treewide: initial commit

2026-04-18 16:28:25 -04:00
commit 75532a931c
18 changed files with 1237 additions and 0 deletions
+120
@@ -0,0 +1,120 @@
{
inputs',
inputs,
lib,
pkgs,
self,
...
}:
let
inherit (lib)
mkDefault
mkIf
;
in
{
imports = with inputs; [
agenix.nixosModules.default
impermanence.nixosModules.default
nix-index-database.nixosModules.nix-index
./hardware.nix
./impermanence.nix
./modules
./programs.nix
./users.nix
];
nix = {
package = inputs'.nix-super.packages.default;
settings = {
auto-optimise-store = true;
experimental-features = [
"ca-derivations"
"flakes"
"nix-command"
];
log-lines = 500;
show-trace = true;
trusted-users = [
"@wheel"
];
min-free = 10 * 1024 * 1024 * 1024;
max-free = 50 * 1024 * 1024 * 1024;
};
registry =
let
mappedRegistry = lib.mapAttrs' (name: flake: lib.nameValuePair name { inherit flake; }) inputs;
in
mappedRegistry // { default = mappedRegistry.nixpkgs; };
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
};
boot = {
loader = {
grub = {
enable = mkDefault true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
splashImage = null;
configurationLimit = 100;
};
timeout = 5;
};
kernelParams = [
"boot.shell_on_fail"
"zswap.enabled=0"
];
binfmt = {
emulatedSystems = mkIf pkgs.stdenv.hostPlatform.isx86 [ "aarch64-linux" ];
preferStaticEmulators = true;
};
supportedFilesystems = [ "nfs" ];
};
networking = {
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
22
];
};
};
services = {
openssh.enable = true;
};
virtualisation.podman.enable = true;
zramSwap = {
enable = true;
algorithm = mkDefault "lzo-rle";
memoryPercent = 100;
};
nixpkgs.config.allowUnfree = true;
environment.etc."nixos/current".source = lib.cleanSource ./..;
system = {
configurationRevision = self.rev or self.dirtyRev;
stateVersion = "25.11";
};
}
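Review bot: `services.openssh.enable = true` in the `services` block, together with port 22 opened in `networking.firewall.allowedTCPPorts`, keeps the NixOS default of password authentication switched on, and nothing in this file sets `services.openssh.settings.PasswordAuthentication = false` or `services.openssh.settings.KbdInteractiveAuthentication = false`, so the fail2ban module added elsewhere in this commit is the only control on the exposed port. Setting both to false here and giving accounts `users.users.<name>.openssh.authorizedKeys.keys` removes that surface entirely. Two smaller items in the same file deserve a why-comment each: `trusted-users = [ "@wheel" ]` lets any wheel member hand the daemon arbitrary substituters and sandbox paths, which the Nix manual describes as equivalent to root access, and `boot.shell_on_fail` offers an unauthenticated root shell in the initrd when boot fails — both may be intended on a personal host, but the lines should say so.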
+35
@@ -0,0 +1,35 @@
{
inputs,
self,
withSystem,
...
}:
let
mkSystem =
name: system:
withSystem system (
{ inputs', self', ... }:
inputs.nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit
inputs
inputs'
self
self'
;
};
modules = [
"${self}/nixos/common.nix"
"${self}/nixos/hosts/${name}"
{ host = { inherit name; }; }
];
}
);
in
{
flake.nixosConfigurations = {
tuxcord-ca = mkSystem "tuxcord-ca" "x86_64-linux";
};
}
+26
@@ -0,0 +1,26 @@
{
boot = {
initrd.availableKernelModules = [
"nvme"
"usbhid"
"ahci"
"ehci_pci"
"rtsx_pci_sdmmc"
"sd_mod"
"sr_mod"
"usb_storage"
"virtio_blk"
"virtio_pci"
"virtio_scsi"
"xhci_pci"
];
kernelModules = [ "kvm-intel" ];
};
hardware = {
i2c.enable = true;
enableRedistributableFirmware = true;
};
}
+8
@@ -0,0 +1,8 @@
{
imports = [
./hardware.nix
./storage.nix
];
time.timeZone = "Canada/Eastern";
}
+7
@@ -0,0 +1,7 @@
{
boot.initrd.availableKernelModules = [
"ata_piix"
"sr_mod"
"xen_blkfront"
];
}
+37
@@ -0,0 +1,37 @@
{
fileSystems =
let
defaultOptions = [ "compress=zstd" ];
in
{
"/boot" = {
device = "/dev/xvda1";
fsType = "vfat";
options = [ "umask=0077" ];
};
"/" = {
device = "/dev/xvda2";
fsType = "btrfs";
options = [ "subvol=@" ] ++ defaultOptions;
};
"/nix" = {
device = "/dev/xvda2";
fsType = "btrfs";
options = [ "subvol=@nix" ] ++ defaultOptions;
};
"/home" = {
device = "/dev/xvda2";
fsType = "btrfs";
options = [ "subvol=@home" ] ++ defaultOptions;
};
"/persist" = {
device = "/dev/xvda2";
fsType = "btrfs";
options = [ "subvol=@persist" ] ++ defaultOptions;
};
};
}
+94
@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
boot.initrd.systemd = {
extraBin = {
"mkdir" = "${pkgs.coreutils}/bin/mkdir";
"date" = "${pkgs.coreutils}/bin/date";
"stat" = "${pkgs.coreutils}/bin/stat";
"mv" = "${pkgs.coreutils}/bin/mv";
"find" = lib.getExe pkgs.findutils;
"btrfs" = lib.getExe pkgs.btrfs-progs;
};
services.impermanence-btrfs-rolling-root = {
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
requiredBy = [ "initrd.target" ];
before = [ "sysroot.mount" ];
requires = [ "initrd-root-device.target" ];
after = [
"initrd-root-device.target"
"local-fs-pre.target"
];
script = ''
mkdir /impermanence_tmp
mount /dev/disk/by-label/${config.host.name} /impermanence_tmp || mount /dev/disk/by-label/NIXOS_SD /impermanence_tmp
timestamp=$(date --date="@$(stat -c %Y /impermanence_tmp/@)" "+%Y-%m-%d_%H:%M:%S")
if [[ -e /impermanence_tmp/@ ]]; then
mkdir -p /impermanence_tmp/roots
mv /impermanence_tmp/@ "/impermanence_tmp/roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/impermanence_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /impermanence_tmp/roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /impermanence_tmp/@
umount /impermanence_tmp
'';
};
};
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
directories = [
"/etc/ssh"
"/export"
"/mnt"
"/var/db/sudo/lectured"
"/var/lib/nfs"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/var/log"
];
files = [
"/etc/machine-id"
];
};
services.openssh.hostKeys =
let
statePath = config.environment.persistence."/persist".persistentStoragePath + "/etc/ssh";
in
[
{
path = statePath + "/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
{
path = statePath + "/ssh_host_ed25519_key";
type = "ed25519";
}
];
}
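Review bot: `timestamp=$(date --date="@$(stat -c %Y /impermanence_tmp/@)" ...)` runs before the `if [[ -e /impermanence_tmp/@ ]]` guard, so on a disk where `@` does not exist yet (first boot, or after a manual wipe) `stat` fails and `date` is handed a bare `@`; if the generated service script runs under `set -e`, as NixOS service scripts normally do, the unit aborts before `btrfs subvolume create /impermanence_tmp/@` and the root never appears — move the assignment inside the `if` block. `find /impermanence_tmp/roots/ -maxdepth 1 -mtime +30` also matches `roots/` itself if its mtime is ever old enough, which would pass a plain directory to `btrfs subvolume delete`; add `-mindepth 1`. `delete_subvolume_recursively` sets `IFS=$'\n'` without `local`, so the changed IFS leaks into the later `for i in $(find ...)` loop; declare it `local IFS=$'\n'`. Lastly `${config.host.name}` is spliced unquoted into the `mount` command, so double-quote that argument (or wrap the name with `lib.escapeShellArg`) so a hostname containing shell metacharacters cannot alter the command.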
+9
@@ -0,0 +1,9 @@
{
imports = [
./fail2ban.nix
./sysctl.nix
./host.nix
./snapper.nix
./substituters.nix
];
}
+41
@@ -0,0 +1,41 @@
{ config, lib, ... }:
let
cfg = config.fail2ban;
inherit (lib)
mkEnableOption
mkIf
;
in
{
options.fail2ban = {
enable = mkEnableOption "" // {
default = true;
};
};
config = mkIf cfg.enable {
networking.firewall.logRefusedConnections = false;
services.fail2ban = {
enable = true;
maxretry = 6;
bantime = "5m";
bantime-increment = {
enable = true;
multipliers = "1 2 6 24 288 864 2016 8640";
rndtime = "5m";
};
jails = {
DEFAULT.settings.findtime = "15m";
sshd = lib.mkForce ''
enabled = true
mode = aggressive
port = ${lib.strings.concatMapStringsSep "," toString config.services.openssh.ports}
'';
};
};
};
}
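Review bot: `mkEnableOption ""` for `options.fail2ban.enable` yields the generated description "Whether to enable ." in option docs and `nixos-option`, which tells a reader nothing; pass a short noun phrase, e.g. `enable = mkEnableOption "the fail2ban hardening defaults" // { default = true; };`. The same empty description is used in the snapper, substituters and sysctl modules of this commit, and `host.name` (host.nix) and `snapper.interval` carry no `description` at all. Since `lib.mkForce` on `jails.sshd` presumably replaces the NixOS module's own sshd jail wholesale, a one-line comment above it such as `# replace the default jail so port= tracks services.openssh.ports` would spare the next reader a trip to the nixpkgs source.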
+15
@@ -0,0 +1,15 @@
{ config, lib, ... }:
let
cfg = config.host;
inherit (lib) mkOption types;
in
{
options.host = {
name = mkOption { type = types.str; };
};
config = {
environment.variables.HOSTNAME = cfg.name;
networking.hostName = cfg.name;
};
}
+61
@@ -0,0 +1,61 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.snapper;
inherit (lib)
mkEnableOption
mkOption
mkIf
types
;
in
{
options.snapper = {
enable = mkEnableOption "" // {
default = true;
};
interval = mkOption {
default = "daily";
type = types.str;
};
};
config = mkIf cfg.enable {
services.snapper = {
snapshotInterval = cfg.interval;
configs = {
home = {
SUBVOLUME = "/home";
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_LIMIT_HOURLY = 24;
TIMELINE_LIMIT_DAILY = 7;
TIMELINE_LIMIT_WEEKLY = 0;
TIMELINE_LIMIT_MONTHLY = 3;
TIMELINE_LIMIT_YEARLY = 0;
};
persist = {
SUBVOLUME = "/persist";
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
TIMELINE_LIMIT_HOURLY = 24;
TIMELINE_LIMIT_DAILY = 7;
TIMELINE_LIMIT_WEEKLY = 0;
TIMELINE_LIMIT_MONTHLY = 3;
TIMELINE_LIMIT_YEARLY = 0;
};
};
};
environment.systemPackages = [ pkgs.snapper ];
};
}
+43
@@ -0,0 +1,43 @@
{
config,
lib,
...
}:
let
cfg = config.substituters;
inherit (lib)
mkEnableOption
mkIf
optionals
;
in
{
options.substituters = {
enable = mkEnableOption "" // {
default = true;
};
garnix = mkEnableOption "" // {
default = true;
};
nix-community = mkEnableOption "" // {
default = true;
};
};
config = mkIf cfg.enable {
nix.settings = {
substituters =
(optionals cfg.garnix [ "https://cache.garnix.io" ])
++ (optionals cfg.nix-community [ "https://nix-community.cachix.org" ]);
trusted-public-keys =
(optionals cfg.garnix [
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
])
++ (optionals cfg.nix-community [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
]);
};
};
}
+27
@@ -0,0 +1,27 @@
{
config,
lib,
...
}:
let
cfg = config.sysctl;
inherit (lib)
mkEnableOption
mkIf
;
in
{
options.sysctl = {
enable = mkEnableOption "" // {
default = true;
};
};
config = mkIf cfg.enable {
boot.kernel.sysctl = {
"vm.page-cluster" = 0;
"vm.swappiness" = 100;
"vm.watermark_boost_factor" = 1;
};
};
}
+101
@@ -0,0 +1,101 @@
{
inputs',
lib,
pkgs,
...
}:
let
inherit (lib) mkForce;
in
{
programs = {
fish = {
enable = true;
shellAliases = mkForce { };
};
zsh.enable = true;
git = {
enable = true;
lfs.enable = true;
};
gnupg.agent.enable = true;
ssh.startAgent = true;
nix-index-database.comma.enable = true;
nix-index = {
enableBashIntegration = false;
enableFishIntegration = false;
enableZshIntegration = false;
};
nix-ld.enable = true;
};
environment.systemPackages = with pkgs; [
atop
bat
btdu
compsize
croc
deadnix
delta
difftastic
dnsutils
doggo
duf
dust
efibootmgr
eza
fastfetch
fd
file
gcc
gnumake
gnupg
htop
hwatch
inputs'.agenix.packages.default
inputs'.nix-alien.packages.default
inputs'.nix-super.packages.default
inxi
jq
jujutsu
killall
lsof
man-pages
multipath-tools
ncdu
neovim
nh
nix-output-monitor
openssl
parted
perf
pinentry-curses
procs
progress
pstree
pv
python3
python3Packages.btrfs
ripgrep
screen
smartmontools
smem
socat
sshfs
statix
sysstat
tcpdump
tmux
unzip
vgrep
vim
whois
];
}
+27
@@ -0,0 +1,27 @@
{ pkgs, ... }:
{
users.users =
let
adminGroups = [
"adm"
"named"
"networkmanager"
"nginx"
"tuxcord"
"wheel"
];
in
{
error = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = adminGroups;
};
javalsai = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = adminGroups;
};
};
}
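Review bot: both accounts are declared with `isNormalUser = true` and no `hashedPassword`, `hashedPasswordFile` or `openssh.authorizedKeys`, and nothing in the commit sets `users.mutableUsers`, so it stays at its default of true; with the impermanence module in this same commit replacing `/` on every boot and persisting only `/var/lib/nixos`, a password set with `passwd` lives in the discarded `/etc/shadow` and, as far as I can see, is gone after the next reboot, leaving the wheel accounts unable to log in or `sudo`. Set `users.mutableUsers = false;` in this file and give each account a `hashedPasswordFile` (agenix is already imported in common.nix) or SSH keys. Whether the `named`, `nginx` and `tuxcord` groups exist on this host is not visible here; if one is missing the activation script warns and drops it, so a comment naming the module that defines them would help.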