243 lines
5.0 KiB
Nix
243 lines
5.0 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
mkUserService = pkgs.writeShellScriptBin "mk-user-service" ''
|
|
set -euo pipefail
|
|
|
|
if [ "$#" -lt 2 ]; then
|
|
echo "Usage: mk-user-service <name> <exec command...>" >&2
|
|
exit 1
|
|
fi
|
|
|
|
name="$1"
|
|
shift
|
|
|
|
unitDir="''${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
|
|
unitFile="$unitDir/$name.service"
|
|
|
|
mkdir -p "$unitDir"
|
|
|
|
if [ -e "$unitFile" ]; then
|
|
echo "Refusing to overwrite existing unit: $unitFile" >&2
|
|
exit 2
|
|
fi
|
|
|
|
cat > "$unitFile" <<EOF
|
|
[Unit]
|
|
Description=$name
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart=$*
|
|
Restart=on-failure
|
|
RestartSec=2
|
|
|
|
[Install]
|
|
WantedBy=default.target
|
|
EOF
|
|
|
|
echo "Created $unitFile"
|
|
echo "Next steps:"
|
|
echo " systemctl --user daemon-reload"
|
|
echo " systemctl --user enable --now $name.service"
|
|
'';
|
|
in
|
|
{
|
|
imports = [
|
|
./modules/atproto-pds.nix
|
|
./modules/wafrn.nix
|
|
./modules/cloudflare.nix
|
|
./modules/tangled.nix
|
|
../../modules/force.nix
|
|
./modules/gitea.nix
|
|
./modules/vaultwarden.nix
|
|
./slop/openclaw.nix
|
|
./slop/brave.nix
|
|
];
|
|
|
|
# gcc. shit breaks. wtf
|
|
environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib";
|
|
|
|
services.vscode-server.enable = true;
|
|
|
|
services.openssh.settings = lib.mkDefault {
|
|
PubkeyAuthentication = "yes";
|
|
TrustedUserCAKeys = "/etc/ssh/ca.pub";
|
|
PermitRootLogin = lib.mkDefault "prohibit-password";
|
|
KbdInteractiveAuthentication = lib.mkDefault false;
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = lib.mkForce true;
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
mosh
|
|
fastfetch
|
|
hyfetch
|
|
bash
|
|
jdk
|
|
steam-run
|
|
opencode
|
|
bun
|
|
nodejs
|
|
node-gyp
|
|
playwright
|
|
chromium
|
|
brave
|
|
(pkgs.callPackage ./slop/rocksky-cli.nix { })
|
|
];
|
|
|
|
users.users.ocbwoy3 = {
|
|
initialPassword = "thisisapassword42069!"; # not the type passwords i use
|
|
isNormalUser = true;
|
|
extraGroups = [
|
|
"wheel"
|
|
"networkmanager"
|
|
"docker"
|
|
];
|
|
shell = pkgs.zsh;
|
|
};
|
|
|
|
users.users.kris = {
|
|
initialPassword = "thisisapassword42069!";
|
|
isNormalUser = true;
|
|
extraGroups = [
|
|
"wheel"
|
|
"networkmanager"
|
|
"docker"
|
|
];
|
|
shell = pkgs.zsh;
|
|
packages = [
|
|
pkgs.mrpack-install
|
|
mkUserService
|
|
];
|
|
};
|
|
|
|
system.activationScripts.enableKrisLinger.text = ''
|
|
${pkgs.systemd}/bin/loginctl enable-linger kris || true
|
|
'';
|
|
|
|
nixpkgs.overlays = [
|
|
(final: prev: {
|
|
nixos-rebuild = prev.writeShellScriptBin "nixos-rebuild" ''
|
|
set -euo pipefail
|
|
|
|
action="''${1:-}"
|
|
case "$action" in
|
|
switch|boot|test|build|dry-activate)
|
|
needs_flake=1
|
|
;;
|
|
*)
|
|
needs_flake=0
|
|
;;
|
|
esac
|
|
|
|
has_flake=0
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--flake|--flake=*)
|
|
has_flake=1
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ "$needs_flake" -eq 1 ] && [ "$has_flake" -eq 0 ]; then
|
|
cat >&2 <<'EOF'
|
|
|
|
🚨🚨🚨 WARNING: DANGEROUS SYSTEM REBUILD 🚨🚨🚨
|
|
This host is FLAKE-MANAGED. Do not attempt to rebuild the system from /etc/nixos.
|
|
|
|
Please ensure you are running THIS EXACT COMMAND inside /home/ocbwoy3/config:
|
|
|
|
sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade
|
|
|
|
Aborting unsafe nixos-rebuild invocation.
|
|
EOF
|
|
exit 64
|
|
fi
|
|
|
|
exec ${prev.nixos-rebuild}/bin/nixos-rebuild "$@"
|
|
'';
|
|
})
|
|
];
|
|
|
|
virtualisation.docker = {
|
|
enable = true;
|
|
daemon.settings = {
|
|
"log-driver" = "local";
|
|
"log-opts" = {
|
|
"max-size" = "10m";
|
|
"max-file" = "3";
|
|
};
|
|
"live-restore" = true;
|
|
};
|
|
};
|
|
|
|
systemd.services.docker.serviceConfig = {
|
|
CPUQuota = "200%";
|
|
MemoryMax = "12G";
|
|
};
|
|
|
|
services.mongodb = {
|
|
enable = true;
|
|
enableAuth = false;
|
|
package = pkgs.mongodb-ce;
|
|
replSetName = "rs0"; # dangerous
|
|
bind_ip = "0.0.0.0";
|
|
};
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [
|
|
22
|
|
443
|
|
3000
|
|
3001
|
|
4067
|
|
8080
|
|
25565
|
|
];
|
|
allowedUDPPorts = [
|
|
22
|
|
443
|
|
3000
|
|
3001
|
|
4067
|
|
8080
|
|
25565
|
|
];
|
|
};
|
|
|
|
# Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config).
|
|
systemd.tmpfiles.rules = [
|
|
"z /etc/nixos 0555 root root - -"
|
|
];
|
|
|
|
# Force resolver config to Cloudflare only.
|
|
networking.nameservers = lib.mkForce [
|
|
"1.1.1.1"
|
|
"1.0.0.1"
|
|
];
|
|
environment.etc."resolv.conf".text = lib.mkForce ''
|
|
nameserver 1.1.1.1
|
|
nameserver 1.0.0.1
|
|
'';
|
|
|
|
catppuccin = {
|
|
enable = true;
|
|
flavor = "mocha";
|
|
accent = "blue";
|
|
gitea.enable = false;
|
|
};
|
|
|
|
system.stateVersion = "23.05"; # DO NOT TOUCH
|
|
|
|
}
|