diff --git a/common/base.nix b/common/base.nix index 6d6d333..44d96c6 100644 --- a/common/base.nix +++ b/common/base.nix @@ -10,10 +10,7 @@ in { experimental-features = nix-command flakes ''; settings = { - auto-optimise-store = true; - allowed-users = [ "root" "@wheel" ]; - trusted-users = [ "root" "@wheel" ]; - #sandbox = true; + sandbox = true; }; gc = { automatic = true; @@ -27,14 +24,15 @@ in { man.enable = true; }; - environment.systemPackages = with pkgs; + # mkDefaulting due to python3Minimal and python3Full collision + environment.systemPackages = lib.mkDefault (with pkgs; [ wget curl git git-crypt neovim python3Minimal ] ++ lib.optionals pkgs.stdenv.isLinux [ usbutils pciutils coreutils killall - ]; + ]); # Inject secrets through module arguments while evaluating configs. _module.args.secrets = secrets; } diff --git a/common/user.nix b/common/user.nix index 85b40c5..aa1bd4c 100644 --- a/common/user.nix +++ b/common/user.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, secrets, ... }: +{ config, pkgs, lib, secrets, home-manager, ... }: let cfg = config.my.users; @@ -35,6 +35,9 @@ in rec { hashedPassword = secrets.hashed-password; }; programs.gnupg.agent.enable = true; + home-manager.users.ivabus = { + + }; }) (lib.mkIf (cfg.user.enable) { diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..9979e40 --- /dev/null +++ b/flake.lock 
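Review bot: Dropping `allowed-users` and `trusted-users` from `settings` in the first hunk of common/base.nix changes who may talk to the Nix daemon on every host importing this file, and nothing in the hunk records that this is intended. Removing `@wheel` from `trusted-users` is a tightening, but without `allowed-users` the setting falls back to the Nix default, which as far as I know admits all local users. If the restriction to root and wheel was deliberate, keep `allowed-users = [ "root" "@wheel" ];` next to the new `sandbox = true;`; otherwise add a comment such as `# allowed-users intentionally left at the Nix default`. The enclosing `nix` block starts outside the hunk.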
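Review bot: Wrapping the whole `environment.systemPackages` list in `lib.mkDefault` (second hunk of common/base.nix) means any module that defines the option at normal priority replaces this list instead of merging with it, so the base tools (git-crypt, curl, neovim and the rest) silently disappear on such hosts. machines/celerrime-x/default.nix and the new machines/effundam-x/default.nix in this commit both define `environment.systemPackages` without `mkDefault`, so they appear to lose the base set. If the python3Minimal/python3Full collision is the only problem, it would be narrower to keep the list at normal priority and move `python3Minimal` to the hosts that want it. At minimum the comment should say `# mkDefault: any host that sets systemPackages drops this whole list`.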
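Review bot: The added `home-manager.users.ivabus = { };` in the second hunk of common/user.nix is an empty attribute set. With the pinned home-manager release a user configuration normally needs `home.stateVersion`, so this may fail evaluation where the home-manager module is imported, and on a host that does not import the module the option path would not exist at all. Either fill it in, e.g. `home.stateVersion = "23.05";` to match the `release-23.05` ref in flake.lock, or leave the block out until it has content. The `home-manager` argument added to the function head in the first hunk of this file is not used by any visible line, and the surrounding `lib.mkIf` block begins outside the hunk.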
@@ -0,0 +1,139 @@ +{ + "nodes": { + "apple-silicon-support": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1697932818, + "narHash": "sha256-Nl/8nvRA2AVP6uQo5u4AKnvLJyAH2Xn+v0NHhqGAH6M=", + "owner": "tpwrules", + "repo": "nixos-apple-silicon", + "rev": "08cea2d8b6b32b5dd3976d369863d4b22a22f2b4", + "type": "github" + }, + "original": { + "owner": "tpwrules", + "repo": "nixos-apple-silicon", + "type": "github" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1695108154, + "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "07682fff75d41f18327a871088d20af2710d4744", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1698429334, + "narHash": "sha256-Gq3+QabboczSu7RMpcy79RSLMSqnySO3wsnHQk4DfbE=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "afe83cbc2e673b1f08d32dd0f70df599678ff1e7", + "type": "github" + }, + "original": { + "owner": "LnL7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1697723726, + "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0", + "type": "github" + }, + "original": { + "owner": 
"nixos", + "repo": "nixpkgs", + "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1698611440, + "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "apple-silicon-support": "apple-silicon-support", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixpkgs": "nixpkgs_2" + } + }, + "rust-overlay": { + "flake": false, + "locked": { + "lastModified": 1686795910, + "narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 52d3e29..2dfd60e 100644 --- a/flake.nix +++ b/flake.nix @@ -74,6 +74,13 @@ [ home-manager.darwinModules.home-manager ./machines/celerrime-x ]; }; + # effundam (Macbook as a Server for a little while) under macOS + darwinConfigurations."effundam-x" = nix-darwin.lib.darwinSystem { + system = "aarch64-darwin"; + modules = + [ home-manager.darwinModules.home-manager ./machines/effundam-x ]; + }; + # These machines will be configured later. /* # Effundam = MacBook Air M1 (server usage). Will not be added to flake.nix until thunderbolt and apfs proper support nixosConfigurations."effundam" = nixpkgs.lib.nixosSystem { diff --git a/machines/celerrime-x/default.nix b/machines/celerrime-x/default.nix index d41f7fa..79c1914 100644 --- a/machines/celerrime-x/default.nix +++ b/machines/celerrime-x/default.nix 
@@ -1,9 +1,9 @@ { pkgs, home, lib, ... }: { # Cannot use "my" for a while. Need to adapt it not to be linux-only - imports = [ ../../common/base.nix ../../common/git.nix ]; + imports = [ ../../common/base.nix ]; nixpkgs.config.allowUnfree = true; - environment.systemPackages = lib.mkForce (with pkgs; [ + environment.systemPackages = with pkgs; [ neofetch vscode @@ -21,8 +21,7 @@ picocom screen hyperfine - ]); - + ]; security.pam.enableSudoTouchIdAuth = true; networking = { 
@@ -32,28 +31,28 @@ hostName = "celerrime-x"; # ugly computerName = "cellerime on X"; # pretty }; - my.git.enable = true; + environment.shells = with pkgs; [ zsh ]; programs.zsh = { enable = true; promptInit = ""; }; - /* users.users.ivabus.home = "/Users/ivabus"; - users.users.ivabus.openssh.authorizedKeys.keys = [ - # i should somehow reuse it from common/user.nix - # celerrime-x - "ssh-rsa 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" + users.users.ivabus.home = "/Users/ivabus"; + users.users.ivabus.openssh.authorizedKeys.keys = [ + # i should somehow reuse it from common/user.nix + # celerrime-x + "ssh-rsa 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" - # Stella - "ssh-rsa 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 ivabus@stella" + # Stella + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXWPxd1uVVxEARVezy0s0LZ9fC/Mif6s218oNWDyJNqZMnAiaMwwP/mGHqCy1OXFCb8/5Kv3AM+z6sxY4mIvyXhx3lPW841HoOlJxR+JQ50qgxon/oCXjKFVMZjFptRtexgQLhubhjyINagj7T/K6UjsfC9sIG5DUJdem0O8ZD/8EqvIrkeNGP52klJM3sR4vhXMNwOIPkukNOMq+OLXgAaCXRImc53N+Whi/tCaxxr/Nen5CVGo9raAekRKaiBLKvgboXYnxzNFxiecUe7mqPbyE2bcnJ+rDC7UlwrNYGyIQ/8POjQwbanFxT4UJhS5ib6/hSpia0eYaSiutBqU3fQcIXrmTQWOrGPdrUsLHw5xGMfwnPmoDFMYHdcchU0v6QijbrHrsqVV/bikWoQF4JT7PCwOejfVowOioPghvW2u34gTyMKPkueaMk0w8Jq45V0meneyN5SbobqZX3XFze4Uz3BN8nuiZB6pFRPv0eKLqEqX8+nST9uQDBkqKTvwE= ivabus@stella" - # Celerrime - "ssh-rsa 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 ivabus@celerrime" - ]; - - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - */ + # Celerrime + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQCgZJjP2BRycxcR53sriaityzT24f+umMO8iz/xUvWRUJpgwA4WJyqgKwxuIhKYPUZ7e3H/vVPrt3ZqAaqoFM7OildtcXyRskwinuAxE6lhOEE69s1M3iqCXbrTM9YluMlrvf7yd4edInH0jdlCTwuZOY+yisrGU+nOpSSuJgcwlme2fv1pQtKgTQpqz1GflIaXm5415Do4okanNlfuAJXix7ic0PkaLN0gTtONqwJR1W3hkF8hnlHV49t8QvrJHgQptbVdDgd9f96+a6OL6y/6rixnEU23yuC29lWxSwrixwC0xY+/CjhMlDzXqvePG55vC4K5UQypKcvMOCLV/0z9s5m0ca5mvS9eqPDcUj2+9r7VFaL0IdZl4i7eG9JJSS4h/22Or7CdU9Dv0kiMYP3HLiihjS/lrQVEEYpEMr3DmhSnij5DeGZFmMRM2UN5ZqR7/QhkslhQg340ik6ZENjpxuQ9rQino5XRK52DoUiLHleKI/ibBHQ4LiREvX9muyM= ivabus@celerrime" + ]; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; services.nix-daemon.enable = true; + nix.package = lib.mkForce pkgs.nix; + nix.settings.sandbox = lib.mkForce false; } diff --git a/machines/effundam-x/default.nix b/machines/effundam-x/default.nix new file mode 100644 index 0000000..2713d6d --- /dev/null +++ b/machines/effundam-x/default.nix 
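Review bot: `nix.settings.sandbox = lib.mkForce false;` at the end of this hunk turns build sandboxing off for celerrime-x with no comment saying why, while common/base.nix in the same commit sets `sandbox = true;` for every host. Unsandboxed builds can read the host filesystem and reach the network, so the exception should be documented and kept as narrow as possible, for example `nix.settings.sandbox = lib.mkForce false; # <reason sandbox is off on this host>`, or by trying `"relaxed"` first. The new machines/effundam-x/default.nix does not carry the override, so the two darwin hosts end up with different sandbox settings; if that is unintended, set it once in a shared darwin module. The same hunk also re-enables three inline `authorizedKeys` entries that its own comment says should be reused from common/user.nix.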
@@ -0,0 +1,49 @@ +{ pkgs, home, lib, ... }: { + # Cannot use "my" for a while. Need to adapt it not to be linux-only + imports = [ ../../common/base.nix ]; + + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ + neofetch + ]; + + security.pam.enableSudoTouchIdAuth = true; + + networking = { + hostName = "effundam-x"; # ugly + computerName = "effundam on X"; # pretty + }; + + /* + services.navidrome = { + enable = true; + settings = { + Port = 4544; + Address = "0.0.0.0"; + MusicFolder = "/Users/ivabus/Music"; + }; + };*/ + + environment.shells = with pkgs; [ zsh ]; + programs.zsh = { + enable = true; + promptInit = ""; + }; + users.users.ivabus.home = "/Users/ivabus"; + users.users.ivabus.openssh.authorizedKeys.keys = [ + # i should somehow reuse it from common/user.nix + # celerrime-x + "ssh-rsa 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" + + # Stella + "ssh-rsa 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 ivabus@stella" + + # Celerrime + "ssh-rsa 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 ivabus@celerrime" + ]; + + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + + services.nix-daemon.enable = true; +} diff --git a/machines/rubusidaeus/default.nix b/machines/rubusidaeus/default.nix index 1aa3227..306c0e5 100644 --- a/machines/rubusidaeus/default.nix +++ b/machines/rubusidaeus/default.nix @@ -73,6 +73,16 @@ in { enableACME = true; forceSSL = true; }; + virtualHosts."storage.ivabus.dev" = { + locations."/".proxyPass = "http://${secrets.maas-address}:80"; + enableACME = true; + forceSSL = true; + }; + virtualHosts."git.ivabus.dev" = { + locations."/".proxyPass = "http://${secrets.maas-address}:3000"; + enableACME = true; + forceSSL = true; + }; }; diff --git a/secrets/maas-address b/secrets/maas-address index 9176fd4..91559af 100644 Binary files a/secrets/maas-address and b/secrets/maas-address differ
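Review bot: The `users.users.ivabus.openssh.authorizedKeys.keys` list in the new machines/effundam-x/default.nix is another copy of the three keys (celerrime-x, Stella, Celerrime) already listed in machines/celerrime-x/default.nix and, per the inline comment, in common/user.nix. On a host described as a server, revoking or rotating a key then requires editing every copy, and a missed copy leaves the old key able to log in. Define the list once and reference it from each host, e.g. `users.users.ivabus.openssh.authorizedKeys.keys = import ../../common/ssh-keys.nix;` (the path is a placeholder). Separately, the `home` argument in the function head is unused, and the commented-out navidrome block would listen on `0.0.0.0` if it is ever enabled as written.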
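Review bot: Both new virtual hosts in machines/rubusidaeus/default.nix terminate TLS at nginx but forward to `http://${secrets.maas-address}` in cleartext, so traffic for storage.ivabus.dev and git.ivabus.dev, including credentials and repository contents, crosses the hop to the backend unencrypted. If that address is not loopback or a trusted private link, proxy over https or tunnel the hop, and record which it is with a comment such as `# maas-address is reachable only over <private link>`. The interpolated address is also written into the generated nginx configuration, which on NixOS normally lives in the world-readable store, so keeping it under secrets/ hides it in the repository only. The enclosing nginx block starts and ends outside the hunk.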