feat: initial commit

2024-03-13 22:55:17 +11:00 · 2024-03-13 22:55:17 +11:00 · bbfe9d4a2a
commit bbfe9d4a2a
parent 83635bc30b
27 changed files with 907 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
--- a/README.md
+++ b/README.md
@ -0,0 +1,65 @@
 # Truxnell's homelab
 [![NixOS](https://img.shields.io/badge/NixOS-23.11-blue?style=flat&logo=nixos&logoColor=white)](https://nixos.org)
 Leveraging nix, nix-os to apply machine and home configurations
 ## Background
 Having used a variety of infracture as code solutions - and having found them lacking in some areas, it is time to give nix a go.
 Frustrations with other methods tend to be bitrot and config drift - very annoying to want to do a quick disaster recovery and find your have different versions of modules/utilities, breaking changes in code you didnt catch, etc.
 ## Getting started
 TBC
 ## Goals
 - [ ] Learn nix
 - [ ] Mostly reproduce features from my existing homelab
 - [ ] Replace existing ubuntu-based 'NAS'
 - [ ] Expand usage to other shell environments such as WSL, etc
 - [ ] handle secrets - decide between sweet and simple SOPS or re-use my doppler setup.
 ## TODO
 - [ ] Github Actions update fly.io instances (Bitwarden)
 - [ ] Bring over hosts
  - [ ] DNS01 Raspi4
  - [ ] DNS02 Raspi4
  - [ ] NAS
  - [ ] Latop
  - [ ] WSL
  - [ ] JJY emulator Raspi4
 - [ ] Documentation!
 - [ ] Add license
 - [ ] Add taskfiles
 ## Network map
 TBC
 ## Hardware
 TBC
 ## Applying configuration changes on a local machine can be done as follows:
 ```sh
 cd ~/dotfiles
 sudo nixos-rebuild switch --flake .
 # This will automatically pick the configuration name based on the hostname
 ```
 Applying configuration changes to a remote machine can be done as follows:
 ```sh
 cd ~/dotfiles
 nixos-rebuild switch --flake .#nameOfMachine --target-host machineToSshInto --use-remote-sudo
 ```
 ## Links & References
 - [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)
 - [billimek/dotfiles](https://github.com/billimek/dotfiles/)
 - [Erase your Darlings](https://grahamc.com/blog/erase-your-darlings/)
 - [NixOS Flakes](https://www.tweag.io/blog/2020-07-31-nixos-flakes/)
--- a/docs/vm/installing.md
+++ b/docs/vm/installing.md
@ -0,0 +1,83 @@
 ## Installing a playground VM
 I've used gnome-boxes from my current Fedora laptop for running playground vm's.
 Settings:
 ISO: nixos-minimal
 Hard drive: 32GB
 RAM: 2GB
 EFI: Enable
 Expose port 22 to allow ssh into vm (host port 3022, guest 22)
 ```sh
 # set temp root passwd
 sudo su
 passwd
 ```
 `sshd` is already running, so you can now ssh into the vm remotely for the rest of the setup.
 `ssh root@127.0.0.1 -p 3022`
 ```sh
 # Partitioning
 parted /dev/sda -- mklabel gpt
 parted /dev/sda -- mkpart root ext4 512MB -8GB
 parted /dev/sda -- mkpart swap linux-swap -8GB 100%
 parted /dev/sda -- mkpart ESP fat32 1MB 512MB
 parted /dev/sda -- set 3 esp on
 # Formatting
 mkfs.ext4 -L nixos /dev/sda1
 mkswap -L swap /dev/sda2
 mkfs.fat -F 32 -n boot /dev/sda3
 # Mounting disks for installation
 mount /dev/disk/by-label/nixos /mnt
 mkdir -p /mnt/boot
 mount /dev/disk/by-label/boot /mnt/boot
 swapon /dev/sda2
 # Generating default configuration
 nixos-generate-config --root /mnt
 ```
 From this config copy the bootstrap configuration and fetch the hardware configuration.
