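# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# Baseline NixOS module shared by hosts in this depot: nix daemon settings,
# users and their SSH access, tailscale, and the per-user home-manager wiring.
#
# Module arguments beyond the usual `pkgs`/`config`/`lib`: `depot` (the
# monorepo attribute set, source of secrets and package overrides) and
# `rebuilder` (the package whose binary the deployer user may run via sudo).
# `args` is captured whole so it can be re-injected into home-manager modules.
{ pkgs, config, depot, lib, rebuilder, ... }@args:
let
  inherit (lib) mkDefault;

  # One list for both `binaryCaches` and `trustedBinaryCaches`, so the two
  # cannot drift apart.
  # NOTE(security): `trusted=1` on the S3 cache makes nix accept paths from it
  # without a signature from trusted-public-keys; the integrity of that cache
  # therefore rests entirely on who holds the write credentials configured in
  # `nix.envVars` below.
  caches = [
    "https://cache.nixos.org/"
    "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1"
  ];

  # 4 GiB upper bound for the compressed zram swap device.
  zramMaxBytes = 4 * 1024 * 1024 * 1024;
in
{
  imports = [ ../../../third_party/home-manager/nixos ];

  # Home-manager modules loaded for lukegb; hosts append to this list.
  options.my.home-manager.imports = lib.mkOption {
    type = lib.types.listOf lib.types.path;
    default = [ ./home-manager/common.nix ];
  };

  # Optional host-specific home-manager module (null means none).
  options.my.home-manager.system = lib.mkOption {
    type = lib.types.nullOr lib.types.anything;
    default = null;
  };

  # This host's tailscale address, if it has one.
  # `types.str` replaces the deprecated `types.string`, which merged multiple
  # definitions by concatenating them -- nonsensical for an address, and a
  # conflict should be an evaluation error instead.
  options.my.ip.tailscale = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
  };

  config = {
    hardware.enableRedistributableFirmware = true;

    # Static hostname -> tailscale IP mapping for every host in the depot.
    networking.hosts = depot.ops.nixos.tailscaleIPs;

    nix = {
      nixPath = [
        "depot=/home/lukegb/depot/"
        "nixpkgs=/home/lukegb/depot/third_party/nixpkgs/"
      ];
      # Trusted users may override substituters and sandboxing, which makes
      # them effectively root-equivalent towards the nix daemon; `@wheel`
      # covers lukegb below.
      trustedUsers = [ "root" "@wheel" ];
      binaryCaches = lib.mkForce caches;
      trustedBinaryCaches = lib.mkForce caches;
      # Credentials for the S3-backed cache, exported into the nix-daemon
      # environment.
      # NOTE(security): interpolating these into the configuration bakes the
      # plaintext values into the system closure under /nix/store, which is
      # world-readable on the host.
      envVars = {
        AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
        AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
      };
    };
    nixpkgs.config = depot.third_party.nixpkgsConfig;

    i18n.defaultLocale = "en_GB.UTF-8";
    console.keyMap = "us";
    # Default only, so individual hosts can pick a local zone.
    time.timeZone = mkDefault "Etc/UTC";

    zramSwap = {
      enable = true;
      memoryMax = zramMaxBytes;
    };

    environment.systemPackages = with pkgs; [
      vim
      rxvt_unicode.terminfo
      tmux
      rebuilder
      tailscale
      rsync
      libarchive
      tcpdump
      restic
      # Mercurial with the evolve and hg-git extensions available to it.
      (mercurial.overridePythonAttrs (origAttrs: {
        propagatedBuildInputs = origAttrs.propagatedBuildInputs ++ [
          python3Packages.hg-evolve
          depot.nix.pkgs.hg-git
        ];
      }))
    ];

    networking.firewall = {
      allowPing = true;
    };

    environment.homeBinInPath = true;

    # Lets sudo accept the user's forwarded SSH agent (a key listed in their
    # authorized_keys) in place of a password.
    security.pam.enableSSHAgentAuth = true;

    # All accounts below are declared here; nothing is changed on the host.
    users.mutableUsers = false;
    users.users =
      let
        secrets = depot.ops.secrets;
      in
      {
        root.hashedPassword = secrets.passwordHashes.root;

        # Interactive admin account; wheel membership grants sudo and nix
        # trusted-user status.
        lukegb = {
          isNormalUser = true;
          uid = 1000;
          extraGroups = [ "wheel" ];
          hashedPassword = secrets.passwordHashes.lukegb;
          openssh.authorizedKeys.keyFiles = [
            ../../secrets/lukegb_totoro.pub
            ../../secrets/lukegb_termius.pub
            ../../secrets/lukegb_porcorosso_win.pub
            ../../secrets/lukegb_porcorosso_wsl.pub
            ../../secrets/lukegb_porcorosso_linux.pub
            ../../secrets/lukegb_red_solo.pub
          ];
        };

        # Deployment account: password login locked ("!"), key-only SSH, and
        # a shell so the sudo rule below can be invoked remotely.
        deployer = {
          isSystemUser = true;
          uid = 1001;
          hashedPassword = "!";
          useDefaultShell = true;
          home = "/var/lib/deployer";
          createHome = true;
          openssh.authorizedKeys.keyFiles = [
            ../../secrets/deployer_ed25519.pub
          ];
        };
      };

    # deployer may run exactly one binary without a password: the rebuilder
    # at its full store path, so a different build cannot be substituted.
    security.sudo.extraRules = [{
      users = [ "deployer" ];
      commands = [{
        command = "${rebuilder}/bin/rebuilder";
        options = [ "NOPASSWD" ];
      }];
    }];
    # Non-interactive SSH sessions have no tty; don't make sudo demand one.
    security.sudo.extraConfig = ''
      Defaults:deployer !requiretty
    '';

    programs.mtr.enable = true;
    services.openssh.enable = true;
    services.tailscale.enable = true;

    networking.firewall.interfaces.tailscale0 = {
      # Just allow anything in on tailscale0.
      allowedTCPPortRanges = [{ from = 0; to = 65535; }];
      allowedUDPPortRanges = [{ from = 0; to = 65535; }];
    };

    boot = {
      kernelModules = [ "tcp_bbr" ];
      kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
      kernel.sysctl."net.core.default_qdisc" = "fq_codel";
    };

    # Clean up daily.
    nix.gc = {
      automatic = lib.mkDefault true;
      dates = "*-*-* 05:00:00";
    };

    home-manager.useUserPackages = true;
    home-manager.useGlobalPkgs = true;
    # Make lukegb's home-manager activation run before any display manager
    # and as part of normal boot.
    systemd.services."home-manager-lukegb" = {
      before = [ "display-manager.service" ];
      wantedBy = [ "multi-user.target" ];
    };
    home-manager.users.lukegb = { pkgs, ... }: ({
      imports =
        # Pass this module's own arguments (depot, rebuilder, ...) through to
        # the home-manager modules.
        [ ({ _module.args = args; }) ]
        ++ config.my.home-manager.imports
        ++ (lib.optional (config.my.home-manager.system != null)
          config.my.home-manager.system);
    });

    services.prometheus.exporters.node.enable = true;
  };
}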