diff --git a/modules/base/group-base.nix b/modules/base/group-base.nix
new file mode 100644
index 0000000..f5e8caa
--- /dev/null
+++ b/modules/base/group-base.nix
@@ -0,0 +1,24 @@
+{ inputs, config, ... }: {
+ flake.nixosModules.base-sys-group = {
+ imports = with inputs.self.nixosModules; [
+ base-sys-boot
+ base-sys-firmware
+ base-sys-hm
+ base-sys-locale
+ base-sys-network
+ base-sys-nix-settings
+ base-sys-rtkit
+ base-sys-shellapps
+ base-sys-sshd
+ base-sys-version
+ base-sys-zsh
+ ];
+ };
+
+ flake.homeModules.base-usr-group = { ... }: {
+ imports = with config.flake.homeModules; [
+ base-usr-git-all
+ base-usr-zsh-all
+ ];
+ };
+}
diff --git a/modules/base/sys/boot.nix b/modules/base/sys/boot.nix
new file mode 100644
index 0000000..7941c8d
--- /dev/null
+++ b/modules/base/sys/boot.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+ flake.nixosModules.base-sys-boot = {
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.systemd-boot.consoleMode = "max";
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.timeout = 1;
+ boot.consoleLogLevel = 0;
+ boot.initrd.verbose = false;
+ boot.initrd.enable = true;
+ boot.plymouth.enable = true;
+ boot.plymouth.theme = "bgrt";
+ };
+}
diff --git a/modules/base/sys/firmware.nix b/modules/base/sys/firmware.nix
new file mode 100644
index 0000000..e12c676
--- /dev/null
+++ b/modules/base/sys/firmware.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ flake.nixosModules.base-sys-firmware = {
+ services.fwupd.enable = true;
+ hardware.enableAllFirmware = true;
+ };
+}
diff --git a/modules/base/sys/hm.nix b/modules/base/sys/hm.nix
new file mode 100644
index 0000000..1c0f859
--- /dev/null
+++ b/modules/base/sys/hm.nix
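Review bot: The two import lists in group-base.nix resolve modules through different paths — `with inputs.self.nixosModules` for the system group and `with config.flake.homeModules` for the home group — and the same split recurs in modules/desktop/group-desktop.nix and modules/hosts/computer-mo/imports.nix. Going through `inputs.self` re-enters the flake's own outputs, while `config.flake.*` reads the flake-parts option directly; pick one, preferably `with config.flake.nixosModules;` so both lists in this file are evaluated the same way. If `inputs.self` is deliberate (for example to reference outputs not defined via flake-parts), a one-line comment above the first `imports =` saying so would save the next reader the question.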
@@ -0,0 +1,21 @@
+{ inputs, config, ... }:
+{
+ flake.nixosModules.base-sys-hm = {
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ (
+ { lib, ... }:
+ {
+ home-manager = {
+ verbose = true;
+ useUserPackages = true;
+ useGlobalPkgs = true;
+ backupFileExtension = "backup";
+ backupCommand = "rm";
+ overwriteBackup = true;
+ };
+ }
+ )
+ ];
+ };
+}
diff --git a/modules/base/sys/locale.nix b/modules/base/sys/locale.nix
new file mode 100644
index 0000000..b508baf
--- /dev/null
+++ b/modules/base/sys/locale.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ flake.nixosModules.base-sys-locale = {
+ time.timeZone = "Europe/Berlin";
+ i18n.defaultLocale = "de_DE.UTF-8";
+ console.keyMap = "de";
+ services.xserver.xkb.layout = "de";
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "de_DE.UTF-8";
+ LC_IDENTIFICATION = "de_DE.UTF-8";
+ LC_MEASUREMENT = "de_DE.UTF-8";
+ LC_MONETARY = "de_DE.UTF-8";
+ LC_NAME = "de_DE.UTF-8";
+ LC_NUMERIC = "de_DE.UTF-8";
+ LC_PAPER = "de_DE.UTF-8";
+ LC_TELEPHONE = "de_DE.UTF-8";
+ LC_TIME = "de_DE.UTF-8";
+ };
+ };
+}
diff --git a/modules/base/sys/network.nix b/modules/base/sys/network.nix
new file mode 100644
index 0000000..2241b84
--- /dev/null
+++ b/modules/base/sys/network.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ flake.nixosModules.base-sys-network = {lib, host, ... }:{
+ networking.firewall.enable = true;
+ networking.networkmanager.enable = true;
+ networking.hostName = host;
+ };
+}
diff --git a/modules/base/sys/nix-settings.nix b/modules/base/sys/nix-settings.nix
new file mode 100644
index 0000000..7dda442
--- /dev/null
+++ b/modules/base/sys/nix-settings.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ flake.nixosModules.base-sys-nix-settings = {
+ nixpkgs.config.allowUnfree = true;
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ };
+}
diff --git a/modules/base/sys/rtkit.nix b/modules/base/sys/rtkit.nix
new file mode 100644
index 0000000..b44fb5e
--- /dev/null
+++ b/modules/base/sys/rtkit.nix
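Review bot: The pairing of `backupFileExtension = "backup"` with `backupCommand = "rm"` and `overwriteBackup = true` in hm.nix is contradictory on its face — a backup extension is declared, but the command that handles the colliding file appears to be a plain delete. If these two options do what their names suggest, any pre-existing dotfile that home-manager wants to manage is destroyed on activation rather than preserved, which matters for a fresh install where `~/.zshrc` or `~/.gitconfig` may already hold the user's own content. Either drop the `rm`/overwrite pair and keep the real backup, or add a comment above `home-manager = {` stating that clobbering existing files is intended. The inner module also binds `{ lib, ... }` without using `lib`; `{ ... }:` is enough.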
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.nixosModules.base-sys-rtkit = {
+ security.rtkit.enable = true;
+ };
+}
diff --git a/modules/base/sys/shellapps.nix b/modules/base/sys/shellapps.nix
new file mode 100644
index 0000000..c5fd481
--- /dev/null
+++ b/modules/base/sys/shellapps.nix
@@ -0,0 +1,11 @@
+{ ... }: {
+ flake.nixosModules.base-sys-shellapps = { pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ wget
+ git
+ nil
+ yaml-language-server
+ tree
+ ];
+ };
+}
diff --git a/modules/base/sys/sshd.nix b/modules/base/sys/sshd.nix
new file mode 100644
index 0000000..e05ffec
--- /dev/null
+++ b/modules/base/sys/sshd.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.nixosModules.base-sys-sshd = { config, ... }: {
+ services.openssh.enable = true;
+ };
+}
diff --git a/modules/base/sys/version.nix b/modules/base/sys/version.nix
new file mode 100644
index 0000000..838835c
--- /dev/null
+++ b/modules/base/sys/version.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.nixosModules.base-sys-version = {
+ system.stateVersion = "25.11";
+ };
+}
diff --git a/modules/base/sys/zsh.nix b/modules/base/sys/zsh.nix
new file mode 100644
index 0000000..ef9851f
--- /dev/null
+++ b/modules/base/sys/zsh.nix
@@ -0,0 +1,12 @@
+{ ... }: {
+ flake.nixosModules.base-sys-zsh = { pkgs, ... }: {
+ programs.zsh.enable = true;
+ programs.zsh.enableCompletion = true;
+ programs.zsh.syntaxHighlighting.enable = true;
+ programs.zsh.autosuggestions.enable = true;
+ programs.zsh.autosuggestions.async = true;
+ programs.zsh.ohMyZsh.enable = true;
+ programs.zsh.ohMyZsh.theme = "agnoster";
+ users.defaultUserShell = pkgs.zsh;
+ };
+}
diff --git a/modules/base/usr/dotfiles/zsh-config b/modules/base/usr/dotfiles/zsh-config
new file mode 100644
index 0000000..e69de29
diff --git a/modules/base/usr/git-all.nix b/modules/base/usr/git-all.nix
new file mode 100644
index 0000000..01eb595
--- /dev/null
+++ b/modules/base/usr/git-all.nix
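Review bot: `services.openssh.enable = true;` in sshd.nix turns on a network-facing login service with stock settings, and because base-sys-network enables the firewall, openssh's default of opening its port means password logins for the `mo` account (which has a password via sops in modules/users/mo.nix) are reachable from the LAN in this base group. Since this module is part of every host that imports base-sys-group, it is the right place to lock the daemon down: `services.openssh.settings.PasswordAuthentication = false;`, `services.openssh.settings.KbdInteractiveAuthentication = false;`, `services.openssh.settings.PermitRootLogin = "no";`, with the key for `mo` provisioned through `users.users.mo.openssh.authorizedKeys.keys`. If sshd is only wanted on some hosts, consider moving it out of the base group so a desktop host does not expose it by default. The `{ config, ... }` argument is unused and can be `{ ... }:`.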
@@ -0,0 +1,13 @@
+{ inputs, ... }: {
+ flake.homeModules.base-usr-git-all = { ... }: {
+ programs.git = {
+ enable = true;
+ settings.user.name = "Mohamed Chrayed";
+ settings.user.email = "mohamed@chrayed.de";
+ settings = {
+ init.defaultBranch = "main";
+ core.editor = "nano";
+ };
+ };
+ };
+}
diff --git a/modules/base/usr/zsh-all.nix b/modules/base/usr/zsh-all.nix
new file mode 100644
index 0000000..053f6e5
--- /dev/null
+++ b/modules/base/usr/zsh-all.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.homeModules.base-usr-zsh-all = { ... }: {
+ home.file.".zshrc".source = ./dotfiles/zsh-config;
+ };
+}
diff --git a/modules/desktop/group-desktop.nix b/modules/desktop/group-desktop.nix
new file mode 100644
index 0000000..9427b07
--- /dev/null
+++ b/modules/desktop/group-desktop.nix
@@ -0,0 +1,13 @@
+{ inputs, ... }: {
+ flake.nixosModules.desktop-sys-group = {
+ imports = with inputs.self.nixosModules; [
+ desktop-sys-bluetooth
+ desktop-sys-fonts
+ desktop-sys-gpu-amd
+ desktop-sys-input
+ desktop-sys-printing
+ desktop-sys-sound
+ desktop-sys-miscapps
+ ];
+ };
+}
diff --git a/modules/desktop/sys/bluetooth.nix b/modules/desktop/sys/bluetooth.nix
new file mode 100644
index 0000000..58ac094
--- /dev/null
+++ b/modules/desktop/sys/bluetooth.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-bluetooth = {
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.powerOnBoot = true;
+ };
+}
diff --git a/modules/desktop/sys/fonts.nix b/modules/desktop/sys/fonts.nix
new file mode 100644
index 0000000..0d2a2d6
--- /dev/null
+++ b/modules/desktop/sys/fonts.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-fonts = { pkgs-unstable, ... }: {
+ environment.systemPackages = with pkgs-unstable; [
+ ibm-plex
+ adwaita-fonts
+ ];
+ };
+}
diff --git a/modules/desktop/sys/gpu-amd.nix b/modules/desktop/sys/gpu-amd.nix
new file mode 100644
index 0000000..0833091
--- /dev/null
+++ b/modules/desktop/sys/gpu-amd.nix
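Review bot: `home.file.".zshrc".source = ./dotfiles/zsh-config;` in zsh-all.nix points at a file this commit adds with blob id e69de29, which is the empty blob, so the module installs an empty `~/.zshrc` over whatever the user had (and with the backup settings in modules/base/sys/hm.nix the old file is not kept). If the dotfile is a placeholder, a comment on the `home.file` line such as `# zsh-config is intentionally empty for now; system-wide zsh config comes from base-sys-zsh` makes that explicit; otherwise hold the module until the file has content. In git-all.nix, `{ inputs, ... }` is bound but unused and can be `{ ... }:`.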
@@ -0,0 +1,16 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-gpu-amd = { pkgs, ... }: {
+ boot.initrd.kernelModules = [ "amdgpu" ];
+ boot.kernelModules = [ "amdgpu" ];
+
+ hardware.amdgpu.initrd.enable = true;
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vulkan-tools
+ ];
+ };
+}
diff --git a/modules/desktop/sys/input.nix b/modules/desktop/sys/input.nix
new file mode 100644
index 0000000..07996bf
--- /dev/null
+++ b/modules/desktop/sys/input.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-input = {
+ services.libinput.enable = true;
+ };
+}
diff --git a/modules/desktop/sys/miscapps.nix b/modules/desktop/sys/miscapps.nix
new file mode 100644
index 0000000..6e5dbb3
--- /dev/null
+++ b/modules/desktop/sys/miscapps.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-miscapps = { pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ vesktop
+ pciutils
+ aha
+ ];
+ };
+}
diff --git a/modules/desktop/sys/printing.nix b/modules/desktop/sys/printing.nix
new file mode 100644
index 0000000..76a5593
--- /dev/null
+++ b/modules/desktop/sys/printing.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-printing = {
+ services.printing.enable = true;
+ };
+}
diff --git a/modules/desktop/sys/sound.nix b/modules/desktop/sys/sound.nix
new file mode 100644
index 0000000..c6b6235
--- /dev/null
+++ b/modules/desktop/sys/sound.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+ flake.nixosModules.desktop-sys-sound = { ... }: {
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+ };
+}
diff --git a/modules/disks/sys/singledisk.nix b/modules/disks/sys/singledisk.nix
new file mode 100644
index 0000000..35df87d
--- /dev/null
+++ b/modules/disks/sys/singledisk.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ flake.nixosModules.disks-sys-singledisk = {
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [{
+ device = "/var/lib/swapfile";
+ size = 16 * 1024;
+ }];
+ };
+}
diff --git a/modules/gaming/sys/controller.nix b/modules/gaming/sys/controller.nix
new file mode 100644
index 0000000..9f6bd46
--- /dev/null
+++ b/modules/gaming/sys/controller.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ flake.nixosModules.gaming-sys-controller = { ... }: {
+ services.udev.extraRules = ''
+ ACTION=="add|change", KERNEL=="event[0-9]*", ATTRS{name}=="*Wireless Controller Touchpad", ENV{LIBINPUT_IGNORE_DEVICE}="1"
+ '';
+ };
+}
diff --git a/modules/gaming/sys/jovian.nix b/modules/gaming/sys/jovian.nix
new file mode 100644
index 0000000..424b44f
--- /dev/null
+++ b/modules/gaming/sys/jovian.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ flake.nixosModules.gaming-sys-jovian = { ... }:{
+ jovian.steam.enable = true;
+ jovian.steam.autoStart = true;
+ jovian.steam.user = deck;
+ jovian.steam.desktopSession = "gnome";
+ };
+}
diff --git a/modules/gaming/sys/lact.nix b/modules/gaming/sys/lact.nix
new file mode 100644
index 0000000..4fc4f6a
--- /dev/null
+++ b/modules/gaming/sys/lact.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ flake.nixosModules.gaming-sys-lact = {
+ services.lact.enable = true;
+ hardware.amdgpu.overdrive.enable = true;
+ };
+}
diff --git a/modules/gaming/sys/steam.nix b/modules/gaming/sys/steam.nix
new file mode 100644
index 0000000..343c8e9
--- /dev/null
+++ b/modules/gaming/sys/steam.nix
@@ -0,0 +1,17 @@
+{ ... }: {
+ flake.nixosModules.gaming-sys-steam = { pkgs-unstable, ... }: {
+ programs.steam = {
+ enable = true;
+ extest.enable = true;
+
+ extraCompatPackages = with pkgs-unstable; [
+ proton-ge-bin
+ ];
+
+ extraPackages = with pkgs-unstable; [
+ gamescope
+ mangohud
+ ];
+ };
+ };
+}
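Review bot: The root filesystem in singledisk.nix is a plain xfs volume found by label with no LUKS or other encryption layer, and a 16 GiB swapfile lives on it; this is the same host that gets `security-sys-secureboot` and `security-sys-sopsnix` in modules/hosts/computer-mo/imports.nix. Secure Boot protects the boot chain but not data at rest, so the decrypted material sops-nix produces at activation, the user's home directory, and anything paged out to `/var/lib/swapfile` are all readable to anyone with the disk. If an unencrypted disk is an accepted trade-off for this machine, say so in a comment above `fileSystems."/"` so the secure-boot module is not read as implying full-disk protection; otherwise the root device (and the swap) should sit on an encrypted volume. The `fmask=0077`/`dmask=0077` options on `/boot` are a good call and worth keeping.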
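Review bot: `jovian.steam.user = deck;` in jovian.nix references an identifier `deck` that is not bound anywhere in the file — the option takes a user name string, so this should be `jovian.steam.user = "deck";` (and that user must actually exist on the host; the only user defined in this commit is `mo`). The error is latent today because no host imports gaming-sys-jovian, but it will surface as an undefined-variable evaluation failure the moment one does. The file also does not import the Jovian NixOS module itself; if that import is not provided elsewhere, the `jovian.*` options will be undefined as well, so an `imports = [ inputs.jovian.nixosModules.jovian ];` line (or a comment naming where the import lives) belongs here.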
diff --git a/modules/gnome/sys/gdm-mo.nix b/modules/gnome/sys/gdm-mo.nix
new file mode 100644
index 0000000..0b8c755
--- /dev/null
+++ b/modules/gnome/sys/gdm-mo.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ flake.nixosModules.gnome-sys-gdm-mo = { ... }:{
+ services.displayManager.autoLogin.enable = true;
+ services.displayManager.autoLogin.user = "mo";
+ };
+}
diff --git a/modules/gnome/sys/gdm.nix b/modules/gnome/sys/gdm.nix
new file mode 100644
index 0000000..a1a7d2b
--- /dev/null
+++ b/modules/gnome/sys/gdm.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ flake.nixosModules.gnome-sys-gdm = { ... }:{
+ services.displayManager.gdm.enable = true;
+ };
+}
diff --git a/modules/gnome/sys/gnome-apps.nix b/modules/gnome/sys/gnome-apps.nix
new file mode 100644
index 0000000..b0d5573
--- /dev/null
+++ b/modules/gnome/sys/gnome-apps.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+ flake.nixosModules.gnome-sys-gnome-apps = { pkgs-unstable, ...}:{
+ environment.systemPackages = with pkgs-unstable; [
+ adw-gtk3
+ refine
+ nautilus
+ nautilus-python
+ sushi
+ gnome-text-editor
+ gnome-console
+ loupe
+ cine
+ tsukimi
+ ];
+ };
+}
diff --git a/modules/gnome/sys/gnome.nix b/modules/gnome/sys/gnome.nix
new file mode 100644
index 0000000..8d17b57
--- /dev/null
+++ b/modules/gnome/sys/gnome.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ flake.nixosModules.gnome-sys-gnome = { pkgs, ... }: {
+ services.desktopManager.gnome.enable = true;
+ services.gnome.core-apps.enable = false;
+ services.gnome.core-developer-tools.enable = false;
+ services.gnome.games.enable = false;
+ };
+}
diff --git a/modules/gnome/usr/gnome-mo.nix b/modules/gnome/usr/gnome-mo.nix
new file mode 100644
index 0000000..6ba13f0
--- /dev/null
+++ b/modules/gnome/usr/gnome-mo.nix
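Review bot: `services.displayManager.autoLogin.enable = true;` with `autoLogin.user = "mo"` in gdm-mo.nix removes the one interactive check that stands between physical access and an unlocked session for the `wheel` user, and on this host the disk is also unencrypted (modules/disks/sys/singledisk.nix), so the sops-managed password hash in modules/users/mo.nix is only ever enforced for sudo and SSH. That may be exactly what a couch gaming box wants, but it is a deliberate posture and deserves a comment above the `autoLogin` lines stating it. Note also that GNOME Keyring cannot be unlocked by PAM on an autologin session, so users of this module should expect keyring prompts after login.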
@@ -0,0 +1,122 @@
+{ ... }: {
+ flake.homeModules.gnome-usr-gnome-mo = { ... }: {
+ dconf.settings = {
+ "org/gnome/shell/keybindings" = {
+ focus-active-notification = [];
+ open-new-window-application-1 = [];
+ open-new-window-application-2 = [];
+ open-new-window-application-3 = [];
+ open-new-window-application-4 = [];
+ open-new-window-application-5 = [];
+ open-new-window-application-6 = [];
+ open-new-window-application-7 = [];
+ open-new-window-application-8 = [];
+ open-new-window-application-9 = [];
+ toggle-message-tray = ["N"];
+ };
+ "org/gnome/settings-daemon/plugins/media-keys" = {
+ help = [];
+ home = ["E"];
+ screenreader = [];
+ magnifier = [];
+ magnifier-zoom-in = [];
+ magnifier-zoom-out = [];
+ };
+ "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
+ command = ["kgx --tab"];
+ name = ["Console"];
+ };
+ "org/gnome/desktop/wm/keybindings" = {
+ activate-window-menu = [];
+ always-on-top = ["T"];
+ begin-move = ["M"];
+ begin-resize = ["R"];
+ close = ["Q"];
+ cycle-group = [];
+ cycle-group-backward = [];
+ cycle-panels = [];
+ cycle-panels-backward = [];
+ cycle-windows = [];
+ cycle-windows-backward = [];
+ lower = [];
+ maximize = [];
+ maximize-horizontally = [];
+ minimize = ["Down"];
+ move-to-monitor-down = [];
+ move-to-monitor-left = [];
+ move-to-monitor-right = [];
+ move-to-monitor-up = [];
+ move-to-workspace-1 = [];
+ move-to-workspace-down = [];
+ move-to-workspace-last = [];
+ move-to-workspace-left = [];
+ move-to-workspace-right = [];
+ move-to-workspace-up = [];
+ show-desktop = ["D"];
+ switch-applications = ["Tab"];
+ switch-applications-backward = ["Tab"];
+ switch-group = ["Tab"];
+ switch-group-backward = ["Tab"];
+ panel-run-dialog = ["Space"];
+ switch-input-source = [];
+ switch-input-source-backward = [];
+ switch-panels = [];
+ switch-panels-backward = [];
+ switch-to-workspace-1 = [];
+ switch-to-workspace-down = [];
+ switch-to-workspace-last = [];
+ switch-to-workspace-left = [];
+ switch-to-workspace-right = [];
+ switch-to-workspace-up = [];
+ toggle-fullscreen = ["F"];
+ toggle-maximized = ["Up"];
+ toggle-on-all-workspaces = ["S"];
+ unmaximize = [];
+ };
+ "org/gnome/mutter" = {
+ experimental-features = ["variable-refresh-rate"];
+ center-new-windows = true;
+ edge-tiling = true;
+ dynamic-workspaces = true;
+ };
+ "org/gnome/desktop/interface" = {
+ font-name = "IBM Plex Sans 11";
+ document-font-name = "IBM Plex Sans 11";
+ monospace-font-name = "IBM Plex Mono 11";
+ gtk-theme = "adw-gtk3";
+ enable-hot-corners = false;
+ cursor-theme = "Adwaita";
+ };
+ "org/gnome/shell/extensions/rounded-window-corners-reborn" = {
+ border-width = -2;
+ skip-libadwaita-app = false;
+ };
+ "org/gnome/shell/extensions/clipboard-indicator" = {
+ toggle-menu = ["V"];
+ };
+ "org/gnome/shell/extensions/azwallpaper" = {
+ slideshow-use-absolute-time-for-duration = true;
+ };
+ "org/gnome/desktop/background" = {
+ color-shading-type = "solid";
+ picture-options = "zoom";
+ };
+ "org/gnome/shell/extensions/nightthemeswitcher/commands" = {
+ enabled = true;
+ sunrise = "gsettings set org.gnome.desktop.interface gtk-theme 'adw-gtk3' && gsettings set org.gnome.desktop.interface color-scheme 'default'";
+ sunset = "gsettings set org.gnome.desktop.interface gtk-theme 'adw-gtk3-dark' && gsettings set org.gnome.desktop.interface color-scheme 'prefer-dark'";
+ };
+ "org/gnome/shell" = {
+ enabled-extensions = [
+ "light-style@gnome-shell-extensions.gcampax.github.com"
+ "clipboard-indicator@tudmotu.com"
+ "AlphabeticalAppGrid@stuarthayhurst"
+ "rounded-window-corners@fxgn"
+ "appindicatorsupport@rgcjonas.gmail.com"
+ "nightthemeswitcher@romainvigier.fr"
+ "azwallpaper@azwallpaper.gitlab.com"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/hosts/computer-mo/hardware.nix b/modules/hosts/computer-mo/hardware.nix
new file mode 100644
index 0000000..1f88e94
--- /dev/null
+++ b/modules/hosts/computer-mo/hardware.nix
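Review bot: Every non-empty keybinding in gnome-mo.nix is a bare key — `toggle-message-tray = ["N"]`, `close = ["Q"]`, `switch-applications = ["Tab"]`, `panel-run-dialog = ["Space"]` — with no `<Super>`/`<Alt>` modifier, which as written would make GNOME swallow plain letters, Tab and Space in every application. It is likely the modifier tags were stripped when this diff was rendered (angle brackets drop out easily), in which case nothing is wrong in the repository; please confirm against the actual file, and if the modifiers really are absent, restore them (for example `close = ["<Super>Q"];`). Either way a short comment above `dconf.settings = {` naming the modifier convention used (e.g. Super as the prefix for all window bindings) would help the next reader spot an accidental bare binding.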
@@ -0,0 +1,8 @@
+{ ... }: {
+ flake.nixosModules.computer-mo = { system, ... }: {
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.kernelParams = [ "quiet" "splash" "boot.shell_on_fail" "loglevel=3" "rd.systemd.show_status=false" "rd.udev.log_level=3" "udev.log_priority=3" ];
+ nixpkgs.hostPlatform = system;
+ hardware.cpu.amd.updateMicrocode = true;
+ };
+}
diff --git a/modules/hosts/computer-mo/imports.nix b/modules/hosts/computer-mo/imports.nix
new file mode 100644
index 0000000..54a157d
--- /dev/null
+++ b/modules/hosts/computer-mo/imports.nix
@@ -0,0 +1,25 @@
+{ inputs, config, ... }: {
+ flake.nixosModules.computer-mo = { ... }: {
+ imports = with inputs.self.nixosModules; [
+ mo
+ base-sys-group
+ apps-sys-brave
+ gaming-sys-controller
+ desktop-sys-group
+ gnome-sys-gdm
+ gnome-sys-gdm-mo
+ gnome-sys-gnome
+ gnome-sys-gnome-apps
+ gaming-sys-lact
+ apps-sys-onepassword
+ security-sys-secureboot
+ disks-sys-singledisk
+ security-sys-sopsnix
+ gaming-sys-steam
+ ];
+ home-manager.users.mo.imports = with config.flake.homeModules; [
+ base-usr-group
+ gnome-usr-gnome-mo
+ ];
+ };
+}
diff --git a/modules/hosts/computer-mo/nixosConfigurations.nix b/modules/hosts/computer-mo/nixosConfigurations.nix
new file mode 100644
index 0000000..5b3d355
--- /dev/null
+++ b/modules/hosts/computer-mo/nixosConfigurations.nix
@@ -0,0 +1,6 @@
+{ inputs, ... }: {
+ flake.nixosConfigurations."computer-mo" = inputs.self.lib.mkHost {
+ system = "x86_64-linux";
+ host = "computer-mo";
+ };
+}
diff --git a/modules/platform/flake-parts.nix b/modules/platform/flake-parts.nix
new file mode 100644
index 0000000..0242d20
--- /dev/null
+++ b/modules/platform/flake-parts.nix
@@ -0,0 +1,5 @@
+{ inputs, ... }: {
+ imports = [
+ inputs.home-manager.flakeModules.home-manager
+ ];
+}
diff --git a/modules/platform/mkhost.nix b/modules/platform/mkhost.nix
new file mode 100644
index 0000000..c3ddd4e
--- /dev/null
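Review bot: `"boot.shell_on_fail"` in the `boot.kernelParams` list of hardware.nix gives anyone at the console an unauthenticated root shell in stage 1 whenever early boot fails, which works against the point of importing `security-sys-secureboot` on this same host (modules/hosts/computer-mo/imports.nix): with lanzaboote the parameters are baked into the signed image, so the escape hatch is signed in rather than kept out. On a box that also has no disk encryption the practical exposure is limited, but the parameter still turns any induced boot failure into a root prompt. Drop it from the list, or keep it only during initial bring-up with a comment such as `# TODO: remove boot.shell_on_fail once the secure-boot setup is stable` so it does not ship by default.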
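Review bot: The `imports` list in imports.nix pulls in `apps-sys-brave` and `apps-sys-onepassword`, but neither module is defined anywhere in this commit; unless they already exist elsewhere in the flake, evaluating `computer-mo` fails with an undefined attribute at this line. It would be worth either adding those modules in the same change or noting in the commit that they are provided by an earlier one. Separately, `home-manager.users.mo.imports` here and `home-manager.users.mo` in modules/users/mo.nix both define the same user's home configuration from two files; that merges fine, but a one-line comment on the `home-manager.users.mo.imports` line pointing at mo.nix for the base settings would keep the split discoverable.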
+++ b/modules/platform/mkhost.nix
@@ -0,0 +1,14 @@
+{ inputs, ... }: {
+ flake.lib.mkHost = { system, host, extraModules ? [] }:
+ inputs.nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit host system;
+ pkgs-unstable = import inputs.nixpkgs-unstable {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ modules = [ inputs.self.nixosModules.${host} ] ++ extraModules;
+ };
+}
diff --git a/modules/platform/nixsettings.nix b/modules/platform/nixsettings.nix
new file mode 100644
index 0000000..eede17e
--- /dev/null
+++ b/modules/platform/nixsettings.nix
@@ -0,0 +1,17 @@
+{ inputs, ... }: {
+ systems = [
+ "x86_64-linux"
+ ];
+
+ perSystem = { system, ... }: {
+ _module.args.pkgs = import inputs.nixpkgs {
+ inherit system;
+ config.allowUnfree = true;
+ };
+
+ _module.args.pkgs-unstable = import inputs.nixpkgs-unstable {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+}
diff --git a/modules/security/sys/.sops.yaml b/modules/security/sys/.sops.yaml
new file mode 100644
index 0000000..de89d5e
--- /dev/null
+++ b/modules/security/sys/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &computer-mo age1yw3dt8myjpq3hek6gadzy8jd04l30ladgva7p74ktl7plfkwqs8qmk8c4x
+ - &mo age1nkqrkx782x6hnn5l8trh2e4v5pgygkx2ql4w8m20pc9jzsq244zs8d44qw
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *computer-mo
+ - *mo
diff --git a/modules/security/sys/secrets/secrets.yaml b/modules/security/sys/secrets/secrets.yaml
new file mode 100644
index 0000000..b40f500
--- /dev/null
+++ b/modules/security/sys/secrets/secrets.yaml
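Review bot: The `.sops.yaml` is placed at modules/security/sys/.sops.yaml rather than at the repository root, and sops locates its config by walking up from the directory it is invoked in, so editing the secrets with `sops` from the repo root will not pick up these `creation_rules` and will instead demand recipients on the command line (or fall back to an unintended config). Either move the file to the repo root with `path_regex: modules/security/sys/secrets/secrets\.yaml$`, or add a comment at the top of this file stating that sops must be run from inside `modules/security/sys/`. The two `age` recipients are public keys and are fine to commit; a comment next to each anchor saying which is the host key and which is the operator's personal key would help whoever rotates them. The `path_regex` should also escape the dot (`secrets\.yaml$`) so it does not match unintended names.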
@@ -0,0 +1,32 @@
+users:
+ mo:
+ password: ENC[AES256_GCM,data:fMGtx/NHXyw+zEeedTwnWTsW7SsiheGWAix1kGhPugVn+i9jaa4XazvIRvy4/TKR7naKHUXdeXJtpRvnNIusfZi0vxC6OT82lA==,iv:EVKCYKOj2GOE4FznqNPFXO0vMFYgJSYvTc+7xoFvMaU=,tag:NsMd2OBP4XLynSdRofkpEA==,type:str]
+ intern:
+ public: ENC[AES256_GCM,data:jbuP/i/iK/baGnHrVsXY4OQy0FYiTfOCKSXLd+8DscvMC4gndUpJBH2Jz2JOjMo/W/T5ZLvLfcqzC+d8pe1BofDN7qglc2VIT5nS4+CXq9U=,iv:7tBQilMyisvsAzWh5nAzY7Nyd/ucngt4+Wzn/0Wa8Y8=,tag:QK//7g44v0q2tO8d6VcBrA==,type:str]
+ extern:
+ public: ENC[AES256_GCM,data:Z7WsJxQWrnhLi+Lim9RIZvteyath+Z+e/17fAtvQT+2IZ4D5C1XRpmRG7D0knAMueXciK2sRPgAmkOVNAo7msDFnAqybb879Oyd7ms1dd6I=,iv:cmNClicrACt1lyvTrZRMiZv1EjbGl62GtHK/I2DVgiE=,tag:tH6nnWXowfSrJc8S9gpi+w==,type:str]
+ private: ENC[AES256_GCM,data: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,iv:UWwcQhaF0KR+waF7wHLEA9T0+K53TYoghs+9LrU8/jo=,tag:l4ndlXfLqdHu/zNF5e+YOw==,type:str]
+sops:
+ age:
+ - recipient: age1yw3dt8myjpq3hek6gadzy8jd04l30ladgva7p74ktl7plfkwqs8qmk8c4x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMzF6WTZXRitScFpKdG1m
+ aHBnaThnTmkyanYrL0pIWGlSRXhlTUVzQ1RFCnJYZXBXeHBnN3dWSjFUbDdCb2tZ
+ NU5ZTE82VXltMVJLT3YzSVRIRWpUWkUKLS0tIHhtcno4WmJ6d0Y2NWkrOTZiWkNS
+ Y2xSUE0veVdCaERFUXpVeHdoVUd5V2MKV3DDB8WfAJkZ91MdWzz5Yi0D2u8ozeEi
+ AQY7by2kpV4oJWG96zu6grR1FU/jNqaC+qTCtIcb3/e7pK9pHdstow==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nkqrkx782x6hnn5l8trh2e4v5pgygkx2ql4w8m20pc9jzsq244zs8d44qw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTFcwZnB5RGNNZWQyY2JR
+ ekg1c05BSU9Qay9RYlkxT3pCWlB4T2VJd1VJCmpuc08yZlhZRS93cnpoS0lBeFVY
+ ME1xQUtIcDc0aHJqVmJjUy9BbjhCMG8KLS0tIHpsMGVLSlhKc3JUTlhnTE1HbVUv
+ RVVGdEM3UFg5Y0ZhQmlJTGg1eUQxU1UK0U3aR79JWeFyvQRDVVmyICh1UTDIIeai
+ 6E87FDE9XRhAbneR5sHw4ujnZCSyX7njfDMpN23dpWX3smRRKVIsNQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-03T15:55:44Z"
+ mac: ENC[AES256_GCM,data:PLOC5V43pfPcAzE1ZHAFrRedhNkxU4KXO9NU4Hw6PyrYoy9UiTN8H4bJEle5k9YH70hoqk/mAO4rM7B5UZUuz17JktoSaW0AESqi1V9H9LlWPKtJVTXlLm/OeZ456ExdHbocfZ+wKTNRwM1jVhzqqUZfAskuflRQjpIS5sOuJJ8=,iv:E8KIP+WyRt0VmpkfPHKEszYzUwoZAn4/oSShisBMqL0=,tag:Yrfg4uaqnwPirD3E9J5uSg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/modules/security/sys/secureboot.nix b/modules/security/sys/secureboot.nix
new file mode 100644
index 0000000..bb93a9b
--- /dev/null
+++ b/modules/security/sys/secureboot.nix
@@ -0,0 +1,16 @@
+{ inputs, ... }: {
+ flake.nixosModules.security-sys-secureboot = { pkgs, lib, ... }: {
+ imports = [
+ inputs.lanzaboote.nixosModules.lanzaboote
+ ];
+
+ environment.systemPackages = [ pkgs.sbctl ];
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
+}
diff --git a/modules/security/sys/sops-nix.nix b/modules/security/sys/sops-nix.nix
new file mode 100644
index 0000000..e983a14
--- /dev/null
+++ b/modules/security/sys/sops-nix.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }: {
+ flake.nixosModules.security-sys-sopsnix = { pkgs, ... }: {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ environment.systemPackages = [ pkgs.age pkgs.sops ];
+
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ };
+}
diff --git a/modules/security/sys/sopsnix.nix b/modules/security/sys/sopsnix.nix
new file mode 100644
index 0000000..e983a14
--- /dev/null
+++ b/modules/security/sys/sopsnix.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }: {
+ flake.nixosModules.security-sys-sopsnix = { pkgs, ... }: {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ environment.systemPackages = [ pkgs.age pkgs.sops ];
+
+ sops.defaultSopsFile = ./secrets/secrets.yaml;
+ };
+}
diff --git a/modules/users/mo.nix b/modules/users/mo.nix
new file mode 100644
index 0000000..85fd587
--- /dev/null
+++ b/modules/users/mo.nix
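Review bot: `boot.loader.systemd-boot.enable = lib.mkForce false;` in secureboot.nix silently overrides the `true` set by base-sys-boot (modules/base/sys/boot.nix); the override is correct for lanzaboote, but nothing tells a reader of boot.nix that its setting is dead on secure-boot hosts. A comment on the `mkForce` line such as `# lanzaboote replaces systemd-boot as the EFI loader; overrides base-sys-boot` keeps the two modules understandable on their own. Note too that `boot.loader.efi.canTouchEfiVariables = true` from base-sys-boot still applies, so the lanzaboote install may write EFI variables; confirm that is intended. The enclosing `flake.nixosModules` attribute is fully within the hunk.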
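Review bot: modules/security/sys/sops-nix.nix and modules/security/sys/sopsnix.nix are byte-identical (both at blob e983a14) and both define `flake.nixosModules.security-sys-sopsnix`; one is a leftover from a rename and should be deleted, since otherwise the same module is merged into the host twice and any later divergence between the two copies will be confusing to debug. computer-mo imports `security-sys-sopsnix`, so keep whichever name matches and remove the other. The module also relies on sops-nix's defaults for the decryption key (no `sops.age.keyFile` or `sops.age.sshKeyPaths` is set), which presumably means the host's SSH ed25519 key is expected to correspond to the `computer-mo` age recipient in `.sops.yaml`; a comment on the `sops.defaultSopsFile` line stating that expectation would save a confused first boot.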
@@ -0,0 +1,23 @@
+{ inputs, ... }: {
+ flake.nixosModules.mo = { pkgs, config, ... }: {
+ home-manager.extraSpecialArgs = {};
+
+ sops.secrets."users/mo/password" = {
+ neededForUsers = true;
+ };
+ users.mutableUsers = false;
+ users.users.mo = {
+ isNormalUser = true;
+ description = "Mohamed Chrayed";
+ extraGroups = [ "networkmanager" "wheel" "video" "audio" ];
+ shell = pkgs.zsh;
+ hashedPasswordFile = config.sops.secrets."users/mo/password".path;
+ };
+
+ home-manager.users.mo = {
+ home.username = "mo";
+ home.homeDirectory = "/home/mo";
+ home.stateVersion = "25.11";
+ };
+ };
+}
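Review bot: `users.mutableUsers = false;` together with `hashedPasswordFile = config.sops.secrets."users/mo/password".path` is the right shape for a declarative account, but it makes the `mo` login depend entirely on sops decrypting at activation: if the host's age key is absent on a fresh install, the account is created with no usable password and, because `wheel` is the only path to root here, the machine can only be recovered from a live medium. That is worth a comment above `users.mutableUsers = false;`, e.g. `# Account is fully declarative; the host age key must exist before first switch or mo cannot log in`. `home-manager.extraSpecialArgs = {};` is a no-op assignment of the option's default and can be dropped, and `{ inputs, ... }` at the top is unused. The `neededForUsers = true` setting is required for this layout and is correct.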