfile=~/.vim-spell.en.utf-8.add " Add the spellfile + hi clear SpellBad " Clear any unwanted default settings + hi SpellBad cterm=underline " Set the spell checking highlight style + hi SpellBad ctermbg=NONE " Set the spell checking highlight background + match ErrorMsg '\s\+$' " + + nnoremap :Files + nnoremap f :Rg + set grepprg=rg\ --vimgrep\ --smart-case\ --follow + + let g:airline_powerline_fonts = 1 " Use powerline fonts + let g:airline_theme='dracula' " Set the airline theme + + "call togglebg#map("") " Toggle background colour between dark|light + + set laststatus=2 " Set up the status line so it's coloured and always on + + " Removes trailing spaces: + function! TrimWhiteSpace() + %s/\s\+$//e + endfunction + + " Trigger for numbertoggle to switch modes + nnoremap :set relativenumber! + + " Tab settings + let g:SuperTabDefaultCompletionType = 'context' + let g:SuperTabContextTextOmniPrecedence = ['&omnifunc','&completefunc'] + let g:SuperTabRetainCompletionType=2 + + inoremap pumvisible() ? "\" : "\" + inoremap pumvisible() ? 
"\" : "\" + + nnoremap RemoveTrailingWhiteSpace :call TrimWhiteSpace() + autocmd FileWritePre * :call TrimWhiteSpace() + autocmd FileAppendPre * :call TrimWhiteSpace() + autocmd FilterWritePre * :call TrimWhiteSpace() + autocmd BufWritePre * :call TrimWhiteSpace() + "autocmd BufWrite * :Autoformat + + " FIXME: Currently always set to dark due to issues with Termonad Solarized theme + " Light during the day, dark during the night + let hour = strftime("%H") + if 7 <= hour && hour < 17 + "set background=dark + "hi Normal ctermbg=none " Set a transparent background + "let g:airline_solarized_bg='dark' " Set the airline background + else + "set background=dark + "hi Normal ctermbg=none " Set a transparent background + "let g:airline_solarized_bg='dark' " Set the airline background + endif + + " Transparent editing of gpg encrypted files. + " By Wouter Hanegraaff + augroup encrypted + au! + + " First make sure nothing is written to ~/.viminfo while editing an encrypted file. + autocmd BufReadPre,FileReadPre *.gpg set viminfo= + " We don't want a swap file, as it writes unencrypted data to disk + autocmd BufReadPre,FileReadPre *.gpg set noswapfile + " Switch to binary mode to read the encrypted file + autocmd BufReadPre,FileReadPre *.gpg set bin + autocmd BufReadPre,FileReadPre *.gpg let ch_save = &ch|set ch=2 + autocmd BufReadPost,FileReadPost *.gpg '[,']!gpg --decrypt 2> /dev/null + " Switch to normal mode for editing + autocmd BufReadPost,FileReadPost *.gpg set nobin + autocmd BufReadPost,FileReadPost *.gpg let &ch = ch_save|unlet ch_save + autocmd BufReadPost,FileReadPost *.gpg execute ":doautocmd BufReadPost " . expand("%:r") + + " Convert all text to encrypted text before writing + autocmd BufWritePre,FileWritePre *.gpg '[,']!gpg --default-key=A4122FF3971B6865 --default-recipient-self -ae 2>/dev/null + " Undo the encryption so we are back in the normal text, directly + " after the file has been written. 
+ autocmd BufWritePost,FileWritePost *.gpg u + augroup END + + " Manage ISO files + augroup iso + au! + + " First make sure nothing is written to ~/.viminfo while editing an encrypted file. + autocmd BufReadPre,FileReadPre *.iso set viminfo= + " We don't want a swap file, as it writes unencrypted data to disk + autocmd BufReadPre,FileReadPre *.iso set noswapfile + " Switch to binary mode to read the encrypted file + autocmd BufReadPre,FileReadPre *.iso set bin + autocmd BufReadPre,FileReadPre *.iso let ch_save = &ch|set ch=2 + autocmd BufReadPost,FileReadPost *.iso '[,']!gpg --decrypt 2> /dev/null + " Switch to normal mode for editing + autocmd BufReadPost,FileReadPost *.iso set nobin + autocmd BufReadPost,FileReadPost *.iso let &ch = ch_save|unlet ch_save + autocmd BufReadPost,FileReadPost *.iso execute ":doautocmd BufReadPost " . expand("%:r") + + " Convert all text to encrypted text before writing + autocmd BufWritePre,FileWritePre *.iso '[,']!gpg --default-key=A4122FF3971B6865 --default-recipient-self -ae 2>/dev/null + " Undo the encryption so we are back in the normal text, directly + " after the file has been written. + autocmd BufWritePost,FileWritePost *.iso u + augroup END + + " Use persistent history. + if !isdirectory("/tmp/.vim-undo-dir") + call mkdir("/tmp/.vim-undo-dir", "", 0700) + endif + set undodir=/tmp/.vim-undo-dir + set undofile + + " JFDIC Markdown environment + function! MarkdownSettings() + set textwidth=79 + set spell spelllang=en_au + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings() + autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings() + + " JFDIC ReStructured Text environment + function! 
ReStructuredSettings() + set textwidth=79 + set spell spelllang=en_au + hi clear SpellBad " Clear any unwanted default settings + hi SpellBad cterm=underline " Set the spell checking highlight style + hi SpellBad ctermbg=NONE " Set the spell checking highlight background + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings() + autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings() + + " JFDIC LaTeX environment: + function! LaTeXSettings() + set textwidth=79 + set spell spelllang=en_au + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings() + + " Settings for JFDIC Haskell environment: + function! HaskellSettings() + set tabstop=2 + set shiftwidth=2 + set expandtab + set textwidth=79 + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings() + + " Settings for JFDIC Nix environment: + function! NixSettings() + set tabstop=2 + set shiftwidth=2 + set expandtab + set textwidth=79 + set filetype=nix + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings() + + " Settings for JFDIC Cue environment: + function! CueSettings() + set noexpandtab + set tabstop=2 + set shiftwidth=2 + set textwidth=79 + let g:cue_fmt_on_save = 1 + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings() + + " Settings for JFDIC Rust environment: + function! RustSettings() + set tabstop=4 + set shiftwidth=4 + set expandtab + set textwidth=79 + let g:rustfmt_autosave = 1 + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings() + + " Settings for JFDIC Crystal environment: + function! CrystalSettings() + set tabstop=2 + set shiftwidth=2 + set expandtab + set textwidth=79 + set filetype=crystal + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings() + + " Settings for JFDIC Golang environment: + function! 
GoSettings() + set tabstop=7 + set shiftwidth=7 + set noexpandtab + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings() + + " Settings for JFDIC Python environment: + function! PythonSettings() + set tabstop=4 + set shiftwidth=4 + set expandtab + set textwidth=79 + set spell! + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings() + + " JFDIC Mutt environment + function! MuttSettings() + set textwidth=79 + set spell spelllang=en_au + hi clear SpellBad " Clear any unwanted default settings + hi SpellBad cterm=underline " Set the spell checking highlight style + hi SpellBad ctermbg=NONE " Set the spell checking highlight background + endfunction + autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings() + autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings() + + " Settings for JFDIC C environment: + function! CSettings() + set tabstop=2 + set shiftwidth=2 + set expandtab + set textwidth=79 + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings() + + " Settings for JFDIC YAML environment: + function! YAMLSettings() + set tabstop=2 + set shiftwidth=2 + set expandtab + set textwidth=79 + set spell spelllang=en_au + hi clear SpellBad " Clear any unwanted default settings + hi SpellBad cterm=underline " Set the spell checking highlight style + hi SpellBad ctermbg=NONE " Set the spell checking highlight background + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings() + autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings() + + " Settings for JFDIC Bash environment: + function! BashSettings() + set tabstop=4 + set shiftwidth=4 + set expandtab + set textwidth=79 + set spell! + endfunction + autocmd BufNewFile,BufFilePre,BufRead *.sh :call BashSettings() + ''; + }; + } + )]; +} diff --git a/profiles/nix-direnv.nix b/profiles/nix-direnv.nix new file mode 100644 index 0000000..cb1f3b0 --- /dev/null +++ b/profiles/nix-direnv.nix 
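Review bot: The `encrypted` augroup disables viminfo and the swap file so that plaintext of a `*.gpg` buffer never touches disk, but the later `set undofile` with `set undodir=/tmp/.vim-undo-dir` applies to every buffer, so the decrypted text is still written out as persistent undo history; add `autocmd BufReadPre,FileReadPre *.gpg setlocal noundofile` to that augroup. The undo directory is also a fixed path in shared `/tmp`, created with mode 0700 by whichever user edits first, so a second user on the host will find it unwritable and an attacker-created directory there would be silently used; a per-user location such as `~/.local/state/nvim/undo` avoids both problems. The `iso` augroup is a verbatim copy of the gpg one, running `gpg --decrypt` on `*.iso` files, which looks like an unfinished copy-paste. Note that the key mappings in this rendering appear to have lost their `<...>` key names, so the hunk as shown is not the exact file content.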
@@ -0,0 +1,29 @@
+# NixOps configuration nix-direnv
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ nix = {
+ extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ };
+
+ # Set the environment
+ environment = {
+ systemPackages = with pkgs; [
+ direnv # A shell extension that manages your environment
+ nix-direnv # A fast, persistent use_nix implementation for direnv
+ ];
+ pathsToLink = [
+ "/share/nix-direnv"
+ ];
+ };
+
+ nixpkgs.overlays = [
+ (self: super: { nix-direnv = super.nix-direnv.override { enableFlakes = true; }; } )
+ ];
+
+}
diff --git a/profiles/openssh.nix b/profiles/openssh.nix
new file mode 100644
index 0000000..78a25a2
--- /dev/null
+++ b/profiles/openssh.nix
@@ -0,0 +1,21 @@
+# SSH service configuration common to all hosts
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ services.openssh = {
+ enable = true; # Enable the OpenSSH daemon.
+ permitRootLogin = "prohibit-password";
+ challengeResponseAuthentication = false;
+ passwordAuthentication = false;
+ openFirewall = true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+
+}
diff --git a/profiles/server_common.nix b/profiles/server_common.nix
new file mode 100644
index 0000000..81c1199
--- /dev/null
+++ b/profiles/server_common.nix
@@ -0,0 +1,19 @@
+# Configuration common to all JFDIC servers
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports =
+ [
+ ../profiles/openssh.nix
+ ../secrets/user-fiscalvelvetpoet.nix
+ ../secrets/user-root.nix
+ ];
+
+ programs.mosh = {
+ enable = true;
+ withUtempter = true;
+ };
+
+}
diff --git a/profiles/starship.nix b/profiles/starship.nix
new file mode 100644
index 0000000..797ed08
--- /dev/null
+++ b/profiles/starship.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ starship # A minimal, blazing fast, and extremely customizable prompt for any shell
+ ];
+}
diff --git a/profiles/tmux.nix b/profiles/tmux.nix
new file mode 100644
index 0000000..ee9e320
--- /dev/null
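Review bot: `programs.mosh.enable = true` in profiles/server_common.nix silently widens the firewall that networks/linode-common.nix carefully enables, because the NixOS mosh module's `openFirewall` option defaults to true and opens the UDP 60000-61000 range on every host that imports this profile. Nothing in the hunk records that, so a reader comparing it with the `allowedTCPPorts = [ 80 443 ]` list would not expect the extra exposure; set it explicitly, `openFirewall = true; # mosh needs UDP 60000-61000 open on every server`, or set it to false on hosts that are only reached via NixOps. The two `../secrets/user-*.nix` imports are also outside this commit, so the file cannot be evaluated from the tree as committed.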
+++ b/profiles/tmux.nix
@@ -0,0 +1,47 @@
+# Common configuration for Tmux users
+
+{ config, pkgs, ... }:
+
+{
+
+ programs = {
+ tmux = { # Terminal multiplexer required by byobu
+ enable = true;
+ aggressiveResize = true;
+ clock24 = true;
+ extraConfig = ''
+ #POWERLINE_COMMAND="/run/current-system/sw/bin/powerline"
+ #POWERLINE_CONFIG_COMMAND="/run/current-system/sw/bin/powerline-config"
+ #run-shell "/run/current-system/sw/bin/powerline-daemon -q"
+ #source /run/current-system/sw/share/tmux/powerline.conf
+
+ # Plugins
+ set -g @plugin 'tmux-plugins/tmux-resurrect'
+ set -g @plugin 'tmux-plugins/tmux-continuum'
+ set -g @plugin 'dracula/tmux'
+
+ set -g @dracula-show-battery false
+ set -g @dracula-show-powerline true
+ set -g @dracula-refresh-rate 10
+
+ # Bind home and end keys:
+ bind-key -n Home send Escape "OH"
+ bind-key -n End send Escape "OF"
+ '';
+ keyMode = "vi";
+ newSession = true;
+ shortcut = "a";
+ terminal = "screen-256color";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ tmuxPlugins.continuum
+ tmuxPlugins.dracula
+ tmuxPlugins.resurrect
+ tmuxPlugins.sensible
+ tmuxPlugins.tmux-fzf
+ tmuxPlugins.yank
+ ];
+
+}
diff --git a/profiles/zsh.nix b/profiles/zsh.nix
new file mode 100644
index 0000000..2df883b
--- /dev/null
+++ b/profiles/zsh.nix
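Review bot: The `set -g @plugin '...'` lines in `extraConfig` are TPM directives, and no TPM install or `run-shell` bootstrap appears in this hunk, so as written they are inert and resurrect, continuum and the dracula theme will not load; the `tmuxPlugins.*` packages in `environment.systemPackages` are installed but nothing sources their `.tmux` entry points either. If the NixOS release in use has `programs.tmux.plugins`, listing those packages there generates the `run-shell` lines and the `@plugin` directives can be dropped; otherwise add explicit `run-shell` lines pointing at the installed plugin scripts. The four commented-out powerline lines should go rather than ship as dead configuration.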
@@ -0,0 +1,42 @@
+# Configuration common to all JFDIC servers
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ # Program defaults for all hosts
+ programs.zsh = {
+ enable = true; # Also enables & installs nix-zsh-completions
+ autosuggestions.enable = true;
+ interactiveShellInit = ''
+ export TERM="xterm-256color"
+ eval "$(direnv hook zsh)"
+ test -r ~/.dir_colors && eval $(dircolors ~/.dir_colors)
+ export GPG_TTY="$(tty)"
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+ gpgconf --launch gpg-agent
+ if type rg &> /dev/null; then
+ export FZF_DEFAULT_COMMAND='rg --files'
+ export FZF_DEFAULT_OPTS='-m --height 50% --border'
+ fi
+ '';
+ ohMyZsh = {
+ enable = true;
+ plugins = [
+ "fzf"
+ "git"
+ ];
+ };
+ promptInit = ''
+ eval "$(starship init zsh)"
+ '';
+ vteIntegration = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ fzf
+ ];
+
+ users.defaultUserShell = pkgs.zsh; # Set the default shell for all users
+
+}
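Review bot: `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` in `interactiveShellInit` unconditionally replaces the agent socket a session arrived with, so on these servers an administrator who connects with agent forwarding loses the forwarded agent, and `gpgconf --launch gpg-agent` then starts a per-user gpg-agent on every interactive login whether or not any key lives on the box. Guard both lines so they only run for local sessions, `if [ -z "$SSH_CONNECTION" ]; then` … `fi`, or only when `SSH_AUTH_SOCK` is not already set. profiles/bash.nix does none of this, so the two shells also behave differently for the same user.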