 ```sh
 scp -P 3022 nixos/hosts/bootstrap/configuration.nix root@127.0.0.1:/mnt/etc/nixos/configuration.nix
 scp -P 3022 root@127.0.0.1:/mnt/etc/nixos/hardware-configuration.nix nixos/hosts/nixosvm/hardware-configuration.nix
 ```
 Then back to the VM
 ```sh
 nixos-install
 reboot
 nixos-rebuild switch
 ```
 Set the password for the user that was created.
 ```sh
 passwd truxnell
 ```
 Login as user, copy nix git
 ```sh
 mkdir .local
 cd .local
 git clone https://github.com/szinn/nix-config.git
 cd nix-config
 ```
 Apply config to bootstrapped device
 First time around, MUST APPLY <machinename> with name of host in ./hosts/
 This is because `.. --flake .` looks for a `nixosConfigurations` key with the machines hostname
 The bootstrap machine will be called 'nixos-bootstrap' so the flake by default would resolve `nixosConfigurations.nixos-bootstrap`
 Subsequent rebuilds can be called with the default command as after first build the machines hostname will be changed to the desired machine
 ```sh
 nixos-rebuild switch --flake .#<machinename>
 ```
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,53 @@
 {
  description = "My machines";
  inputs = {
    # Nixpkgs and unstable
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    # sops-nix
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # VSCode community extensions
    nix-vscode-extensions = {
      url = "github:nix-community/nix-vscode-extensions";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, ... }@inputs:
    with inputs;
    {
      # Use nixpkgs-fmt for 'nix fmt'
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
       # Each subdirectory in ./machines is a host. Add them all to
      # nixosConfigurations. Host configurations need a file called
      # configuration.nix that will be read first
      nixosConfigurations = builtins.listToAttrs (map
        (x: {
          name = x;
          value = nixpkgs.lib.nixosSystem {
            # Make inputs and the flake itself accessible as module parameters.
            # Technically, adding the inputs is redundant as they can be also
            # accessed with flake-self.inputs.X, but adding them individually
            # allows to only pass what is needed to each module.
            specialArgs = { flake-self = self; } // inputs;
            system = "x86_64-linux";
            modules = [
              (./nixos/hosts + "/${x}/default.nix")
            ];
          };
        })
        (builtins.attrNames (builtins.readDir ./nixos/hosts)));
 };
 }
--- a/nixos/home-manager/.gitkeep
+++ b/nixos/home-manager/.gitkeep
@ -0,0 +1,59 @@
 My home infrastructure, 
 ![](https://imgur.com/ISNnzgN.png)
 ## Structure
 - [flake.nix](flake.nix) (Entrypoint for rebuilding via nixos-rebuild or home-manager)
 - [flake.lock](flake.lock) (lockfile for current nix flake state, updated daily via [github action](.github/workflows/main.yml))
  - [home-manager](home-manager) (User level configuration per machine via home-manager)
  - [hosts](hosts/README.md) - (Definition of physical/virutal hosts)
    - [common](hosts/common) (Role definitions [Desktop, Laptop, Server])
      - [darwin](hosts/common/darwin) (global host configuration used across all darwin hosts)
      - [nixos](hosts/common/nixos) (global host configuration used across all NixOS hosts)
      - [optional](hosts/common/optional) (optional host configuration used as-needed per host)
    - [nas](hosts/nas/README.md) (NixOS NAS server)
    - [home](hosts/home/README.md) (NixOS VM running in NAS)
    - [cloud](hosts/cloud/README.md) (NixOS VM running in Oracle Cloud)
    - [k3s-f](hosts/k3s-f/README.md) (NixOS running on an N100 tiny PC as a k3s node)
    - [k3s-g](hosts/k3s-g/README.md) (NixOS running on an N100 tiny PC as a k3s node)
