Minor changes

Untested VF2 config, basic "user", option to enable users, option to enable git, basic graphics role, unfinished `router` role, global features

Signed-off-by: Ivan Bushchik <ivabus@ivabus.dev>
This commit is contained in:
Ivan Bushchik 2023-10-03 17:15:14 +03:00
parent 6889a37771
commit f916ffb2b4
No known key found for this signature in database
GPG key ID: 2F16FBF3262E090C
26 changed files with 530 additions and 380 deletions

.gitignore vendored

@ -1,2 +1,3 @@
asahi*
.key
*.DS_Store


@ -24,16 +24,16 @@ nix build path:{{REPO_PATH}}#nixosConfigurations.HOST.config.system.build.sdImag
nixos-rebuild switch --flake path:/etc/nixos
```
Apple Silicon hosts require additional `--impure` flag for firmware installation. (Firmware should be placed in /etc/nixos/asahi/firmware (ignored by git)).
Apple Silicon hosts require additional `--impure` flag for firmware installation. (Firmware should be placed in `/etc/nixos/asahi/firmware` (ignored by git)).
### Hosts configured
- stella (Random Ryzen 3 3250U laptop)
- vetus (iMac 27" 2017)
- celerrime (MacBook Air M2)
- celerrime-x (MacBook Air M2 under Darwin) (Needs unifying)
- rubusidaeus (Raspberry Pi 4B)
- celerrime (MacBook Air M2) (coding)
- vetus (iMac 27" 2017) (gaming)
- stella (Random Ryzen 3 3250U laptop) (lite websurfing client)
- celerrime-x (MacBook Air M2 under Darwin) - Needs unifying + doesn't work - Nix daemon "bootloops"
- rubusidaeus (Raspberry Pi 4B) (small services)
- periculo (StarFive VisionFive2) (as router) - WIP + untested
## Modules
@ -70,7 +70,7 @@ curl https://iva.bz/nix | sh
- [ ] iva.bz
- [ ] ивабус.рф
- Setup "secret" roles (I need them)
- Setup router
- Setup router (in progress with `periculo`)
## Copyright


@ -1,6 +1,9 @@
{ config, pkgs, lib, ... }:
{
let
my = import ../.;
secrets = my.secrets { inherit config; };
in {
nix = {
package = pkgs.nixUnstable;
extraOptions = ''
@ -10,7 +13,7 @@
auto-optimise-store = true;
allowed-users = [ "root" "@wheel" ];
trusted-users = [ "root" "@wheel" ];
sandbox = true;
#sandbox = true;
};
gc = {
automatic = true;
@ -25,12 +28,13 @@
};
environment.systemPackages = with pkgs;
[ wget curl git git-crypt neovim python3Minimal nixfmt ]
[ wget curl git git-crypt neovim python3Minimal ]
++ lib.optionals pkgs.stdenv.isLinux [
usbutils
pciutils
coreutils-full
coreutils
killall
];
# Inject secrets through module arguments while evaluating configs.
_module.args.secrets = secrets;
}
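Review bot: Commenting out `sandbox = true;` (`#sandbox = true;`) silently hands the decision to the Nix daemon default, which is not the same on every platform this flake targets (enabled on Linux, not on Darwin), and nothing in the hunk says why the explicit setting was dropped. If the intent is to allow unsandboxed builds for the riscv64/VisionFive bring-up, state it and scope it: keep `sandbox = lib.mkDefault true;` here and override it in `hardware/vf2.nix` or the periculo machine config, so the other hosts keep the hardened default. A one-line comment such as `# sandbox left at daemon default: VF2 image build needs unsandboxed builds (TODO: scope to periculo)` would also do until that is done.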


@ -4,7 +4,7 @@ let cfg = config.my.git;
in {
options = { my.git.enable = lib.mkEnableOption "Enable git configuration"; };
config = lib.mkIf (cfg.enable) {
config = lib.mkIf (cfg.enable && config.my.users.ivabus.enable) {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.ivabus = {
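Review bot: The new guard `lib.mkIf (cfg.enable && config.my.users.ivabus.enable)` makes `my.git.enable = true` a silent no-op on any host where the ivabus user is disabled, and the stella machine config in this same commit does exactly that (`my.git.enable = true;` with `ivabus.enable = false;`). Rather than dropping the configuration quietly, surface the mismatch: add under the module's `config` an `assertions` entry with `assertion = cfg.enable -> config.my.users.ivabus.enable;` and a message naming both options, or document on the option (`lib.mkEnableOption "Enable git configuration (requires my.users.ivabus.enable)"`) that it only applies to the ivabus user. The enclosing module continues past the hunk.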


@ -7,13 +7,13 @@ in {
};
config = lib.mkIf (cfg.enable) {
networking.wireless.iwd.enable = true;
networking.wireless.iwd.enable = lib.mkDefault true;
environment.systemPackages = with pkgs; [ lm_sensors ];
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.bluetooth.enable = lib.mkDefault true;
services.blueman.enable = lib.mkDefault true;
services.tlp.enable = true;
services.upower.enable = true;
services.tlp.enable = lib.mkDefault true;
services.upower.enable = lib.mkDefault true;
};
}


@ -6,7 +6,7 @@
security = {
lockKernelModules = true;
protectKernelImage = true;
allowSimultaneousMultithreading = false;
allowSimultaneousMultithreading = lib.mkDefault false;
forcePageTableIsolation = true;
virtualisation.flushL1DataCache = "always";
apparmor = {


@ -1,50 +1,77 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, secrets, ... }:
let my = import ../.;
let
cfg = config.my.users;
keys = [
# celerrime-x
"ssh-rsa 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 ivabus@celerrime-x"
# Celerrime
"ssh-rsa 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 ivabus@celerrime"
];
in rec {
users.mutableUsers = false;
users.groups.ivabus = { gid = 1000; };
users.users.ivabus = {
isNormalUser = true;
group = "ivabus";
extraGroups = [ "users" "wheel" ];
uid = 1000;
packages = with pkgs; [
tree
neofetch # I use NixOS BTW
duf
htop
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# celerrime-x
"ssh-rsa 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 ivabus@celerrime-x"
# Stella
"ssh-rsa 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 ivabus@stella"
# Celerrime
"ssh-rsa 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 ivabus@celerrime"
];
hashedPassword = my.secrets.hashed-password;
options.my.users = {
ivabus.enable = lib.mkEnableOption "Enable ivabus user";
user.enable = lib.mkEnableOption "Enable general-purpose user";
};
config = lib.mkMerge [
(lib.mkIf (cfg.ivabus.enable) {
my.features.secrets = lib.mkForce true;
users.users.root = {
hashedPassword = null;
openssh.authorizedKeys.keys =
users.users.ivabus.openssh.authorizedKeys.keys;
};
users.groups.ivabus = { gid = 1000; };
users.users.ivabus = {
isNormalUser = true;
group = "ivabus";
extraGroups = [ "users" "wheel" ];
uid = 1000;
packages = with pkgs; [
tree
neofetch # I use NixOS BTW
duf
htop
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = keys;
hashedPassword = secrets.hashed-password;
};
programs.gnupg.agent.enable = true;
})
environment.shells = [ pkgs.zsh ];
programs.zsh = {
enable = true;
promptInit = "";
};
(lib.mkIf (cfg.user.enable) {
users.users.user = {
isNormalUser = true;
group = "users";
extraGroups = [ "video" "audio" "networkmanager" ];
uid = 1001;
packages = with pkgs; [
tree
neofetch # I use NixOS BTW
duf
htop
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = keys;
password = "12345";
};
})
programs.gnupg.agent.enable = true;
programs.ssh.startAgent = true;
({
users.mutableUsers = false;
users.users.root = {
hashedPassword = null;
openssh.authorizedKeys.keys = keys;
};
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
environment.shells = [ pkgs.zsh ];
programs.zsh = {
enable = true;
promptInit = "";
};
programs.ssh.startAgent = true;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
})
];
}
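Review bot: `password = "12345";` on the new `user` account is a plaintext, trivially guessable credential that is written into the world-readable Nix store, and because the same module sets `users.mutableUsers = false;` it can never be changed on the host — every rebuild resets it. The same account also receives the full `keys` list and membership in `networkmanager`, so on a host like stella (which enables `user` and disables the secrets feature) this is the only local password login. Use `hashedPassword` with a pre-computed hash (or `hashedPasswordFile` pointing at a file outside the store) as the ivabus branch already does via `secrets.hashed-password`, and if a throwaway first-boot password is genuinely wanted, say so in a comment next to it rather than leaving a bare literal. Separately, `my.features.secrets = lib.mkForce true;` inside the ivabus branch overrides any host that sets the feature to false without a warning; `lib.mkDefault` on the host side plus a plain assignment here would keep the override visible.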


@ -1,7 +1,8 @@
rec {
common = import ./common;
roles = import ./roles;
features = import ./features.nix;
secrets = import ./secrets.nix;
modules = { pkgs, ... }: { imports = [ common roles ]; };
modules = { pkgs, ... }: { imports = [ features common roles ]; };
}

features.nix Normal file

@ -0,0 +1,5 @@
{ lib, config, ... }:
let
in {
options.my.features.secrets = lib.mkEnableOption "Enable secrets decrypting";
}
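Review bot: The new module has an empty `let` / `in` pair and takes `config` without using it, which reads as a leftover from a template. The whole file can be `{ lib, ... }: { options.my.features.secrets = lib.mkEnableOption "Enable secrets decrypting"; }`, and a one-line `##`-style header such as `# Global feature flags shared by all hosts; consumed by ../secrets.nix` would tell a reader where the option is checked.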


@ -1,153 +0,0 @@
{
"nodes": {
"apple-silicon-support": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1693064156,
"narHash": "sha256-EnZntHnlPqWZIoa593zDV4GSkfbLLAL6VAreMvM6JN4=",
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"rev": "bef25f9cdfd8513a42c175b88a1cb619e3ef5951",
"type": "github"
},
"original": {
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"type": "github"
}
},
"flake-compat": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1693208669,
"narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1692248770,
"narHash": "sha256-tZeFpETKQGbgnaSIO1AGWD27IyTcBm4D+A9d7ulQ4NM=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "511177ffe8226c78c9cf6a92a7b5f2df3684956b",
"type": "github"
},
"original": {
"owner": "LnL7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1692913444,
"narHash": "sha256-1SvMQm2DwofNxXVtNWWtIcTh7GctEVrS/Xel/mdc6iY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "18324978d632ffc55ef1d928e81630c620f4f447",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"rev": "18324978d632ffc55ef1d928e81630c620f4f447",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1694062546,
"narHash": "sha256-PiGI4f2BGnZcedP6slLjCLGLRLXPa9+ogGGgVPfGxys=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b200e0df08f80c32974a6108ce431d8a8a5e6547",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-23.05-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1693985761,
"narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0bffda19b8af722f8069d09d8b6a24594c80b352",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"apple-silicon-support": "apple-silicon-support",
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs_3"
}
},
"rust-overlay": {
"flake": false,
"locked": {
"lastModified": 1686795910,
"narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -12,13 +12,17 @@
apple-silicon-support.url = "github:tpwrules/nixos-apple-silicon";
#nixos-vf2 = { url = "path:/root/nixos-vf2"; };
#nixos-vf2 = { url = "github:Snektron/nixos-vf2"; };
nix-darwin = {
url = "github:LnL7/nix-darwin/master";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, home-manager, nix-darwin, apple-silicon-support
# , nixos-vf2
, ... }@inputs: {
# Stella = Unchartevice 6540 (Ryzen 3 3250U, 16GB RAM)
nixosConfigurations."stella" = nixpkgs.lib.nixosSystem {
@ -52,6 +56,17 @@
];
};
# VisionFive 2, 8GB - firewall + router
nixosConfigurations."periculo" = nixpkgs.lib.nixosSystem {
system = "riscv64-linux";
modules = [
#nixos-vf2.nixosModules.sdImage
./hardware/vf2.nix
home-manager.nixosModules.home-manager
./machines/periculo
];
};
# Celerrime under macOS
darwinConfigurations."celerrime-x" = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin";
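Review bot: This commit deletes `flake.lock` (the `-1,153 +0,0` hunk above) while `flake.nix` keeps unpinned `github:` inputs, so `nixpkgs`, `home-manager`, `nix-darwin` and `apple-silicon-support` now resolve to whatever revision the remote serves at build time; builds stop being reproducible and every host silently tracks upstream. If the lock was dropped only to regenerate it after the `nixos-vf2` experiment, regenerate and commit it in the same change (`nix flake lock`), and keep the `#nixos-vf2` lines commented rather than removing the lock. The `periculo` entry also lists `./hardware/vf2.nix` and `./machines/periculo` but no sd-image module, so the `config.system.build.sdImage` output the README documents is unlikely to exist for this host until `nixos-vf2.nixosModules.sdImage` (or the nixpkgs sd-image module) is imported; a `# TODO: sdImage output needs nixos-vf2` comment next to the commented module would make that explicit.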


@ -3,3 +3,4 @@
Contains `portable` configurations for hardware.
`./rpi4.nix` - Raspberry Pi 4
`./vf2.nix` - StarFive VisionFive 2

hardware/vf2.nix Normal file

@ -0,0 +1,60 @@
{ config, pkgs, lib, ... }:
let
overlay = final: super: {
makeModulesClosure = x:
super.makeModulesClosure (x // {
allowMissing = true;
}); # Ignores missing kernel modules (can't build image without this fix)
# Overflow tests fail
diffutils = super.diffutils.override { doCheck = false; };
};
in {
boot = {
kernelParams = [
"console=tty0"
"console=ttyS0,115200"
"earlycon=sbi"
"boot.shell_on_fail"
];
supportedFilesystems = lib.mkForce [ "ext4" ];
initrd.includeDefaultModules = false;
initrd.availableKernelModules = [
"xhci_pci"
"usbhid"
"usb_storage"
"dw_mmc-pltfm"
"dw_mmc-starfive"
"dwmac-starfive"
"spi-dw-mmio"
"mmc_block"
"nvme"
"sdhci"
"sdhci-pci"
"sdhci-of-dwcmshc"
];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
};
systemd.services."serial-getty@hvc0".enable = false;
systemd.services."serial-getty@ttyS0" = {
enable = true;
wantedBy = [ "getty.target" ];
serviceConfig.Restart = "always";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
sdImage.compressImage = false;
hardware.enableRedistributableFirmware = true;
}
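Review bot: `overlay` is defined in the `let` block but never referenced — nothing in the attribute set applies it, so neither the `makeModulesClosure` `allowMissing` fix (which the comment says the image cannot be built without) nor the `diffutils` override takes effect. Add `nixpkgs.overlays = [ overlay ];` to the module body. `sdImage.compressImage = false;` refers to an option that only exists once an sd-image module is imported; as the flake currently leaves `nixos-vf2.nixosModules.sdImage` commented out, evaluating periculo is likely to fail on an undefined option, so either import the module here or guard the line. The `"boot.shell_on_fail"` kernel parameter drops to an unauthenticated root shell in the initrd when boot fails; fine for bring-up, but for a box meant to be the router it deserves a `# TODO: remove before deployment` comment.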


@ -38,23 +38,22 @@
enable = true;
promptInit = "";
};
/* users.users.ivabus.home = "/Users/ivabus";
users.users.ivabus.openssh.authorizedKeys.keys = [
# i should somehow reuse it from common/user.nix
# celerrime-x
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HY6er37FUz2tPQnwq5SUQZ5KHmMpGQA5yNlxPOyoCV+uvdx/cU8KF7jlFoyBC9xf2FvNyB8H1MZ6t2eUs4m/pVMpoBbNSTZLSxlvv2n4HuxL2Sg3qPdioJOyxDfnXA4OIZ+Tc+z4zM3ZnPJm1ccGW7W+YPhZ7GhBpl5wlMw+m06dCt8wfdDA4fuf4brnLt1ZMs4aOtVM8u4ZEtMs3IVXVUgtRH5m0RXZ94s7RkrUHhl2UOkOclhkQOiQop9RuJMjpi+iYkDYCniuGCKcKPrmi1+qicKM8KyrYGqR7FkUvzr+H8XtJXu++Kvmjcn54jDYqM4sq/MNL2rf8QaIUGLwiq2ljH2dGamElvElWZoXQBGPp4L80IEbaMVISIcvcNj+8cKW3rPvEUK5iT8jCkIOUwm1oo70YawS5VXTPLDsZif12QduTcJhVJekEaP0ZSifO52zeJksj0adwiEMJPqm7bIk5Y+9dCbQH7PtkWY4Tw3bdGNsYnTXC80MeEfrIKE="
users.users.ivabus.home = "/Users/ivabus";
users.users.ivabus.openssh.authorizedKeys.keys = [
# i should somehow reuse it from common/user.nix
# celerrime-x
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HY6er37FUz2tPQnwq5SUQZ5KHmMpGQA5yNlxPOyoCV+uvdx/cU8KF7jlFoyBC9xf2FvNyB8H1MZ6t2eUs4m/pVMpoBbNSTZLSxlvv2n4HuxL2Sg3qPdioJOyxDfnXA4OIZ+Tc+z4zM3ZnPJm1ccGW7W+YPhZ7GhBpl5wlMw+m06dCt8wfdDA4fuf4brnLt1ZMs4aOtVM8u4ZEtMs3IVXVUgtRH5m0RXZ94s7RkrUHhl2UOkOclhkQOiQop9RuJMjpi+iYkDYCniuGCKcKPrmi1+qicKM8KyrYGqR7FkUvzr+H8XtJXu++Kvmjcn54jDYqM4sq/MNL2rf8QaIUGLwiq2ljH2dGamElvElWZoXQBGPp4L80IEbaMVISIcvcNj+8cKW3rPvEUK5iT8jCkIOUwm1oo70YawS5VXTPLDsZif12QduTcJhVJekEaP0ZSifO52zeJksj0adwiEMJPqm7bIk5Y+9dCbQH7PtkWY4Tw3bdGNsYnTXC80MeEfrIKE="
# Stella
"ssh-rsa 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 ivabus@stella"
# Stella
"ssh-rsa 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 ivabus@stella"
# Celerrime
"ssh-rsa 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 ivabus@celerrime"
];
# Celerrime
"ssh-rsa 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 ivabus@celerrime"
];
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
*/
services.nix-daemon.enable = true;
nix.package = lib.mkForce pkgs.nix;
}
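Review bot: The Darwin config now wraps the ivabus `home` / `authorizedKeys` / home-manager block in `/* … */` instead of deleting it, leaving a third copy of the public keys (and the `# i should somehow reuse it from common/user.nix` note) in a file where nothing evaluates it. Since `common/user.nix` now owns the `keys` list, drop the block entirely and, if the Darwin side is meant to consume the same list later, replace it with a single `# TODO: reuse keys from common/user.nix once Darwin is unified` comment.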


@ -26,6 +26,11 @@ in {
server = { ivabus-dev.enable = false; };
};
my.users = {
ivabus.enable = true;
user.enable = false;
};
my.features.secrets = true;
networking.useDHCP = true;


@ -21,6 +21,7 @@ in {
devel.enable = true;
gaming.enable = true;
graphical.enable = true;
graphical.basic.enable = false;
latex.enable = true;
media-client.enable = true;
torrent.enable = true;
@ -29,6 +30,11 @@ in {
server = { ivabus-dev.enable = true; };
};
my.users = {
ivabus.enable = true;
user.enable = false;
};
my.features.secrets = true;
networking.useDHCP = true;


@ -0,0 +1,54 @@
{ config, pkgs, lib, ... }:
let my = import ../..;
in {
imports = [ my.modules ];
networking.hostName = "periculo";
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# All "my" options
my.laptop.enable = false;
my.git.enable = false;
my.roles = {
design.enable = false;
devel.enable = false;
gaming.enable = false;
graphical.enable = false;
latex.enable = false;
media-client.enable = false;
torrent.enable = false;
virtualisation.enable = false;
yggdrasil-client.enable = false;
server = { ivabus-dev.enable = false; };
};
my.users = {
ivabus.enable = true;
user.enable = false;
};
my.features.secrets = true;
my.roles.router = {
enable = false;
interfaces = {
wan = "enp1s0";
lan = "enp2s0";
};
};
# find out interfaces that show onboard
/* networking = {
enp1s0.useDHCP = false;
enp2s0.useDHCP = false;
};
*/
hardware.enableRedistributableFirmware = true;
system.stateVersion = "23.05";
}
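Review bot: The commented-out `networking = { enp1s0.useDHCP = false; enp2s0.useDHCP = false; };` block uses the wrong option path — per-interface settings live under `networking.interfaces.<name>.useDHCP` — so it would fail to evaluate the moment it is uncommented; write it as `networking.interfaces.enp1s0.useDHCP = false;` (and the same for `enp2s0`), or leave only the `# find out interfaces that show onboard` TODO. `boot.loader.grub.enable`, `boot.loader.generic-extlinux-compatible.enable` and `hardware.enableRedistributableFirmware` duplicate what `hardware/vf2.nix` already sets; keeping them in one place avoids the two drifting apart. Note that `my.roles.router.enable = false;` means the router role's interface names here are currently unused.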


@ -29,6 +29,13 @@ in {
server = { ivabus-dev.enable = true; };
};
my.users = {
ivabus.enable = true;
user.enable = false;
};
my.features.secrets = true;
networking = {
useNetworkd = false;
useDHCP = false;


@ -7,31 +7,48 @@ in {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
google-chrome
zoom-us
whatsapp-for-linux
telegram-desktop
];
networking.hostName = "stella";
my.laptop.enable = true;
my.git.enable = true;
my.roles = {
design.enable = true;
devel.enable = true;
gaming.enable = true;
graphical.enable = true;
design.enable = false;
devel.enable = false;
gaming.enable = false;
graphical.enable = false;
graphical.basic.enable = true;
latex.enable = false;
media-client.enable = true;
torrent.enable = true;
virtualisation.enable = true;
yggdrasil-client.enable = true;
torrent.enable = false;
virtualisation.enable = false;
yggdrasil-client.enable = false;
};
my.users = {
ivabus.enable = false;
user.enable = true;
};
my.features.secrets = false;
services.xserver.videoDrivers = [ "amdgpu" ];
boot.initrd.kernelModules = [ "amdgpu" ];
powerManagement = {
enable = true;
cpuFreqGovernor = "ondemand";
cpuFreqGovernor = "powersave";
};
networking.useDHCP = true;
# system is very slow without it
security.allowSimultaneousMultithreading = lib.mkForce true;
system.stateVersion = "23.05";
}
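Review bot: `security.allowSimultaneousMultithreading = lib.mkForce true;` no longer needs `mkForce`: the common security module in this commit changed the same option to `lib.mkDefault false`, so a plain `security.allowSimultaneousMultithreading = true;` overrides it and keeps the override visible to the module system instead of hiding any future conflicting definition. The existing `# system is very slow without it` comment already documents the trade-off; consider extending it to `# re-enables SMT (side-channel mitigation off); system is very slow without it` so the security implication is explicit next to the override.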


@ -1,36 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" "nct6775" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
environment.etc = {
"sysconfig/lm_sensors".text = ''
HWMON_MODULES="lm75"
'';
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/01106217-beff-4837-87ce-60f36ad0296e";
fsType = "btrfs";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/e9d47776-8f25-490b-9ea3-ee80ab9d6110";
fsType = "btrfs";
};
boot.initrd.luks.devices."cryptroot".device =
"/dev/disk/by-uuid/c2e3757b-b29c-4797-9535-084eb71351e9";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4F73-6FFF";
fsType = "vfat";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/22B9-FD88";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -21,6 +21,13 @@ in {
yggdrasil-client.enable = true;
};
my.users = {
ivabus.enable = true;
user.enable = false;
};
my.features.secrets = true;
networking.useDHCP = true;
services.xserver.videoDrivers = [ "amdgpu" ];


@ -6,6 +6,7 @@
./graphical.nix
./latex.nix
./media-client.nix # TODO: media-server
./router.nix
./ntp-server.nix
./torrent.nix
./virtualisation.nix


@ -23,6 +23,7 @@ in {
picocom
screen
hyperfine
nixfmt
];
}
# Architecture-specific packages and configuration
@ -35,16 +36,20 @@ in {
(lib.mkIf (!pkgs.stdenv.isx86_64) {
boot.binfmt.emulatedSystems = [ "x86_64-linux" "i686-linux" ];
})
# Install CLion only if we are on x86_64
(lib.mkIf (pkgs.stdenv.isx86_64) {
environment.systemPackages = with pkgs; [ jetbrains.clion ];
(lib.mkIf (builtins.currentSystem != "riscv64-linux") {
boot.binfmt.emulatedSystems = [ "riscv64-linux" ];
})
# Install vscode only if we are on x86_64 or aarch64 or aarch32
(lib.mkIf
(pkgs.stdenv.isx86_64 || pkgs.stdenv.isAarch64 || pkgs.stdenv.isAarch32) {
environment.systemPackages = with pkgs; [ vscode ];
})
/* # Install CLion only if we are on x86_64
(lib.mkIf (pkgs.stdenv.isx86_64) {
environment.systemPackages = with pkgs; [ jetbrains.clion ];
})
# Install vscode only if we are on x86_64 or aarch64 or aarch32
(lib.mkIf
(pkgs.stdenv.isx86_64 || pkgs.stdenv.isAarch64 || pkgs.stdenv.isAarch32) {
environment.systemPackages = with pkgs; [ vscode ];
})
*/
]);
}
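Review bot: `lib.mkIf (builtins.currentSystem != "riscv64-linux")` is unlikely to evaluate under the flake: `builtins.currentSystem` is not available in pure evaluation mode, so every host would need `--impure`, which the README only expects for Apple Silicon firmware. The surrounding block already uses `pkgs.stdenv.is*` predicates; the consistent form is `(lib.mkIf (pkgs.stdenv.hostPlatform.system != "riscv64-linux") {`. The CLion/vscode conditions are commented out with `/* … */` rather than removed; if they are meant to come back, a short `# disabled: not building on riscv64 yet` comment explains why they are parked.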


@ -2,121 +2,138 @@
let cfg = config.my.roles.graphical;
in {
options.my.roles.graphical.enable = lib.mkEnableOption "Enable GUI";
config = lib.mkIf (cfg.enable) {
environment.systemPackages = with pkgs; [
firefox
alacritty
pavucontrol
bottom
mpv
glib
ffmpeg
cinnamon.nemo
usbmuxd
keepassxc
];
# When adding pkgs prefer GTK over Qt, because Qt bad GTK good
services.greetd = {
enable = true;
vt = 7;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";
};
};
};
programs.sway = {
enable = true;
extraPackages = with pkgs; [
waybar
grim
slurp
wf-recorder
sway-launcher-desktop
swaybg
swayidle
swaylock
poweralertd
kanshi
libsForQt5.qt5ct
mako
brightnessctl
wdisplays
options.my.roles.graphical.enable = lib.mkEnableOption "Enable GUI (sway)";
options.my.roles.graphical.basic.enable =
lib.mkEnableOption "Enable GUI (MATE)";
config = lib.mkMerge [
(lib.mkIf (cfg.enable) {
environment.systemPackages = with pkgs; [
firefox
alacritty
pavucontrol
bottom
mpv
glib
ffmpeg
cinnamon.nemo
usbmuxd
keepassxc
];
wrapperFeatures.gtk = true;
};
# When adding pkgs prefer GTK over Qt, because Qt bad GTK good
xdg.portal = {
enable = true;
wlr.enable = true;
};
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
alsa.support32Bit = true;
};
qt = {
enable = true;
platformTheme = "gtk2";
style = "gtk2";
};
services.dbus.enable = true;
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-cjk-sans
noto-fonts-cjk-serif
noto-fonts-emoji
jetbrains-mono
font-awesome
#google-fonts
liberation_ttf
open-sans
roboto
roboto-mono
kochi-substitute
];
environment.sessionVariables.NIXOS_OZONE_WL =
"1"; # Enable wayland for electron
home-manager.users.ivabus = {
gtk = {
services.greetd = {
enable = true;
theme = {
name = "Catppuccin-Macchiato-Standard-Blue-dark";
package = pkgs.catppuccin-gtk.override {
accents = [ "blue" ];
tweaks = [ "rimless" ];
size = "standard";
variant = "macchiato";
vt = 7;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd sway";
user = "greeter";
};
};
iconTheme = {
name = "Mint-Y-Blue";
package = pkgs.cinnamon.mint-y-icons;
};
programs.sway = {
enable = true;
extraPackages = with pkgs; [
waybar
grim
slurp
wf-recorder
sway-launcher-desktop
swaybg
swayidle
swaylock
poweralertd
kanshi
libsForQt5.qt5ct
mako
brightnessctl
wdisplays
];
wrapperFeatures.gtk = true;
};
xdg.portal = {
enable = true;
wlr.enable = true;
};
environment.sessionVariables.NIXOS_OZONE_WL =
"1"; # Enable wayland for electron
home-manager.users.ivabus = {
gtk = {
enable = true;
theme = {
name = "Catppuccin-Macchiato-Standard-Blue-dark";
package = pkgs.catppuccin-gtk.override {
accents = [ "blue" ];
tweaks = [ "rimless" ];
size = "standard";
variant = "macchiato";
};
};
iconTheme = {
name = "Mint-Y-Blue";
package = pkgs.cinnamon.mint-y-icons;
};
cursorTheme = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
};
font = {
name = "Ubuntu";
size = 9;
package = pkgs.ubuntu_font_family;
};
};
cursorTheme = {
home.pointerCursor = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
};
font = {
name = "Ubuntu";
size = 9;
package = pkgs.ubuntu_font_family;
x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
};
};
home.pointerCursor = {
name = "Catppuccin-Macchiato-Dark-Cursors";
package = pkgs.catppuccin-cursors.macchiatoDark;
x11.defaultCursor = "Catppuccin-Macchiato-Dark-Cursors";
})
(lib.mkIf (cfg.basic.enable) {
environment.systemPackages = with pkgs; [ firefox ubuntu-themes ];
services.xserver.desktopManager.mate.enable = true;
networking.networkmanager.enable = lib.mkForce true;
networking.networkmanager.wifi.backend = "iwd";
programs.nm-applet.enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.enable = true;
services.xserver.layout = "us,ru";
services.xserver.xkbOptions = "grp:alt_shift_toggle";
})
(lib.mkIf (cfg.basic.enable || cfg.enable) {
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
alsa.support32Bit = true;
};
};
};
qt = {
enable = true;
platformTheme = "gtk2";
style = "gtk2";
};
services.dbus.enable = true;
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-cjk-sans
noto-fonts-cjk-serif
noto-fonts-emoji
jetbrains-mono
font-awesome
#google-fonts
liberation_ttf
open-sans
roboto
roboto-mono
kochi-substitute
];
})
];
}
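Review bot: Nothing prevents `cfg.enable` (sway via greetd) and `cfg.basic.enable` (MATE via sddm) from being set together, and both branches then enable a display manager plus conflicting session setups; add an `assertions` entry under `config` with `assertion = !(cfg.enable && cfg.basic.enable);` and a message naming the two options. The sway branch also configures `home-manager.users.ivabus` unconditionally, while `git.nix` in this same commit guards its home-manager block with `config.my.users.ivabus.enable`; the same guard is needed here so a host with the graphical role but without the ivabus user does not configure home-manager for a missing account. `networking.networkmanager.enable = lib.mkForce true;` in the basic branch hides whatever other module disabled it — a plain assignment, or a comment saying what it overrides, would be clearer.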

roles/router.nix Normal file

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
let cfg = config.my.roles.router;
in {
options.my.roles.router.enable =
lib.mkEnableOption "Enable router capabilities";
options.my.roles.router.interfaces.wan = lib.mkOption {
type = lib.types.str;
default = "wan0";
description = ''
WAN interface name.
'';
};
options.my.roles.router.interfaces.lan = lib.mkOption {
type = lib.types.str;
default = "lan0";
description = ''
LAN interface name.
'';
};
config = lib.mkIf (cfg.enable) {
boot.kernel.sysctl = lib.mkForce {
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.all.autoconf" = 0;
"net.ipv6.conf.all.use_tempaddr" = 0;
# On WAN, allow IPv6 autoconfiguration and tempory address use.
"net.ipv6.conf.${cfg.interfaces.wan}.accept_ra" = 2;
"net.ipv6.conf.${cfg.interfaces.wan}.autoconf" = 1;
};
services = {
avahi = {
enable = true;
allowInterfaces = [ "${cfg.interfaces.lan}" ];
ipv4 = true;
ipv6 = true;
reflector = true;
};
dhcpd4 = {
enable = true;
interfaces = [ "${cfg.interfaces.lan}" ];
extraConfig = ''
option domain-name-servers 1.1.1.1, 8.8.8.8;
option subnet-mask 255.255.255.0;
subnet 192.168.1.0 netmask 255.255.255.0 {
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
interface ${cfg.interfaces.lan};
range 192.168.1.64 192.168.1.254;
}
'';
};
};
networking = {
nat = {
enable = true;
externalInterface = "${cfg.interfaces.wan}";
internalInterfaces = [ "${cfg.interfaces.lan}" ];
internalIPs = [ "192.168.0.0/24" "192.168.1.0" /24 ];
};
};
};
}
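Review bot: `internalIPs = [ "192.168.0.0/24" "192.168.1.0" /24 ];` is broken — the `/24` outside the quotes is a Nix path literal, so the list has a third non-string element and the option fails type checking; it also names `192.168.0.0/24` while the dhcpd subnet a few lines up is `192.168.1.0/24`. It should read `internalIPs = [ "192.168.1.0/24" ];`. `boot.kernel.sysctl = lib.mkForce { … }` replaces the whole sysctl attribute set, so any `net.*` or `kernel.*` entry contributed by other modules on the host is discarded rather than merged; dropping `lib.mkForce` lets the entries coexist. Since this host is described as "firewall + router", the role should also state its trust boundary explicitly, e.g. `networking.firewall.trustedInterfaces = [ cfg.interfaces.lan ];`, and a comment noting that `services.dhcpd4` is deprecated upstream in favour of `services.kea` would save the next person a surprise while the role is still WIP.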


@ -1,8 +1,9 @@
{ config, ... }:
let
canaryHash = builtins.hashFile "sha256" ./secrets/canary;
expectedHash =
"bc6f38a927602241c5e0996b61ebd3a90d5356ca76dc968ec14df3cd45c6612c";
in if canaryHash != expectedHash then
in if (canaryHash != expectedHash && config.my.features.secrets) then
abort "Secrets are not readable. Have you run `git-crypt unlock`?"
else {
hashed-password = builtins.readFile ./secrets/hashed-password;