From 8c12d7db633cc421cd96690d077461cf45195334 Mon Sep 17 00:00:00 2001 From: sadbeast Date: Thu, 30 May 2024 00:47:47 +0000 Subject: oh no what have i done --- hosts/common/global/default.nix | 185 ++++++++++++++++++++++++++++++++ hosts/common/global/sops.nix | 17 +++ hosts/common/optional/wireless.nix | 35 ++++++ hosts/common/secrets.yaml | 50 +++++++++ hosts/joshua/default.nix | 16 +++ hosts/joshua/hardware-configuration.nix | 98 +++++++++++++++++ hosts/norad/default.nix | 28 +++++ hosts/norad/hardware-configuration.nix | 106 ++++++++++++++++++ hosts/wopr/default.nix | 34 ++++++ hosts/wopr/hardware-configuration.nix | 107 ++++++++++++++++++ hosts/work/default.nix | 117 ++++++++++++++++++++ hosts/work/hardware-configuration.nix | 64 +++++++++++ 12 files changed, 857 insertions(+) create mode 100644 hosts/common/global/default.nix create mode 100644 hosts/common/global/sops.nix create mode 100644 hosts/common/optional/wireless.nix create mode 100644 hosts/common/secrets.yaml create mode 100644 hosts/joshua/default.nix create mode 100644 hosts/joshua/hardware-configuration.nix create mode 100644 hosts/norad/default.nix create mode 100644 hosts/norad/hardware-configuration.nix create mode 100644 hosts/wopr/default.nix create mode 100644 hosts/wopr/hardware-configuration.nix create mode 100644 hosts/work/default.nix create mode 100644 hosts/work/hardware-configuration.nix (limited to 'hosts') diff --git a/hosts/common/global/default.nix b/hosts/common/global/default.nix new file mode 100644 index 0000000..764279d --- /dev/null +++ b/hosts/common/global/default.nix 
@@ -0,0 +1,185 @@ +# This holds configuration common across hosts +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + # You can import other NixOS modules here + imports = [ + inputs.home-manager.nixosModules.home-manager + inputs.impermanence.nixosModules.impermanence + ./sops.nix + ]; + + #home-manager.useGlobalPkgs = true; + home-manager.backupFileExtension = "backup"; + home-manager.extraSpecialArgs = { + inherit inputs outputs; + }; + + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + # outputs.overlays.modifications + + outputs.overlays.stable-packages + + # You can also add overlays exported from other flakes: + # neovim-nightly-overlay.overlays.default + + # Or define it inline, for example: + # (final: prev: { + # hi = final.hello.overrideAttrs (oldAttrs: { + # patches = [ ./change-hello-to-hi.patch ]; + # }); + # }) + ]; + config = { + allowUnfree = true; + }; + }; + + nix = let + flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs; + in { + settings = { + # Enable flakes and new 'nix' command + experimental-features = "nix-command flakes ca-derivations"; + accept-flake-config = true; + # Opinionated: disable global registry + flake-registry = ""; + # Workaround for https://github.com/NixOS/nix/issues/9574 + nix-path = config.nix.nixPath; + substituters = [ + "https://cache.nixos.org/" + ]; + trusted-substituters = [ + "https://cache.nixos.org" + "https://nixpkgs-ruby.cachix.org" + ]; + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "nixpkgs-ruby.cachix.org-1:vrcdi50fTolOxWCZZkw0jakOnUI1T19oYJ+PRYdK4SM=" + ]; + }; + gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 7d"; + }; + # Opinionated: disable channels + channel.enable = false; + + # Opinionated: make flake registry and nix path match flake inputs + registry = lib.mapAttrs (_: flake: {inherit 
flake;}) flakeInputs; + nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; + }; + + time.timeZone = "America/Los_Angeles"; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "emacs2"; + }; + + programs = { + sway.enable = true; + zsh.enable = true; + git.enable = true; + + fuse.userAllowOther = true; + }; + + users.mutableUsers = false; + + users.users.sadbeast = { + hashedPasswordFile = config.sops.secrets.sadbeast-password.path; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGpEusv/bS34Q1JQxZXikdcwnq1vToz2d+HgV+E8NRX" + ]; + + extraGroups = ["wheel" "audio" "video" "docker"]; + shell = pkgs.zsh; + packages = [pkgs.home-manager]; + }; + + sops.secrets.sadbeast-password = { + sopsFile = ../secrets.yaml; + neededForUsers = true; + }; + + home-manager.users.sadbeast = import ../../../home/sadbeast/${config.networking.hostName}.nix; + + services = { + avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + + openssh = { + enable = true; + settings = { + # Opinionated: forbid root login through SSH. + PermitRootLogin = "no"; + # Opinionated: use keys only. 
+ PasswordAuthentication = false; + X11Forwarding = true; + }; + }; + + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + + printing.enable = true; + }; + + security = { + polkit.enable = true; + # rtkit is optional but recommended + rtkit.enable = true; + sudo.wheelNeedsPassword = false; + + pam.services = { + swaylock = {}; + }; + }; + + # environment.persistence."/persistent" = { + # hideMounts = true; + # directories = [ + # "/var/log" + # "/var/lib/nixos" + # "/var/lib/systemd" + # ]; + # files = [ + # "/etc/machine-id" + # "/var/lib/sops-nix/keys.txt" + # ]; + # }; + + # system.activationScripts.persistent-dirs.text = let + # mkHomePersist = user: + # lib.optionalString user.createHome '' + # mkdir -p /persistent/${user.home} + # chown ${user.name}:${user.group} /persistent/${user.home} + # chmod ${user.homeMode} /persistent/${user.home} + # ''; + # users = lib.attrValues config.users.users; + # in + # lib.concatLines (map mkHomePersist users); + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "24.11"; +} diff --git a/hosts/common/global/sops.nix b/hosts/common/global/sops.nix new file mode 100644 index 0000000..9d1d42b --- /dev/null +++ b/hosts/common/global/sops.nix @@ -0,0 +1,17 @@ +{ + inputs, + lib, + config, + ... +}: { + imports = [inputs.sops-nix.nixosModules.sops]; + + sops = { + age = { + #keyFile = "/persistent/var/lib/sops-nix/keys.txt"; + keyFile = "/var/lib/sops-nix/keys.txt"; + sshKeyPaths = []; + }; + gnupg.sshKeyPaths = []; + }; +} diff --git a/hosts/common/optional/wireless.nix b/hosts/common/optional/wireless.nix new file mode 100644 index 0000000..ce66419 --- /dev/null +++ b/hosts/common/optional/wireless.nix 
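Review bot: `accept-flake-config = true` in nix.settings lets any flake this machine evaluates apply its own `nixConfig` (extra substituters, trusted public keys) without prompting, which extends supply-chain trust to every flake author rather than to the two caches listed just below it; consider dropping the line and passing `--accept-flake-config` per invocation when a flake genuinely needs it. In the same file `users.users.sadbeast.extraGroups` grants `"docker"` on every host although docker is only enabled in hosts/work/default.nix, which already adds the group itself; docker group membership is root-equivalent, so the global list is better reduced to `extraGroups = ["wheel" "audio" "video"];`. `X11Forwarding = true` under services.openssh.settings is an unusual fleet-wide default and should carry a comment naming the host that needs it. `home-manager.users.sadbeast` imports `../../../home/sadbeast/${config.networking.hostName}.nix`, so any host without a matching file fails at evaluation—worth a one-line comment next to it.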
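Review bot: The commented `#keyFile = "/persistent/var/lib/sops-nix/keys.txt"` is left beside the active `keyFile = "/var/lib/sops-nix/keys.txt"` with nothing saying which is intended; impermanence is imported but its `environment.persistence."/persistent"` block is also commented out in hosts/common/global/default.nix, so these two toggles have to move together or the age key would not survive a boot with a wiped root. Replace the dead line with `# Move under /persistent together with environment.persistence in global/default.nix` so the dependency is recorded. `sshKeyPaths = []` and `gnupg.sshKeyPaths = []` deliberately stop sops-nix from deriving keys from the host SSH keys; a short comment stating that intent would keep the next reader from "fixing" it.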
@@ -0,0 +1,35 @@ +{config, ...}: { + # Wireless secrets stored through sops + sops.secrets.wireless = { + sopsFile = ../secrets.yaml; + neededForUsers = true; + }; + + networking.wireless = { + enable = true; + fallbackToWPA2 = false; + + # Declarative + secretsFile = config.sops.secrets.wireless.path; + networks = { + "Black Vulture" = { + pskRaw = "ext:home_psk"; + }; + }; + + # Imperative + allowAuxiliaryImperativeNetworks = true; + userControlled = { + enable = true; + group = "network"; + }; + extraConfig = '' + update_config=1 + ''; + }; + + # Ensure group exists + users.groups.network = {}; + + systemd.services.wpa_supplicant.preStart = "touch /etc/wpa_supplicant.conf"; +} diff --git a/hosts/common/secrets.yaml b/hosts/common/secrets.yaml new file mode 100644 index 0000000..d0dc065 --- /dev/null +++ b/hosts/common/secrets.yaml 
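Review bot: `userControlled.group = "network"` together with `users.groups.network = {}` creates the group, but nothing adds a user to it; `users.users.sadbeast` in hosts/common/global/default.nix lists only wheel, audio, video and docker, so the imperative wpa_cli control this block enables is unusable by the only configured user. Add `users.users.sadbeast.extraGroups = ["network"];` here (the option is a list and merges with the global definition). `neededForUsers = true` on `sops.secrets.wireless` moves the secret into the early for-users stage, which is normally only needed for password files; wpa_supplicant is a system service and reads the default path fine, so the flag looks unneeded—confirm and either drop it or comment why it stays. The `preStart = "touch /etc/wpa_supplicant.conf"` line also deserves a comment explaining why the module's own handling of `allowAuxiliaryImperativeNetworks` is not sufficient.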
@@ -0,0 +1,50 @@ +sadbeast-password: ENC[AES256_GCM,data:Oy3x2JbsX/iTHSYd//sScEfpK2AcW9mfAD/jHR1zymkZ/hMgrK/pfzWiCiLSrCoV38lcaBsFHdv80Bf7TRhYkUQZ6F6EPtaVYg==,iv:/cEQPob8z5fzsUIo1unv7zT8h2MsdKMTVBxnSMlCgaM=,tag:afhjGiTXdPjiZVpzAKUvwA==,type:str] +work-password: ENC[AES256_GCM,data:6gcVp0kW+6sHg/9KxqjtnGa6ycfSitlAAAzgc2teE2mmgh9DBfP+0IiTGk0XrHjLZCrGCa/zyrIDKq3jdXE+E42laH7H68SrpA==,iv:LvRc7Uj5MJ3RMxIbp5s2U5qx50RLKe6o8mZSqwbrktk=,tag:ZpIaOfTWtt/6w93O/B2drw==,type:str] +wireless: ENC[AES256_GCM,data:aeetnjjKGbt0wudRuIY5ruemnxlhm5Iw808G5D9BO1dTYi0EbA7JrXHz3wXh737WsPMOXL0S9NaeRH4w,iv:NIoIJ6CjXWGesoEraRoSH2hmF2JpRvpV8fCpwNi06/c=,tag:/aS84d4H0jEHCBZd/CCOCg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16qcn9298rk3eav38442zw2ejhqac6uvdj0m86qf4ggnjgug8efgsp9lwcd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndG9RVWpCZXlsanhTbUky + N1drL1RlZVpZbElCaDljVWx6ZG9Vc3JsbTBRCk0rclJkUCtzdVF5NDdKTFRsamZR + UXpleTFWcU9CWlRyL0JLVVJCNnNzL2MKLS0tIHNISSsvTllQaFZ5dGk2VTJ0Vkxq + enh2dmxhcDgyNjlKRDFRZnlWTndYZjgK8aRkrdMx+SaZBnc2HFVdmwGm8K5T19Aa + UsoeqXyCPA1rxUFA6eCzy9y9sst/susfkwgRwFucP9W8lE3+kglMNg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hls0h26tcls67ukcpt7e0ztua8mwzheaqkuuwl4anv8zstq8regqd7nqv9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa1RucTA0UnVSQkhtdE9P + c2wzS01ucWN5M3A2QjRYZ1h4Y00wSjJvUkJjCktGck9JRFVYcGQyQ0plQ1B6dDNU + Zit2MmpDRExTU1NwR0pxc0dyaXdJUjAKLS0tIGE5YXFoRW1MU2VyL2N3ZGFmQSti + dFAvNEtTYlgzMUJZQjhZK3VvWGNvTWsKzafclExVkycuEnq5lsloVYSpUd+1SfQS + rj5xDJV8E37+q7lsizRhKMtjJNv/raeLXicsBwL2vmnY6RoYsPSfCw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dg0dxg6nf5rm05py3da3yz8tkg7xtgustuehxwn37cm8mdrf93ysn9n622 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVEZZaXQ0TjU1RFVZMnQr + MWQzbXEyV25RZmhVRFZlUzdjamNYR2hWcjBZCkRSSWMrSVpVV3pETkJUY1AyZTRZ + 
SVZkZDhnMkhaUUxWYklTdUszVlM2VHMKLS0tIFNrL0crZExQV3p2ZGxScmo1aXlK + Y3BLSkFyVkpUalRjSkxHMFpLVTJabTAKW2ydqX5ZulhSyiFCaNW3rMFncNBGllZU + v2HET4US1eUzT8suMWzfhjm7GA6D7KD3pJICglhtumk9sihRL3TrQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a6k6lwndk7w5ck3w8vydw72af3q8appm6jyxj7amwp6fmqnylywsy7ay0e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUeFlOb093ekpDanBiZEl0 + TGo4T2w4aHk4Zjl6eUdrS0diQzBWM1ltUDN3ClpVemlBN1YvVmNuZFlGWEVhSktv + SHNOZFBzWm5DTzJyNEhiSVRTampjR0UKLS0tIFFVODY0L1h0bThIclgxRnhVZmtk + Njl4U3h2UmZUOVhnQ0lqb3NnbUcwME0KfEhBK4MnSGDwQZYztvWKl5k4zRZD+kDT + t2yCzytfW3wcWmnqnbtBqFGFiZhtBaN1GhlJhHJY16JClJ/c8dhQ6g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-17T23:15:06Z" + mac: ENC[AES256_GCM,data:ojX6Ec9XP2MMnBQUkxlvmJYL+q9RGgwNZbtu7HObbXKXwozk68r//A2BwMFILcuFaSi1y1TOfgs1xdSr8wZPqLsGxLLSkruhmNnjO2fbYPYc33FW4OYoloTFeGZuL7Z1RGXUwDDZ59nqzH8DwKqfAmorJ2opyWS/igmEf1plWHQ=,iv:0+za47Ga2yfPcOlV4a8WniQ4wQma+k0+xqFqWvDXdGQ=,tag:Yoz3TvK7QtqwgZMVLJweoA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/hosts/joshua/default.nix b/hosts/joshua/default.nix new file mode 100644 index 0000000..7f1a0b1 --- /dev/null +++ b/hosts/joshua/default.nix @@ -0,0 +1,16 @@ +{ + imports = [ + ./hardware-configuration.nix + + ../common/global + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "joshua"; + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "24.11"; +} diff --git a/hosts/joshua/hardware-configuration.nix b/hosts/joshua/hardware-configuration.nix new file mode 100644 index 0000000..fd53e13 --- /dev/null +++ b/hosts/joshua/hardware-configuration.nix 
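Review bot: `system.stateVersion = "24.11";` is already set in hosts/common/global/default.nix, which this file imports, and the same duplicate appears in hosts/norad/default.nix, hosts/wopr/default.nix and hosts/work/default.nix. Identical definitions merge silently, but the moment one side is bumped evaluation fails with a conflicting-definition error, and the per-host file is where stateVersion belongs since it records that host's install generation. Drop the line from the global module and keep the per-host one with its existing wiki-link comment.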
@@ -0,0 +1,98 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/32a45644-86e5-42c0-96e9-343e8078349e"; + fsType = "btrfs"; + options = ["subvol=root" "noatime"]; + }; + + # Note `lib.mkBefore` is used instead of `lib.mkAfter` here. + #boot.initrd.postDeviceCommands = pkgs.lib.mkBefore '' + # mkdir -p /mnt + + # # We first mount the btrfs root to /mnt + # # so we can manipulate btrfs subvolumes. + # mount -o subvol=/ /dev/mapper/enc /mnt + + # # While we're tempted to just delete /root and create + # # a new snapshot from /root-blank, /root is already + # # populated at this point with a number of subvolumes, + # # which makes `btrfs subvolume delete` fail. + # # So, we remove them first. + # # + # # /root contains subvolumes: + # # - /root/var/lib/portables + # # - /root/var/lib/machines + # # + # # I suspect these are related to systemd-nspawn, but + # # since I don't use it I'm not 100% sure. + # # Anyhow, deleting these subvolumes hasn't resulted + # # in any issues so far, except for fairly + # # benign-looking errors from systemd-tmpfiles. + # btrfs subvolume list -o /mnt/root | + # cut -f9 -d' ' | + # while read subvolume; do + # echo "deleting /$subvolume subvolume..." + # btrfs subvolume delete "/mnt/$subvolume" + # done && + # echo "deleting /root subvolume..." && + # btrfs subvolume delete /mnt/root + + # echo "restoring blank /root subvolume..." 
+ # btrfs subvolume snapshot /mnt/root-blank /mnt/root + + # # Once we're done rolling back to a blank snapshot, + # # we can unmount /mnt and continue on the boot process. + # umount /mnt + #''; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/32a45644-86e5-42c0-96e9-343e8078349e"; + fsType = "btrfs"; + options = ["subvol=nix" "noatime"]; + }; + + fileSystems."/persistent" = { + device = "/dev/disk/by-uuid/32a45644-86e5-42c0-96e9-343e8078349e"; + fsType = "btrfs"; + neededForBoot = true; + options = ["subvol=persist" "noatime"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/323A-5741"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/1962cd0f-4063-4996-a33c-8ebaa9ecea1d";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/norad/default.nix b/hosts/norad/default.nix new file mode 100644 index 0000000..7dbba73 --- /dev/null +++ b/hosts/norad/default.nix 
@@ -0,0 +1,28 @@ +{pkgs, ...}: { + imports = [ + ./hardware-configuration.nix + + ../common/global + ../common/optional/wireless.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "norad"; + + # Slows down write operations considerably + nix.settings.auto-optimise-store = false; + + services = { + logind.extraConfig = '' + HandleLidSwitchExternalPower=ignore + ''; + + blueman.enable = true; + }; + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "24.11"; +} diff --git a/hosts/norad/hardware-configuration.nix b/hosts/norad/hardware-configuration.nix new file mode 100644 index 0000000..5c9bdaa --- /dev/null +++ b/hosts/norad/hardware-configuration.nix 
@@ -0,0 +1,106 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "firewire_ohci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/088d061d-7a81-4a91-9d97-c5958d5d4b6c"; + + # Note `lib.mkBefore` is used instead of `lib.mkAfter` here. + #boot.initrd.postDeviceCommands = pkgs.lib.mkBefore '' + # mkdir -p /mnt + + # # We first mount the btrfs root to /mnt + # # so we can manipulate btrfs subvolumes. + # mount -o subvol=/ /dev/mapper/enc /mnt + + # # While we're tempted to just delete /root and create + # # a new snapshot from /root-blank, /root is already + # # populated at this point with a number of subvolumes, + # # which makes `btrfs subvolume delete` fail. + # # So, we remove them first. + # # + # # /root contains subvolumes: + # # - /root/var/lib/portables + # # - /root/var/lib/machines + # # + # # I suspect these are related to systemd-nspawn, but + # # since I don't use it I'm not 100% sure. + # # Anyhow, deleting these subvolumes hasn't resulted + # # in any issues so far, except for fairly + # # benign-looking errors from systemd-tmpfiles. + # btrfs subvolume list -o /mnt/root | + # cut -f9 -d' ' | + # while read subvolume; do + # echo "deleting /$subvolume subvolume..." + # btrfs subvolume delete "/mnt/$subvolume" + # done && + # echo "deleting /root subvolume..." && + # btrfs subvolume delete /mnt/root + + # echo "restoring blank /root subvolume..." + # btrfs subvolume snapshot /mnt/root-blank /mnt/root + + # # Once we're done rolling back to a blank snapshot, + # # we can unmount /mnt and continue on the boot process. 
+ # umount /mnt + #''; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2990-A0D7"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/8bcaf4f2-c648-420d-8605-72407206244c"; + + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd" "noatime"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/8bcaf4f2-c648-420d-8605-72407206244c"; + fsType = "btrfs"; + options = ["subvol=nix" "compress=zstd" "noatime"]; + }; + + fileSystems."/persistent" = { + device = "/dev/disk/by-uuid/8bcaf4f2-c648-420d-8605-72407206244c"; + fsType = "btrfs"; + neededForBoot = true; + options = ["subvol=persistent" "compress=zstd" "noatime"]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking = { + useDHCP = lib.mkDefault true; + wireless = { + enable = true; + userControlled.enable = true; + }; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware = { + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + graphics.enable = true; + bluetooth = { + enable = true; + powerOnBoot = true; + }; + }; +} diff --git a/hosts/wopr/default.nix b/hosts/wopr/default.nix new file mode 100644 index 0000000..aed36d2 --- /dev/null +++ b/hosts/wopr/default.nix 
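Review bot: `networking.wireless` and `hardware.bluetooth`/`hardware.graphics` are hand-added to a nixos-generate-config output that is normally regenerated and overwritten, and `networking.wireless.enable`/`userControlled.enable` is also set by hosts/common/optional/wireless.nix, which hosts/norad/default.nix imports; keep this file to detected hardware and move those options into default.nix next to `services.blueman.enable`. The same hand edits appear in hosts/wopr/hardware-configuration.nix and hosts/work/hardware-configuration.nix. The stray blank line inside `fileSystems."/"` after the `device = ...` line should go. Roughly fifty lines of commented-out `boot.initrd.postDeviceCommands` rollback script are duplicated verbatim across joshua, norad and wopr; if the btrfs root rollback is planned, move it into one optional module, otherwise delete it.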
@@ -0,0 +1,34 @@ +{pkgs, ...}: { + imports = [ + ./hardware-configuration.nix + + ../common/global + ../common/optional/wireless.nix + ]; + + programs.nix-ld.enable = true; + programs.nix-ld.libraries = with pkgs; [ + # Add any missing dynamic libraries for unpackaged programs + # here, NOT in environment.systemPackages + SDL2 + libudev-zero + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "wopr"; + + # Slows down write operations considerably + nix.settings.auto-optimise-store = false; + + services = { + logind.extraConfig = '' + HandleLidSwitchExternalPower=ignore + ''; + }; + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "24.11"; +} diff --git a/hosts/wopr/hardware-configuration.nix b/hosts/wopr/hardware-configuration.nix new file mode 100644 index 0000000..07a6366 --- /dev/null +++ b/hosts/wopr/hardware-configuration.nix 
@@ -0,0 +1,107 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/b5b16d3a-54e0-4257-8529-ee0235674172"; + + # Note `lib.mkBefore` is used instead of `lib.mkAfter` here. + #boot.initrd.postDeviceCommands = pkgs.lib.mkBefore '' + # mkdir -p /mnt + + # # We first mount the btrfs root to /mnt + # # so we can manipulate btrfs subvolumes. + # mount -o subvol=/ /dev/mapper/enc /mnt + + # # While we're tempted to just delete /root and create + # # a new snapshot from /root-blank, /root is already + # # populated at this point with a number of subvolumes, + # # which makes `btrfs subvolume delete` fail. + # # So, we remove them first. + # # + # # /root contains subvolumes: + # # - /root/var/lib/portables + # # - /root/var/lib/machines + # # + # # I suspect these are related to systemd-nspawn, but + # # since I don't use it I'm not 100% sure. + # # Anyhow, deleting these subvolumes hasn't resulted + # # in any issues so far, except for fairly + # # benign-looking errors from systemd-tmpfiles. + # btrfs subvolume list -o /mnt/root | + # cut -f9 -d' ' | + # while read subvolume; do + # echo "deleting /$subvolume subvolume..." + # btrfs subvolume delete "/mnt/$subvolume" + # done && + # echo "deleting /root subvolume..." && + # btrfs subvolume delete /mnt/root + + # echo "restoring blank /root subvolume..." + # btrfs subvolume snapshot /mnt/root-blank /mnt/root + + # # Once we're done rolling back to a blank snapshot, + # # we can unmount /mnt and continue on the boot process. 
+ # umount /mnt + #''; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/320B-DC40"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/7f86695d-facd-464a-83b9-79e3de93eeb6"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd" "noatime"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/7f86695d-facd-464a-83b9-79e3de93eeb6"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd" "noatime"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/7f86695d-facd-464a-83b9-79e3de93eeb6"; + fsType = "btrfs"; + options = ["subvol=nix" "compress=zstd" "noatime"]; + }; + + fileSystems."/persistent" = { + device = "/dev/disk/by-uuid/7f86695d-facd-464a-83b9-79e3de93eeb6"; + fsType = "btrfs"; + neededForBoot = true; + options = ["subvol=persistent" "compress=zstd" "noatime"]; + }; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking = { + useDHCP = lib.mkDefault true; + wireless = { + enable = true; + userControlled.enable = true; + }; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware = { + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + graphics.enable = true; + }; +} diff --git a/hosts/work/default.nix b/hosts/work/default.nix new file mode 100644 index 0000000..7d68e85 --- /dev/null +++ b/hosts/work/default.nix 
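Review bot: `fileSystems."/home"` uses `options = ["subvol=root" "compress=zstd" "noatime"]`, the same subvolume already mounted at `/`, so /home would be the root subvolume mounted a second time (with its own `home` directory inside) rather than a separate home volume; this reads like a copy-paste of the `/` entry and presumably should be `options = ["subvol=home" "compress=zstd" "noatime"];`, assuming such a subvolume exists on that disk—verify with `btrfs subvolume list` before applying. Neither norad nor work declares `/home` at all, so if the subvolume was never created the entry should simply be removed.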
@@ -0,0 +1,117 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./hardware-configuration.nix + + ../common/global + ../common/optional/wireless.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "work"; + + # Slows down write operations considerably + nix.settings.auto-optimise-store = false; + + programs.nix-ld.enable = true; + programs.nix-ld.libraries = with pkgs; [ + # Add any missing dynamic libraries for unpackaged programs + # here, NOT in environment.systemPackages + ]; + + services = { + logind.extraConfig = '' + HandleLidSwitchExternalPower=ignore + ''; + tmate-ssh-server.enable = true; + + xserver = { + enable = true; + displayManager.startx.enable = true; + windowManager.awesome = { + enable = true; + luaModules = with pkgs.luaPackages; [ + luarocks # is the package manager for Lua modules + luadbi-mysql # Database abstraction layer + ]; + }; + }; + }; + + virtualisation = { + docker = { + enable = true; + + daemon.settings = { + userland-proxy = false; + experimental = true; + metrics-addr = "0.0.0.0:9323"; + ipv6 = true; + fixed-cidr-v6 = "fd00::/80"; + }; + # rootless = { + # enable = true; + # setSocketVariable = true; + # }; + storageDriver = "btrfs"; + }; + + libvirtd = { + enable = true; + qemu = { + package = pkgs.qemu_kvm; + runAsRoot = true; + swtpm.enable = true; + ovmf = { + enable = true; + packages = [ + (pkgs.OVMF.override { + secureBoot = true; + tpmSupport = true; + }) + .fd + ]; + }; + }; + }; + }; + + users.users.sadbeast = { + hashedPasswordFile = config.sops.secrets.sadbeast-password.path; + + extraGroups = ["docker" "libvirtd"]; + + subUidRanges = [ + { + startUid = 100000; + count = 65536; + } + ]; + subGidRanges = [ + { + startGid = 100000; + count = 65536; + } + ]; + }; + + environment = { + systemPackages = [ + (pkgs.writeShellScriptBin "qemu-system-x86_64-uefi" '' + qemu-system-x86_64 \ + -bios 
${pkgs.OVMF.fd}/FV/OVMF.fd \ + "$@" + '') + pkgs.qemu + ]; + }; + + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion + system.stateVersion = "24.11"; +} diff --git a/hosts/work/hardware-configuration.nix b/hosts/work/hardware-configuration.nix new file mode 100644 index 0000000..f174382 --- /dev/null +++ b/hosts/work/hardware-configuration.nix 
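Review bot: `metrics-addr = "0.0.0.0:9323"` in virtualisation.docker.daemon.settings binds the Docker metrics endpoint on every interface of a laptop that also uses wireless; the NixOS firewall is on by default and this port is not opened, so exposure is contained, but the binding should still be `metrics-addr = "127.0.0.1:9323";` unless a remote scraper is intended, in which case a comment should name it. `hashedPasswordFile = config.sops.secrets.sadbeast-password.path;` repeats the global definition while hosts/common/secrets.yaml in this same patch carries an unused `work-password` entry—presumably a host-specific `sops.secrets.work-password` was meant here, or the entry can be dropped. `qemu.runAsRoot = true` and `tmate-ssh-server.enable = true` both widen this host's attack surface and have no comment explaining why they are needed. `experimental = true` in the daemon settings likewise deserves a note of which feature it is for.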
@@ -0,0 +1,64 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_usb_sdmmc"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/0ac2bd64-7a06-4972-af6e-beffa6567ba7"; + fsType = "btrfs"; + options = ["subvol=root"]; + }; + + boot.initrd.luks.devices."work".device = "/dev/disk/by-uuid/7ce450be-7739-476e-9a8d-e25e57d8707f"; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/0ac2bd64-7a06-4972-af6e-beffa6567ba7"; + fsType = "btrfs"; + options = ["subvol=nix"]; + }; + + fileSystems."/persistent" = { + device = "/dev/disk/by-uuid/0ac2bd64-7a06-4972-af6e-beffa6567ba7"; + fsType = "btrfs"; + options = ["subvol=persistent"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A468-9833"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + swapDevices = [ + {device = "/dev/disk/by-label/swap";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking = { + useDHCP = lib.mkDefault true; + wireless = { + enable = true; + userControlled.enable = true; + }; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware = { + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + graphics.enable = true; + }; +} -- cgit v1.2.3
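Review bot: `fileSystems."/persistent"` here has no `neededForBoot = true;`, unlike the same mount in the joshua, norad and wopr hardware configurations; without it the subvolume is mounted late in stage 2, so anything expecting it early (the sops age key if it is ever moved under /persistent, or impermanence bind mounts) would fail on this host only. Add the flag for consistency. `boot.initrd.luks.devices."work"` sits between two fileSystems blocks; grouping it with the other `boot.*` lines would match the other hosts' layout. `swapDevices` references `/dev/disk/by-label/swap` while every other device uses a UUID—functionally fine, but a label is easier to collide with when a second disk is attached.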