basic users and wireguard setup

Sky Hearn 2024-03-03 16:17:28 -08:00
parent cd9946699d
commit 5001614445
4 changed files with 116 additions and 297 deletions

canary.txt Normal file

@ -0,0 +1,3 @@
This document exists to inform users that Sky Hearn has not been served with a secret government subpoena in any of their hardware, their software, or their services.
2024-03-03

canary.txt.sig Normal file



@ -8,6 +8,7 @@
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./users.nix
<home-manager/nixos> <home-manager/nixos>
]; ];
@ -15,318 +16,84 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# amdgpu stuffs # use network manager and set hostname
boot.initrd.kernelModules = [ "amdgpu" ]; networking.networkmanager.enable = true;
services.xserver.videoDrivers = [ "amdgpu" ]; networking.hostName = "rackserver";
# opengl support
hardware.opengl.enable = true;
# opengl packages
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
vaapiVdpau
libvdpau-va-gl
];
hardware.opengl.driSupport = true;
networking.hostName = "sky-laptop"; # Define your hostname. # wireguard server setup
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone. # enable NAT
time.timeZone = "America/Los_Angeles"; networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
# Configure network proxy if necessary networking.nat.internalInterfaces = [ "wg0" ];
# networking.proxy.default = "http://user:password@proxy:port/"; networking.firewall = {
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; allowedUDPPorts = [ 51820 ];
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
#keyMap = "us";
useXkbConfig = true; # use xkb.options in tty.
}; };
# Enable the X11 windowing system networking.wireguard.interfaces = {
services.xserver.enable = true; # "wg0" is the network interface name. You can name the interface arbitrarily.
services.xserver.displayManager.sessionCommands = '' wg0 = {
slstatus & # Determines the IP address and subnet of the server's end of the tunnel interface.
nitrogen --restore & ips = [ "10.100.0.1/24" ];
clipcatd &
'';
# Configure keymap in X11 # The port that WireGuard listens to. Must be accessible by the client.
services.xserver.xkb.layout = "us"; listenPort = 51820;
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents. # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# services.printing.enable = true; # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
# Enable sound. ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
sound.enable = true;
hardware.pulseaudio.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
services.xserver.libinput.enable = true;
# Enable dwm
services.xserver.windowManager.dwm.package = pkgs.dwm.overrideAttrs {
src = ./dwm;
};
services.xserver.windowManager.dwm.enable = true;
# Sky User
users.users.sky.isNormalUser = true;
users.users.sky.extraGroups = [ "wheel" ]; # Enable sudo for the user.
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
];
nixpkgs.config.permittedInsecurePackages =
lib.optional (pkgs.obsidian.version == "1.4.16") "electron-25.9.0";
home-manager.useGlobalPkgs = true;
# Home Manager for Sky
home-manager.users.sky = {pkgs, ...}: {
home.packages = with pkgs; [
obsidian
(callPackage (./rolldice/default.nix) {})
clang-tools
rclone
trash-cli
mumble
nheko
zim
moonlight-embedded
nitrogen
firefox-bin
neofetch
ncpamixer
tree
xclip
grpc
clipcat
keepassxc
jellyfin-media-player
];
services.picom = {
enable = true;
vSync = true;
backend = "glx";
inactiveOpacity = 0.9;
settings = {
blur = {
method = "dual-kawase";
};
};
};
programs.bash = {
enable = true;
shellAliases = {
nv = "nvim";
ccm = "clipcat-menu";
};
};
programs.git = {
enable = true;
userName = "Sky Hearn";
userEmail = "sky.hearn@pm.me";
signing = {
key = "DAB485883AE426EC";
signByDefault = false;
};
};
programs.neovim = {
enable = true;
defaultEditor = true;
extraConfig = ''
set shiftwidth=2 smarttab
set expandtab
set tabstop=8 softtabstop=0
''; '';
extraPackages = with pkgs; [
# Use the project flake's language server to prevent version mismatches
# clang_12
# rust-analyzer
];
plugins = with pkgs.vimPlugins; [
{
plugin = gruvbox-nvim;
type = "viml";
# Better performance is off until I can figure out a way to make the cache outside the nix store
config = ''
if has('termguicolors')
set termguicolors
endif
colorscheme gruvbox
'';
}
{
plugin = lualine-nvim;
type = "lua";
config = ''
require'lualine'.setup {
options = {
theme = 'gruvbox'
},
sections = {
lualine_c = {'lsp_progress'}
}
}
'';
}
{
plugin = lsp-status-nvim;
type = "lua";
config = ''
require'lsp-status'.register_progress()
'';
}
{
plugin = nvim-lspconfig;
type = "lua";
config = ''
-- Mappings.
-- See `:help vim.diagnostic.*` for documentation on any of the below functions
local opts = { noremap=true, silent=true }
vim.keymap.set('n', '<space>e', vim.diagnostic.open_float, opts)
vim.keymap.set('n', '[d', vim.diagnostic.goto_prev, opts)
vim.keymap.set('n', ']d', vim.diagnostic.goto_next, opts)
vim.keymap.set('n', '<space>q', vim.diagnostic.setloclist, opts)
-- Use an on_attach function to only map the following keys # This undoes the above command
-- after the language server attaches to the current buffer postShutdown = ''
local on_attach = function(client, bufnr) ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-- Set up status tracking
require'lsp-status'.on_attach(client)
-- Enable completion triggered by <c-x><c-o>
vim.api.nvim_buf_set_option(bufnr, 'omnifunc', 'v:lua.vim.lsp.omnifunc')
-- Mappings.
-- See `:help vim.lsp.*` for documentation on any of the below functions
local bufopts = { noremap=true, silent=true, buffer=bufnr }
vim.keymap.set('n', 'gD', vim.lsp.buf.declaration, bufopts)
vim.keymap.set('n', 'gd', vim.lsp.buf.definition, bufopts)
vim.keymap.set('n', 'K', vim.lsp.buf.hover, bufopts)
vim.keymap.set('n', 'gi', vim.lsp.buf.implementation, bufopts)
vim.keymap.set('n', '<C-k>', vim.lsp.buf.signature_help, bufopts)
vim.keymap.set('n', '<space>wa', vim.lsp.buf.add_workspace_folder, bufopts)
vim.keymap.set('n', '<space>wr', vim.lsp.buf.remove_workspace_folder, bufopts)
vim.keymap.set('n', '<space>wl', function()
print(vim.inspect(vim.lsp.buf.list_workspace_folders()))
end, bufopts)
vim.keymap.set('n', '<space>D', vim.lsp.buf.type_definition, bufopts)
vim.keymap.set('n', '<space>rn', vim.lsp.buf.rename, bufopts)
vim.keymap.set('n', '<space>ca', vim.lsp.buf.code_action, bufopts)
vim.keymap.set('n', 'gr', vim.lsp.buf.references, bufopts)
vim.keymap.set('n', '<space>f', function() vim.lsp.buf.format { async = true } end, bufopts)
end
local lsp_flags = {
-- This is the default in Nvim 0.7+
debounce_text_changes = 150,
}
local servers = { 'clangd', 'rust_analyzer' }
for _, lsp in ipairs(servers) do
require'lspconfig'[lsp].setup(
vim.tbl_extend('keep',
require('coq').lsp_ensure_capabilities({
on_attach = on_attach,
flags = lsp_flags
}) or {},
require'lsp-status'.capabilities
)
)
end
''; '';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "path to private key file";
peers = [
# List of allowed peers.
{ # Nub
# Public key of the peer (not a file path).
publicKey = "{}";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
} }
{ { # Ku
plugin = coq_nvim; publicKey = "{}";
type = "lua"; allowedIPs = [ "10.100.0.3/32" ];
config = ''
vim.g.coq_settings = { auto_start = 'shut-up', xdg = true }
'';
} }
{ { # Sky Laptop
plugin = nvim-treesitter.withAllGrammars; publicKey = "{}";
type = "lua"; allowedIPs = [ "10.100.0.4/32" ];
config = ''
require'nvim-treesitter.configs'.setup {
-- TODO: Make this use stdpath("data")
-- parser_install_dir = "~/.local/share/nvim/site",
-- ensure_installed = { "nix", "help", "rust", "c", "lua" },
-- auto_install = true,
highlight = {
enable = true
},
incremental_selection = {
enable = true,
keymaps = {
init_selection = "gnn", -- set to `false` to disable one of the mappings
node_incremental = "grn",
scope_incremental = "grc",
node_decremental = "grm",
} }
}, { # Sky Desktop
indent = { publicKey = "{}";
enable = true allowedIPs = [ "10.100.0.5/32" ];
},
}
vim.cmd([[
set foldmethod=expr
set foldexpr=nvim_treesitter#foldexpr()
set nofoldenable
]])
'';
}
{
plugin = telescope-nvim;
} }
]; ];
}; };
home.stateVersion = "23.11";
}; };
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
pulseaudio
bash
vim
wget
acpi
dmenu
dunst
libnotify
(pkgs.st.overrideAttrs (_: {
src = ./st;
})
)
(pkgs.slstatus.overrideAttrs (_: {
src = ./slstatus;
})
)
libva-utils
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.mtr.enable = true;
# List services that you want to enable: # List services that you want to enable:
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh = {
enable = true;
settings = {
# Forbid root login through SSH.
PermitRootLogin = "no";
# key authentication
PasswordAuthentication = false;
};
};
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
@ -356,5 +123,4 @@ clipcatd &
# #
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "23.11"; # Did you read the comment? system.stateVersion = "23.11"; # Did you read the comment?
} }
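Review bot: `privateKeyFile = "path to private key file"` and the four `publicKey = "{}"` entries in the `wg0` peers list are placeholders, so the WireGuard interface cannot come up as committed; the path should point at a root-owned key file outside the Nix store (mode 0400, as the comment above it already recommends) and each peer needs its real base64 public key. The `postSetup`/`postShutdown` iptables MASQUERADE rules appear to duplicate what `networking.nat.enable = true` with `internalInterfaces = [ "wg0" ]` already installs for the configured `externalInterface`, so one of the two mechanisms can probably be dropped, which also leaves `eth0` hard-coded in a single place — and with NetworkManager enabled the real interface name may not be `eth0`, so confirm it on the host. The `services.openssh.settings` block with `PermitRootLogin = "no"` and `PasswordAuthentication = false` is the right default, but it means every account needs `openssh.authorizedKeys.keys` configured somewhere before remote login is possible.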

users.nix Normal file

@ -0,0 +1,50 @@
{ config, lib, pkgs, ...};
{
imports =
[ # Include the results of the hardware scan.
<home-manager/nixos>
];
users.users.sky.isNormalUser = true;
users.users.ku.isNormalUser = true;
users.users.nub.isNormalUser = true;
users.groups.wheel.members=["sky"];
home-manager.users.sky = { pkgs, ... }: {
home.packages = [ ];
programs.bash.enable = true;
# The state version is required and should stay at the version you
# originally installed.
home.stateVersion = "23.11";
};
home-manager.users.ku = { pkgs, ... }: {
home.packages = [ ];
programs.bash.enable = true;
# The state version is required and should stay at the version you
# originally installed.
home.stateVersion = "23.11";
};
home-manager.users.nub = { pkgs, ... }: {
home.packages = [ ]; # TODO: Copy ku's nvconfig
programs.bash.enable = true;
# The state version is required and should stay at the version you
# originally installed.
home.stateVersion = "23.11";
};
home-manager.users.wg = { pkgs, ... }: {
home.packages = [ ];
programs.bash.enable = true;
# The state version is required and should stay at the version you
# originally installed.
home.stateVersion = "23.11";
};
}
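Review bot: The first line `{ config, lib, pkgs, ...};` is not valid Nix — a module's argument set must be followed by a colon, `{ config, lib, pkgs, ... }:`, so this file fails to parse and the configuration that imports it will not evaluate. `home-manager.users.wg` is configured without a matching `users.users.wg` declaration; home-manager's NixOS module resolves the home directory from `users.users`, so this block most likely fails evaluation — either declare the user or drop it. None of `sky`, `ku` or `nub` is given a `hashedPassword`/`initialPassword` or `openssh.authorizedKeys.keys`, and this commit disables SSH password authentication in configuration.nix, so as committed there is no remote login path for any of them; per-user authorized keys are the missing piece. Restricting `users.groups.wheel.members` to `sky` alone is the correct least-privilege choice and should stay that way as the other accounts are fleshed out.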