flake/configs/common.nix

{
  lib,
  pkgs,
  config,
  _utils,
  camasca,
  nixpkgs,
  agenix,
  home-manager,
  ...
}: let
  username = "leo";
  stateVersion = "24.11";

  rootPassword = _utils.setupSingleSecret config "rootPassword" {};
  secrets = _utils.setupSharedSecrets config {
    secrets = ["userPassword" "tailscaleKey"];
  };
in {
  imports = [
    agenix.nixosModules.default
    home-manager.nixosModules.home-manager

    (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])

    rootPassword.generate
    secrets.generate

    ../programs/fish.nix
    ../programs/git.nix
    ../programs/rust.nix
    ../programs/starship
  ];

  age = {
    ageBin = lib.getExe pkgs.rage;
    identityPaths = ["/etc/age/key"];
  };

  boot = {
    kernelPackages = pkgs.linuxPackages; # use lts
    kernelParams = ["quiet" "loglevel=3"];

    # faster tcp !!!
    kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };

    tmp.cleanOnBoot = true;
  };

  console.keyMap = "fr";

  environment = {
    systemPackages = with pkgs; [
      neovim
      git
      curl
      wget
      htop
      ripgrep
    ];

    variables = {
      EDITOR = lib.getExe pkgs.neovim;
    };
  };

  hm = {
    home = {inherit stateVersion;};

    programs.ssh = {
      enable = true;
      addKeysToAgent = "yes";
      forwardAgent = true;
    };

    services.ssh-agent.enable = true;
  };

  home-manager = {
    useGlobalPkgs = true;
    useUserPackages = true;
  };

  i18n.defaultLocale = "en_US.UTF-8";

  networking = {
    useNetworkd = lib.mkDefault true;
    nameservers = ["1.1.1.1" "1.0.0.1"];
  };

  nix = {
    package = pkgs.lix;
    channel.enable = false;

    gc = {
      automatic = true;
      dates = "weekly";
      options = "-d";
    };

    registry = {
      n.flake = nixpkgs;
      nixpkgs.flake = nixpkgs;
      u.flake = camasca;
    };

    # give nix daemon lower priority
    daemonCPUSchedPolicy = "batch";
    daemonIOSchedClass = "idle";

    settings = {
      auto-optimise-store = true;
      experimental-features = ["nix-command" "flakes"];
      trusted-users = ["root" "@wheel"];
      connect-timeout = 5; # fail fast if substituters are not available
      builders-use-substitutes = true;
      log-lines = 25;
      min-free = 512 * 1024 * 1024; # if free space drops under min, gc

      substituters = [
        "https://uku3lig.cachix.org"
        "https://ghostty.cachix.org"
      ];

      trusted-public-keys = [
        "uku3lig.cachix.org-1:C1/9DNUadh2pueAo+LUkVNUKyIVjF/CREd9RS9E+F2A="
        "ghostty.cachix.org-1:QB389yTa6gTyneehvqG58y0WnHjQOqgnA+wBnpWWxns="
      ];
    };
  };

  nixpkgs = {
    config.allowUnfree = true;
    overlays = [(import ../exprs/overlay.nix)];
  };

  programs = {
    direnv.enable = true;

    command-not-found.enable = false;
    nix-index = {
      enable = true;
      enableFishIntegration = true;
    };
  };

  security = {
    rtkit.enable = true;
    polkit.enable = true;

    sudo = {
      execWheelOnly = true;
      extraConfig = ''
        Defaults lecture = never
      '';
    };
  };

  services = {
    openssh = {
      enable = true;
      openFirewall = lib.mkDefault false;
    };

    resolved = {
      enable = true;
      dnssec = "allow-downgrade";
      dnsovertls = "true";
    };

    tailscale = {
      enable = true;
      useRoutingFeatures = "both";
      extraUpFlags = ["--ssh" "--stateful-filtering"];
      authKeyFile = secrets.get "tailscaleKey";
    };
  };

  system.switch = {
    enable = false;
    enableNg = true;
  };

  systemd = {
    services.NetworkManager-wait-online.enable = lib.mkForce false;

    # NixOS/nixpkgs#267101
    tmpfiles.rules = [
      "L /usr/lib/locale/locale-archive - - - - /run/current-system/sw/lib/locale/locale-archive"
    ];
  };

  time.timeZone = "Europe/Paris";

  users.users = {
    "${username}" = {
      isNormalUser = true;
      shell = pkgs.fish;
      extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
      hashedPasswordFile = secrets.get "userPassword";
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8"
      ];
    };

    root = {
      shell = pkgs.fish;
      hashedPasswordFile = rootPassword.path;
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = lib.mkDefault stateVersion; # Did you read the comment?
}
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								{
-												add virt-manager and libvirtd

