Initial commit

modules/nixos/common/default.nix

@@ -0,0 +1,15 @@
+{
+  imports = [
+    ./environment.nix
+    ./htop.nix
+    ./nationalization.nix
+    ./networking.nix
+    ./nix.nix
+    ./sudo.nix
+    ./well-known.nix
+    ./zsh.nix
+
+    ./shared
+    ./overlays.nix
+  ];
+}

modules/nixos/common/environment.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) mkDefault optionals;
+in
+{
+  environment.systemPackages =
+    with pkgs;
+    [
+      cryptsetup
+      curl
+      dig
+      dnsutils
+      fzf
+      gptfdisk
+      iproute2
+      jq
+      lm_sensors
+      lsof
+      netcat-openbsd
+      nettools
+      nixos-container
+      nmap
+      nurl
+      p7zip
+      pciutils
+      psmisc
+      rclone
+      rsync
+      tcpdump
+      tmux
+      tree
+      unzip
+      usbutils
+      wget
+      xxd
+      zip
+
+      (callPackage ../../../apps/rebuild { })
+    ]
+    ++ optionals (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) [
+      pkgs.kitty.terminfo
+    ];
+
+  environment.shellAliases = {
+    l = "ls -lh";
+    ll = "ls -lAh";
+    ports = "ss -tulpn";
+    publicip = "curl ifconfig.me/all";
+    sudo = "sudo "; # make aliases work with `sudo`
+  };
+
+  # saves one instance of nixpkgs.
+  environment.ldso32 = null;
+
+  boot.tmp.cleanOnBoot = mkDefault true;
+  boot.initrd.systemd.enable = mkDefault (!config.boot.swraid.enable && !config.boot.isContainer);
+}

modules/nixos/common/htop.nix

@@ -0,0 +1,8 @@
+{
+  programs.htop = {
+    enable = true;
+    settings = {
+      highlight_base_name = 1;
+    };
+  };
+}

modules/nixos/common/nationalization.nix

@@ -0,0 +1,31 @@
+{ lib, ... }:
+
+let
+  de = "de_DE.UTF-8";
+  en = "en_US.UTF-8";
+
+  inherit (lib) mkDefault;
+in
+{
+  i18n = {
+    defaultLocale = mkDefault en;
+    extraLocaleSettings = {
+      LC_ADDRESS = mkDefault de;
+      LC_IDENTIFICATION = mkDefault de;
+      LC_MEASUREMENT = mkDefault de;
+      LC_MONETARY = mkDefault de;
+      LC_NAME = mkDefault de;
+      LC_NUMERIC = mkDefault de;
+      LC_PAPER = mkDefault de;
+      LC_TELEPHONE = mkDefault de;
+      LC_TIME = mkDefault en;
+    };
+  };
+
+  console = {
+    font = mkDefault "Lat2-Terminus16";
+    keyMap = mkDefault "de";
+  };
+
+  time.timeZone = mkDefault "Europe/Berlin";
+}

modules/nixos/common/networking.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) mkDefault;
+  inherit (lib.utils) isNotEmptyStr;
+in
+{
+  config = {
+    assertions = [
+      {
+        assertion = isNotEmptyStr config.networking.domain;
+        message = "synix/nixos/common: config.networking.domain cannot be empty.";
+      }
+      {
+        assertion = isNotEmptyStr config.networking.hostName;
+        message = "synix/nixos/common: config.networking.hostName cannot be empty.";
+      }
+    ];
+
+    networking = {
+      domain = mkDefault "${config.networking.hostName}.local";
+      hostId = mkDefault "8425e349"; # same as NixOS install ISO and nixos-anywhere
+
+      # NetworkManager
+      useDHCP = false;
+      networkmanager = {
+        enable = true;
+        plugins = with pkgs; [
+          networkmanager-openconnect
+          networkmanager-openvpn
+        ];
+      };
+    };
+  };
+}

modules/nixos/common/nix.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) mkDefault;
+in
+{
+  nix = {
+    # use flakes
+    channel.enable = mkDefault false;
+
+    # De-duplicate store paths using hardlinks except in containers
+    # where the store is host-managed.
+    optimise.automatic = mkDefault (!config.boot.isContainer);
+  };
+}

