diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c54ad69
--- /dev/null
+++ b/README.md
@@ -0,0 +1,65 @@
+# Truxnell's homelab
+
+[![NixOS](https://img.shields.io/badge/NixOS-23.11-blue?style=flat&logo=nixos&logoColor=white)](https://nixos.org)
+Leveraging nix, nix-os to apply machine and home configurations
+
+## Background
+
+Having used a variety of infracture as code solutions - and having found them lacking in some areas, it is time to give nix a go.
+Frustrations with other methods tend to be bitrot and config drift - very annoying to want to do a quick disaster recovery and find your have different versions of modules/utilities, breaking changes in code you didnt catch, etc.
+
+## Getting started
+
+TBC
+
+## Goals
+
+- [ ] Learn nix
+- [ ] Mostly reproduce features from my existing homelab
+- [ ] Replace existing ubuntu-based 'NAS'
+- [ ] Expand usage to other shell environments such as WSL, etc
+- [ ] handle secrets - decide between sweet and simple SOPS or re-use my doppler setup.
+
+## TODO
+
+- [ ] Github Actions update fly.io instances (Bitwarden)
+- [ ] Bring over hosts
+ - [ ] DNS01 Raspi4
+ - [ ] DNS02 Raspi4
+ - [ ] NAS
+ - [ ] Latop
+ - [ ] WSL
+ - [ ] JJY emulator Raspi4
+- [ ] Documentation!
+- [ ] Add license
+- [ ] Add taskfiles
+
+## Network map
+
+TBC
+
+## Hardware
+
+TBC
+
+## Applying configuration changes on a local machine can be done as follows:
+
+```sh
+cd ~/dotfiles
+sudo nixos-rebuild switch --flake .
+# This will automatically pick the configuration name based on the hostname
+```
+
+Applying configuration changes to a remote machine can be done as follows:
+
+```sh
+cd ~/dotfiles
+nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo
+```
+
+## Links & References
+
+- [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)
+- [billimek/dotfiles](https://github.com/billimek/dotfiles/)
+- [Erase your Darlings](https://grahamc.com/blog/erase-your-darlings/)
+- [NixOS Flakes](https://www.tweag.io/blog/2020-07-31-nixos-flakes/)
diff --git a/docs/vm/installing.md b/docs/vm/installing.md
new file mode 100644
index 0000000..e2e25c9
--- /dev/null
+++ b/docs/vm/installing.md
@@ -0,0 +1,83 @@
+## Installing a playground VM
+
+I've used gnome-boxes from my current Fedora laptop for running playground vm's.
+
+Settings:
+ISO: nixos-minimal
+Hard drive: 32GB
+RAM: 2GB
+EFI: Enable
+
+Expose port 22 to allow ssh into vm (host port 3022, guest 22)
+
+```sh
+# set temp root passwd
+sudo su
+passwd
+```
+
+`sshd` is already running, so you can now ssh into the vm remotely for the rest of the setup.
+`ssh root@127.0.0.1 -p 3022`
+
+```sh
+# Partitioning
+parted /dev/sda -- mklabel gpt
+parted /dev/sda -- mkpart root ext4 512MB -8GB
+parted /dev/sda -- mkpart swap linux-swap -8GB 100%
+parted /dev/sda -- mkpart ESP fat32 1MB 512MB
+parted /dev/sda -- set 3 esp on
+
+# Formatting
+mkfs.ext4 -L nixos /dev/sda1
+mkswap -L swap /dev/sda2
+mkfs.fat -F 32 -n boot /dev/sda3
+
+# Mounting disks for installation
+mount /dev/disk/by-label/nixos /mnt
+mkdir -p /mnt/boot
+mount /dev/disk/by-label/boot /mnt/boot
+swapon /dev/sda2
+
+# Generating default configuration
+nixos-generate-config --root /mnt
+```
+
+From this config copy the bootstrap configuration and fetch the hardware configuration.
+
+```sh
+scp -P 3022 nixos/hosts/bootstrap/configuration.nix root@127.0.0.1:/mnt/etc/nixos/configuration.nix
+scp -P 3022 root@127.0.0.1:/mnt/etc/nixos/hardware-configuration.nix nixos/hosts/nixosvm/hardware-configuration.nix
+```
+
+Then back to the VM
+
+```sh
+nixos-install
+reboot
+nixos-rebuild switch
+```
+
+Set the password for the user that was created.
+
+```sh
+passwd truxnell
+```
+
+Login as user, copy nix git
+
+```sh
+mkdir .local
+cd .local
+git clone https://github.com/szinn/nix-config.git
+cd nix-config
+```
+
+Apply config to bootstrapped device
+First time around, MUST APPLY with name of host in ./hosts/
+This is because `.. --flake .` looks for a `nixosConfigurations` key with the machines hostname
+The bootstrap machine will be called 'nixos-bootstrap' so the flake by default would resolve `nixosConfigurations.nixos-bootstrap`
+Subsequent rebuilds can be called with the default command as after first build the machines hostname will be changed to the desired machine
+
+```sh
+nixos-rebuild switch --flake .#
+```
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..7bf6b84
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,53 @@
+{
+ description = "My machines";
+
+ inputs = {
+ # Nixpkgs and unstable
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ # sops-nix
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # VSCode community extensions
+ nix-vscode-extensions = {
+ url = "github:nix-community/nix-vscode-extensions";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+
+ };
+ outputs = { self, nixpkgs, ... }@inputs:
+ with inputs;
+ {
+
+ # Use nixpkgs-fmt for 'nix fmt'
+ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
+
+ # Each subdirectory in ./machines is a host. Add them all to
+ # nixosConfigurations. Host configurations need a file called
+ # configuration.nix that will be read first
+ nixosConfigurations = builtins.listToAttrs (map
+ (x: {
+ name = x;
+ value = nixpkgs.lib.nixosSystem {
+
+ # Make inputs and the flake itself accessible as module parameters.
+ # Technically, adding the inputs is redundant as they can be also
+ # accessed with flake-self.inputs.X, but adding them individually
+ # allows to only pass what is needed to each module.
+ specialArgs = { flake-self = self; } // inputs;
+
+ system = "x86_64-linux";
+
+ modules = [
+ (./nixos/hosts + "/${x}/default.nix")
+ ];
+ };
+ })
+ (builtins.attrNames (builtins.readDir ./nixos/hosts)));
+};
+}
\ No newline at end of file
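Review bot: `builtins.readDir ./nixos/hosts` returns every subdirectory, so `nixosConfigurations` also gets `common` and `bootstrap`, neither of which has a `default.nix` in this commit (`common/` holds shared modules, `bootstrap/` uses `configuration.nix`); evaluating those attributes, for example through `nix flake check`, fails on the missing path. Filtering the host list fixes it: `(builtins.filter (x: builtins.pathExists (./nixos/hosts + "/${x}/default.nix")) (builtins.attrNames (builtins.readDir ./nixos/hosts)))`. Separately, `specialArgs` passes `flake-self` and the inputs but no `outputs`, while `nixos/hosts/common/nixos/default.nix`, `common/nixos/openssh.nix`, `common/optional/chrony.nix`, `common/optional/dnscrypt-proxy2.nix` and `playground/playground.nix` all declare `outputs` in their argument set; unless it is injected somewhere not in this commit, those modules fail with a missing-argument error, so either add `outputs = self.outputs;` to `specialArgs` or drop the unused argument from those modules. The comment above `nixosConfigurations` still talks about `./machines` and `configuration.nix`, which no longer match the code below it.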
diff --git a/nixos/home-manager/.gitkeep b/nixos/home-manager/.gitkeep
new file mode 100644
index 0000000..81d3fab
--- /dev/null
+++ b/nixos/home-manager/.gitkeep
@@ -0,0 +1,59 @@
+My home infrastructure,
+
+![](https://imgur.com/ISNnzgN.png)
+
+## Structure
+
+- [flake.nix](flake.nix) (Entrypoint for rebuilding via nixos-rebuild or home-manager)
+- [flake.lock](flake.lock) (lockfile for current nix flake state, updated daily via [github action](.github/workflows/main.yml))
+ - [home-manager](home-manager) (User level configuration per machine via home-manager)
+ - [hosts](hosts/README.md) - (Definition of physical/virutal hosts)
+ - [common](hosts/common) (Role definitions [Desktop, Laptop, Server])
+ - [darwin](hosts/common/darwin) (global host configuration used across all darwin hosts)
+ - [nixos](hosts/common/nixos) (global host configuration used across all NixOS hosts)
+ - [optional](hosts/common/optional) (optional host configuration used as-needed per host)
+ - [nas](hosts/nas/README.md) (NixOS NAS server)
+ - [home](hosts/home/README.md) (NixOS VM running in NAS)
+ - [cloud](hosts/cloud/README.md) (NixOS VM running in Oracle Cloud)
+ - [k3s-f](hosts/k3s-f/README.md) (NixOS running on an N100 tiny PC as a k3s node)
+ - [k3s-g](hosts/k3s-g/README.md) (NixOS running on an N100 tiny PC as a k3s node)
+ - [k3s-h](hosts/k3s-h/README.md) (NixOS running on an N100 tiny PC as a k3s node)
+ - [jeffs_laptop](hosts/jeffs_laptop/README.md) (nix-darwin running on a MacBook Pro)
+ - [jens_laptop](hosts/jens_laptop/README.md) (nix-darwin running on a MacBook Air)
+ - [work_laptop](hosts/work_laptop/README.md) (nix-darwin running on a MacBook Pro)
+ - [modules](modules) (Custom NixOS and home-manager modules)
+ - [overlays](overlays) (Custom overlays, primarily used for packages currently)
+ - [pkgs](pkgs) (Custom Packages, mainly items not yet in official nixpkgs)
+- [shell.nix](shell.nix) (Shell for bootstrapping flake-enabled nix and home-manager)
+- [nixpkgs.nix](nixpkgs.nix) (Used by shell.nix - useful to avoid using channels when using legacy nix commands)
+
+## Background
+
+Everyone keeps gushing about how amazing Nix is and I want to get in on the hype cycle
+
+## Goals
+
+- [x] Learn nix
+- [x] Mostly reproduce features from my existing [dotfiles](https://github.com/billimek/dotfiles)
+- [x] Replace existing ubunut-based 'home VM'
+- [x] Expand usage to other shell environments such as WSL, Macbook, etc
+- [x] handle secrets - ideally using 1Password and not SOPS - using git-crypt for now
+- [x] try agenix for secrets handling
+- [ ] introduce the concept of [impermanence](https://github.com/nix-community/impermanence) where appropriate
+
+## References
+
+- [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)
+- [How to learn Nix](https://ianthehenry.com/posts/how-to-learn-nix/)
+- [home-manager](https://github.com/nix-community/home-manager)
+- [Zero to Nix: Everything I Know About Nix & NixOS](https://chetanbhasin.com/articles/zero-to-nix-everything-i-know-about-nix-nixos)
+- [Walkthrough of Nix Install and Setup on MacOS (YouTube)](https://www.youtube.com/watch?v=LE5JR4JcvMg)
+- [NixOS as a server, part 1: Impermanence](https://guekka.github.io/nixos-server-1/)
+- [budimanjojo/dotfiles](https://github.com/budimanjojo/dotfiles/tree/master/nixos)
+- [wrmilling/nixos-configuration](https://github.com/wrmilling/nixos-configuration)
+- [gshpychka/dotfiles-nix](https://github.com/gshpychka/dotfiles-nix)
+- [wimpysworld/nix-config](https://github.com/wimpysworld/nix-config)
+
+## Old Dotfiles
+
+Old dotfiles are still accessible in [archive branch](https://github.com/billimek/dotfiles/tree/archive)
diff --git a/nixos/hosts/bootstrap/configuration.nix b/nixos/hosts/bootstrap/configuration.nix
new file mode 100644
index 0000000..b69a308
--- /dev/null
+++ b/nixos/hosts/bootstrap/configuration.nix
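Review bot: `nixos/home-manager/.gitkeep` is a 59-line copy of another repository's README (it describes billimek's hosts and links to that project's archive branch) rather than an empty placeholder, so anyone reading the tree will take it for this repo's documentation and be misled about which hosts exist. Either leave the file empty or move the text into a README under `nixos/home-manager/` once it has been rewritten for the hosts actually defined here.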
@@ -0,0 +1,144 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ # Host-specific
+ ./hardware-configuration.nix
+
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "nixos-bootstrap";
+ dhcpcd.enable = true;
+ };
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Australia/Melbourne";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkb.options in tty.
+ # };
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+
+ # Configure keymap in X11
+ # services.xserver.xkb.layout = "us";
+ # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.truxnell = {
+ isNormalUser = true;
+ extraGroups = ["wheel"]; # Enable ‘sudo’ for the user.
+ packages = with pkgs; [
+ ];
+ };
+
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ btop
+ git
+ curl
+ wget
+ ];
+
+ nix = {
+ settings = {
+ experimental-features = ["nix-command" "flakes"];
+ warn-dirty = false;
+ };
+ };
+
+ nixpkgs = {
+ # overlays = builtins.attrValues outputs.overlays;
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # TODO Harden SSH
+ services.openssh.enable = true;
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
+ ];
+
+ # may fix issues with network service failing during a nixos-rebuild
+ systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
+ systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
+
diff --git a/nixos/hosts/common/nixos/auto-upgrade.nix b/nixos/hosts/common/nixos/auto-upgrade.nix
new file mode 100644
index 0000000..3619869
--- /dev/null
+++ b/nixos/hosts/common/nixos/auto-upgrade.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ inputs,
+ ...
+}: let
+ inherit (config.networking) hostName;
+ # Only enable auto upgrade if current config came from a clean tree
+ # This avoids accidental auto-upgrades when working locally.
+ isClean = inputs.self ? rev;
+in {
+ system.autoUpgrade = {
+ enable = isClean;
+ dates = "hourly";
+ flags = [
+ "--refresh"
+ ];
+ flake = "github:truxnell/nix-config";
+ };
+}
diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix
new file mode 100644
index 0000000..55bc781
--- /dev/null
+++ b/nixos/hosts/common/nixos/default.nix
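Review bot: `services.openssh.enable = true` under `# TODO Harden SSH` leaves sshd at the NixOS defaults, which as far as I know keep password authentication on (root stays key-only), while `docs/vm/installing.md` forwards guest port 22 to the host and runs `passwd truxnell` on this configuration; from that moment the `wheel` account is reachable by password on the forwarded port until the hardened `nixos/hosts/common/nixos/openssh.nix` is switched in. The root key is already declared in `users.users.root.openssh.authorizedKeys.keys`, so the bootstrap host can carry the same setting as the common module without breaking the install flow: `services.openssh.settings.PasswordAuthentication = false;`. It is also worth a comment on `users.users.truxnell` that the account is created with neither a password nor authorized keys and so cannot log in or use sudo until the manual `passwd` step in the docs has run.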
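Review bot: `system.autoUpgrade` fetches `github:truxnell/nix-config` every hour with `--refresh` and switches to it as root, so anyone who can push to that repository's default branch (or to any input it pins) reconfigures every host unattended; nothing in this path verifies signatures or waits for review. That trust boundary belongs next to `flake = ...`, e.g. `# Unattended: whatever lands on this repo's default branch is applied as root on every host within the hour; protect the branch accordingly`, and `inherit (config.networking) hostName;` is unused and can be dropped. Note that `docs/vm/installing.md` clones `szinn/nix-config` while this module points at `truxnell/nix-config`; one of the two looks like a leftover.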
@@ -0,0 +1,64 @@
+{ inputs, outputs, config, sops-nix, ... }: {
+ imports = [
+ # inputs.home-manager.nixosModules.home-manager
+ #inputs.sops-nix.nixosModules.sops
+ ./locale.nix
+ ./nix.nix
+ ./openssh.nix
+ ./packages.nix
+ ] ++ (builtins.attrValues {});
+
+ # home-manager.extraSpecialArgs = { inherit inputs outputs; }; TODO Home-manager
+
+ nixpkgs = {
+ # Configure your nixpkgs instance
+ config = {
+ # Disable if you don't want unfree packages
+ allowUnfree = true;
+ };
+ };
+
+ # TODO Shared sops location
+ # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+
+ # Increase open file limit for sudoers
+ security.pam.loginLimits = [
+ {
+ domain = "@wheel";
+ item = "nofile";
+ type = "soft";
+ value = "524288";
+ }
+ {
+ domain = "@wheel";
+ item = "nofile";
+ type = "hard";
+ value = "1048576";
+ }
+ ];
+
+ # sops.secrets.msmtp = {
+ # sopsFile = ./secret.sops.yaml;
+ # }
+
+ # # TODO Email settings
+ # programs.msmtp = {
+ # enable = true;
+ # accounts.default = {
+ # host = "smtp-relay.mcbadass.local";
+ # from = "${config.networking.hostName}@trux.dev";
+ # };
+ # defaults = {
+ # aliases = "/etc/aliases";
+ # };
+ # };
+
+ environment.etc = {
+ "aliases" = {
+ text = ''
+ root: ${config.networking.hostName}@trux.dev
+ '';
+ mode = "0644";
+ };
+ };
+}
diff --git a/nixos/hosts/common/nixos/locale.nix b/nixos/hosts/common/nixos/locale.nix
new file mode 100644
index 0000000..a96135a
--- /dev/null
+++ b/nixos/hosts/common/nixos/locale.nix
@@ -0,0 +1,6 @@
+{ lib, ... }: {
+ i18n = {
+ defaultLocale = lib.mkDefault "en_US.UTF-8";
+ };
+ time.timeZone = lib.mkDefault "Australia/Melbourne";
+}
diff --git a/nixos/hosts/common/nixos/nix.nix b/nixos/hosts/common/nixos/nix.nix
new file mode 100644
index 0000000..a0bece8
--- /dev/null
+++ b/nixos/hosts/common/nixos/nix.nix
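Review bot: `./auto-upgrade.nix`, added in the same commit next to this file, is missing from `imports`, so no host that pulls in `../common/nixos` actually gets the auto-upgrade timer; either add it to the list or leave a comment stating that it is opt-in per host. The `] ++ (builtins.attrValues {})` tail appends an empty list and `sops-nix` is never used in the body, so `imports = [ ./locale.nix ./nix.nix ./openssh.nix ./packages.nix ];` with `{ config, ... }:` reads the same and evaluates identically. The `/etc/aliases` entry routing root mail to `${config.networking.hostName}@trux.dev` only does something once the commented-out `programs.msmtp` block is enabled; a one-line comment saying so would keep the two from drifting apart.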
@@ -0,0 +1,14 @@
+{ inputs, lib, ... }:
+{
+ nix = {
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ # Delete older generations too
+ options = "--delete-older-than 5d";
+ };
+ };
+}
diff --git a/nixos/hosts/common/nixos/openssh.nix b/nixos/hosts/common/nixos/openssh.nix
new file mode 100644
index 0000000..41380ae
--- /dev/null
+++ b/nixos/hosts/common/nixos/openssh.nix
@@ -0,0 +1,24 @@
+{ outputs, lib, config, ... }:
+
+let
+ inherit (config.networking) hostName;
+ hosts = outputs.nixosConfigurations;
+
+in
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ # Harden
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ # Allow forwarding ports to everywhere
+ GatewayPorts = "clientspecified";
+ };
+ };
+
+ # Passwordless sudo when SSH'ing with keys
+ security.pam.enableSSHAgentAuth = true;
+}
diff --git a/nixos/hosts/common/nixos/packages.nix b/nixos/hosts/common/nixos/packages.nix
new file mode 100644
index 0000000..d4d0385
--- /dev/null
+++ b/nixos/hosts/common/nixos/packages.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ bat
+ jq
+ yq
+ btop
+ neovim
+ vim
+ git
+ dnsutils
+ ];
+
+ programs.mtr.enable = true;
+}
diff --git a/nixos/hosts/common/nixos/users/truxnell/default.nix b/nixos/hosts/common/nixos/users/truxnell/default.nix
new file mode 100644
index 0000000..8af66c1
--- /dev/null
+++ b/nixos/hosts/common/nixos/users/truxnell/default.nix
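Review bot: `security.pam.enableSSHAgentAuth = true` makes sudo succeed for any key offered by the forwarded SSH agent, so the root privilege of this host now follows the agent: a client that forwards its agent to a less trusted machine, or keeps `ForwardAgent yes` in its config, hands that machine passwordless sudo here. The one-line `# Passwordless sudo when SSH'ing with keys` should spell that out, e.g. `# pam_ssh_agent_auth: sudo accepts any key in the forwarded agent that matches the user's authorized keys — forward the agent only from trusted clients`. `GatewayPorts = "clientspecified"` additionally lets every authenticated user bind remote forwards on non-loopback addresses, exposing whatever they forward to the LAN unless the firewall blocks it; keep it only where that is intended. `hostName` and `hosts` in the `let` block are unused and can go.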
@@ -0,0 +1,25 @@
+{ pkgs, config, ... }:
+let ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in
+{
+ users.users.truxnell = {
+ isNormalUser = true;
+ shell = pkgs.fish;
+ # passwordFile = config.sops.secrets.taylor-password.path;
+ # initialHashedPassword = ""; # TODO add key
+ extraGroups = [
+ "wheel"
+ ] ++ ifTheyExist [
+ "network"
+ "samba-users"
+ ];
+
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
+ ];
+
+ packages = [ pkgs.home-manager ];
+ };
+
+ # home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager?
+}
diff --git a/nixos/hosts/common/optional/chrony.nix b/nixos/hosts/common/optional/chrony.nix
new file mode 100644
index 0000000..27af2a9
--- /dev/null
+++ b/nixos/hosts/common/optional/chrony.nix
@@ -0,0 +1,7 @@
+{ inputs, outputs, config, ... }: {
+# Time
+ networking.timeServers = ["10.8.10.1"];
+ services.chrony = {
+ enable = true;
+ };
+}
\ No newline at end of file
diff --git a/nixos/hosts/common/optional/dnscrypt-proxy2.nix b/nixos/hosts/common/optional/dnscrypt-proxy2.nix
new file mode 100644
index 0000000..f1d63cc
--- /dev/null
+++ b/nixos/hosts/common/optional/dnscrypt-proxy2.nix
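Review bot: `shell = pkgs.fish` is unconditional, but `programs.fish.enable` lives in the optional module `../common/optional/fish.nix`; a host that imports this user module without that one gets a login shell that is not registered in `/etc/shells` and, as far as I recall, a NixOS evaluation warning plus a shell missing the Nix profile paths. Either move the `programs.fish` block into this module or guard the shell choice, e.g. `shell = if config.programs.fish.enable then pkgs.fish else pkgs.bash;`. The account has neither `hashedPassword` nor the commented-out `passwordFile`, so it depends on `users.mutableUsers` staying at its default and on `passwd truxnell` having been run by hand; a comment on the `# passwordFile` line saying so would stop a later `users.mutableUsers = false` from silently locking the only `wheel` account.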
@@ -0,0 +1,44 @@
+# Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
+
+{ inputs, outputs, pkgs, config, ... }: {
+
+ # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
+ services.resolved.enable = false;
+
+ # Fix this devices DNS resolv.conf
+ networking = {
+ nameservers = [ "10.8.10.1" ];
+
+ dhcpcd.extraConfig = "nohook resolv.conf";
+ };
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+ settings = {
+ require_dnssec = true;
+
+ forwarding_rules = pkgs.writeText "forwarding-rules.txt" ''
+ natallan.com 10.8.10.1
+ sonarr.trux.dev 10.8.20.11
+ radarr.trux.dev 10.8.20.11
+ lidarr.trux.dev 10.8.20.11
+ qbittorrent.trux.dev 10.8.20.11
+ qbittorrent-lidarr.trux.dev 10.8.20.11
+ syncthing.trux.dev 10.8.20.11
+ qbittorrent-readarr.trux.dev 10.8.20.11
+ filebrowser.trux.dev 10.8.20.11
+ minio.trux.dev 10.8.20.11
+ sabnzbd.trux.dev 10.8.20.11
+ trux.dev 10.8.20.203
+ '';
+
+ server_names = ["NextDNS-f6fe35"];
+
+ static = {
+ "NextDNS-f6fe35" = {
+ stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/common/optional/fish.nix b/nixos/hosts/common/optional/fish.nix
new file mode 100644
index 0000000..e53f255
--- /dev/null
+++ b/nixos/hosts/common/optional/fish.nix
@@ -0,0 +1,10 @@
+{
+ programs.fish = {
+ enable = true;
+ vendor = {
+ completions.enable = true;
+ config.enable = true;
+ functions.enable = true;
+ };
+ };
+}
diff --git a/nixos/hosts/common/optional/monitoring.nix b/nixos/hosts/common/optional/monitoring.nix
new file mode 100644
index 0000000..f504edd
--- /dev/null
+++ b/nixos/hosts/common/optional/monitoring.nix
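Review bot: `networking.nameservers = [ "10.8.10.1" ]` writes the LAN resolver into `/etc/resolv.conf`, so the host's own lookups go straight to `10.8.10.1` in plaintext and never pass through dnscrypt-proxy2; `require_dnssec` and the NextDNS stamp only apply to clients that query the proxy explicitly. The wiki page cited at the top sets `networking.nameservers = [ "127.0.0.1" "::1" ];` so that resolv.conf points at the proxy (which, unless configured otherwise, listens on loopback), and lets the proxy reach `10.8.10.1` solely via `forwarding_rules`. The forwarded zones (`trux.dev`, `natallan.com`) are resolved by internal resolvers without encryption, which is fine on a trusted LAN but deserves a comment beside `forwarding_rules`; likewise the NextDNS profile id in `server_names`/`static` identifies this account's profile, and queries sent by anyone who has it land in that profile's logs, so note that it is account-specific rather than generic config.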
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [
+ "diskstats"
+ "filesystem"
+ "loadavg"
+ "meminfo"
+ "netdev"
+ "stat"
+ "time"
+ "uname"
+ "systemd"
+ ];
+ };
+ smartctl = {
+ enable = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ config.services.prometheus.exporters.node.port
+ config.services.prometheus.exporters.smartctl.port
+ ];
+
+}
\ No newline at end of file
diff --git a/nixos/hosts/common/optional/reboot-required.nix b/nixos/hosts/common/optional/reboot-required.nix
new file mode 100644
index 0000000..8a82672
--- /dev/null
+++ b/nixos/hosts/common/optional/reboot-required.nix
@@ -0,0 +1,37 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ systemd.timers."reboot-required-check" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ # start at boot
+ OnBootSec = "0m";
+ # check every hour
+ OnUnitActiveSec = "1h";
+ Unit = "reboot-required-check.service";
+ };
+ };
+
+ systemd.services."reboot-required-check" = {
+ script = ''
+ #!/usr/bin/env bash
+
+ # compare current system with booted sysetm to determine if a reboot is required
+ if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
+ # check if the '/var/run/reboot-required' file exists and if it does, remove it
+ if [[ -f /var/run/reboot-required ]]; then
+ rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
+ fi
+ else
+ echo "reboot required"
+ touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+}
diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix
new file mode 100644
index 0000000..2eb1f61
--- /dev/null
+++ b/nixos/hosts/nixosvm/default.nix
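Review bot: `networking.firewall.allowedTCPPorts` opens the node and smartctl exporter ports on every interface, and both exporters listen unauthenticated on all addresses unless `listenAddress` is set, so anything that can reach the host reads its metrics (mounted filesystems, systemd unit names, disk identifiers, load and network counters). Limit exposure to the scrape source, e.g. `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ ... ];` or `services.prometheus.exporters.node.listenAddress = "<prometheus-facing address>";` (both placeholders), and add a comment above `enabledCollectors` noting that the `systemd` and `filesystem` collectors enumerate units and mounts so the reader knows what is being published.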
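Review bot: the `#!/usr/bin/env bash` line inside `script` is inert, since NixOS wraps `script` in its own shell (run with `-e`), so it ends up as a comment, and `User = "root"` is already the default for a system service; both can be removed and replaced with a comment stating the contract, e.g. `# Creates /run/reboot-required when the booted kernel/initrd/modules differ from the current generation and removes it once they match again`. Worth noting in that comment that with `set -e` a failing `readlink` aborts the unit before either branch runs. Typo on the comparison comment: `sysetm`.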
@@ -0,0 +1,105 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ # Host-specific
+ ./hardware-configuration.nix
+
+ # Common imports
+ ../common/nixos
+ ../common/nixos/users/truxnell
+ ../common/optional/fish.nix
+ ../common/optional/monitoring.nix
+ ../common/optional/reboot-required.nix
+ ../common/optional/dnscrypt-proxy2.nix
+
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "nixosvm"; # Define your hostname.
+
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkb.options in tty.
+ # };
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+
+
+
+
+ # Configure keymap in X11
+ # services.xserver.xkb.layout = "us";
+ # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
+
diff --git a/nixos/hosts/nixosvm/hardware-configuration.nix b/nixos/hosts/nixosvm/hardware-configuration.nix
new file mode 100644
index 0000000..5a08a8b
--- /dev/null
+++ b/nixos/hosts/nixosvm/hardware-configuration.nix
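Review bot: the host file keeps the generated template's commented-out options (`networking.wireless`, `services.xserver`, `sound`, `networking.firewall`, `programs.mtr`, ...) around the handful of lines that matter, and several of those comments now contradict what the imported modules decide: `../common/nixos` enables and hardens sshd, `locale.nix` sets locale and time zone, `packages.nix` enables `programs.mtr`, and `monitoring.nix` opens firewall ports. Trimming the file to `imports`, `boot.loader.*`, `networking.hostName` and `system.stateVersion`, with a one-line header naming the VM's role and which `../common/optional/*` modules are deliberately included, would leave a file that says what this host is instead of what a fresh install might be.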
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/e9c21872-a682-4418-9fae-a5ff2a16362d";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/5572-019E";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/34d04571-5752-426a-b4bc-48c88a1a4def"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ virtualisation.virtualbox.guest.enable = true;
+}
diff --git a/nixos/hosts/playground/README.md b/nixos/hosts/playground/README.md
new file mode 100644
index 0000000..3d884a9
--- /dev/null
+++ b/nixos/hosts/playground/README.md
@@ -0,0 +1,26 @@
+# Playground NixOS container
+
+Spin up a TTY only container using systemd nspawn to experiment with configuration.
+
+```bash
+# Create container from configuration flake
+sudo nixos-container create playground \
+ --local-address 10.235.1.2 \
+ --host-address 10.235.1.1 \
+ --flake .#playground
+
+# Update container
+sudo nixos-container update playground --flake .#playground
+
+# Start container
+sudo nixos-container start playground
+
+# Attach to container TTY
+sudo nixos-container login playground
+
+# Stop when done testing
+sudo nixos-container stop playground
+
+# Destroy container
+sudo nixos-container destroy playground
+```
diff --git a/nixos/hosts/playground/default.nix b/nixos/hosts/playground/default.nix
new file mode 100644
index 0000000..1de1b7d
--- /dev/null
+++ b/nixos/hosts/playground/default.nix
@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+
+{
+ imports = [ ./playground.nix ];
+ boot.isContainer = true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ networking = {
+ hostName = "playground";
+ useDHCP = false;
+ useHostResolvConf = false;
+ resolvconf.enable = true;
+ resolvconf.extraConfig = ''
+ resolv_conf_local_only=NO
+ name_server_blacklist=127.0.0.1
+ name_servers=1.1.1.1
+ '';
+ };
+ security.sudo.wheelNeedsPassword = false;
+ system.stateVersion = "22.05";
+ nix.gc.automatic = false;
+
+ mySystem.home-manager.enable = false;
+
+ # Workaround for broken home-manager
+ systemd.tmpfiles.rules = [
+ "d /nix/var/nix/gcroots/per-user/${config.mySystem.user} - ${config.mySystem.user} - - -"
+ "d /nix/var/nix/profiles/per-user/${config.mySystem.user} - ${config.mySystem.user} - - -"
+ ];
+}
diff --git a/nixos/hosts/playground/playground.nix b/nixos/hosts/playground/playground.nix
new file mode 100644
index 0000000..4ff0c98
--- /dev/null
+++ b/nixos/hosts/playground/playground.nix
@@ -0,0 +1,3 @@
+{ config, pkgs, lib, inputs, outputs, ... }:
+
+{ }
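Review bot: `mySystem.home-manager.enable = false` and the two `config.mySystem.user` references use an option tree that nothing in this commit declares (`nixos/modules/` contains only a `.gitkeep`), so evaluating `nixosConfigurations.playground` should fail with an undefined-option error before any container setting is applied. Either add the module that declares `mySystem.*` or remove those three lines until it exists; the `# Workaround for broken home-manager` tmpfiles rules have no purpose here anyway while home-manager is not wired in. `security.sudo.wheelNeedsPassword = false` is defensible for a throwaway nspawn container but should carry a comment saying it is intentional for this host only, and `system.stateVersion = "22.05"` differs from the `23.11` used by every other host without an explanation.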
diff --git a/nixos/modules/.gitkeep b/nixos/modules/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/nixos/overlays/.gitkeep b/nixos/overlays/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/nixos/overlays/default.nix b/nixos/overlays/default.nix
new file mode 100644
index 0000000..9240c95
--- /dev/null
+++ b/nixos/overlays/default.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }:
+{
+ unstable-packages = final: _prev: {
+ unstable = import inputs.nixpkgs-unstable {
+ system = final.system;
+ config.allowUnfree = true;
+ };
+ };
+}
diff --git a/nixos/pkgs/.gitkeep b/nixos/pkgs/.gitkeep
new file mode 100644
index 0000000..e69de29
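Review bot: `unstable-packages` is defined but never applied — `flake.nix` exports no `overlays` attribute and the only other mention is the commented-out `# overlays = builtins.attrValues outputs.overlays;` in the bootstrap configuration — so `pkgs.unstable` is not available on any host yet. A comment such as `# Not yet wired in: export from flake.nix as outputs.overlays and add to nixpkgs.overlays on each host` would stop readers assuming it works, and it is worth noting beside `config.allowUnfree = true` that this setting applies to the unstable tree independently of the host's own `nixpkgs.config`.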