{ self, lib, pkgs, config, configName, ... }:
# NixOS module for the optional "work" profile: sops-managed 802.1X Wi-Fi
# credentials, initrd/LUKS settings, libvirt/QEMU with OVMF secure boot and
# a software TPM, a work tool set, syncthing peers and a YubiKey udev rule.
# Everything under `config` is only applied when
# `swarselmodules.optional.work` is enabled.
let
  # mainUser / homeDir are declared by another module of this repository
  inherit (config.swarselsystems) mainUser homeDir;
  # true when NetworkManager is backed by iwd; only used to choose the EAP
  # method string in the VBC profile below
  iwd = config.networking.networkmanager.wifi.backend == "iwd";
  # every sops secret declared here is owned by (readable as) the main user
  owner = mainUser;
  # single encrypted file holding all work secrets
  sopsFile = self + /secrets/work/secrets.yaml;
in
{
  options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
  options.swarselsystems = {
    # defaults to the name of the flake configuration being built
    hostName = lib.mkOption {
      type = lib.types.str;
      default = configName;
    };
    fqdn = lib.mkOption {
      type = lib.types.str;
      default = "";
    };
  };
  config = lib.mkIf config.swarselmodules.optional.work {
    sops =
      let
        # keys expected in secrets/work/secrets.yaml; vc*/govc* are vSphere /
        # govc credentials, base* are the 802.1X login used by the template
        secretNames = [
          "vcuser"
          "vcpw"
          "govcuser"
          "govcpw"
          "govcurl"
          "govcdc"
          "govcds"
          "govchost"
          "govcnetwork"
          "govcpool"
          "baseuser"
          "basepw"
        ];
      in
      {
        # one sops.secrets.<name> entry per name, all from the same file and
        # with the same owner
        secrets = builtins.listToAttrs (
          map
            (name: {
              inherit name;
              value = { inherit owner sopsFile; };
            })
            secretNames
        );
        # rendered by sops-nix with the decrypted values; its `.path` is
        # handed to NetworkManager as an environment file below
        templates = {
          "network-manager-work.env".content = ''
            BASEUSER=${config.sops.placeholder.baseuser}
            BASEPASS=${config.sops.placeholder.basepw}
          '';
        };
      };

    boot.initrd = {
      systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence
      luks = {
        # disable "support" since we use systemd-cryptenroll
        # make sure yubikeys are enrolled using
        # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2
        # NOTE(review): with user-verification and client-pin both off, the
        # enrollment above makes possession of the token plus a touch
        # sufficient to unlock the volume — a deliberate convenience trade-off;
        # the udev rule at the end of this file suspends the machine when the
        # key is unplugged, which is the other half of that trade-off.
        yubikeySupport = false;
        fido2Support = false;
      };
    };

    programs = {
      browserpass.enable = true;
      _1password.enable = true;
      _1password-gui = {
        enable = true;
        # only the main user may use the 1Password polkit policy
        polkitPolicyOwners = [ "${mainUser}" ];
      };
    };

    networking = {
      inherit (config.swarselsystems) hostName fqdn;

      networkmanager = {
        # the real hardware address is used while scanning (privacy trade-off,
        # presumably required by the work network — confirm)
        wifi.scanRandMacAddress = false;
        ensureProfiles = {
          # supplies $BASEUSER / $BASEPASS from the sops template above, so
          # the plaintext credentials are not part of this module
          environmentFiles = [
            "${config.sops.templates."network-manager-work.env".path}"
          ];
          profiles = {
            VBC = {
              "802-1x" = {
                # iwd speaks PEAP here, the other backend EAP-TTLS; the inner
                # method is MSCHAPv2 in both cases
                eap = if (!iwd) then "ttls;" else "peap;";
                identity = "$BASEUSER";
                password = "$BASEPASS";
                phase2-auth = "mschapv2";
                # NOTE(review): no `ca-cert` (or `domain-suffix-match` /
                # `system-ca-certs`) is set, so the RADIUS server certificate
                # is not validated before the MSCHAPv2 credentials are sent;
                # an impersonating access point could therefore collect them.
                # Set `ca-cert = "<path to the institution's CA — placeholder>";`
                # unless the CA is pinned somewhere outside this file — confirm.
              };
              connection = {
                id = "VBC";
                type = "wifi";
              };
              ipv4 = { method = "auto"; };
              ipv6 = {
                addr-gen-mode = "default";
                method = "auto";
              };
              proxy = { };
              wifi = {
                # profile is bound to one specific NIC and always uses its
                # permanent hardware address; "1" is NM's "never randomise"
                # value for the (older) mac-address-randomization key
                cloned-mac-address = "permanent";
                mac-address = "E8:65:38:52:63:FF";
                mac-address-randomization = "1";
                mode = "infrastructure";
                band = "a";
                ssid = "VBC";
              };
              wifi-security = {
                auth-alg = "open";
                key-mgmt = "wpa-eap";
              };
            };
          };
        };
      };