    - [k3s-h](hosts/k3s-h/README.md) (NixOS running on an N100 tiny PC as a k3s node)
    - [jeffs_laptop](hosts/jeffs_laptop/README.md) (nix-darwin running on a MacBook Pro)
    - [jens_laptop](hosts/jens_laptop/README.md) (nix-darwin running on a MacBook Air)
    - [work_laptop](hosts/work_laptop/README.md) (nix-darwin running on a MacBook Pro)
  - [modules](modules) (Custom NixOS and home-manager modules)
  - [overlays](overlays) (Custom overlays, primarily used for packages currently)
  - [pkgs](pkgs) (Custom Packages, mainly items not yet in official nixpkgs) 
 - [shell.nix](shell.nix) (Shell for bootstrapping flake-enabled nix and home-manager)
 - [nixpkgs.nix](nixpkgs.nix) (Used by shell.nix - useful to avoid using channels when using legacy nix commands)
 ## Background
 Everyone keeps gushing about how amazing Nix is and I want to get in on the hype cycle
 ## Goals
 - [x] Learn nix
 - [x] Mostly reproduce features from my existing [dotfiles](https://github.com/billimek/dotfiles)
 - [x] Replace existing ubunut-based 'home VM'
 - [x] Expand usage to other shell environments such as WSL, Macbook, etc
 - [x] handle secrets - ideally using 1Password and not SOPS - using git-crypt for now
 - [x] try agenix for secrets handling
 - [ ] introduce the concept of [impermanence](https://github.com/nix-community/impermanence) where appropriate
 ## References
 - [Misterio77/nix-starter-config](https://github.com/Misterio77/nix-starter-configs)
 - [How to learn Nix](https://ianthehenry.com/posts/how-to-learn-nix/)
 - [home-manager](https://github.com/nix-community/home-manager)
 - [Zero to Nix: Everything I Know About Nix & NixOS](https://chetanbhasin.com/articles/zero-to-nix-everything-i-know-about-nix-nixos)
 - [Walkthrough of Nix Install and Setup on MacOS (YouTube)](https://www.youtube.com/watch?v=LE5JR4JcvMg)
 - [NixOS as a server, part 1: Impermanence](https://guekka.github.io/nixos-server-1/)
 - [budimanjojo/dotfiles](https://github.com/budimanjojo/dotfiles/tree/master/nixos)
 - [wrmilling/nixos-configuration](https://github.com/wrmilling/nixos-configuration)
 - [gshpychka/dotfiles-nix](https://github.com/gshpychka/dotfiles-nix)
 - [wimpysworld/nix-config](https://github.com/wimpysworld/nix-config)
 ## Old Dotfiles
 Old dotfiles are still accessible in [archive branch](https://github.com/billimek/dotfiles/tree/archive)
--- a/nixos/hosts/bootstrap/configuration.nix
+++ b/nixos/hosts/bootstrap/configuration.nix
@ -0,0 +1,144 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 { config, lib, pkgs, ... }:
 {
  imports =
    [ 
      # Host-specific
      ./hardware-configuration.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking = {
    hostName = "nixos-bootstrap";
    dhcpcd.enable = true;
  };
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Australia/Melbourne";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.truxnell = {
    isNormalUser = true;
    extraGroups = ["wheel"]; # Enable ‘sudo’ for the user.
    packages = with pkgs; [
    ];
  };
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    btop
    git
    curl
    wget
  ];
  nix = {
    settings = {
      experimental-features = ["nix-command" "flakes"];
      warn-dirty = false;
    };
  };
  nixpkgs = {
    # overlays = builtins.attrValues outputs.overlays;
    config = {
      allowUnfree = true;
    };
  };
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # TODO Harden SSH
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
  ];
  # may fix issues with network service failing during a nixos-rebuild
  systemd.services.NetworkManager-wait-online.enable = lib.mkForce false;
  systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/nixos/hosts/common/nixos/auto-upgrade.nix
+++ b/nixos/hosts/common/nixos/auto-upgrade.nix
@ -0,0 +1,19 @@
 {
  config,
  inputs,
  ...
