
Initial commit

Thomas Dy 4 years ago
commit
ef63079be0

+ 3 - 0
.gitignore

@@ -0,0 +1,3 @@
+hardware.nix
+local.nix
+result

+ 58 - 0
configuration.nix

@@ -0,0 +1,58 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [
+      ./hardware.nix
+      ./local.nix
+      ./includes/cli
+      ./includes/desktop
+      ./includes/local-dns
+      ./includes/kubernetes
+    ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  networking.networkmanager.enable = true;
+
+  i18n = {
+    consoleFont = "Lat2-Terminus16";
+    consoleKeyMap = "us";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  # Set your time zone.
+  time.timeZone = "Asia/Tokyo";
+
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio.enable = true;
+
+  virtualisation.libvirtd = {
+    enable = true;
+    onBoot = "ignore";
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.thomas = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "video" "networkmanager" "libvirt" ];
+    shell = pkgs.zsh;
+  };
+
+  nix.gc = {
+    automatic = true;
+    options = "--delete-older-then 14d";
+  };
+  systemd.timers.nix-gc.timerConfig.Persistent = true;
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "19.09"; # Did you read the comment?
+}
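Review bot: The garbage-collection flag on line 69 is misspelled as `--delete-older-then 14d`; `nix-collect-garbage` does not accept it, so the automatic GC the timer schedules will fail on every run and no old generations (including closures of superseded, possibly vulnerable packages) are ever pruned — change it to `options = "--delete-older-than 14d";`. Separately, line 63 adds the user to a `libvirt` group, while the group the NixOS libvirtd module manages is, as far as I recall, named `libvirtd`; if `libvirt` is not declared elsewhere the membership is ineffective, and if it is the intended group it grants control of the hypervisor socket, so please confirm the name. `hardware.nix` and `local.nix` are imported on lines 30-31 but listed in `.gitignore`, so any security-relevant settings they carry (sudo rules, firewall) are outside this review.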

+ 45 - 0
includes/cli/default.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+{
+  programs.zsh.enable = true;
+  programs.mtr.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    vim
+    neovim
+    neovim-remote
+    git
+    git-lfs
+    feh
+    ripgrep
+    jq
+    yq
+    tree
+    fzf
+    dnsutils
+    httpie
+    htop
+    bc
+    pv
+    openssl
+    pwgen
+    gnupg
+    whois
+    traceroute
+    gnumake
+    tig
+    unzip
+    zip
+    shellcheck
+    any-nix-shell
+    tmux-cssh
+    
+    # work
+    awscli
+    docker
+    docker_compose
+    amazon-ecr-credential-helper
+    python37Packages.cfn-lint
+  ];
+}

+ 98 - 0
includes/desktop/default.nix

@@ -0,0 +1,98 @@
+{ config, pkgs, ... }:
+
+let
+  waybar = pkgs.waybar.override {
+    pulseSupport = true;
+  };
+in
+{
+  programs.sway = {
+    enable = true;
+    extraPackages = with pkgs; [
+      swaylock
+      swayidle
+      wl-clipboard
+      qt5.qtwayland
+      waybar
+      mako
+      bemenu
+      grim
+      slurp
+      xwayland
+      lxqt.lxqt-openssh-askpass
+      xorg.xrdb
+
+      libnotify
+      gnome3.networkmanagerapplet
+      gnome3.networkmanager_openvpn
+      gvfs
+
+      qt5ct
+      libsForQt5.qtstyleplugin-kvantum
+      gnome_themes_standard
+      adapta-gtk-theme
+      hicolor-icon-theme
+      arc-icon-theme
+      vanilla-dmz
+    ];
+
+    extraSessionCommands = ''
+      export SSH_ASKPASS=lxqt-openssh-askpass
+      export MOZ_ENABLE_WAYLAND=1
+      export QT_QPA_PLATFORM=wayland
+      export QT_QPA_PLATFORMTHEME=qt5ct
+      export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
+      export SDL_VIDEODRIVER=wayland
+      export _JAVA_AWT_WM_NONREPARENTING=1
+      export BEMENU_BACKEND=wayland
+    '';
+  };
+
+  fonts.fonts = with pkgs; [
+    noto-fonts
+    noto-fonts-cjk
+    fira-mono
+    fira-code
+    fira-code-symbols
+  ];
+
+  environment.etc."dconf/profile/user".text = ''
+    user-db:user
+    system-db:system-wide
+  '';
+
+  environment.etc."dconf/db/system-wide.d/gnome".text = ''
+    [org/gnome/desktop/interface]
+    cursor-theme='Vanilla-DMZ'
+    gtk-theme='Adapta'
+    icon-theme='Arc'
+    font-name='Noto Sans 10'
+  '';
+
+  programs.firejail = {
+    enable = true;
+    wrappedBinaries = {
+      firefox = "${pkgs.firefox}/bin/firefox";
+      chromium = "${pkgs.chromium}/bin/chromium";
+    };
+  };
+  
+  programs.light.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    pcmanfm
+    lxappearance
+    pavucontrol
+    pamixer
+    gnumeric
+    mpv
+    keepassxc
+    deadbeef
+    lxqt.qterminal
+    syncthing-gtk
+    virtmanager
+  ];
+
+  i18n.inputMethod.enabled = "fcitx";
+  i18n.inputMethod.fcitx.engines = with pkgs.fcitx-engines ; [ mozc ];
+}
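Review bot: The firejail wrappers on lines 207-210 pass only the store path of each browser, so the confinement that applies depends on firejail selecting a profile from the executable's basename; I cannot tell from this file whether the `firefox`/`chromium` profiles are actually picked for Nix store paths or whether the generic default profile is used, which is considerably weaker. Please verify after a rebuild with `firejail --list` or `firejail --debug <wrapper>` and, if the profile is not selected, pin it explicitly should the module version in use support it. Chromium ships its own namespace sandbox, so if the profile applied is not the one tuned for it, confirm that `chrome://sandbox` still reports a working sandbox inside the jail. A short comment next to `wrappedBinaries` noting that the unwrapped `firefox`/`chromium` packages are deliberately absent from `environment.systemPackages` (so PATH exposes only the sandboxed wrappers) would guard against that being regressed later.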

+ 63 - 0
includes/kubernetes/default.nix

@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+let
+  buildBinPackage = options: pkgs.stdenv.mkDerivation {
+    inherit (options) pname version;
+    src = pkgs.fetchurl {
+      inherit (options) url sha256;
+    };
+    unpackPhase = if options ? "binPath" then "unpackFile $src" else ":";
+    installPhase = let
+      binPath = if options ? "binPath" then options.binPath else "$src";
+      completionCommands = if options ? hasCompletion then ''
+        $out/bin/${options.pname} completion bash > $out/share/bash-completion/completions/${options.pname}
+        $out/bin/${options.pname} completion zsh > $out/share/zsh/site-functions/_${options.pname}
+      '' else "";
+    in ''
+      mkdir -p $out/bin $out/share/bash-completion/completions $out/share/zsh/site-functions
+      cp ${binPath} $out/bin/${options.pname}
+      chmod +x $out/bin/${options.pname}
+      ${completionCommands}
+    '';
+  };
+
+  argocd = buildBinPackage rec {
+    pname = "argocd";
+    version = "1.3.0";
+    url = "https://github.com/argoproj/argo-cd/releases/download/v${version}/argocd-linux-amd64";
+    sha256 = "1mspgjipalngbjl9rdi2pyvq3g8nh4w2sq5isz87l7fkj4cy4qvk";
+    hasCompletion = true;
+  };
+  helm = buildBinPackage rec {
+    pname = "helm";
+    version = "3.0.0";
+    url = "https://get.helm.sh/helm-v${version}-linux-amd64.tar.gz";
+    sha256 = "10e1fdcca263062b1d7b2cb93a924be1ef3dd6c381263d8151dd1a20a3d8c0dc";
+    binPath = "linux-amd64/helm";
+    hasCompletion = true;
+  };
+  eksctl = buildBinPackage rec {
+    pname = "eksctl";
+    version = "0.10.2";
+    url = "https://github.com/weaveworks/eksctl/releases/download/${version}/eksctl_Linux_amd64.tar.gz";
+    sha256 = "d3e70cd101ca4756ca9b2fbbeb6edcf580ae4783d80004c8847fa177e7d32e03";
+    binPath = "eksctl";
+    hasCompletion = true;
+  };
+  k9s = buildBinPackage rec {
+    pname = "k9s";
+    version = "0.9.3";
+    url = "https://github.com/derailed/k9s/releases/download/${version}/k9s_${version}_Linux_x86_64.tar.gz";
+    sha256 = "af3608517684e59de94573ad123486edd6f392c8c319ddbde6223d3ac2d37bd9";
+    binPath = "k9s";
+  };
+in {
+  environment.systemPackages = with pkgs; [
+    kubectl
+    kubectx
+    kops
+    argocd
+    helm
+    eksctl
+    k9s
+  ];
+}
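Review bot: `options ? hasCompletion` on line 247 tests whether the attribute is present, not whether it is true, so a future `hasCompletion = false;` would still execute the binary to generate completions; use `if (options.hasCompletion or false) then` instead. On the supply-chain side, the release binaries are pinned by `sha256` in `fetchurl`, which is good, but those hashes were presumably recorded from a first download rather than an independent source — since `installPhase` executes each freshly downloaded binary inside the build (`completion bash`/`completion zsh`, lines 248-249), please cross-check them against the checksum files upstream publishes for these releases where available and say so in a comment. A one-line doc comment on `buildBinPackage` listing the expected attributes (`pname`, `version`, `url`, `sha256`, optional `binPath`, optional `hasCompletion`) would also help the next person adding a tool.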

+ 31 - 0
includes/local-dns/default.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+let
+  local-dns = pkgs.runCommand "local-dns" {} ''
+    mkdir -p $out/bin
+    cp ${./local-dns} $out/bin/local-dns
+  '';
+in
+{
+  environment.systemPackages = [ local-dns ];
+
+  services.unbound = {
+    enable = true;
+    extraConfig = ''
+      include: /var/lib/unbound/unbound-resolvconf.conf
+      remote-control:
+        control-enable: yes
+        control-interface: /var/lib/unbound/unbound.sock
+    '';
+  };
+
+  # make unbound use unbound group instead so that the control socket is secure
+  # instead of being in nogroup
+  users.users.unbound.group = "unbound";
+  users.groups.unbound = {};
+
+  # actually have openresolv update our DNS
+  networking.resolvconf.extraConfig = ''
+    unbound_conf=/var/lib/unbound/unbound-resolvconf.conf
+    unbound_restart="${pkgs.unbound}/bin/unbound-control -c /var/lib/unbound/unbound.conf reload || true"
+  '';
+}
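Review bot: Anyone who can connect to the control socket declared on line 321 has full control of the resolver (`forward_add`, `local_datas`), so the group change on lines 327-328 only helps if the socket's mode and the state directory's permissions actually exclude other users; please check `ls -ld /var/lib/unbound /var/lib/unbound/unbound.sock` after activation and record the expected mode in the comment on line 325. The `|| true` in `unbound_restart` on line 333 swallows a failed reload, so after a network change the resolver may silently keep the previous forwarders; consider `|| logger -t resolvconf "unbound reload failed"` rather than discarding the error. The file included on line 318 lives in the daemon's own state directory; if that directory is owned by the `unbound` user, the daemon can rewrite its own forwarder configuration, which is worth a note even though it does not cross a privilege boundary.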

+ 104 - 0
includes/local-dns/local-dns

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ipv4_regex='^[.0-9]\+$'
+ipv6_regex='^[:0-9a-f]\+$'
+
+function _unbound {
+  sudo unbound-control -c /var/lib/unbound/unbound.conf "$@"
+}
+
+function _helper_list_local_zones {
+  _unbound list_local_zones | grep 'transparent$' | cut -f1 -d' '
+}
+
+function _alias {
+  domain="$1"
+  shift 1
+
+  records=$(while [ $# -gt 0 ]; do
+    target="$1"
+    if echo "$target" | grep -q "$ipv4_regex"; then
+      echo "$domain A $target"
+    elif echo "$target" | grep -q "$ipv6_regex"; then
+      echo "$domain AAAA $target"
+    else
+      if ! dig +noall +answer +nottlid "$target" \
+        | grep '\<\(A\|AAAA\)\>' \
+        | sed "s/^.*IN/$domain/" \
+      ; then
+        echo "Could not resolve $target" >&2
+        exit 1
+      fi
+    fi
+
+    shift 1
+  done)
+
+  _unbound -q local_zone_remove "$domain"
+  if [ ! -z "$records" ]; then
+    echo "$records" | _unbound -q local_datas
+  fi
+
+  if output=$(_unbound list_local_data | grep "$domain"); then
+    echo "Put the following records:"
+    echo "$output"
+  else
+    echo "Removed aliases for $domain"
+  fi
+}
+
+function _delegate {
+  domain="$1"
+  server="$2"
+  _unbound forward_add "$domain" "$server"
+}
+
+function _reset {
+  _unbound reload
+}
+
+function _list {
+  zones=$(_helper_list_local_zones)
+  for domain in $zones; do
+    _unbound list_local_data | grep "$domain"
+  done
+}
+
+function _help {
+  cat <<EOF
+Usage: $(basename $0) <command> <options>
+
+Commands:
+  list - show custom records
+  alias <domain> <target> ... - aliases a domain to another domain
+  delegate <domain> <server> - forwards all DNS requests under domain to the target server
+  reset - resets all configuration
+EOF
+  exit 1
+}
+
+if [ $# -lt 1 ]; then
+  _help
+fi
+
+command="$1"
+shift 1
+case "$command" in
+  list)
+    _list "$@"
+    ;;
+  alias)
+    _alias "$@"
+    ;;
+  delegate)
+    _delegate "$@"
+    ;;
+  reset)
+    _reset "$@"
+    ;;
+  *)
+    _help
+    ;;
+esac
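Review bot: `grep "$domain"` on lines 384 and 405 treats the domain as an unanchored basic regex, so `.` matches any character, `example.com` also matches `myexample.com` and `example-com`, and a domain beginning with `-` is parsed as a grep option; use `grep -F -- "$domain"` (and anchor it to the record-name field if the `list_local_data` output format allows). The `exit 1` on line 372 runs inside the `$( ... )` command substitution and therefore terminates only that subshell; the script still stops because `set -e` trips on the failed assignment to `records`, but a comment saying so would save the next reader a puzzle. Every subcommand ends up running `unbound-control` through `sudo` (line 349), so the script's effective privilege is whatever the caller's sudo rules grant — worth stating in `_help`.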