Initial commit

modules/global/bash.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, ... }: {
+  globals.hm.programs.carapace = {
+    enable = true;
+    enableBashIntegration = true;
+  };
+
+  globals.hm.programs.bash = {
+    enable = true;
+    shellAliases = config.n.misc.aliases;
+    enableCompletion = true;
+
+    initExtra = ''
+      #colorscript -e square
+      _fix_cursor() {
+        echo -ne '\e[5 q'
+      }
+      precmd_functions+=(_fix_cursor)
+      export TERM="xterm-256color"
+      PS1="\e[1;32m\u@\h\e[m \e[1;34m[\t]\e[m [\w]\n\e[0;34m-> %\e[m \e[0;32m"
+    '';
+  };
+
+  environment.systemPackages = with pkgs; [
+    wget
+    curl
+    tree
+    htop
+    killall
+    jq
+    p7zip
+    tldr
+    unzip
+    mtr
+    iperf3
+    lsd
+    bat
+    ncdu
+    ripgrep
+    dig
+    pwgen
+    inxi
+    alejandra
+    tokei
+  ];
+}

modules/global/dnscrypt-proxy.nix

@@ -0,0 +1,17 @@
+{ ... }: {
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      # listen_addresses = [ "127.0.0.1:53" ];
+      listen_addresses = [ "0.0.0.0:53" ];
+      max_clients = 200;
+      force_tcp = true;
+      netprobe_address = "192.168.1.1:53";
+      server_names = [ "libredns-noads" "njalla-doh" ];
+    };
+  };
+
+  networking = {
+    nameservers = [ "127.0.0.1" ];
+  };
+}

modules/global/firewall.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  networking.firewall = {
+    allowedTCPPorts = [];
+    allowedUDPPorts = [];
+  };
+}

modules/global/git.nix

@@ -0,0 +1,29 @@
+{ pkgs, lib, ... }: {
+  hm.programs.git.enable = true;
+  environment.systemPackages = [ pkgs.git ];
+
+  hm.programs.git = {
+    userEmail = "thary@riseup.net";
+    userName = "Thary";
+    signing = {
+      signByDefault = true;
+    };
+  };
+
+  nodes.phoenix.hm = {
+    programs.git.extraConfig = {
+      commit.gpgsign = true;
+      gpg.format = "ssh";
+      gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers";
+      user.signingkey = "~/.ssh/id_ed25519.pub";
+    };
+    home.file.".ssh/allowed_signers".text =
+      # "* ${builtins.readFile /home/${username}/.ssh/id_ed25519.pub}";
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A";
+  };
+
+  lib.n.misc.shellAliases = {
+    gc = "${lib.getExe pkgs.git} commit -m";
+    ga = "${lib.getExe pkgs.git} add";
+  };
+}

modules/global/home-manager.nix

@@ -0,0 +1,26 @@
+{ lib, username, config, inputs, ... }:
+with lib;
+{
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    (lib.mkAliasOptionModule [ "hm" ] [
+      "home-manager"
+      "users"
+      username
+    ])
+  ];
+  
+  options.globals.hm = mkOption { type = types.attrs; };
+  config = {
+    home-manager = {
+      useGlobalPkgs = true;
+      useUserPackages = true;
+      # backupFileExtension = "hm-backup-" + pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date '+%Y%m%d%H%M%S'` > $out"}";
+      backupFileExtension = "hm-backup-$(date \"+%Y%m%d%H%M%S\")";
+      sharedModules = [ config.globals.hm ];
+    };
+    hm.home = {
+      inherit (config.system) stateVersion;
+    };
+  };
+}

modules/global/locales.nix

@@ -0,0 +1,23 @@
+{ ... }: 
+let 
+  locales = "en_US.UTF-8";
+  timezone = "Europe/Minsk";
+in {
+  time.timeZone = timezone;
+
+  i18n = {
+    defaultLocale = locales;
+    extraLocaleSettings = {
+      # LC_ADDRESS = locales;
+      # LC_MEASUREMENT = locales;
+      # LC_MONETARY = locales;
+      # LC_NAME = locales;
+      # LC_NUMERIC = locales;
+      # LC_PAPER = locales;
+      # LC_TELEPHONE = locales;
+      # LC_TIME = locales;
+      LANGUAGE = locales;
+      LC_ALL = locales;
+    };
+  };
+}

modules/global/networking.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  # nodes.cepheus.networking.interfaces.ens18 = {
+  #   ipv4.addresses = [{
+  #     address = "158.220.126.56";
+  #     prefixLength = 24;
+  #   }];
+  # };
+}

