initial commit

modules/audio.nix

@@ -0,0 +1,21 @@
+{
+  security.rtkit.enable = true;
+  services.pulseaudio.enable = false;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+    wireplumber = {
+      enable = true;
+      extraConfig = {
+        "10-disable-camera" = {
+          "wireplumber.profiles" = {
+            main."monitor.libcamera" = "disabled";
+          };
+        };
+      };
+    };
+  };
+}

modules/direnv.nix

@@ -0,0 +1,8 @@
+{
+  programs.direnv = {
+    enable = true;
+    nix-direnv = {
+      enable = true;
+    };
+  };
+}

modules/fonts.nix

@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  fonts = {
+    packages = with pkgs; [
+      roboto
+      work-sans
+      comic-neue
+      source-sans
+      comfortaa
+      inter
+      lato
+      lexend
+      jost
+      dejavu_fonts
+      noto-fonts
+      noto-fonts-cjk-sans
+      noto-fonts-color-emoji
+      nerd-fonts.fira-code
+      nerd-fonts.meslo-lg
+      openmoji-color
+      twemoji-color-font
+    ];
+    enableDefaultPackages = false;
+  };
+}

modules/home-manager.nix

@@ -0,0 +1,6 @@
+{
+  home-manager = {
+    useUserPackages = true;
+    backupFileExtension = "backup";
+  };
+}

modules/motd.nix

@@ -0,0 +1,13 @@
+{
+  hostname,
+  system,
+  ...
+}:
+{
+  users.motd = ''
+    This is a NixOS machine.
+    Machine: ${hostname} (${system})
+    Configuration: https://git.ruject.fun/RuJect/nixos-infra
+    If you administer this machine, you can run 'nixos-update' to update the configuration
+  '';
+}

modules/nh.nix

@@ -0,0 +1,8 @@
+{
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = "/home/rus07tam/nixos-infra";
+  };
+}

modules/nix.nix

@@ -0,0 +1,39 @@
+{ lib, ... }:
+{
+  nixpkgs = {
+    hostPlatform = lib.mkDefault "x86_64-linux";
+    config.allowUnfree = true;
+  };
+
+  nix = {
+    channel.enable = false;
+    extraOptions = ''
+      warn-dirty = false
+    '';
+    settings = {
+      download-buffer-size = 262144000; # 250 MB
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      substituters = [
+        "https://cache.nixos.org?priority=10"
+        "https://hyprland.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://numtide.cachix.org"
+        "https://walker-git.cachix.org"
+      ];
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      trusted-public-keys = [
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+        "walker-git.cachix.org-1:vmC0ocfPWh0S/vRAQGtChuiZBTAe4wiKDeyyXM0/7pM="
+      ];
+    };
+  };
+}

modules/nixos-update.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  hostname = config.networking.hostName;
+  flakeDir = "/tmp/nixos-infra-flake";
+  updateScript = pkgs.writeShellScriptBin "nixos-update" ''
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    FLAKE_URL="ssh://forgejo@git.ruject.fun/RuJect/nixos-infra.git"
+    FLAKE_DIR="${flakeDir}"
+    REBUILD_CMD="nh os switch $FLAKE_DIR -H ${hostname}"
+
+    echo "→ Updating flake from git.ruject.fun..."
+
+    if [[ ! -d "$FLAKE_DIR/.git" ]]; then
+        echo "→ Cloning $FLAKE_DIR ..."
+        git clone --depth=1 "$FLAKE_URL" "$FLAKE_DIR"
+    else
+        echo "→ Repository $FLAKE_DIR already exists, updating..."
+        git -C "$FLAKE_DIR" fetch --depth=1
+        git -C "$FLAKE_DIR" reset --hard FETCH_HEAD
+    fi
+
+    echo "→ Will run:"
+    echo "    $REBUILD_CMD"
+
+    read -r -p "→ Continue? [Y/n] " answer
+    case "$answer" in
+        [Yy]*|"")
+            echo "→ Running..."
+            $REBUILD_CMD
+            ;;
+        *)
+            echo "→ Cancelled by user."
+            exit 0
+            ;;
+    esac
+
+    echo
+    echo "→ Done."
+  '';
+in
+{
+  environment.systemPackages = [
+    updateScript
+  ];
+
+  environment.interactiveShellInit = ''
+    echo "For update system use command:  nixos-update"
+  '';
+}

modules/opentablet.nix

@@ -0,0 +1,3 @@
+{
+  hardware.opentabletdriver.enable = true;
+}

modules/podman.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  virtualisation = {
+    containers.enable = true;
+    oci-containers.backend = "podman";
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    dockerSocket.enable = true;
+    dockerCompat = true;
+    defaultNetwork.settings.dns_enabled = false;
+  };
+
+  environment.systemPackages = with pkgs; [
+    podman
+    podman-compose
+  ];
+}

modules/remote-build.nix

@@ -0,0 +1,61 @@
+{ pkgs, ... }:
+{
+  sops.secrets = {
+    "remote-build/publicKey" = {
+      sopsFile = ./../secrets/common.yaml;
+      path = "/root/.ssh/remote-build.pub";
+      mode = "0644";
+      owner = "root";
+      group = "root";
+    };
+    "remote-build/privateKey" = {
+      sopsFile = ./../secrets/common.yaml;
+      path = "/root/.ssh/remote-build";
+      mode = "0600";
+      owner = "root";
+      group = "root";
+    };
+  };
+
+  services.openssh.settings.AllowUsers = [ "remotebuild" ];
+  users = {
+    users.remotebuild = {
+      isSystemUser = true;
+      group = "remotebuild";
+      shell = pkgs.bashInteractive;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDGsHMycO4DL/HlkyWbzSQ6fzeWwRje/pb44NNwrwB11 remotebuild@ruject"
+      ];
+    };
+    groups.remotebuild = { };
+  };
+
+  nix = {
+    distributedBuilds = true;
+    settings = {
+      builders-use-substitutes = true;
+      trusted-users = [ "remotebuild" ];
+    };
+
+    buildMachines = [
+      {
+        hostName = "ruject.fun";
+        sshUser = "remotebuild";
+        sshKey = "/root/.ssh/remote-build";
+        protocol = "ssh";
+        system = "x86_64-linux";
+        systems = [
+          "x86_64-linux"
+        ];
+        maxJobs = 4;
+        speedFactor = 2;
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+          "kvm"
+        ];
+      }
+    ];
+  };
+}

modules/security.nix

@@ -0,0 +1,32 @@
+{
+  security.sudo = {
+    enable = true;
+    extraRules = [
+      {
+        groups = [ "wheel" ];
+        commands = [
+          {
+            command = "/run/current-system/sw/bin/nixos-rebuild";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/nix";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/systemctl";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/reboot";
+            options = [ "NOPASSWD" ];
+          }
+          {
+            command = "/run/current-system/sw/bin/poweroff";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+  };
+}

modules/sops.nix

@@ -0,0 +1,19 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+{
+  _module.args = {
+    sec = config.sops.secrets;
+  };
+
+  environment.systemPackages = with pkgs; [
+    sops
+  ];
+
+  sops = {
+    defaultSopsFile = ./../secrets/common.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+}

modules/ssh.nix

@@ -0,0 +1,11 @@
+{
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+}

modules/throne.nix

@@ -0,0 +1,9 @@
+{
+  programs.throne = {
+    enable = true;
+    tunMode = {
+      enable = true;
+      setuid = true;
+    };
+  };
+}

modules/tmux.nix

@@ -0,0 +1,6 @@
+{
+  programs.tmux = {
+    enable = true;
+    clock24 = true;
+  };
+}