      firewall = {
        # mkDefault so a host can still turn the firewall off explicitly
        enable = lib.mkDefault true;
        # traffic arriving on the libvirt default bridge is accepted
        # unconditionally, i.e. guests on virbr0 bypass the host firewall
        trustedInterfaces = [ "virbr0" ];
      };
      # DNS search domains for the work networks
      search = [
        "vbc.ac.at"
        "clip.vbc.ac.at"
        "imp.univie.ac.at"
      ];
    };

    virtualisation = {
      # docker only when podman is not already providing the docker CLI
      docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
      spiceUSBRedirection.enable = true;
      libvirtd = {
        enable = true;
        qemu = {
          package = pkgs.qemu_kvm;
          # NOTE(review): QEMU processes are started as root rather than as
          # an unprivileged user, so a guest escape would land with root
          # privileges; check whether any of the VMs actually need this.
          runAsRoot = true;
          # software TPM, needed by the TPM-enabled OVMF firmware below
          swtpm.enable = true;
          vhostUserPackages = with pkgs; [ virtiofsd ];
          ovmf = {
            enable = true;
            # UEFI firmware with Secure Boot and TPM support for the guests
            packages = [
              (pkgs.OVMFFull.override {
                secureBoot = true;
                tpmSupport = true;
              }).fd
            ];
          };
        };
      };
    };

    environment.systemPackages = with pkgs; [
      # python39 pinned to the 24.11 package set — an old interpreter,
      # presumably needed by a work tool; check it still receives fixes
      stable24_11.python39
      # image building / infrastructure-as-code
      qemu
      packer
      gnumake
      libisoburn
      govc
      terraform
      opentofu
      # dev.terragrunt
      terragrunt
      graphviz
      azure-cli

      # vm
      virt-manager
      virt-viewer
      virtiofsd
      spice
      spice-gtk
      spice-protocol
      win-virtio
      win-spice

      powershell
      gh
    ];

    services = {
      spice-vdagentd.enable = true;
      openssh = {
        enable = true;
        # intentionally empty; sshd hardening, if any, lives in another module
        extraConfig = ''
        '';
      };

      syncthing = {
        settings = {
          # peer device IDs (public identifiers, not secrets)
          "winters" = {
            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
          };
          "moonside@oracle" = {
            id = "VPCDZB6-MGVGQZD-Q6DIZW3-IZJRJTO-TCC3QUQ-2BNTL7P-AKE7FBO-N55UNQE";
          };
          folders = {
            # "magicant" is not declared above — presumably defined in a
            # shared syncthing module; confirm
            "Documents" = {
              path = "${homeDir}/Documents";
              devices = [ "magicant" "winters" "moonside@oracle" ];
              id = "hgr3d-pfu3w";
            };
          };
        };
      };

      # The rule's own comment says "lock screen" but the action is a full
      # `systemctl suspend` when the device with PRODUCT 3/1050/407/110 (the
      # YubiKey) is removed; the screen only locks if a lock-on-suspend hook
      # is configured elsewhere — confirm.
      udev.extraRules = ''
        # lock screen when yubikey removed
        ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
      '';

    };

    # cgroups v1 is required for centos7 dockers
    # specialisation = {
    #   cgroup_v1.configuration = {
    #     boot.kernelParams = [
    #       "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1"
    #       "systemd.unified_cgroup_hierarchy=0"
    #     ];
    #   };
    # };
  };

}