modules/global/nix.nix

@@ -0,0 +1,29 @@
+{ pkgs, lib, inputs, username, config, ... }: {
+  # imp.home.dirs = [ ".local/share/nix" ]; # Nix Repl history
+  nix = {
+    package = pkgs.lix;
+    settings = {
+      allowed-users = ["root" "@wheel"];
+      trusted-users = [ "root" username ];
+      experimental-features = ["nix-command" "flakes"];
+      build-dir = "/nix/builds";
+    };
+    registry = lib.mapAttrs (_: value: {flake = value;}) inputs // { n.flake = inputs.nixpkgs; };
+    nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
+  };
+
+  system.stateVersion = "23.05"; # My first nixos was 22.11
+
+  nixpkgs.overlays = [
+    (import ../../pkgs)
+  ];
+
+  # documentation = {
+  #   enable = true;
+  #   doc.enable = true;
+  #   dev.enable = true;
+  #   info.enable = true;
+  #   nixos.enable = true;
+  #   man.enable = true;
+  # };
+}

modules/global/nvim.nix

@@ -0,0 +1,44 @@
+{ config, ...}: {
+  globals.hm = {
+    programs.neovim = {
+      enable = true;
+      defaultEditor = true;
+      viAlias = true;
+      vimAlias = true;
+
+      extraLuaConfig = ''
+        local bind = vim.keymap.set
+        local opt = vim.opt
+        local g = vim.g
+        local o = vim.o
+        local cmd = vim.cmd
+
+        o.expandtab = true
+        o.smarttab = true
+        o.cindent = true
+        o.autoindent = true
+
+        o.ignorecase = true
+        o.smartcase = true
+
+        o.backup = false
+        o.writebackup = false
+        o.undofile = true
+        o.swapfile = false
+
+        opt.relativenumber = true
+        opt.number = true
+        opt.tabstop = 2
+        opt.shiftwidth = 2
+        opt.mouse = "a"
+        opt.termguicolors = true
+        opt.clipboard = "unnamedplus"
+      '';
+
+      home.sessionVariables = {
+        # EDITOR = lib.mkForce lib.getExe pkgs.neovim;
+        MANPAGER = "${config.hm.home.sessionVariables.EDITOR} +Man!";
+      };
+    };
+  };
+}

modules/global/secrets.nix

@@ -0,0 +1,38 @@
+{ inputs, host, lib, ... }:
+let
+  keys = {
+    phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsrEEXQwcu4i7hOqCbpwd4EdC/+v9fAWm30MUXhVpp5";
+    cepheus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGm1PymMJ2JnE973UCaezWQFKyZi7lsAzHshUUwafa8F";
+    naos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcR9C753wDWjg/oJxn6p9kLMaiaOPJFNT0xYPICXK52";
+  };
+in {
+  environment.systemPackages = [ inputs.agenix-rekey.packages.x86_64-linux.default ];
+  imports = [
+    inputs.agenix.nixosModules.default
+    inputs.agenix-rekey.nixosModules.default
+  ];
+  
+  age.identityPaths = [ "/nix/keys/identity" ]; # default key path
+  age.rekey = {
+    masterIdentities = [
+      { identity = "/home/user/.ssh/id_ed25519";
+        pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEDqpSiQpbSsClh6UGb7Z2DA1Hy+EyePzTy+5hEVD/A"; }
+    ];
+    storageMode = "local";
+    generatedSecretsDir = ../../secrets/generated/${host};
+    localStorageDir = ../../secrets/rekeyed/${host};
+  };
+
+  # services.openssh.enable = true;
+  services.openssh.hostKeys = [{
+    path = "/nix/keys/identity";
+    type = "ed25519";
+  }];
+
+# TODO: define key via hosts/<name>/default.nix
+
+  nodes.phoenix.age.rekey.hostPubkey = keys.phoenix;
+  nodes.cepheus.age.rekey.hostPubkey = keys.cepheus;
+  # nodes.tureis.age.rekey.hostPubkey = ""; # TODO
+  nodes.naos.age.rekey.hostPubkey = keys.naos;
+}

modules/global/security.nix

@@ -0,0 +1,26 @@
+{ username, pkgs, ... }: {
+  security = {
+    doas = {
+      enable = true;
+      wheelNeedsPassword = true;
+    };
+    sudo.enable = false;
+
+    # polkit.enable = lib.mkForce false;
+    polkit.enable = true;
+  };
+
+
+  n.misc.aliases.sudo = "doas";
+
+  security.tpm2 = {
+    enable = true;
+    pkcs11.enable = true;
+    pkcs11.package = pkgs.tpm2-pkcs11-fapi;
+    tctiEnvironment.enable = true;
+  };
+  users.users.${username}.extraGroups = [ "tss" "admin" ];
+
+  environment.systemPackages = with pkgs; [ tpm2-pkcs11-fapi clevis tpm2-tools ];
+  environment.variables.TPM2_PKCS11_BACKEND = "fapi";
+}