 }: let
  inherit (config.networking) hostName;
  # Only enable auto upgrade if current config came from a clean tree
  # This avoids accidental auto-upgrades when working locally.
  isClean = inputs.self ? rev;
 in {
  system.autoUpgrade = {
    enable = isClean;
    dates = "hourly";
    flags = [
      "--refresh"
    ];
    flake = "github:truxnell/nix-config";
  };
 }
--- a/nixos/hosts/common/nixos/default.nix
+++ b/nixos/hosts/common/nixos/default.nix
@ -0,0 +1,64 @@
 { inputs, outputs, config, sops-nix, ... }: {
  imports = [
    # inputs.home-manager.nixosModules.home-manager
    #inputs.sops-nix.nixosModules.sops
    ./locale.nix
    ./nix.nix
    ./openssh.nix
    ./packages.nix
  ] ++ (builtins.attrValues {});
  # home-manager.extraSpecialArgs = { inherit inputs outputs; }; TODO Home-manager
  nixpkgs = {
    # Configure your nixpkgs instance
    config = {
      # Disable if you don't want unfree packages
      allowUnfree = true;
    };
  };
  # TODO Shared sops location
  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # Increase open file limit for sudoers
  security.pam.loginLimits = [
    {
      domain = "@wheel";
      item = "nofile";
      type = "soft";
      value = "524288";
    }
    {
      domain = "@wheel";
      item = "nofile";
      type = "hard";
      value = "1048576";
    }
  ];
  # sops.secrets.msmtp = {
  #   sopsFile = ./secret.sops.yaml;
  # }
  # # TODO Email settings
  # programs.msmtp = {
  #   enable = true;
  #   accounts.default = {
  #     host = "smtp-relay.mcbadass.local";
  #     from = "${config.networking.hostName}@trux.dev";
  #   };
  #   defaults = {
  #     aliases = "/etc/aliases";
  #   };
  # };
  environment.etc = {
    "aliases" = {
      text = ''
        root: ${config.networking.hostName}@trux.dev
      '';
      mode = "0644";
    };
  };
 }
--- a/nixos/hosts/common/nixos/locale.nix
+++ b/nixos/hosts/common/nixos/locale.nix
@ -0,0 +1,6 @@
 { lib, ... }: {
  i18n = {
    defaultLocale = lib.mkDefault "en_US.UTF-8";
  };
  time.timeZone = lib.mkDefault "Australia/Melbourne";
 }
--- a/nixos/hosts/common/nixos/nix.nix
+++ b/nixos/hosts/common/nixos/nix.nix
@ -0,0 +1,14 @@
 { inputs, lib, ... }:
 {
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
    };
    gc = {
      automatic = true;
      dates = "weekly";
      # Delete older generations too
      options = "--delete-older-than 5d";
    };
  };
 }
--- a/nixos/hosts/common/nixos/openssh.nix
+++ b/nixos/hosts/common/nixos/openssh.nix
@ -0,0 +1,24 @@
 { outputs, lib, config, ... }:
 let
  inherit (config.networking) hostName;
  hosts = outputs.nixosConfigurations;
 in
 {
  services.openssh = {
    enable = true;
    settings = {
      # Harden
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      # Automatically remove stale sockets
      StreamLocalBindUnlink = "yes";
      # Allow forwarding ports to everywhere
      GatewayPorts = "clientspecified";
    };
  };
  # Passwordless sudo when SSH'ing with keys
  security.pam.enableSSHAgentAuth = true;
 }
--- a/nixos/hosts/common/nixos/packages.nix
+++ b/nixos/hosts/common/nixos/packages.nix
@ -0,0 +1,15 @@
 { config, pkgs, lib, ... }:
 {
  environment.systemPackages = with pkgs; [
    bat
    jq
    yq
    btop
    neovim
    vim
    git
    dnsutils
  ];
  programs.mtr.enable = true;
 }
--- a/nixos/hosts/common/nixos/users/truxnell/default.nix
+++ b/nixos/hosts/common/nixos/users/truxnell/default.nix
@ -0,0 +1,25 @@
 { pkgs, config, ... }:
 let ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in
 {
  users.users.truxnell = {
    isNormalUser = true;
    shell = pkgs.fish;
    # passwordFile = config.sops.secrets.taylor-password.path;
    # initialHashedPassword = ""; # TODO add key
    extraGroups = [
      "wheel"
    ] ++ ifTheyExist [
      "network"
      "samba-users"
    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
    ];
    packages = [ pkgs.home-manager ];
  };
