initial commit

modules/nixos/common/default.nix

@@ -0,0 +1,14 @@
+{
+  imports = [
+    ./environment.nix
+    ./htop.nix
+    ./nationalization.nix
+    ./networking.nix
+    ./nix.nix
+    ./sudo.nix
+    ./well-known.nix
+    ./zsh.nix
+
+    ../../shared/common
+  ];
+}

modules/nixos/common/environment.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) mkDefault optionals;
+in
+{
+  environment.systemPackages =
+    with pkgs;
+    [
+      cryptsetup
+      curl
+      dig
+      dnsutils
+      fzf
+      gptfdisk
+      iproute2
+      jq
+      lm_sensors
+      lsof
+      netcat-openbsd
+      nettools
+      nixos-container
+      nmap
+      nurl
+      p7zip
+      pciutils
+      psmisc
+      rclone
+      rsync
+      tcpdump
+      tmux
+      tree
+      unzip
+      usbutils
+      wget
+      xxd
+      zip
+
+      (callPackage ../../../apps/rebuild { })
+    ]
+    ++ optionals (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) [
+      pkgs.kitty.terminfo
+    ];
+
+  environment.shellAliases = {
+    l = "ls -lh";
+    ll = "ls -lAh";
+    ports = "ss -tulpn";
+    publicip = "curl ifconfig.me/all";
+    sudo = "sudo "; # make aliases work with `sudo`
+  };
+
+  # saves one instance of nixpkgs.
+  environment.ldso32 = null;
+
+  boot.tmp.cleanOnBoot = mkDefault true;
+  boot.initrd.systemd.enable = mkDefault (!config.boot.swraid.enable && !config.boot.isContainer);
+}

modules/nixos/common/htop.nix

@@ -0,0 +1,8 @@
+{
+  programs.htop = {
+    enable = true;
+    settings = {
+      highlight_base_name = 1;
+    };
+  };
+}

modules/nixos/common/nationalization.nix

@@ -0,0 +1,31 @@
+{ lib, ... }:
+
+let
+  de = "de_DE.UTF-8";
+  en = "en_US.UTF-8";
+
+  inherit (lib) mkDefault;
+in
+{
+  i18n = {
+    defaultLocale = mkDefault en;
+    extraLocaleSettings = {
+      LC_ADDRESS = mkDefault de;
+      LC_IDENTIFICATION = mkDefault de;
+      LC_MEASUREMENT = mkDefault de;
+      LC_MONETARY = mkDefault de;
+      LC_NAME = mkDefault de;
+      LC_NUMERIC = mkDefault de;
+      LC_PAPER = mkDefault de;
+      LC_TELEPHONE = mkDefault de;
+      LC_TIME = mkDefault en;
+    };
+  };
+
+  console = {
+    font = mkDefault "Lat2-Terminus16";
+    keyMap = mkDefault "de";
+  };
+
+  time.timeZone = mkDefault "Europe/Berlin";
+}

modules/nixos/common/networking.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) mkDefault;
+  inherit (lib.utils) isNotEmptyStr;
+in
+{
+  config = {
+    assertions = [
+      {
+        assertion = isNotEmptyStr config.networking.domain;
+        message = "synix/nixos/common: config.networking.domain cannot be empty.";
+      }
+      {
+        assertion = isNotEmptyStr config.networking.hostName;
+        message = "synix/nixos/common: config.networking.hostName cannot be empty.";
+      }
+    ];
+
+    networking = {
+      domain = mkDefault "${config.networking.hostName}.local";
+      hostId = mkDefault "8425e349"; # same as NixOS install ISO and nixos-anywhere
+
+      # NetworkManager
+      useDHCP = false;
+      networkmanager = {
+        enable = true;
+        plugins = with pkgs; [
+          networkmanager-openconnect
+          networkmanager-openvpn
+        ];
+      };
+    };
+  };
+}

modules/nixos/common/nix.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) mkDefault;
+in
+{
+  nix = {
+    # use flakes
+    channel.enable = mkDefault false;
+
+    # De-duplicate store paths using hardlinks except in containers
+    # where the store is host-managed.
+    optimise.automatic = mkDefault (!config.boot.isContainer);
+  };
+}

modules/nixos/common/sudo.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    extraConfig = ''
+      Defaults lecture = never
+    '';
+  };
+
+  assertions =
+    let
+      validUsers = users: users == [ ] || users == [ "root" ];
+      validGroups = groups: groups == [ ] || groups == [ "wheel" ];
+      validUserGroups = builtins.all (
+        r: validUsers (r.users or [ ]) && validGroups (r.groups or [ ])
+      ) config.security.sudo.extraRules;
+    in
+    [
+      {
+        assertion = config.security.sudo.execWheelOnly -> validUserGroups;
+        message = "Some definitions in `security.sudo.extraRules` refer to users other than 'root' or groups other than 'wheel'. Disable `config.security.sudo.execWheelOnly`, or adjust the rules.";
+      }
+    ];
+}

modules/nixos/common/well-known.nix

@@ -0,0 +1,17 @@
+{
+  # avoid TOFU MITM
+  programs.ssh.knownHosts = {
+    "github.com".hostNames = [ "github.com" ];
+    "github.com".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+    "gitlab.com".hostNames = [ "gitlab.com" ];
+    "gitlab.com".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+
+    "git.sr.ht".hostNames = [ "git.sr.ht" ];
+    "git.sr.ht".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+  };
+  # TODO: add synix
+}

modules/nixos/common/zsh.nix

@@ -0,0 +1,26 @@
+{
+  programs.zsh = {
+    enable = true;
+    syntaxHighlighting = {
+      enable = true;
+      highlighters = [
+        "main"
+        "brackets"
+        "cursor"
+        "pattern"
+      ];
+      patterns = {
+        "rm -rf" = "fg=white,bold,bg=red";
+        "rm -fr" = "fg=white,bold,bg=red";
+      };
+    };
+    autosuggestions = {
+      enable = true;
+      strategy = [
+        "completion"
+        "history"
+      ];
+    };
+    enableLsColors = true;
+  };
+}