From 454aae8f88aea503bd017a79eb5622b9cbbe5cff Mon Sep 17 00:00:00 2001 
From: prescientmoon Date: Mon, 26 Aug 2024 17:38:47 +0200 Subject: [PATCH] Prepare calypso install --- .sops.yaml | 17 ++- README.md | 4 +- common/fonts.nix | 19 ++- flake.lock | 8 +- flake.nix | 113 +++++++++++------- home/calypso.nix | 74 ++++++++++++ home/euporie.nix | 11 -- home/features/cli/productivity/secrets.yaml | 19 ++- home/features/desktop/default.nix | 3 + home/features/desktop/wakatime/secrets.yaml | 19 ++- home/global.nix | 24 ++-- home/lapetus.nix | 1 + home/tethys.nix | 25 ++-- hosts/nixos/calypso/default.nix | 56 +++++++++ hosts/nixos/calypso/filesystems/default.nix | 40 +++++++ .../nixos/calypso/filesystems/partitions.nix | 102 ++++++++++++++++ hosts/nixos/calypso/hardware/default.nix | 28 +++++ hosts/nixos/calypso/keys/id_ed25519.pub | 1 + .../calypso/keys/ssh_host_ed25519_key.pub | 1 + hosts/nixos/calypso/keys/ssh_host_rsa_key.pub | 1 + hosts/nixos/calypso/services/snapper.nix | 37 ++++++ hosts/nixos/common/global/cli/sudo.nix | 12 -- hosts/nixos/common/global/default.nix | 24 ++-- .../nixos/common/global/services/openssh.nix | 33 +++-- .../nixos/common/optional/desktop/default.nix | 8 ++ hosts/nixos/common/optional/oci.nix | 10 +- hosts/nixos/common/secrets.yaml | 48 +++++--- hosts/nixos/common/users/pilot.nix | 16 ++- hosts/nixos/euporie/default.nix | 20 ---- hosts/nixos/iso/default.nix | 13 ++ hosts/nixos/lapetus/default.nix | 24 ++-- hosts/nixos/lapetus/secrets.yaml | 29 +++-- hosts/nixos/lapetus/services/jupyter.nix | 48 +++++--- hosts/nixos/lapetus/services/zfs.nix | 15 +-- hosts/nixos/tethys/default.nix | 71 +++-------- hosts/nixos/tethys/hardware/default.nix | 18 +++ 36 files changed, 707 insertions(+), 285 deletions(-) create mode 100644 home/calypso.nix delete mode 100644 home/euporie.nix create mode 100644 hosts/nixos/calypso/default.nix create mode 100644 hosts/nixos/calypso/filesystems/default.nix create mode 100644 hosts/nixos/calypso/filesystems/partitions.nix create mode 100644 hosts/nixos/calypso/hardware/default.nix create 
mode 100755 hosts/nixos/calypso/keys/id_ed25519.pub create mode 100755 hosts/nixos/calypso/keys/ssh_host_ed25519_key.pub create mode 100755 hosts/nixos/calypso/keys/ssh_host_rsa_key.pub create mode 100644 hosts/nixos/calypso/services/snapper.nix delete mode 100644 hosts/nixos/common/global/cli/sudo.nix create mode 100644 hosts/nixos/common/optional/desktop/default.nix delete mode 100644 hosts/nixos/euporie/default.nix create mode 100644 hosts/nixos/iso/default.nix diff --git a/.sops.yaml b/.sops.yaml index 54d4a42..673f5d3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,26 +1,33 @@ keys: - &users: - - &prescientmoon age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + - &prescientmoon_tethys age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + - &prescientmoon_calypso age13c346xw9kzsvra04ck8h8pa47mwdp8nh3aess4pwhyvdsufyhf0qt65ja8 - &hosts: - &tethys age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs - &lapetus age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 + - &calypso age18gengezksnt0wtc3sv28ypmx546quzeg88kw5s8sywxyje5rmqyqh9daxe creation_rules: - path_regex: hosts/nixos/common/secrets.yaml key_groups: - age: - - *prescientmoon + - *prescientmoon_tethys + - *prescientmoon_calypso - *tethys - *lapetus + - *calypso - path_regex: hosts/nixos/lapetus/secrets.yaml key_groups: - age: - - *prescientmoon + - *prescientmoon_tethys + - *prescientmoon_calypso - *lapetus - path_regex: home/features/desktop/wakatime/secrets.yaml key_groups: - age: - - *prescientmoon + - *prescientmoon_tethys + - *prescientmoon_calypso - path_regex: home/features/cli/productivity/secrets.yaml key_groups: - age: - - *prescientmoon + - *prescientmoon_tethys + - *prescientmoon_calypso diff --git a/README.md b/README.md index 9b07aff..5bee2b3 100644 --- a/README.md +++ b/README.md 
@@ -17,9 +17,9 @@ The current state of this repo is a refactor of my old, messy nixos config, base This repo's structure is based on the concept of hosts - individual machines configured by me. I'm naming each host based on things in space/mythology (_they are the same picture_). The hosts I have right now are: -- [tethys](./hosts/nixos/tethys/) — my personal laptop +- [calypso](./hosts/nixos/calypso/) — my personal laptop +- [tethys](./hosts/nixos/tethys/) — my previous personal laptop - [lapetus](./hosts/nixos/lapetus/) — older laptop running as a server -- [euporie](./hosts/nixos/euporie/) — barebones host for testing things insdie a VM - enceladus — my android phone. Although not configured using nix, this name gets referenced in some places ## File structure diff --git a/common/fonts.nix b/common/fonts.nix index ced7ab8..c42d5f7 100644 --- a/common/fonts.nix +++ b/common/fonts.nix @@ -1,13 +1,24 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ stylix.fonts = { # monospace = { name = "Iosevka"; package = pkgs.iosevka; }; - monospace = { name = "Cascadia Code"; package = pkgs.cascadia-code; }; - sansSerif = { name = "CMUSansSerif"; package = pkgs.cm_unicode; }; - serif = { name = "CMUSerif-Roman"; package = pkgs.cm_unicode; }; + monospace = { + name = "Cascadia Code"; + package = pkgs.cascadia-code; + }; + sansSerif = { + name = "CMUSansSerif"; + package = pkgs.cm_unicode; + }; + serif = { + name = "CMUSerif-Roman"; + package = pkgs.cm_unicode; + }; sizes = { desktop = 13; applications = 15; + terminal = 25; }; }; } diff --git a/flake.lock b/flake.lock index f94e3bd..2b813ba 100644 --- a/flake.lock +++ b/flake.lock 
@@ -491,11 +491,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1720411406, - "narHash": "sha256-Z3tMBbMeYQKz1YYmSnbLglG9lm1l/EU+h3CFPJCli4I=", + "lastModified": 1723521794, + "narHash": "sha256-mmcakr+6z7/SDg+e2p1TYQorjYvUzWqG2KUIsmikARM=", "ref": "refs/heads/master", - "rev": "a2a2d880d5ec199ee333c9bf929865d65f92a1d4", - "revCount": 3677, + "rev": "abafaabfa893ac432bae898a8652bc4a83c49d27", + "revCount": 3727, "type": "git", "url": "https://gitlab.com/rycee/nur-expressions?dir=pkgs/firefox-addons" }, diff --git a/flake.nix b/flake.nix index 4d255b7..c911068 100644 --- a/flake.nix +++ b/flake.nix @@ -60,7 +60,7 @@ spicetify-nix.inputs.nixpkgs.follows = "nixpkgs"; # }}} # {{{ Theming - darkmatter-grub-theme.url = gitlab:VandalByte/darkmatter-grub-theme; + darkmatter-grub-theme.url = "gitlab:VandalByte/darkmatter-grub-theme"; darkmatter-grub-theme.inputs.nixpkgs.follows = "nixpkgs"; stylix.url = "github:danth/stylix/a33d88cf8f75446f166f2ff4f810a389feed2d56"; @@ -73,7 +73,13 @@ }; # }}} - outputs = { self, nixpkgs, home-manager, ... }@inputs: + outputs = + { + self, + nixpkgs, + home-manager, + ... + }@inputs: let # {{{ Common helpers inherit (self) outputs; 
@@ -84,33 +90,37 @@ upkgs = inputs.nixpkgs-unstable.legacyPackages.${system}; }; - # }}} in + # }}} { # {{{ Packages # Accessible through 'nix build', 'nix shell', etc - packages = forAllSystems - (system: - let - pkgs = nixpkgs.legacyPackages.${system}; - upkgs = inputs.nixpkgs-unstable.legacyPackages.${system}; - myPkgs = import ./pkgs { inherit pkgs upkgs; }; - in - myPkgs // { - octodns = upkgs.octodns.withProviders - (ps: [ myPkgs.octodns-cloudflare ]); - } // (import ./dns/pkgs.nix) { inherit pkgs self system; } - ); + packages = forAllSystems ( + system: + let + pkgs = nixpkgs.legacyPackages.${system}; + upkgs = inputs.nixpkgs-unstable.legacyPackages.${system}; + myPkgs = import ./pkgs { inherit pkgs upkgs; }; + in + myPkgs + // { + octodns = upkgs.octodns.withProviders (ps: [ myPkgs.octodns-cloudflare ]); + } + // (import ./dns/pkgs.nix) { inherit pkgs self system; } + ); # }}} # {{{ Bootstrapping and other pinned devshells # Accessible through 'nix develop' - devShells = forAllSystems - (system: - let - pkgs = nixpkgs.legacyPackages.${system}; - args = { inherit pkgs; } // specialArgs system; - in - import ./devshells args); + devShells = forAllSystems ( + system: + let + pkgs = nixpkgs.legacyPackages.${system}; + args = { + inherit pkgs; + } // specialArgs system; + in + import ./devshells args + ); # }}} # {{{ Overlays and modules # Custom packages and modifications, exported as overlays 
@@ -126,24 +136,38 @@ # NixOS configuration entrypoint # Available through 'nixos-rebuild --flake .#... nixosConfigurations = - let nixos = { system, hostname }: nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = specialArgs system; + let + nixos = + { system, hostname }: + nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = specialArgs system; - modules = [ - home-manager.nixosModules.home-manager - { - home-manager.users.pilot = import ./home/${hostname}.nix; - home-manager.extraSpecialArgs = specialArgs system // { inherit hostname; }; - home-manager.useUserPackages = true; + modules = [ + # {{{ Import home manager + ( + { lib, ... }: + { + imports = lib.lists.optional (builtins.pathExists ./home/${hostname}.nix) [ + home-manager.nixosModules.home-manager + { + home-manager.users.pilot = import ./home/${hostname}.nix; + home-manager.extraSpecialArgs = specialArgs system // { + inherit hostname; + }; + home-manager.useUserPackages = true; - stylix.homeManagerIntegration.followSystem = false; - stylix.homeManagerIntegration.autoImport = false; - } + stylix.homeManagerIntegration.followSystem = false; + stylix.homeManagerIntegration.autoImport = false; + } + ]; + } + ) + # }}} - ./hosts/nixos/${hostname} - ]; - }; + ./hosts/nixos/${hostname} + ]; + }; in { tethys = nixos { @@ -156,14 +180,15 @@ hostname = "lapetus"; }; - # Disabled because `flake check` complains about filesystems and bootloader - # options not being set. This is not an issue in practice, as this config is - # supposed to be used inside a VM, but there's not much I can do about it. - # euporie = nixos { - # system = "x86_64-linux"; - # hostname = "euporie"; - # }; + calypso = nixos { + system = "x86_64-linux"; + hostname = "calypso"; + }; + iso = nixos { + system = "x86_64-linux"; + hostname = "iso"; + }; }; # }}} }; diff --git a/home/calypso.nix b/home/calypso.nix new file mode 100644 index 0000000..5921247 --- /dev/null +++ b/home/calypso.nix 
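Review bot: `lib.lists.optional` wraps its argument in a list, so the new `imports = lib.lists.optional (builtins.pathExists ./home/${hostname}.nix) [ … ]` yields a nested list whenever the home file exists, and the module system rejects nested lists in `imports` ("Module imports can't be nested lists"). That is the branch every current host with a `home/<hostname>.nix` (tethys, lapetus, calypso) takes; only the new `iso` host gets the empty list. The plural form is the one wanted here: `imports = lib.lists.optionals (builtins.pathExists ./home/${hostname}.nix) [`. The `nixosConfigurations` attribute this sits in continues into the next hunk.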
@@ -0,0 +1,74 @@ +{ pkgs, ... }: +{ + imports = [ + ./global.nix + + ./features/desktop/zathura.nix + ./features/desktop/spotify.nix + ./features/desktop/obsidian.nix + ./features/desktop/foot.nix + ./features/desktop/firefox + ./features/desktop/discord + ./features/cli/productivity + ./features/cli/pass.nix + ./features/cli/zellij.nix + ./features/cli/nix-index.nix + ./features/cli/catgirl.nix + ./features/cli/lazygit.nix + ./features/wayland/hyprland + ./features/neovim + ]; + + # Arbitrary extra packages + home.packages = with pkgs; [ + # {{{ Communication + # signal-desktop # Signal client + element-desktop # Matrix client + # zoom-us # Zoom client 🤮 + # }}} + # {{{ Editors for different formats + gimp # Image editing + # lmms # Music software + # kicad # PCB editing + # libreoffice # Free office suite + # }}} + # {{{ Gaming + # wine # Windows compat layer or whatever + # lutris # Game launcher + # }}} + # {{{ Clis + sops # Secret editing + # sherlock # Search for usernames across different websites + # }}} + # {{{ Misc + bitwarden # Password-manager + qbittorrent # Torrent client + # google-chrome # Not my primary browser, but sometimes needed in webdev + # plover.dev # steno engine + + overskride # Bluetooth client + # }}} + # {{{ Media playing/recording + mpv # Video player + imv # Image viewer + # peek # GIF recorder + # obs-studio # video recorder + # }}} + ]; + + home.username = "moon"; + home.stateVersion = "24.05"; + + satellite = { + # Symlink some commonly modified dotfiles outside the nix store + dev.enable = true; + + monitors = [ + { + name = "eDP-1"; + width = 1920; + height = 1080; + } + ]; + }; +} diff --git a/home/euporie.nix b/home/euporie.nix deleted file mode 100644 index ba4ea0c..0000000 --- a/home/euporie.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - imports = [ - ./global.nix - ./features/wayland/hyprland - ]; - - # Set up my custom imperanence wrapper - satellite.persistence = { - enable = true; - }; -} 
diff --git a/home/features/cli/productivity/secrets.yaml b/home/features/cli/productivity/secrets.yaml index 9f7e466..5845add 100644 --- a/home/features/cli/productivity/secrets.yaml +++ b/home/features/cli/productivity/secrets.yaml @@ -12,11 +12,20 @@ sops: - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYkx3eWhxZUpTRVR3R1R4 - Vm9hMTVsbXBnU0tFU093amU3TTNjalhsVHdvCmZURElTY2Q0eTQvR3M1V3AzTVl4 - VkR2NXRHR2FiTURqNUp5Y3VDWFQ1UjgKLS0tIEVlRWs3YUFaZzdvd1Q5bmFwazJi - Y2E3bmM1TkZoOEN0anJqYUNSQUN5ZDAKtobUBBKbfaUeiPtKN4/oTNaxY3C2joCK - 8h4FlRLXd+CGnAyjN2p4FliWzLgmOg4HFNmZSmYLpIh4E9yqadNSSg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTk5WWWlsK2ZyTEJEQjFH + ZW1XWm9uTlZBeXB2ZUFzaDVYUTNlSDh3aWpnClRmbExNQmRXMVVNS3BYODF1d2Ez + bVQ3UGZ5TTMrdm5GVjlQMk5sak55Qk0KLS0tIEVLVys2cnJ0Z0EvRmpUV3B2Nk9J + NzVJZmpmODYramRNaHFxL0wzOHduSTgKgq0kqWffjhQnXoiBvsBYCTxHoA6u1jug + xb5LuisZElikx3BVKoNV1HpuUwWe83VSK2hJw1lfpQZ/DFByrv5YfA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13c346xw9kzsvra04ck8h8pa47mwdp8nh3aess4pwhyvdsufyhf0qt65ja8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcFlQYjZ1N0JrSnVoUENB + MXl2Um9PMEhCVHFySU1MWnpqNjcxamZJRjJ3CjlMS1N3TjdxOVl1REZ3M2hSYlhi + VW9qZy9FbnJqKy9ObVc5bGNNRksrT3MKLS0tIDY5aGVZUVpkVUgvSVFHbFcwOWVY + SFVUTlpIaDlZUDhJT3hicWpxRzBia2sK6hu2aJMyHMYRwlEkbcPDtqUlU9VsDCsR + fBXvietF/w/TpfY+G2fCEDcWJAtQ7lLM0tNiiNqbUQwWBWddPVyPBA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-02-12T23:55:37Z" mac: ENC[AES256_GCM,data:RvJMumDJ2S8JgHwRLG/jhyj1a/ekBmjbzFFk7+6hrDg1/Zi8UzzATLEsEBUhX0X4vlqHBUxv4r61SQEroCl5GXBst+Wtac/zxMGIKm5PDH92HccjJhi4aftGP22PHlYCEOis7+D/Vw7W8ovRCFpEYVxxslxibCIo9RuUf8vDE94=,iv:kavw38JSPem1eChO+ntLwLFt6bAJT1rd8s00nmHNzGY=,tag:QuncWa50NvpLqMZGS0F9ug==,type:str] diff --git a/home/features/desktop/default.nix b/home/features/desktop/default.nix index 145731d..a231960 100644 
--- a/home/features/desktop/default.nix +++ b/home/features/desktop/default.nix @@ -15,4 +15,7 @@ package = pkgs.papirus-icon-theme; name = "Papirus"; }; + + # Bigger text in qt apps + home.sessionVariables.QT_SCREEN_SCALE_FACTORS = 1.4; } diff --git a/home/features/desktop/wakatime/secrets.yaml b/home/features/desktop/wakatime/secrets.yaml index d95db77..b3c2e8b 100644 --- a/home/features/desktop/wakatime/secrets.yaml +++ b/home/features/desktop/wakatime/secrets.yaml 
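Review bot: `home.sessionVariables.QT_SCREEN_SCALE_FACTORS = 1.4` is now set here and is still set in `home/tethys.nix` (it appears as context in that file's hunk further down), so for any host that imports both the value is defined twice. Equal definitions merge silently, but the moment one of them is tuned the other turns into a conflicting-definition evaluation error, and the comment `# Bigger text in qt apps` now lives in two places. If tethys imports this module, dropping the line from `home/tethys.nix` leaves a single source of truth.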
@@ -8,11 +8,20 @@ sops: - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0RmdFIxNFJpQTdGYXlq - bkZrNktMaFlrOEZtSXh6Y1l6NTN0REN6N2dnCmNMRUk2TXA3RWhtZVlnbTg2aE00 - eFVwejBTcWRaTUhGWFFIS1RlVkhhQ28KLS0tIEdWWGRWSDZOQW9pQkdCRFFncTM2 - cURjWFplY1pyMzY4a0h6cTRLS2I2ZW8KqGtYjCsdriSWdKhC+kGBAMSY9WVDL3tE - oMxyhrgDMtWndZEGv1+J3XLLmatDKmEcJO2k0CXZlCWWj17O4Rm+eA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dDhCMWVSY280NUlsd3Bu + L3QreE1zSGdQWnV3Tm1SQzh2SUF0VDlBcTMwCjNhdE51VzlRdXlRY241VXpaVkFR + MndqZTQxQ0FCQ3pvb3BXcXRrR3BYc2cKLS0tIElLYkVLL2h2NXNabW5CRXVla0pa + LzY0ejRvMDVmR21ISkdraHZzTndmRmcKVcQeKFytVs8QlkQpMA1GfLL8ccrbSqD+ + 7+5YJoDMiHS01Jgbh+4HNFIg/P3S3yIOCRx+ukvWF2/p7GP55Braxg== + -----END AGE ENCRYPTED FILE----- + - recipient: age13c346xw9kzsvra04ck8h8pa47mwdp8nh3aess4pwhyvdsufyhf0qt65ja8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBackQ3NzRMZ25RekM5cjNz + dlRXeTUyTVFlSDFRSC9jeFFoYlVKbWJRbEFNCnpKZHViK2F2VWJYTTBlNXpITUo1 + SFlUZUR0WTE4cUFZQlE0YzJJdS9TVVEKLS0tIE45Y25Bam5mdUNkTXkwOGkzb09t + ejU0YlVQR3JhaUE2aHBRUFhXaEdTV1EKgsHa/nufIXbLnrkvXNsZJ30dH1L2tMKf + jZufrpkQuPXWYzubUYejgQ0/yHGTDQtT9ptn72isGKKgSJZllCnPiA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-05-09T13:00:44Z" mac: ENC[AES256_GCM,data:pvcHe28Vnv/Trq84YwQjDKNiITdX5HbdRaLtoq0gzVGzuN9VL5GtufQN+rtZY3RLFDdEt6qeJe4ichVSK88S0VUEsc5CtsvR1QR59aZ20dsiELI6a9qyOLlCJCP80J9XWCe3Gr93v7AoelKdpPFo2BcRL7TNbkYxJC9t0JienSY=,iv:PtIH5IeCA7SmgekT8hs9p0kXtg4xrivhOz3HWG9UpTA=,tag:1B+POnrhCXFP/WsrfOnn3w==,type:str] diff --git a/home/global.nix b/home/global.nix index 2f7d135..a362cb7 100644 --- a/home/global.nix +++ b/home/global.nix @@ -1,4 +1,10 @@ -{ inputs, lib, config, outputs, ... }: +{ + inputs, + lib, + config, + outputs, + ... +}: let # {{{ Imports imports = [ 
@@ -21,10 +27,10 @@ let ./features/cli ./features/persistence.nix ../common - # }}} + # }}} ]; - # }}} in +# }}} { # Import all modules defined in modules/home-manager imports = builtins.attrValues outputs.homeManagerModules ++ imports; @@ -32,10 +38,9 @@ in # {{{ Nixpkgs nixpkgs = { # Add all overlays defined in the overlays directory - overlays = builtins.attrValues outputs.overlays ++ - lib.lists.optional - config.satellite.toggles.neovim-nightly.enable - inputs.neovim-nightly-overlay.overlay; + overlays = + builtins.attrValues outputs.overlays + ++ lib.lists.optional config.satellite.toggles.neovim-nightly.enable inputs.neovim-nightly-overlay.overlay; config.allowUnfree = true; @@ -55,10 +60,9 @@ in home = { username = lib.mkDefault "adrielus"; homeDirectory = "/home/${config.home.username}"; - stateVersion = lib.mkDefault "23.05"; }; - # }}} - # {{{ Ad-hoc settings + # }}} + # {{{ Ad-hoc settings # Nicely reload system units when changing configs systemd.user.startServices = lib.mkForce "sd-switch"; diff --git a/home/lapetus.nix b/home/lapetus.nix index 0761b6f..9001202 100644 --- a/home/lapetus.nix +++ b/home/lapetus.nix @@ -1,3 +1,4 @@ { imports = [ ./global.nix ]; + home.stateVersion = "23.05"; } diff --git a/home/tethys.nix b/home/tethys.nix index 7f0cd35..10e133b 100644 --- a/home/tethys.nix +++ b/home/tethys.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ imports = [ ./global.nix @@ -20,19 +21,18 @@ # Arbitrary extra packages home.packages = with pkgs; [ - alacritty # {{{ Communication # signal-desktop # Signal client element-desktop # Matrix client # zoom-us # Zoom client 🤮 # }}} - # {{{ Editors for different formats + # {{{ Editors for different formats gimp # Image editing # lmms # Music software # kicad # PCB editing # libreoffice # Free office suite # }}} - # {{{ Gaming + # {{{ Gaming # wine # Windows compat layer or whatever # lutris # Game launcher # }}} 
@@ -40,14 +40,14 @@ sops # Secret editing # sherlock # Search for usernames across different websites # }}} - # {{{ Misc + # {{{ Misc bitwarden # Password-manager qbittorrent # Torrent client # google-chrome # Not my primary browser, but sometimes needed in webdev # plover.dev # steno engine overskride # Bluetooth client - # }}} + # }}} # {{{ Media playing/recording mpv # Video player imv # Image viewer @@ -57,15 +57,18 @@ ]; home.sessionVariables.QT_SCREEN_SCALE_FACTORS = 1.4; # Bigger text in qt apps + home.stateVersion = "23.05"; satellite = { # Symlink some commonly modified dotfiles outside the nix store dev.enable = true; - monitors = [{ - name = "eDP-1"; - width = 1920; - height = 1080; - }]; + monitors = [ + { + name = "eDP-1"; + width = 1920; + height = 1080; + } + ]; }; } diff --git a/hosts/nixos/calypso/default.nix b/hosts/nixos/calypso/default.nix new file mode 100644 index 0000000..b7bf9f9 --- /dev/null +++ b/hosts/nixos/calypso/default.nix 
@@ -0,0 +1,56 @@
+{ config, ... }:
+{
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+
+ # {{{ Imports
+ imports = [
+ ../common/global
+ ../common/users/pilot.nix
+
+ ../common/optional/bluetooth.nix
+ ../common/optional/greetd.nix
+ ../common/optional/oci.nix
+ ../common/optional/quietboot.nix
+
+ ../common/optional/desktop
+ ../common/optional/desktop/steam.nix
+ ../common/optional/wayland/hyprland.nix
+
+ ../common/optional/services/kanata.nix
+ ../common/optional/services/syncthing.nix
+ ../common/optional/services/restic
+
+ ./services/snapper.nix
+
+ ./filesystems
+ ./hardware
+ ];
+ # }}}
+ # {{{ Machine ids
+ networking.hostName = "calypso";
+ networking.hostId = "";
+ environment.etc.machine-id.text = "";
+ # }}}
+ # {{{ Tailscale internal IP DNS records
+ satellite.dns.records = [
+ # {
+ # at = config.networking.hostName;
+ # type = "A";
+ # value = "100.93.136.59";
+ # }
+ # {
+ # at = config.networking.hostName;
+ # type = "AAAA";
+ # value = "fd7a:115c:a1e0::e75d:883b";
+ # }
+ ];
+ # }}}
+ # {{{ A few ad-hoc programs
+ programs.kdeconnect.enable = true;
+ programs.firejail.enable = true;
+ # }}}
+
+ satellite.pilot.name = "moon";
+ boot.loader.systemd-boot.enable = true;
+}
diff --git a/hosts/nixos/calypso/filesystems/default.nix b/hosts/nixos/calypso/filesystems/default.nix
new file mode 100644
index 0000000..b2fd442
--- /dev/null
+++ b/hosts/nixos/calypso/filesystems/default.nix
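Review bot: `networking.hostId = ""` and `environment.etc.machine-id.text = ""` are empty placeholders that the commit leaves in the host config. As far as I can tell NixOS writes the hostId string into `/etc/hostid` without validating it as the 8-hex-digit value the option documents, and systemd treats an empty `/etc/machine-id` as uninitialised, so the stable id this override is presumably meant to pin would be regenerated on each boot instead. Either leave both options unset until the values are generated on calypso, or make the gap visible, e.g. `networking.hostId = ""; # TODO: set to the first 8 chars of calypso's /etc/machine-id before install` and the same for the machine-id line.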
@@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+{
+ imports = [ (import ./partitions.nix { }) ];
+
+ boot.supportedFilesystems = [ "btrfs" ];
+ services.btrfs.autoScrub.enable = true;
+
+ # {{{ Mark a bunch of paths as needed for boot
+ fileSystems =
+ lib.attrsets.genAttrs
+ [
+ "/"
+ "/nix"
+ "/persist/data"
+ "/persist/state"
+ "/persist/local/cache"
+ "/boot"
+ ]
+ (p: {
+ neededForBoot = true;
+ });
+ # }}}
+ # {{{ Rollback
+ boot.initrd.systemd.services.rollback = {
+ path = [ pkgs.btrfs-progs ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ unitConfig.DefaultDependencies = "no";
+ wantedBy = [ "initrd.target" ];
+ after = [ "systemd-cryptsetup@enc.service" ];
+ before = [ "sysroot.mount" ];
+ script = ''
+ btrfs subvolume delete /root
+ btrfs subvolume snapshot /blank /root
+ '';
+ };
+ # }}}
+}
diff --git a/hosts/nixos/calypso/filesystems/partitions.nix b/hosts/nixos/calypso/filesystems/partitions.nix
new file mode 100644
index 0000000..fdbf35f
--- /dev/null
+++ b/hosts/nixos/calypso/filesystems/partitions.nix
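Review bot: `after = [ "systemd-cryptsetup@enc.service" ]` orders the rollback after a cryptsetup instance named `enc`, but `partitions.nix` names the LUKS mapping `crypted`; systemd silently ignores ordering against a unit that does not exist, so nothing guarantees the device is open when the script runs. The script itself has a bigger problem: it runs `before = [ "sysroot.mount" ]`, so `/root` and `/blank` are paths in the initrd's ramfs rather than the btrfs subvolumes, and both `btrfs subvolume` calls fail (the unit is only `wantedBy`, so the failure is logged and boot carries on without the wipe). The usual shape is to mount the top-level volume on a scratch directory and operate through it, as below; `mount` should already be available in the systemd initrd. Note this still assumes nothing else is nested under `/root`, which the subvolume names in `partitions.nix` currently contradict.
```nix
      # … unchanged: path, serviceConfig, unitConfig, wantedBy …
      after = [ "systemd-cryptsetup@crypted.service" ];
      before = [ "sysroot.mount" ];
      script = ''
        mkdir -p /mnt
        mount -t btrfs -o subvol=/ /dev/mapper/crypted /mnt
        btrfs subvolume delete /mnt/root
        btrfs subvolume snapshot /mnt/blank /mnt/root
        umount /mnt
      '';
```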
@@ -0,0 +1,102 @@ +{ + disks ? [ "/dev/sda" ], + ... +}: +{ + disko.devices.disk.main = { + type = "disk"; + device = builtins.elemAt disks 0; + content = { + type = "gpt"; + partitions = { + # {{{ Boot + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + # }}} + # {{{ Luks + luks = { + size = "384G"; # The remaining space is left for windows + content = { + type = "luks"; + name = "crypted"; + passwordFile = "/hermes/secrets/calypso/disk.key"; + settings.allowDiscards = true; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + + postCreateHook = '' + # We then take an empty *readonly* snapshot of the root subvolume, + # which we'll eventually rollback to on every boot. + btrfs subvolume snapshot -r /root /blank + ''; + + subvolumes = { + # {{{ /root + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + # }}} + # {{{ /swap + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "20G"; + }; + # }}} + # {{{ /root/persist/data + "/root/persist/data" = { + mountpoint = "/persist/data"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + # }}} + # {{{ /root/persist/state + "/root/persist/state" = { + mountpoint = "/persist/state"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + # }}} + # {{{ /root/local/nix + "/root/local/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + # }}} + # {{{ /root/local/cache + "/root/local/cache" = { + mountpoint = "/persist/local/cache"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + # }}} + }; + }; + }; + }; + # }}} + }; + }; + }; +} diff --git a/hosts/nixos/calypso/hardware/default.nix b/hosts/nixos/calypso/hardware/default.nix new file mode 100644 index 0000000..f63a729 --- /dev/null +++ b/hosts/nixos/calypso/hardware/default.nix 
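Review bot: The subvolumes `/root/persist/data`, `/root/persist/state`, `/root/local/nix` and `/root/local/cache` are named as paths inside `/root`, which — assuming disko creates nested names as nested subvolumes, as the names suggest — puts the nix store and all persistent data inside the very subvolume that `filesystems/default.nix` deletes and re-creates from `/blank` on every boot. `btrfs subvolume delete` refuses a subvolume that still contains subvolumes, so the rollback can never succeed as written, and a forced variant would take `/nix` and `/persist` with it. Making them siblings of `/root` (e.g. `"/persist/data"`, `"/persist/state"`, `"/nix"`, `"/local/cache"`, same mountpoints) gives `/root` a clean snapshot and a safe delete. The `postCreateHook` has a related path problem: `btrfs subvolume snapshot -r /root /blank` uses absolute paths, which only reach the subvolumes if the hook runs with the top-level volume mounted at `/`; the disko impermanence examples mount it on a temporary directory and address `$MNTPOINT/root` instead, which is worth checking here.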
@@ -0,0 +1,28 @@
+{ inputs, ... }:
+{
+ # {{{ Imports
+ imports = with inputs.nixos-hardware.nixosModules; [
+ common-cpu-amd
+ common-gpu-amd
+ common-pc-laptop
+ common-pc-ssd
+ ./generated.nix
+ ];
+ # }}}
+ # {{{ Misc
+ hardware.enableAllFirmware = true;
+ hardware.opengl.enable = true;
+ hardware.opentabletdriver.enable = true;
+ hardware.keyboard.qmk.enable = true;
+ # }}}
+ # {{{ Power management
+ powerManagement.cpuFreqGovernor = "performance";
+ services.tlp = {
+ enable = true;
+ settings = {
+ CPU_SCALING_GOVERNOR_ON_BAT = "performance";
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ };
+ };
+ # }}}
+}
diff --git a/hosts/nixos/calypso/keys/id_ed25519.pub b/hosts/nixos/calypso/keys/id_ed25519.pub
new file mode 100755
index 0000000..e3d2b8b
--- /dev/null
+++ b/hosts/nixos/calypso/keys/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBwFNYf8q84oGOwiGCXmJqeBPdglTPcWJB9nnLpmS2RG root@tethys
diff --git a/hosts/nixos/calypso/keys/ssh_host_ed25519_key.pub b/hosts/nixos/calypso/keys/ssh_host_ed25519_key.pub
new file mode 100755
index 0000000..278e629
--- /dev/null
+++ b/hosts/nixos/calypso/keys/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASX1E4WYg5dydret3G0fWYJLQn2oRxNZdHWWaJojW1a root@tethys
diff --git a/hosts/nixos/calypso/keys/ssh_host_rsa_key.pub b/hosts/nixos/calypso/keys/ssh_host_rsa_key.pub
new file mode 100755
index 0000000..0ef141f
--- /dev/null
+++ b/hosts/nixos/calypso/keys/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa 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 root@tethys
diff --git a/hosts/nixos/calypso/services/snapper.nix b/hosts/nixos/calypso/services/snapper.nix
new file mode 100644
index 0000000..8f312cf
--- /dev/null
+++ b/hosts/nixos/calypso/services/snapper.nix
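Review bot: `./generated.nix` is imported, but this patch does not add `hosts/nixos/calypso/hardware/generated.nix` (it is absent from the diffstat), and a flake only sees files tracked by git, so `nixosConfigurations.calypso` cannot evaluate until that file is committed. If it is meant to come from `nixos-generate-config` at install time, say so next to the import, e.g. `./generated.nix # written by nixos-generate-config during install; must be git-added before the flake evaluates`, so a failing `nix flake check` is not a surprise.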
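Review bot: All three public keys for calypso carry the comment `root@tethys`, which indicates they were generated on the old laptop rather than on calypso, and the files are committed with mode 100755, which a `.pub` file does not need. The comment is informational, but for a host key it is the first thing someone uses to tell which machine an identity belongs to, so generating the keys on calypso with `-C root@calypso` (or at least correcting the comment) and `chmod 644` on the three files would be cleaner; the same applies to the `ssh_host_ed25519_key.pub` and `ssh_host_rsa_key.pub` hunks. If the private halves really were created on tethys, they should end up only under calypso's `/persist/state/etc/ssh/` (the path `openssh.nix` expects for `hostKeys`) and be removed from wherever they were generated. If the `&calypso` age recipient in `.sops.yaml` was derived from the ed25519 host key, regenerating the key also means updating that recipient and re-running `sops updatekeys`.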
@@ -0,0 +1,37 @@ +{ + services.snapper = { + snapshotInterval = "hourly"; + cleanupInterval = "1d"; + # http://snapper.io/manpages/snapper-configs.html + configs = { + # {{{ Data + data = { + SUBVOLUME = "/root/persist/data"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + BACKGROUND_COMPARISON = "yes"; + + TIMELINE_LIMIT_HOURLY = "24"; + TIMELINE_LIMIT_DAILY = "7"; + TIMELINE_LIMIT_WEEKLY = "4"; + TIMELINE_LIMIT_MONTHLY = "12"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + # }}} + # {{{ State + state = { + SUBVOLUME = "/root/persist/state"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + BACKGROUND_COMPARISON = "yes"; + + TIMELINE_LIMIT_HOURLY = "6"; + TIMELINE_LIMIT_DAILY = "3"; + TIMELINE_LIMIT_WEEKLY = "1"; + TIMELINE_LIMIT_MONTHLY = "1"; + TIMELINE_LIMIT_YEARLY = "0"; + }; + # }}} + }; + }; +} diff --git a/hosts/nixos/common/global/cli/sudo.nix b/hosts/nixos/common/global/cli/sudo.nix deleted file mode 100644 index 47d221e..0000000 --- a/hosts/nixos/common/global/cli/sudo.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, inputs, lib, ... }: { - security.sudo = { - enable = true; - extraRules = [{ - commands = [{ - command = lib.getExe inputs.deploy-rs.packages.${pkgs.system}.default; - options = [ "NOPASSWD" ]; - }]; - groups = [ "wheel" ]; - }]; - }; -} diff --git a/hosts/nixos/common/global/default.nix b/hosts/nixos/common/global/default.nix index 5fcd5a7..3f127e7 100644 --- a/hosts/nixos/common/global/default.nix +++ b/hosts/nixos/common/global/default.nix @@ -1,9 +1,15 @@ # Configuration pieces included on all (nixos) hosts -{ inputs, lib, config, outputs, ... }: +{ + inputs, + lib, + config, + outputs, + ... +}: let # {{{ Imports imports = [ - # {{{ flake inputs + # {{{ flake inputs inputs.disko.nixosModules.default inputs.stylix.nixosModules.stylix inputs.sops-nix.nixosModules.sops 
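Review bot: `SUBVOLUME = "/root/persist/data"` and `SUBVOLUME = "/root/persist/state"` use the btrfs-internal subvolume names, but snapper's `SUBVOLUME` is the path where the subvolume is mounted on the running system; `partitions.nix` mounts these at `/persist/data` and `/persist/state`, and on a booted system `/root/persist/...` would be a path under root's home directory. Unless the top-level volume is mounted somewhere this patch does not show, snapper will report that the subvolume does not exist and no timeline snapshots are taken. Suggested change: `SUBVOLUME = "/persist/data";` and `SUBVOLUME = "/persist/state";`.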
@@ -23,8 +29,8 @@ let ../../../../common # }}} ]; - # }}} in +# }}} { # Import all modules defined in modules/nixos imports = builtins.attrValues outputs.nixosModules ++ imports; @@ -44,13 +50,17 @@ in # Boot using systemd boot.initrd.systemd.enable = true; # }}} + # {{{ Disable sudo default lecture + security.sudo.extraConfig = '' + Defaults lecture = never + ''; + # }}} nixpkgs = { # Add all overlays defined in the overlays directory - overlays = builtins.attrValues outputs.overlays ++ - lib.lists.optional - config.satellite.toggles.neovim-nightly.enable - inputs.neovim-nightly-overlay.overlay; + overlays = + builtins.attrValues outputs.overlays + ++ lib.lists.optional config.satellite.toggles.neovim-nightly.enable inputs.neovim-nightly-overlay.overlay; config.allowUnfree = true; }; diff --git a/hosts/nixos/common/global/services/openssh.nix b/hosts/nixos/common/global/services/openssh.nix index 7458f7c..f9ecbfb 100644 --- a/hosts/nixos/common/global/services/openssh.nix +++ b/hosts/nixos/common/global/services/openssh.nix @@ -1,5 +1,10 @@ -# This setups a SSH server. -{ outputs, config, lib, ... }: +# This setups a SSH server. +{ + outputs, + config, + lib, + ... +}: let # Record containing all the hosts hosts = outputs.nixosConfigurations; @@ -15,8 +20,8 @@ in enable = true; settings = { - PermitRootLogin = "no"; # Forbid root login through SSH. - PasswordAuthentication = false; # Use keys only. + PermitRootLogin = lib.mkDefault "no"; # Forbid root login through SSH. + PasswordAuthentication = lib.mkDefault false; # Use keys only. }; # Automatically remove stale sockets @@ -26,7 +31,10 @@ in # Generate ssh key hostKeys = - let mkKey = type: path: extra: { inherit type path; } // extra; + let + mkKey = + type: path: extra: + { inherit type path; } // extra; in [ (mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { }) 
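Review bot: Turning `PermitRootLogin = "no"` and `PasswordAuthentication = false` into `lib.mkDefault` means any host module can now silently re-enable password or root login over SSH, and nothing in the hunk records which host is expected to do so (the new `iso` host seems the likely candidate). Since this file is the global SSH hardening for every host, a comment on the two lines keeps the relaxation auditable, e.g. `# mkDefault so a host (e.g. the installer iso) can opt out; every other host keeps keys-only, no root login`. If only the iso needs it, an alternative that keeps the baseline hard is to leave these as plain definitions and have the iso's own config override them explicitly with `lib.mkForce`.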
@@ -43,19 +51,22 @@ in # attrsetof host -> attrsetof { ... } (builtins.mapAttrs # string -> host -> { ... } - (name: _: { - publicKeyFile = pubKey name; - extraHostNames = lib.optional (name == hostname) "localhost"; - })) + ( + name: _: { + publicKeyFile = pubKey name; + extraHostNames = lib.optional (name == hostname) "localhost"; + } + ) + ) # attrsetof { ... } -> attrsetof { ... } (lib.attrsets.filterAttrs # string -> { ... } -> bool - (_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile)) + (_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile) + ) ]; }; - # By default, this will ban failed ssh attempts services.fail2ban.enable = true; diff --git a/hosts/nixos/common/optional/desktop/default.nix b/hosts/nixos/common/optional/desktop/default.nix new file mode 100644 index 0000000..2219c4c --- /dev/null +++ b/hosts/nixos/common/optional/desktop/default.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ../pipewire.nix + ./xdg-portal.nix + ]; + + stylix.targets.gtk.enable = true; +} diff --git a/hosts/nixos/common/optional/oci.nix b/hosts/nixos/common/optional/oci.nix index e926dc4..858bd8b 100644 --- a/hosts/nixos/common/optional/oci.nix +++ b/hosts/nixos/common/optional/oci.nix @@ -1,14 +1,8 @@ { virtualisation.oci-containers.backend = "docker"; - environment.persistence = { - "/persist/state".directories = [ - "/var/lib/containers/storage" - ]; - - "/persist/local/cache".directories = [ - "/var/lib/containers/cache" - ]; + "/persist/state".directories = [ "/var/lib/containers/storage" ]; + "/persist/local/cache".directories = [ "/var/lib/containers/cache" ]; }; } diff --git a/hosts/nixos/common/secrets.yaml b/hosts/nixos/common/secrets.yaml index d0070c0..8f3bc52 100644 --- a/hosts/nixos/common/secrets.yaml +++ b/hosts/nixos/common/secrets.yaml 
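Review bot: The line `# By default, this will ban failed ssh attempts` above `services.fail2ban.enable = true;` is dropped with no replacement, leaving the only security-relevant service in this file undocumented while the rest of the hunk is pure reformatting. Restoring it (or `# Bans sources of repeated failed SSH logins`) keeps the intent visible.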
@@ -11,29 +11,47 @@ sops: - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzNLcXFBcTlIM3hjZTN0 - bTFZUDJnS3lROExSREVkd0FMeHU3RGVWdzJnCkszOVROZlBmZWl2cjFkcTZ1OWZw - eThXSTliNmxHM3o3NzhUOUkvU0YzNzgKLS0tIHBWSmRTTlJBdmlKQy9YWHR0NGds - ak5kUFRJK3JCcUYvSFY2eGtIOTk3RkkKl3yBZjjBExU9RoZbaKBixfsywqFWFnq4 - n7olhkNMVIC+BcLYno0oIT2oILASMkE3NbH85IHlYZY2qQvFKDbG7w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRVRLdlFuS3I5aXRKRmdF + TjFHY3Yvc2NUUlpYRUR6Y2JHRVgzTkhOZjFNCkhnZjU0R0VIbDJSNVNSb2hZUDd3 + SERkaExNdkRDOXRSWlg5enluY3dXRUUKLS0tIFZBNTJYaHhxbmZhMG56UGFtd25u + aVNDS2h1NnFmMERIMzdUanp1MitBTGcKp4s32NVcyeJNI6BDeU1GGz5xjoSW/iH7 + hUxXrZaRqtiVegq7Ukv7mXCVjAy1x/Flb4dDag4Ym4ReTsyKZpQf/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age13c346xw9kzsvra04ck8h8pa47mwdp8nh3aess4pwhyvdsufyhf0qt65ja8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZzNPU0pBVjJPREF2SGhQ + REl2ckdxakwrdHFPU0RPN0J1K0s1TWFsK0NzCjMzeGgyRktTWWpVVkFxQUpFZDBC + bDRuRHZOOU5ueHN6RlY2VUwxQThmNXcKLS0tIEtVU3F3VUZSRGJtU0VBcVh0NXRh + eFA2TWtCYmpGN2paWnRSQlBoZk83MkkKwIDlq6u31cc1toMfBHvA932dJyozUYa0 + e45KrBC3gy/5wZWcN7MktBgqd2khufa+KEMQv7c3ldyixKXokuBRhw== -----END AGE ENCRYPTED FILE----- - recipient: age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aExaRC9SclVvT1g4WFI0 - N1grVzZWWmpPaGEwRmx3TjUyK0dvL0RNdmhjClY5UmI0eWZOTXZqbGFxT05OSnk1 - RTAyYStRN0NsRnZlWk03eXIrajdiRjQKLS0tIHlMdzBVNFEzR2FuVFZEWStFY1hh - MnFiSGt3dWZxWnF3M2FkbTJzSTA2VTAKtD40Gp12vB24Wnr8NvY7/ZWr9XVDF9Bl - FUL34R1mpgweNJ1IowFPgQbxsyMTG7iYB4jC50JZNOKJxe9NaeOUlQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VC9ia21rTWpPSnJaamM3 + YzZqMzNJZDA4Q095OTMrR0JGTzczU2RWMVJNCnE0QzNvWWhscnQyWk5WOTV4Vld4 + SmJSdVdOMTRWWDFxUzJxc3hWZmxzUTQKLS0tIE9LWEtjc0x5WkpGWTUwMEt2d25K + 
TVJJWktOdW1Ic2E4MWpIbjQrdllkMzgK6M8T6M4rAMGgnWcVao/tp0PWG4NXvTTZ + /yNJgLZdBeHQevceLc4madD42IcrX7P2zeb6TM7l0DQVWCy+cBTN8w== -----END AGE ENCRYPTED FILE----- - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK0pFcWlheEwzV3N3bVFQ - K3EwNXI5MXQyYld6Z3J1aVNHWlQ4UjlxSzIwCktDbG9iMFRVQnJBenhWVFhLa2N1 - SWRMR3JLajJscWFqMy84aGNFcy9UK1UKLS0tIEZoT0d2bVJpV3ByWmV0eENZVjM3 - WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U - sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNmRXMFVKWnB3QjN3dDNj + QmRaRDRGUVJiczUzWE5WdFNReldBdkNOWlVvCmZCKzY4MThrUmNXeGVPTC9LSGtl + OFJOcGZVbVVjY0RveXR5WXNjU3p6UjgKLS0tIENyUHRpbjRyZjZpdjNlUktuL1g5 + QmNJVlIvTlhSRXJldUZhZjdsR0gwaHMKuNZcv3s65MtylIYzgDUd0qss4OEeJr8V + aI82/McWGJ6Lg0BVmvTUHbYcF09aMEJHeYEZNAzLiJ1a77tlhmY/jw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18gengezksnt0wtc3sv28ypmx546quzeg88kw5s8sywxyje5rmqyqh9daxe + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVVU5Wis5dkJRSE5lRy9U + QjFHb21uc0Z3Zmc4Z2J3NTVaajhmQy9nb2xJCjRqK1htbk82M0dnOWNEV0hHcmFz + RXFrSGE2UjdhTWh6RmwvR1psV05lbnMKLS0tIDRidEFBY0x2cXMrSHJXaXBuaE4r + WXFQQXh2cjlMdzhpa1JUdVVBK3pNbTQK6peUF0mWtmfSuN6KnoYPTEg8sIp/t0R2 + ygJEf8cpNiVxN0vsF/4kwyC/V4JE4XllsKrKF4NhVrBq96m1RmKlYg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-07-29T19:34:39Z" mac: ENC[AES256_GCM,data:ruCV2JKgFN6BiTYjOwlhNmjDCh9ZRJ9E+H0x0uVevZnsTEcFlTUh5iNSiw3uJtcKcA4H4kuGPXlolyxuGVGsAhVFD4G3zR84i9TTHmGT4STC2dNebcA9VUXVnfPhEUFAExrPRxbEqvx3o0QPZIfGonPQzl3xhJzOPahYsRJOwTQ=,iv:rSuuhOgzOgE7DosgVEWDT1jenF3m+NqnCSEKjoCBrfE=,tag:7pAV4jKvJYG1vPqEEMqOPg==,type:str] diff --git a/hosts/nixos/common/users/pilot.nix b/hosts/nixos/common/users/pilot.nix index 6f057b5..79ab088 100644 --- a/hosts/nixos/common/users/pilot.nix +++ b/hosts/nixos/common/users/pilot.nix 
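Review bot: Two new age recipients (age13c346… and age18gengez…) are added to the shared secrets file, which among other things holds the `pilot_password` hash referenced from pilot.nix, so both keys can now decrypt every secret in it. `lastmodified` and `mac` are unchanged, which is consistent with a `sops updatekeys` re-wrap of the existing data key rather than a rotation; if either recipient is a temporary installer or bootstrap key for the new calypso host, run `sops rotate -i hosts/nixos/common/secrets.yaml` once the install is done so that key cannot read future versions of the file. A short recipient-to-host mapping in the `.sops.yaml` comments (host key vs. personal key) would make it easy to audit who can read this file later.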
@@ -1,6 +1,12 @@ -{ pkgs, outputs, config, lib, ... }: { - satellite.pilot.name = "adrielus"; + pkgs, + outputs, + config, + lib, + ... +}: +{ + satellite.pilot.name = lib.mkDefault "adrielus"; sops.secrets.pilot_password = { sopsFile = ../secrets.yaml; @@ -17,7 +23,7 @@ # This gets referenced in other parts of the config uid = 1000; - # Adds me to some default groups, and creates the home dir + # Adds me to some default groups, and creates the home dir isNormalUser = true; # Picked up by our persistence module @@ -33,12 +39,10 @@ "syncthing" # syncthing! ]; - hashedPasswordFile = config.sops.secrets.pilot_password.path; shell = pkgs.fish; - openssh.authorizedKeys.keyFiles = - (import ./common.nix).authorizedKeys { inherit outputs lib; }; + openssh.authorizedKeys.keyFiles = (import ./common.nix).authorizedKeys { inherit outputs lib; }; }; }; } diff --git a/hosts/nixos/euporie/default.nix b/hosts/nixos/euporie/default.nix deleted file mode 100644 index 57e6e4b..0000000 --- a/hosts/nixos/euporie/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ lib, ... }: { - imports = [ - ../common/global - ../common/users/guest.nix - - ../common/optional/greetd.nix - ../common/optional/pipewire.nix - ../common/optional/desktop/xdg-portal.nix - ../common/optional/wayland/hyprland.nix - ]; - - # Usually included in the hardware-configuration - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - - # Set the name of this machine! - networking.hostName = "euporie"; - - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion - system.stateVersion = "22.11"; -} diff --git a/hosts/nixos/iso/default.nix b/hosts/nixos/iso/default.nix new file mode 100644 index 0000000..3d805d7 --- /dev/null +++ b/hosts/nixos/iso/default.nix 
@@ -0,0 +1,13 @@ +{ modulesPath, pkgs, ... }: +{ + imports = [ + "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" + + ../common/global/services/openssh.nix + ../common/global/locale.nix + ../common/global/cli/fish.nix + ../common/global/nix.nix + ]; + + environment.systemPackages = [ pkgs.neovim ]; +} diff --git a/hosts/nixos/lapetus/default.nix b/hosts/nixos/lapetus/default.nix index e005019..f645b22 100644 --- a/hosts/nixos/lapetus/default.nix +++ b/hosts/nixos/lapetus/default.nix @@ -1,4 +1,9 @@ -{ config, ... }: { +{ config, ... }: +{ + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "23.05"; + + # {{{ Imports imports = [ ../common/global ../common/users/pilot.nix @@ -38,19 +43,13 @@ ./filesystems ./hardware ]; - - # Machine ids + # }}} + # {{{ Machine ids networking.hostName = "lapetus"; networking.hostId = "08357db3"; environment.etc.machine-id.text = "d9571439c8a34e34b89727b73bad3587"; - - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion - system.stateVersion = "23.05"; - - # Bootloader - boot.loader.systemd-boot.enable = true; - - # Tailscale internal IP DNS records + # }}} + # {{{ Tailscale internal IP DNS records satellite.dns.records = [ { at = config.networking.hostName; @@ -63,4 +62,7 @@ value = "fd7a:115c:a1e0::e75d:883b"; } ]; + # }}} + + boot.loader.systemd-boot.enable = true; } diff --git a/hosts/nixos/lapetus/secrets.yaml b/hosts/nixos/lapetus/secrets.yaml index 0c4a6a4..4d27a7e 100644 --- a/hosts/nixos/lapetus/secrets.yaml +++ b/hosts/nixos/lapetus/secrets.yaml 
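Review bot: Importing `../common/global/services/openssh.nix` into the installer ISO brings in sshd with its two hardening settings at `mkDefault` priority, so whatever the `installation-cd-minimal.nix` chain sets for `PermitRootLogin` wins on the live system, and the file also points `hostKeys` under `/persist/state`, which does not exist on a live ISO (presumably fresh keys are generated each boot — confirm). If the goal is to reach the live installer over SSH, pin the intended policy here instead of relying on priority arithmetic: add `lib` to the argument set and set `services.openssh.settings.PasswordAuthentication = lib.mkForce false;` together with an explicit authorized key for the account you log in as (for example `users.users.root.openssh.authorizedKeys.keyFiles = [ ../calypso/keys/id_ed25519.pub ];`, if that is the key used for the install). A comment stating which account and key are expected to reach the ISO would also help the next person who burns it.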
@@ -18,20 +18,29 @@ sops: - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcjFoRm1WNW9jOUJjUC9W - NmxhWGRjWlFHd2tRaXJ6WnpaaWlxSFQ0RlZnCllVNTZ0b0MvL0VURDhQRUE1dDdW - L1NkYzBRRDFLcFpwTTgzRnphLy9GT00KLS0tIFcvU2ZUQ21FZU1NTEFJaHRTVjV3 - eU1YeEZIOTJKa3I4c3ZwbVdPMlBLbmMKCBhopcTXWiAwR8ACyDf+P11SYcPrPSSv - QRPJ6I8Y1Lc7KTCbkO8zW2hBb6fdbvWBJQtW0rOfCuGQ831OyArr0w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYQzgvU0NQZUFWT0pjZVBZ + ZThMRTVMWStMRThFYTF6Nkl2MlBXTWhkNUNZCmpVWW52NHNyTjZkZTN3c1NoajFR + M2MyZHFDM2czZHdPMUg2MDNPMnNqaVUKLS0tIHhwRThOYnBHY2FUajN0b0pBQ1Fn + dmZtT0xXR3RjVzd1ckNyVGpaRktnSkkKlPSmdYTQ5Qc3PVn9PhxmetF0fO7rWOwM + OTt7EF41IWwCwwhyQLpUcaCnO08jddPui1C5qnvjSFb/LZILiWQkFA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13c346xw9kzsvra04ck8h8pa47mwdp8nh3aess4pwhyvdsufyhf0qt65ja8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMjdib09GZC9DNGVoNCtK + Z3BnZGNXNzNEb1U3aU1xb1pkaUhPcituSEQwClhiVlMvNlU5OUZhbFE0MnZGTGha + eHpRSHlXaExzNnV0VlNEdnpqQmlDa2MKLS0tIFpPc0ovVnhnZ1IyWGNWTEFYZG81 + a1NaNzE4VVFNRlBwUHRWdTFwWjJ5a00KJvIyBz6XGV2+lfawWzHqFOMILTXt0Vlx + OTs0i0tNER2kMucEo3LHIayIM/SB1ncXv+vl0rwHCVfbKdQ0ABhb2Q== -----END AGE ENCRYPTED FILE----- - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV2VmdmJ2QlVVbUF6MUtt - dzZFUGJFS3cyKzlTTHJiWjlqRmJkUm04WXh3CktSdGRIUWxJRU5oVVdkUTFwaEZr - M1Y4NnRtclZVTkltOHNjNXAxVW9yaFEKLS0tIGlRYjgwd0FkN0FBU1RSQjRnVWpW - RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U - lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTGIzcjYyLyt2QVh1QzJZ + L2NKK0ZFaS9kckdKbjNCd0lBckxlNWV2Qm5NCkoyLy8rOXVPOWt0U1BwTHB3ZTNl + NWVzdEQ0TUU4UjgrbzliRU5kZ0FqWjgKLS0tIE9YNkN1OWFLMVhDd1I3T1Y4Qi9O + 
VGNDUEo4NmxYR0JQR0NPcUZVdFl1MVEKISsE+UOuBXLZ/5qOeWSf9tPw6XOsNrWa + 09bm8O66Ai0AQGhbn0G3Qf/AlcqF+8eRFYZDmpk0HXryuNZYuj7hBw== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-06-13T14:52:30Z" mac: ENC[AES256_GCM,data:EXVbpc8P8SzTSYw0TWwJBEWYZRpGOAXm4wFS0JbzeiNaWEybZk6Y07Vr5tyaEWucpu52VxLrVwoZn8YSdF9JPAHtTQYYY35MccBkB01+GVXpVDQfxCG9UNYO24qExNboQIs5QRWmtaX7zTbut+ETcOFKHlkqR9g95PZQhsNZx4c=,iv:1Bu9g4/V2ixRvJJBijlkdNO9pdoR+qwDGTeUgr24dsg=,tag:gyF34lCSbF0It4KPmtQYJA==,type:str] diff --git a/hosts/nixos/lapetus/services/jupyter.nix b/hosts/nixos/lapetus/services/jupyter.nix index c774004..ba62bd8 100644 --- a/hosts/nixos/lapetus/services/jupyter.nix +++ b/hosts/nixos/lapetus/services/jupyter.nix @@ -1,15 +1,22 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let # {{{ Jupyterhub/lab env - appEnv = pkgs.python3.withPackages (p: with p; [ - jupyterhub - jupyterlab - jupyterhub-systemdspawner - jupyter-collaboration - jupyterlab-git - ]); - # }}} + appEnv = pkgs.python3.withPackages ( + p: with p; [ + jupyterhub + jupyterlab + jupyterhub-systemdspawner + jupyter-collaboration + jupyterlab-git + ] + ); in +# }}} { systemd.services.jupyterhub.path = [ pkgs.texlive.combined.scheme-full # LaTeX stuff is useful for matplotlib @@ -25,8 +32,8 @@ in # {{{ Spwaner & auth config extraConfig = '' - c.Authenticator.allowed_users = {'adrielus', 'javi'} - c.Authenticator.admin_users = {'adrielus'} + c.Authenticator.allowed_users = {'${config.users.users.pilot.name}', 'javi'} + c.Authenticator.admin_users = {'${config.users.users.pilot.name}'} c.Spawner.notebook_dir='${config.users.users.pilot.home}/projects/notebooks' c.SystemdSpawner.mem_limit = '2G' 
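Review bot: The lapetus-specific secrets file gains recipient age13c346…, the same key that was added to the shared file; if that key belongs to another host rather than to your personal key set, lapetus-only secrets become readable from that machine, which is wider than a per-host file needs. Per-host sops files normally list only the admin key(s) plus that host's own key, so drop the recipient here unless the other host genuinely needs lapetus's secrets, and note the decision in `.sops.yaml`. As with the common file, `lastmodified` and `mac` are unchanged, consistent with an `updatekeys` re-wrap rather than a data-key rotation.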
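Review bot: The pilot name is now spliced unescaped into single-quoted Python literals in `c.Authenticator.allowed_users = {'${config.users.users.pilot.name}', 'javi'}` and the `admin_users` line below it; since pilot.nix makes the name overridable per host, a value containing a quote or backslash would silently produce broken or unexpected JupyterHub authorization config instead of a Nix evaluation error. Using `${builtins.toJSON config.users.users.pilot.name}` produces a properly quoted literal that Python accepts for ordinary user names and removes the manual quoting. The `extraConfig` string continues past the end of this hunk.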
@@ -35,13 +42,18 @@ in # }}} # {{{ Python 3 kernel kernels.python3 = - let env = (pkgs.python3.withPackages (p: with p; [ - ipykernel - numpy - scipy - matplotlib - tabulate - ])); + let + env = ( + pkgs.python3.withPackages ( + p: with p; [ + ipykernel + numpy + scipy + matplotlib + tabulate + ] + ) + ); in { displayName = "Numerical mathematics setup"; diff --git a/hosts/nixos/lapetus/services/zfs.nix b/hosts/nixos/lapetus/services/zfs.nix index 070b7fd..089b6a2 100644 --- a/hosts/nixos/lapetus/services/zfs.nix +++ b/hosts/nixos/lapetus/services/zfs.nix @@ -1,11 +1,12 @@ -{ config, ... }: { - # {{{ Zfs config +{ config, ... }: +{ + # {{{ Zfs config services.zfs = { trim.enable = true; autoScrub.enable = true; }; # }}} - # {{{ Sanoid config + # {{{ Sanoid config # Sanoid allows me to configure snapshot frequency on a per-dataset basis. services.sanoid = { enable = true; @@ -36,12 +37,4 @@ # }}} }; # }}} - # {{{ Syncoid - # Automatically sync certain snapshot to rsync.net - services.syncoid = { - enable = true; - commands."zroot/root/persist/data".target = "root@rsync.net:zroot/root/persist/data"; - commands."zroot/root/persist/state".target = "root@rsync.net:zroot/root/persist/state"; - }; - # }}} } diff --git a/hosts/nixos/tethys/default.nix b/hosts/nixos/tethys/default.nix index 5d08556..236c6d4 100644 --- a/hosts/nixos/tethys/default.nix +++ b/hosts/nixos/tethys/default.nix 
@@ -1,88 +1,48 @@ +{ pkgs, ... }: { - config, - lib, - pkgs, - ... -}: -{ + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "22.11"; + # {{{ Imports imports = [ ../common/global ../common/users/pilot.nix - ../common/optional/pipewire.nix ../common/optional/bluetooth.nix ../common/optional/greetd.nix + ../common/optional/oci.nix ../common/optional/quietboot.nix + + ../common/optional/desktop ../common/optional/desktop/steam.nix - ../common/optional/desktop/xdg-portal.nix ../common/optional/wayland/hyprland.nix + ../common/optional/services/kanata.nix ../common/optional/services/restic + ./services/syncthing.nix ./hardware ./boot.nix - ./services/syncthing.nix ]; # }}} - - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion - system.stateVersion = "22.11"; - - services.mullvad-vpn.enable = true; - # {{{ Machine ids networking.hostName = "tethys"; environment.etc.machine-id.text = "08357db3540c4cd2b76d4bb7f825ec88"; # }}} - # {{{ A few ad-hoc hardware settings - hardware.enableAllFirmware = true; - hardware.opengl.enable = true; - hardware.opentabletdriver.enable = true; - hardware.keyboard.qmk.enable = true; - powerManagement.cpuFreqGovernor = "performance"; - services.tlp = { - enable = true; - settings = { - CPU_SCALING_GOVERNOR_ON_BAT = "performance"; - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - }; - }; - # }}} # {{{ A few ad-hoc programs programs.kdeconnect.enable = true; programs.firejail.enable = true; - programs.extra-container.enable = true; - virtualisation.docker.enable = true; - virtualisation.waydroid.enable = true; - # virtualisation.spiceUSBRedirection.enable = true; # This was required for the vm usb passthrough tomfoolery - # }}} - # {{{ Ad-hoc stylix targets - stylix.targets.gtk.enable = true; - # }}} - # {{{ Some ad-hoc site blocking - networking.extraHosts = - let - blacklisted = [ - # "twitter.com" - # "www.reddit.com" - "minesweeper.online" - ]; - blacklist = lib.concatStringsSep "\n" (lib.forEach 
blacklisted (host: "127.0.0.1 ${host}")); - in - blacklist; - # }}} + services.mullvad-vpn.enable = true; services.mysql = { enable = true; package = pkgs.mysql80; }; - - programs.dconf.enable = true; - services.gnome.evolution-data-server.enable = true; - services.gnome.gnome-online-accounts.enable = true; - - # Tailscale internal IP DNS records + # }}} + # {{{ Ad-hoc stylix targets + stylix.targets.gtk.enable = true; + # }}} + # {{{ Tailscale internal IP DNS records satellite.dns.records = [ # { # at = config.networking.hostName; @@ -95,4 +55,5 @@ # value = "fd7a:115c:a1e0::e75d:883b"; # } ]; + # }}} } diff --git a/hosts/nixos/tethys/hardware/default.nix b/hosts/nixos/tethys/hardware/default.nix index 63eff6e..a416f58 100644 --- a/hosts/nixos/tethys/hardware/default.nix +++ b/hosts/nixos/tethys/hardware/default.nix @@ -1,5 +1,6 @@ { inputs, ... }: { + # {{{ Imports imports = with inputs.nixos-hardware.nixosModules; [ common-cpu-intel # common-gpu-intel # This leads to a "prop ... defined twice" error @@ -7,4 +8,21 @@ common-pc-ssd ./generated.nix ]; + # }}} + # {{{ Misc + hardware.enableAllFirmware = true; + hardware.opengl.enable = true; + hardware.opentabletdriver.enable = true; + hardware.keyboard.qmk.enable = true; + # }}} + # {{{ Power management + powerManagement.cpuFreqGovernor = "performance"; + services.tlp = { + enable = true; + settings = { + CPU_SCALING_GOVERNOR_ON_BAT = "performance"; + CPU_SCALING_GOVERNOR_ON_AC = "performance"; + }; + }; + # }}} }
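Review bot: Replacing `virtualisation.docker.enable = true;` with the `../common/optional/oci.nix` import changes what enables Docker on tethys: oci.nix only sets `virtualisation.oci-containers.backend = "docker"`, and as far as I recall the oci-containers module turns the backend on only when at least one container is declared, so this host may end up without a Docker daemon at all — confirm against the module, and keep the explicit enable line if Docker is still wanted. oci.nix also persists `/var/lib/containers/storage` and `/var/lib/containers/cache`, which are the podman paths, not `/var/lib/docker`, so Docker images and volumes would not survive the persistence wipe. Removing `virtualisation.waydroid.enable` and `programs.extra-container.enable` reduces the kernel-level attack surface, which is fine, but a one-line commit-style comment in the file saying they were dropped on purpose would stop someone re-adding them. The remainder of the file is in the following hunk.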