											
										
										
											2023-11-15 01:00:35 +01:00
+								  lib,
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								  pkgs,
-												add tailscale

											
										
										
											2024-01-10 17:48:50 +01:00
+								  config,
-												feat: add utility functions

											
										
										
											2024-07-29 10:58:43 +02:00
+								  _utils,
-												feat: switch to camasca

											
										
										
											2024-08-29 01:10:47 +02:00
+								  camasca,
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								  nixpkgs,
-												switch back ONCE AGAIN to agenix

											
										
										
											2024-01-18 17:55:21 +01:00
+								  agenix,
-												chore: refactor systems

											
										
										
											2024-06-26 19:30:41 +02:00
+								  home-manager,
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								  ...
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								}: let
 								  username = "leo";
-												feat: bump stateVersion to 24.11

											
										
										
											2024-09-09 18:21:42 +02:00
+								  stateVersion = "24.11";
-												feat: add utility functions

											
										
										
											2024-07-29 10:58:43 +02:00
 								  rootPassword = _utils.setupSingleSecret config "rootPassword" {};
-												feat(secrets): add shared secrets

											
										
										
											2024-07-29 23:47:05 +02:00
+								  secrets = _utils.setupSharedSecrets config {
 								    secrets = ["userPassword" "tailscaleKey"];
 								  };
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								in {
 								  imports = [
-												chore: refactor systems

											
										
										
											2024-06-26 19:30:41 +02:00
+								    agenix.nixosModules.default
 								    home-manager.nixosModules.home-manager
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								    (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
-												feat: add utility functions

											
										
										
											2024-07-29 10:58:43 +02:00
+								    rootPassword.generate
-												feat(secrets): add shared secrets

											
										
										
											2024-07-29 23:47:05 +02:00
+								    secrets.generate
-												feat: add utility functions

											
										
										
											2024-07-29 10:58:43 +02:00
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								    ../programs/fish.nix
 								    ../programs/git.nix
-												feat: switch to gnome!

											
										
										
											2024-06-06 11:51:03 +02:00
+								    ../programs/rust.nix
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								    ../programs/starship
 								  ];
-												chore: switch to rage and update agenix

											
										
										
											2024-09-01 16:31:54 +02:00
+								  age = {
 								    ageBin = lib.getExe pkgs.rage;
 								    identityPaths = ["/etc/age/key"];
 								  };
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
+								  boot = {
-												feat(fuji): switch to nvidia 555

											
										
										
											2024-05-26 10:20:02 +02:00
+								    kernelPackages = pkgs.linuxPackages; # use lts
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
+								    kernelParams = ["quiet" "loglevel=3"];
-												feat(vesuvio): tweak things and use systemd-boot

											
										
										
											2024-08-17 18:50:01 +02:00
-												feat: various improvements

* use tcp bbr for faster internet
* use switch-to-configuration-ng (blazing fast)
* restrict openssh kex algos
* configure watchdog and disable suspend on servers

											
										
										
											2024-08-17 19:00:00 +02:00
+								    # faster tcp !!!
 								    kernel.sysctl = {
 								      "net.core.default_qdisc" = "fq";
 								      "net.ipv4.tcp_congestion_control" = "bbr";
 								    };
-												feat(vesuvio): tweak things and use systemd-boot

											
										
										
											2024-08-17 18:50:01 +02:00
+								    tmp.cleanOnBoot = true;
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
+								  };
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								  console.keyMap = "fr";
-												set $EDITOR to neovim

											
										
										
											2023-11-25 16:28:23 +01:00
+								  environment = {
-												chore: move some things around

											
										
										
											2024-06-12 01:04:41 +02:00
+								    systemPackages = with pkgs; [
-												set $EDITOR to neovim

											
										
										
											2023-11-25 16:28:23 +01:00
+								      neovim
 								      git
 								      curl
-												fuji-wsl: init

											
										
										
											2024-02-14 12:06:23 +01:00
+								      wget
-												feat: add some packages

											
										
										
											2024-04-13 12:47:07 +02:00
+								      htop
-												feat: add ripgrep to packages

											
										
										
											2024-05-24 11:26:42 +02:00
+								      ripgrep
-												set $EDITOR to neovim

											
										
