Otherwise reboot checks for remote machines were stuck waiting for the jump host socket. Quick fix; could be nicer, and it introduces code duplication.
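# Home-manager configuration for a macOS (nix-darwin) host.
#
# Besides the usual package and program settings it wires up:
#   - an ssh config that forces the 1Password agent socket for every host and
#     declares the two FCIO jump hosts with connection multiplexing,
#   - a launchd agent keeping a SOCKS proxy open through the WHQ jump host.
#
# The jump host names and their shared ssh options are declared once in the
# `let` below so the match blocks and the launchd agent cannot drift apart.
{
  pkgs,
  inputs,
  config,
  system,
  lib,
  ...
}:
with pkgs;
let
  unstable = inputs.nixos-unstable.legacyPackages.${system};

  # FCIO jump hosts. Referenced by both the ssh match blocks and the launchd
  # proxy agent, so the hostname is spelled out only here.
  whqJumpHost = "vpn-whq.services.fcio.net";
  rzobJumpHost = "vpn-rzob.services.fcio.net";

  # ssh options shared by both jump hosts: verbose logging, IPv4 only, and a
  # multiplexed master connection (e.g. to avoid rate limiting on jumphost
  # usage) that stays around for a bounded time after the last client exits.
  jumpHostOptions = {
    LogLevel = "Verbose";
    AddressFamily = "inet";
    ControlMaster = "auto";
    # not too long, due to the frequent keepalives
    ControlPersist = "1h";
  };
in
{
  imports = [ ./modules/llm.nix ];

  schmittlauch.packages = {
    graphics = true;
    multimedia = true;
    nixHelpers = true;
    devTools = true;
    pythonTools = true;
  };

  home.packages = [
    wireshark # on NixOS systems enabled via system config
    _1password-cli
    # also TODO: color schemes nix-darwin
  ];

  # pinning theme is necessary until iTerm 3.5, because despite the dark terminal background, bat detects light mode and adapts theme
  programs.bat.config.theme = "Visual Studio Dark+";

  programs.ssh = {
    enable = true;
    # defaults in bottom match block "*"
    # TODO: common config for desktop as well
    # A peer that misses two keepalives 10s apart (~20s) is considered dead.
    serverAliveInterval = 10;
    serverAliveCountMax = 2; # 2 strikes and you're out
    # ssh host config
    matchBlocks = {

      # early catchall to enforce agent socket usage. **NOT** the place for fallback defaults.
      "*" = {
        extraOptions = {
          # Wrapped in literal double quotes because the socket path contains
          # a space and ssh_config would otherwise split it.
          IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
        };
      };

      "hydra01" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "hydra01.access.whq.gocept.net";
        user = "os";
      };
      "fcio-whq-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = whqJumpHost;
        extraOptions = jumpHostOptions;
      };
      "fcio-rzob-jump" = lib.hm.dag.entryAfter [ "*" ] {
        # multiplexer, e.g. to avoid rate limiting on jumphost usage
        hostname = rzobJumpHost;
        extraOptions = jumpHostOptions;
      };
    };
  };

  programs.git =
    let
      # Identities are kept out of this repo; `contacts.nix` comes from the
      # private `mysecrets` input.
      contacts = import "${inputs.mysecrets}/contacts.nix" { inherit lib; };
    in
    {
      includes = [
        {
          condition = "gitdir:~/src/schmittlauch/";
          contents = {
            user = {
              inherit (contacts.schmittlauch) name email;
            };
          };
        }
      ]
      # set default name for several other common locations
      ++ map (dir: {
        condition = "gitdir:${dir}";
        contents = {
          user = {
            inherit (contacts.work) name email;
          };
        };
      }) [ "~/" ];
    };

  # some extra shell scripts
  programs.zsh.initContent = lib.mkAfter (
    import ./scripts/reporsync.nix { inherit pkgs lib; }
    + import ./scripts/ssh-loop-fc.nix { inherit pkgs lib; }
  );

  # separate proxied browser using the DHCP-supplied DNS for accessing captive portals
  programs.captive-browser = {
    enable = true;
    interface = "en0";
  };

  # Persistent SOCKS proxy through the WHQ jump host, supervised by launchd.
  # `-D 1080` without a bind address makes ssh listen on loopback only, so the
  # proxy is not exposed to the local network.
  launchd.agents.hydra_proxy = {
    enable = true;
    config = {
      ProgramArguments = [
        "${lib.getExe pkgs.autossh}"
        # -M 0 disables autossh's own monitoring port; the ServerAlive
        # keepalive below is what detects a dead tunnel instead.
        "-M"
        "0"
        "-D"
        "1080"
        "-oServerAliveInterval=30"
        # Never share or wait for a multiplexed control socket: with the
        # jump host's ControlMaster=auto in play, reboot checks for remote
        # machines were stuck waiting for the jump host socket (see commit
        # message). The agent pays for a dedicated connection instead.
        "-oControlMaster=no"
        "-N"
        whqJumpHost
      ];
      # TODO: consider socket activation instead
      KeepAlive = true;
      ThrottleInterval = 60;
    };
  };

  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "1password-cli"
      "claude-code"
    ]; # nixpkgs.config merging is unfortunately broken

  home.stateVersion = "22.05";
}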