
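{
  pkgs,
  inputs,
  config,
  lib,
  ...
}:
let
  # Single source of truth for the proxy helper: every ProxyCommand below runs
  # the store path, never a bare `ssh-multi-proxy` resolved from $PATH at the
  # moment ssh spawns the proxy (which differs between shells, GUI apps and
  # launchd agents).
  sshMultiProxy = lib.getExe pkgs.fc-scripts.ssh-multi-proxy;
in
{
  imports = [ ./modules/llm.nix ];

  schmittlauch.packages = {
    graphics = true;
    multimedia = true;
    nixHelpers = true;
    devTools = true;
    pythonTools = true;
  };

  targets.darwin = {
    linkApps.enable = false; # spotlight ignores symlinks
    copyApps.enable = true;
  };

  # Explicit `pkgs.` references instead of `with pkgs;` so that a typo in a
  # package name fails as an undefined variable rather than silently resolving
  # to something else in scope.
  home.packages = [
    pkgs.wireshark # on NixOS systems enabled via system config
    pkgs._1password-cli
    pkgs.rectangle
    # also TODO: color schemes nix-darwin
  ];

  # pinning theme is necessary until iTerm 3.5, because despite the dark terminal
  # background, bat detects light mode and adapts theme
  programs.bat.config.theme = "Visual Studio Dark+";

  programs.ssh = {
    enable = true;
    # home-manager's implicit default settings are on their way out; the `*`
    # block in matchBlocks carries the defaults explicitly instead.
    enableDefaultConfig = false;
    package = pkgs.openssh;
    # TODO: common config for desktop as well
    # Rendered before every Host/Match block. ssh keeps the first value it
    # obtains for an option, so nothing further down can override these: they
    # pin the 1Password agent socket for all hosts. **NOT** the place for
    # fallback defaults.
    extraOptionOverrides = {
      # quoted because the path contains spaces and ssh_config splits on them
      IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
      CanonicalizeHostname = "yes";
      CanonicalDomains = "fcio.net gocept.net";
      CanonicalizeFallbackLocal = "yes";
    };
    # ssh host config
    matchBlocks = {
      # --- Host blocks (order matters: specific before wildcard) --------
      # Hosts are only accessible via bastion host
      #"switch1.example.com switch2.example.com" =
      #  lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
      #    extraOptions = {
      #      Tag = "proxyjump";
      #    };
      #  };
      # TODO: this site-specific information is currently also publicly available
      # elsewhere, so keeping it here in plain text is fine. Before adding more
      # topology-specific rules, consider moving this into secrets (SOPS or similar).
      # Hostname wildcards for the management networks, only reachable via the
      # bastion host. The Tag set here selects the `Match tagged=` block below;
      # both strings have to agree exactly.
      "*.mgm.whq.fcio.net *.mgm.whq.gocept.net" =
        lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
          extraOptions = {
            Tag = "proxyjump-whq";
          };
        };
      "*.mgm.rzob.fcio.net *.mgm.rzob.gocept.net" =
        lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
          extraOptions = {
            Tag = "proxyjump-rzob";
          };
        };
      # Fallback for all other FCIO hosts
      "*.fcio.net *.gocept.net" = {
        extraOptions = {
          Tag = "direct-rzob";
        };
      };
      # --- Match blocks (OpenSSH 9.4+ tags) ----------------------------
      # `Match tagged=` only sees a Tag set by an earlier Host block (or by
      # `ssh -P`), so all four blocks are ordered after the catch-all Host block
      # and thereby after the management-network blocks that precede it.
      # Connect to hosts directly, or if that fails (e.g. IPv4-only network)
      # use the bastion host as a jump host.
      "tagged-direct-rzob" =
        lib.hm.dag.entryAfter [ "*.fcio.net *.gocept.net" ] {
          match = ''tagged="direct-rzob"'';
          proxyCommand = "${sshMultiProxy} -p connect -i master,direct -j vpn-rzob.services.fcio.net %h %p";
          extraOptions = {
            ProxyUseFdpass = "yes";
          };
        };
      # No Host block assigns this tag; select it per invocation with `ssh -P direct-whq`.
      "tagged-direct-whq" =
        lib.hm.dag.entryAfter [ "*.fcio.net *.gocept.net" ] {
          match = ''tagged="direct-whq"'';
          proxyCommand = "${sshMultiProxy} -p connect -i master,direct -j vpn-whq.services.fcio.net %h %p";
          extraOptions = {
            ProxyUseFdpass = "yes";
          };
        };
      # Don't connect directly, always use the bastion host as a jump host.
      "tagged-proxyjump-whq" =
        lib.hm.dag.entryAfter [ "*.fcio.net *.gocept.net" ] {
          match = ''tagged="proxyjump-whq"'';
          proxyCommand = "${sshMultiProxy} -p connect -ni all -j kenny12.fe.whq.fcio.net %h %p";
          extraOptions = {
            ProxyUseFdpass = "yes";
          };
        };
      "tagged-proxyjump-rzob" =
        lib.hm.dag.entryAfter [ "*.fcio.net *.gocept.net" ] {
          # must equal the Tag set by the rzob management-network Host block;
          # a bare "proxyjump" would never match and the hosts would be dialled directly
          match = ''tagged="proxyjump-rzob"'';
          proxyCommand = "${sshMultiProxy} -p connect -ni all -j kenny09.fe.rzob.fcio.net %h %p";
          extraOptions = {
            ProxyUseFdpass = "yes";
          };
        };
      # default, gets placed last by home-manager
      "*" = {
        serverAliveInterval = 10;
        serverAliveCountMax = 2; # 2 strikes and you're out
        forwardAgent = false;
        addKeysToAgent = "no";
        compression = false;
        hashKnownHosts = false;
        userKnownHostsFile = "~/.ssh/known_hosts";
        # multiplexing is off by default; ControlPath is only exercised by the
        # jump-host blocks below that switch ControlMaster to auto
        controlMaster = "no";
        controlPath = "~/.ssh/master-%r@%n:%p";
        controlPersist = "no";
      };
      "hydra01" = {
        hostname = "hydra01.access.whq.gocept.net";
        user = "os";
      };
      # Both jump-host blocks are ordered after `*` explicitly, so the result does
      # not depend on where home-manager places the catch-all: ssh keeps the first
      # value it sees, and ControlMaster=no from the defaults would otherwise win
      # and silently disable the multiplexer.
      "fcio-whq-jump" = lib.hm.dag.entryAfter [ "*" ] {
        hostname = "vpn-whq.services.fcio.net";
        extraOptions = {
          LogLevel = "Verbose";
          AddressFamily = "inet";
          ControlMaster = "auto";
          # not too long, due to the frequent keepalives
          ControlPersist = "1h";
        };
      };
      "fcio-rzob-jump" = lib.hm.dag.entryAfter [ "*" ] {
        # multiplexer, e.g. to avoid rate limiting on jumphost usage
        hostname = "vpn-rzob.services.fcio.net";
        extraOptions = {
          LogLevel = "Verbose";
          AddressFamily = "inet";
          ControlMaster = "auto";
          # not too long, due to the frequent keepalives
          ControlPersist = "1h";
        };
      };
    };
  };

  programs.git =
    let
      contacts = import "${inputs.mysecrets}/contacts.nix" { inherit lib; };
      # work identity for every repository below `dir`; git expands the leading `~/`
      workIdentityFor = dir: {
        condition = "gitdir:${dir}";
        contents = {
          user = {
            inherit (contacts.work) name email;
          };
        };
      };
    in
    {
      # git expands includeIf files in place and keeps the last value it reads
      # for single-valued keys such as user.name. The broad `~/` include
      # therefore has to come first, otherwise it overrides the narrower
      # schmittlauch include for repositories that match both conditions.
      includes =
        # set default name for several other common locations
        map workIdentityFor [ "~/" ]
        ++ [
          {
            condition = "gitdir:~/src/schmittlauch/";
            contents = {
              user = {
                inherit (contacts.schmittlauch) name email;
              };
            };
          }
        ];
    };

  # some extra shell scripts
  programs.zsh.initContent = lib.mkAfter (
    import ./scripts/reporsync.nix { inherit pkgs lib; }
    + import ./scripts/ssh-loop-fc.nix { inherit pkgs lib; }
  );

  # separate proxied browser using the DHCP-supplied DNS for accessing captive portals
  programs.captive-browser = {
    enable = true;
    interface = "en0";
  };

  # Long-lived SOCKS proxy through the WHQ jump host, kept alive by autossh and
  # restarted by launchd.
  launchd.agents.hydra_proxy = {
    enable = true;
    config = {
      ProgramArguments = [
        "${lib.getExe pkgs.autossh}"
        # -M 0: no autossh monitor port; liveness comes from the ServerAlive
        # options (ServerAliveCountMax is inherited from the `*` block) plus
        # launchd's KeepAlive restart.
        "-M"
        "0"
        # SOCKS listener. Without a bind address ssh follows GatewayPorts, which
        # is off by default, so the port stays on loopback.
        "-D"
        "1080"
        "-oServerAliveInterval=30"
        # command-line -o beats ssh_config; keep this session off any multiplexer socket
        "-oControlMaster=no"
        "-N"
        "vpn-whq.services.fcio.net"
      ];
      # NOTE(review): launchd agents run with a minimal PATH; confirm which ssh
      # binary the nixpkgs autossh resolves (it honours AUTOSSH_PATH).
      # TODO: consider socket activation instead
      KeepAlive = true;
      ThrottleInterval = 60;
    };
  };

  # allow-list by package name rather than blanket allowUnfree
  nixpkgs.config.allowUnfreePredicate =
    pkg:
    builtins.elem (lib.getName pkg) [
      "1password-cli"
      "claude-code"
    ]; # nixpkgs.config merging is unfortunately broken

  home.stateVersion = "22.05";
}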