										
											2023-11-25 16:28:23 +01:00
+								    ];
 								    variables = {
 								      EDITOR = lib.getExe pkgs.neovim;
 								    };
 								  };
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
-												fix: make ssh agent work

											
										
										
											2024-07-26 12:58:05 +02:00
+								  hm = {
 								    home = {inherit stateVersion;};
 								    programs.ssh = {
 								      enable = true;
 								      addKeysToAgent = "yes";
 								      forwardAgent = true;
 								    };
 								    services.ssh-agent.enable = true;
 								  };
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								  home-manager = {
 								    useGlobalPkgs = true;
 								    useUserPackages = true;
 								  };
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
 								  i18n.defaultLocale = "en_US.UTF-8";
-												fix: use networkd on servers

											
										
										
											2024-08-17 18:33:34 +02:00
+								  networking = {
 								    useNetworkd = lib.mkDefault true;
 								    nameservers = ["1.1.1.1" "1.0.0.1"];
-												wsl: fix tailscale dns

											
										
										
											2024-02-14 19:04:02 +01:00
+								  };
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								  nix = {
-												feat: switch to lix

											
										
										
											2024-08-17 16:07:41 +02:00
+								    package = pkgs.lix;
-												feat: small adjustements to nix config

											
										
										
											2024-09-01 15:36:04 +02:00
+								    channel.enable = false;
-												feat: switch nix cli to latest

											
										
										
											2024-05-21 15:05:35 +02:00
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								    gc = {
 								      automatic = true;
 								      dates = "weekly";
 								      options = "-d";
 								    };
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
-												feat: switch to camasca

											
										
										
											2024-08-29 01:10:47 +02:00
+								    registry = {
-												chore: refactor stuff in exprs

											
										
										
											2024-08-11 10:47:43 +02:00
+								      n.flake = nixpkgs;
-												feat: switch to camasca

											
										
										
											2024-08-29 01:10:47 +02:00
+								      nixpkgs.flake = nixpkgs;
 								      u.flake = camasca;
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
+								    };
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
-												feat: small adjustements to nix config

											
										
										
											2024-09-01 15:36:04 +02:00
+								    # give nix daemon lower priority
 								    daemonCPUSchedPolicy = "batch";
 								    daemonIOSchedClass = "idle";
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								    settings = {
 								      auto-optimise-store = true;
 								      experimental-features = ["nix-command" "flakes"];
-												fix: add nix trusted users again

											
										
										
											2024-07-22 15:22:42 +02:00
+								      trusted-users = ["root" "@wheel"];
-												feat: small adjustements to nix config

											
										
										
											2024-09-01 15:36:04 +02:00
+								      connect-timeout = 5; # fail fast if substituters are not available
 								      builders-use-substitutes = true;
 								      log-lines = 25;
 								      min-free = 512 * 1024 * 1024; # if free space drops under min, gc
-												fix: declare substituters better

											
										
										
											2024-06-26 19:04:44 +02:00
-												fix: actually use substituters

											
										
										
											2024-07-26 23:08:44 +02:00
+								      substituters = [
-												chore: add cachix to substituters

											
										
										
											2024-07-06 23:55:31 +02:00
+								        "https://uku3lig.cachix.org"
 								        "https://ghostty.cachix.org"
 								      ];
-												fix: actually use substituters

											
										
										
											2024-07-26 23:08:44 +02:00
-												chore: add cachix to substituters

											
										
										
											2024-07-06 23:55:31 +02:00
+								      trusted-public-keys = [
 								        "uku3lig.cachix.org-1:C1/9DNUadh2pueAo+LUkVNUKyIVjF/CREd9RS9E+F2A="
 								        "ghostty.cachix.org-1:QB389yTa6gTyneehvqG58y0WnHjQOqgnA+wBnpWWxns="
 								      ];
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								    };
 								  };
 								  nixpkgs = {
 								    config.allowUnfree = true;
 								    overlays = [(import ../exprs/overlay.nix)];
-												add tailscale

											
										
										
											2024-01-10 17:48:50 +01:00
+								  };
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								  programs = {
 								    direnv.enable = true;
 								    command-not-found.enable = false;
 								    nix-index = {
 								      enable = true;
 								      enableFishIntegration = true;
 								    };
 								  };
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								  security = {
 								    rtkit.enable = true;
 								    polkit.enable = true;
-												feat: various improvements

* use tcp bbr for faster internet
* use switch-to-configuration-ng (blazing fast)
* restrict openssh kex algos
* configure watchdog and disable suspend on servers

											
										