  # home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager?
 }
--- a/nixos/hosts/common/optional/chrony.nix
+++ b/nixos/hosts/common/optional/chrony.nix
@ -0,0 +1,7 @@
 { inputs, outputs, config, ... }: {
 # Time
  networking.timeServers = ["10.8.10.1"];
  services.chrony = {
    enable = true;
  };
 }
--- a/nixos/hosts/common/optional/dnscrypt-proxy2.nix
+++ b/nixos/hosts/common/optional/dnscrypt-proxy2.nix
@ -0,0 +1,44 @@
 # Ref: https://nixos.wiki/wiki/Encrypted_DNS#dnscrypt-proxy2
 { inputs, outputs, pkgs, config, ... }: {
  # Disable resolvd to ensure it doesnt re-write /etc/resolv.conf
  services.resolved.enable = false;
  # Fix this devices DNS resolv.conf
  networking = {
    nameservers = [ "10.8.10.1" ];
    dhcpcd.extraConfig = "nohook resolv.conf";
  };
  services.dnscrypt-proxy2 = {
    enable = true;
    settings = {
        require_dnssec = true;
        forwarding_rules = pkgs.writeText "forwarding-rules.txt" ''
          natallan.com 10.8.10.1
          sonarr.trux.dev 10.8.20.11
          radarr.trux.dev 10.8.20.11
          lidarr.trux.dev 10.8.20.11
          qbittorrent.trux.dev 10.8.20.11
          qbittorrent-lidarr.trux.dev 10.8.20.11
          syncthing.trux.dev 10.8.20.11
          qbittorrent-readarr.trux.dev 10.8.20.11
          filebrowser.trux.dev 10.8.20.11
          minio.trux.dev 10.8.20.11
          sabnzbd.trux.dev 10.8.20.11
          trux.dev   10.8.20.203
        '';
         server_names = ["NextDNS-f6fe35"];
         static = { 
            "NextDNS-f6fe35" = {
            stamp = "sdns://AgEAAAAAAAAAAAAOZG5zLm5leHRkbnMuaW8HL2Y2ZmUzNQ";
          };
        };
    };
  };
 }
--- a/nixos/hosts/common/optional/fish.nix
+++ b/nixos/hosts/common/optional/fish.nix
@ -0,0 +1,10 @@
 {
  programs.fish = {
    enable = true;
    vendor = {
      completions.enable = true;
      config.enable = true;
      functions.enable = true;
    };
  };
 }
--- a/nixos/hosts/common/optional/monitoring.nix
+++ b/nixos/hosts/common/optional/monitoring.nix
@ -0,0 +1,29 @@
 { config, pkgs, lib, ... }:
 {
  services.prometheus.exporters = {
    node = {
      enable = true;
      enabledCollectors = [
        "diskstats"
        "filesystem"
        "loadavg"
        "meminfo"
        "netdev"
        "stat"
        "time"
        "uname"
        "systemd"
      ];
    };
    smartctl = {
      enable = true;
    };
  };
  networking.firewall.allowedTCPPorts = [
    config.services.prometheus.exporters.node.port
    config.services.prometheus.exporters.smartctl.port
  ];
 }
--- a/nixos/hosts/common/optional/reboot-required.nix
+++ b/nixos/hosts/common/optional/reboot-required.nix
@ -0,0 +1,37 @@
 {
  config,
  pkgs,
  ...
