diff --git a/.github/workflows/diff-pr.yaml b/.github/workflows/diff-pr.yaml index 93f113e..f061f97 100644 --- a/.github/workflows/diff-pr.yaml +++ b/.github/workflows/diff-pr.yaml @@ -52,6 +52,11 @@ jobs: with: extra_nix_config: | experimental-features = nix-command flakes + extra-platforms = aarch64-linux + - name: Register binfmt + run: | + docker run --rm --privileged multiarch/qemu-user-static --reset -p yes + - name: Garbage collect build dependencies run: nix-collect-garbage diff --git a/.taskfiles/nix/Taskfile.yaml b/.taskfiles/nix/Taskfile.yaml index a0cd6e4..c3f637c 100644 --- a/.taskfiles/nix/Taskfile.yaml +++ b/.taskfiles/nix/Taskfile.yaml @@ -1,20 +1,19 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" vars: host: $HOSTNAME tasks: - apply: + switch: desc: Build and apply nix configuration silent: true requires: vars: - host cmds: - - task: build - vars: - host: "{{ .host }}" + - echo "This will switch your config." - task: .prompt_to_continue - sudo nixos-rebuild switch --flake "{{.ROOT_DIR}}/#{{.host}}" --impure preconditions: @@ -23,6 +22,39 @@ tasks: - sh: which nixos-rebuild msg: "nixos-rebuild not found" + test: + desc: Build and apply nix configuration + silent: true + requires: + vars: + - host + cmds: + - echo "This will test your config." + - task: .prompt_to_continue + - sudo nixos-rebuild test --flake "{{.ROOT_DIR}}/#{{.host}}" --impure + preconditions: + - sh: which nix + msg: "nix not found" + - sh: which nixos-rebuild + msg: "nixos-rebuild not found" + + dry-run: + desc: Build and apply nix configuration + silent: true + requires: + vars: + - host + cmds: + - echo "This will dry-run your config and add your untracked git files." + - git add . + - nixos-rebuild dry-run --flake "{{.ROOT_DIR}}/#{{.host}}" --impure + preconditions: + - sh: which nix + msg: "nix not found" + - sh: which nixos-rebuild + msg: "nixos-rebuild not found" + + build: desc: Build nix configuration silent: true 
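Review bot: The new `Register binfmt` step runs `multiarch/qemu-user-static` with `--privileged` and no tag or digest, so whatever Docker Hub serves under that name at run time gets full access to the runner that then evaluates and builds the flake; pin it, e.g. `docker run --rm --privileged multiarch/qemu-user-static@sha256:<digest-of-reviewed-image> --reset -p yes`, and keep the version in a comment so bumps are deliberate. The `extra-platforms = aarch64-linux` line only makes nix willing to schedule aarch64 builds locally; they presumably still need the binfmt registration to succeed, and a short comment tying the two additions together would save the next reader a search. The enclosing job starts above the hunk.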
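Review bot: The `desc` of the new `test` and `dry-run` tasks is copied from `switch` (`Build and apply nix configuration`), so `task --list` will describe three different tasks identically although only `switch` applies anything; something like `desc: Build and activate nix configuration until next boot` for `test` and `desc: Dry-run nix configuration (stages untracked files first)` for `dry-run` would be accurate. `dry-run` also runs `git add .` before `nixos-rebuild`, which stages every non-ignored untracked file in the tree, not only new nix files, so a stray decrypted secret or scratch file ends up in the index as a side effect of a read-only check; `git add --intent-to-add .` should make new paths visible to the flake without staging their contents (worth confirming against the git fetcher). The same `git add .` is added to the `build` task in the next hunk, there without the announcing `echo` this task has, so `build` would mutate the index silently under `silent: true`.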
@@ -30,6 +62,7 @@ tasks: vars: - host cmds: + - git add . - nixos-rebuild build --flake "{{.ROOT_DIR}}/#{{.host}}" --impure - nvd diff /run/current-system result preconditions: diff --git a/.taskfiles/pre-commit/Taskfile.yaml b/.taskfiles/pre-commit/Taskfile.yaml index 1a86675..637d1b1 100644 --- a/.taskfiles/pre-commit/Taskfile.yaml +++ b/.taskfiles/pre-commit/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" vars: diff --git a/.taskfiles/sops/Taskfile.yaml b/.taskfiles/sops/Taskfile.yaml index 115a287..3c1ef8a 100644 --- a/.taskfiles/sops/Taskfile.yaml +++ b/.taskfiles/sops/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" tasks: diff --git a/README.md b/README.md index df90fe3..676f057 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ To Install - [ ] WSL - [ ] JJY emulator Raspi4 - [ ] Documentation! +- [ ] ssh_config build from computers? +- [ ] Modularise host to allow vm builds and hw builds - [ ] Add license - [ ] Add taskfiles @@ -66,6 +68,21 @@ cd ~/dotfiles nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo ``` +## Hacking at nix files + +Eval config to see what keys are being set. + +```bash +nix eval .#nixosConfigurations.rickenbacker.config.security.sudo.WheelNeedsPassword +nix eval .#nixosConfigurations.rickenbacker.config.mySystem.security.wheelNeedsPassword +``` + +Quickly run a flake to see what the next error message is as you hack. + +```bash +nixos-rebuild dry-run --flake . --fast --impure +``` + ## Links & References - [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs) diff --git a/docs/vm/faq.md b/docs/vm/faq.md new file mode 100644 index 0000000..7319a55 --- /dev/null +++ b/docs/vm/faq.md 
@@ -0,0 +1,3 @@ +## Why not recurse the module folder + +Imports are special in NIX and its important that they are definet at runtime for lazy evaluation - if you do optional/coded imports not everything is avaliable for evaluating. diff --git a/flake.nix b/flake.nix index 5274eef..6a9d31c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -35,107 +35,124 @@ , sops-nix , ... } @ inputs: + let inherit (self) outputs; forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" - # "i686-linux" "x86_64-linux" - # "aarch64-darwin" - # "x86_64-darwin" + ]; in - with inputs; rec { + rec { # Use nixpkgs-fmt for 'nix fmt' formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); + nixosModules = import ./nixos/modules/nixos; + nixosConfigurations = + with self.lib; let defaultModules = - # (builtins.attrValues nixosModules) ++ + (builtins.attrValues nixosModules) ++ [ sops-nix.nixosModules.sops ]; specialArgs = { inherit inputs outputs; }; + + # generate a base nixos configuration with the + # specified overlays, hardware modules, and any extraModules applied + mkNixosConfig = + { hostname + , system ? "x86_64-linux" + , nixpkgs ? inputs.nixpkgs + , hardwareModules ? [ ] + , baseModules ? [ + sops-nix.nixosModules.sops + ./nixos/profiles/global.nix + ./nixos/modules/nixos + ./nixos/hosts/${hostname} + ] + , profileModules ? 
[ ] + }: + nixpkgs.lib.nixosSystem { + inherit system; + modules = baseModules ++ hardwareModules ++ profileModules; + specialArgs = { inherit self inputs nixpkgs; }; + }; in { - nixosvm = nixpkgs.lib.nixosSystem { - inherit specialArgs; + + "rickenbacker" = mkNixosConfig { + # NixOS laptop (dualboot windows, dunno why i kept it) + hostname = "rickenbacker"; system = "x86_64-linux"; - modules = defaultModules ++ [ - ./nixos/hosts/nixosvm + hardwareModules = [ + ./nixos/profiles/hw-thinkpad-e14-amd.nix + inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-amd + ]; + profileModules = [ + ./nixos/profiles/role-worstation.nix + ]; }; - rickenbacker = nixpkgs.lib.nixosSystem { - inherit specialArgs; + "citadel" = mkNixosConfig { + # Gaming PC (dualboot windows) + + hostname = "citadel"; system = "x86_64-linux"; - modules = defaultModules ++ [ - ./nixos/hosts/rickenbacker + hardwareModules = [ + ./nixos/profiles/hw-gaming-desktop.nix ]; + profileModules = [ + ./nixos/profiles/role-worstation.nix + ]; + }; - citadel = nixpkgs.lib.nixosSystem { - inherit specialArgs; - system = "x86_64-linux"; - modules = defaultModules ++ [ - ./nixos/hosts/citadel - ]; - }; + "dns01" = mkNixosConfig { + # Rpi for DNS and misc services - dns01 = nixpkgs.lib.nixosSystem { - inherit specialArgs; + hostname = "dns01"; system = "aarch64-linux"; - modules = defaultModules ++ [ - ./nixos/hosts/dns01 + hardwareModules = [ + ./nixos/profiles/hw-rpi4.nix + inputs.nixos-hardware.nixosModules.raspberry-pi-4 + ]; + profileModules = [ + ./nixos/profiles/role-server.nix ]; }; - # dns02 = nixpkgs.lib.nixosSystem { + + # # nix build .#images.rpi4 + # rpi4 = nixpkgs.lib.nixosSystem { # inherit specialArgs; - # system = "aarch64-linux"; + # modules = defaultModules ++ [ - # ./nixos/hosts/dns02 + # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + # ./nixos/hosts/images/sd-image # ]; # }; - - # isoimage = nixpkgs.lib.nixosSystem { - # system = "x86_64-linux"; + # # nix build .#images.iso 
+ # iso = nixpkgs.lib.nixosSystem { # inherit specialArgs; + # modules = defaultModules ++ [ - # "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix" - # { isoImage.squashfsCompression = "gzip -Xcompression-level 1"; } - # ./nixos/iso + # "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" + # "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix" + # ./nixos/hosts/images/cd-dvd # ]; # }; - - # nix build .#images.rpi4 - rpi4 = nixpkgs.lib.nixosSystem { - inherit specialArgs; - - modules = defaultModules ++ [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - ./nixos/hosts/images/sd-image - ]; - }; - # nix build .#images.iso - iso = nixpkgs.lib.nixosSystem { - inherit specialArgs; - - modules = defaultModules ++ [ - "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" - "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix" - ./nixos/hosts/images/cd-dvd - ]; - }; }; # simple shortcut to allow for easier referencing of correct # key for building images # > nix build .#images.rpi4 - images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage; - images.iso = nixosConfigurations.iso.config.system.build.isoImage; + # images.rpi4 = nixosConfigurations.rpi4.config.system.build.sdImage; + # images.iso = nixosConfigurations.iso.config.system.build.isoImage; # deploy-rs deploy.nodes = @@ -147,7 +164,7 @@ inherit (configuration.config.nixpkgs.hostPlatform) system; in { - path = deploy-rs.lib."${system}".activate.nixos configuration; + path = inputs.deploy-rs.lib."${system}".activate.nixos configuration; sshUser = "truxnell"; user = "root"; sshOpts = [ "-t" ]; 
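Review bot: `mkNixosConfig` passes `specialArgs = { inherit self inputs nixpkgs; }`, so the `outputs` value that the old `specialArgs = { inherit inputs outputs; }` handed to every module no longer reaches them; any module under `./nixos/modules/nixos` or `./nixos/profiles` that still names `outputs` in its argument set will fail to evaluate (the deleted `common/nixos/default.nix` did exactly that; the replacement modules are not in view). Either add it, `specialArgs = { inherit self inputs outputs nixpkgs; };`, or drop the now-unused `outputs` binding. The `defaultModules` and `specialArgs` bindings in the `let` are referenced only by the commented-out `rpi4`/`iso` blocks, so they are dead code in the evaluated flake. `nixpkgs ? inputs.nixpkgs` also shadows the outer `nixpkgs` input inside the function, presumably intentionally, but a comment like `# per-host nixpkgs override; nixosSystem below uses it, not the flake-level input` would make that explicit. The enclosing `outputs` function starts above the hunk.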
@@ -158,11 +175,13 @@ in { dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01; + rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker; + # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02; }; # deploy-rs: This is highly advised, and will prevent many possible mistakes - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; # Convenience output that aggregates the outputs for home, nixos, and darwin configurations. # Also used in ci to build targets generally. diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index ec7df51..35e7ff2 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix 
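Review bot: The new `rickenbacker` deploy node uses the bare name `"rickenbacker"` as the SSH target while `dns01` uses the literal `10.8.10.11`, so deploy-rs will connect to whatever that name resolves to on the machine running the deploy (search domain, `/etc/hosts` or an `ssh_config` Host alias), and a wrong resolution would push a root activation to the wrong box. A comment on that line, e.g. `# bare hostname: resolved via ssh_config / local DNS on the deploying host`, would document the expectation, since `mkDeployConfig` (defined above this hunk) gives no hint and the README in this same commit still lists the ssh_config build as a TODO.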
@@ -6,140 +6,31 @@ , pkgs , ... }: { - imports = [ - # Host-specific - ./hardware-configuration.nix - # Common imports - ../common/nixos - ../common/nixos/users/truxnell - ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix - ../common/optional/gnome.nix - ../common/optional/editors/vscode - ../common/optional/firefox.nix - ../common/optional/sops-nix.nix - ]; + config = { + mySystem = { + services.openssh.enable = true; + security.wheelNeedsSudoPassword = false; + }; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation + networking.hostName = "citadel"; # Define your hostname. - networking.hostName = "citadel"; # Define your hostname. + fileSystems."/" = + { + device = "/dev/disk/by-uuid/701fc943-ede7-41ed-8a53-3cc38fc68fe5"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/1D5B-36D3"; + fsType = "vfat"; + }; + + swapDevices = [ ]; - # Enable OpenGL - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; }; - # Load nvidia driver for Xorg and Wayland - services.xserver.videoDrivers = [ "nvidia" ]; # or "nvidiaLegacy470 etc. - hardware.nvidia = { - - # Modesetting is required. - modesetting.enable = true; - - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # Enable this if you have graphical corruption issues or application crashes after waking - # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead - # of just the bare essentials. - powerManagement.enable = false; - - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). 
- powerManagement.finegrained = false; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). - # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - # Currently alpha-quality/buggy, so false is currently the recommended setting. - open = false; - - # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. - nvidiaSettings = true; - - # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. 
- # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/nixos/hosts/common/nixos/auto-upgrade.nix b/nixos/hosts/common/nixos/auto-upgrade.nix deleted file mode 100644 index 3f04099..0000000 --- a/nixos/hosts/common/nixos/auto-upgrade.nix +++ /dev/null 
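Review bot: `security.wheelNeedsSudoPassword = false` reintroduces per host, and without the `TODO remove this hack` marker, the passwordless-sudo setting that the deleted `common/nixos/openssh.nix` carried, on a host that also sets `services.openssh.enable = true`; the hardening that lived beside it there (`PasswordAuthentication = false`, `PermitRootLogin = "no"`) is now the job of the `mySystem` openssh module, which is not in this diff, so confirm it still applies and keep the TODO on this line. The option name also differs from the README example in this same commit, which evaluates `mySystem.security.wheelNeedsPassword`; one of the two is wrong and evaluation will say which. `system.stateVersion = "23.11"` is removed along with the bootloader, binfmt and nvidia settings; if `hw-gaming-desktop.nix` (not in view) does not set it, NixOS falls back to the current release's default, which changes stateful-service defaults on an existing install. The module's argument set starts above the hunk.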
@@ -1,20 +0,0 @@ -{ config -, inputs -, ... -}: -let - inherit (config.networking) hostName; - # Only enable auto upgrade if current config came from a clean tree - # This avoids accidental auto-upgrades when working locally. - isClean = inputs.self ? rev; -in -{ - system.autoUpgrade = { - enable = isClean; - dates = "hourly"; - flags = [ - "--refresh" - ]; - flake = "github:truxnell/nix-config"; - }; -} diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix deleted file mode 100644 index 9ba22d3..0000000 --- a/nixos/hosts/common/nixos/default.nix +++ /dev/null @@ -1,71 +0,0 @@ -{ inputs -, outputs -, config -, sops-nix -, ... -}: { - imports = - [ - # inputs.home-manager.nixosModules.home-manager - #inputs.sops-nix.nixosModules.sops - ./locale.nix - ./nix.nix - ./openssh.nix - ./packages.nix - ] - ++ (builtins.attrValues { }); - - # home-manager.extraSpecialArgs = { inherit inputs outputs; }; TODO Home-manager - - nixpkgs = { - # Configure your nixpkgs instance - config = { - # Disable if you don't want unfree packages - allowUnfree = true; - }; - }; - - # TODO Shared sops location, probably in home-manager? - # sops.age.keyFile = "/var/lib/sops-nix/key.txt"; - - # Increase open file limit for sudoers - security.pam.loginLimits = [ - { - domain = "@wheel"; - item = "nofile"; - type = "soft"; - value = "524288"; - } - { - domain = "@wheel"; - item = "nofile"; - type = "hard"; - value = "1048576"; - } - ]; - - # sops.secrets.msmtp = { - # sopsFile = ./secret.sops.yaml; - # } - - # # TODO Email settings - # programs.msmtp = { - # enable = true; - # accounts.default = { - # host = "maddy.home.tld"; - # from = "${config.networking.hostName}@trux.dev"; - # }; - # defaults = { - # aliases = "/etc/aliases"; - # }; - # }; - - environment.etc = { - "aliases" = { - text = '' - root: ${config.networking.hostName}@trux.dev - ''; - mode = "0644"; - }; - }; -} 
diff --git a/nixos/hosts/common/nixos/locale.nix b/nixos/hosts/common/nixos/locale.nix deleted file mode 100644 index a96135a..0000000 --- a/nixos/hosts/common/nixos/locale.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ lib, ... }: { - i18n = { - defaultLocale = lib.mkDefault "en_US.UTF-8"; - }; - time.timeZone = lib.mkDefault "Australia/Melbourne"; -} diff --git a/nixos/hosts/common/nixos/nix.nix b/nixos/hosts/common/nixos/nix.nix deleted file mode 100644 index e1f7877..0000000 --- a/nixos/hosts/common/nixos/nix.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ inputs -, lib -, pkgs -, config -, ... -}: { - nix = { - settings = { - experimental-features = [ "nix-command" "flakes" ]; - substituters = [ - "https://nix-community.cachix.org" - "https://cache.garnix.io" - ]; - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - ]; - trusted-users = [ "root" "@wheel" ]; - auto-optimise-store = lib.mkDefault true; - warn-dirty = false; - - }; - - gc = { - automatic = true; - dates = "weekly"; - # Delete older generations too - options = "--delete-older-than 5d"; - }; - }; - - # This will add each flake input as a registry - # To make nix3 commands consistent with your flake - nix.registry = (lib.mapAttrs (_: flake: { inherit flake; })) ((lib.filterAttrs (_: lib.isType "flake")) inputs); - - # This will additionally add your inputs to the system's legacy channels - # Making legacy nix commands consistent as well, awesome! - nix.nixPath = [ "/etc/nix/path" ]; - environment.etc = - lib.mapAttrs' - (name: value: { - name = "nix/path/${name}"; - value.source = value.flake; - }) - config.nix.registry; - - # Enable printing changes on nix build etc with nvd - system.activationScripts.report-changes = '' - PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} - nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) - ''; -} 
diff --git a/nixos/hosts/common/nixos/openssh.nix b/nixos/hosts/common/nixos/openssh.nix deleted file mode 100644 index 8d3c10e..0000000 --- a/nixos/hosts/common/nixos/openssh.nix +++ /dev/null @@ -1,26 +0,0 @@ -_: - -{ - - services.openssh = { - enable = true; - settings = { - # Harden - PasswordAuthentication = false; - PermitRootLogin = "no"; - # Automatically remove stale sockets - StreamLocalBindUnlink = "yes"; - # Allow forwarding ports to everywhere - GatewayPorts = "clientspecified"; - # Don't allow home-directory authorized_keys - # authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; - }; - }; - - # TODO fix pam, wheel no pass is a bit of a hack - # security.pam.enableSSHAgentAuth = true; - - # TODO remove this hack - security.sudo.wheelNeedsPassword = false; - -} diff --git a/nixos/hosts/common/nixos/packages.nix b/nixos/hosts/common/nixos/packages.nix deleted file mode 100644 index c0c556c..0000000 --- a/nixos/hosts/common/nixos/packages.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: { - environment.systemPackages = with pkgs; [ - bat - jq - yq - btop - neovim - vim - git - dnsutils - nvd - gh - nix - - # TODO Move - nil - nixpkgs-fmt - statix - ]; - - programs.direnv = { - # TODO move to home-manager - enable = true; - nix-direnv.enable = true; - }; - programs.mtr.enable = true; -} diff --git a/nixos/hosts/common/optional/chrony.nix b/nixos/hosts/common/optional/chrony.nix deleted file mode 100644 index e9a42cf..0000000 --- a/nixos/hosts/common/optional/chrony.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ inputs -, outputs -, config -, ... -}: { - # Time - networking.timeServers = [ "10.8.10.1" ]; - services.chrony = { - enable = true; - }; -} diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.nix b/nixos/hosts/common/optional/cloudflare-dyndns.nix deleted file mode 100644 index f93b2ff..0000000 --- a/nixos/hosts/common/optional/cloudflare-dyndns.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ config -, lib -, ... -}: { - # Current nixpkgs cf-ddns only supports using a env file for the apitoken - # but not for domains, which makes them hard to find. - # To circumvent this, I put both in the 'apiTokenFile' var - # so my secret is: - - # apiTokenFile: |- - # CLOUDFLARE_API_TOKEN=derp - # CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz - - # init secret - config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml; - - # Restart when secret changes - config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ]; - - # Cloudflare dynamic dns to keep my DNS records pointed at home - config.services.cloudflare-dyndns = { - enable = true; - ipv6 = false; - proxied = true; - apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path; - domains = [ ]; - }; -} diff --git a/nixos/hosts/common/optional/dnscrypt-proxy2.nix b/nixos/hosts/common/optional/dnscrypt-proxy2.nix deleted file mode 100644 index 9c8ebeb..0000000 --- a/nixos/hosts/common/optional/dnscrypt-proxy2.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -# Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2 -{ inputs -, outputs -, pkgs -, config -, ... -}: { - # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf - config.services.resolved.enable = false; - - # Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt - # causing a risk of no dns if service fails. - config.networking = { - nameservers = [ "10.8.10.1" ]; # TODO make varible IP - - dhcpcd.extraConfig = "nohook resolv.conf"; - }; - - # configure secret for forwarding rules - config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; - config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file - - # Restart dnscrypt when secret changes - config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; - - config.services.dnscrypt-proxy2 = { - enable = true; - settings = { - require_dnssec = true; - forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path; - listen_addresses = [ "0.0.0.0:53" ]; - server_names = [ "NextDNS" ]; - - static = { - "NextDNS" = { - stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ"; - }; - }; - }; - }; -} diff --git a/nixos/hosts/common/optional/editors/vscode/default.nix b/nixos/hosts/common/optional/editors/vscode/default.nix deleted file mode 100644 index 59fd27d..0000000 --- a/nixos/hosts/common/optional/editors/vscode/default.nix +++ /dev/null 
@@ -1,138 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: { - # Enable vscode & addons - environment.systemPackages = with pkgs; [ - (vscode-with-extensions.override { - vscode = vscodium; - vscodeExtensions = with vscode-extensions; - [ - bbenoist.nix - mkhl.direnv - - ] - ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - { - name = "prettier-vscode"; - publisher = "esbenp"; - version = "10.1.0"; - sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9"; - } - - { - name = "vscode-docker"; - publisher = "ms-azuretools"; - version = "1.28.0"; - sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0"; - } - - { - name = "gitlens"; - publisher = "eamodio"; - version = "14.7.0"; - sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy"; - } - - { - name = "remote-containers"; - publisher = "ms-vscode-remote"; - version = "0.327.0"; - sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz"; - } - - { - name = "remote-ssh"; - publisher = "ms-vscode-remote"; - version = "0.107.1"; - sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf"; - } - - { - name = "vscode-yaml"; - publisher = "redhat"; - version = "1.14.0"; - sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944"; - } - - { - name = "todo-tree"; - publisher = "gruntfuggly"; - version = "0.0.226"; - sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn"; - } - - { - name = "path-autocomplete"; - publisher = "ionutvmi"; - version = "1.25.0"; - sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb"; - } - - { - name = "even-better-toml"; - publisher = "tamasfe"; - version = "0.19.2"; - sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14"; - } - - { - name = "linter"; - publisher = "fnando"; - version = "0.0.19"; - sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g"; - } - - { - name = "catppuccin-vsc"; - publisher = "catppuccin"; - version = "3.11.0"; - sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d"; - } - 
- { - name = "catppuccin-vsc-icons"; - publisher = "catppuccin"; - version = "1.8.0"; - sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z"; - } - - { - name = "nix-ide"; - publisher = "jnoortheen"; - version = "0.2.2"; - sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg"; - } - - { - name = "vscode-swissknife"; - publisher = "luisfontes19"; - version = "1.8.1"; - sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c"; - } - - { - name = "pre-commit-helper"; - publisher = "elagil"; - version = "0.5.0"; - sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj"; - } - - { - name = "sops-edit"; - publisher = "shipitsmarter"; - version = "1.0.0"; - sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4"; - } - - { - name = "json5-for-vscode"; - publisher = "tudoudou"; - version = "0.0.3"; - sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w"; - } - ]; - }) - ]; -} diff --git a/nixos/hosts/common/optional/editors/vscode/extensions.nix b/nixos/hosts/common/optional/editors/vscode/extensions.nix deleted file mode 100644 index a84a0cd..0000000 --- a/nixos/hosts/common/optional/editors/vscode/extensions.nix +++ /dev/null 
@@ -1,174 +0,0 @@ -# Warning, this file is autogenerated by nix4vscode. Don't modify this manually. -{ pkgs }: -let - inherit (pkgs) vscode-utils; -in -{ - "ms-python"."python" = vscode-utils.extensionFromVscodeMarketplace { - name = "python"; - publisher = "ms-python"; - version = "2024.0.0"; - sha256 = "0sy1z2r6b0m1lkivjyrcf41dbgj9m5zkjy6yncpji1hisjcbgq6n"; - }; - - "ms-python"."vscode-pylance" = vscode-utils.extensionFromVscodeMarketplace { - name = "vscode-pylance"; - publisher = "ms-python"; - version = "2023.12.1"; - sha256 = "03fr9zanhdsf3wirv65vb41swvdnxxaz8lviyjdbmzcw9yihf8dv"; - }; - - "esbenp"."prettier-vscode" = vscode-utils.extensionFromVscodeMarketplace { - name = "prettier-vscode"; - publisher = "esbenp"; - version = "10.1.0"; - sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9"; - }; - - "ms-azuretools"."vscode-docker" = vscode-utils.extensionFromVscodeMarketplace { - name = "vscode-docker"; - publisher = "ms-azuretools"; - version = "1.28.0"; - sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0"; - }; - - "eamodio"."gitlens" = vscode-utils.extensionFromVscodeMarketplace { - name = "gitlens"; - publisher = "eamodio"; - version = "14.7.0"; - sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy"; - }; - - "ms-vscode-remote"."remote-containers" = vscode-utils.extensionFromVscodeMarketplace { - name = "remote-containers"; - publisher = "ms-vscode-remote"; - version = "0.327.0"; - sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz"; - }; - - "ms-vscode-remote"."remote-ssh" = vscode-utils.extensionFromVscodeMarketplace { - name = "remote-ssh"; - publisher = "ms-vscode-remote"; - version = "0.107.1"; - sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf"; - }; - - "redhat"."vscode-yaml" = vscode-utils.extensionFromVscodeMarketplace { - name = "vscode-yaml"; - publisher = "redhat"; - version = "1.14.0"; - sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944"; - }; - - "github"."copilot" = 
vscode-utils.extensionFromVscodeMarketplace { - name = "copilot"; - publisher = "github"; - version = "1.156.0"; - sha256 = "16nzwazfbh895kmc2887b17zzbbcjyk8fhiphk5xmy1nm9qxszk0"; - }; - - "golang"."go" = vscode-utils.extensionFromVscodeMarketplace { - name = "go"; - publisher = "golang"; - version = "0.40.3"; - sha256 = "15kicpv9xpn7l3w9mbmsjdzjmavh88p3skkim0a9prg9p40bsq0m"; - }; - - "gruntfuggly"."todo-tree" = vscode-utils.extensionFromVscodeMarketplace { - name = "todo-tree"; - publisher = "gruntfuggly"; - version = "0.0.226"; - sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn"; - }; - - "ms-kubernetes-tools"."vscode-kubernetes-tools" = vscode-utils.extensionFromVscodeMarketplace { - name = "vscode-kubernetes-tools"; - publisher = "ms-kubernetes-tools"; - version = "1.3.15"; - sha256 = "1x6npc90p6b1wx5sd1hd0x0djahmffr6lw9cxh2zg10rbpq48w8i"; - }; - - "hashicorp"."terraform" = vscode-utils.extensionFromVscodeMarketplace { - name = "terraform"; - publisher = "hashicorp"; - version = "2.29.3"; - sha256 = "sha256-cYYtBZaWgtT6vS6In+tbpLfp/GdyWodBXyHsxn8ZZrU="; - }; - - "ionutvmi"."path-autocomplete" = vscode-utils.extensionFromVscodeMarketplace { - name = "path-autocomplete"; - publisher = "ionutvmi"; - version = "1.25.0"; - sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb"; - }; - - "tamasfe"."even-better-toml" = vscode-utils.extensionFromVscodeMarketplace { - name = "even-better-toml"; - publisher = "tamasfe"; - version = "0.19.2"; - sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14"; - }; - - "redhat"."ansible" = vscode-utils.extensionFromVscodeMarketplace { - name = "ansible"; - publisher = "redhat"; - version = "2.9.118"; - sha256 = "0yndj2r0w2zxc5firxgfrykkc5ajy9gsmrfmkz80kfhwk33n9y1p"; - }; - - "fnando"."linter" = vscode-utils.extensionFromVscodeMarketplace { - name = "linter"; - publisher = "fnando"; - version = "0.0.19"; - sha256 = "13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g"; - }; - - 
"catppuccin"."catppuccin-vsc" = vscode-utils.extensionFromVscodeMarketplace { - name = "catppuccin-vsc"; - publisher = "catppuccin"; - version = "3.11.0"; - sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d"; - }; - - "catppuccin"."catppuccin-vsc-icons" = vscode-utils.extensionFromVscodeMarketplace { - name = "catppuccin-vsc-icons"; - publisher = "catppuccin"; - version = "1.8.0"; - sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z"; - }; - - "jnoortheen"."nix-ide" = vscode-utils.extensionFromVscodeMarketplace { - name = "nix-ide"; - publisher = "jnoortheen"; - version = "0.2.2"; - sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg"; - }; - - "luisfontes19"."vscode-swissknife" = vscode-utils.extensionFromVscodeMarketplace { - name = "vscode-swissknife"; - publisher = "luisfontes19"; - version = "1.8.1"; - sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c"; - }; - - "elagil"."pre-commit-helper" = vscode-utils.extensionFromVscodeMarketplace { - name = "pre-commit-helper"; - publisher = "elagil"; - version = "0.5.0"; - sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj"; - }; - - "shipitsmarter"."sops-edit" = vscode-utils.extensionFromVscodeMarketplace { - name = "sops-edit"; - publisher = "shipitsmarter"; - version = "1.0.0"; - sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4"; - }; - - "tudoudou"."json5-for-vscode" = vscode-utils.extensionFromVscodeMarketplace { - name = "json5-for-vscode"; - publisher = "tudoudou"; - version = "0.0.3"; - sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w"; - }; -} diff --git a/nixos/hosts/common/optional/firefox.nix b/nixos/hosts/common/optional/firefox.nix deleted file mode 100644 index e15318c..0000000 --- a/nixos/hosts/common/optional/firefox.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: { - programs.firefox = { - enable = true; - }; -} 
diff --git a/nixos/hosts/common/optional/fish.nix b/nixos/hosts/common/optional/fish.nix deleted file mode 100644 index e53f255..0000000 --- a/nixos/hosts/common/optional/fish.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - programs.fish = { - enable = true; - vendor = { - completions.enable = true; - config.enable = true; - functions.enable = true; - }; - }; -} diff --git a/nixos/hosts/common/optional/gnome.nix b/nixos/hosts/common/optional/gnome.nix deleted file mode 100644 index cae9eeb..0000000 --- a/nixos/hosts/common/optional/gnome.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: { - # Ref: https://nixos.wiki/wiki/GNOME - - # GNOME plz - services.xserver = { - enable = true; - desktopManager.gnome.enable = true; - displayManager = { - gdm.enable = true; - defaultSession = "gnome"; # TODO move to config overlay - autoLogin.user = "truxnell"; # TODO move to config overlay - }; - layout = "us"; # `localctl` will give you - }; - - # And dconf - programs.dconf.enable = true; - # dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" - - # Exclude default GNOME packages that dont interest me. - environment.gnome.excludePackages = - (with pkgs; [ - gnome-photos - gnome-tour - ]) - ++ (with pkgs.gnome; [ - cheese # webcam tool - gnome-music - gnome-terminal - gedit # text editor - epiphany # web browser - geary # email reader - evince # document viewer - gnome-characters - totem # video player - tali # poker game - iagno # go game - hitori # sudoku game - atomix # puzzle game - ]); -} diff --git a/nixos/hosts/common/optional/maddy.nix b/nixos/hosts/common/optional/maddy.nix deleted file mode 100644 index 6043ae1..0000000 --- a/nixos/hosts/common/optional/maddy.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ inputs -, outputs -, config -, ... -}: { - # init secret - config.sops.secrets."system/mail/maddy/envFile" = { - sopsFile = ./maddy.sops.yaml; - owner = "maddy"; - group = "maddy"; - }; - - # Restart dnscrypt when secret changes - config.sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ]; - - # - config.services.maddy = { - enable = true; - secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ]; - config = builtins.readFile ./maddy.conf; - }; -} diff --git a/nixos/hosts/common/optional/monitoring.nix b/nixos/hosts/common/optional/monitoring.nix deleted file mode 100644 index 4dd7631..0000000 --- a/nixos/hosts/common/optional/monitoring.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config -, pkgs -, lib -, ... -}: { - services.prometheus.exporters = { - node = { - enable = true; - enabledCollectors = [ - "diskstats" - "filesystem" - "loadavg" - "meminfo" - "netdev" - "stat" - "time" - "uname" - "systemd" - ]; - }; - smartctl = { - enable = true; - }; - }; - - networking.firewall.allowedTCPPorts = [ - config.services.prometheus.exporters.node.port - config.services.prometheus.exporters.smartctl.port - ]; -} diff --git a/nixos/hosts/common/optional/reboot-required.nix b/nixos/hosts/common/optional/reboot-required.nix deleted file mode 100644 index 607c86c..0000000 --- a/nixos/hosts/common/optional/reboot-required.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -{ config -, pkgs -, ... -}: { - systemd.timers."reboot-required-check" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - # start at boot - OnBootSec = "0m"; - # check every hour - OnUnitActiveSec = "1h"; - Unit = "reboot-required-check.service"; - }; - }; - - systemd.services."reboot-required-check" = { - script = '' - #!/usr/bin/env bash - - # compare current system with booted sysetm to determine if a reboot is required - if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then - # check if the '/var/run/reboot-required' file exists and if it does, remove it - if [[ -f /var/run/reboot-required ]]; then - rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; } - fi - else - echo "reboot required" - touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; } - fi - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; -} diff --git a/nixos/hosts/common/optional/sops-nix.nix b/nixos/hosts/common/optional/sops-nix.nix deleted file mode 100644 index d06a35a..0000000 --- a/nixos/hosts/common/optional/sops-nix.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ inputs -, outputs -, config -, ... -}: { - # SOPS settings - # https://github.com/Mic92/sops-nix - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; -} diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index 5c41b53..ddb6605 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix 
@@ -7,104 +7,27 @@ , ... }: { imports = [ - # Host-specific - ./hardware-configuration.nix - # Common imports - ../common/nixos - ../common/nixos/users/truxnell - ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix - ../common/optional/sops-nix.nix - ../common/optional/dnscrypt-proxy2.nix - ../common/optional/cloudflare-dyndns.nix - ../common/optional/maddy.nix ]; - # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) - boot.loader.grub.enable = false; - # Enables the generation of /boot/extlinux/extlinux.conf - boot.loader.generic-extlinux-compatible.enable = true; + mySystem.services = { + maddy.enable = true; + dnscrypt-proxy.enable = true; + cfDdns.enable = true; + }; networking.hostName = "dns01"; # Define your hostname. + networking.useDHCP = lib.mkDefault true; - console.enable = false; - environment.systemPackages = with pkgs; [ - libraspberrypi - raspberrypi-eeprom - ]; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + swapDevices = [ ]; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. 
- # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? } 
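Review bot: The new side drops `system.stateVersion`, the extlinux boot-loader lines (`boot.loader.grub.enable = false;` / `boot.loader.generic-extlinux-compatible.enable = true;`) and the `../common/optional/sops-nix.nix` import, and nothing in this diff sets any of them again, so unless a shared `mySystem` profile outside the diff supplies them this host loses its boot-loader choice, the `nixpkgs.hostPlatform = "aarch64-linux"` that lived in the deleted hardware-configuration.nix, and `sops.age.sshKeyPaths` — without which the maddy, dnscrypt-proxy and cfDdns secrets enabled here cannot be decrypted at activation. `system.stateVersion` in particular is a per-machine value, so keeping `system.stateVersion = "23.11"; # keep as installed, see man configuration.nix` in the host file is safer than moving it to a profile. The same dropped stateVersion and boot-loader settings apply to the rickenbacker hunk in `nixos/hosts/rickenbacker/default.nix`. With `imports = [ ];` now empty, a one-line comment stating that modules are wired in from the flake would stop the next reader from re-adding hardware-configuration.nix.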
diff --git a/nixos/hosts/dns01/hardware-configuration.nix b/nixos/hosts/dns01/hardware-configuration.nix deleted file mode 100644 index cb81550..0000000 --- a/nixos/hosts/dns01/hardware-configuration.nix +++ /dev/null @@ -1,34 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.end0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix deleted file mode 100644 index 59781f4..0000000 --- a/nixos/hosts/nixosvm/default.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config -, lib -, pkgs -, ... -}: { - imports = [ - # Host-specific - ./hardware-configuration.nix - - # Common imports - ../common/nixos - ../common/nixos/users/truxnell - ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix - ../common/optional/gnome.nix - ../common/optional/editors/vscode - ../common/optional/firefox.nix - ../common/optional/sops-nix.nix - - ]; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation - - networking.hostName = "nixosvm"; # Define your hostname. - - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). 
- # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/nixos/hosts/nixosvm/hardware-configuration.nix b/nixos/hosts/nixosvm/hardware-configuration.nix deleted file mode 100644 index b54e6cf..0000000 --- a/nixos/hosts/nixosvm/hardware-configuration.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config -, lib -, pkgs -, modulesPath -, ... -}: { - imports = [ ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "uhci_hcd" "ehci_pci" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - }; - - swapDevices = [{ device = "/dev/sda2"; }]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens33.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - virtualisation.vmware.guest.enable = true; - virtualisation.virtualbox.guest.enable = true; - virtualisation.virtualbox.guest.x11 = true; -} diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index aa5ecf1..96771a6 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix 
@@ -1,115 +1,35 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { config , lib , pkgs , ... }: { - imports = [ - # Host-specific - ./hardware-configuration.nix + config = { - # Common imports - ../common/nixos - ../common/nixos/users/truxnell - ../common/optional/fish.nix - ../common/optional/monitoring.nix - ../common/optional/reboot-required.nix - ../common/optional/gnome.nix - ../common/optional/editors/vscode - ../common/optional/firefox.nix - ../common/optional/sops-nix.nix + # hardware-configuration.nix is missing as I've abstracted out the parts - ]; + mySystem = { + services.openssh.enable = true; + security.wheelNeedsSudoPassword = false; + }; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation - boot.initrd.kernelModules = [ "amdgpu" ]; + # TODO build this in from flake host names + networking.hostName = "rickenbacker"; - networking.hostName = "rickenbacker"; # Define your hostname. - # Enable OpenGL - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; + + fileSystems."/" = + { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/44D0-91EC"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + }; - - # Load nvidia driver for Xorg and Wayland - services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc. - - - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. 
- - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. 
- # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "23.11"; # Did you read the comment? } diff --git a/nixos/hosts/rickenbacker/hardware-configuration.nix b/nixos/hosts/rickenbacker/hardware-configuration.nix deleted file mode 100644 index 0e3b9a1..0000000 --- a/nixos/hosts/rickenbacker/hardware-configuration.nix +++ /dev/null 
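Review bot: `security.wheelNeedsSudoPassword = false;` is set on the same host that turns on `services.openssh.enable = true;`, so every wheel account reachable over SSH becomes root with no further check; the sudo password prompt is the one barrier that survives a leaked SSH key. If passwordless sudo is only wanted for the rebuild workflow, a scoped rule is the smaller exposure, for example `security.sudo.extraRules = [{ groups = [ "wheel" ]; commands = [{ command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" ]; }]; }];` — how that fits depends on how the `mySystem.security` option, which is defined outside this diff, maps onto `security.sudo`. The root device also moves from the by-uuid path in the deleted hardware-configuration.nix to `/dev/disk/by-label/nixos`, which only boots if the filesystem actually carries that label, so it is worth confirming before running switch.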
@@ -1,41 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/fe728106-aaf8-46e6-ab46-1610f1f4398a"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/44D0-91EC"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/nixos/modules/README.md b/nixos/modules/README.md new file mode 100644 index 0000000..add72bf --- /dev/null +++ b/nixos/modules/README.md 
@@ -0,0 +1,9 @@ +## Modules + +A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'. + +The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off. + +This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there. + +I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things. \ No newline at end of file diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix new file mode 100644 index 0000000..8d1b7d9 --- /dev/null +++ b/nixos/modules/default.nix @@ -0,0 +1,5 @@ +{ + + mySystem = import ./nixos; + +} diff --git a/nixos/modules/nixos/browser/default.nix b/nixos/modules/nixos/browser/default.nix new file mode 100644 index 0000000..1c7c3ee --- /dev/null +++ b/nixos/modules/nixos/browser/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./firefox.nix + ]; +} diff --git a/nixos/modules/nixos/browser/firefox.nix b/nixos/modules/nixos/browser/firefox.nix new file mode 100644 index 0000000..58b22a3 --- /dev/null +++ b/nixos/modules/nixos/browser/firefox.nix @@ -0,0 +1,22 @@ +{ lib +, config +, ... +}: + +with lib; +let + cfg = config.mySystem.browser.firefox; +in +{ + options.mySystem.browser.firefox.enable = mkEnableOption "Firefox"; + + config = mkIf cfg.enable { + + programs.firefox = { + enable = true; + }; + + }; + + +} diff --git a/nixos/modules/nixos/de/default.nix b/nixos/modules/nixos/de/default.nix new file mode 100644 index 0000000..6ce4870 --- /dev/null +++ b/nixos/modules/nixos/de/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./gnome.nix + + ]; +} diff --git a/nixos/modules/nixos/de/gnome.nix b/nixos/modules/nixos/de/gnome.nix new file mode 100644 index 0000000..9301423 --- /dev/null +++ b/nixos/modules/nixos/de/gnome.nix 
@@ -0,0 +1,81 @@ +{ lib +, config +, pkgs +, ... +}: + +with lib; +let + cfg = config.mySystem.de.gnome; +in +{ + options.mySystem.de.gnome.enable = mkEnableOption "GNOME"; + + config = mkIf cfg.enable { + + # Ref: https://nixos.wiki/wiki/GNOME + + # GNOME plz + services.xserver = { + enable = true; + displayManager = + { + gdm.enable = true; + defaultSession = "gnome"; # TODO move to config overlay + + autoLogin.enable = true; + autoLogin.user = "truxnell"; # TODO move to config overlay + }; + desktopManager = { + # GNOME + gnome.enable = true; + }; + + layout = "us"; # `localctl` will give you + }; + + # TODO remove this when possible + # workaround for GNOME autologin + # https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229 + systemd.services."getty@tty1".enable = false; + systemd.services."autovt@tty1".enable = false; + + # TODO tidy this + # port forward for GNOME when using RDP***REMOVED*** + + networking.firewall.allowedTCPPorts = [ + 3389 + ]; + + # And dconf + programs.dconf.enable = true; + + # https://github.com/NixOS/nixpkgs/issues/114514 + # dconf write /org/gnome/mutter/experimental-features "['scale-monitor-framebuffer']" TODO hack for GNOME 45 + + + # Exclude default GNOME packages that dont interest me. + environment.gnome.excludePackages = + (with pkgs; [ + gnome-photos + gnome-tour + ]) + ++ (with pkgs.gnome; [ + cheese # webcam tool + gnome-music + gnome-terminal + gedit # text editor + epiphany # web browser + geary # email reader + evince # document viewer + gnome-characters + totem # video player + tali # poker game + iagno # go game + hitori # sudoku game + atomix # puzzle game + ]); + }; + + +} diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix new file mode 100644 index 0000000..08ba128 --- /dev/null +++ b/nixos/modules/nixos/default.nix @@ -0,0 +1,11 @@ +{ + imports = [ + ./system + ./programs + ./services + ./browser + ./de + ./editor + + ]; +} 
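Review bot: `networking.firewall.allowedTCPPorts = [ 3389 ];` opens the RDP port on every host that enables GNOME, while nothing in this module enables a remote-desktop server, so the port is exposed whether or not remote desktop is in use; gate it on its own option, e.g. `options.mySystem.de.gnome.rdp.enable = mkEnableOption "GNOME remote desktop (opens TCP 3389)";` with `networking.firewall.allowedTCPPorts = mkIf cfg.rdp.enable [ 3389 ];`, and preferably limit it to the LAN interface via `networking.firewall.interfaces`. The comment above it, `# port forward for GNOME when using RDP***REMOVED***`, reads like a secret-scrubber artefact and should be reworded. `autoLogin.enable = true` with a hard-coded user, combined with the disabled `getty@tty1`/`autovt@tty1` units, means anyone at the console lands in an unlocked session; the TODO already covers moving the user out, but auto-login itself deserves an opt-in option rather than coming for free with the desktop.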
diff --git a/nixos/modules/nixos/editor/default.nix b/nixos/modules/nixos/editor/default.nix new file mode 100644 index 0000000..20df622 --- /dev/null +++ b/nixos/modules/nixos/editor/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./vscodium.nix + + ]; +} diff --git a/nixos/modules/nixos/editor/vscodium.nix b/nixos/modules/nixos/editor/vscodium.nix new file mode 100644 index 0000000..2e055bf --- /dev/null +++ b/nixos/modules/nixos/editor/vscodium.nix 
@@ -0,0 +1,154 @@ +{ lib +, config +, pkgs + +, ... +}: + +with lib; +let + cfg = config.mySystem.editor.vscodium; +in +{ + options.mySystem.editor.vscodium.enable = mkEnableOption "Vscodium"; + + config = mkIf cfg.enable { + + # TODO add USER settings.json + # Enable vscode & addons + environment.systemPackages = with pkgs; [ + (vscode-with-extensions.override { + vscode = vscodium; + vscodeExtensions = with vscode-extensions; + [ + bbenoist.nix + mkhl.direnv + + ] + ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + { + name = "prettier-vscode"; + publisher = "esbenp"; + version = "10.1.0"; + sha256 = "01s0vi2h917mqfpdrhqhp2ijwkibw95yk2js0l587wvajbbry2s9"; + } + + { + name = "vscode-docker"; + publisher = "ms-azuretools"; + version = "1.28.0"; + sha256 = "0nmc3pdgxpmr6k2ksdczkv9bbwszncfczik0xjympqnd2k0ra9h0"; + } + + { + name = "gitlens"; + publisher = "eamodio"; + version = "14.7.0"; + sha256 = "07f9fryaci8lsrdahgll5yhlzf5rhscpy1zd258hi211ymvkxlmy"; + } + + { + name = "remote-containers"; + publisher = "ms-vscode-remote"; + version = "0.327.0"; + sha256 = "0asswm55bx5gpz08cgpmgfvnb0494irj0gsvzx5nwknqfzpj07lz"; + } + + { + name = "remote-ssh"; + publisher = "ms-vscode-remote"; + version = "0.107.1"; + sha256 = "1q9xp8id9afhjx67zc7a61zb572f296apvdz305xd5v4brqd9xrf"; + } + + { + name = "vscode-yaml"; + publisher = "redhat"; + version = "1.14.0"; + sha256 = "0pww9qndd2vsizsibjsvscz9fbfx8srrj67x4vhmwr581q674944"; + } + + { + name = "todo-tree"; + publisher = "gruntfuggly"; + version = "0.0.226"; + sha256 = "0yrc9qbdk7zznd823bqs1g6n2i5xrda0f9a7349kknj9wp1mqgqn"; + } + + { + name = "path-autocomplete"; + publisher = "ionutvmi"; + version = "1.25.0"; + sha256 = "0jjqh3p456p1aafw1gl6xgxw4cqqzs3hssr74mdsmh77bjizcgcb"; + } + + { + name = "even-better-toml"; + publisher = "tamasfe"; + version = "0.19.2"; + sha256 = "0q9z98i446cc8bw1h1mvrddn3dnpnm2gwmzwv2s3fxdni2ggma14"; + } + + { + name = "linter"; + publisher = "fnando"; + version = "0.0.19"; + sha256 = 
"13bllbxd7sy4qlclh37qvvnjp1v13al11nskcf2a8pmnmj455v4g"; + } + + { + name = "catppuccin-vsc"; + publisher = "catppuccin"; + version = "3.11.0"; + sha256 = "12bzx1pv9pxbm08dhvl8pskpz1vg2whxmasl0qk2x54swa2rhi4d"; + } + + { + name = "catppuccin-vsc-icons"; + publisher = "catppuccin"; + version = "1.8.0"; + sha256 = "12sw9f00vnmppmvhwbamyjcap3acjs1f67mdmyv6ka52mav58z8z"; + } + + { + name = "nix-ide"; + publisher = "jnoortheen"; + version = "0.2.2"; + sha256 = "1264027sjh9a112si0y0p3pk3y36shj5b4qkpsj207z7lbxqq0wg"; + } + + { + name = "vscode-swissknife"; + publisher = "luisfontes19"; + version = "1.8.1"; + sha256 = "1rpk8zayzkn2kg4jjdd2fy6xl50kib71dqg73v46326cr4dwxa7c"; + } + + { + name = "pre-commit-helper"; + publisher = "elagil"; + version = "0.5.0"; + sha256 = "05cs1ndnha9dgv1ys23z81ajk300wpixqmks0lfmrj1zwyjg2wlj"; + } + + { + name = "sops-edit"; + publisher = "shipitsmarter"; + version = "1.0.0"; + sha256 = "0b2z9khiwrpf6gxdb9y315ayqkibvgixmvx82in5rlp8pndb6sq4"; + } + + { + name = "json5-for-vscode"; + publisher = "tudoudou"; + version = "0.0.3"; + sha256 = "1d1c18mr91ll5fsp0l0aszyi7nx0ad352ssm0fm40z81m4dmzm0w"; + } + ]; + }) + ]; + + }; + + +} diff --git a/nixos/modules/nixos/programs/default.nix b/nixos/modules/nixos/programs/default.nix new file mode 100644 index 0000000..5cf8372 --- /dev/null +++ b/nixos/modules/nixos/programs/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./shell + ]; +} diff --git a/nixos/modules/nixos/programs/shell/default.nix b/nixos/modules/nixos/programs/shell/default.nix new file mode 100644 index 0000000..56cb916 --- /dev/null +++ b/nixos/modules/nixos/programs/shell/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./fish.nix + ]; +} diff --git a/nixos/modules/nixos/programs/shell/fish.nix b/nixos/modules/nixos/programs/shell/fish.nix new file mode 100644 index 0000000..ac0acec --- /dev/null +++ b/nixos/modules/nixos/programs/shell/fish.nix 
@@ -0,0 +1,35 @@ +{ lib +, config +, self +, pkgs +, ... +}: +with lib; +let + cfg = config.mySystem.shell.fish; +in +{ + options.mySystem.shell.fish = + { + enable = mkEnableOption "Fish"; + enablePlugins = mkOption + { + type = lib.types.bool; + description = "If we want to add fish plugins"; + default = true; + + }; + + }; + + # Install fish systemwide + config.programs.fish = mkIf cfg.enable { + enable = true; + vendor = { + completions.enable = true; + config.enable = true; + functions.enable = true; + }; + }; + +} diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml similarity index 97% rename from nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml rename to nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml index 3f0c333..53453dc 100644 --- a/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml +++ b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml @@ -27,7 +27,7 @@ sops: V285bFUwdXgzUy9Ndi8yTCtsYlRHVGsKzSx+eyIrJKgZCL2VoS4fEcp6iVpDiqF6 7czaNhQhT0doqRm3QddMlD+o/7t7xOGhQEraq4q+i/JD4iYkSQp4zw== -----END AGE ENCRYPTED FILE----- - - recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t + - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnR0JCdUJubzRLRFY1ZGdp diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/default.nix b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix new file mode 100644 index 0000000..4334f3c --- /dev/null +++ b/nixos/modules/nixos/services/cloudflare-dyndns/default.nix 
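Review bot: `enablePlugins` is declared with a description and a default, but nothing in the `config` block reads `cfg.enablePlugins`, so toggling it has no effect; either wire it up or drop it until plugins are actually added. The module function also takes `self` as an argument, which is not a standard module argument — evaluation fails unless it is supplied through `specialArgs`, and the body never uses it, so it can be removed from the argument list. For consistency with the other modules in this change, `config = mkIf cfg.enable { programs.fish = { ... }; };` would read better than conditioning only `config.programs.fish`.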
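Review bot: Swapping the age recipient `age190fm…` for `age1y399…` re-encrypts the file's data key for the new key only; the previous recipient can still decrypt every earlier revision of this file from git history, and since this hunk touches only the recipient line the encrypted values themselves appear unchanged. If this is a rotation because the old key is retired or suspected compromised, the Cloudflare API token held in this file should be reissued at the provider and the file re-encrypted, not just re-keyed. The same recipient change appears in the dnscrypt-proxy2 sops file hunk in this commit; that file holds only forwarding rules, which the module itself marks as non-sensitive.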
@@ -0,0 +1,39 @@ +{ lib +, config +, ... +}: + +with lib; +let + cfg = config.mySystem.services.cfDdns; +in +{ + options.mySystem.services.cfDdns.enable = mkEnableOption "Cloudflare ddns"; + + config = mkIf cfg.enable { + # Current nixpkgs cf-ddns only supports using a env file for the apitoken + # but not for domains, which makes them hard to find. + # To circumvent this, I put both in the 'apiTokenFile' var + # so my secret is: + + # apiTokenFile: |- + # CLOUDFLARE_API_TOKEN=derp + # CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz + + # TODO add notifications on IP change + # init secret + sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml; + + # Restart when secret changes + sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ]; + + # Cloudflare dynamic dns to keep my DNS records pointed at home + services.cloudflare-dyndns = { + enable = true; + ipv6 = false; + proxied = true; + apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path; + domains = [ ]; + }; + }; +} diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix new file mode 100644 index 0000000..7871bb5 --- /dev/null +++ b/nixos/modules/nixos/services/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ./monitoring.nix + ./reboot-required-check.nix + ./cloudflare-dyndns + ./maddy + ./dnscrypt-proxy2 + ]; +} diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix new file mode 100644 index 0000000..99431f9 --- /dev/null +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix 
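Review bot: `sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile"` is assigned twice (`.sopsFile` and then `.restartUnits`); merging them as `sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile" = { sopsFile = ./cloudflare-dyndns.sops.yaml; restartUnits = [ "cloudflare-dyndns" ]; };` keeps the secret's whole definition in one place — the maddy module hunk in this commit has the same split. Because the domain list is carried inside the env file, as the comment explains, `domains = [ ];` is deliberately inert; a comment on that line, `# intentionally empty: domains come from CLOUDFLARE_DOMAINS in apiTokenFile`, would stop someone from "fixing" it later.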
@@ -0,0 +1,50 @@ +{ lib +, config +, ... +}: + +with lib; +let + cfg = config.mySystem.services.dnscrypt-proxy; +in +{ + options.mySystem.services.dnscrypt-proxy.enable = mkEnableOption "Cloudflare ddns"; + + config = mkIf cfg.enable { + # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf + services.resolved.enable = false; + + # Fix this devices DNS resolv.conf else resolvd will point it to dnscrypt + # causing a risk of no dns if service fails. + networking = { + nameservers = [ "10.8.10.1" ]; # TODO make varible IP + + dhcpcd.extraConfig = "nohook resolv.conf"; + }; + sops.secrets = { + + # configure secret for forwarding rules + "system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; + "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file + + # Restart dnscrypt when secret changes + "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; + }; + + services.dnscrypt-proxy2 = { + enable = true; + settings = { + require_dnssec = true; + forwarding_rules = config.sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".path; + listen_addresses = [ "0.0.0.0:53" ]; + server_names = [ "NextDNS" ]; + + static = { + "NextDNS" = { + stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ"; + }; + }; + }; + }; + }; +} diff --git a/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml similarity index 97% rename from nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml rename to nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml index 33687c2..cdba971 100644 --- a/nixos/hosts/common/optional/dnscrypt-proxy2.sops.yaml +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml 
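Review bot: `mkEnableOption "Cloudflare ddns"` is copied from the cloudflare module, so the generated description of `mySystem.services.dnscrypt-proxy.enable` will read "Whether to enable Cloudflare ddns."; change it to `mkEnableOption "dnscrypt-proxy2 DNS resolver"`. `listen_addresses = [ "0.0.0.0:53" ]` binds every interface while this module opens nothing in `networking.firewall`, so whether the resolver is reachable is decided elsewhere; if port 53 is later opened broadly this becomes an open resolver, so either listen on the LAN address only or add an explicit `networking.firewall.allowedUDPPorts`/`allowedTCPPorts` here scoped to the internal interface. The `mode = "0444"` justification is reasonable, though forwarding rules typically list internal zone names, which is exactly the kind of detail the sops file was wrapping.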
@@ -26,7 +26,7 @@ sops: VjhyZ3FqSkhtZHZ3S0xPVXZBNEtZOHMKCW9YMMwPXaDO23WdbW+NMmYVYau6Nw3i I4J+xRLDe8N8Ty8sVql7xPYmA2UtI/Vf12sJxrH+YZA3x7Ip1RnM5A== -----END AGE ENCRYPTED FILE----- - - recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t + - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyR1h3aDZqMmtWYkE4ZFBo diff --git a/nixos/modules/nixos/services/maddy/default.nix b/nixos/modules/nixos/services/maddy/default.nix new file mode 100644 index 0000000..37cc87e --- /dev/null +++ b/nixos/modules/nixos/services/maddy/default.nix @@ -0,0 +1,30 @@ +{ lib +, config +, ... +}: + +with lib; +let + cfg = config.mySystem.services.maddy; +in +{ + options.mySystem.services.maddy.enable = mkEnableOption "Maddy SMTP Client (Relay)"; + + config = mkIf cfg.enable { + + sops.secrets."system/mail/maddy/envFile" = { + sopsFile = ./maddy.sops.yaml; + owner = "maddy"; + group = "maddy"; + }; + + sops.secrets."system/mail/maddy/envFile".restartUnits = [ "maddy" ]; + + services.maddy = { + enable = true; + secrets = [ config.sops.secrets."system/mail/maddy/envFile".path ]; + config = builtins.readFile ./maddy.conf; + }; + + }; +} diff --git a/nixos/hosts/common/optional/maddy.conf b/nixos/modules/nixos/services/maddy/maddy.conf similarity index 100% rename from nixos/hosts/common/optional/maddy.conf rename to nixos/modules/nixos/services/maddy/maddy.conf diff --git a/nixos/hosts/common/optional/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml similarity index 97% rename from nixos/hosts/common/optional/maddy.sops.yaml rename to nixos/modules/nixos/services/maddy/maddy.sops.yaml index a71a4b6..28d59e3 100644 --- a/nixos/hosts/common/optional/maddy.sops.yaml +++ b/nixos/modules/nixos/services/maddy/maddy.sops.yaml 
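Review bot: `sops.secrets."system/mail/maddy/envFile"` is declared twice, once as an attrset and once just for `restartUnits`; the module system merges them, but folding `restartUnits = [ "maddy" ];` into the first attrset reads as one declaration. `config = builtins.readFile ./maddy.conf` copies the relay config into the Nix store, which is world-readable, so confirm that `maddy.conf` references the SMTP credentials only through the env-file placeholders and carries no literal password or token; a one-line comment above that line stating this would keep the next edit honest.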
@@ -26,7 +26,7 @@ sops: bVoxd0FvWjEyeHlKM2IyS1c2ajlhMncKJjDktmjOisjdUecV/bhI00fp6jA2puGD mOuASUhxGGN1c805vLmLnJA0llLtaN8C2iQC/H14IjG1U7QObbnrEA== -----END AGE ENCRYPTED FILE----- - - recipient: age190fm3dlfxtf5smttyqxtrht4ac2ldfhkap7luppc0aap8w6r940qvjyc8t + - recipient: age1y399g6q8cg0efzqdywrswp5uugsfeuxg54ptp3vacrvaknl5dunq22wt5x enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMjkrcHFZTXQ3QjZKWksw diff --git a/nixos/modules/nixos/services/monitoring.nix b/nixos/modules/nixos/services/monitoring.nix new file mode 100644 index 0000000..df2086b --- /dev/null +++ b/nixos/modules/nixos/services/monitoring.nix @@ -0,0 +1,46 @@ +{ lib +, config +, self +, ... +}: +with lib; +let + cfg = config.mySystem.services.promMonitoring; +in +{ + options.mySystem.services.promMonitoring.enable = mkEnableOption "Prometheus Monitoring"; + + config = mkIf cfg.enable { + + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "diskstats" + "filesystem" + "loadavg" + "meminfo" + "netdev" + "stat" + "time" + "uname" + "systemd" + ]; + }; + smartctl = { + enable = true; + }; + + + }; + + # ensure ports are open + networking.firewall.allowedTCPPorts = mkIf cfg.enable [ + config.services.prometheus.exporters.node.port + config.services.prometheus.exporters.smartctl.port + ]; + + }; + + +} diff --git a/nixos/modules/nixos/services/reboot-required-check.nix b/nixos/modules/nixos/services/reboot-required-check.nix new file mode 100644 index 0000000..7ceacfe --- /dev/null +++ b/nixos/modules/nixos/services/reboot-required-check.nix 
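Review bot: The `mkIf cfg.enable` on `networking.firewall.allowedTCPPorts` is redundant inside `config = mkIf cfg.enable { … }` and can be dropped. More importantly both exporter ports are opened on every interface with no listen restriction, and the node and smartctl exporters serve unauthenticated host details; the per-exporter `openFirewall` with `firewallFilter` (or `listenAddress`) options let this be limited to the scraping network instead of the global `allowedTCPPorts` list. `self` in the argument pattern is unused.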
@@ -0,0 +1,54 @@ +{ lib +, config +, self +, ... +}: +with lib; +let + cfg = config.mySystem.services.rebootRequiredCheck; +in +{ + options.mySystem.services.rebootRequiredCheck.enable = mkEnableOption "Reboot required check"; + + config = mkIf cfg.enable { + + # Enable timer + systemd.timers."reboot-required-check" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + # start at boot + OnBootSec = "0m"; + # check every hour + OnUnitActiveSec = "1h"; + Unit = "reboot-required-check.service"; + }; + }; + + # Below script will check if initrd, kernel, kernel-modules that were booted match the current system + # i.e. if a nixos-rebuild switch has upgraded anything + systemd.services."reboot-required-check" = { + script = '' + #!/usr/bin/env bash + + # compare current system with booted sysetm to determine if a reboot is required + if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then + # check if the '/var/run/reboot-required' file exists and if it does, remove it + if [[ -f /var/run/reboot-required ]]; then + rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; } + fi + else + echo "reboot required" + touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; } + fi + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + + }; + + +} diff --git a/nixos/modules/nixos/system/default.nix b/nixos/modules/nixos/system/default.nix new file mode 100644 index 0000000..57e42b9 --- /dev/null +++ b/nixos/modules/nixos/system/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ./openssh.nix + ./time.nix + ./security.nix + ./systempackages.nix + ./nix.nix + ]; +} diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix new file mode 100644 index 0000000..d13b293 --- /dev/null +++ b/nixos/modules/nixos/system/nix.nix 
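Review bot: The `#!/usr/bin/env bash` line inside `script` has no effect, since NixOS wraps `systemd.services.<name>.script` in its own interpreter; it is just a comment that suggests otherwise, so remove it. `/var/run/reboot-required` is created by root and only its existence is checked, which is worth stating on the `touch` line: `# marker file only — consumers should test existence, never trust contents`. `User = "root"` is the default and can go, and "sysetm" in the comparison comment is a typo.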
@@ -0,0 +1,48 @@ +{ lib +, config +, self +, ... +}: +with lib; +let + cfg = config.mySystem.nix; +in +{ + options.mySystem.nix = { + autoOptimiseStore = mkOption + { + type = lib.types.bool; + description = "If we want to auto optimise store"; + default = true; + + }; + gc = { + enable = mkEnableOption "automatic garbage collection" // { + default = true; + }; + persistent = mkOption + { + type = lib.types.bool; + description = "Persistent timer for gc, runs at startup if timer missed"; + default = true; + }; + }; + + }; + + config.nix = { + + optimise.automatic = cfg.autoOptimiseStore; + + # automatically garbage collect nix store + gc = mkIf cfg.gc.enable { + # garbage collection + automatic = cfg.gc.enable; + options = "--delete-older-than 30d"; + inherit (cfg.gc) persistent; + }; + + }; + + +} diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix new file mode 100644 index 0000000..592c3ea --- /dev/null +++ b/nixos/modules/nixos/system/openssh.nix 
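Review bot: Inside `gc = mkIf cfg.gc.enable { … }` the assignment `automatic = cfg.gc.enable;` is always true, so `automatic = true;` says what it means. `self` is bound but unused. `--delete-older-than 30d` is the one knob a host is likely to tune (servers keep few generations, workstations many); exposing it as `mySystem.nix.gc.options` with this string as its default would keep the module self-contained rather than requiring an override of `nix.gc.options`.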
@@ -0,0 +1,47 @@
+{ lib
+, config
+, self
+, ...
+}:
+with lib;
+let
+ cfg = config.mySystem.services.openssh;
+in
+{
+ options.mySystem.services.openssh = {
+ enable = mkEnableOption "openssh";
+ passwordAuthentication = mkOption
+ {
+ type = lib.types.bool;
+ description = "If password can be accepted for ssh (commonly disable for security hardening)";
+ default = false;
+
+ };
+ permitRootLogin = mkOption
+ {
+ type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
+ description = "If root can login via ssh (commonly disable for security hardening)";
+ default = "no";
+
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ # TODO: Enable this when option becomes available
+ # Don't allow home-directory authorized_keys
+ # authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
+ settings = {
+ # Harden
+ PasswordAuthentication = cfg.passwordAuthentication;
+ PermitRootLogin = cfg.permitRootLogin;
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ # Allow forwarding ports to everywhere
+ GatewayPorts = "clientspecified";
+ };
+ };
+
+ };
+}
diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix
new file mode 100644
index 0000000..5730385
--- /dev/null
+++ b/nixos/modules/nixos/system/security.nix
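Review bot: `PasswordAuthentication = cfg.passwordAuthentication` with the default `false` does not by itself stop password logins, because NixOS leaves `KbdInteractiveAuthentication` at its default of true and PAM keyboard-interactive will still prompt for one; add `KbdInteractiveAuthentication = cfg.passwordAuthentication;` beside it so the one option controls both paths. `GatewayPorts = "clientspecified"` lets any account that can SSH in publish remote forwards on the host's non-loopback addresses, which is a deliberate exposure and deserves a why-comment rather than "Allow forwarding ports to everywhere": `# remote forwards may bind external addresses — revisit before non-admin users get shell access`. `self` in the argument pattern is unused.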
@@ -0,0 +1,51 @@ +{ lib +, config +, ... +}: +with lib; +let + cfg = config.mySystem.security; +in +{ + options.mySystem.security = { + + sshAgentAuth.enable = lib.mkEnableOption "openssh"; + + wheelNeedsSudoPassword = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users need password for sudo"; + default = true; + }; + increaseWheelLoginLimits = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users receive increased login limits"; + default = true; + }; + }; + + config = + { + security = { + sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; + + pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; + + # Increase open file limit for sudoers + pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ + { + domain = "@wheel"; + item = "nofile"; + type = "soft"; + value = "524288"; + } + { + domain = "@wheel"; + item = "nofile"; + type = "hard"; + value = "1048576"; + } + ]; + }; + }; + +} diff --git a/nixos/modules/nixos/system/systempackages.nix b/nixos/modules/nixos/system/systempackages.nix new file mode 100644 index 0000000..49969d1 --- /dev/null +++ b/nixos/modules/nixos/system/systempackages.nix @@ -0,0 +1,26 @@ +{ lib +, config +, self +, ... +}: +with lib; +let + cfg = config.mySystem.system; +in +{ + options.mySystem.system = { + packages = mkOption + { + type = with types; listOf package; + description = "List of system level package installs"; + default = [ ]; + }; + }; + + # System packages deployed globally. + # This is NixOS so lets keep this liiight? + # Ideally i'd keep most of it to home-manager user only stuff + # and keep server role as light as possible + config.environment.systemPackages = cfg.packages; + +} diff --git a/nixos/modules/nixos/system/time.nix b/nixos/modules/nixos/system/time.nix new file mode 100644 index 0000000..0f3c7a2 --- /dev/null +++ b/nixos/modules/nixos/system/time.nix 
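Review bot: `sshAgentAuth.enable = lib.mkEnableOption "openssh"` yields the description "Whether to enable openssh." for an option that actually toggles `security.pam.enableSSHAgentAuth`; use `mkEnableOption "PAM/sudo authentication via a forwarded SSH agent"`. That mechanism lets a forwarded agent satisfy sudo, so a compromised host the user forwards to can sudo here as them — one sentence in the description would make the trade-off visible to whoever flips it on. `security.pam.enableSSHAgentAuth` has since been renamed to `security.pam.sshAgentAuth.enable` in newer nixpkgs, so expect a rename warning once the flake input moves past the 23.11-era module set this repo currently targets.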
@@ -0,0 +1,25 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.mySystem.time;
+in
+{
+ options.mySystem.time = {
+ timeZone = lib.mkOption {
+ type = lib.types.str;
+ description = "Timezone of system";
+ default = "Australia/Melbourne";
+ };
+ hwClockLocalTime = lib.mkOption {
+ type = lib.types.bool;
+ description = "If hardware clock is set to local time (useful for windows dual boot)";
+ default = false;
+ };
+ };
+ config = {
+ time.timeZone = cfg.timeZone;
+ time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
+ };
+}
diff --git a/nixos/modules/nixos/template.nix b/nixos/modules/nixos/template.nix
new file mode 100644
index 0000000..d901e8a
--- /dev/null
+++ b/nixos/modules/nixos/template.nix
@@ -0,0 +1,20 @@
+{ lib
+, config
+, ...
+}:
+
+with lib;
+let
+ cfg = config.mySystem.xx.yy;
+in
+{
+ options.mySystem.xx.yy.enable = mkEnableOption "";
+
+ config = mkIf cfg.enable {
+
+ # CONFIG HERE
+
+ };
+
+
+}
diff --git a/nixos/profiles/README.md b/nixos/profiles/README.md
new file mode 100644
index 0000000..ab3717d
--- /dev/null
+++ b/nixos/profiles/README.md
@@ -0,0 +1,19 @@ +## Profiles + +Here is the profiles that each host picks from to build up a system. + +My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config. +Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile. + +## Global + +Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine + +## Hardware + +Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays. + +## Role + +The role the machine have. Machines may have multiple roles +i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs. diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix new file mode 100644 index 0000000..43f1c97 --- /dev/null +++ b/nixos/profiles/global.nix 
@@ -0,0 +1,78 @@ +{ config, lib, pkgs, imports, modulesPath, ... }: + +with lib; +{ + # NOTE + # Some 'global' areas have defaults set in their respective modules. + # These will be applied when the modules are loaded + # Not the global role. + # Not sure at this point a good way to manage globals in one place + # without mono-repo config. + + + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") # Generated by nixos-config-generate + ./global + ]; + + mySystem = { + + # basics for all devices + time.timeZone = "Australia/Melbourne"; + security.increaseWheelLoginLimits = true; + system.packages = [ pkgs.bat ]; + + # Lets see if fish everywhere is OK on the pi's + # TODO decide if i drop to bash on pis? + shell.fish.enable = true; + # But wont enable plugins globally, leave them for workstations + }; + + + i18n = { + defaultLocale = lib.mkDefault "en_AU.UTF-8"; + }; + + # TODO refactor this shit out wow + + # SOPS settings + # https://github.com/Mic92/sops-nix + + + + + + + + + networking.useDHCP = lib.mkDefault true; + + environment.systemPackages = with pkgs; [ + jq + yq + btop + vim + git + dnsutils + nix + + # TODO Move + nil + nixpkgs-fmt + statix + nvd + gh + ]; + + programs.direnv = { + # TODO move to home-manager + enable = true; + nix-direnv.enable = true; + }; + programs.mtr.enable = true; + +} + + + diff --git a/nixos/profiles/global/default.nix b/nixos/profiles/global/default.nix new file mode 100644 index 0000000..506ca28 --- /dev/null +++ b/nixos/profiles/global/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + ./nix.nix + ./nixpkgs.nix + ./sops.nix + ./system.nix + ./users.nix + ]; +} diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix new file mode 100644 index 0000000..15095c6 --- /dev/null +++ b/nixos/profiles/global/nix.nix 
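Review bot: `imports` in the argument pattern `{ config, lib, pkgs, imports, modulesPath, ... }` is not a module argument; it appears to evaluate only because the module system binds unknown pattern names lazily and this file never reads it, so drop it (the same stray `imports`/`boot` pattern is in hw-gaming-desktop, hw-rpi4, hw-thinkpad-e14-amd, role-server and role-worstation). The profile also fills `environment.systemPackages` directly even though the same commit introduces `mySystem.system.packages` for exactly this and already uses it for `pkgs.bat`; moving the tool list there keeps one mechanism, and `nix` in that list is redundant on any NixOS host. `time.timeZone = "Australia/Melbourne"` repeats the option's default from time.nix.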
@@ -0,0 +1,58 @@ +{ lib, config, pkgs, nixpkgs, ... }: +{ + + ## Below is to align shell/system to flake's nixpkgs + ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry + + # Make `nix repl ''` use the same nixpkgs as the one used by this flake. + environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; + nix = { + + # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. + registry.nixpkgs.flake = nixpkgs; + channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. + + # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake. + # https://github.com/NixOS/nix/issues/9574 + settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; + + ### + + settings = { + + # Enable flakes + experimental-features = [ + "nix-command" + "flakes" + ]; + + # Substitutions + trusted-substituters = [ + "https://cache.garnix.io" + "https://nix-community.cachix.org" + "https://numtide.cachix.org" + ]; + + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + ]; + + # Fallback quickly if substituters are not available. + connect-timeout = 5; + # Avoid copying unnecessary stuff over SSH + builders-use-substitutes = true; + + + trusted-users = [ "root" "@wheel" ]; + + warn-dirty = false; + + # The default at 10 is rarely enough. + log-lines = lib.mkDefault 25; + + }; + }; + +} diff --git a/nixos/profiles/global/nixpkgs.nix b/nixos/profiles/global/nixpkgs.nix new file mode 100644 index 0000000..e4e4c71 --- /dev/null +++ b/nixos/profiles/global/nixpkgs.nix @@ -0,0 +1,10 @@ +{ config, ... }: +{ + nixpkgs = { + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + }; + }; +} 
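Review bot: `trusted-substituters` only lists caches that unprivileged users may ask for on the command line; the daemon does not consult them for normal builds unless they also appear in `substituters`/`extra-substituters`, so as written the three caches are likely never used — confirm with `nix show-config substituters` on a built host. If they are moved to `substituters`, keep cache.nixos.org and its key in the lists, since a plain `trusted-public-keys` in nix.conf replaces Nix's built-in default key unless NixOS re-adds it (check the generated /etc/nix/nix.conf). `trusted-users = [ "root" "@wheel" ]` lets wheel members add substituters and import unsigned store paths, which is effectively root on the daemon; record that with `# trusted-users is root-equivalent for the nix daemon; acceptable only because wheel already has sudo`.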
diff --git a/nixos/profiles/global/sops.nix b/nixos/profiles/global/sops.nix new file mode 100644 index 0000000..543aa98 --- /dev/null +++ b/nixos/profiles/global/sops.nix @@ -0,0 +1,6 @@ +{ config, ... }: +{ + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + +} diff --git a/nixos/profiles/global/system.nix b/nixos/profiles/global/system.nix new file mode 100644 index 0000000..bd12372 --- /dev/null +++ b/nixos/profiles/global/system.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +with lib; +{ + system = { + # Enable printing changes on nix build etc with nvd + activationScripts.report-changes = '' + PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]} + nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2) + ''; + + # Do not change unless you know what you are doing + stateVersion = "23.11"; # THERE BE DRAGONS + + # (This one comes in the niiiiight) ::: + # :: :::. + # \/, .::::: + # \), \`-._ :::888 + # /\ \ `-. ::88888 + # / \ | .( ::88 + # /,. \ ; ( ` .:8888 + # ), \ / ;`` :::888 + # /_ \ __/_(_ :88 + # `. ,`..-' `-._ \ / :8 + # )__ `. `._ .\/. + # / `. ` `-._______m _, + # ,-=====-.-;' , ___________/ _,-_,'"`/__,-. + # C =-- ; `.`._ V V V -=-'"#==-._ + # :, \ ,| UuUu _,......__ `-.__A_A_ -. ._ ,--._ ",`` `- + # || |`---' : uUuUu,' `'--...____/ `" `". ` + # |` : \ UuUu: + # : / \ UuUu`-._ + # \(_ `._ uUuUu `-. + # (_3 `._ uUu `._ + # ``-._ `. + # `-._ `. + # `. \ + # ) ; + # / / + # `. |\ ,' / + # ",_A_/\-| ` ,' + # `--..,_|_,-'\ + # | \ + # | \__ + # |__ + + }; +} diff --git a/nixos/hosts/common/nixos/users/truxnell/default.nix b/nixos/profiles/global/users.nix similarity index 92% rename from nixos/hosts/common/nixos/users/truxnell/default.nix rename to nixos/profiles/global/users.nix index b6ec4d4..676041b 100644 --- a/nixos/hosts/common/nixos/users/truxnell/default.nix +++ b/nixos/profiles/global/users.nix 
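Review bot: `activationScripts.report-changes` runs `nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)`, which on a freshly installed host with a single generation passes one path to `nvd diff` and presumably fails, making the first activation noisy. Guard it: `gens=$(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)` then `[ "$(printf '%s\n' "$gens" | wc -l)" -eq 2 ] && nvd diff $gens || true`. In sops.nix, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the host key double as the secrets key, so anything that captures it (backups, images, key leaks) also unlocks every sops secret and a host-key rotation means re-keying all sops files — one comment on that line stating the dependency would save a future surprise.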
@@ -18,13 +18,14 @@ in ++ ifTheyExist [ "network" "samba-users" + "docker" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" ]; - packages = [ pkgs.home-manager ]; + # packages = [ pkgs.home-manager ]; }; # home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager? diff --git a/nixos/profiles/hw-gaming-desktop.nix b/nixos/profiles/hw-gaming-desktop.nix new file mode 100644 index 0000000..86cf9c7 --- /dev/null +++ b/nixos/profiles/hw-gaming-desktop.nix 
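Review bot: Adding `"docker"` through `ifTheyExist` is root-equivalent on any host running dockerd, since socket access allows mounting the host filesystem into a container; it deserves a comment on that line such as `# NOTE: docker group == root on hosts with dockerd; prefer rootless docker/podman for non-admin accounts`. The enclosing `users.users` definition starts outside the hunk. Commenting out `packages = [ pkgs.home-manager ];` rather than removing it leaves dead code while the TODO below already tracks the home-manager question.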
@@ -0,0 +1,74 @@ +{ config, lib, pkgs, imports, boot, ... }: + +with lib; +{ + + mySystem.system.packages = with pkgs; [ + ntfs3g + ]; + + boot = { + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + + # for managing/mounting ntfs + supportedFilesystems = [ "ntfs" ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + # why not ensure we can memtest workstatons easily? + grub.memtest86.enable = true; + + }; + }; + + # set xserver videodrivers for NVIDIA 4080 gpu + services.xserver.videoDrivers = [ "nvidia" ]; + + + # ref: https://nixos.wiki/wiki/Nvidia + # Enable OpenGL + hardware.opengl = { + enable = true; + driSupport = true; + driSupport32Bit = true; + }; + + hardware.nvidia = { + + # Modesetting is required. + modesetting.enable = true; + + # Nvidia power management. Experimental, and can cause sleep/suspend to fail. + # Enable this if you have graphical corruption issues or application crashes after waking + # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead + # of just the bare essentials. + powerManagement.enable = false; + + # Fine-grained power management. Turns off GPU when not in use. + # Experimental and only works on modern Nvidia GPUs (Turing or newer). + powerManagement.finegrained = false; + + # Use the NVidia open source kernel module (not to be confused with the + # independent third-party "nouveau" open source driver). + # Support is limited to the Turing and later architectures. Full list of + # supported GPUs is at: + # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus + # Only available from driver 515.43.04+ + # Currently alpha-quality/buggy, so false is currently the recommended setting. + open = false; + + # Enable the Nvidia settings menu, + # accessible via `nvidia-settings`. 
+ nvidiaSettings = true; + + # Optionally, you may need to select the appropriate driver version for your specific GPU. + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + +} diff --git a/nixos/profiles/hw-rpi4.nix b/nixos/profiles/hw-rpi4.nix new file mode 100644 index 0000000..ad2d4c1 --- /dev/null +++ b/nixos/profiles/hw-rpi4.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, imports, boot, ... }: + +with lib; +{ + boot = { + + initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ]; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + + loader = { + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) + grub.enable = false; + # Enables the generation of /boot/extlinux/extlinux.conf + generic-extlinux-compatible.enable = true; + }; + }; + + console.enable = false; + mySystem.system.packages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + ]; + + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + +} diff --git a/nixos/profiles/hw-thinkpad-e14-amd.nix b/nixos/profiles/hw-thinkpad-e14-amd.nix new file mode 100644 index 0000000..678111d --- /dev/null +++ b/nixos/profiles/hw-thinkpad-e14-amd.nix 
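Review bot: `grub.memtest86.enable = true` next to `systemd-boot.enable = true` appears to do nothing, because the GRUB memtest option only adds a GRUB menu entry and GRUB is not the loader here; the systemd-boot counterpart is `boot.loader.systemd-boot.memtest86.enable = true;`. The same pair is in hw-thinkpad-e14-amd. `imports` and `boot` in the argument pattern are not module arguments and should be removed.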
@@ -0,0 +1,32 @@ +{ config, lib, pkgs, imports, boot, ... }: + +with lib; +{ + boot = { + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ "amdgpu" ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + + # for managing/mounting ntfs + supportedFilesystems = [ "ntfs" ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + # why not ensure we can memtest workstatons easily? + grub.memtest86.enable = true; + + }; + }; + + # set xserver videodrivers for amp gpu + services.xserver.videoDrivers = [ "amdgpu" ]; + + # As this is a laptop explicitly enable nmcli (likely enabled by GUI anyway) + networking.networkmanager.enable = true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + +} diff --git a/nixos/profiles/role-server.nix b/nixos/profiles/role-server.nix new file mode 100644 index 0000000..22d6361 --- /dev/null +++ b/nixos/profiles/role-server.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, imports, boot, ... }: +# Role for headless servers +# covers raspi's, sbc, NUC etc, anything +# that is headless and minimal for running services + +with lib; +{ + config = { + + # Enable monitoring for remote scraiping + mySystem.services.promMonitoring.enable = true; + mySystem.services.rebootRequiredCheck.enable = true; + + nix.settings = { + # TODO factor out into mySystem + # Avoid disk full issues + max-free = lib.mkDefault (1000 * 1000 * 1000); + min-free = lib.mkDefault (128 * 1000 * 1000); + }; + }; + + + +} diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix new file mode 100644 index 0000000..efe68fb --- /dev/null +++ b/nixos/profiles/role-worstation.nix 
@@ -0,0 +1,36 @@ +{ config, lib, pkgs, imports, boot, ... }: +# Role for workstations +# Covers desktops/laptops, expected to have a GUI and do worloads +# Will have home-manager installs + +with config; +{ + mySystem = { + + de.gnome.enable = true; + editor.vscodium.enable = true; + browser.firefox.enable = true; + }; + + boot = { + + binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation + plymouth.enable = true; # hide console with splash screen + }; + + nix.settings = { + # TODO factor out into mySystem + # Avoid disk full issues + max-free = lib.mkDefault (1000 * 1000 * 1000); + min-free = lib.mkDefault (128 * 1000 * 1000); + }; + + # set xserver videodrivers if used + services.xserver.enable = true; + + # Laptop so ill likely use wireles + # very likely to be set by GUI packages but lets + # be declarative. + + +}
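Review bot: `with config;` is almost certainly meant to be `with lib;` like every sibling profile; it works today only because `lib` is a function argument and every other name is an attribute definition, but any unbound identifier would be looked up in `config` and can push the module fixpoint into infinite recursion. `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` registers a system-wide binfmt handler, so any aarch64 binary on this workstation runs transparently under emulation, not just Nix builds — worth saying in the comment beside it. The file name `role-worstation.nix` is missing a "k".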