										
											2024-08-17 19:00:00 +02:00
 								    sudo = {
 								      execWheelOnly = true;
 								      extraConfig = ''
 								        Defaults lecture = never
 								      '';
 								    };
-												move some desktop stuff into common

											
										
										
											2024-01-18 15:36:37 +01:00
+								  };
-												add openssh

											
										
										
											2023-11-22 14:31:25 +01:00
+								  services = {
-												feat: add vesuvio

											
										
										
											2024-03-24 14:02:03 +01:00
+								    openssh = {
 								      enable = true;
 								      openFirewall = lib.mkDefault false;
 								    };
-												wsl: fix tailscale dns

											
										
										
											2024-02-14 19:04:02 +01:00
+								    resolved = {
-												fix: use networkd on servers

											
										
										
											2024-08-17 18:33:34 +02:00
+								      enable = true;
-												wsl: fix tailscale dns

											
										
										
											2024-02-14 19:04:02 +01:00
+								      dnssec = "allow-downgrade";
-												fix(vesuvio): make dns resolution actually work

											
										
										
											2024-07-22 17:36:48 +02:00
+								      dnsovertls = "true";
-												wsl: fix tailscale dns

											
										
										
											2024-02-14 19:04:02 +01:00
+								    };
-												add tailscale

											
										
										
											2024-01-10 17:48:50 +01:00
+								    tailscale = {
 								      enable = true;
 								      useRoutingFeatures = "both";
-												fix: add missing tailscale argument

											
										
										
											2024-05-24 11:16:28 +02:00
+								      extraUpFlags = ["--ssh" "--stateful-filtering"];
-												feat(secrets): add shared secrets

											
										
										
											2024-07-29 23:47:05 +02:00
+								      authKeyFile = secrets.get "tailscaleKey";
-												add tailscale

											
										
										
											2024-01-10 17:48:50 +01:00
+								    };
-												add openssh

											
										
										
											2023-11-22 14:31:25 +01:00
+								  };
-												feat: various improvements

* use tcp bbr for faster internet
* use switch-to-configuration-ng (blazing fast)
* restrict openssh kex algos
* configure watchdog and disable suspend on servers

											
										
										
											2024-08-17 19:00:00 +02:00
+								  system.switch = {
 								    enable = false;
 								    enableNg = true;
 								  };
-												fix: make localectl work

											
										
										
											2024-09-05 11:30:57 +02:00
+								  systemd = {
 								    services.NetworkManager-wait-online.enable = lib.mkForce false;
 								    # NixOS/nixpkgs#267101
 								    tmpfiles.rules = [
 								      "L /usr/lib/locale/locale-archive - - - - /run/current-system/sw/lib/locale/locale-archive"
 								    ];
 								  };
-												disable networkmanager-wait-online

this bitch only caused stupid issues and no one is able to fix it apparently

											
										
										
											2024-03-03 16:54:35 +01:00
-												reorder keys alphabetically

i am crazy

											
										
										
											2024-01-18 15:45:42 +01:00
+								  time.timeZone = "Europe/Paris";
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								  users.users = {
 								    "${username}" = {
 								      isNormalUser = true;
 								      shell = pkgs.fish;
 								      extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
-												feat(secrets): add shared secrets

											
										
										
											2024-07-29 23:47:05 +02:00
+								      hashedPasswordFile = secrets.get "userPassword";
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								      openssh.authorizedKeys.keys = [
 								        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+7+KfdOrhcnHayxvOENUeMx8rE4XEIV/AxMHiaNUP8"
 								      ];
 								    };
-												feat: set root's shell to fish

											
										
										
											2024-04-13 01:24:03 +02:00
+								    root = {
 								      shell = pkgs.fish;
-												feat: add utility functions

											
										
										
											2024-07-29 10:58:43 +02:00
+								      hashedPasswordFile = rootPassword.path;
-												feat: set root's shell to fish

											
										
										
											2024-04-13 01:24:03 +02:00
+								    };
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								  };
-												rework secrets

											
										
										
											2024-01-18 16:11:18 +01:00
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								  # This value determines the NixOS release from which the default
 								  # settings for stateful data, like file locations and database versions
 								  # on your system were taken. It‘s perfectly fine and recommended to leave
 								  # this value at the release version of the first install of this system.
 								  # Before changing this value read the documentation for this option
 								  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-												move stuff into common config

											
										
										
											2024-02-14 15:59:20 +01:00
+								  system.stateVersion = lib.mkDefault stateVersion; # Did you read the comment?
-												move systems into a separate directory

											
										
										
											2023-11-14 18:29:14 +01:00
+								}