modules/nixos/common/overlays.nix

@@ -0,0 +1,10 @@
+{ outputs, ... }:
+
+{
+  nixpkgs.overlays = [
+    outputs.overlays.local-packages
+    outputs.overlays.modifications
+    outputs.overlays.old-stable-packages
+    outputs.overlays.unstable-packages
+  ];
+}

modules/nixos/common/shared/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./nix.nix
+  ];
+}

modules/nixos/common/shared/nix.nix

@@ -0,0 +1,85 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib)
+    mkDefault
+    optional
+    versionOlder
+    versions
+    ;
+in
+{
+  nix.package = mkDefault pkgs.nix;
+
+  # for `nix run synix#foo`, `nix build synix#bar`, etc
+  nix.registry = {
+    synix = {
+      from = {
+        id = "synix";
+        type = "indirect";
+      };
+      to = {
+        owner = "sid";
+        repo = "synix";
+        host = "git.sid.ovh";
+        type = "gitea";
+      };
+    };
+  };
+
+  # fallback quickly if substituters are not available.
+  nix.settings.connect-timeout = mkDefault 5;
+  nix.settings.fallback = true;
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ]
+  ++ optional (
+    config.nix.package != null && versionOlder (versions.majorMinor config.nix.package.version) "2.22"
+  ) "repl-flake";
+
+  nix.settings.log-lines = mkDefault 25;
+
+  # avoid disk full issues
+  nix.settings.max-free = mkDefault (3000 * 1024 * 1024);
+  nix.settings.min-free = mkDefault (512 * 1024 * 1024);
+
+  # avoid copying unnecessary stuff over SSH
+  nix.settings.builders-use-substitutes = true;
+
+  # workaround for https://github.com/NixOS/nix/issues/9574
+  nix.settings.nix-path = config.nix.nixPath;
+
+  nix.settings.download-buffer-size = 524288000; # 500 MiB
+
+  # add all wheel users to the trusted-users group
+  nix.settings.trusted-users = [
+    "@wheel"
+  ];
+
+  # binary caches
+  nix.settings.substituters = [
+    "https://cache.nixos.org"
+    "https://nix-community.cachix.org"
+    "https://cache.garnix.io"
+    "https://numtide.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+    "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+  ];
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+}

modules/nixos/common/sudo.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraConfig = ''
+      Defaults lecture = never
+    '';
+  };
+
+  assertions =
+    let
+      validUsers = users: users == [ ] || users == [ "root" ];
+      validGroups = groups: groups == [ ] || groups == [ "wheel" ];
+      validUserGroups = builtins.all (
+        r: validUsers (r.users or [ ]) && validGroups (r.groups or [ ])
+      ) config.security.sudo.extraRules;
+    in
+    [
+      {
+        assertion = config.security.sudo.execWheelOnly -> validUserGroups;
+        message = "Some definitions in `security.sudo.extraRules` refer to users other than 'root' or groups other than 'wheel'. Disable `config.security.sudo.execWheelOnly`, or adjust the rules.";
+      }
+    ];
+}

modules/nixos/common/well-known.nix

@@ -0,0 +1,17 @@
+{
+  # avoid TOFU MITM
+  programs.ssh.knownHosts = {
+    "github.com".hostNames = [ "github.com" ];
+    "github.com".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+    "gitlab.com".hostNames = [ "gitlab.com" ];
+    "gitlab.com".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+
+    "git.sr.ht".hostNames = [ "git.sr.ht" ];
+    "git.sr.ht".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+  };
+  # TODO: add synix
+}

modules/nixos/common/zsh.nix

@@ -0,0 +1,26 @@
+{
+  programs.zsh = {
+    enable = true;
+    syntaxHighlighting = {
+      enable = true;
+      highlighters = [
+        "main"
+        "brackets"
+        "cursor"
+        "pattern"
+      ];
+      patterns = {
+        "rm -rf" = "fg=white,bold,bg=red";
+        "rm -fr" = "fg=white,bold,bg=red";
+      };
+    };
+    autosuggestions = {
+      enable = true;
+      strategy = [
+        "completion"
+        "history"
+      ];
+    };
+    enableLsColors = true;
+  };
+}