 }: {
  systemd.timers."reboot-required-check" = {
    wantedBy = ["timers.target"];
    timerConfig = {
      # start at boot
      OnBootSec = "0m";
      # check every hour
      OnUnitActiveSec = "1h";
      Unit = "reboot-required-check.service";
    };
  };
  systemd.services."reboot-required-check" = {
    script = ''
      #!/usr/bin/env bash
      # compare current system with booted sysetm to determine if a reboot is required
      if [[ "$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" == "$(readlink /run/current-system/{initrd,kernel,kernel-modules})" ]]; then
        # check if the '/var/run/reboot-required' file exists and if it does, remove it
        if [[ -f /var/run/reboot-required ]]; then
          rm /var/run/reboot-required || { echo "Failed to remove /var/run/reboot-required"; exit 1; }
        fi
      else
        echo "reboot required"
        touch /var/run/reboot-required || { echo "Failed to create /var/run/reboot-required"; exit 1; }
      fi
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
    };
  };
 }
--- a/nixos/hosts/nixosvm/default.nix
+++ b/nixos/hosts/nixosvm/default.nix
@ -0,0 +1,105 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 { config, lib, pkgs, ... }:
 {
  imports =
    [ 
      # Host-specific
      ./hardware-configuration.nix
      # Common imports
      ../common/nixos
      ../common/nixos/users/truxnell
      ../common/optional/fish.nix
      ../common/optional/monitoring.nix
      ../common/optional/reboot-required.nix
      ../common/optional/dnscrypt-proxy2.nix
    ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "nixosvm"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;
  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  # List services that you want to enable:
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/nixos/hosts/nixosvm/hardware-configuration.nix
+++ b/nixos/hosts/nixosvm/hardware-configuration.nix
@ -0,0 +1,37 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [ ];
  boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/e9c21872-a682-4418-9fae-a5ff2a16362d";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/5572-019E";
      fsType = "vfat";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/34d04571-5752-426a-b4bc-48c88a1a4def"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  virtualisation.virtualbox.guest.enable = true;
 }
--- a/nixos/hosts/playground/README.md
+++ b/nixos/hosts/playground/README.md
@ -0,0 +1,26 @@
 # Playground NixOS container
 Spin up a TTY only container using systemd nspawn to experiment with configuration.
 ```bash
 # Create container from configuration flake
 sudo nixos-container create playground \
    --local-address 10.235.1.2 \
    --host-address 10.235.1.1 \
    --flake .#playground
 # Update container
 sudo nixos-container update playground --flake .#playground
 # Start container
 sudo nixos-container start playground
 # Attach to container TTY
 sudo nixos-container login playground
 # Stop when done testing
 sudo nixos-container stop playground
 # Destroy container
 sudo nixos-container destroy playground
 ```
--- a/nixos/hosts/playground/default.nix
+++ b/nixos/hosts/playground/default.nix
@ -0,0 +1,29 @@
 { config, lib, ... }:
 {
  imports = [ ./playground.nix ];
  boot.isContainer = true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  networking = {
    hostName = "playground";
    useDHCP = false;
    useHostResolvConf = false;
    resolvconf.enable = true;
    resolvconf.extraConfig = ''
      resolv_conf_local_only=NO
      name_server_blacklist=127.0.0.1
      name_servers=1.1.1.1
    '';
  };
  security.sudo.wheelNeedsPassword = false;
  system.stateVersion = "22.05";
  nix.gc.automatic = false;
  mySystem.home-manager.enable = false;
  # Workaround for broken home-manager
  systemd.tmpfiles.rules = [
    "d /nix/var/nix/gcroots/per-user/${config.mySystem.user} - ${config.mySystem.user} - - -"
    "d /nix/var/nix/profiles/per-user/${config.mySystem.user} - ${config.mySystem.user} - - -"
  ];
 }
--- a/nixos/hosts/playground/playground.nix
+++ b/nixos/hosts/playground/playground.nix
@ -0,0 +1,3 @@
 { config, pkgs, lib, inputs, outputs, ... }:
 { }
--- a/nixos/modules/.gitkeep
+++ b/nixos/modules/.gitkeep
--- a/nixos/overlays/.gitkeep
+++ b/nixos/overlays/.gitkeep
--- a/nixos/overlays/default.nix
+++ b/nixos/overlays/default.nix
@ -0,0 +1,9 @@
 { inputs, ... }:
 {
  unstable-packages = final: _prev: {
    unstable = import inputs.nixpkgs-unstable {
      system = final.system;
      config.allowUnfree = true;
    };
  };
 }
--- a/nixos/pkgs/.gitkeep
+++ b/nixos/pkgs/.gitkeep
		`@ -0,0 +1,3 @@`
							`{ config, pkgs, lib, inputs, outputs, ... }:`

							`{ }`