From c7c690d7b828be730edeed3f2f12912f268e80a1 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 23 Mar 2024 10:57:18 +1100 Subject: [PATCH 01/28] initial testing --- flake.nix | 4 ++- nixos/hosts/common/nixos/default.nix | 2 +- nixos/hosts/nixosvm/default.nix | 1 + nixos/modules/nixos/default.nix | 5 ++++ nixos/modules/nixos/system/defaut.nix | 5 ++++ nixos/modules/nixos/system/openssh.nix | 40 ++++++++++++++++++++++++++ 6 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 nixos/modules/nixos/default.nix create mode 100644 nixos/modules/nixos/system/defaut.nix create mode 100644 nixos/modules/nixos/system/openssh.nix diff --git a/flake.nix b/flake.nix index 2697a9c..772e4bd 100644 --- a/flake.nix +++ b/flake.nix @@ -49,10 +49,12 @@ # Use nixpkgs-fmt for 'nix fmt' formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); + nixosModules = import ./nixos/modules/nixos; + nixosConfigurations = let defaultModules = - # (builtins.attrValues nixosModules) ++ + (builtins.attrValues nixosModules) ++ [ sops-nix.nixosModules.sops ]; diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix index 9ba22d3..9c91935 100644 --- a/nixos/hosts/common/nixos/default.nix +++ b/nixos/hosts/common/nixos/default.nix @@ -10,7 +10,7 @@ #inputs.sops-nix.nixosModules.sops ./locale.nix ./nix.nix - ./openssh.nix + # ./openssh.nix ./packages.nix ] ++ (builtins.attrValues { }); diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix index 59781f4..6901270 100644 --- a/nixos/hosts/nixosvm/default.nix +++ b/nixos/hosts/nixosvm/default.nix @@ -29,6 +29,7 @@ networking.hostName = "nixosvm"; # Define your hostname. + modules.services.openssh = true; # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. 
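Review bot: `(builtins.attrValues nixosModules)` on the uncommented line does not produce a list of modules: `import ./nixos/modules/nixos` evaluates to the attrset `{ imports = [ ./system ]; }` created in this patch, so `attrValues` yields `[ [ ./system ] ]`, a list nested inside the modules list rather than a module. Either export a named set, `nixosModules = { default = import ./nixos/modules/nixos; };`, so `attrValues` returns the module, or drop `attrValues` and write `defaultModules = [ nixosModules sops-nix.nixosModules.sops ];`. `nixosModules` is also only in scope for the sibling `nixosConfigurations` attribute if the outputs set is `rec` (or it is referenced as `self.nixosModules`), which the hunk does not show. Patch 04 comments the export out again, which looks like a symptom of this; the `let` block continues outside the hunk.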
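Review bot: Commenting out `./openssh.nix` removes sshd from every host that imports `../common/nixos`, while only nixosvm opts into the replacement `modules.services.openssh` in this patch; hosts such as dns01 and rickenbacker, whose configurations are not in this patch, would come up without sshd after a rebuild unless they enable it elsewhere, which on a headless host is a lockout. Consider keeping the old import until each host sets the new option, or enabling the new module from this shared profile with `modules.services.openssh.enable = lib.mkDefault true;` (assuming `lib` is in scope here). The `imports` list continues outside the hunk.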
diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix
new file mode 100644
index 0000000..2ad14a5
--- /dev/null
+++ b/nixos/modules/nixos/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./system
+ ];
+}
diff --git a/nixos/modules/nixos/system/defaut.nix b/nixos/modules/nixos/system/defaut.nix
new file mode 100644
index 0000000..4619942
--- /dev/null
+++ b/nixos/modules/nixos/system/defaut.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./openssh.nix
+ ];
+}
diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix
new file mode 100644
index 0000000..0ded042
--- /dev/null
+++ b/nixos/modules/nixos/system/openssh.nix
@@ -0,0 +1,40 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.modules.services.openssh;
+in
+{
+ options.modules.services.openssh = {
+ enable = lib.mkEnableOption "openssh";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ # TODO: Enable this when option becomes available
+ # Don't allow home-directory authorized_keys
+ # authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+ settings = {
+ # Harden
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ # Allow forwarding ports to everywhere
+ GatewayPorts = "clientspecified";
+ };
+ };
+
+ # Passwordless sudo when SSH'ing with keys
+ security.pam.enableSSHAgentAuth = true;
+ # TODO: Enable this when option becomes available
+ # security.pam.sshAgentAuth = {
+ # enable = true;
+ # authorizedKeysFiles = [
+ # "/etc/ssh/authorized_keys.d/%u"
+ # ];
+ # };
+ };
+}
From 858db415b599494d7f8f4fccb83b06ae08fcd767 Mon Sep 17 00:00:00 2001
From: truxnell <19149206+truxnell@users.noreply.github.com>
Date: Sat, 23 Mar 2024 11:44:50 +1100
Subject: [PATCH 02/28] docs: idea
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b96723c..74b800d 100644
--- a/README.md
+++ b/README.md
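Review bot: The new file is created as `nixos/modules/nixos/system/defaut.nix`, but `nixos/modules/nixos/default.nix` in this same patch imports `./system`, which Nix resolves to `system/default.nix`; with the misspelled name the directory has no index file and `import ./nixos/modules/nixos` fails to evaluate. Rename the file to `default.nix`.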
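Review bot: The option declared here is `modules.services.openssh.enable`, but its only consumer in this patch, nixosvm's `modules.services.openssh = true;`, assigns a boolean to the enclosing option set and will be rejected at evaluation; it should read `modules.services.openssh.enable = true;`. `security.pam.enableSSHAgentAuth = true` lets sudo accept any key a forwarded agent presents, and the authorized_keys files the PAM module consults appear to follow `services.openssh.authorizedKeysFiles` in nixpkgs of this era, so while that list includes `%h/.ssh/authorized_keys` a user able to edit their own file can authorise sudo for any key; that option already exists, so the commented-out `authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];` can be applied now rather than waiting on the pam-side option. The `GatewayPorts` comment understates the effect: `clientspecified` lets remote forwards bind to non-loopback addresses, so a forwarded port becomes reachable from the network; suggest `# Let clients bind remote forwards to non-loopback addresses (reachable from the LAN, not just localhost)`. With `PasswordAuthentication = false`, setting `KbdInteractiveAuthentication = false` alongside it closes the equivalent challenge-response path if the nixpkgs default has not already done so.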
@@ -35,6 +35,7 @@ To Install - [ ] WSL - [ ] JJY emulator Raspi4 - [ ] Documentation! +- [ ] ssh_config build from computers? - [ ] Add license - [ ] Add taskfiles From d27d81b420b89c28881037b843de8308fdb4e7f5 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:44:27 +1100 Subject: [PATCH 03/28] docs: idas --- nixos/hosts/common/optional/gnome.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nixos/hosts/common/optional/gnome.nix b/nixos/hosts/common/optional/gnome.nix index cae9eeb..bc59cbf 100644 --- a/nixos/hosts/common/optional/gnome.nix +++ b/nixos/hosts/common/optional/gnome.nix @@ -19,7 +19,10 @@ # And dconf programs.dconf.enable = true; - # dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" + + # https://github.com/NixOS/nixpkgs/issues/114514 + # dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" TODO hack for GNOME 45 + # Exclude default GNOME packages that dont interest me. environment.gnome.excludePackages = From 5923c726bd5afa33aa5d744c4b1d664ba3db2724 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:45:09 +1100 Subject: [PATCH 04/28] docs: ideas --- flake.nix | 62 +++++++++++++++++-- .../optional/editors/vscode/default.nix | 1 + nixos/modules/README.md | 14 +++++ 3 files changed, 72 insertions(+), 5 deletions(-) create mode 100644 nixos/modules/README.md diff --git a/flake.nix b/flake.nix index 772e4bd..eda0fb3 100644 --- a/flake.nix +++ b/flake.nix @@ -49,7 +49,7 @@ # Use nixpkgs-fmt for 'nix fmt' formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); - nixosModules = import ./nixos/modules/nixos; + # nixosModules = import ./nixos/modules/nixos; nixosConfigurations = let 
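Review bot: Commenting out `nixosModules` here leaves `defaultModules = (builtins.attrValues nixosModules) ++ …`, introduced in patch 01, referring to an unbound name unless a hunk not shown reverts it, so the hosts still built from `defaultModules` would fail to evaluate. Either restore the definition or return the `defaultModules` line to its previous `[ sops-nix.nixosModules.sops ]`.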
@@ -61,6 +61,27 @@ specialArgs = { inherit inputs outputs; }; + + # generate a base nixos configuration with the + # specified overlays, hardware modules, and any extraModules applied + mkNixosConfig = + { hostname + , system ? "x86_64-linux" + , nixpkgs ? inputs.nixpkgs + , hardwareModules + , baseModules ? [ + # home-manager.nixosModules.home-manager + # ./modules/nixos + sops-nix.nixosModules.sops + ./nixos/hosts/${hostname} + ] + , extraModules ? [ ] + }: + nixpkgs.lib.nixosSystem { + inherit system; + modules = baseModules ++ hardwareModules ++ extraModules; + specialArgs = { inherit self inputs nixpkgs; }; + }; in { nixosvm = nixpkgs.lib.nixosSystem { @@ -71,14 +92,45 @@ ]; }; - rickenbacker = nixpkgs.lib.nixosSystem { - inherit specialArgs; + # rickenbacker = nixpkgs.lib.nixosSystem { + # inherit specialArgs; + # system = "x86_64-linux"; + # modules = defaultModules ++ [ + # ./nixos/hosts/rickenbacker + # ]; + # }; + + "rickenbacker" = mkNixosConfig { + hostname = "rickenbacker"; system = "x86_64-linux"; - modules = defaultModules ++ [ - ./nixos/hosts/rickenbacker + hardwareModules = [ + # ./modules/hardware/phil.nix + + ]; + extraModules = [ + # ./profiles/personal.nix ]; }; + "citadel" = mkNixosConfig { + hostname = "citadel"; + system = "x86_64-linux"; + hardwareModules = [ + # ./modules/hardware/phil.nix + + ]; + extraModules = [ + # ./profiles/personal.nix + ]; + }; + + # "kclejeune@aarch64-linux" = mkNixosConfig { + # system = "aarch64-linux"; + # hardwareModules = [./modules/hardware/phil.nix]; + # extraModules = [./profiles/personal.nix]; + # }; + + dns01 = nixpkgs.lib.nixosSystem { inherit specialArgs; system = "aarch64-linux"; diff --git a/nixos/hosts/common/optional/editors/vscode/default.nix b/nixos/hosts/common/optional/editors/vscode/default.nix index 59fd27d..5a3f682 100644 --- a/nixos/hosts/common/optional/editors/vscode/default.nix +++ b/nixos/hosts/common/optional/editors/vscode/default.nix 
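Review bot: `mkNixosConfig` passes `specialArgs = { inherit self inputs nixpkgs; }` while the hosts built directly still receive `{ inherit inputs outputs; }`, so a module shared through `../common` sees `outputs` on one code path and `self` on the other; `self` also has to be bound by the outputs function for this to evaluate, which the hunk does not show. Passing the existing set through, `specialArgs = specialArgs // { inherit nixpkgs; };`, keeps the two paths consistent. The rickenbacker and citadel entries are identical apart from the hostname, and since `baseModules` already imports `./nixos/hosts/${hostname}` while both `hardwareModules` and `extraModules` are empty, each could collapse to `mkNixosConfig { hostname = "citadel"; hardwareModules = [ ]; }`. The `nixosConfigurations` set continues outside the hunk.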
@@ -3,6 +3,7 @@ , lib , ... }: { + # TODO add USER settings.json # Enable vscode & addons environment.systemPackages = with pkgs; [ (vscode-with-extensions.override { diff --git a/nixos/modules/README.md b/nixos/modules/README.md new file mode 100644 index 0000000..fe8ab4a --- /dev/null +++ b/nixos/modules/README.md @@ -0,0 +1,14 @@ +Profiles: + +Global: Settings for entire site - time local, chrony, timeservers, dns +Role: What the role is of the device - graphical/server +Hardware: Specifics of hardware (hw overlays, rpi4, etc) +Host: Host-specific (services, user setup) + +nixos +system +locale +time +openssh +fish +chrony From 923b2a02e0e5091c3f9089cce57547da7337b7d9 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:46:05 +1100 Subject: [PATCH 05/28] chore: move locale --- nixos/modules/nixos/system/locale.nix | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 nixos/modules/nixos/system/locale.nix diff --git a/nixos/modules/nixos/system/locale.nix b/nixos/modules/nixos/system/locale.nix new file mode 100644 index 0000000..a96135a --- /dev/null +++ b/nixos/modules/nixos/system/locale.nix @@ -0,0 +1,6 @@ +{ lib, ... }: { + i18n = { + defaultLocale = lib.mkDefault "en_US.UTF-8"; + }; + time.timeZone = lib.mkDefault "Australia/Melbourne"; +} From c6f32af795eb54a547ca52207d9b85f4e976427e Mon Sep 17 00:00:00 2001 
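Review bot: Nothing visible imports the new `nixos/modules/nixos/system/locale.nix`: the module directory's index (`system/defaut.nix` from patch 01) imports only `./openssh.nix`, and the flake's `nixosModules` export is commented out in patch 04, so the `mkDefault` locale and timezone here take effect on no host until both are wired up. The subject says "move", but this patch removes nothing; if `nixos/hosts/common/nixos/locale.nix` still exists, the two definitions coexist and the `mkDefault` values here yield to it.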
From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:58:14 +1100 Subject: [PATCH 06/28] wip --- .sops.yaml | 4 +- nixos/hosts/citadel/default.nix | 145 ++++++++++++++++++ .../hosts/citadel/hardware-configuration.nix | 38 +++++ .../optional/cloudflare-dyndns.sops.yaml | 57 ++++--- .../common/optional/dnscrypt-proxy2.sops.yaml | 55 ++++--- nixos/hosts/common/optional/maddy.sops.yaml | 55 ++++--- .../rickenbacker/hardware-configuration.nix | 10 +- 7 files changed, 288 insertions(+), 76 deletions(-) create mode 100644 nixos/hosts/citadel/default.nix create mode 100644 nixos/hosts/citadel/hardware-configuration.nix diff --git a/.sops.yaml b/.sops.yaml index 638fb8f..ef7e25c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,7 +3,8 @@ keys: - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz - &dns01 age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x - - &rickenbacker age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk + - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc creation_rules: - path_regex: .*\.sops\.yaml$ @@ -12,4 +13,5 @@ creation_rules: - *nixosvm - *nixosvm2 - *dns01 + - *citadel - *rickenbacker diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix new file mode 100644 index 0000000..3838124 --- /dev/null +++ b/nixos/hosts/citadel/default.nix 
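Review bot: The age recipient `age1u4tht…svm7mgk` changes its label from `&rickenbacker` to `&citadel` while a fresh key `age1cp6ve…sdkgagc` becomes `&rickenbacker`, and the three `.sops.yaml` secrets in this commit are re-encrypted to add the new recipient. If citadel is the former rickenbacker machine renamed and a new machine took the rickenbacker name, a comment beside the two key lines recording that would keep the recipient list auditable later; if instead citadel is a new host, it is being handed a key that belongs to another machine. Adding a recipient also widens who can decrypt all three files, since the single `path_regex` rule scopes nothing per host; worth a glance whether a desktop needs the `cloudflare-dyndns`, `dnscrypt-proxy2` and `maddy` secrets at all.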
@@ -0,0 +1,145 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). +{ config +, lib +, pkgs +, ... +}: { + imports = [ + # Host-specific + ./hardware-configuration.nix + + # Common imports + ../common/nixos + ../common/nixos/users/truxnell + ../common/optional/fish.nix + ../common/optional/monitoring.nix + ../common/optional/reboot-required.nix + ../common/optional/gnome.nix + ../common/optional/editors/vscode + ../common/optional/firefox.nix + ../common/optional/sops-nix.nix + + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation + + networking.hostName = "citadel"; # Define your hostname. + + # Enable OpenGL + hardware.opengl = { + enable = true; + driSupport = true; + driSupport32Bit = true; + }; + + # Load nvidia driver for Xorg and Wayland + services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc. + + hardware.nvidia = { + + # Modesetting is required. + modesetting.enable = true; + + # Nvidia power management. Experimental, and can cause sleep/suspend to fail. + # Enable this if you have graphical corruption issues or application crashes after waking + # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead + # of just the bare essentials. + powerManagement.enable = false; + + # Fine-grained power management. Turns off GPU when not in use. + # Experimental and only works on modern Nvidia GPUs (Turing or newer). + powerManagement.finegrained = false; + + # Use the NVidia open source kernel module (not to be confused with the + # independent third-party "nouveau" open source driver). + # Support is limited to the Turing and later architectures. 
Full list of + # supported GPUs is at: + # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus + # Only available from driver 515.43.04+ + # Currently alpha-quality/buggy, so false is currently the recommended setting. + open = false; + + # Enable the Nvidia settings menu, + # accessible via `nvidia-settings`. + nvidiaSettings = true; + + # Optionally, you may need to select the appropriate driver version for your specific GPU. + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + # Configure keymap in X11 + # services.xserver.xkb.layout = "us"; + # services.xserver.xkb.options = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... 
]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? +} diff --git a/nixos/hosts/citadel/hardware-configuration.nix b/nixos/hosts/citadel/hardware-configuration.nix new file mode 100644 index 0000000..09462b7 --- /dev/null +++ b/nixos/hosts/citadel/hardware-configuration.nix 
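Review bot: Most of this new host file is the stock `configuration.nix` template commentary (networking, i18n, printing, firewall, stateVersion) for settings the `../common/*` imports already decide, which buries the host-specific parts. Suggest trimming it to the imports, boot, hostname and nvidia sections and keeping a one-line `# Do not change after install` above `system.stateVersion`. The nvidia block appears copied verbatim from the wiki, warnings included; a short comment naming the GPU generation this host has would say why `open = false` was chosen. `services.xserver.videoDrivers = ["nvidia"];` also misses the `[ "nvidia" ]` spacing the repo's nixpkgs-fmt formatter applies.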
@@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/C634-F571"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp12s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml b/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml index 2c545e6..2682311 100644 --- a/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml +++ b/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml 
@@ -1,8 +1,8 @@ system: networking: - #ENC[AES256_GCM,data:pZhhqGtwLJ4JiBm9056d8HQnzvQZeAghKkOButPkbnjXmXxzKWSZVJhbqU0Hc+XBs+EcUOCcvsSDd+Pkue9sxEwJoTmWIc8WzvUTHw==,iv:bKt6g8YBlsMxXcKaPW+5uMNbTh93YxnHxjOW4gwPrhY=,tag:kx7grZBcgSvYn2TBpDiAnQ==,type:comment] + #ENC[AES256_GCM,data:JFRHRwBs7Qdlsjp5cJyPo7xey9vwDKI4lsaWwOVLGuAeSWcIUXmoF6jkZkutKI+txyjQoxqrXtvab+M6DDBG9jCC3/qcQxiljvK6+Q==,iv:tK+9bBVgDe2T5wDArr3IrSuTND16VUdMtsfbQ9OipT8=,tag:baChOJUpTAk05LRSxwNfqQ==,type:comment] cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:HCPDP3uDBchxKBT0iu5obiLK8echeVyWfhBJ2ejq2cyZV00Uwh/t+usEMzmkrXdBGHUpafMIkUkAcOhCJYa8f9bEFYcJVowbE+nff3GsBtm4rA7Hx0ZVgHOjSyEVo6vPtWgX1y8EwUrAKSZYCoiG7uI/Gg==,iv:BZWwztLfSjg5n57gTsXiVZ5sn9mJzizS15KGkCHnalg=,tag:9INru4xTAH8gMXZcqHS0uA==,type:str] + apiTokenFile: ENC[AES256_GCM,data:CG4KyihV3MQ9/JPmKnRAwUbOQb1IrM9yKtWeIbXtjRDjxENIcJC+tId4S9WnQ0u6WwtyDPIEbjNcZXd4pckL41mBb9E4j8Cap+ocEmuWyP4xOu/a46+yVF+Ai2mzehIx1xzx5+HsHzdh2W0WXq/T5Vi/Tg==,iv:PVQVajn/ZaA0mJEOWp+9aKECkSV0ZuQdd0U2nKw/sHI=,tag:Jj/uotKuagQa9cj7OOrcFg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -12,41 +12,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSlhOUWRldTVEaVg2Vk9L - eDVXaExqbWRtSVlaVXBCdXpGek1oVXZ2a0ZzClpOUEtjMEE0KzNobmFCLzg0S0Vh - WnhKeDFUOXdvZ25ndjhuVitWWE0vVlEKLS0tIG9zZzNvWU9KZ2c0SEsxN3oybjFw - Q3RTL1Y2MjYrQW40UnZMZlZVUncwVEkK7Sh4kSeSxgtbclAdQdITzOVpSBbF3t4R - tvUEEun08V5FO01QzyNuTBC9q5geGwRgjvtWSX3lECSD1AaG7VuNCA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQnZRaVB1eWlBRTlMNlUv + WVZxd0VSMUxlT2prY0hQSllVZWgxSFhXY0Y0CkdBNnpieTdXZ2lWUUNYSTNVUEVk + OEpUaGNHNFVYcFJEVE82RWVFZzl5MUUKLS0tIHQyT3lxZzdHNkpINTNTN3ZwQ0ZM + WVl1aHphTCtiM3FlbzBoMWMyaS9oT1UK73PSRG50mZ8S6FajvllQFt9Ye8BoJJUe + iOw1H2tYr4V7QjHOaE5yCvQJTMUtc4EI+PfkmiiKRtsKbfibO1IylQ== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVWsyR2JqSHA2NEQrV3k1 - SkFjV21oMERJR0Vra0pvalpMNlBVVTY3eVRRCnNtOVhiTkpGY1hwYW9RYW83TldX - aWxhZTRWKzNQYy9DWnpwbCtmWWMrbzAKLS0tIGpRazhEZHpRUVVmWFh5QnVlcGVn - citoYmdhRUlNODdlaVdwbmE5ejV2RlkKJh/ZHEnDe5yjY88mzXFHE2rQgIjybEgC - EnbmboDKby/Ns4Rts8M/qS9AUcbk+3B5Ls0IM4zPIGPH1UflKbFbJA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieUlpT2ZHYXY3bm1TUGc2 + c2NlM1V2V2pZbFI2SjFXdnF6Z2JqS21jblRnCm5hdzJIenB4WXRweEVGV1dsUzY0 + bVZDQjExZzdWVmlkaXdiQzhsaEhRcEkKLS0tIG03aXEzbXB6VWRxcmFZQ2IvK3lR + Q1RRL2pIT0Q4bk4zQUszYkhFTU54MU0KUCr7lwMzu2FNxmDkWsNxpiJ5F/DaAOWj + GhU0TFPJP8jEBDHJKXPJ9IMkXtyLU4F14pZBQGk6cVmQ7Ll7ABAW5g== -----END AGE ENCRYPTED FILE----- - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZzdmQXdLZnl1dWhnN3Mv - ZmRtRE85ZFhqYkpGbTQ5ZjRuN3IyWjE5UVJnCnNFT1NqQ0hGMjFHNmlPVmxYOWYx - N3BXOC9Ic09hTTVydHhPYzg5U3NwWTQKLS0tIEw4eFpDc25HeW5GK1NBZUpHYWdL - 
NEtGMXZabVlzejhMOHRBVDNoeTVkbmcKbx3mHeCwfjWB1RfsGV2fsGgr+A6ObkhG - 4Ki+HkGB1XkU/gkU6PwyAq3/9wF/h7otoGHNcvKuMVZNj8AbtSy15g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiL1BjMUswTkMrU2kvRDNx + MGYrY25mbS9rWThvQ05lc1VnWExpRk9LQjNZCkF3REt6bGIrZTNKTGpnalZycVdi + R1NSOTNoeGdCcVZCQW0rM1B3cENHT2MKLS0tIFIwQzk5cFIyNkwvZm5rQkNnVU1y + ZEZEaWUydmV6VXVFdEpubkZRcjNvbUkKMuX2cuewaVDQh3WcEvTq3b/OT9D4eLQ8 + dP6e2umiDuWO7xjSDtN2hMvAtwzJ2ac0hpGCl0yVFAcDeCP17O9alA== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISTF6ZGt5L0dDNHp1cFRK - SUVMVnlmOHFKR2hEMW43OHl2WVc0T0xnOVhNCjFlZHJjUEIvT1NYMHdGSS9xMkNY - dFgyeHQwRWRIbzFPREU2M0Vjb3FObTAKLS0tIGxuSHF3RWtiZE1KZG80K3BlMWh5 - M0x2SzNYa2QvZlJ5aW16UWRGMU1RYU0KTJIhjRj5g5yiSqxHupbPVSUsuasCgmST - OG3iofre+AVi5WfWTaSArfpTCm/y1z2UGbSK+KmJ0SM4xayyTvLbIQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNjcvMFpXbkJDZnoyT01D + Mmc5L09KMCtxVFhWWW9YWkh2YSs5c1RscnlvCm9BbmJWZkQ0UmFuVWFrSVJMY0da + TFNLUXVKWFV6bzN4RXg3Q3hoaW5UdTAKLS0tIEZzWVd0d1hFZ0xPczE1NUt1SWl4 + Z0hZcTl2OWNsRU9ncWhjMW1CNGtuQUEKDGSbGS4CTWWZuyH2DqcMd+SmH8Mmgn6Z + jqEfzCWcV0eUWN+89ic75I/Yy9JpBPvhyNnTatMeEOk6gypebgk6GQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-21T11:56:33Z" - mac: ENC[AES256_GCM,data:afQFkMRxfYsBKPfoAYSH1sNkGWDZRMH51PREmCnBb5UyZ4dEIPaLeZfnnOVY5+91EsJDURpXO7Moks6NV1zm36IdrBBkUG/2kHYQDbsrO7OQ+Lpuqk/e+Mp80oAkisWVIjytEDdzrHH4xs6YVj2/ihbTA2pVnqiBNMViEx2mGN0=,iv:w65sp9n/iqy6c2By90xCEjJKL6KwbZiB8fIb9RsEeAw=,tag:au3SnXULfI2TXsRuYQMNIw==,type:str] + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzNHdwTHVGWGNWajdGTHVp + aTdndkl6SlE5TWM4dm5QOVZJMkxiL0VRaFhRCnlOSE1HdCtxbmlEak44VDloa0U4 + ekIzSFV5bldldnZ0eVNnV0t5MzllUjAKLS0tIFdwRjZIT21FR3VDeVV1V3VnRDZu + 
YjYrckxVRFFQcDNHVDNTNTVjVUZWV2cKkGTwaweH584hootSwsldyoiHfBFYMaNO + K4PuA8SHQMBP5obqljiplFx+ld+cFii10BLKbuNLx97oRJy5WyRqzA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-23T09:42:43Z" + mac: ENC[AES256_GCM,data:9B0TsfNaVnt7WrO0jkP4dd37Ys3JKj94d4Js31wCsPw5JZbfb+eC5meqIti1PJhw19xRG1BdpXLXGQ6XEpVPY7mU+BiVNpgaGv9+tYlxibie7+oHuCuVhnQUnqh3/FllDlq1U3jwtwHjXrEkJyKD85afPdegFrkbVozMCoNE7Cg=,iv:8tHw/5A+6IHnFURCDwsw8Kune0vNilN3CBz1e3T7Mpk=,tag:8ZRnkOd/DfoPzkEjwhK+iQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml b/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml index 240acdc..8b354ac 100644 --- a/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml +++ b/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml 
@@ -1,7 +1,7 @@ system: networking: dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:pQ/4p670nxLQB2aVenFag/Ngk+SgGXDSW8GZJDYCRxsv7A/2qtuhw5qQ+x7Gmx4OonJy9futOg9EsylfztelUnGSve09Yx/KuQUAd5ctnfBnLWqOtX1snpm3oHD0eRYOEzo/UUJlAo26qTwOhn0t56ATv+LemIsn94wCjiWA2mg91T2VuIPWRoHfpZB5JxAV5/9vUfiGdLka4TugxDzsEvFtYAGuta3pJuQJ8Fv3O+idTsF9izU/JZKNTDe1kwngT5paMQTpAi2dqLq0MgjaXbhJsTBpYwctRy7Qs2/Q5AjNvXTfrmtIHy9wo9dD9MWRoYHC27wsMiuMlwrfNSZpt1mMVFddsS+GhpEfTwp1XPub8Cavc74VmYzQLL20e0/2jH4Swjq+mCtBGnnW+qA4ZMCbh/NDpNhm6Am5hPB49d+Vxfdhp/QeNOis55usD1aYAAoM5FFCH9NzOWCHcturqxc=,iv:FmjGnacQU17+/SFHzauuj//R94uKPhTv87rcL4QvVjk=,tag:lGFrCyZ6Dl/n9HIIdZZf4Q==,type:str] + forwarding-rules: ENC[AES256_GCM,data:/Bmttk/FpmpN7IvxUgR2Hv/x0nqXP/YxGVSssYQUEcSIq0P5D5biyXK86yrbEsqUJzhH3kr2SjRHIWnZbJbtcYp/SfvqmktBfACmraYsrwO8uYkZq9dcMjBLO6T+UUeZzbD3nRF6TSgxpFYR7SWCn7P/DejcfSFT8wUJyLCqYMtkkilgOPXIzfYMH+982fmRHxQeswTuMUPXk/iczvAfQ6F85ZhFbJojzvf7eXZ3uxUwkGRE7kjsqguA5GUkYzQXsiXD2Tg2iAco5V2fQqmOEvdK/a0NCPogijIdPxgxJZENG/7ssz7k1U0egToCbPy9DcC/n3FEH+5hCEvHt5ErlrR63QBfwAf8K3TJHygCpWx5qMx//+JIUfPtWsS1y6tzvZ+2eQYscolZBQSIPkgD8KbHjEAkIlUtNqYPgGxwvyGCiucEWWc8BQImUYm+OpZwFiM1tfOAewB0W8v8o7b8PTY=,iv:MBq6w9o8iHQ51C53uLh34D5C7D1wMSGkwXQtb09y3tI=,tag:vZ5SQWmm72ytJr1zOqVgCA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,41 +11,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TCtBSTMxVGZGbDlqV1JX - V1JtWTRTaXFKdlhvaW9oaXozN2hPanpNdDJzClQ5MVcxcytRMERiZjRGRmZ6MTlK - SWxpQWhGdk5FVVZtUEJMYnpEdFcvRGcKLS0tIDlwc2x2aGdCZkNWM2FIQXBBTzg4 - OFFPeWVIWGI2NWhxMEhjWGtHeVl2bGcKL8r6ktx/OfboZGy8FPJqLXrschvhatMe - BEtT4vbCGw7Zj6KjaZeJoMIdHtIcC1wi7N4sB6oIvCyxBpQajfFfCQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaUkyWnhXZDNBWUx6VXZx + c1h0S0dJKzVlTkdkVTRsVlg1Z2w3c3pOS2xrCk9TTGpsbyszRUg2N2RzZG4yYWYx + Sk9zaEFCbjJQb082Zm9La1hLN1h0QjgKLS0tIDNmUUcybFdiOVhLZXY2bUlmeXpx + eGRkRDl2MlhJeEJLdXBYcE9XSFgxVnMKx6nlTItqsde0ZzudnNyy3IcWyE9OfyDM + Iq7S1xNyMxFNKoj7ZQ9O+WKpf4/A7nCgB93qdKi8dyFcQsNL+7z2/A== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhekpvRzZHSkxEcFFPVjZh - b2p4SCtrRnp5UzZlU3NLb04wQzRXY3NWT2pVClJFM0dVNVFDWkErWDdRL2Q5NEth - NThEako2L2JrT3VBajBwdUVJd0Q5Z00KLS0tIGNGekF1Um1xQlJYMmc2Y2c1Mlhl - ak16ZVFMVnBwZ0dJRkNzRFRoanE2L1kKW4Oxl4WniSVQuQTxTfEBwUOY7FBsJKp/ - FZwpti7hhdX6Fc7YAXj59KClyGBzyzOBVboY0bQzMD4XuoRkgd5aDA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZnFldVp2Y2NzR0dyQVVZ + b3pxdUExcDExUWg3YkVYZVBOTm1IKzRwYUVZCkxNUitNK0syS1JjU1N6NWNlYVk5 + UFV4Wk55cEd1bWZ2WTJjaHB5NVg3K0UKLS0tIDV2bGtPZ1FhVjNVRUE5VWdQSktQ + aHJEa3hVSy90U3ZicnluS2dxMXU0L2cKGLPwOid+L7IWZtKgQ8lF2pPrAOrxZBFA + ctYXJHi31T0U2MDBrOsarmRhMd1ofvUQnz/lemgIG2F2HxTad7R2Rg== -----END AGE ENCRYPTED FILE----- - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBha0pRZlczNHd3SlJmVDBU - aTZaT29mbW9oZkJGL3hpNDZFbkpsSGk5dmtrCno1aFU1ZGsyYUZETUFtNHBzL2tU - bHpZVE1Jb2R6Z0QxYUc3cGNpR3N1MzQKLS0tIFFUc2VhM2tTNHRSanYxOVZmNVpK - 
Yi9GemV4c0hMNWRNWnplVnNVcnBjUm8KF3NraIgrWU18VlWpiPC1l2iaUqwrPNkS - L8geWFzOPa16/0tLbFJc22v4z8XJor59msEqZtBHTSjKCk6SrA2mhg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyWTVma1hMN2NHMithazJI + YjNYRHRDcnZ1VnUrOWxnczZ3Q2QrdjNpcHdFClQvb2ZJMDFKRlVabUk0Mmc1NE5E + NjdRcmh3ZG1lN0FrMDJZU2RndW5nM2MKLS0tIE01cnpJMXRZY25waWdaa00wbWxP + RmJWVld2Yyt0OXdZVzRQeFBQTDdQZ0EKewL6evla5/CrqsSoDgK5TbQv2B26Unc/ + /WU+Zi/bo0bd4iDfbUPdtxg9hUqsnP4cjnX0bFR9PP1IHcbTaS3cMw== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Qk9WK0IwY2hjQkIxMm9F - NWhiQWV4WjlpK2p3Q3NrblBROG5xa0oyYjNNCjVqRys5dGxabkl3eUVWNWNCOHpx - N2RiWThzNGovMFlVcmhrZjVHR09pelkKLS0tIGRFemo3NVh4dGFxNm1JOGM5TXFK - YmVhVU4vT2JWdjJyWkRsL3h0VjJESFEKMVOK8FxLJJyYIPF5i31QoULTJRjq8s+8 - 0T4tZXvJV9WgKG8qWTo4pGfnQDDp6QdqSzb2b02WQJEexmaeR979fw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbmltMUd4OWpzL3VDVk8y + N202YlIrWXg1QnprdjNJRUtiaXZvVVBOdWlrCitoQnQvbUxLN3E5VEhaZlh0OTln + eXlhV1YzMUFVK0hzNTdyQ2gwSUxzZEkKLS0tIDFaWTU2WUR1aWhxM0M5am9sOFVQ + VjJnbE1SQ285MVJHeExxbnpwV0c3Z0EKZsw0o7hZgswaqVh/K3kDORJiSxkGK9Zr + cJHnA2e7osm7F4wrkc++GXCEsjvdM1V8uXp8bHrrvBwlbBJA4C09HA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-21T11:56:33Z" - mac: ENC[AES256_GCM,data:7i10h+RJUJamnPvFIcORQrDukNudtXHLXeNkQqGHCCWsRPnXOtP8Yw8/l0QR9TH5BIxT/u7mjJnz7WfmhghkYSnKPqyHEmYtoLgmq4AsrpSoXUgbBdMDgm6UZr8NqkE2J0EUDI1AhzAH9JCakRBsrO07qRsHyjiH5Q01w0oLYTM=,iv:4gqb0eHHsHkLNLZ0jTqGRp8OGad/49VKmhINLQwlc4M=,tag:13noyAbETQkj7uVSCRD8pg==,type:str] + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdXU5N1FyUHdZNmI1UEhX + NDcwR29UNE9hd2dsMHlDSjV4b0Qyd0lhelZVCjdhd3hnWFZncGlyTVJxdHZabXFN + dExUMmdRSm43UWtIYmhzZ3hTd29WRzgKLS0tIFVjZy9LbGMzR1VJTGs1eFFzZG1B + 
OUVlYXh5MENVZ1YxempVYlQzeUQwMXMKn5AzTMxMGCbQUGdtsOt9d4yxK1R6Vb0G + +IwgbUNS6+djhuW5TMoW7Avc/b3JbQ3oc6VgXLxTG5X2qBqasKw6Xg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-23T09:42:43Z" + mac: ENC[AES256_GCM,data:U7y0kd6xcz2S/1X0/FDqk4kq29K6nGE38WAfnmpgbfYXUQnbbe4dBPTbyo47tKRZiY05baYSi4cqUwYiGU9LX6KvfZSq3bYJRLiqKGrk5AMUyrzygWvceOaO2yYhjRHKU7J0rNq9pbXwtn/vjbKfzDQxXnWkAQ+/SIJbDebMlB8=,iv:5lTN4qd7XaRK0H/S6bYTMQJ3XIRGsoTVS2oK9MDBfOI=,tag:wgdr6/XA1vO3/ZqbvlPVEQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/hosts/common/optional/maddy.sops.yaml b/nixos/hosts/common/optional/maddy.sops.yaml index c6c2aa7..b4e854e 100644 --- a/nixos/hosts/common/optional/maddy.sops.yaml +++ b/nixos/hosts/common/optional/maddy.sops.yaml @@ -1,7 +1,7 @@ system: mail: maddy: - envFile: ENC[AES256_GCM,data:VFqV/ZqnOlJeJKNZ0YGf1ORPQGn61GFqaSyHnRwh2aH/Xe67FJEsUsY1HW8hsZ3nKssmk5kbvvUZ39kqwUpqQtwhkE//YOhFCdYzW1hsT2nc/Nfm8pSGSiy+VTKehp1/QBsm+p9n4kgvlIwZaneerMQH+Z3B/1d9285wckZWrFuMxWw=,iv:lj9OGG5vEgF1osQIpnxYHEYwVQMAZaeWqSXfES2ESVI=,tag:H1PTFWs3iNwInXUe0e5aFA==,type:str] + envFile: ENC[AES256_GCM,data:Tl3ho1MPmjdoDnCF7it3zFsVpv7l7D9nzFFKWfyqhBYmk41kq8SXIFsHBci0tAc8ON628/zb4D1rwXtj1N3AVcCEQeM8snjwo0wd6pc6yoCLnkf3mRITZAftLEgLPJbAsb/OAtDQY7IKiPYubZwBCDjbsQrWez1ZYMO5WpsPD+2VOTI=,iv:HhZCs4uiJK2iXJiAupMQ0NQq0xs0WRiBJchc19UbgQM=,tag:t1SbqqItK5wX9Wbli2V4Aw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,41 +11,50 @@ sops: - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWXFWT0ZJaHVwMSt2by9Z - cXEyWDBmb3Q5VEEydlZoMU9PdGt5cFM5TWdJCmg4VC91NXlMdHg2OXFZeGlTK0ZJ - eE5IY1V3N1pNTHRpZGQ4YjlrU1Q3KzAKLS0tIGxFbkdoRU81b0o1UGlHeFJ4eWkr - Q2VjY243REx4ZzlVd2M5TlhFSjBCTm8KlVvxg9WvhEvhhKozS03hCz5doU3YnIal - erRZggFlxzdpG5Nk/tfEaQhGL6HeeF5j8uBO/x9E7DMYpxtMxwA5BA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZU9rU2JsWVF5OEVsbTBF + QlJLVDFWU3BISzl1SWk4SUUwL3VCNFZQY1VvCk5nTXJlazFQNXo1ZVhJMEpTRnVE + VlNaalRqTUtTUlBVeWVVaTFvMmJKVVUKLS0tIFM5SEIyOURhUWFHa3RrbVBSRFlT + VS9WaGhGUWpMcEJ0UUVsRVR2S2FtR2cKhePhqrlZ9KpD9CQOJ7tObqLOXWCxIxUv + X5jPf2gEsWSPnrVPehSbLjsyAFlMOVCgEcc1o5qec+cFgqwN3HcuAw== -----END AGE ENCRYPTED FILE----- - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEREVkRmJGRTdiUlhhMGQ2 - aytPZnM3NnNFcWtrRHJqVWlCZ0FGY29JVDM0CmZSbWhsVlBPTXZxL00wUHl1Q3pn - aHFnQWQzNllZaDF0MUIweVVFVlhoMG8KLS0tIFpaOXl0TU93Z0Nkbng4L08xbU1Z - VzhGdEwzTDh2QVlZVVhJbkYxV1pJbncKcx51Llv2qiX2hTHx9P3+STFYhuG9SKqM - P0JLENehLDU4pYF3qva92dr47msBAEPmnVTs4C4Lj6aycoc4WXhjcA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSTBWVXlyN1U4dE80MnpR + UWNFYjZycUlFR1FETEJLRDdiNnZ1NzRZOEF3Cnd3QkI4TlBZRkxmL2kwaTl5eUVC + UGNGbnc2T1hPcWxOZjNBTTlrWDdnTTgKLS0tIEFjR3BFMyt1NUhhRUdmMzlMNHow + RVlqSmhZQVZXcXZFOVBhTEdDMVQvTzQK2ZMfPvX7plEopZH1mXLvc1cxa6SD/GM7 + EBaUbiRM4IccKf+6Q9w4Zna/3naHgr2EyDhJnXiNx6C5sMPpx+0Npw== -----END AGE ENCRYPTED FILE----- - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSnlXSUJ1cFlVNVdobVBQ - Z3lYMW5VY0NKMFlZOC94WWtyWUdDdnZjZFVFCnZJeFUyWlpCbGdzOHpNbzdOcEVF - Uk9XTE92ZjhiVGNuaTN0SDgwU1F4dkkKLS0tIFdVNjl3c3VQaWY5eDUxRG9LT2w3 - 
Ti9HYmplcW8vQnJObk5zU2VjcXlwRGsKDhUS5CF7CXK8ZxdJ4qpZx2ZV8LAYsiUw - x+W8bmsyUlMRGX6qxi/U834t25k8/49eDWkjQXMHvIO9oYXEUak1iA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQ2tiTUdTcjcxS3VIdDN0 + NXBqT3Vsc21CaTBxaWRMcDRDOEFhNDIwZXdJCkdtY0VyWGVPTk5VQXhJQXV3RWtt + Wkg0SWI3M0VzclM0TFliNmtBT0U0akkKLS0tIGxWZG9BelVHSzNROVVUQ0VJLzdF + OEphZmdxN0kvc2tpUlJYTXZ0M0ZPem8K3xHBOjygxjQsyXUFh8kK5YPWLDPUAJho + AiVmd5EtWzFJikz4MW9a6P7eeUUzdVEBa4KGI9VdJ8JDFtLGZmmG+A== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QW5aeEJnY0R5SmNnYldM - UTNZaUZCWDdMMVQ2bWZCWk5TZ29KVEhWa2tzCjdSc1h2K1cycllFbTZqb1VteHhs - N0l1K2hkem51ZGx3TlZDQ1J6SVRDR28KLS0tIG1UaGVBNzl5NUtocFNzYVlUWkUz - K0lDVE10a0hZZ0xQcDljWnZmc1U1L1UKyjf60ujEGDMJ2/RNRjT3y3eot83UOdKY - cbQBKcKrUHs2JeVpcFQk8jy7CaPXSGJePmp8jicArw1nGJvCReaGEQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnN3VrcFZZSXp0eHVaZXpz + R0RWUkpTOXVTb1Z3ZVdRK0N4Q2NsNTE1cmwwCkxWd3BRWDNpYXFrNG52S01paFdh + U2VwSDNVaDdySDh6dTcwQWszU1dBSlUKLS0tIG5XVWkxUFhhZTMvL1pOYnZwdWJI + NE1ldE5lbDRKZzd0clhSMEl0dUM4d1kKa1EJEG5Vs7MAlCjJJN7rE/9u18enxjdM + noJCoHviMHymGL5SR7BccPyrsJ3V3wH6BTEYQ6iVbC5wV2jkRFH+tg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-21T11:56:33Z" - mac: ENC[AES256_GCM,data:hJxB91k91sDyZjmIntzCakFnSiLr7+qBPeneV8RmPJBod8Z3cFwHJ0pv5LyO7wIFhleW2kH+NM8b0Go4uiz7G683wfc9QTUxiUh5tR92a4xK5QnoMQ5S/AgDM9FDWYQ2cRWutqIdMA/TbGsfrwNLCdiGli5N4Ie98y3BXlGyuIY=,iv:NldyFeAF/hJEdg4VVymtHEebfbJD/GaxGaP55F/vKY4=,tag:e709To5PwxJJvDPVJhJecw==,type:str] + - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBveFZjREFtdnFSaWFmdlh1 + OTRhdElyS2l2LzhxK1A3WXVYYUdHanFZVlRnCjIvZ1JkTU1haWVoa3BjUWhyVTQr + ZnFLUnUvVS92N05UYU5KNitDVGVnV3MKLS0tIHJ6TWE1M0NaL2lSOUZEek9STDMr + 
eUphaFNjN3lBTnBJeFcvTGlMRG1VTVkKA6NMCTagSRvGP9buvAcHrkBlvAH48JDF
+ bRc92UqgD4PjK4uwjyQX25t81MBMAhcCBcVxSAIQwhRol1WXa2k7ZA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-23T09:42:43Z"
+ mac: ENC[AES256_GCM,data:c9u1+jT/GYCckbdGACGATi9gBRFW5YBjz74vUBMYUkz609BxMG0IQdQSCLNvF/3WM3MDABW6qooxsArVu7Cofq2peD59x5DJVM6Q2Q6SHhqOZAgg1YketI+LFrpuS0eL20EwrgQStRDrbPR0kk5KLlAYyWEfSK4HOqY50IKrPYc=,iv:pzPrtQ2vzyajmGlNqFI+NKrIrqbqoYFsxdAFebSgq0c=,tag:3D7EOXAiV0VWjj3abofyjw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/nixos/hosts/rickenbacker/hardware-configuration.nix b/nixos/hosts/rickenbacker/hardware-configuration.nix
index 09462b7..3e84390 100644
--- a/nixos/hosts/rickenbacker/hardware-configuration.nix
+++ b/nixos/hosts/rickenbacker/hardware-configuration.nix
@@ -8,18 +8,18 @@
 [ (modulesPath + "/installer/scan/not-detected.nix") ];
- boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-amd" ];
 boot.extraModulePackages = [ ];
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5";
+ { device = "/dev/disk/by-uuid/fe728106-aaf8-46e6-ab46-1610f1f4398a";
 fsType = "ext4";
 };
 fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/C634-F571";
+ { device = "/dev/disk/by-uuid/44D0-91EC";
 fsType = "vfat";
 };
@@ -30,8 +30,8 @@
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp12s0.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
From 4e3302f999b68ee6b172bdfc97ff147d449b464a Mon Sep 17 00:00:00 2001
From: Truxnell <9149206+truxnell@users.noreply.github.com>
Date: Sun, 24 Mar 2024 18:34:14 +1100
Subject: [PATCH 07/28] feat: initial global profile refactor
---
 README.md | 1 +
 flake.nix | 21 +++++-----
 lib/default.nix | 24 +++++++++++
 nixos/hosts/common/nixos/default.nix | 2 +-
 nixos/hosts/rickenbacker/default.nix | 42 ++++---------------
 nixos/modules/README.md | 19 ++++-----
 nixos/modules/default.nix | 5 +++
 .../nixos/system/{defaut.nix => default.nix} | 2 +
 nixos/modules/nixos/system/locale.nix | 6 ---
 nixos/modules/nixos/system/openssh.nix | 39 ++++++++++-------
 nixos/modules/nixos/system/security.nix | 26 ++++++++++++
 nixos/modules/nixos/system/time.nix | 25 +++++++++++
 nixos/profiles/README.md | 19 +++++++++
 nixos/profiles/default.nix | 13 ++++++
 nixos/profiles/global.nix | 17 ++++++++
 15 files changed, 182 insertions(+), 79 deletions(-)
 create mode 100644 lib/default.nix
 create mode 100644 nixos/modules/default.nix
 rename nixos/modules/nixos/system/{defaut.nix => default.nix} (54%)
 delete mode 100644 nixos/modules/nixos/system/locale.nix
 create mode 100644 nixos/modules/nixos/system/security.nix
 create mode 100644 nixos/modules/nixos/system/time.nix
 create mode 100644 nixos/profiles/README.md
 create mode 100644 nixos/profiles/default.nix
 create mode 100644 nixos/profiles/global.nix
diff --git a/README.md b/README.md
index 74b800d..da70126 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ To Install
 - [ ] JJY emulator Raspi4
 - [ ] Documentation!
 - [ ] ssh_config build from computers?
+- [ ] Modularise host to allow vm builds and hw builds
 - [ ] Add license
 - [ ] Add taskfiles
diff --git a/flake.nix b/flake.nix
index eda0fb3..8f39fd5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,26 +35,27 @@
 , sops-nix
 , ...
 } @ inputs:
+
 let
 inherit (self) outputs;
 forAllSystems = nixpkgs.lib.genAttrs [
 "aarch64-linux"
- # "i686-linux"
 "x86_64-linux"
- # "aarch64-darwin"
- # "x86_64-darwin"
+
 ];
 in
- with inputs; rec {
+ rec {
 # Use nixpkgs-fmt for 'nix fmt'
 formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
- # nixosModules = import ./nixos/modules/nixos;
+ lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
+
 nixosConfigurations =
+ with self.lib;
 let
 defaultModules =
- (builtins.attrValues nixosModules) ++
+ (builtins.attrValues lib.nixosModules) ++
 [
 sops-nix.nixosModules.sops
 ];
@@ -70,8 +71,8 @@
 , nixpkgs ? inputs.nixpkgs
 , hardwareModules
 , baseModules ? [
- # home-manager.nixosModules.home-manager
- # ./modules/nixos
+ ./nixos/modules/nixos
+ ./nixos/profiles
 sops-nix.nixosModules.sops
 ./nixos/hosts/${hostname}
 ]
@@ -193,7 +194,7 @@
 inherit (configuration.config.nixpkgs.hostPlatform) system;
 in
 {
- path = deploy-rs.lib."${system}".activate.nixos configuration;
+ path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
 sshUser = "truxnell";
 user = "root";
 sshOpts = [ "-t" ];
@@ -208,7 +209,7 @@
 };
 # deploy-rs: This is highly advised, and will prevent many possible mistakes
- checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
 };
 }
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..d43a07e
--- /dev/null
+++ b/lib/default.nix
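Review bot: `(builtins.attrValues lib.nixosModules) ++` reads an attribute that `lib` does not have: `lib` is `import ./lib { inherit inputs; } // inputs.nixpkgs.lib`, and the `lib/default.nix` added in this commit exports only `firstOrDefault`, `existsOrDefault` and `mkIfElse`, so evaluating `defaultModules` would fail with a missing-attribute error. If `defaultModules` is still referenced after the `mkNixosConfig` refactor, point `builtins.attrValues` at an attrset of modules — `nixos/modules/default.nix` in this same commit already has that shape (`{ mySystem = import ./nixos; }`); if nothing references it any more, delete the binding instead. The `nixosConfigurations` let-block continues outside this hunk.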
@@ -0,0 +1,24 @@
+{ inputs, ... }:
+
+with inputs.nixpkgs.lib;
+let
+ strToPath = x: path:
+ if builtins.typeOf x == "string"
+ then builtins.toPath ("${toString path}/${x}")
+ else x;
+ strToFile = x: path:
+ if builtins.typeOf x == "string"
+ then builtins.toPath ("${toString path}/${x}.nix")
+ else x;
+in
+rec {
+
+ firstOrDefault = first: default: if !isNull first then first else default;
+
+ existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
+
+ mkIfElse = p: yes: no: mkMerge [
+ (mkIf p yes)
+ (mkIf (!p) no)
+ ];
+}
diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix
index 9c91935..93114c0 100644
--- a/nixos/hosts/common/nixos/default.nix
+++ b/nixos/hosts/common/nixos/default.nix
@@ -8,7 +8,7 @@
 [
 # inputs.home-manager.nixosModules.home-manager
 #inputs.sops-nix.nixosModules.sops
- ./locale.nix
+ # ./locale.nix
 ./nix.nix
 # ./openssh.nix
 ./packages.nix
diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix
index 63631fa..f88927b 100644
--- a/nixos/hosts/rickenbacker/default.nix
+++ b/nixos/hosts/rickenbacker/default.nix
@@ -23,13 +23,19 @@
 ];
+ mySystem.services.openssh.enable = true;
+ mySystem.security.wheelNeedsSudoPassword = false;
+
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
+ boot.initrd.kernelModules = [ "amdgpu" ];
+
+ boot.plymouth.enable = true;
 networking.hostName = "rickenbacker"; # Define your hostname.
- # Enable OpenGL
+ # Enable OpenGL
 hardware.opengl = {
 enable = true;
 driSupport = true;
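Review bot: `strToPath` and `strToFile` are bound in the `let` but never referenced and not exported from the `rec { … }`, so they are dead code; either expose them in the returned attribute set or drop them. `firstOrDefault` also uses `isNull`, which Nix documents as deprecated; `firstOrDefault = first: default: if first != null then first else default;` reads the same and avoids the deprecation warning.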
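Review bot: `mySystem.security.wheelNeedsSudoPassword = false;` gives every wheel member passwordless root on a host that, two lines earlier, also turns on `mySystem.services.openssh.enable`, so a leaked or stolen wheel SSH key is root outright; the `common/nixos/openssh.nix` this replaces carried the same setting under a `# TODO remove this hack` comment, and moving it behind an option does not change the exposure. If the goal is key-backed sudo over SSH, `mySystem.security.sshAgentAuth.enable = true;` (which the new security module wires to `security.pam.enableSSHAgentAuth`) achieves that while keeping the password requirement; if the exception is deliberate, a one-line comment stating why this host needs it would help the next reader.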
@@ -37,39 +43,7 @@
 };
 # Load nvidia driver for Xorg and Wayland
- services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc.
-
- hardware.nvidia = {
-
- # Modesetting is required.
- modesetting.enable = true;
-
- # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
- # Enable this if you have graphical corruption issues or application crashes after waking
- # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
- # of just the bare essentials.
- powerManagement.enable = false;
-
- # Fine-grained power management. Turns off GPU when not in use.
- # Experimental and only works on modern Nvidia GPUs (Turing or newer).
- powerManagement.finegrained = false;
-
- # Use the NVidia open source kernel module (not to be confused with the
- # independent third-party "nouveau" open source driver).
- # Support is limited to the Turing and later architectures. Full list of
- # supported GPUs is at:
- # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
- # Only available from driver 515.43.04+
- # Currently alpha-quality/buggy, so false is currently the recommended setting.
- open = false;
-
- # Enable the Nvidia settings menu,
- # accessible via `nvidia-settings`.
- nvidiaSettings = true;
-
- # Optionally, you may need to select the appropriate driver version for your specific GPU.
- package = config.boot.kernelPackages.nvidiaPackages.stable;
- };
+ services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc.
 # Pick only one of the below networking options.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
diff --git a/nixos/modules/README.md b/nixos/modules/README.md
index fe8ab4a..59f655c 100644
--- a/nixos/modules/README.md
+++ b/nixos/modules/README.md
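Review bot: The trailing comment on the new line, `# or "nvidiaLegacy470 etc.`, was carried over from the nvidia line it replaces and no longer describes the value; `services.xserver.videoDrivers = [ "amdgpu" ];` is enough, and the `# Load nvidia driver for Xorg and Wayland` context comment just above it is stale for the same reason. The host module continues outside this hunk.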
@@ -1,14 +1,9 @@
-Profiles:
+## Modules
-Global: Settings for entire site - time local, chrony, timeservers, dns
-Role: What the role is of the device - graphical/server
-Hardware: Specifics of hardware (hw overlays, rpi4, etc)
-Host: Host-specific (services, user setup)
+A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
-nixos
-system
-locale
-time
-openssh
-fish
-chrony
+The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
+
+This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
+
+I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
new file mode 100644
index 0000000..8d1b7d9
--- /dev/null
+++ b/nixos/modules/default.nix
@@ -0,0 +1,5 @@
+{
+
+ mySystem = import ./nixos;
+
+}
diff --git a/nixos/modules/nixos/system/defaut.nix b/nixos/modules/nixos/system/default.nix
similarity index 54%
rename from nixos/modules/nixos/system/defaut.nix
rename to nixos/modules/nixos/system/default.nix
index 4619942..933dabe 100644
--- a/nixos/modules/nixos/system/defaut.nix
+++ b/nixos/modules/nixos/system/default.nix
@@ -1,5 +1,7 @@
 {
 imports = [
 ./openssh.nix
+ ./time.nix
+ ./security.nix
 ];
 }
diff --git a/nixos/modules/nixos/system/locale.nix b/nixos/modules/nixos/system/locale.nix
deleted file mode 100644
index a96135a..0000000
--- a/nixos/modules/nixos/system/locale.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ lib, ... }: {
- i18n = {
- defaultLocale = lib.mkDefault "en_US.UTF-8";
- };
- time.timeZone = lib.mkDefault "Australia/Melbourne";
-}
diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix
index 0ded042..592c3ea 100644
--- a/nixos/modules/nixos/system/openssh.nix
+++ b/nixos/modules/nixos/system/openssh.nix
@@ -1,25 +1,41 @@
 { lib
 , config
+, self
 , ...
 }:
+with lib;
 let
- cfg = config.modules.services.openssh;
+ cfg = config.mySystem.services.openssh;
 in
 {
- options.modules.services.openssh = {
- enable = lib.mkEnableOption "openssh";
+ options.mySystem.services.openssh = {
+ enable = mkEnableOption "openssh";
+ passwordAuthentication = mkOption
+ {
+ type = lib.types.bool;
+ description = "If password can be accepted for ssh (commonly disable for security hardening)";
+ default = false;
+
+ };
+ permitRootLogin = mkOption
+ {
+ type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
+ description = "If root can login via ssh (commonly disable for security hardening)";
+ default = "no";
+
+ };
 };
- config = lib.mkIf cfg.enable {
+ config = mkIf cfg.enable {
 services.openssh = {
 enable = true;
 # TODO: Enable this when option becomes available
 # Don't allow home-directory authorized_keys
- # authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+ # authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
 settings = {
 # Harden
- PasswordAuthentication = false;
- PermitRootLogin = "no";
+ PasswordAuthentication = cfg.passwordAuthentication;
+ PermitRootLogin = cfg.permitRootLogin;
 # Automatically remove stale sockets
 StreamLocalBindUnlink = "yes";
 # Allow forwarding ports to everywhere
@@ -27,14 +43,5 @@ in
 };
 };
- # Passwordless sudo when SSH'ing with keys
- security.pam.enableSSHAgentAuth = true;
- # TODO: Enable this when option becomes available
- # security.pam.sshAgentAuth = {
- # enable = true;
- # authorizedKeysFiles = [
- # "/etc/ssh/authorized_keys.d/%u"
- # ];
- # };
 };
 }
diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix
new file mode 100644
index 0000000..bd9b9df
--- /dev/null
+++ b/nixos/modules/nixos/system/security.nix
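Review bot: `, self` is added to the module's argument set but is not used anywhere in the file; the module system only supplies the arguments it knows about plus whatever `specialArgs` carries, and nothing on this page shows `self` being passed that way, so this presumably fails evaluation with an unknown-argument error and should be dropped. Under `with lib;` the two new options mix `lib.types.bool` and `types.enum`; use one form, e.g. `type = types.bool;`. The `permitRootLogin` enum also offers `"without-password"`, which sshd treats as a deprecated alias of `"prohibit-password"`; listing only the current spelling avoids two names for one behaviour. The module's closing braces are in the second hunk.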
@@ -0,0 +1,26 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.mySystem.security;
+in
+{
+ options.mySystem.security.sshAgentAuth = {
+ enable = lib.mkEnableOption "openssh";
+ };
+ options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
+ type = lib.types.bool;
+ description = "If wheel group users need password for sudo";
+ default = true;
+ };
+
+ config =
+ {
+ security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
+ security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
+
+ };
+
+
+}
diff --git a/nixos/modules/nixos/system/time.nix b/nixos/modules/nixos/system/time.nix
new file mode 100644
index 0000000..0f3c7a2
--- /dev/null
+++ b/nixos/modules/nixos/system/time.nix
@@ -0,0 +1,25 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.mySystem.time;
+in
+{
+ options.mySystem.time = {
+ timeZone = lib.mkOption {
+ type = lib.types.str;
+ description = "Timezone of system";
+ default = "Australia/Melbourne";
+ };
+ hwClockLocalTime = lib.mkOption {
+ type = lib.types.bool;
+ description = "If hardware clock is set to local time (useful for windows dual boot)";
+ default = false;
+ };
+ };
+ config = {
+ time.timeZone = cfg.timeZone;
+ time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
+ };
+}
diff --git a/nixos/profiles/README.md b/nixos/profiles/README.md
new file mode 100644
index 0000000..ab3717d
--- /dev/null
+++ b/nixos/profiles/README.md
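Review bot: `security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;` can only ever set `true`: when the option is `false` the `mkIf` contributes nothing and the NixOS default (`true`) stays, so a host setting `wheelNeedsSudoPassword = false` gets no change; the same pattern on `enableSSHAgentAuth` is harmless only because that option defaults to `false`. A plain `security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;` and `security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;` pass the values through. Separately, `enable = lib.mkEnableOption "openssh";` under `sshAgentAuth` generates the description "Whether to enable openssh.", which labels the wrong thing — `lib.mkEnableOption "SSH agent authentication for PAM (sudo via a forwarded agent key)"` would describe it — and the `wheelNeedsSudoPassword` description should spell out that `false` means passwordless root for every wheel member, since that is the dangerous direction.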
@@ -0,0 +1,19 @@
+## Profiles
+
+Here is the profiles that each host picks from to build up a system.
+
+My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
+Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
+
+## Global
+
+Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
+
+## Hardware
+
+Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
+
+## Role
+
+The role the machine have. Machines may have multiple roles
+i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.
diff --git a/nixos/profiles/default.nix b/nixos/profiles/default.nix
new file mode 100644
index 0000000..4e4914c
--- /dev/null
+++ b/nixos/profiles/default.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+{
+ imports = [
+ ./global.nix
+ # ./desktop.nix
+ # ./development.nix
+ # ./extended.nix
+ ];
+
+
+}
+
diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix
new file mode 100644
index 0000000..ea809c1
--- /dev/null
+++ b/nixos/profiles/global.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let cfg = config.mySystem.profiles.global;
+in
+{
+ options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; };
+
+ config = mkIf cfg.enable
+ {
+ mySystem.time.timeZone = "Australia/Melbourne";
+
+ i18n = {
+ defaultLocale = lib.mkDefault "en_AU.UTF-8";
+ };
+ };
+}
From 85e8b4774d3d05ead05e2837c91d594d55c71f0c Mon Sep 17 00:00:00 2001
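Review bot: `mySystem.time.timeZone = "Australia/Melbourne";` is set at normal priority, so a host that sets `mySystem.time.timeZone` itself will get a conflicting-definition error instead of overriding the profile, which contradicts the profiles README's stated intent that profile values _can_ be overridden; `i18n.defaultLocale` in the same block already uses `lib.mkDefault`. Use `mySystem.time.timeZone = mkDefault "Australia/Melbourne";` — or drop the line, since `time.nix` in this commit already defaults the option to that value.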
From: Truxnell <9149206+truxnell@users.noreply.github.com>
Date: Sun, 24 Mar 2024 18:50:38 +1100
Subject: [PATCH 08/28] fix: wheelsudo
---
 README.md | 15 +++++++++++++++
 nixos/modules/nixos/system/security.nix | 4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index da70126..f7ab5b2 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,21 @@ cd ~/dotfiles
 nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo
 ```
+## Hacking at nix files
+
+Eval config to see what keys are being set.
+
+```bash
+nix eval .#nixosConfigurations.rickenbacker.config.security.sudo.WheelNeedsPassword
+nix eval .#nixosConfigurations.rickenbacker.config.mySystem.security.wheelNeedsPassword
+```
+
+Quickly run a flake to see what the next error message is as you hack.
+
+```bash
+nixos-rebuild dry-run --flake . --fast --impure
+```
+
 ## Links & References
 - [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)
diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix
index bd9b9df..1ad617e 100644
--- a/nixos/modules/nixos/system/security.nix
+++ b/nixos/modules/nixos/system/security.nix
@@ -17,8 +17,8 @@ in
 config =
 {
- security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
- security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
+ security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;
+ security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
 };
From ca7d1c7a2ba6a4d6e9a4dce37c28147f8ff72507 Mon Sep 17 00:00:00 2001
From: Truxnell <9149206+truxnell@users.noreply.github.com>
Date: Sun, 24 Mar 2024 23:21:13 +1100
Subject: [PATCH 09/28] feat: continued refactor
---
 flake.nix | 100 ++++----------
 nixos/hosts/common/nixos/auto-upgrade.nix | 20 ---
 nixos/hosts/common/nixos/default.nix | 71 ----------
 nixos/hosts/common/nixos/locale.nix | 6 -
 nixos/hosts/common/nixos/nix.nix | 50 -------
 nixos/hosts/common/nixos/openssh.nix | 27 ----
 nixos/hosts/common/nixos/packages.nix | 31 -----
 nixos/hosts/common/optional/sops-nix.nix | 10 --
 nixos/hosts/dns01/default.nix | 1 -
 nixos/hosts/nixosvm/default.nix | 105 ---------------
 .../hosts/nixosvm/hardware-configuration.nix | 40 ------
 nixos/hosts/rickenbacker/default.nix | 118 +++-------------
 .../rickenbacker/hardware-configuration.nix | 38 ------
 nixos/modules/nixos/system/security.nix | 25 +++-
 nixos/profiles/default.nix | 13 --
 nixos/profiles/global.nix | 126 ++++++++++++++++--
 nixos/profiles/hw-thinkpad-e14-amd.nix | 22 +++
 nixos/profiles/role-worstation.nix | 25 ++++
 18 files changed, 231 insertions(+), 597 deletions(-)
 delete mode 100644 nixos/hosts/common/nixos/auto-upgrade.nix
 delete mode 100644 nixos/hosts/common/nixos/default.nix
 delete mode 100644 nixos/hosts/common/nixos/locale.nix
 delete mode 100644 nixos/hosts/common/nixos/nix.nix
 delete mode 100644 nixos/hosts/common/nixos/openssh.nix
 delete mode 100644 nixos/hosts/common/nixos/packages.nix
 delete mode 100644 nixos/hosts/common/optional/sops-nix.nix
 delete mode 100644 nixos/hosts/nixosvm/default.nix
 delete mode 100644 nixos/hosts/nixosvm/hardware-configuration.nix
 delete mode 100644 nixos/hosts/rickenbacker/hardware-configuration.nix
 delete mode 100644 nixos/profiles/default.nix
 create mode 100644 nixos/profiles/hw-thinkpad-e14-amd.nix
 create mode 100644 nixos/profiles/role-worstation.nix
diff --git a/flake.nix b/flake.nix
index 8f39fd5..a70cae1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,14 +48,14 @@
 # Use nixpkgs-fmt for 'nix fmt'
 formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
+ nixosModules = import ./nixos/modules/nixos;
 lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
-
 nixosConfigurations =
 with self.lib;
 let
 defaultModules =
- (builtins.attrValues lib.nixosModules) ++
+ (builtins.attrValues nixosModules) ++
 [
 sops-nix.nixosModules.sops
 ];
@@ -69,11 +69,11 @@
 { hostname
 , system ? "x86_64-linux"
 , nixpkgs ? inputs.nixpkgs
- , hardwareModules
+ , hardwareModules ? [ ]
 , baseModules ? [
- ./nixos/modules/nixos
- ./nixos/profiles
 sops-nix.nixosModules.sops
+ ./nixos/profiles/global.nix
+ ./nixos/modules/nixos
 ./nixos/hosts/${hostname}
 ]
 , extraModules ? [ ]
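Review bot: `nixosModules = import ./nixos/modules/nixos;` evaluates to the single module `{ imports = [ ./system ]; }` (the `default.nix` added in PATCH 01), so `builtins.attrValues nixosModules` in `defaultModules` yields `[ [ ./system ] ]` — a nested list inside `modules`, which the module system rejects if anything still evaluates `defaultModules` — and the `nixosModules` flake output is not the attrset-of-modules shape `nix flake check` expects. `nixos/modules/default.nix` already has the right shape (`{ mySystem = import ./nixos; }`), so `nixosModules = import ./nixos/modules;` fixes both; alternatively delete `defaultModules` if nothing references it now that hosts go through `mkNixosConfig`'s `baseModules`. The `nixosConfigurations` let-block continues outside this hunk.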
@@ -85,104 +85,52 @@
 };
 in
 {
- nixosvm = nixpkgs.lib.nixosSystem {
- inherit specialArgs;
- system = "x86_64-linux";
- modules = defaultModules ++ [
- ./nixos/hosts/nixosvm
- ];
- };
-
- # rickenbacker = nixpkgs.lib.nixosSystem {
- # inherit specialArgs;
- # system = "x86_64-linux";
- # modules = defaultModules ++ [
- # ./nixos/hosts/rickenbacker
- # ];
- # };
 "rickenbacker" = mkNixosConfig {
 hostname = "rickenbacker";
 system = "x86_64-linux";
 hardwareModules = [
- # ./modules/hardware/phil.nix
-
- ];
- extraModules = [
- # ./profiles/personal.nix
+ ./nixos/profiles/hw-thinkpad-e14-amd.nix
+ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd
 ];
 };
 "citadel" = mkNixosConfig {
 hostname = "citadel";
 system = "x86_64-linux";
- hardwareModules = [
- # ./modules/hardware/phil.nix
-
- ];
- extraModules = [
- # ./profiles/personal.nix
- ];
 };
- # "kclejeune@aarch64-linux" = mkNixosConfig {
- # system = "aarch64-linux";
- # hardwareModules = [./modules/hardware/phil.nix];
- # extraModules = [./profiles/personal.nix];
- # };
-
-
- dns01 = nixpkgs.lib.nixosSystem {
- inherit specialArgs;
- system = "aarch64-linux";
- modules = defaultModules ++ [
- ./nixos/hosts/dns01
- ];
+ "dns01" = mkNixosConfig {
+ hostname = "dns01";
+ system = "x86_64-linux";
 };
- # dns02 = nixpkgs.lib.nixosSystem {
+
+ # # nix build .#images.rpi4
+ # rpi4 = nixpkgs.lib.nixosSystem {
 # inherit specialArgs;
- # system = "aarch64-linux";
+
 # modules = defaultModules ++ [
- # ./nixos/hosts/dns02
+ # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+ # ./nixos/hosts/images/sd-image
 # ];
 # };
-
- # isoimage = nixpkgs.lib.nixosSystem {
- # system = "x86_64-linux";
+ # # nix build .#images.iso
+ # iso = nixpkgs.lib.nixosSystem {
 # inherit specialArgs;
+
 # modules = defaultModules ++ [
- # "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix"
- # { isoImage.squashfsCompression = "gzip -Xcompression-level 1"; }
- # ./nixos/iso
+ #
"${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" + # "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix" + # ./nixos/hosts/images/cd-dvd # ]; # }; - - # nix build .#images.rpi4 - rpi4 = nixpkgs.lib.nixosSystem { - inherit specialArgs; - - modules = defaultModules ++ [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - ./nixos/hosts/images/sd-image - ]; - }; - # nix build .#images.iso - iso = nixpkgs.lib.nixosSystem { - inherit specialArgs; - - modules = defaultModules ++ [ - "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" - "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix" - ./nixos/hosts/images/cd-dvd - ]; - }; }; # simple shortcut to allow for easier referencing of correct # key for building images # > nix build .#images.rpi4 - images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage; - images.iso = nixosConfigurations.iso.config.system.build.isoImage; + # images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage; + # images.iso = nixosConfigurations.iso.config.system.build.isoImage; # deploy-rs deploy.nodes = diff --git a/nixos/hosts/common/nixos/auto-upgrade.nix b/nixos/hosts/common/nixos/auto-upgrade.nix deleted file mode 100644 index 3f04099..0000000 --- a/nixos/hosts/common/nixos/auto-upgrade.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config -, inputs -, ... -}: -let - inherit (config.networking) hostName; - # Only enable auto upgrade if current config came from a clean tree - # This avoids accidental auto-upgrades when working locally. - isClean = inputs.self ? rev; -in -{ - system.autoUpgrade = { - enable = isClean; - dates = "hourly"; - flags = [ - "--refresh" - ]; - flake = "github:truxnell/nix-config"; - }; -} diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix deleted file mode 100644 index 93114c0..0000000 --- a/nixos/hosts/common/nixos/default.nix +++ /dev/null 
@@ -1,71 +0,0 @@
-{ inputs
-, outputs
-, config
-, sops-nix
-, ...
-}: {
- imports =
- [
- # inputs.home-manager.nixosModules.home-manager
- #inputs.sops-nix.nixosModules.sops
- # ./locale.nix
- ./nix.nix
- # ./openssh.nix
- ./packages.nix
- ]
- ++ (builtins.attrValues { });
-
- # home-manager.extraSpecialArgs = { inherit inputs outputs; }; TODO Home-manager
-
- nixpkgs = {
- # Configure your nixpkgs instance
- config = {
- # Disable if you don't want unfree packages
- allowUnfree = true;
- };
- };
-
- # TODO Shared sops location, probably in home-manager?
- # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-
- # Increase open file limit for sudoers
- security.pam.loginLimits = [
- {
- domain = "@wheel";
- item = "nofile";
- type = "soft";
- value = "524288";
- }
- {
- domain = "@wheel";
- item = "nofile";
- type = "hard";
- value = "1048576";
- }
- ];
-
- # sops.secrets.msmtp = {
- # sopsFile = ./secret.sops.yaml;
- # }
-
- # # TODO Email settings
- # programs.msmtp = {
- # enable = true;
- # accounts.default = {
- # host = "maddy.home.tld";
- # from = "${config.networking.hostName}@trux.dev";
- # };
- # defaults = {
- # aliases = "/etc/aliases";
- # };
- # };
-
- environment.etc = {
- "aliases" = {
- text = ''
- root: ${config.networking.hostName}@trux.dev
- '';
- mode = "0644";
- };
- };
-}
diff --git a/nixos/hosts/common/nixos/locale.nix b/nixos/hosts/common/nixos/locale.nix
deleted file mode 100644
index a96135a..0000000
--- a/nixos/hosts/common/nixos/locale.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ lib, ... }: {
- i18n = {
- defaultLocale = lib.mkDefault "en_US.UTF-8";
- };
- time.timeZone = lib.mkDefault "Australia/Melbourne";
-}
diff --git a/nixos/hosts/common/nixos/nix.nix b/nixos/hosts/common/nixos/nix.nix
deleted file mode 100644
index eb09966..0000000
--- a/nixos/hosts/common/nixos/nix.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ inputs
-, lib
-, pkgs
-, config
-, ...
-}: {
- nix = {
- settings = {
- experimental-features = [ "nix-command" "flakes" ];
- substituters = [
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- trusted-users = [ "root" "@wheel" ];
- auto-optimise-store = lib.mkDefault true;
- warn-dirty = false;
-
- };
-
- gc = {
- automatic = true;
- dates = "weekly";
- # Delete older generations too
- options = "--delete-older-than 5d";
- };
- };
-
- # This will add each flake input as a registry
- # To make nix3 commands consistent with your flake
- nix.registry = (lib.mapAttrs (_: flake: { inherit flake; })) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
-
- # This will additionally add your inputs to the system's legacy channels
- # Making legacy nix commands consistent as well, awesome!
- nix.nixPath = [ "/etc/nix/path" ];
- environment.etc =
- lib.mapAttrs'
- (name: value: {
- name = "nix/path/${name}";
- value.source = value.flake;
- })
- config.nix.registry;
-
- # Enable printing changes on nix build etc with nvd
- system.activationScripts.report-changes = ''
- PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
- nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
- '';
-}
diff --git a/nixos/hosts/common/nixos/openssh.nix b/nixos/hosts/common/nixos/openssh.nix
deleted file mode 100644
index b852733..0000000
--- a/nixos/hosts/common/nixos/openssh.nix
+++ /dev/null
@@ -1,27 +0,0 @@ -{... -}: - -{ - - services.openssh = { - enable = true; - settings = { - # Harden - PasswordAuthentication = false; - PermitRootLogin = "no"; - # Automatically remove stale sockets - StreamLocalBindUnlink = "yes"; - # Allow forwarding ports to everywhere - GatewayPorts = "clientspecified"; - # Don't allow home-directory authorized_keys - # authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; - }; - }; - - # TODO fix pam, wheel no pass is a bit of a hack - # security.pam.enableSSHAgentAuth = true; - - # TODO remove this hack - security.sudo.wheelNeedsPassword = false; - -} diff --git a/nixos/hosts/common/nixos/packages.nix b/nixos/hosts/common/nixos/packages.nix deleted file mode 100644 index c0c556c..0000000 --- a/nixos/hosts/common/nixos/packages.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: { - environment.systemPackages = with pkgs; [ - bat - jq - yq - btop - neovim - vim - git - dnsutils - nvd - gh - nix - - # TODO Move - nil - nixpkgs-fmt - statix - ]; - - programs.direnv = { - # TODO move to home-manager - enable = true; - nix-direnv.enable = true; - }; - programs.mtr.enable = true; -} diff --git a/nixos/hosts/common/optional/sops-nix.nix b/nixos/hosts/common/optional/sops-nix.nix deleted file mode 100644 index d06a35a..0000000 --- a/nixos/hosts/common/optional/sops-nix.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ inputs -, outputs -, config -, ... -}: { - # SOPS settings - # https://github.com/Mic92/sops-nix - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; -} diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index 5c41b53..0f8a191 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix @@ -11,7 +11,6 @@ ./hardware-configuration.nix # Common imports - ../common/nixos ../common/nixos/users/truxnell ../common/optional/fish.nix ../common/optional/monitoring.nix 
diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix deleted file mode 100644 index 6901270..0000000 --- a/nixos/hosts/nixosvm/default.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config -, lib -, pkgs -, ... -}: { - imports = [ - # Host-specific - ./hardware-configuration.nix - - # Common imports - ../common/nixos - ../common/nixos/users/truxnell - ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix - ../common/optional/gnome.nix - ../common/optional/editors/vscode - ../common/optional/firefox.nix - ../common/optional/sops-nix.nix - - ]; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation - - networking.hostName = "nixosvm"; # Define your hostname. - - modules.services.openssh = true; - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). 
- # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/nixos/hosts/nixosvm/hardware-configuration.nix b/nixos/hosts/nixosvm/hardware-configuration.nix deleted file mode 100644 index b54e6cf..0000000 --- a/nixos/hosts/nixosvm/hardware-configuration.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config -, lib -, pkgs -, modulesPath -, ... -}: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - }; - - swapDevices = [{ device = "/dev/sda2"; }]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens33.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - virtualisation.vmware.guest.enable = true; - virtualisation.virtualbox.guest.enable = true; - virtualisation.virtualbox.guest.x11 = true; -} diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index f88927b..fcac0e4 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix 
@@ -1,119 +1,43 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { config , lib , pkgs , ... }: { + + # hardware-configuration.nix is missing as I've abstracted out the parts + # into various areas like my global/hardware profiles, etc. imports = [ - # Host-specific - ./hardware-configuration.nix # Common imports - ../common/nixos ../common/nixos/users/truxnell ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix ../common/optional/gnome.nix ../common/optional/editors/vscode ../common/optional/firefox.nix - ../common/optional/sops-nix.nix ]; - - mySystem.services.openssh.enable = true; - mySystem.security.wheelNeedsSudoPassword = false; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation - boot.initrd.kernelModules = [ "amdgpu" ]; - - boot.plymouth.enable = true; - - networking.hostName = "rickenbacker"; # Define your hostname. - - # Enable OpenGL - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; + config.mySystem = { + services.openssh.enable = true; + security.wheelNeedsSudoPassword = false; }; - # Load nvidia driver for Xorg and Wayland - services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc. + # TODO build this in from flake host names + config.networking.hostName = "rickenbacker"; - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. 
+ config = { - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + fileSystems."/" = + { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/44D0-91EC"; + fsType = "vfat"; + }; - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. 
- # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? + swapDevices = [ ]; + }; } diff --git a/nixos/hosts/rickenbacker/hardware-configuration.nix b/nixos/hosts/rickenbacker/hardware-configuration.nix deleted file mode 100644 index 3e84390..0000000 --- a/nixos/hosts/rickenbacker/hardware-configuration.nix +++ /dev/null 
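Review bot: `fileSystems."/"` in the new `config = { … }` block points at `/dev/disk/by-label/nixos`, but the rickenbacker hardware-configuration.nix deleted in the next hunk mounted `/` by `/dev/disk/by-uuid/fe728106-aaf8-46e6-ab46-1610f1f4398a`; unless that filesystem really carries the label `nixos`, the host will not find its root at boot, so keep the by-uuid device (as the `/boot` entry still does) or state the relabel in the comment. Style: `config.mySystem = { … }` and `config.networking.hostName = …` sit beside a separate `config = { … }` block; Nix merges these, but folding all three into the one `config = { … }` block makes the structure obvious at a glance. The dns01 hunk earlier in this patch drops the same `../common/nixos` import, whose deleted contents (nix settings, packages, locale, wheel loginLimits) this series moves into nixos/profiles/global.nix; that is only safe if dns01 is also given the global profile, which is not visible in this diff.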
@@ -1,38 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/fe728106-aaf8-46e6-ab46-1610f1f4398a"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/44D0-91EC"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix index 1ad617e..69bb1a2 100644 --- a/nixos/modules/nixos/system/security.nix +++ b/nixos/modules/nixos/system/security.nix @@ -2,6 +2,7 @@ , config , ... }: +with lib; let cfg = config.mySystem.security; in 
@@ -14,13 +15,33 @@ in description = "If wheel group users need password for sudo"; default = true; }; + options.mySystem.security.increaseWheelLoginLimits = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users receive increased login limits"; + default = true; + }; config = { - security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; + security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; + + # Increase open file limit for sudoers + security.pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ + { + domain = "@wheel"; + item = "nofile"; + type = "soft"; + value = "524288"; + } + { + domain = "@wheel"; + item = "nofile"; + type = "hard"; + value = "1048576"; + } + ]; }; - } diff --git a/nixos/profiles/default.nix b/nixos/profiles/default.nix deleted file mode 100644 index 4e4914c..0000000 --- a/nixos/profiles/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -{ - imports = [ - ./global.nix - # ./desktop.nix - # ./development.nix - # ./extended.nix - ]; - - -} - diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index ea809c1..8be3570 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix 
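Review bot: The `increaseWheelLoginLimits` option added at the top of the hunk is written with `lib.mkOption`/`lib.types.bool`, while the `security.pam.loginLimits` assignment below relies on the bare `mkIf` made available by the `with lib;` added in the preceding hunk; the file should use one form consistently, and since the existing options in the context lines use the `lib.` prefix, `lib.mkIf` is the smaller change. `default = true` keeps the limits that the deleted common/nixos/default.nix applied unconditionally, which is worth saying in the option itself, e.g. `description = "Raise the nofile limits for @wheel (524288 soft / 1048576 hard); on by default, matching the old common config";`. Swapping the order of `security.sudo.wheelNeedsPassword` and `security.pam.enableSSHAgentAuth` is churn that only makes the diff harder to read.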
@@ -1,17 +1,123 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, imports, modulesPath, ... }: with lib; -let cfg = config.mySystem.profiles.global; -in { - options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; }; + # Generated by nixos-config-generate + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - config = mkIf cfg.enable - { - mySystem.time.timeZone = "Australia/Melbourne"; + mySystem = { - i18n = { - defaultLocale = lib.mkDefault "en_AU.UTF-8"; - }; + # basics for all devices + time.timeZone = "Australia/Melbourne"; + security.increaseWheelLoginLimits = true; + }; + + i18n = { + defaultLocale = lib.mkDefault "en_AU.UTF-8"; + }; + + # TODO refactor this shit out wow + nix = { + settings = { + trusted-substituters = [ + "https://nix-community.cachix.org" + "https://numtide.cachix.org" + ]; + + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + ]; + + trusted-users = [ "root" "@wheel" ]; + + # hardlink duplicates of builds + auto-optimise-store = lib.mkDefault true; + + + + # Fallback quickly if substituters are not available. + connect-timeout = 5; + + # Enable flakes + experimental-features = [ + "nix-command" + "flakes" + ]; + + warn-dirty = false; + + # The default at 10 is rarely enough. 
+ log-lines = lib.mkDefault 25; + + # Avoid copying unnecessary stuff over SSH + builders-use-substitutes = true; }; + + # automatically garbage collect nix store + gc = { + # garbage collection + automatic = true; + options = "--delete-older-than 30d"; + persistent = true; + }; + + }; + + # SOPS settings + # https://github.com/Mic92/sops-nix + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + + nixpkgs = { + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + }; + }; + + system = { + # Enable printing changes on nix build etc with nvd + activationScripts.report-changes = '' + PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} + nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) + ''; + # Do not change unless you know what you are doing + stateVersion = "23.11"; # THERE BE DRAGONS + }; + + networking.useDHCP = lib.mkDefault true; + + environment.systemPackages = with pkgs; [ + jq + yq + btop + vim + git + dnsutils + nix + + # TODO Move + nil + nixpkgs-fmt + statix + nvd + gh + ]; + + programs.direnv = { + # TODO move to home-manager + enable = true; + nix-direnv.enable = true; + }; + programs.mtr.enable = true; + } + + + diff --git a/nixos/profiles/hw-thinkpad-e14-amd.nix b/nixos/profiles/hw-thinkpad-e14-amd.nix new file mode 100644 index 0000000..2c2244b --- /dev/null +++ b/nixos/profiles/hw-thinkpad-e14-amd.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, imports, boot, ... }: + +with lib; +{ + boot = { + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + initrd.kernelModules = [ "amdgpu" ]; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + # set xserver videodrivers if used + services.xserver.videoDrivers = [ "amdgpu" ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + +} 
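Review bot: `nix.settings.trusted-substituters` in the new `nix = { settings = … }` block only whitelists caches that unprivileged users may request; it does not enable them, so root and the daemon will not pull from nix-community or numtide unless they are also listed in `nix.settings.substituters`, which the deleted common/nixos/nix.nix did set (`substituters = [ "https://nix-community.cachix.org" ]`). Unless opt-in is intended, add `substituters = [ "https://nix-community.cachix.org" "https://numtide.cachix.org" ];` next to the keys, and apply the same fix to the copies of this block in nixos/modules/nixos/system/nix.nix and nixos/profiles/global/nix.nix in patches 11 and 12 below. `trusted-users = [ "root" "@wheel" ]` lets any wheel member override daemon settings and add substituters, which is effectively root-equivalent; a comment such as `# wheel members are root-equivalent to the nix daemon; keep this group tight` makes that trust decision explicit. The new header takes an `imports` argument that is never read (the module system resolves unknown arguments lazily, so this only works because nothing forces it); drop it, and likewise the unused `imports` and `boot` arguments in the hw-thinkpad-e14-amd.nix and role-worstation.nix files below. `mySystem.security.increaseWheelLoginLimits = true;` merely restates that option's default.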
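Review bot: `with lib;` at the top of hw-thinkpad-e14-amd.nix is unused — the only lib reference, `lib.mkDefault "x86_64-linux"`, is fully qualified — so either remove the `with` or write `mkDefault`. The `initrd.availableKernelModules`, `kvm-amd` and `initrd.kernelModules = [ "amdgpu" ]` values match the rickenbacker hardware-configuration.nix deleted earlier in this patch; record that provenance so the next person knows where to regenerate them from, e.g. `# Copied from nixos-generate-config output on rickenbacker; regenerate if the hardware changes`.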
diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix new file mode 100644 index 0000000..c0194bc --- /dev/null +++ b/nixos/profiles/role-worstation.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, imports, boot, ... }: +# Role for workstations +# Covers desktops/laptops, expected to have a GUI and do worloads +# Will have home-manager installs + +with lib; +{ + boot = { + + binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation + plymouth.enable = true; + }; + + nix.settings = { + # TODO factor out into mySystem + # Avoid disk full issues + max-free = lib.mkDefault (1000 * 1000 * 1000); + min-free = lib.mkDefault (128 * 1000 * 1000); + }; + + + + + +} From 17247bbb0d68bf3d13965a76b10b6081ab28a323 Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Sun, 24 Mar 2024 23:21:41 +1100 Subject: [PATCH 10/28] chore: why not --- nixos/hosts/common/nixos/users/truxnell/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/hosts/common/nixos/users/truxnell/default.nix b/nixos/hosts/common/nixos/users/truxnell/default.nix index b6ec4d4..7d536ab 100644 --- a/nixos/hosts/common/nixos/users/truxnell/default.nix +++ b/nixos/hosts/common/nixos/users/truxnell/default.nix @@ -18,6 +18,7 @@ in ++ ifTheyExist [ "network" "samba-users" + "docker" ]; openssh.authorizedKeys.keys = [ From f7895a7b5a09b9f5aa8636e5c5eff7866eaadbab Mon Sep 17 00:00:00 2001 
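Review bot: The file name `role-worstation.nix` and the header comment `do worloads` both drop letters; the comment is a one-word fix (`workloads`), and renaming the file to `role-workstation.nix` needs the flake.nix reference added in patch 11 below updated at the same time. The `max-free`/`min-free` settings carry a `TODO factor out into mySystem` comment but no explanation of the chosen sizes; `# keep ~1 GB free: GC when below 128 MB, stop once 1 GB is freed` would document the intent.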
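Review bot: Adding `"docker"` to this user's extra groups grants root-equivalent access through the docker socket, and the surrounding `ifTheyExist [` wrapper (presumably skipping groups absent on a host) does not reduce that on hosts where the group exists. Since this user file is shared by every host, a comment makes the trust decision visible: `"docker" # NOTE: docker group is root-equivalent via the socket; acceptable only for the primary interactive user`.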
From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 09:23:35 +1100 Subject: [PATCH 11/28] chore: continued refactor --- flake.nix | 8 ++- nixos/modules/nixos/system/nix.nix | 81 +++++++++++++++++++++++++ nixos/profiles/global.nix | 54 +++-------------- nixos/profiles/global/nix.nix | 84 ++++++++++++++++++++++++++ nixos/profiles/hw-thinkpad-e14-amd.nix | 5 +- nixos/profiles/role-worstation.nix | 7 ++- 6 files changed, 189 insertions(+), 50 deletions(-) create mode 100644 nixos/modules/nixos/system/nix.nix create mode 100644 nixos/profiles/global/nix.nix diff --git a/flake.nix b/flake.nix index a70cae1..9f496f6 100644 --- a/flake.nix +++ b/flake.nix @@ -76,11 +76,11 @@ ./nixos/modules/nixos ./nixos/hosts/${hostname} ] - , extraModules ? [ ] + , profileModules ? [ ] }: nixpkgs.lib.nixosSystem { inherit system; - modules = baseModules ++ hardwareModules ++ extraModules; + modules = baseModules ++ hardwareModules ++ profileModules; specialArgs = { inherit self inputs nixpkgs; }; }; in @@ -93,6 +93,10 @@ ./nixos/profiles/hw-thinkpad-e14-amd.nix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd ]; + profileModules = [ + ./nixos/profiles/role-worstation.nix + + ]; }; "citadel" = mkNixosConfig { diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix new file mode 100644 index 0000000..f75c7e1 --- /dev/null +++ b/nixos/modules/nixos/system/nix.nix 
@@ -0,0 +1,81 @@
+{ lib
+, config
+, self
+, ...
+}:
+with lib;
+let
+ cfg = config.mySystem.nix;
+in
+{
+ options.mySystem.nix = {
+ autoOptimiseStore = mkOption
+ {
+ type = lib.types.bool;
+ description = "If we want to auto optimise store";
+ default = true;
+
+ };
+ gc = {
+ enabled = mkEnableOption "automatic garbage collection" // {
+ default = true;
+ };
+ persistent = mkOption
+ {
+ type = lib.types.bool;
+ description = "Persistent timer for gc, runs at startup if timer missed";
+ default = true;
+
+ };
+ };
+
+ };
+
+ nix = {
+ settings = {
+ # Enable flakes
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ # Substitutions
+ trusted-substituters = [
+ "https://nix-community.cachix.org"
+ "https://numtide.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+ ];
+
+ # Fallback quickly if substituters are not available.
+ connect-timeout = 5;
+ # Avoid copying unnecessary stuff over SSH
+ builders-use-substitutes = true;
+
+
+ trusted-users = [ "root" "@wheel" ];
+
+ warn-dirty = false;
+
+ # The default at 10 is rarely enough.
+ log-lines = lib.mkDefault 25;
+
+ };
+
+ optimise.automatic = cfg.autoOptimiseStore;
+
+ # automatically garbage collect nix store
+ gc = mkIf cfg.gc.enabled {
+ # garbage collection
+ automatic = cfg.gc.enabled;
+ options = "--delete-older-than 30d";
+ persistent = cfg.gc.persistent;
+ };
+
+ };
+
+
+}
diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix
index 8be3570..be82a63 100644
--- a/nixos/profiles/global.nix
+++ b/nixos/profiles/global.nix
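Review bot: This module declares `options.mySystem.nix` at the top level and then places `nix = { … }` beside it instead of under `config`; the module system rejects that combination (once a module has a top-level `options` or `config` attribute, any other attribute apart from `imports`, `meta`, `key` and `_file` is reported as unsupported), so evaluation fails before any host builds. Wrap the settings as `config.nix = { … };`, the shape security.nix uses in the hunk above with its `config = {` block. Patch 12 below trims this file but keeps the same top-level `nix = {`, so the fix applies there as well. `gc = mkIf cfg.gc.enabled { automatic = cfg.gc.enabled; … }` is redundant — `automatic = cfg.gc.enabled` on its own already disables the timer — and the `self` argument is unused. The option is named `gc.enabled` while the rest of the tree uses `enable` (`mySystem.services.openssh.enable`); renaming it keeps the option namespace uniform.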
@@ -2,10 +2,18 @@ with lib; { + # NOTE + # Some 'global' areas have defaults set in their respective modules. + # These will be applied when the modules are loaded + # Not the global role. + # Not sure at this point a good way to manage globals in one place + # without mono-repo config. + # Generated by nixos-config-generate imports = [ (modulesPath + "/installer/scan/not-detected.nix") + ./global/nix.nix ]; mySystem = { @@ -20,52 +28,6 @@ with lib; }; # TODO refactor this shit out wow - nix = { - settings = { - trusted-substituters = [ - "https://nix-community.cachix.org" - "https://numtide.cachix.org" - ]; - - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - ]; - - trusted-users = [ "root" "@wheel" ]; - - # hardlink duplicates of builds - auto-optimise-store = lib.mkDefault true; - - - - # Fallback quickly if substituters are not available. - connect-timeout = 5; - - # Enable flakes - experimental-features = [ - "nix-command" - "flakes" - ]; - - warn-dirty = false; - - # The default at 10 is rarely enough. - log-lines = lib.mkDefault 25; - - # Avoid copying unnecessary stuff over SSH - builders-use-substitutes = true; - }; - - # automatically garbage collect nix store - gc = { - # garbage collection - automatic = true; - options = "--delete-older-than 30d"; - persistent = true; - }; - - }; # SOPS settings # https://github.com/Mic92/sops-nix diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix new file mode 100644 index 0000000..618eaf5 --- /dev/null +++ b/nixos/profiles/global/nix.nix 
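Review bot: After the second hunk removes the whole `nix = { … }` block, the `# TODO refactor this shit out wow` comment that introduced it is left dangling directly above `# SOPS settings`; delete it or move it to whatever it now refers to. The NOTE comment added in the first hunk explains the defaults-in-modules split well, but `Not the global role.` reads as a fragment; `not in this global profile.` joined to the previous line makes it one sentence.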
@@ -0,0 +1,84 @@
+{ lib, ... }:
+{
+ nix = {
+ nix = {
+ settings = {
+ # Enable flakes
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ # Substitutions
+ trusted-substituters = [
+ "https://nix-community.cachix.org"
+ "https://numtide.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+ ];
+
+ # Fallback quickly if substituters are not available.
+ connect-timeout = 5;
+ # Avoid copying unnecessary stuff over SSH
+ builders-use-substitutes = true;
+
+
+ trusted-users = [ "root" "@wheel" ];
+
+ warn-dirty = false;
+
+ # The default at 10 is rarely enough.
+ log-lines = lib.mkDefault 25;
+
+ };
+
+ };
+
+ settings = {
+ # Enable flakes
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ # Substitutions
+ trusted-substituters = [
+ "https://nix-community.cachix.org"
+ "https://numtide.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+ ];
+
+ # Fallback quickly if substituters are not available.
+ connect-timeout = 5;
+ # Avoid copying unnecessary stuff over SSH
+ builders-use-substitutes = true;
+
+
+ trusted-users = [ "root" "@wheel" ];
+
+ warn-dirty = false;
+
+ # The default at 10 is rarely enough.
+ log-lines = lib.mkDefault 25;
+
+ };
+
+ optimise.automatic = cfg.autoOptimiseStore;
+
+ # automatically garbage collect nix store
+ gc = mkIf cfg.gc.enabled {
+ # garbage collection
+ automatic = cfg.gc.enabled;
+ options = "--delete-older-than 30d";
+ persistent = cfg.gc.persistent;
+ };
+
+ };
+}
diff --git a/nixos/profiles/hw-thinkpad-e14-amd.nix b/nixos/profiles/hw-thinkpad-e14-amd.nix
index 2c2244b..d7a0686 100644
--- a/nixos/profiles/hw-thinkpad-e14-amd.nix
+++ b/nixos/profiles/hw-thinkpad-e14-amd.nix
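Review bot: This file references `cfg` and `mkIf` in `optimise.automatic = cfg.autoOptimiseStore;` and `gc = mkIf cfg.gc.enabled { … }`, but its header is `{ lib, ... }:` with no `let cfg = …` and no `with lib;`, so evaluation stops on an undefined variable; the `nix = { nix = { settings = …`  nesting additionally defines `nix.nix.settings`, which is not a NixOS option. The whole body duplicates the block added to nixos/modules/nixos/system/nix.nix in this same patch, so only one copy should survive. Patch 12 later in this series rewrites this file to a plain `nix.settings = { … }`, which removes both problems.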
@@ -11,10 +11,13 @@ with lib; loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; + # why not ensure we can memtest workstatons easily? + grub.memtest86.enable = true; + }; }; - # set xserver videodrivers if used + # set xserver videodrivers for amp gpu services.xserver.videoDrivers = [ "amdgpu" ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index c0194bc..a40e66a 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -18,8 +18,13 @@ with lib; min-free = lib.mkDefault (128 * 1000 * 1000); }; + # set xserver videodrivers if used + services.xserver.enable = true; - + # Laptop so ill likely use wireles + # very likely to be set by GUI packages but lets + # be declarative. + networking.networkmanager.enable = true; } From 32e6a709282d9e5099499289cd5e8fbef25baa7b Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 12:01:03 +1100 Subject: [PATCH 12/28] chore: more factor --- nixos/modules/nixos/system/nix.nix | 33 ---------- nixos/profiles/global.nix | 4 +- nixos/profiles/global/nix.nix | 99 +++++++++--------------------- 3 files changed, 30 insertions(+), 106 deletions(-) diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix index f75c7e1..51a9002 100644 --- a/nixos/modules/nixos/system/nix.nix +++ b/nixos/modules/nixos/system/nix.nix 
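Review bot: `grub.memtest86.enable = true` is added under `boot.loader` while this file boots with `systemd-boot.enable = true`; the GRUB option only takes effect when GRUB is the installed loader, so on this host it adds nothing. The systemd-boot equivalent is `boot.loader.systemd-boot.memtest86.enable`, so move the line into the `systemd-boot` attrset as `memtest86.enable = true;`. The updated comment `set xserver videodrivers for amp gpu` should read `amd gpu`.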
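Review bot: The comment `# set xserver videodrivers if used` now sits above `services.xserver.enable = true;`, which enables X rather than selecting drivers (the driver list lives in hw-thinkpad-e14-amd.nix); replace it with `# Enable X11 and the display manager for GUI workloads`. The `Laptop so ill likely use wireles` comment above `networking.networkmanager.enable = true;` is host-specific, yet this role file is shared by desktops too (its header says `Covers desktops/laptops`), so either reword it as `# NetworkManager on every workstation; laptops need it for wifi roaming` or move the line into the laptop hardware profile.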
@@ -25,45 +25,12 @@ in type = lib.types.bool; description = "Persistent timer for gc, runs at startup if timer missed"; default = true; - }; }; }; nix = { - settings = { - # Enable flakes - experimental-features = [ - "nix-command" - "flakes" - ]; - - # Substitutions - trusted-substituters = [ - "https://nix-community.cachix.org" - "https://numtide.cachix.org" - ]; - - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - ]; - - # Fallback quickly if substituters are not available. - connect-timeout = 5; - # Avoid copying unnecessary stuff over SSH - builders-use-substitutes = true; - - - trusted-users = [ "root" "@wheel" ]; - - warn-dirty = false; - - # The default at 10 is rarely enough. - log-lines = lib.mkDefault 25; - - }; optimise.automatic = cfg.autoOptimiseStore; diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index be82a63..5d0c2f6 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix @@ -9,10 +9,10 @@ with lib; # Not sure at this point a good way to manage globals in one place # without mono-repo config. - # Generated by nixos-config-generate + imports = [ - (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate ./global/nix.nix ]; diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix index 618eaf5..11a2614 100644 --- a/nixos/profiles/global/nix.nix +++ b/nixos/profiles/global/nix.nix 
@@ -1,84 +1,41 @@ -{ lib, ... }: +{ lib, config, ... }: { - nix = { - nix = { - settings = { - # Enable flakes - experimental-features = [ - "nix-command" - "flakes" - ]; - - # Substitutions - trusted-substituters = [ - "https://nix-community.cachix.org" - "https://numtide.cachix.org" - ]; - - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - ]; - - # Fallback quickly if substituters are not available. - connect-timeout = 5; - # Avoid copying unnecessary stuff over SSH - builders-use-substitutes = true; - trusted-users = [ "root" "@wheel" ]; + nix.settings = { + # Enable flakes + experimental-features = [ + "nix-command" + "flakes" + ]; - warn-dirty = false; + # Substitutions + trusted-substituters = [ + "https://nix-community.cachix.org" + "https://numtide.cachix.org" + ]; - # The default at 10 is rarely enough. - log-lines = lib.mkDefault 25; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + ]; - }; - - }; - - settings = { - # Enable flakes - experimental-features = [ - "nix-command" - "flakes" - ]; - - # Substitutions - trusted-substituters = [ - "https://nix-community.cachix.org" - "https://numtide.cachix.org" - ]; - - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - ]; - - # Fallback quickly if substituters are not available. - connect-timeout = 5; - # Avoid copying unnecessary stuff over SSH - builders-use-substitutes = true; + # Fallback quickly if substituters are not available. 
+ connect-timeout = 5; + # Avoid copying unnecessary stuff over SSH + builders-use-substitutes = true; - trusted-users = [ "root" "@wheel" ]; + trusted-users = [ "root" "@wheel" ]; - warn-dirty = false; + warn-dirty = false; - # The default at 10 is rarely enough. - log-lines = lib.mkDefault 25; - - }; - - optimise.automatic = cfg.autoOptimiseStore; - - # automatically garbage collect nix store - gc = mkIf cfg.gc.enabled { - # garbage collection - automatic = cfg.gc.enabled; - options = "--delete-older-than 30d"; - persistent = cfg.gc.persistent; - }; + # The default at 10 is rarely enough. + log-lines = lib.mkDefault 25; }; + + + + } From e5311a77b436a566fa7acd6b12245e912e089cde Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 13:56:47 +1100 Subject: [PATCH 13/28] feat: citadel boots in new config --- flake.nix | 8 + nixos/hosts/citadel/default.nix | 139 +++--------------- .../hosts/citadel/hardware-configuration.nix | 14 +- nixos/hosts/common/optional/gnome.nix | 32 +++- nixos/profiles/hw-gaming-desktop.nix | 64 ++++++++ 5 files changed, 121 insertions(+), 136 deletions(-) create mode 100644 nixos/profiles/hw-gaming-desktop.nix diff --git a/flake.nix b/flake.nix index 9f496f6..d3f766f 100644 --- a/flake.nix +++ b/flake.nix @@ -102,6 +102,14 @@ "citadel" = mkNixosConfig { hostname = "citadel"; system = "x86_64-linux"; + hardwareModules = [ + ./nixos/profiles/hw-gaming-desktop.nix + ]; + profileModules = [ + ./nixos/profiles/role-worstation.nix + + ]; + }; "dns01" = mkNixosConfig { diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index 3838124..70367c1 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix 
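Review bot: The new header `{ lib, config, ... }:` takes `config` but nothing in the rewritten file reads it; drop it to `{ lib, ... }:` and remove the four blank lines left before the closing brace. Flattening the earlier `nix.nix` nesting into a single `nix.settings = { … }` is the right shape; a one-line header comment such as `# Nix daemon settings shared by every host; the mySystem.nix module owns gc/optimise` would tell readers how this file relates to nixos/modules/nixos/system/nix.nix.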
@@ -7,139 +7,38 @@ , ... }: { imports = [ - # Host-specific - ./hardware-configuration.nix # Common imports - ../common/nixos ../common/nixos/users/truxnell ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix ../common/optional/gnome.nix ../common/optional/editors/vscode ../common/optional/firefox.nix - ../common/optional/sops-nix.nix ]; + config = { + mySystem = { + services.openssh.enable = true; + security.wheelNeedsSudoPassword = false; + }; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation + networking.hostName = "citadel"; # Define your hostname. - networking.hostName = "citadel"; # Define your hostname. + fileSystems."/" = + { + device = "/dev/disk/by-label/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/C634-F571"; + fsType = "vfat"; + }; + + swapDevices = [ ]; - # Enable OpenGL - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; }; - # Load nvidia driver for Xorg and Wayland - services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc. - hardware.nvidia = { - - # Modesetting is required. - modesetting.enable = true; - - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # Enable this if you have graphical corruption issues or application crashes after waking - # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead - # of just the bare essentials. - powerManagement.enable = false; - - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). - powerManagement.finegrained = false; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). 
- # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - # Currently alpha-quality/buggy, so false is currently the recommended setting. - open = false; - - # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. - nvidiaSettings = true; - - # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. 
- # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/nixos/hosts/citadel/hardware-configuration.nix b/nixos/hosts/citadel/hardware-configuration.nix index 09462b7..14883d8 100644 --- a/nixos/hosts/citadel/hardware-configuration.nix +++ b/nixos/hosts/citadel/hardware-configuration.nix 
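Review bot: `device = "/dev/disk/by-label/701fc943-ede7-41ed-8a53-3cc38fc68fe5";` puts a filesystem UUID under the by-label directory; the same value appears as `/dev/disk/by-uuid/...` in hardware-configuration.nix in this very commit, so the root filesystem will only resolve if a label with that exact text exists. It should read `device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5";` (a later patch in this series makes that change). `security.wheelNeedsSudoPassword = false` under mySystem presumably removes the sudo password prompt for all wheel members and is worth a one-line why-comment such as `# single-user workstation: passwordless wheel sudo by design`. The hunk also removes the `./hardware-configuration.nix` import while still editing that file below; unless mkNixosConfig pulls it in elsewhere, its fileSystems block is now unreferenced.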
@@ -4,22 +4,17 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; + { + device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/C634-F571"; + { + device = "/dev/disk/by-uuid/C634-F571"; fsType = "vfat"; }; @@ -33,6 +28,5 @@ # networking.interfaces.enp12s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/nixos/hosts/common/optional/gnome.nix b/nixos/hosts/common/optional/gnome.nix index bc59cbf..5259b79 100644 --- a/nixos/hosts/common/optional/gnome.nix +++ b/nixos/hosts/common/optional/gnome.nix 
@@ -8,18 +8,38 @@ # GNOME plz services.xserver = { enable = true; - desktopManager.gnome.enable = true; - displayManager = { - gdm.enable = true; - defaultSession = "gnome"; # TODO move to config overlay - autoLogin.user = "truxnell"; # TODO move to config overlay + displayManager = + { + gdm.enable = true; + defaultSession = "gnome"; # TODO move to config overlay + + autoLogin.enable = true; + autoLogin.user = "truxnell"; # TODO move to config overlay + }; + desktopManager = { + # GNOME + gnome.enable = true; }; + layout = "us"; # `localctl` will give you }; + # TODO remove this when possible + # workaround for GNOME autologin + # https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229 + systemd.services."getty@tty1".enable = false; + systemd.services."autovt@tty1".enable = false; + + # TODO tidy this + # port forward for GNOME when using RDP***REMOVED*** + + networking.firewall.allowedTCPPorts = [ + 3389 + ]; + # And dconf programs.dconf.enable = true; - + # https://github.com/NixOS/nixpkgs/issues/114514 # dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" TODO hack for GNOME 45 diff --git a/nixos/profiles/hw-gaming-desktop.nix b/nixos/profiles/hw-gaming-desktop.nix new file mode 100644 index 0000000..0b108b6 --- /dev/null +++ b/nixos/profiles/hw-gaming-desktop.nix 
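Review bot: `networking.firewall.allowedTCPPorts = [ 3389 ];` opens the RDP port on every host that imports this shared gnome.nix, whether or not a remote-desktop service is enabled (none is configured in this hunk), and the `TODO tidy this` above it concedes it is a placeholder; the rule belongs next to whatever service actually listens on 3389, or behind a host-level option, so headless or laptop imports do not expose the port. `layout = "us";` is set directly under services.xserver, while the template text removed elsewhere in this series uses `services.xserver.xkb.layout`, which is the current path. The combination of `autoLogin.enable = true` with the disabled `getty@tty1`/`autovt@tty1` units should also carry a comment that it assumes a physically controlled single-user machine, since it drops the login prompt on the console.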
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, imports, boot, ... }:
+
+with lib;
+{
+ boot = {
+ initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ # why not ensure we can memtest workstatons easily?
+ grub.memtest86.enable = true;
+
+ };
+ };
+
+ # set xserver videodrivers for NVIDIA 4080 gpu
+ services.xserver.videoDrivers = [ "nvidia" ];
+
+
+ # ref: https://nixos.wiki/wiki/Nvidia
+ # Enable OpenGL
+ hardware.opengl = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+
+ hardware.nvidia = {
+
+ # Modesetting is required.
+ modesetting.enable = true;
+
+ # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+ # Enable this if you have graphical corruption issues or application crashes after waking
+ # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
+ # of just the bare essentials.
+ powerManagement.enable = false;
+
+ # Fine-grained power management. Turns off GPU when not in use.
+ # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+ powerManagement.finegrained = false;
+
+ # Use the NVidia open source kernel module (not to be confused with the
+ # independent third-party "nouveau" open source driver).
+ # Support is limited to the Turing and later architectures. Full list of
+ # supported GPUs is at:
+ # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
+ # Only available from driver 515.43.04+
+ # Currently alpha-quality/buggy, so false is currently the recommended setting.
+ open = false;
+
+ # Enable the Nvidia settings menu,
+ # accessible via `nvidia-settings`.
+ nvidiaSettings = true;
+
+ # Optionally, you may need to select the appropriate driver version for your specific GPU.
+ package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + +} From 3416303a07fae744c9e725c04c2eb4d178281453 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 16:47:43 +1100 Subject: [PATCH 14/28] chore: hack hack hack --- flake.nix | 3 +- nixos/hosts/citadel/default.nix | 1 - nixos/hosts/rickenbacker/default.nix | 1 - nixos/modules/README.md | 2 +- nixos/modules/nixos/system/systempackages.nix | 26 ++++++++++ nixos/profiles/global.nix | 24 +++------- nixos/profiles/global/nix.nix | 20 ++++++-- nixos/profiles/global/nixpkgs.nix | 10 ++++ nixos/profiles/global/sops.nix | 6 +++ nixos/profiles/global/system.nix | 47 +++++++++++++++++++ .../default.nix => profiles/global/users.nix} | 2 +- 11 files changed, 116 insertions(+), 26 deletions(-) create mode 100644 nixos/modules/nixos/system/systempackages.nix create mode 100644 nixos/profiles/global/nixpkgs.nix create mode 100644 nixos/profiles/global/sops.nix create mode 100644 nixos/profiles/global/system.nix rename nixos/{hosts/common/nixos/users/truxnell/default.nix => profiles/global/users.nix} (94%) diff --git a/flake.nix b/flake.nix index d3f766f..94c69f3 100644 --- a/flake.nix +++ b/flake.nix @@ -107,7 +107,6 @@ ]; profileModules = [ ./nixos/profiles/role-worstation.nix - ]; }; @@ -165,6 +164,8 @@ in { dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01; + rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker; + # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02; }; diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index 70367c1..2088616 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix @@ -9,7 +9,6 @@ imports = [ # Common imports - ../common/nixos/users/truxnell ../common/optional/fish.nix ../common/optional/gnome.nix ../common/optional/editors/vscode 
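Review bot: `{ config, lib, pkgs, imports, boot, ... }:` on the first line of hw-gaming-desktop.nix asks for `imports` and `boot` as module arguments, which the module system does not supply; unless mkNixosConfig passes them through specialArgs, evaluation fails with a missing-argument error, so the header should be `{ config, lib, pkgs, ... }:`. The same argument list appears in the new hw-rpi4.nix in patch 16 further down. `grub.memtest86.enable = true;` is set while the loader enabled here is systemd-boot, so it has no effect; the matching option is `boot.loader.systemd-boot.memtest86.enable = true;`. `with lib;` is also unused since the one `lib.mkDefault` call is qualified explicitly.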
diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index fcac0e4..34c9c97 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix @@ -9,7 +9,6 @@ imports = [ # Common imports - ../common/nixos/users/truxnell ../common/optional/fish.nix ../common/optional/gnome.nix ../common/optional/editors/vscode diff --git a/nixos/modules/README.md b/nixos/modules/README.md index 59f655c..add72bf 100644 --- a/nixos/modules/README.md +++ b/nixos/modules/README.md @@ -6,4 +6,4 @@ The main goal is to build up a `mySystem` options key which is easy to read and This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there. -I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things. +I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things. \ No newline at end of file diff --git a/nixos/modules/nixos/system/systempackages.nix b/nixos/modules/nixos/system/systempackages.nix new file mode 100644 index 0000000..c23f202 --- /dev/null +++ b/nixos/modules/nixos/system/systempackages.nix @@ -0,0 +1,26 @@ +{ lib +, config +, self +, ... +}: +with lib; +let + cfg = config.mySystem.system; +in +{ + options.mySystem.system.packages = { + autoOptimiseStore = mkOption + { + type = lib.types.list; + description = "List of system level package installs"; + default = [ ]; + }; + }; + + # System packages deployed globally. + # This is NixOS so lets keep this liiight? + # Ideally i'd keep most of it to home-manager user only stuff + # and keep server role as light as possible + config.environment.system.packages = cfg.packages; + +} diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index 5d0c2f6..7ee1bb5 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix 
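Review bot: the new systempackages.nix cannot evaluate as written: `options.mySystem.system.packages = { autoOptimiseStore = mkOption {` declares the option under the wrong name, `type = lib.types.list;` names a type that does not exist (the list type is `listOf`), and `config.environment.system.packages = cfg.packages;` assigns to a path that is not a NixOS option (the real one is `environment.systemPackages`), so any host enabling the module fails at eval. Patch 17 later in this series fixes all three; squashing that fix into this commit would keep every intermediate commit buildable for bisecting.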
@@ -14,6 +14,10 @@ with lib; [ (modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate ./global/nix.nix + ./global/users.nix + ./global/sops.nix + ./global/nixpkgs.nix + ./global/system.nix ]; mySystem = { @@ -32,26 +36,12 @@ with lib; # SOPS settings # https://github.com/Mic92/sops-nix - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - nixpkgs = { - # Configure your nixpkgs instance - config = { - # Disable if you don't want unfree packages - allowUnfree = true; - }; - }; - system = { - # Enable printing changes on nix build etc with nvd - activationScripts.report-changes = '' - PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} - nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) - ''; - # Do not change unless you know what you are doing - stateVersion = "23.11"; # THERE BE DRAGONS - }; + + + networking.useDHCP = lib.mkDefault true; diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix index 11a2614..2e537a2 100644 --- a/nixos/profiles/global/nix.nix +++ b/nixos/profiles/global/nix.nix @@ -1,8 +1,23 @@ -{ lib, config, ... }: +{ lib, config, pkgs, nixpkgs, ... }: { + ## Below is to align shell/system to flake's nixpkgs + ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry + + # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. + nix.registry.nixpkgs.flake = nixpkgs; + nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. + + # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake. + # Make `nix repl ''` use the same nixpkgs as the one used by this flake. + environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; + # https://github.com/NixOS/nix/issues/9574 + nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; + + ### nix.settings = { + # Enable flakes experimental-features = [ "nix-command" 
@@ -35,7 +50,4 @@ }; - - - } diff --git a/nixos/profiles/global/nixpkgs.nix b/nixos/profiles/global/nixpkgs.nix new file mode 100644 index 0000000..e4e4c71 --- /dev/null +++ b/nixos/profiles/global/nixpkgs.nix @@ -0,0 +1,10 @@ +{ config, ... }: +{ + nixpkgs = { + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + }; + }; +} diff --git a/nixos/profiles/global/sops.nix b/nixos/profiles/global/sops.nix new file mode 100644 index 0000000..543aa98 --- /dev/null +++ b/nixos/profiles/global/sops.nix @@ -0,0 +1,6 @@ +{ config, ... }: +{ + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + +} diff --git a/nixos/profiles/global/system.nix b/nixos/profiles/global/system.nix new file mode 100644 index 0000000..bd12372 --- /dev/null +++ b/nixos/profiles/global/system.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +with lib; +{ + system = { + # Enable printing changes on nix build etc with nvd + activationScripts.report-changes = '' + PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} + nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) + ''; + + # Do not change unless you know what you are doing + stateVersion = "23.11"; # THERE BE DRAGONS + + # (This one comes in the niiiiight) ::: + # :: :::. + # \/, .::::: + # \), \`-._ :::888 + # /\ \ `-. ::88888 + # / \ | .( ::88 + # /,. \ ; ( ` .:8888 + # ), \ / ;`` :::888 + # /_ \ __/_(_ :88 + # `. ,`..-' `-._ \ / :8 + # )__ `. `._ .\/. + # / `. ` `-._______m _, + # ,-=====-.-;' , ___________/ _,-_,'"`/__,-. + # C =-- ; `.`._ V V V -=-'"#==-._ + # :, \ ,| UuUu _,......__ `-.__A_A_ -. ._ ,--._ ",`` `- + # || |`---' : uUuUu,' `'--...____/ `" `". ` + # |` : \ UuUu: + # : / \ UuUu`-._ + # \(_ `._ uUuUu `-. + # (_3 `._ uUu `._ + # ``-._ `. + # `-._ `. + # `. \ + # ) ; + # / / + # `. |\ ,' / + # ",_A_/\-| ` ,' + # `--..,_|_,-'\ + # | \ + # | \__ + # |__ + + }; +} 
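Review bot: `{ lib, config, pkgs, nixpkgs, ... }:` in global/nix.nix now depends on a `nixpkgs` module argument that only exists if flake.nix passes the input through specialArgs, and that wiring is not in this patch; a comment such as `# nixpkgs: the flake input, supplied via specialArgs in flake.nix` on the first line would save the next reader a failed evaluation. `pkgs` is added in the same line but nothing in the new lines uses it. In the new global/system.nix, `with lib;` is unused because `lib.makeBinPath` is already qualified.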
diff --git a/nixos/hosts/common/nixos/users/truxnell/default.nix b/nixos/profiles/global/users.nix similarity index 94% rename from nixos/hosts/common/nixos/users/truxnell/default.nix rename to nixos/profiles/global/users.nix index 7d536ab..676041b 100644 --- a/nixos/hosts/common/nixos/users/truxnell/default.nix +++ b/nixos/profiles/global/users.nix @@ -25,7 +25,7 @@ in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" ]; - packages = [ pkgs.home-manager ]; + # packages = [ pkgs.home-manager ]; }; # home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager? From 787fd6fee2655bf4fc88f3b9eb476c6eaac4e84c Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 17:06:14 +1100 Subject: [PATCH 15/28] feat: flesh out nix tasks --- .taskfiles/nix/Taskfile.yaml | 39 +++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/.taskfiles/nix/Taskfile.yaml b/.taskfiles/nix/Taskfile.yaml index a0cd6e4..fdbb466 100644 --- a/.taskfiles/nix/Taskfile.yaml +++ b/.taskfiles/nix/Taskfile.yaml @@ -5,16 +5,14 @@ vars: host: $HOSTNAME tasks: - apply: + switch: desc: Build and apply nix configuration silent: true requires: vars: - host cmds: - - task: build - vars: - host: "{{ .host }}" + - echo "This will switch your config." - task: .prompt_to_continue - sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure preconditions: 
@@ -23,6 +21,38 @@ tasks: - sh: which nixos-rebuild msg: "nixos-rebuild not found" + test: + desc: Build and apply nix configuration + silent: true + requires: + vars: + - host + cmds: + - echo "This will test your config." + - task: .prompt_to_continue + - sudo nixos-rebuild test --flake "{{.ROOT_DIR}}/#{{.host}}" --impure + preconditions: + - sh: which nix + msg: "nix not found" + - sh: which nixos-rebuild + msg: "nixos-rebuild not found" + + dry-run: + desc: Build and apply nix configuration + silent: true + requires: + vars: + - host + cmds: + - echo "This will dry-run your config." + - nixos-rebuild dry-run --flake "{{.ROOT_DIR}}/#{{.host}}" --impure + preconditions: + - sh: which nix + msg: "nix not found" + - sh: which nixos-rebuild + msg: "nixos-rebuild not found" + + build: desc: Build nix configuration silent: true @@ -31,7 +61,6 @@ tasks: - host cmds: - nixos-rebuild build --flake "{{.ROOT_DIR}}/#{{.host}}" --impure - - nvd diff /run/current-system result preconditions: - sh: which nix msg: "nix not found" From 0a9f9f28e341f48b64764a3cbcacb84bdae91b41 Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 20:12:45 +1100 Subject: [PATCH 16/28] feat: add yaml-lang tags --- .taskfiles/nix/Taskfile.yaml | 1 + .taskfiles/pre-commit/Taskfile.yaml | 1 + .taskfiles/sops/Taskfile.yaml | 1 + nixos/profiles/hw-rpi4.nix | 29 +++++++++++++++++++++++++++++ 4 files changed, 32 insertions(+) create mode 100644 nixos/profiles/hw-rpi4.nix diff --git a/.taskfiles/nix/Taskfile.yaml b/.taskfiles/nix/Taskfile.yaml index fdbb466..5ab4a44 100644 --- a/.taskfiles/nix/Taskfile.yaml +++ b/.taskfiles/nix/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" vars: diff --git a/.taskfiles/pre-commit/Taskfile.yaml b/.taskfiles/pre-commit/Taskfile.yaml index 1a86675..637d1b1 100644 --- a/.taskfiles/pre-commit/Taskfile.yaml +++ b/.taskfiles/pre-commit/Taskfile.yaml 
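Review bot: `desc: Build and apply nix configuration` is copied verbatim onto the new `test` and `dry-run` tasks, so the task list will show three entries with the same description; use `desc: Build and activate without creating a boot entry` for test and `desc: Show what would be built without building or activating` for dry-run. All three invocations pass `--impure`, which lets evaluation read the environment and paths outside the flake and so weakens reproducibility of what gets deployed; if it is genuinely needed, a comment stating why belongs next to the first use in this file, otherwise the flag should go.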
@@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" vars: diff --git a/.taskfiles/sops/Taskfile.yaml b/.taskfiles/sops/Taskfile.yaml index 115a287..3c1ef8a 100644 --- a/.taskfiles/sops/Taskfile.yaml +++ b/.taskfiles/sops/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" tasks: diff --git a/nixos/profiles/hw-rpi4.nix b/nixos/profiles/hw-rpi4.nix new file mode 100644 index 0000000..ad2d4c1 --- /dev/null +++ b/nixos/profiles/hw-rpi4.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, imports, boot, ... }: + +with lib; +{ + boot = { + + initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ]; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + + loader = { + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) + grub.enable = false; + # Enables the generation of /boot/extlinux/extlinux.conf + generic-extlinux-compatible.enable = true; + }; + }; + + console.enable = false; + mySystem.system.packages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + ]; + + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + +} From 57d59e5f691a8e9e5483bdad3b9833054c7320c4 Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 20:12:54 +1100 Subject: [PATCH 17/28] chore: hacking --- nixos/hosts/dns01/default.nix | 93 ++----------------- nixos/hosts/dns01/hardware-configuration.nix | 32 ------- nixos/modules/nixos/system/default.nix | 2 + nixos/modules/nixos/system/nix.nix | 2 +- nixos/modules/nixos/system/systempackages.nix | 8 +- nixos/profiles/global.nix | 1 + nixos/profiles/hw-gaming-desktop.nix | 2 + nixos/profiles/hw-thinkpad-e14-amd.nix | 3 +- 8 files changed, 20 insertions(+), 123 deletions(-) delete mode 100644 nixos/hosts/dns01/hardware-configuration.nix diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index 0f8a191..fb7913a 100644 
--- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix 
@@ -3,107 +3,30 @@ # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { config , lib -, pkgs +, pkgs , ... }: { imports = [ - # Host-specific - ./hardware-configuration.nix - - # Common imports - ../common/nixos/users/truxnell ../common/optional/fish.nix ../common/optional/monitoring.nix ../common/optional/reboot-required.nix - ../common/optional/sops-nix.nix ../common/optional/dnscrypt-proxy2.nix ../common/optional/cloudflare-dyndns.nix ../common/optional/maddy.nix ]; - # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) - boot.loader.grub.enable = false; - # Enables the generation of /boot/extlinux/extlinux.conf - boot.loader.generic-extlinux-compatible.enable = true; - networking.hostName = "dns01"; # Define your hostname. + networking.useDHCP = lib.mkDefault true; - console.enable = false; - environment.systemPackages = with pkgs; [ - libraspberrypi - raspberrypi-eeprom - ]; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + swapDevices = [ ]; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. 
- # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? } 
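Review bot: the new side of dns01/default.nix drops the extlinux loader settings, `console.enable = false`, the raspberrypi packages and the hardware-configuration.nix import (the file is deleted just below), which patch 16 moved into `nixos/profiles/hw-rpi4.nix`, but this patch's diffstat lists no flake.nix change attaching that profile to dns01; unless the `hardwareModules = [ ./nixos/profiles/hw-rpi4.nix ];` wiring already exists, the host now has no boot loader configuration and no `nixpkgs.hostPlatform`, which is worth confirming before the next deploy. `, pkgs` is kept in the argument set although nothing in the new body uses it. `networking.useDHCP = lib.mkDefault true;` also duplicates the same line in global.nix from patch 14, harmless but redundant.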
diff --git a/nixos/hosts/dns01/hardware-configuration.nix b/nixos/hosts/dns01/hardware-configuration.nix deleted file mode 100644 index e2b253d..0000000 --- a/nixos/hosts/dns01/hardware-configuration.nix +++ /dev/null @@ -1,32 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.end0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/nixos/modules/nixos/system/default.nix b/nixos/modules/nixos/system/default.nix index 933dabe..57e42b9 100644 --- a/nixos/modules/nixos/system/default.nix +++ b/nixos/modules/nixos/system/default.nix @@ -3,5 +3,7 @@ ./openssh.nix ./time.nix ./security.nix + ./systempackages.nix + ./nix.nix ]; } diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix index 51a9002..22e0d7a 100644 --- a/nixos/modules/nixos/system/nix.nix +++ b/nixos/modules/nixos/system/nix.nix 
@@ -30,7 +30,7 @@ in }; - nix = { + config.nix = { optimise.automatic = cfg.autoOptimiseStore; diff --git a/nixos/modules/nixos/system/systempackages.nix b/nixos/modules/nixos/system/systempackages.nix index c23f202..49969d1 100644 --- a/nixos/modules/nixos/system/systempackages.nix +++ b/nixos/modules/nixos/system/systempackages.nix @@ -8,10 +8,10 @@ let cfg = config.mySystem.system; in { - options.mySystem.system.packages = { - autoOptimiseStore = mkOption + options.mySystem.system = { + packages = mkOption { - type = lib.types.list; + type = with types; listOf package; description = "List of system level package installs"; default = [ ]; }; @@ -21,6 +21,6 @@ in # This is NixOS so lets keep this liiight? # Ideally i'd keep most of it to home-manager user only stuff # and keep server role as light as possible - config.environment.system.packages = cfg.packages; + config.environment.systemPackages = cfg.packages; } diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index 7ee1bb5..f544622 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix @@ -25,6 +25,7 @@ with lib; # basics for all devices time.timeZone = "Australia/Melbourne"; security.increaseWheelLoginLimits = true; + system.packages = [ pkgs.bat ]; }; i18n = { diff --git a/nixos/profiles/hw-gaming-desktop.nix b/nixos/profiles/hw-gaming-desktop.nix index 0b108b6..066b5d0 100644 --- a/nixos/profiles/hw-gaming-desktop.nix +++ b/nixos/profiles/hw-gaming-desktop.nix @@ -3,9 +3,11 @@ with lib; { boot = { + initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; + loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; diff --git a/nixos/profiles/hw-thinkpad-e14-amd.nix b/nixos/profiles/hw-thinkpad-e14-amd.nix index d7a0686..2486db9 100644 --- a/nixos/profiles/hw-thinkpad-e14-amd.nix +++ b/nixos/profiles/hw-thinkpad-e14-amd.nix 
@@ -5,9 +5,10 @@ with lib; boot = { initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ "amdgpu" ]; kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; - initrd.kernelModules = [ "amdgpu" ]; + loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; From e6243b48ba1d9c7be807f22f296c13a6524626c0 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 22:51:18 +1100 Subject: [PATCH 18/28] chore: hax --- docs/vm/faq.md | 3 ++ nixos/hosts/citadel/default.nix | 5 +- .../hosts/citadel/hardware-configuration.nix | 32 ------------- nixos/hosts/common/optional/fish.nix | 10 ---- nixos/hosts/dns01/default.nix | 1 - nixos/hosts/rickenbacker/default.nix | 1 - nixos/modules/nixos/default.nix | 2 + nixos/modules/nixos/programs/default.nix | 5 ++ .../modules/nixos/programs/shell/default.nix | 5 ++ nixos/modules/nixos/programs/shell/fish.nix | 46 +++++++++++++++++++ nixos/modules/nixos/system/nix.nix | 6 +-- nixos/profiles/global.nix | 12 +++-- nixos/profiles/global/default.nix | 9 ++++ nixos/profiles/global/nix.nix | 2 + nixos/profiles/hw-gaming-desktop.nix | 8 ++++ nixos/profiles/hw-thinkpad-e14-amd.nix | 6 +++ nixos/profiles/role-worstation.nix | 11 +++-- 17 files changed, 104 insertions(+), 60 deletions(-) create mode 100644 docs/vm/faq.md delete mode 100644 nixos/hosts/citadel/hardware-configuration.nix delete mode 100644 nixos/hosts/common/optional/fish.nix create mode 100644 nixos/modules/nixos/programs/default.nix create mode 100644 nixos/modules/nixos/programs/shell/default.nix create mode 100644 nixos/modules/nixos/programs/shell/fish.nix create mode 100644 nixos/profiles/global/default.nix diff --git a/docs/vm/faq.md b/docs/vm/faq.md new file mode 100644 index 0000000..7319a55 --- /dev/null +++ b/docs/vm/faq.md 
@@ -0,0 +1,3 @@ +## Why not recurse the module folder + +Imports are special in NIX and its important that they are definet at runtime for lazy evaluation - if you do optional/coded imports not everything is avaliable for evaluating. diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index 2088616..8b7687a 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix @@ -9,7 +9,6 @@ imports = [ # Common imports - ../common/optional/fish.nix ../common/optional/gnome.nix ../common/optional/editors/vscode ../common/optional/firefox.nix @@ -25,13 +24,13 @@ fileSystems."/" = { - device = "/dev/disk/by-label/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; + device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; fsType = "ext4"; }; fileSystems."/boot" = { - device = "/dev/disk/by-uuid/C634-F571"; + device = "/dev/disk/by-uuid/1D5B-36D3"; fsType = "vfat"; }; diff --git a/nixos/hosts/citadel/hardware-configuration.nix b/nixos/hosts/citadel/hardware-configuration.nix deleted file mode 100644 index 14883d8..0000000 --- a/nixos/hosts/citadel/hardware-configuration.nix +++ /dev/null 
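Review bot: The citadel host file now carries only the root and boot filesystems, while the hardware-configuration.nix deleted in this same commit also set `networking.useDHCP = lib.mkDefault true;` and `hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`, and neither line reappears in this hunk. Unless the hw-gaming-desktop profile already sets them, the host quietly loses CPU microcode updates after this change, which is worth confirming before merging. The `/boot` UUID also changes from the `C634-F571` that the generated file still held to `1D5B-36D3`; a short comment such as `# layout formerly in hardware-configuration.nix; boot UUID updated after reformat` above `fileSystems."/"` would record both facts.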
@@ -1,32 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/C634-F571"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp12s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp13s0.useDHCP = lib.mkDefault true; - - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/nixos/hosts/common/optional/fish.nix b/nixos/hosts/common/optional/fish.nix deleted file mode 100644 index e53f255..0000000 --- a/nixos/hosts/common/optional/fish.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - programs.fish = { - enable = true; - vendor = { - completions.enable = true; - config.enable = true; - functions.enable = true; - }; - }; -} diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index fb7913a..9298d3e 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix @@ -7,7 +7,6 @@ , ... }: { imports = [ - ../common/optional/fish.nix ../common/optional/monitoring.nix ../common/optional/reboot-required.nix diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index 34c9c97..3a99a2c 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix 
@@ -9,7 +9,6 @@ imports = [ # Common imports - ../common/optional/fish.nix ../common/optional/gnome.nix ../common/optional/editors/vscode ../common/optional/firefox.nix diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix index 2ad14a5..916039f 100644 --- a/nixos/modules/nixos/default.nix +++ b/nixos/modules/nixos/default.nix @@ -1,5 +1,7 @@ { imports = [ ./system + ./programs + ]; } diff --git a/nixos/modules/nixos/programs/default.nix b/nixos/modules/nixos/programs/default.nix new file mode 100644 index 0000000..5cf8372 --- /dev/null +++ b/nixos/modules/nixos/programs/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./shell + ]; +} diff --git a/nixos/modules/nixos/programs/shell/default.nix b/nixos/modules/nixos/programs/shell/default.nix new file mode 100644 index 0000000..56cb916 --- /dev/null +++ b/nixos/modules/nixos/programs/shell/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./fish.nix + ]; +} diff --git a/nixos/modules/nixos/programs/shell/fish.nix b/nixos/modules/nixos/programs/shell/fish.nix new file mode 100644 index 0000000..de8316e --- /dev/null +++ b/nixos/modules/nixos/programs/shell/fish.nix @@ -0,0 +1,46 @@ +{ lib +, config +, self +, pkgs +, ... +}: +with lib; +let + cfg = config.mySystem.shell.fish; +in +{ + options.mySystem.shell.fish = + { + enable = mkEnableOption "Fish"; + enablePlugins = mkOption + { + type = lib.types.bool; + description = "If we want to add fish plugins"; + default = true; + + }; + + } + + # Install fish systemwide + config.programs.fish = mkIf cfg.enable { + enable = true; + vendor = { + completions.enable = true; + config.enable = true; + functions.enable = true; + }; +}; + +# Install fish plugins systemwide +config.mySystem.system.packages = with pkgs; mkIf cfg.enable [ +fishPlugins.done +fishPlugins.fzf-fish +fishPlugins.forgit +fishPlugins.hydro +fzf +fishPlugins.grc +grc +]; + +} 
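Review bot: `enablePlugins` is declared at the top of the new fish.nix but never read: the plugin package list at the end is gated on `cfg.enable` alone, so every host that enables fish gets the plugins, contrary to the "leave them for workstations" comment added to global.nix in this same commit; gate it with `config.mySystem.system.packages = with pkgs; mkIf (cfg.enable && cfg.enablePlugins) [`. The options attrset also closes with `}` rather than `};` before the `# Install fish systemwide` comment, which does not parse as Nix. The follow-up commit's fish.nix hunk fixes the semicolon but removes the plugin list instead of wiring the option, so `enablePlugins`, `self` and `pkgs` stay unused there.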
diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix index 22e0d7a..0604425 100644 --- a/nixos/modules/nixos/system/nix.nix +++ b/nixos/modules/nixos/system/nix.nix @@ -17,7 +17,7 @@ in }; gc = { - enabled = mkEnableOption "automatic garbage collection" // { + enable = mkEnableOption "automatic garbage collection" // { default = true; }; persistent = mkOption @@ -35,9 +35,9 @@ in optimise.automatic = cfg.autoOptimiseStore; # automatically garbage collect nix store - gc = mkIf cfg.gc.enabled { + gc = mkIf cfg.gc.enable { # garbage collection - automatic = cfg.gc.enabled; + automatic = cfg.gc.enable; options = "--delete-older-than 30d"; persistent = cfg.gc.persistent; }; diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index f544622..43f1c97 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix @@ -13,11 +13,7 @@ with lib; imports = [ (modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate - ./global/nix.nix - ./global/users.nix - ./global/sops.nix - ./global/nixpkgs.nix - ./global/system.nix + ./global ]; mySystem = { @@ -26,8 +22,14 @@ with lib; time.timeZone = "Australia/Melbourne"; security.increaseWheelLoginLimits = true; system.packages = [ pkgs.bat ]; + + # Lets see if fish everywhere is OK on the pi's + # TODO decide if i drop to bash on pis? + shell.fish.enable = true; + # But wont enable plugins globally, leave them for workstations }; + i18n = { defaultLocale = lib.mkDefault "en_AU.UTF-8"; }; diff --git a/nixos/profiles/global/default.nix b/nixos/profiles/global/default.nix new file mode 100644 index 0000000..506ca28 --- /dev/null +++ b/nixos/profiles/global/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ./nix.nix + ./nixpkgs.nix + ./sops.nix + ./system.nix + ./users.nix + ]; +} diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix index 2e537a2..f6b767b 100644 --- a/nixos/profiles/global/nix.nix +++ b/nixos/profiles/global/nix.nix 
@@ -26,6 +26,7 @@ # Substitutions trusted-substituters = [ + "https://cache.garnix.io" "https://nix-community.cachix.org" "https://numtide.cachix.org" ]; @@ -33,6 +34,7 @@ trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ]; # Fallback quickly if substituters are not available. diff --git a/nixos/profiles/hw-gaming-desktop.nix b/nixos/profiles/hw-gaming-desktop.nix index 066b5d0..86cf9c7 100644 --- a/nixos/profiles/hw-gaming-desktop.nix +++ b/nixos/profiles/hw-gaming-desktop.nix @@ -2,12 +2,20 @@ with lib; { + + mySystem.system.packages = with pkgs; [ + ntfs3g + ]; + boot = { initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; + # for managing/mounting ntfs + supportedFilesystems = [ "ntfs" ]; + loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; diff --git a/nixos/profiles/hw-thinkpad-e14-amd.nix b/nixos/profiles/hw-thinkpad-e14-amd.nix index 2486db9..678111d 100644 --- a/nixos/profiles/hw-thinkpad-e14-amd.nix +++ b/nixos/profiles/hw-thinkpad-e14-amd.nix @@ -9,6 +9,9 @@ with lib; kernelModules = [ "kvm-amd" ]; extraModulePackages = [ ]; + # for managing/mounting ntfs + supportedFilesystems = [ "ntfs" ]; + loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; @@ -21,6 +24,9 @@ with lib; # set xserver videodrivers for amp gpu services.xserver.videoDrivers = [ "amdgpu" ]; + # As this is a laptop explicitly enable nmcli (likely enabled by GUI anyway) + networking.networkmanager.enable = true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index a40e66a..0c4555a 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix 
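Review bot: The added `cache.garnix.io:…` entry extends `trusted-public-keys`, so every host built from this flake will accept any store path signed by that key; the value should be cross-checked against the key the cache operator publishes before this lands, and a comment beside it such as `# key copied from <operator docs URL placeholder>` makes later re-verification possible. Note also that `trusted-substituters` only whitelists caches that unprivileged users may request; unless `substituters`, outside this hunk, also lists the garnix cache, the daemon will not pull from it on its own. Minor: the substituter is inserted before nix-community while the key is appended after numtide, so the two lists no longer line up.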
@@ -5,13 +5,15 @@ with lib; { - boot = { + + config.mySystem.shell.fish.plugins = true; + config.boot = { binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation - plymouth.enable = true; + plymouth.enable = true; # hide console with splash screen }; - nix.settings = { + config.nix.settings = { # TODO factor out into mySystem # Avoid disk full issues max-free = lib.mkDefault (1000 * 1000 * 1000); @@ -19,12 +21,11 @@ with lib; }; # set xserver videodrivers if used - services.xserver.enable = true; + config.services.xserver.enable = true; # Laptop so ill likely use wireles # very likely to be set by GUI packages but lets # be declarative. - networking.networkmanager.enable = true; } From e46eba32a617428dba5cacbd1e4d9f7ce09b94c9 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 22:55:12 +1100 Subject: [PATCH 19/28] chore: fix tpyo --- nixos/modules/nixos/programs/shell/fish.nix | 29 +++++++-------------- nixos/profiles/role-worstation.nix | 1 - 2 files changed, 9 insertions(+), 21 deletions(-) diff --git a/nixos/modules/nixos/programs/shell/fish.nix b/nixos/modules/nixos/programs/shell/fish.nix index de8316e..ac0acec 100644 --- a/nixos/modules/nixos/programs/shell/fish.nix +++ b/nixos/modules/nixos/programs/shell/fish.nix @@ -20,27 +20,16 @@ in }; - } + }; - # Install fish systemwide - config.programs.fish = mkIf cfg.enable { - enable = true; - vendor = { - completions.enable = true; - config.enable = true; - functions.enable = true; + # Install fish systemwide + config.programs.fish = mkIf cfg.enable { + enable = true; + vendor = { + completions.enable = true; + config.enable = true; + functions.enable = true; + }; }; -}; - -# Install fish plugins systemwide -config.mySystem.system.packages = with pkgs; mkIf cfg.enable [ -fishPlugins.done -fishPlugins.fzf-fish -fishPlugins.forgit -fishPlugins.hydro -fzf -fishPlugins.grc -grc -]; } 
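Review bot: In the role-worstation hunk, `config.mySystem.shell.fish.plugins = true;` assigns an option that fish.nix does not declare — the declared name is `enablePlugins` — and NixOS rejects assignments to undeclared options, so the workstation role fails to evaluate; the follow-up commit deletes the line rather than renaming it, which leaves the plugin switch unset for workstations. The `# Laptop so ill likely use wireles …` comment is kept while the `networking.networkmanager.enable = true;` line beneath it is removed (it moved to hw-thinkpad-e14-amd.nix), so the comment now describes nothing and should go with the line.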
diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index 0c4555a..12bb03d 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -6,7 +6,6 @@ with lib; { - config.mySystem.shell.fish.plugins = true; config.boot = { binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation From 1a4d6ecd2ac2bfcddacd6c04a5c12fb08808a912 Mon Sep 17 00:00:00 2001 
From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Mon, 25 Mar 2024 23:37:21 +1100 Subject: [PATCH 20/28] hax --- flake.nix | 14 ++++- nixos/hosts/citadel/default.nix | 2 + .../common/optional/cloudflare-dyndns.nix | 28 ---------- nixos/hosts/common/optional/monitoring.nix | 30 ----------- .../hosts/common/optional/reboot-required.nix | 36 ------------- nixos/hosts/dns01/default.nix | 7 +-- nixos/modules/nixos/default.nix | 3 +- .../cloudflare-dyndns.sops.yaml | 0 .../services/cloudflare-dyndns/default.nix | 39 ++++++++++++++ nixos/modules/nixos/services/default.nix | 7 +++ nixos/modules/nixos/services/monitoring.nix | 46 ++++++++++++++++ .../nixos/services/reboot-required-check.nix | 54 +++++++++++++++++++ nixos/modules/nixos/template.nix | 20 +++++++ nixos/profiles/role-server.nix | 24 +++++++++ 14 files changed, 209 insertions(+), 101 deletions(-) delete mode 100644 nixos/hosts/common/optional/cloudflare-dyndns.nix delete mode 100644 nixos/hosts/common/optional/monitoring.nix delete mode 100644 nixos/hosts/common/optional/reboot-required.nix rename nixos/{hosts/common/optional => modules/nixos/services/cloudflare-dyndns}/cloudflare-dyndns.sops.yaml (100%) create mode 100644 nixos/modules/nixos/services/cloudflare-dyndns/default.nix create mode 100644 nixos/modules/nixos/services/default.nix create mode 100644 nixos/modules/nixos/services/monitoring.nix create mode 100644 nixos/modules/nixos/services/reboot-required-check.nix create mode 100644 nixos/modules/nixos/template.nix create mode 100644 nixos/profiles/role-server.nix diff --git a/flake.nix b/flake.nix index 94c69f3..2c0e3e2 100644 --- a/flake.nix +++ b/flake.nix @@ -87,6 +87,7 @@ { "rickenbacker" = mkNixosConfig { + # NixOS laptop (dualboot windows, dunno why i kept it) hostname = "rickenbacker"; system = "x86_64-linux"; hardwareModules = [ 
@@ -100,6 +101,8 @@ }; "citadel" = mkNixosConfig { + # Gaming PC (dualboot windows) + hostname = "citadel"; system = "x86_64-linux"; hardwareModules = [ @@ -112,8 +115,17 @@ }; "dns01" = mkNixosConfig { + # Rpi for DNS and misc services + hostname = "dns01"; - system = "x86_64-linux"; + system = "aarch64-linux"; + hardwareModules = [ + ./nixos/profiles/hw-rpi4.nix + inputs.nixos-hardware.nixosModules.raspberry-pi-4 + ]; + profileModules = [ + ./nixos/profiles/role-server.nix + ]; }; diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index 8b7687a..dedbcfb 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix @@ -14,6 +14,8 @@ ../common/optional/firefox.nix ]; + + config = { mySystem = { services.openssh.enable = true; diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.nix b/nixos/hosts/common/optional/cloudflare-dyndns.nix deleted file mode 100644 index f93b2ff..0000000 --- a/nixos/hosts/common/optional/cloudflare-dyndns.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config -, lib -, ... -}: { - # Current nixpkgs cf-ddns only supports using a env file for the apitoken - # but not for domains, which makes them hard to find. - # To circumvent this, I put both in the 'apiTokenFile' var - # so my secret is: - - # apiTokenFile: |- - # CLOUDFLARE_API_TOKEN=derp - # CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz - - # init secret - config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml; - - # Restart when secret changes - config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ]; - - # Cloudflare dynamic dns to keep my DNS records pointed at home - config.services.cloudflare-dyndns = { - enable = true; - ipv6 = false; - proxied = true; - apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path; - domains = [ ]; - }; -} 
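Review bot: The dns01 entry now imports `./nixos/profiles/hw-rpi4.nix` and `inputs.nixos-hardware.nixosModules.raspberry-pi-4`, but neither an `hw-rpi4.nix` file nor a `nixos-hardware` input appears in this commit's diffstat; unless both already exist in the tree, the flake will not evaluate for that host. Switching dns01 from `x86_64-linux` to `aarch64-linux` deserves a comment beside the `system` line, e.g. `# rpi4 is aarch64; needs a remote builder or emulation from x86 hosts`, since the task runner appears to invoke `nixos-rebuild` locally. The enclosing `nixosConfigurations` attrset continues outside the hunk.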
diff --git a/nixos/hosts/common/optional/monitoring.nix b/nixos/hosts/common/optional/monitoring.nix
deleted file mode 100644
index 4dd7631..0000000
--- a/nixos/hosts/common/optional/monitoring.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config
-, pkgs
-, lib
-, ...
-}: {
- services.prometheus.exporters = {
- node = {
- enable = true;
- enabledCollectors = [
- "diskstats"
- "filesystem"
- "loadavg"
- "meminfo"
- "netdev"
- "stat"
- "time"
- "uname"
- "systemd"
- ];
- };
- smartctl = {
- enable = true;
- };
- };
-
- networking.firewall.allowedTCPPorts = [
- config.services.prometheus.exporters.node.port
- config.services.prometheus.exporters.smartctl.port
- ];
-}
diff --git a/nixos/hosts/common/optional/reboot-required.nix b/nixos/hosts/common/optional/reboot-required.nix
deleted file mode 100644
index 607c86c..0000000
--- a/nixos/hosts/common/optional/reboot-required.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ config
-, pkgs
-, ...
-}: {
- systemd.timers."reboot-required-check" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- # start at boot
- OnBootSec = "0m";
- # check every hour
- OnUnitActiveSec = "1h";
- Unit = "reboot-required-check.service";
- };
- };
-
- systemd.services."reboot-required-check" = {
- script = ''
- #!/usr/bin/env bash
-
- # compare current system with booted sysetm to determine if a reboot is required
- if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
- # check if the '/var/run/reboot-required' file exists and if it does, remove it
- if [[ -f /var/run/reboot-required ]]; then
- rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
- fi
- else
- echo "reboot required"
- touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
- fi
- '';
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- };
-}
diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index 9298d3e..e7cda43 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix @@ -3,18 +3,15 @@ # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { config , lib -, pkgs +, pkgs , ... }: { imports = [ - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix ../common/optional/dnscrypt-proxy2.nix - ../common/optional/cloudflare-dyndns.nix ../common/optional/maddy.nix ]; - + mySystem.services.cfddns.enable = true; networking.hostName = "dns01"; # Define your hostname. networking.useDHCP = lib.mkDefault true; diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix index 916039f..e1f6e80 100644 --- a/nixos/modules/nixos/default.nix +++ b/nixos/modules/nixos/default.nix @@ -1,7 +1,8 @@ { imports = [ ./system - ./programs + ./programs + ./services ]; } diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml similarity index 100% rename from nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml rename to nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix new file mode 100644 index 0000000..40fe5ea --- /dev/null +++ b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix 
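Review bot: `mySystem.services.cfddns.enable = true;` does not match the option declared by the new cloudflare-dyndns module, which is `mySystem.services.cfDdns.enable` (capital D); NixOS rejects assignments to undeclared options, so dns01 fails to evaluate and the dynamic-DNS service is never enabled. Change the line to `mySystem.services.cfDdns.enable = true;`. The monitoring and reboot-required imports are dropped here while the matching `promMonitoring`/`rebootRequiredCheck` switches live in role-server.nix, which dns01 only receives through the flake change in this same commit — a one-line comment pointing at that role would make the dependency visible from the host file. The `, pkgs` line differs only in trailing whitespace.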
@@ -0,0 +1,39 @@
+{ lib
+, config
+, ...
+}:
+
+with lib;
+let
+ cfg = config.mySystem.services.cfDdns;
+in
+{
+ options.mySystem.services.cfDdns.enable = mkEnableOption "Cloudflare ddns";
+
+ config = mkIf cfg.enable {
+ # Current nixpkgs cf-ddns only supports using a env file for the apitoken
+ # but not for domains, which makes them hard to find.
+ # To circumvent this, I put both in the 'apiTokenFile' var
+ # so my secret is:
+
+ # apiTokenFile: |-
+ # CLOUDFLARE_API_TOKEN=derp
+ # CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
+
+ # TODO add notifications on IP change
+ # init secret
+ config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
+
+ # Restart when secret changes
+ config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
+
+ # Cloudflare dynamic dns to keep my DNS records pointed at home
+ config.services.cloudflare-dyndns = {
+ enable = true;
+ ipv6 = false;
+ proxied = true;
+ apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
+ domains = [ ];
+ };
+ };
+}
diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix
new file mode 100644
index 0000000..f9ea679
--- /dev/null
+++ b/nixos/modules/nixos/services/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./monitoring.nix
+ ./reboot-required-check.nix
+ ./cloudflare-dyndns
+ ];
+}
diff --git a/nixos/modules/nixos/services/monitoring.nix b/nixos/modules/nixos/services/monitoring.nix
new file mode 100644
index 0000000..df2086b
--- /dev/null
+++ b/nixos/modules/nixos/services/monitoring.nix
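Review bot: Inside `config = mkIf cfg.enable { … }` the three definitions keep the `config.` prefix they had in the old standalone file (`config.sops.secrets…`, `config.services.cloudflare-dyndns`), which here defines a nested `config.config.*` path the module system does not know; drop the prefix so they read `sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;` and `services.cloudflare-dyndns = { … };`. The two `sops.secrets` lines for the same key could be one attrset holding `sopsFile` and `restartUnits` together. The comment block explaining the env-file trick is good; it would be clearer if it also said that `domains = [ ];` is intentionally empty because the list comes from `CLOUDFLARE_DOMAINS` in that file.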
@@ -0,0 +1,46 @@
+{ lib
+, config
+, self
+, ...
+}:
+with lib;
+let
+ cfg = config.mySystem.services.promMonitoring;
+in
+{
+ options.mySystem.services.promMonitoring.enable = mkEnableOption "Prometheus Monitoring";
+
+ config = mkIf cfg.enable {
+
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [
+ "diskstats"
+ "filesystem"
+ "loadavg"
+ "meminfo"
+ "netdev"
+ "stat"
+ "time"
+ "uname"
+ "systemd"
+ ];
+ };
+ smartctl = {
+ enable = true;
+ };
+
+
+ };
+
+ # ensure ports are open
+ networking.firewall.allowedTCPPorts = mkIf cfg.enable [
+ config.services.prometheus.exporters.node.port
+ config.services.prometheus.exporters.smartctl.port
+ ];
+
+ };
+
+
+}
diff --git a/nixos/modules/nixos/services/reboot-required-check.nix b/nixos/modules/nixos/services/reboot-required-check.nix
new file mode 100644
index 0000000..7ceacfe
--- /dev/null
+++ b/nixos/modules/nixos/services/reboot-required-check.nix
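Review bot: `networking.firewall.allowedTCPPorts = mkIf cfg.enable [ … ]` sits inside a block that is already wrapped in `mkIf cfg.enable`, so the inner `mkIf` is redundant and should be dropped. More importantly, opening the node and smartctl exporter ports in the host firewall exposes host metrics to anything that can reach the machine; on a server role it is preferable to limit this to the scraping network via `networking.firewall.interfaces.<name>.allowedTCPPorts` or to set each exporter's `listenAddress` to the management address, and the `# ensure ports are open` comment should say which network is expected to reach them. `self` is taken as a module argument but never used.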
@@ -0,0 +1,54 @@
+{ lib
+, config
+, self
+, ...
+}:
+with lib;
+let
+ cfg = config.mySystem.services.rebootRequiredCheck;
+in
+{
+ options.mySystem.services.rebootRequiredCheck.enable = mkEnableOption "Reboot required check";
+
+ config = mkIf cfg.enable {
+
+ # Enable timer
+ systemd.timers."reboot-required-check" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ # start at boot
+ OnBootSec = "0m";
+ # check every hour
+ OnUnitActiveSec = "1h";
+ Unit = "reboot-required-check.service";
+ };
+ };
+
+ # Below script will check if initrd, kernel, kernel-modules that were booted match the current system
+ # i.e. if a nixos-rebuild switch has upgraded anything
+ systemd.services."reboot-required-check" = {
+ script = ''
+ #!/usr/bin/env bash
+
+ # compare current system with booted sysetm to determine if a reboot is required
+ if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
+ # check if the '/var/run/reboot-required' file exists and if it does, remove it
+ if [[ -f /var/run/reboot-required ]]; then
+ rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
+ fi
+ else
+ echo "reboot required"
+ touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+
+
+ };
+
+
+}
diff --git a/nixos/modules/nixos/template.nix b/nixos/modules/nixos/template.nix
new file mode 100644
index 0000000..d901e8a
--- /dev/null
+++ b/nixos/modules/nixos/template.nix
@@ -0,0 +1,20 @@
+{ lib
+, config
+, ...
+}:
+
+with lib;
+let
+ cfg = config.mySystem.xx.yy;
+in
+{
+ options.mySystem.xx.yy.enable = mkEnableOption "";
+
+ config = mkIf cfg.enable {
+
+ # CONFIG HERE
+
+ };
+
+
+}
diff --git a/nixos/profiles/role-server.nix b/nixos/profiles/role-server.nix
new file mode 100644
index 0000000..22d6361
--- /dev/null
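Review bot: The `#!/usr/bin/env bash` line inside `script = ''…''` has no effect, since NixOS emits its own interpreter line for unit scripts; it can go, together with `User = "root";`, which is already systemd's default. If the generated wrapper runs with `set -e`, as NixOS unit scripts normally do, the `|| { echo …; exit 1; }` fallbacks only add a message before a failure that would occur anyway — fine, but worth a word in the comment above them. The module-level comment above `systemd.services` explains the check well; `sysetm` in the in-script comment is a typo, and `self` is an unused module argument here as in monitoring.nix.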
+++ b/nixos/profiles/role-server.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, imports, boot, ... }:
+# Role for headless servers
+# covers raspi's, sbc, NUC etc, anything
+# that is headless and minimal for running services
+
+with lib;
+{
+ config = {
+
+ # Enable monitoring for remote scraiping
+ mySystem.services.promMonitoring.enable = true;
+ mySystem.services.rebootRequiredCheck.enable = true;
+
+ nix.settings = {
+ # TODO factor out into mySystem
+ # Avoid disk full issues
+ max-free = lib.mkDefault (1000 * 1000 * 1000);
+ min-free = lib.mkDefault (128 * 1000 * 1000);
+ };
+ };
+
+
+
+}
From b44499c92e15d7c7e558b65b2844656afe92a6bf Mon Sep 17 00:00:00 2001
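Review bot: `{ config, lib, pkgs, imports, boot, ... }:` asks the module system for `imports` and `boot` as function arguments; these are not module arguments, and without defaults every host that includes this role fails with a missing-argument error at evaluation. The header should be `{ config, lib, pkgs, ... }:` (and `pkgs` is unused as well). With `with lib;` in scope the `lib.mkDefault` prefixes are redundant, and `scraiping` in the comment is a typo.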
From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Tue, 26 Mar 2024 21:11:56 +1100 Subject: [PATCH 21/28] fix: finish hax? --- .taskfiles/nix/Taskfile.yaml | 5 +- dns01.qcow2 | Bin 0 -> 1441792 bytes nixos/hosts/citadel/default.nix | 8 - nixos/hosts/common/optional/chrony.nix | 11 -- .../hosts/common/optional/dnscrypt-proxy2.nix | 41 ----- .../optional/editors/vscode/default.nix | 139 -------------- .../optional/editors/vscode/extensions.nix | 174 ------------------ nixos/hosts/common/optional/firefox.nix | 9 - nixos/hosts/common/optional/gnome.nix | 68 ------- nixos/hosts/common/optional/maddy.nix | 22 --- nixos/hosts/dns01/default.nix | 11 +- nixos/hosts/rickenbacker/default.nix | 10 +- nixos/modules/nixos/browser/default.nix | 5 + nixos/modules/nixos/browser/firefox.nix | 22 +++ nixos/modules/nixos/de/default.nix | 6 + nixos/modules/nixos/de/gnome.nix | 81 ++++++++ nixos/modules/nixos/default.nix | 3 + nixos/modules/nixos/editor/default.nix | 6 + nixos/modules/nixos/editor/vscodium.nix | 154 ++++++++++++++++ .../services/cloudflare-dyndns/default.nix | 6 +- nixos/modules/nixos/services/default.nix | 2 + .../services/dnscrypt-proxy2/default.nix | 48 +++++ .../dnscrypt-proxy2.sops.yaml | 0 .../modules/nixos/services/maddy/default.nix | 30 +++ .../nixos/services/maddy}/maddy.conf | 0 .../nixos/services/maddy}/maddy.sops.yaml | 0 nixos/profiles/role-worstation.nix | 12 +- 27 files changed, 381 insertions(+), 492 deletions(-) create mode 100644 dns01.qcow2 delete mode 100644 nixos/hosts/common/optional/chrony.nix delete mode 100644 nixos/hosts/common/optional/dnscrypt-proxy2.nix delete mode 100644 nixos/hosts/common/optional/editors/vscode/default.nix delete mode 100644 nixos/hosts/common/optional/editors/vscode/extensions.nix delete mode 100644 nixos/hosts/common/optional/firefox.nix delete mode 100644 nixos/hosts/common/optional/gnome.nix delete mode 100644 nixos/hosts/common/optional/maddy.nix create mode 100644 
nixos/modules/nixos/browser/default.nix create mode 100644 nixos/modules/nixos/browser/firefox.nix create mode 100644 nixos/modules/nixos/de/default.nix create mode 100644 nixos/modules/nixos/de/gnome.nix create mode 100644 nixos/modules/nixos/editor/default.nix create mode 100644 nixos/modules/nixos/editor/vscodium.nix create mode 100644 nixos/modules/nixos/services/dnscrypt-proxy2/default.nix rename nixos/{hosts/common/optional => modules/nixos/services/dnscrypt-proxy2}/dnscrypt-proxy2.sops.yaml (100%) create mode 100644 nixos/modules/nixos/services/maddy/default.nix rename nixos/{hosts/common/optional => modules/nixos/services/maddy}/maddy.conf (100%) rename nixos/{hosts/common/optional => modules/nixos/services/maddy}/maddy.sops.yaml (100%) diff --git a/.taskfiles/nix/Taskfile.yaml b/.taskfiles/nix/Taskfile.yaml index 5ab4a44..c3f637c 100644 --- a/.taskfiles/nix/Taskfile.yaml +++ b/.taskfiles/nix/Taskfile.yaml @@ -45,7 +45,8 @@ tasks: vars: - host cmds: - - echo "This will dry-run your config." + - echo "This will dry-run your config and add your untracked git files." + - git add . - nixos-rebuild dry-run --flake "{{.ROOT_DIR}}/#{{.host}}" --impure preconditions: - sh: which nix @@ -61,7 +62,9 @@ tasks: vars: - host cmds: + - git add . - nixos-rebuild build --flake "{{.ROOT_DIR}}/#{{.host}}" --impure + - nvd diff /run/current-system result preconditions: - sh: which nix msg: "nix not found" 
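Review bot: `git add .` in the dry-run and build tasks stages every untracked file in the working tree, which is how the 1.4 MB `dns01.qcow2` disk image listed in this commit's diffstat ended up in the repository; a VM image is a build artefact that can embed host keys or other secrets and belongs in .gitignore, not in history. `git add --intent-to-add .` makes new files visible to flake evaluation without staging their content, so use that instead. The new `nvd diff /run/current-system result` line also introduces a dependency on `nvd`, while `preconditions` only checks `which nix`; a matching `- sh: which nvd` precondition keeps the failure mode obvious.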
diff --git a/dns01.qcow2 b/dns01.qcow2 new file mode 100644 index 0000000000000000000000000000000000000000..22c5606b60318796d5f90e530c471a98dc261d6f GIT binary patch literal 1441792 zcmeI)U65C0ekbtXIdlsGzKt-B62sq!A;d677~>c2+9GQA=J`Rbf&w!OA@@$Mz_wr|}y{Lske=DKfm89nUNX7n8S zXlUiGohxtLwQX?On{QmdXSk}C$LxvoO*>|OR;5JG(rLEG6nYLGar2;yJJIQT_dwdr zJ?P3Ke&%s;^5rGR#cO)W9)ZUPh6a0fZ4w|rfB*pkCy2mf+0JJ&-OTXF{`vL9PrzS( zx^L(H`HNOf#jtzV^gYeF$1~4ny7}|$=xF}H8`E=dV(HwwaB_31^%HqwN2c5S;9U;A zf6o_F-8Xss$=rA@(>7F|I{PFjn)yQ{V z-PiY~Joxd4Q=M^~009C72oNAZfB*pk1llN2mz?1$Ri@5NYhx3&i2wlt1PBlyK!5-N z0t5)0@B-6H#I&scr)B*=P5pnuj|Tt*2oNAZfB*pk1PBly&`yDYl7Ic1_5VQD{{!m( zun-_XfB*pk1PBlyK!5;&HVO=u{EPRj{|B@FA5{Ohv5U2d009C72oNAZfB*pk1PH`Q zB{Ef}&iMO(LxKPS0t5&UAV7cs0RjXFv{7Js$$zmw>;LIl|4&!{x3P=0i2wlt1PBly zK!5-N0t5)ej1rkDQ)kTo8xjNv5FkK+009C72oNAZpp612mxzth6Diu1PBlyK!5-N0t5&UXrsWa5-}_5|5;i8 z&r<)lv5U2d009C72oNAZfB*pk1PH|J5}7JfXUzW_5(EekAV7cs0RjXF5FkLHjRL2X zh*PruKPBt`Q`G-$>|$*qK!5-N0t5&UAV7cs0RnMqiA!1OWmB z2oNAZfB*pk1PBmlqre#@;*6~S&&c}!4E28-yI7kD5FkK+009C72oNAZfIxh!M5fBr z8T0>!1OWmB2oNAZfB*pk1PBmlqrjOZ;>@i7&&>M&O!a>oyI7kD5FkK+009C72oNAZ zfI!SCk*P9u#{9n_L4W`O0t5&UAV7cs0RjZtC@{A~%+30LZr1;E)&FhmVr?QofB*pk z1PBlyK!5-N0`ctNq_1PBlyK!5-N0t5&UAV8pv0%w(ov$Fm_E9?KW)cNq_1PBlyK!5-N0t5&UAV8pv0%wOqHoK=Kl=|0t5&UAV7cs0RjXF5FpS- zfq5ljUe^Efvi_f^{%>O!YZCzi1PBlyK!5-N0t5&Uh~FxasWNrO{J$YVfB*pk1PBly zK!5-N0tDJ9aBhh>H|zg%v;IF<{olqe)+Pc32oNAZfB*pk1PBly5Wig_Q)TLm`F}%# z009C72oNAZfB*pk1PHWIV19|1pY{LztpDe$|J&Hb+C+c=0RjXF5FkK+009C7qEjMM zW$KLie?x)*0RjXF5FkK+009C72((e)yb^I<*8k^a{ePbNzl~k2O#}!KAV7cs0RjXF z5FkJxey2pH%G4S2|Aqts0t5&UAV7cs0RjXF5NM;o`6c4~tpCr?`u}|Oe;d14n+Omf zK!5-N0t5&UAV7dXEGUtwGIhrMzac?@009C72oNAZfB*pk1llNYL5a8^>;DU~{=Y!| z-^MQ1CISQq5FkK+009C72oN9;zgr?xW$KLie?x)*0RjXF5FkK+009C72((dPVTo9n z_5Z@G{}-zN+t|h0M1TMR0t5&UAV7cs0RjZ#_ex}{Or0_RZ%7azK!5-N0t5&UAV7cs zfi?;(DiMpa{$G^!|04B&8@pJW2oNAZfB*pk1PBlyK!8B}eu+$#sWayP4G97S2oNAZ zfB*pk1PBly&_;m^OT>j)|6iE(|Ap%RHg>T#5g#xB+-0t5&UAV7cs0RjXF5FilW 
zEs?1*b;kU^Awhru0RjXF5FkK+009C7+9+^QiMS~1|BJHzzexSx#xB+-0t5&UAV7cs z0RjXF5FikLSRzwp>Wuk+LxKPS0t5&UAV7cs0RjXFv{B&V5^-_X{}*Tdf3f<%ja{rw z1PBlyK!5-N0t5&UAV46Nl*m+>I%EFdkRU*S009C72oNAZfB*pkZ4_8qB9>|$*qK!5-N0t5&UAV7cs0Rr*;5}7JfXUzW_5(Eek zAV7cs0RjXF5FkLHjRKdIh|9A6zbxzj%hdmE>|$*qK!5-N0t5&UAV7cs0Rr*IB{Ef} z&Y1r|$*qK!5-N z0t5&UAV7cs0Rr(SB{Ef}&Y1rWv$W)m+WB%WeAV7cs0RjXF5FkK+009DR6u7EHT$T0z zRayUErT%YY7i$v%0t5&UAV7cs0RjXF5Qsl5k*P9u#{9n_L4W`O0t5&UAV7cs0RjZt zC~$R&xH{|qtF!*UTK(U~F4iUj1PBlyK!5-N0t5&UAQ0D-$W)m+WB%WeAV7cs0RjXF z5FkK+009DR6u7oTT$}a(wORjPtNw3e7i$v%0t5&UAV7cs0RjXF5Qra?$W)m+WB%We zAV7cs0RjXF5FkK+009DR6u7QLT$lC#by@#kr~Yqa7i$v%0t5&UAV7cs0RjXF5Qytb zWU5S^G5>E!5FkK+009C72oNAZfB=Cu3fxd4ZpixohOGZ@Q2)2Fi?xXW0RjXF5FkK+ z009C72*iygGF7I|nEy8<2oNAZfB*pk1PBlyK!89S1#T)4H)Z{QQ`Y}CssG#9#o9!G z009C72oNAZfB*pk1mcG!GF7I|nEy8<2oNAZfB*pk1PBlyK!89S1#T`8H)s8SbJqVi ztN+{B#o9!G009C72oNAZfB*pk1me$1WU5S^G5>E!5FkK+009C72oNAZfB=Cu3fxj6 zZpr%pmaPA8QUABGi?xXW0RjXF5FkK+009C72*jV4$W)m+WB%WeAV7cs0RjXF5FkK+ z009DR6u7lS+?w_Oty%xys{U_d7i$v%0t5&UAV7cs0RjXF5Qx7hk*P9u#{9n_L4W`O z0t5&UAV7cs0RjZtD6pbLtjPL*Mb`f-)ci;%&u{IGPK!5-N z0t5&UAV7csf%vNunJQCf%>Nq_1PBlyK!5-N0t5&UAV8pv0(X>%JF@=2BkTV=)cO!YZCzi1PBlyK!5-N0t5&Uh`UN;s!W|R|8GbT zAV7cs0RjXF5FkK+0D(3NtSJ#|vi@I__5T|6e;d14n+OmfK!5-N0t5&UAV7dX{HR2x z%G4S2|Aqts0t5&UAV7cs0RjXF5NM;o+7hug>;JV`|F2d5x3P=0i2wlt1PBlyK!5-N z0t5)e-6b+rrp`i;%&u{IGPK!5-N0t5&UAV7csf%r*@OqHoK=Kl=|0t5&UAV7cs z0RjXF5FpS-fk#TjBU%4HlJ);1>i;%&u{IGPK!5-N0t5&UAV7csf%y9pnJQCf%>Nq_ z1PBlyK!5-N0t5&UAV8pv0*{u6N3;HaH0%FI)&FhmVr?QofB*pk1PBlyK!5-N0`U(e zGF7I|nEy8<2oNAZfB*pk1PBlyK!89S1x8E6Xx9IuS^tl!|J&Hb+C+c=0RjXF5FkK+ z009C7qLj!~nL1Y5FkK+009C72oPwmz%N@bxSjw30t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFoX7$@ zUa!|p=4d(m`}IfbNmD=Pe_oa6PLG&ud$S(DdRojF+Zg{k^Rp@jdOoJg?QY)pt1N>X zB0BMd!QRjK#q)cQwsZS`f3KbG`ns(;_dk5yE8BV9inrR?uCLpw$Nt;bz4F(0U3n}& 
z`)AAheE+NB-_HEip8Lun-yfUrnY~N>S@Zqx+szyNd^y_R|Hj%MQ6K*Ozj@mx{lEX` zi|0}|U;e+B7r)=Mf9N~CA8@qW-}~&Ny*=-zNBfD#*7N@PUw`xO^Ruh+9hUd|`KKNq z;!}+O=4YXw9`gV1U$!;>bW$_^KRaj?oJiyUm-TWz0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB=D`El}qJXGc|k zH`n9ab^YDknU(whdfLo-!^q|>7p@z5aO2%a`^`L$009C72oNAZfB*pk1PBoLRRv~8 ze6r}u6;CyFesBH%-%lH_|9{obcRv9F1PBlyK!5-N0t5&UAn=wjF+yvhGM z?Kl5E-hcoB0t5&UAV7cs0RjXF5cuW=n)-k3f`3`se6srgoA>pJ1PBlyK!5-N0t5&U zAVA<)5K#Xg3%%eS2oNAZfB*pk1PBlyK!CunSD?54Z~ooCX_ZXJ^jI%**^%=G@G0XXa-*ne#Hg zlQ}=LAag%H)6CVGYckhnevr8?bA9H9%#E3wGC$1RocXiNEtx;h z+?x4|%!~))@AO= z{5Uh5xi_;uvmtX|W@Ba~bART6%%;rd%$Cf9nZL_y%{-KOIP;UtBbmR?Jev83%xI=$ zECdJ;AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBmlk3f}88HlAzBZl6e7W)s3x2(=plPDAEd$aH7+d;Wsm{qF5Owk>yFZ0>J<5ph`iKi|-M zZNKg9dGMu7_teSfkH7z{M!xgvzJB*K$3FgWsxyugAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkKcDuF6b48+o<5kv1!i~R@2 zud8#_B+5iOxz1(B>-D;b0|!>@jcD#1-yb_Qw%=^cYQ9v{;)-0on;)`%AY%0=TjqRq z&NbU!+q-!8l6l*=ZXAASWOH-fH@b`-_GvSEj(jw2=XnCiaC<4@+sbD8c*{ht5U z^2zI_T0fO1p3iifUliQcJby4ZBHk|frSsk^&33=#oe##3KAo!$)s&o}g5+i!b&9(*a&J$3T=Wt$A2oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBo5 zFHoApXZAnmC;L}F5bOl-uA5l|{#|aQ1K!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UATX6cl_v&b>C%Xy_ov1F1LN1# zxoQ$+BAs04vg7r7UBrO{EA~b-caHCmof_M3wq`Y7s_Ah>uHMZLSw9f5`jahlzB=cc zZLjTJynD&K?OQhvKQywrx$YZXMi2Y689hfn8d|w)=gJ#*Z5v$n<{Q`V8Lq13F?-^C z(~g;+RVmT4beiokg`R^)+&t*wPIUU-J&7LZ@`EM Date: Tue, 26 Mar 2024 21:11:59 +1100 Subject: [PATCH 22/28] hax --- flake.nix | 1 - lib/default.nix | 24 ------- nixos/hosts/dns01/default.nix | 8 +-- nixos/hosts/rickenbacker/default.nix | 24 ++++--- .../services/dnscrypt-proxy2/default.nix | 12 ++-- nixos/modules/nixos/system/nix.nix | 2 +- nixos/modules/nixos/system/security.nix | 62 +++++++++-------- nixos/profiles/global/nix.nix | 69 ++++++++++--------- nixos/profiles/role-worstation.nix | 8 ++- 9 files changed, 99 insertions(+), 111 deletions(-) delete mode 100644 lib/default.nix diff --git a/flake.nix b/flake.nix index 2c0e3e2..275e3ac 100644 --- a/flake.nix +++ b/flake.nix @@ -49,7 +49,6 @@ formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); nixosModules = import ./nixos/modules/nixos; - lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib; nixosConfigurations = with self.lib; diff --git a/lib/default.nix b/lib/default.nix deleted file mode 100644 index d43a07e..0000000 --- a/lib/default.nix +++ /dev/null 
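Review bot: The `lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;` output is removed, but the context line that follows still reads `nixosConfigurations = with self.lib;`, so unless `lib` is defined elsewhere in flake.nix this now fails with a missing attribute on `self`. Either keep a `lib = inputs.nixpkgs.lib;` output or change that line to `with inputs.nixpkgs.lib;`. The deleted lib/default.nix also held `mkIfElse`, `firstOrDefault` and `existsOrDefault`; any module still calling them breaks in the same way.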
@@ -1,24 +0,0 @@ -{ inputs, ... }: - -with inputs.nixpkgs.lib; -let - strToPath = x: path: - if builtins.typeOf x == "string" - then builtins.toPath ("${toString path}/${x}") - else x; - strToFile = x: path: - if builtins.typeOf x == "string" - then builtins.toPath ("${toString path}/${x}.nix") - else x; -in -rec { - - firstOrDefault = first: default: if !isNull first then first else default; - - existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default; - - mkIfElse = p: yes: no: mkMerge [ - (mkIf p yes) - (mkIf (!p) no) - ]; -} diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index dc87959..ddb6605 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix @@ -11,10 +11,10 @@ ]; - mySystem = { - services.maddy.enable = true; - services.dnscrypt-proxy.enable = true; - services.cfDdns.enable = true; + mySystem.services = { + maddy.enable = true; + dnscrypt-proxy.enable = true; + cfDdns.enable = true; }; networking.hostName = "dns01"; # Define your hostname. diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index bafde50..96771a6 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix @@ -3,19 +3,20 @@ , pkgs , ... }: { - - # hardware-configuration.nix is missing as I've abstracted out the parts - - config.mySystem = { - services.openssh.enable = true; - security.wheelNeedsSudoPassword = false; - }; - - # TODO build this in from flake host names - config.networking.hostName = "rickenbacker"; - config = { + # hardware-configuration.nix is missing as I've abstracted out the parts + + mySystem = { + services.openssh.enable = true; + security.wheelNeedsSudoPassword = false; + }; + + # TODO build this in from flake host names + networking.hostName = "rickenbacker"; + + + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; @@ -29,5 +30,6 @@ }; swapDevices = [ ]; + }; } 
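Review bot: `security.wheelNeedsSudoPassword = false;` is carried into the new `config = { … }` wrapper in rickenbacker/default.nix without a comment saying why this host drops the sudo password; since the same patch's security.nix forwards `mySystem.security.sshAgentAuth` to `security.pam.enableSSHAgentAuth`, a wheel user's forwarded SSH key would be the only thing between a login and root if that option is also switched on for this host, which is not visible here. A one-line why-comment beside it, e.g. `# TODO(review): record why wheel users need no sudo password on this host`, keeps the choice auditable. The wrapper is opened in the first hunk and closed by the `+ };` in the second, so the two hunks only make sense read together, and the three blank lines added before `fileSystems."/"` are a leftover of that move worth collapsing to one.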
diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix index de96e6c..99431f9 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix @@ -21,13 +21,15 @@ in dhcpcd.extraConfig = "nohook resolv.conf"; }; + sops.secrets = { - # configure secret for forwarding rules - sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; - sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file + # configure secret for forwarding rules + "system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; + "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file - # Restart dnscrypt when secret changes - sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; + # Restart dnscrypt when secret changes + "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; + }; services.dnscrypt-proxy2 = { enable = true; diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix index 0604425..d13b293 100644 --- a/nixos/modules/nixos/system/nix.nix +++ b/nixos/modules/nixos/system/nix.nix @@ -39,7 +39,7 @@ in # garbage collection automatic = cfg.gc.enable; options = "--delete-older-than 30d"; - persistent = cfg.gc.persistent; + inherit (cfg.gc) persistent; }; }; diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix index 69bb1a2..5730385 100644 --- a/nixos/modules/nixos/system/security.nix +++ b/nixos/modules/nixos/system/security.nix 
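Review bot: The comment `# This is world-readable but theres nothing security related in the file` on the `mode = "0444"` line now sits inside the new `sops.secrets` set right next to `sopsFile = ./dnscrypt-proxy2.sops.yaml;`, and the two contradict each other: the forwarding rules are kept encrypted in the repo, presumably because they map internal names to resolver addresses, yet are then published on-host to every local user. Either narrow the mode to what the dnscrypt-proxy2 service user needs, or reword the comment to state the real trade-off, e.g. `# 0444 so the unprivileged dnscrypt-proxy2 service can read it; contents are internal DNS topology, encrypted at rest in git only`. The `services.dnscrypt-proxy2 = {` block at the end of the hunk continues outside it.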
@@ -7,41 +7,45 @@ let cfg = config.mySystem.security; in { - options.mySystem.security.sshAgentAuth = { - enable = lib.mkEnableOption "openssh"; - }; - options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption { - type = lib.types.bool; - description = "If wheel group users need password for sudo"; - default = true; - }; - options.mySystem.security.increaseWheelLoginLimits = lib.mkOption { - type = lib.types.bool; - description = "If wheel group users receive increased login limits"; - default = true; + options.mySystem.security = { + + sshAgentAuth.enable = lib.mkEnableOption "openssh"; + + wheelNeedsSudoPassword = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users need password for sudo"; + default = true; + }; + increaseWheelLoginLimits = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users receive increased login limits"; + default = true; + }; }; config = { - security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; + security = { + sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; - security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; + pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; - # Increase open file limit for sudoers - security.pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ - { - domain = "@wheel"; - item = "nofile"; - type = "soft"; - value = "524288"; - } - { - domain = "@wheel"; - item = "nofile"; - type = "hard"; - value = "1048576"; - } - ]; + # Increase open file limit for sudoers + pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ + { + domain = "@wheel"; + item = "nofile"; + type = "soft"; + value = "524288"; + } + { + domain = "@wheel"; + item = "nofile"; + type = "hard"; + value = "1048576"; + } + ]; + }; }; } diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix index f6b767b..15095c6 100644 --- a/nixos/profiles/global/nix.nix +++ b/nixos/profiles/global/nix.nix 
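Review bot: `sshAgentAuth.enable = lib.mkEnableOption "openssh";` generates the description "Whether to enable openssh." for an option that actually toggles `security.pam.enableSSHAgentAuth`, which misleads next to the two sibling options that describe themselves accurately; change it to `sshAgentAuth.enable = lib.mkEnableOption "PAM SSH agent authentication (security.pam.enableSSHAgentAuth)";`. On the `pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [` line `mkIf` is used unqualified while everything else in the block writes `lib.mkOption`/`lib.mkEnableOption`; unless lines 1–6 carry a `with lib;` this fails to evaluate, and even if they do, `lib.mkIf` would match the rest of the file. Upstream NixOS has since renamed `security.pam.enableSSHAgentAuth` to `security.pam.sshAgentAuth.enable` (the first patch in this series already references it in a TODO), so the wrapper option name chosen here lines up with that path and a later migration should be a one-line change on the `pam.enableSSHAgentAuth` assignment.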
@@ -4,52 +4,55 @@ ## Below is to align shell/system to flake's nixpkgs ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry - # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. - nix.registry.nixpkgs.flake = nixpkgs; - nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. - - # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake. # Make `nix repl ''` use the same nixpkgs as the one used by this flake. environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; - # https://github.com/NixOS/nix/issues/9574 - nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; + nix = { - ### + # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. + registry.nixpkgs.flake = nixpkgs; + channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. - nix.settings = { + # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake. + # https://github.com/NixOS/nix/issues/9574 + settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; - # Enable flakes - experimental-features = [ - "nix-command" - "flakes" - ]; + ### - # Substitutions - trusted-substituters = [ - "https://cache.garnix.io" - "https://nix-community.cachix.org" - "https://numtide.cachix.org" - ]; + settings = { - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - ]; + # Enable flakes + experimental-features = [ + "nix-command" + "flakes" + ]; - # Fallback quickly if substituters are not available. 
- connect-timeout = 5; - # Avoid copying unnecessary stuff over SSH - builders-use-substitutes = true; + # Substitutions + trusted-substituters = [ + "https://cache.garnix.io" + "https://nix-community.cachix.org" + "https://numtide.cachix.org" + ]; + + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + ]; + + # Fallback quickly if substituters are not available. + connect-timeout = 5; + # Avoid copying unnecessary stuff over SSH + builders-use-substitutes = true; - trusted-users = [ "root" "@wheel" ]; + trusted-users = [ "root" "@wheel" ]; - warn-dirty = false; + warn-dirty = false; - # The default at 10 is rarely enough. - log-lines = lib.mkDefault 25; + # The default at 10 is rarely enough. + log-lines = lib.mkDefault 25; + }; }; } diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index 909d6f2..efe68fb 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -5,10 +5,12 @@ with config; { + mySystem = { - mySystem.de.gnome.enable = true; - mySystem.editor.vscodium.enable = true; - mySystem.browser.firefox.enable = true; + de.gnome.enable = true; + editor.vscodium.enable = true; + browser.firefox.enable = true; + }; boot = { From 5c1c348d75beb2fae3580b4c732c6227b70e67d3 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Tue, 26 Mar 2024 22:00:33 +1100 Subject: [PATCH 23/28] lolnothx --- dns01.qcow2 | Bin 1441792 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 dns01.qcow2 
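Review bot: `trusted-users = [ "root" "@wheel" ];` moves into the nested `settings` set without a comment, although it is the most consequential line in the block: a trusted user may hand the daemon unsigned store paths and arbitrary substituters, which is root-equivalent on the machine, so `@wheel` here should be a deliberate choice recorded in place, e.g. `# @wheel is root-equivalent to the nix daemon (unsigned paths, arbitrary substituters); acceptable only because wheel already has sudo`. Separately, the `# Substitutions` comment sits over `trusted-substituters`, which only whitelists caches that unprivileged users may request; it does not make the daemon use them, so if garnix/cachix are meant to serve ordinary builds the list belongs under `substituters` as well — since this hunk only re-nests existing lines I raise it as a question rather than a defect. The hunk starts at line 4 of the file, so the enclosing function header and any `with lib;` are outside it.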
diff --git a/dns01.qcow2 b/dns01.qcow2 deleted file mode 100644 index 22c5606b60318796d5f90e530c471a98dc261d6f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1441792 zcmeI)U65C0ekbtXIdlsGzKt-B62sq!A;d677~>c2+9GQA=J`Rbf&w!OA@@$Mz_wr|}y{Lske=DKfm89nUNX7n8S zXlUiGohxtLwQX?On{QmdXSk}C$LxvoO*>|OR;5JG(rLEG6nYLGar2;yJJIQT_dwdr zJ?P3Ke&%s;^5rGR#cO)W9)ZUPh6a0fZ4w|rfB*pkCy2mf+0JJ&-OTXF{`vL9PrzS( zx^L(H`HNOf#jtzV^gYeF$1~4ny7}|$=xF}H8`E=dV(HwwaB_31^%HqwN2c5S;9U;A zf6o_F-8Xss$=rA@(>7F|I{PFjn)yQ{V z-PiY~Joxd4Q=M^~009C72oNAZfB*pk1llN2mz?1$Ri@5NYhx3&i2wlt1PBlyK!5-N z0t5)0@B-6H#I&scr)B*=P5pnuj|Tt*2oNAZfB*pk1PBly&`yDYl7Ic1_5VQD{{!m( zun-_XfB*pk1PBlyK!5;&HVO=u{EPRj{|B@FA5{Ohv5U2d009C72oNAZfB*pk1PH`Q zB{Ef}&iMO(LxKPS0t5&UAV7cs0RjXFv{7Js$$zmw>;LIl|4&!{x3P=0i2wlt1PBly zK!5-N0t5)ej1rkDQ)kTo8xjNv5FkK+009C72oNAZpp612mxzth6Diu1PBlyK!5-N0t5&UXrsWa5-}_5|5;i8 z&r<)lv5U2d009C72oNAZfB*pk1PH|J5}7JfXUzW_5(EekAV7cs0RjXF5FkLHjRL2X zh*PruKPBt`Q`G-$>|$*qK!5-N0t5&UAV7cs0RnMqiA!1OWmB z2oNAZfB*pk1PBmlqre#@;*6~S&&c}!4E28-yI7kD5FkK+009C72oNAZfIxh!M5fBr z8T0>!1OWmB2oNAZfB*pk1PBmlqrjOZ;>@i7&&>M&O!a>oyI7kD5FkK+009C72oNAZ zfI!SCk*P9u#{9n_L4W`O0t5&UAV7cs0RjZtC@{A~%+30LZr1;E)&FhmVr?QofB*pk z1PBlyK!5-N0`ctNq_1PBlyK!5-N0t5&UAV8pv0%w(ov$Fm_E9?KW)cNq_1PBlyK!5-N0t5&UAV8pv0%wOqHoK=Kl=|0t5&UAV7cs0RjXF5FpS- zfq5ljUe^Efvi_f^{%>O!YZCzi1PBlyK!5-N0t5&Uh~FxasWNrO{J$YVfB*pk1PBly zK!5-N0tDJ9aBhh>H|zg%v;IF<{olqe)+Pc32oNAZfB*pk1PBly5Wig_Q)TLm`F}%# z009C72oNAZfB*pk1PHWIV19|1pY{LztpDe$|J&Hb+C+c=0RjXF5FkK+009C7qEjMM zW$KLie?x)*0RjXF5FkK+009C72((e)yb^I<*8k^a{ePbNzl~k2O#}!KAV7cs0RjXF z5FkJxey2pH%G4S2|Aqts0t5&UAV7cs0RjXF5NM;o`6c4~tpCr?`u}|Oe;d14n+Omf zK!5-N0t5&UAV7dXEGUtwGIhrMzac?@009C72oNAZfB*pk1llNYL5a8^>;DU~{=Y!| z-^MQ1CISQq5FkK+009C72oN9;zgr?xW$KLie?x)*0RjXF5FkK+009C72((dPVTo9n z_5Z@G{}-zN+t|h0M1TMR0t5&UAV7cs0RjZ#_ex}{Or0_RZ%7azK!5-N0t5&UAV7cs zfi?;(DiMpa{$G^!|04B&8@pJW2oNAZfB*pk1PBlyK!8B}eu+$#sWayP4G97S2oNAZ zfB*pk1PBly&_;m^OT>j)|6iE(|Ap%RHg>T#5g#xB+-0t5&UAV7cs0RjXF5FilW 
zEs?1*b;kU^Awhru0RjXF5FkK+009C7+9+^QiMS~1|BJHzzexSx#xB+-0t5&UAV7cs z0RjXF5FikLSRzwp>Wuk+LxKPS0t5&UAV7cs0RjXFv{B&V5^-_X{}*Tdf3f<%ja{rw z1PBlyK!5-N0t5&UAV46Nl*m+>I%EFdkRU*S009C72oNAZfB*pkZ4_8qB9>|$*qK!5-N0t5&UAV7cs0Rr*;5}7JfXUzW_5(Eek zAV7cs0RjXF5FkLHjRKdIh|9A6zbxzj%hdmE>|$*qK!5-N0t5&UAV7cs0Rr*IB{Ef} z&Y1r|$*qK!5-N z0t5&UAV7cs0Rr(SB{Ef}&Y1rWv$W)m+WB%WeAV7cs0RjXF5FkK+009DR6u7EHT$T0z zRayUErT%YY7i$v%0t5&UAV7cs0RjXF5Qsl5k*P9u#{9n_L4W`O0t5&UAV7cs0RjZt zC~$R&xH{|qtF!*UTK(U~F4iUj1PBlyK!5-N0t5&UAQ0D-$W)m+WB%WeAV7cs0RjXF z5FkK+009DR6u7oTT$}a(wORjPtNw3e7i$v%0t5&UAV7cs0RjXF5Qra?$W)m+WB%We zAV7cs0RjXF5FkK+009DR6u7QLT$lC#by@#kr~Yqa7i$v%0t5&UAV7cs0RjXF5Qytb zWU5S^G5>E!5FkK+009C72oNAZfB=Cu3fxd4ZpixohOGZ@Q2)2Fi?xXW0RjXF5FkK+ z009C72*iygGF7I|nEy8<2oNAZfB*pk1PBlyK!89S1#T)4H)Z{QQ`Y}CssG#9#o9!G z009C72oNAZfB*pk1mcG!GF7I|nEy8<2oNAZfB*pk1PBlyK!89S1#T`8H)s8SbJqVi ztN+{B#o9!G009C72oNAZfB*pk1me$1WU5S^G5>E!5FkK+009C72oNAZfB=Cu3fxj6 zZpr%pmaPA8QUABGi?xXW0RjXF5FkK+009C72*jV4$W)m+WB%WeAV7cs0RjXF5FkK+ z009DR6u7lS+?w_Oty%xys{U_d7i$v%0t5&UAV7cs0RjXF5Qx7hk*P9u#{9n_L4W`O z0t5&UAV7cs0RjZtD6pbLtjPL*Mb`f-)ci;%&u{IGPK!5-N z0t5&UAV7csf%vNunJQCf%>Nq_1PBlyK!5-N0t5&UAV8pv0(X>%JF@=2BkTV=)cO!YZCzi1PBlyK!5-N0t5&Uh`UN;s!W|R|8GbT zAV7cs0RjXF5FkK+0D(3NtSJ#|vi@I__5T|6e;d14n+OmfK!5-N0t5&UAV7dX{HR2x z%G4S2|Aqts0t5&UAV7cs0RjXF5NM;o+7hug>;JV`|F2d5x3P=0i2wlt1PBlyK!5-N z0t5)e-6b+rrp`i;%&u{IGPK!5-N0t5&UAV7csf%r*@OqHoK=Kl=|0t5&UAV7cs z0RjXF5FpS-fk#TjBU%4HlJ);1>i;%&u{IGPK!5-N0t5&UAV7csf%y9pnJQCf%>Nq_ z1PBlyK!5-N0t5&UAV8pv0*{u6N3;HaH0%FI)&FhmVr?QofB*pk1PBlyK!5-N0`U(e zGF7I|nEy8<2oNAZfB*pk1PBlyK!89S1x8E6Xx9IuS^tl!|J&Hb+C+c=0RjXF5FkK+ z009C7qLj!~nL1Y5FkK+009C72oPwmz%N@bxSjw30t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFoX7$@ zUa!|p=4d(m`}IfbNmD=Pe_oa6PLG&ud$S(DdRojF+Zg{k^Rp@jdOoJg?QY)pt1N>X zB0BMd!QRjK#q)cQwsZS`f3KbG`ns(;_dk5yE8BV9inrR?uCLpw$Nt;bz4F(0U3n}& 
z`)AAheE+NB-_HEip8Lun-yfUrnY~N>S@Zqx+szyNd^y_R|Hj%MQ6K*Ozj@mx{lEX` zi|0}|U;e+B7r)=Mf9N~CA8@qW-}~&Ny*=-zNBfD#*7N@PUw`xO^Ruh+9hUd|`KKNq z;!}+O=4YXw9`gV1U$!;>bW$_^KRaj?oJiyUm-TWz0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB=D`El}qJXGc|k zH`n9ab^YDknU(whdfLo-!^q|>7p@z5aO2%a`^`L$009C72oNAZfB*pk1PBoLRRv~8 ze6r}u6;CyFesBH%-%lH_|9{obcRv9F1PBlyK!5-N0t5&UAn=wjF+yvhGM z?Kl5E-hcoB0t5&UAV7cs0RjXF5cuW=n)-k3f`3`se6srgoA>pJ1PBlyK!5-N0t5&U zAVA<)5K#Xg3%%eS2oNAZfB*pk1PBlyK!CunSD?54Z~ooCX_ZXJ^jI%**^%=G@G0XXa-*ne#Hg zlQ}=LAag%H)6CVGYckhnevr8?bA9H9%#E3wGC$1RocXiNEtx;h z+?x4|%!~))@AO= z{5Uh5xi_;uvmtX|W@Ba~bART6%%;rd%$Cf9nZL_y%{-KOIP;UtBbmR?Jev83%xI=$ zECdJ;AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBmlk3f}88HlAzBZl6e7W)s3x2(=plPDAEd$aH7+d;Wsm{qF5Owk>yFZ0>J<5ph`iKi|-M zZNKg9dGMu7_teSfkH7z{M!xgvzJB*K$3FgWsxyugAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkKcDuF6b48+o<5kv1!i~R@2 zud8#_B+5iOxz1(B>-D;b0|!>@jcD#1-yb_Qw%=^cYQ9v{;)-0on;)`%AY%0=TjqRq z&NbU!+q-!8l6l*=ZXAASWOH-fH@b`-_GvSEj(jw2=XnCiaC<4@+sbD8c*{ht5U z^2zI_T0fO1p3iifUliQcJby4ZBHk|frSsk^&33=#oe##3KAo!$)s&o}g5+i!b&9(*a&J$3T=Wt$A2oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBo5 zFHoApXZAnmC;L}F5bOl-uA5l|{#|aQ1K!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UATX6cl_v&b>C%Xy_ov1F1LN1# zxoQ$+BAs04vg7r7UBrO{EA~b-caHCmof_M3wq`Y7s_Ah>uHMZLSw9f5`jahlzB=cc zZLjTJynD&K?OQhvKQywrx$YZXMi2Y689hfn8d|w)=gJ#*Z5v$n<{Q`V8Lq13F?-^C z(~g;+RVmT4beiokg`R^)+&t*wPIUU-J&7LZ@`EM Date: Tue, 26 Mar 2024 11:47:46 +0000 Subject: [PATCH 24/28] ci(github-action)!: Update cachix/install-nix-action action to v26 | datasource | package | from | to | | ----------- | ------------------------- | ---- | --- | | github-tags | cachix/install-nix-action | v23 | v26 | | github-tags | cachix/install-nix-action | v25 | v26 | --- .github/workflows/build-raspi4.yaml | 2 +- .github/workflows/diff-pr.yaml | 2 +- .github/workflows/nix-lint.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-raspi4.yaml b/.github/workflows/build-raspi4.yaml index 22122a7..e75a64f 100644 --- a/.github/workflows/build-raspi4.yaml +++ b/.github/workflows/build-raspi4.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4.1.1 - - uses: cachix/install-nix-action@v23 + - uses: cachix/install-nix-action@v26 with: nix_path: nixpkgs=channel:nixos-23.05 extra_nix_config: | diff --git a/.github/workflows/diff-pr.yaml b/.github/workflows/diff-pr.yaml index 6874af0..420a2c9 100644 --- a/.github/workflows/diff-pr.yaml +++ b/.github/workflows/diff-pr.yaml 
@@ -50,7 +50,7 @@ jobs: fetch-depth: 0 - name: Install nix - uses: cachix/install-nix-action@v25 + uses: cachix/install-nix-action@v26 with: extra_nix_config: | experimental-features = nix-command flakes diff --git a/.github/workflows/nix-lint.yaml b/.github/workflows/nix-lint.yaml index c7338f7..8bbca8d 100644 --- a/.github/workflows/nix-lint.yaml +++ b/.github/workflows/nix-lint.yaml @@ -14,7 +14,7 @@ jobs: uses: actions/checkout@v2 - name: Install Nix - uses: cachix/install-nix-action@v23 + uses: cachix/install-nix-action@v26 with: nix_path: nixpkgs=channel:nixos-unstable From c1aab5ec91afddccdcda351a3f0624d78779eac1 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Tue, 26 Mar 2024 23:26:32 +1100 Subject: [PATCH 25/28] fix --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 0f0f70f..6a9d31c 100644 --- a/flake.nix +++ b/flake.nix @@ -181,7 +181,7 @@ }; # deploy-rs: This is highly advised, and will prevent many possible mistakes - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; # Convenience output that aggregates the outputs for home, nixos, and darwin configurations. # Also used in ci to build targets generally. From 8c650fa7953a7b4a1c0103e44be37c030241d331 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Tue, 26 Mar 2024 23:31:41 +1100 Subject: [PATCH 26/28] fix: fix aarch64 --- .github/workflows/diff-pr.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/diff-pr.yaml b/.github/workflows/diff-pr.yaml index 93f113e..f061f97 100644 --- a/.github/workflows/diff-pr.yaml +++ b/.github/workflows/diff-pr.yaml 
@@ -52,6 +52,11 @@ jobs: with: extra_nix_config: | experimental-features = nix-command flakes + extra-platforms = aarch64-linux + - name: Register binfmt + run: | + docker run --rm --privileged multiarch/qemu-user-static --reset -p yes + - name: Garbage collect build dependencies run: nix-collect-garbage From 0525b5b195d07df76d776913803168a87915978d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 12:46:11 +0000 Subject: [PATCH 27/28] ci(github-action)!: Update actions/upload-artifact action to v4 (#15) | datasource | package | from | to | | ----------- | ----------------------- | ---- | -- | | github-tags | actions/upload-artifact | v3 | v4 | Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/build-raspi4.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-raspi4.yaml b/.github/workflows/build-raspi4.yaml index e75a64f..96281dc 100644 --- a/.github/workflows/build-raspi4.yaml +++ b/.github/workflows/build-raspi4.yaml @@ -32,7 +32,7 @@ jobs: - name: Build SD Image run: | nix build .#images.${{ github.event.inputs.image }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: rpi4.img path: ./result/sd-image/*.img* From 1db0c9c05874801e49640ee92d011fea546cc463 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 26 Mar 2024 20:44:31 +0000 Subject: [PATCH 28/28] ci(github-action)!: Update actions/checkout action to v4 (#14) | datasource | package | from | to | | ----------- | ---------------- | ---- | -- | | github-tags | actions/checkout | v2 | v4 | Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Truxnell <19149206+truxnell@users.noreply.github.com> --- .github/workflows/nix-lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
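Review bot: The new `Register binfmt` step runs `multiarch/qemu-user-static` with `--privileged` from an unpinned default tag, so whatever that image resolves to on the day of the run executes as root on the runner for every pull request; pin it by tag and digest, `docker run --rm --privileged multiarch/qemu-user-static:<TAG>@sha256:<DIGEST> --reset -p yes` (placeholders), or use `docker/setup-qemu-action` pinned the same way as the other actions in this workflow. `extra-platforms = aarch64-linux` only tells Nix it may build for that platform locally, so if the binfmt registration is missing those builds fail at exec time rather than being refused up front; a YAML comment above the step, `# extra-platforms above is only honoured if this qemu binfmt registration succeeds`, would make the coupling explicit. The enclosing `steps:` list continues outside the hunk.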
diff --git a/.github/workflows/nix-lint.yaml b/.github/workflows/nix-lint.yaml index 8bbca8d..0cda545 100644 --- a/.github/workflows/nix-lint.yaml +++ b/.github/workflows/nix-lint.yaml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@v26