From 7520235965872ae1103398a14a3ab3d778acfea9 Mon Sep 17 00:00:00 2001 
From: noe Date: Mon, 11 Dec 2023 18:18:41 -0500 Subject: [PATCH] Reset from zero --- .editorconfig | 7 + .envrc | 1 + .gitignore | 4 + .sops.yaml | 29 + Justfile | 64 ++ darwin/common.nix | 50 ++ darwin/hosts/noe-air/default.nix | 13 + darwin/hosts/work-mac/default.nix | 25 + darwin/user.nix | 4 + flake.lock | 564 ++++++++++++++++++ flake.nix | 143 +++++ home-manager/features/direnv.nix | 13 + home-manager/features/git.nix | 7 + home-manager/noe/common/default.nix | 34 ++ home-manager/noe/common/home-user.nix | 10 + home-manager/noe/common/work-user.nix | 11 + home-manager/noe/hosts/noe-air.nix | 6 + home-manager/noe/hosts/thonkpad.nix | 6 + home-manager/noe/hosts/work-mac.nix | 6 + modules/darwin/default.nix | 3 + modules/home-manager/default.nix | 3 + modules/nixos/default.nix | 3 + modules/nixos/pod.nix | 59 ++ nixos/base.nix | 69 +++ nixos/client.nix | 19 + nixos/features/fonts.nix | 20 + nixos/features/podman.nix | 18 + nixos/features/sops.nix | 9 + nixos/features/sound.nix | 12 + nixos/features/systemd-boot.nix | 4 + nixos/features/tailscale.nix | 5 + nixos/features/wifi.nix | 9 + nixos/features/xfce.nix | 22 + nixos/hosts/blueberry/default.nix | 55 ++ .../blueberry/hardware-configuration.nix | 37 ++ nixos/hosts/thonkpad/default.nix | 15 + .../hosts/thonkpad/hardware-configuration.nix | 38 ++ nixos/hosts/thonkpad/orig.nix | 163 +++++ nixos/server.nix | 20 + nixos/users/noe.nix | 28 + nixpkgs.nix | 8 + overlays/default.nix | 33 + pkgs/default.nix | 2 + secrets/default.yaml | 42 ++ shell.nix | 19 + tools/onboard-machine.js | 71 +++ 46 files changed, 1783 insertions(+) create mode 100644 .editorconfig create mode 100644 .envrc create mode 100644 .gitignore create mode 100644 .sops.yaml create mode 100644 Justfile create mode 100644 darwin/common.nix create mode 100644 darwin/hosts/noe-air/default.nix create mode 100644 darwin/hosts/work-mac/default.nix create mode 100644 darwin/user.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 
100644 home-manager/features/direnv.nix create mode 100644 home-manager/features/git.nix create mode 100644 home-manager/noe/common/default.nix create mode 100644 home-manager/noe/common/home-user.nix create mode 100644 home-manager/noe/common/work-user.nix create mode 100644 home-manager/noe/hosts/noe-air.nix create mode 100644 home-manager/noe/hosts/thonkpad.nix create mode 100644 home-manager/noe/hosts/work-mac.nix create mode 100644 modules/darwin/default.nix create mode 100644 modules/home-manager/default.nix create mode 100644 modules/nixos/default.nix create mode 100644 modules/nixos/pod.nix create mode 100644 nixos/base.nix create mode 100644 nixos/client.nix create mode 100644 nixos/features/fonts.nix create mode 100644 nixos/features/podman.nix create mode 100644 nixos/features/sops.nix create mode 100644 nixos/features/sound.nix create mode 100644 nixos/features/systemd-boot.nix create mode 100644 nixos/features/tailscale.nix create mode 100644 nixos/features/wifi.nix create mode 100644 nixos/features/xfce.nix create mode 100644 nixos/hosts/blueberry/default.nix create mode 100644 nixos/hosts/blueberry/hardware-configuration.nix create mode 100644 nixos/hosts/thonkpad/default.nix create mode 100644 nixos/hosts/thonkpad/hardware-configuration.nix create mode 100644 nixos/hosts/thonkpad/orig.nix create mode 100644 nixos/server.nix create mode 100644 nixos/users/noe.nix create mode 100644 nixpkgs.nix create mode 100644 overlays/default.nix create mode 100644 pkgs/default.nix create mode 100644 secrets/default.yaml create mode 100644 shell.nix create mode 100644 tools/onboard-machine.js diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..b3dfee7 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,7 @@ +root = true + +[*] +end_of_line = lf +insert_final_newline = true +indent_style = space +indent_size = 2 diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..44610e5 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake; 
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b5c0414 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +result +.sops.keys +.username +.direnv \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b9b76e4 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,29 @@ +keys: &all + - &op_noe age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd + - &op_noe_2 age1p0f62dwatt558sf5s4equdqwtg5m7lsnaytrf3xjnvmx3e0lqu4svtugyp + - &m_thonkpad age1f5cqspxexkl8f42v5ne47mx6xmm4v00lafdlslq9g79a508e4p9qrku72s + - &m_blueberry age1ts3t7q08cthuwj39juajve2jjk0rw28ljzesnrmnkwd0n7zs49kq7dgxnm + - &m_work-mac age14vsmekuppm4xhp4rthhv9jjgzfv45v39a0q8dsgg6yusw0pjkvaqnr9kq8 + +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: *all + - path_regex: secrets/thonkpad/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *op_noe + - *op_noe_2 + - *m_thonkpad + - path_regex: secrets/blueberry/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *op_noe + - *op_noe_2 + - *m_blueberry + - path_regex: secrets/work-mac/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *op_noe + - *op_noe_2 + - *m_work-mac diff --git a/Justfile b/Justfile new file mode 100644 index 0000000..5ee187f --- /dev/null +++ b/Justfile 
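Review bot: The four `path_regex` values in `creation_rules` are not anchored, and sops matches them anywhere in the path (Go `regexp` search semantics, if I recall correctly), so a file such as `other/secrets/foo.yaml` would also be encrypted to the all-keys group. Anchoring them, e.g. `- path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$` and the same `^` prefix on the three host rules, makes rule selection unambiguous. Separately, the first rule encrypts everything directly under `secrets/` to every machine key listed in `*all`, so each host can decrypt every entry in `secrets/default.yaml`; a one-line comment above `creation_rules` saying that shared secrets live there and host-only secrets go in the per-host directories would make that intent explicit for the next reader.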
@@ -0,0 +1,64 @@
+# Build the system config and switch to it when running `just` with no args
+default: switch
+
+hostname := `hostname | cut -d "." -f 1`
+work_mac_impure := `if [ $(hostname) = "AMERMACC02G65A8MD6T" ]; then echo "--impure"; else echo ""; fi`
+
+# Build the nix-darwin system configuration without switching to it
+[macos]
+build target_host=hostname flags="":
+ @echo "Building nix-darwin config..."
+ nix --extra-experimental-features 'nix-command flakes' build {{work_mac_impure}} ".#darwinConfigurations.{{target_host}}.system" {{flags}}
+
+# Build the nix-darwin config with the --show-trace flag set
+[macos]
+trace target_host=hostname: (build target_host "--show-trace")
+
+# Build the nix-darwin configuration and switch to it
+[macos]
+switch target_host=hostname: (build target_host)
+ @echo "switching to new config for {{target_host}}"
+ # if macOS updates and overwrites /etc/shells, nix will refuse to update it
+ sudo mv /etc/shells /tmp/shells.bak
+ ./result/sw/bin/darwin-rebuild switch {{work_mac_impure}} --flake ".#{{target_host}}"
+
+# Reload the skhd (hotkey daemon) service to apply new config. Workaround for config changes not being auto-detected.
+[macos]
+reload-skhd:
+ launchctl stop org.nixos.skhd && launchctl start org.nixos.skhd && sleep 1 && skhd -r
+
+# on asahi linux, we need to pass the --impure flag to read in firmware files
+rebuild_flags := `if [ -d /boot/asahi ]; then echo "--impure"; else echo ""; fi`
+
+
+# Build the NixOS configuration without switching to it
+[linux]
+build target_host=hostname flags="":
+ nixos-rebuild build --flake .#{{target_host}} {{rebuild_flags}} {{flags}}
+
+# Build the NixOS config with the --show-trace flag set
+[linux]
+trace target_host=hostname: (build target_host "--show-trace")
+
+# Build the NixOS configuration and switch to it.
+[linux]
+switch target_host=hostname:
+ sudo nixos-rebuild switch --flake .#{{target_host}} {{rebuild_flags}}
+
+# Update flake inputs to their latest revisions
+update:
+ nix flake update
+
+# Garbage collect old OS generations and remove stale packages from the nix store
+gc generations="5d":
+ sudo nix-env --delete-generations {{generations}}
+ sudo nix-store --gc
+
+# Add a machine's age key for SOPS
+sops-add machine_name target:
+ bun tools/onboard-machine.js {{machine_name}} {{target}}
+ sops updatekeys -y secrets/default.yaml
+
+sops-generate-keys:
+ sudo cat /etc/ssh/ssh_host_ed25519_key | ssh-to-age --private-key > .sops.keys
+ cat ~/.ssh/id_ed25519 | ssh-to-age --private-key >> .sops.keys
\ No newline at end of file
diff --git a/darwin/common.nix b/darwin/common.nix
new file mode 100644
index 0000000..950f9d8
--- /dev/null
+++ b/darwin/common.nix
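Review bot: `sops-generate-keys` writes the age private keys derived from the host SSH key and from `~/.ssh/id_ed25519` into `.sops.keys` through a plain shell redirection, so the file is created with the caller's default umask (typically mode 0644) and is readable by every local account; being gitignored keeps it out of the repository but not off the disk. Creating it under a restrictive umask fixes that, e.g. `(umask 077; sudo cat /etc/ssh/ssh_host_ed25519_key | ssh-to-age --private-key > .sops.keys)` and `(umask 077; cat ~/.ssh/id_ed25519 | ssh-to-age --private-key >> .sops.keys)`. The macOS `switch` recipe (earlier in this hunk) also moves `/etc/shells` to the world-writable `/tmp` and never restores it, so a failed `darwin-rebuild switch` leaves the system without `/etc/shells`; a `sudo cp -p` to a backup that is restored on failure would be safer than the unconditional `mv`.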
@@ -0,0 +1,50 @@ +{ pkgs, lib, inputs, outputs, ...}: let + inherit (inputs) nixpkgs; +in { + imports = [ + inputs.sops-nix-darwin.darwinModules.sops + inputs.home-manager.darwinModules.home-manager + ]; + + # pin nixpkgs in the system flake registry to the revision used + # to build the config + nix.registry.nixpkgs.flake = nixpkgs; + nixpkgs.config.allowUnfree = true; + nixpkgs.config.overlays = [ + (final: prev: lib.optionalAttrs (prev.stdenv.system == "aarch64-darwin") { + # Add access to x86 packages system is running Apple Silicon + pkgs-x86 = import nixpkgs { + system = "x86_64-darwin"; + config.allowUnfree = true; + }; + }) + ]; + + # Keep nix upgraded + services.nix-daemon.enable = true; + nix.package = pkgs.nix; + + # Enable flakes, and enrich apple silicon + nix.extraOptions = '' + experimental-features = nix-command flakes repl-flake + ''+ lib.optionalString (pkgs.system == "aarch64-darwin") '' + extra-platforms = x86_64-darwin aarch64-darwin + ''; + + programs.zsh.enable = true; + programs.fish.enable = true; + + environment.shells = [ + pkgs.fish + pkgs.zsh + pkgs.bashInteractive + ]; + users.users.root.shell = pkgs.fish; + + #system.configurationRevision = self.rev or self.dirtyRev or null; + system.stateVersion = 4; + + security.pam.enableSudoTouchIdAuth = true; + + home-manager.extraSpecialArgs = { inherit inputs outputs; }; +} diff --git a/darwin/hosts/noe-air/default.nix b/darwin/hosts/noe-air/default.nix new file mode 100644 index 0000000..62d074b --- /dev/null +++ b/darwin/hosts/noe-air/default.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: { + imports = [ + ../../common.nix + ]; + + programs.fish.enable = true; + + users.users.noe = (import ../../user.nix) "noe" // { + shell = pkgs.fish; + }; + + home-manager.users.noe = import ../../../home-manager/noe/hosts/noe-air.nix; +} diff --git a/darwin/hosts/work-mac/default.nix b/darwin/hosts/work-mac/default.nix new file mode 100644 index 0000000..c593afa --- /dev/null +++ b/darwin/hosts/work-mac/default.nix 
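Review bot: The `pkgs-x86` overlay in darwin/common.nix is assigned to `nixpkgs.config.overlays`, which as far as I can tell is not an option nix-darwin or nixpkgs reads — overlays are applied through `nixpkgs.overlays`, while `nixpkgs.config` is a free-form attribute set that accepts the unknown key silently, so the overlay is most likely never applied and `pkgs.pkgs-x86` does not exist. Changing the line to `nixpkgs.overlays = [` should be enough, since the overlay body itself looks fine. The comment above it, `# Add access to x86 packages system is running Apple Silicon`, is missing a word; `# Add access to x86 packages when the system is running on Apple Silicon` reads as intended.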
@@ -0,0 +1,25 @@ +{ pkgs, ... }: let + username = builtins.getEnv "USER"; +in { + imports = [ + ../../common.nix + ]; + + users.users.${username} = (import ../../user.nix) username // { + shell = pkgs.fish; + }; + + home-manager.users.${username} = import ../../../home-manager/noe/hosts/work-mac.nix; + + environment.systemPackages = + with pkgs; [ + vim + neovim + tfswitch + awscli2 + kubectl + jq + nil + direnv + ]; +} \ No newline at end of file diff --git a/darwin/user.nix b/darwin/user.nix new file mode 100644 index 0000000..4f191ae --- /dev/null +++ b/darwin/user.nix @@ -0,0 +1,4 @@ +username: { + name = username; + home = "/Users/${username}"; +} \ No newline at end of file diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..572c5b7 --- /dev/null +++ b/flake.lock 
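Review bot: `username = builtins.getEnv "USER"` in darwin/hosts/work-mac/default.nix evaluates to the empty string under pure evaluation or when `USER` is unset, and nothing guards against that, so the configuration would silently define `users.users.""` with home `/Users/` instead of failing. A guard on the `in` line, `in assert username != ""; {`, together with a comment such as `# impure: reads $USER at evaluation time, so this host must be built with --impure (see Justfile)`, turns the failure mode into a clear error. The same unguarded `builtins.getEnv "USER"` appears in home-manager/noe/common/work-user.nix further down and deserves the same check.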
@@ -0,0 +1,564 @@ +{ + "nodes": { + "apple-silicon": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1700436815, + "narHash": "sha256-+txRDmFuI/dW/ZmacfDrqSsKiWTNLmRygej25u2ojNM=", + "owner": "tpwrules", + "repo": "nixos-apple-silicon", + "rev": "14b327ca47703c376ebb82ba16dc42ca2baa57d8", + "type": "github" + }, + "original": { + "owner": "tpwrules", + "repo": "nixos-apple-silicon", + "type": "github" + } + }, + "base16-schemes": { + "flake": false, + "locked": { + "lastModified": 1689473676, + "narHash": "sha256-L0RhUr9+W5EPWBpLcmkKpUeCEWRs/kLzVMF3Vao2ZU0=", + "owner": "tinted-theming", + "repo": "base16-schemes", + "rev": "d95123ca6377cd849cfdce92c0a24406b0c6a789", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-schemes", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "repo": "nix-darwin", + "type": "github" + } + }, + "firefox-addons": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "dir": "pkgs/firefox-addons", + "lastModified": 1702267377, + "narHash": "sha256-l1wYWeqicyizoMS/yrBFR55wMg4bCrzW/MABSreBDM8=", + "owner": "rycee", + "repo": "nur-expressions", + "rev": "8d8f9c2d34ba23bcb692baac247e2dc3d0e2c2ad", + "type": "gitlab" + }, + "original": { + "dir": "pkgs/firefox-addons", + "owner": "rycee", + "repo": "nur-expressions", + "type": "gitlab" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1688025799, + "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": 
"8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1629284811, + "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixvim", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": 
"github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1702203126, + "narHash": "sha256-4BhN2Vji19MzRC7SUfPZGmtZ2WZydQeUk/ogfRBIZMs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "defbb9c5857e157703e8fc7cf3c2ceb01cb95883", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nix-colors": { + "inputs": { + "base16-schemes": "base16-schemes", + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1695388192, + "narHash": "sha256-2jelpE7xK+4M7jZNyWL7QYOYegQLYBDQS5bvdo8XRUQ=", + "owner": "misterio77", + "repo": "nix-colors", + "rev": "37227f274b34a3b51649166deb94ce7fec2c6a4c", + "type": "github" + }, + "original": { + "owner": "misterio77", + "repo": "nix-colors", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1700419998, + "narHash": "sha256-aXh4adx9x9RlRMSykzR+bY8AOVjcwMEJO1ZeQROwbcE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "12a0ade5e458984675b9789a4b260ebabdd2d1ab", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "rev": "12a0ade5e458984675b9789a4b260ebabdd2d1ab", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1694911725, + "narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "819180647f428a3826bfc917a54449da1e532ce0", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1702233072, + "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": 
"nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_3": { + "locked": { + "lastModified": 1702148972, + "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_4": { + "locked": { + "lastModified": 1692492726, + "narHash": "sha256-rld5qm2B4oRkDwcPD+yOSyTrZQdfCR6mzJGGkecjvTs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5e63e8bbc46bc4fc22254da1edaf42fc7549c18a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1702151865, + "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1627814220, + "narHash": "sha256-P+MDgdZw2CBk9X1ZZaUgHgN+32pTfLFf3XVIBOXirI4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ab5b6828af26215bf2646c31961da5d3749591ef", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1702151865, + "narHash": 
"sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1702029940, + "narHash": "sha256-qM3Du0perpLesh5hr87mVPZ79McMUKIWUH7EQMh2kWo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e9ef8a102c555da4f8f417fe5cf5bd539d8a38b7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1692463654, + "narHash": "sha256-F8hZmsQINI+S6UROM4jyxAMbQLtzE44pI8Nk6NtMdao=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ca3c9ac9f4cdd4bea19f592b32bb59b74ab7d783", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1702303976, + "narHash": "sha256-xOsTE50vcY3WQ1SPzGq0RaFauUMYdOylqlRXv8LoDzg=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "7fbb9240de5f9c72f096dba0c8554f1eed053322", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 1702319163, + "narHash": "sha256-LBLXEzGE5MjYg+7aLj+uzGs5adBsiDMDbfid//yiiJM=", + "owner": "nix-community", + "repo": "nur", + "rev": "621aae944d776922f3ac9f74b478464a73353660", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nur", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_3", + "gitignore": "gitignore", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], 
+ "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1700922917, + "narHash": "sha256-ej2fch/T584b5K9sk1UhmZF7W6wEfDHuoUYpFN8dtvM=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "e5ee5c5f3844550c01d2131096c7271cec5e9b78", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "apple-silicon": "apple-silicon", + "darwin": "darwin", + "firefox-addons": "firefox-addons", + "home-manager": "home-manager", + "nix-colors": "nix-colors", + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-unstable": "nixpkgs-unstable", + "nixvim": "nixvim", + "nur": "nur", + "sops-nix": "sops-nix", + "sops-nix-darwin": "sops-nix-darwin" + } + }, + "rust-overlay": { + "flake": false, + "locked": { + "lastModified": 1686795910, + "narHash": "sha256-jDa40qRZ0GRQtP9EMZdf+uCbvzuLnJglTUI2JoHfWDc=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "5c2b97c0a9bc5217fc3dfb1555aae0fb756d99f9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_4", + "nixpkgs-stable": "nixpkgs-stable_3" + }, + "locked": { + "lastModified": 1702177193, + "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix-darwin": { + "inputs": { + "nixpkgs": "nixpkgs_5", + "nixpkgs-stable": "nixpkgs-stable_4" + }, + "locked": { + "lastModified": 1692658736, + "narHash": "sha256-kucyW+sryHf2buyAFFWQHQMsqkYYHSvvYqr/DvwQukY=", + "owner": "Kloenk", + "repo": "sops-nix", + "rev": "c0864759e5d3f5899195fd9debaeda48e08d47d8", + "type": "github" + }, + "original": { + "owner": "Kloenk", + "ref": "darwin", + "repo": "sops-nix", + 
"type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..94c99b6 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,143 @@ +{ + description = "Your new nix config"; + + inputs = { + # Nixpkgs (usually unstable) + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + # Home manager + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + # Darwin & Apple Silicon tools + darwin = { + url = "github:lnl7/nix-darwin"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + apple-silicon.url = "github:tpwrules/nixos-apple-silicon"; + + + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix-darwin.url = "github:Kloenk/sops-nix?ref=darwin"; + nix-colors.url = "github:misterio77/nix-colors"; + nixvim = { + url = "github:nix-community/nixvim"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; + nur.url = "github:nix-community/nur"; + firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; + }; + + outputs = { self, nixpkgs, home-manager, ... 
}@inputs: + let + inherit (self) outputs; + forAllSystems = nixpkgs.lib.genAttrs [ + "aarch64-linux" + "i686-linux" + "x86_64-linux" + "aarch64-darwin" + "x86_64-darwin" + ]; + + mkNixos = modules: nixpkgs.lib.nixosSystem { + inherit modules; + specialArgs = { inherit inputs outputs; }; + }; + + mkDarwin = system: modules: inputs.darwin.lib.darwinSystem { + inherit modules system inputs; + specialArgs = { inherit inputs outputs; }; + }; + + mkHome = modules: pkgs: home-manager.lib.homeManagerConfiguration { + inherit modules pkgs; + extraSpecialArgs = { inherit inputs outputs; }; + }; + in + rec { + # Your custom packages + # Acessible through 'nix build', 'nix shell', etc + packages = forAllSystems (system: + let pkgs = nixpkgs.legacyPackages.${system}; + in import ./pkgs { inherit pkgs; } + ); + + # Devshell for bootstrapping + # Acessible through 'nix develop' or 'nix-shell' (legacy) + devShells = forAllSystems (system: + let pkgs = nixpkgs.legacyPackages.${system}; + in import ./shell.nix { inherit pkgs; } + ); + + # Your custom packages and modifications, exported as overlays + overlays = import ./overlays { inherit inputs; }; + + # Reusable nixos modules you might want to export + # These are usually stuff you would upstream into nixpkgs + nixosModules = import ./modules/nixos; + + # Reusable home-manager modules you might want to export + # These are usually stuff you would upstream into home-manager + homeManagerModules = import ./modules/home-manager; + + # Reusable nix-darwin packages you might want to export + # These are usually hacks! 
+ darwinModules = import ./modules/darwin; + + # NixOS configuration entrypoint + # Available through 'nixos-rebuild --flake .#your-hostname' + nixosConfigurations = { + # T480 + thonkpad = mkNixos [ ./nixos/hosts/thonkpad ]; + + # Blueberry Lab + blueberry = mkNixos [ ./nixos/hosts/blueberry ]; + + # 2015 MBP + #echo = mkNixos [ ./nixos/hosts/echo ]; + + # 2013 MBP + #who = + + # Pi4B Xbox Hacking + #xxx = mkNixos [ + + # PlanetSide Stack + #watermelon = + + # Akkoma (sapphic.engineer) + #pineapple = + + # Web Services + #honeydew = + + # Workers + #tangerine = + + # Pi3B Audio Streamer + #audiofox = + + # Router + #nekomata = + + # just give me a machine THANKS + #lab = + }; + + darwinConfigurations = { + noe-air = mkDarwin "aarch64-darwin" [ ./darwin/hosts/noe-air ]; + AMERMACC02G65A8MD6T = mkDarwin "x86_64-darwin" [ ./darwin/hosts/work-mac ]; + }; + + # Standalone home-manager configuration entrypoint + # Available through 'home-manager --flake .#your-username@your-hostname' + homeConfigurations = { + # TODO: add generic standalone home-manager config + }; + }; +} + diff --git a/home-manager/features/direnv.nix b/home-manager/features/direnv.nix new file mode 100644 index 0000000..f6604cc --- /dev/null +++ b/home-manager/features/direnv.nix @@ -0,0 +1,13 @@ +{ pkgs, lib, ... }: { + programs.direnv = { + enable = true; + enableBashIntegration = true; + #enableFishIntegration = lib.mkDefault true; + #enableZshIntegration = lib.mkDefault true; + nix-direnv.enable = true; + }; + + programs.zsh.enable = true; + programs.fish.enable = true; + programs.bash.enable = true; +} diff --git a/home-manager/features/git.nix b/home-manager/features/git.nix new file mode 100644 index 0000000..4050618 --- /dev/null +++ b/home-manager/features/git.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: { + programs.git = { + enable = true; + userName = "noe"; + userEmail = "git@kat.cafe"; + }; +} 
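Review bot: flake.nix documents every other entry point but not the one non-obvious requirement: the `AMERMACC02G65A8MD6T` entry under `darwinConfigurations` only evaluates with `--impure`, because darwin/hosts/work-mac reads `$USER` at evaluation time, and a reader of this file alone cannot tell why the Justfile adds that flag. A comment above that line, `# requires --impure: darwin/hosts/work-mac reads $USER at evaluation time`, would capture it. The `description = "Your new nix config"` and the `Acessible` comments are leftovers from the starter template and could be replaced with a description of this repository. The `nixpkgs` and `nixpkgs-unstable` inputs both point at `nixos-unstable` and are locked to the same revision; if the duplicate exists so that nixvim can follow a separately updated copy, a short comment saying so would help, otherwise one input would do.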
diff --git a/home-manager/noe/common/default.nix b/home-manager/noe/common/default.nix new file mode 100644 index 0000000..1f97c9c --- /dev/null +++ b/home-manager/noe/common/default.nix @@ -0,0 +1,34 @@ +{ inputs, outputs, lib, ... }: +{ + imports = [ + inputs.sops-nix.homeManagerModules.sops + ../../features/direnv.nix + ../../features/git.nix + ] ++ (builtins.attrValues outputs.homeManagerModules); + + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.unstable-packages + inputs.nur.overlay + ]; + config = { + allowUnfree = true; + allowUnfreePredicate = (_: true); + }; + }; + + home = { + sessionVariables = { + EDITOR = "nvim"; + TERMINAL = lib.mkDefault "kitty"; + COLORTERM = lib.mkDefault "truecolor"; + BROWSER = lib.mkDefault "firefox"; + }; + }; + + programs.home-manager.enable = true; + + home.stateVersion = "24.05"; +} diff --git a/home-manager/noe/common/home-user.nix b/home-manager/noe/common/home-user.nix new file mode 100644 index 0000000..2b3a0a6 --- /dev/null +++ b/home-manager/noe/common/home-user.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: +let + inherit (pkgs.stdenv) isDarwin; +in +{ + home = { + username = "noe"; + homeDirectory = if isDarwin then "/Users/noe" else "/home/noe"; + }; +} \ No newline at end of file diff --git a/home-manager/noe/common/work-user.nix b/home-manager/noe/common/work-user.nix new file mode 100644 index 0000000..ec1a017 --- /dev/null +++ b/home-manager/noe/common/work-user.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: +let + inherit (pkgs.stdenv) isDarwin; + username = builtins.getEnv "USER"; +in +{ + home = { + inherit username; + homeDirectory = if isDarwin then "/Users/${username}" else "/home/${username}"; + }; +} \ No newline at end of file diff --git a/home-manager/noe/hosts/noe-air.nix b/home-manager/noe/hosts/noe-air.nix new file mode 100644 index 0000000..fec4317 --- /dev/null +++ b/home-manager/noe/hosts/noe-air.nix 
@@ -0,0 +1,6 @@ +{ ... }: { + imports = [ + ../common + ../common/home-user.nix + ]; +} diff --git a/home-manager/noe/hosts/thonkpad.nix b/home-manager/noe/hosts/thonkpad.nix new file mode 100644 index 0000000..fec4317 --- /dev/null +++ b/home-manager/noe/hosts/thonkpad.nix @@ -0,0 +1,6 @@ +{ ... }: { + imports = [ + ../common + ../common/home-user.nix + ]; +} diff --git a/home-manager/noe/hosts/work-mac.nix b/home-manager/noe/hosts/work-mac.nix new file mode 100644 index 0000000..fb63492 --- /dev/null +++ b/home-manager/noe/hosts/work-mac.nix @@ -0,0 +1,6 @@ +username: { + imports = [ + ../common + ../common/work-user.nix + ]; +} diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix new file mode 100644 index 0000000..0e0dcd2 --- /dev/null +++ b/modules/darwin/default.nix @@ -0,0 +1,3 @@ +{ + +} \ No newline at end of file diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix new file mode 100644 index 0000000..1797133 --- /dev/null +++ b/modules/home-manager/default.nix @@ -0,0 +1,3 @@ +{ + +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix new file mode 100644 index 0000000..e0b4887 --- /dev/null +++ b/modules/nixos/default.nix @@ -0,0 +1,3 @@ +{ + pod = import ./pod.nix; +} diff --git a/modules/nixos/pod.nix b/modules/nixos/pod.nix new file mode 100644 index 0000000..73cf484 --- /dev/null +++ b/modules/nixos/pod.nix 
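Review bot: home-manager/noe/hosts/work-mac.nix is written as `username: { imports = [ ... ]; }`, a function of one positional argument named `username`, but home-manager calls a module with its module-argument attribute set, so that parameter actually receives `{ config, pkgs, ... }` and the name misleads anyone who expects the username to be threaded through here (the username is in fact read from `$USER` in common/work-user.nix). The sibling files noe-air.nix and thonkpad.nix use `{ ... }: {`, and the same header, `{ ... }: {`, is what this file should use.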
@@ -0,0 +1,59 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.pods; + + podOpts = with lib; { + container = mkOption { + type = types.attrsOf (types.submodule ({ options = podContainerOpts; })); + }; + + exportPorts = mkOption { + type = types.listOf types.str; + }; + + routes = mkOption { + type = types.attrsOf (types.submodule ({ options = routeOpts; })); + }; + }; + + podContainerOpts = with lib; { + image = mkOption { + type = types.str; + }; + + ports = mkOption { + type = types.listOf types.str; + }; + + environment = mkOption { + type = types.attrsOf types.str; + }; + + secrets = mkOption { + type = types.attrsOf types.path; + }; + + volumes = mkOption { + type = types.attrsOf types.str; + }; + }; + + routeOpts = with lib; { + port = mkOption { + type = types.str; + }; + }; +in { + options.pods = with lib; { + enable = mkEnableOption "Enable pod support"; + + pods = mkOption { + type = types.attrsOf (types.submodule ({ options = podOpts; })); + }; + }; + + config = lib.mkIf cfg.enable { + + } +} diff --git a/nixos/base.nix b/nixos/base.nix new file mode 100644 index 0000000..78998ae --- /dev/null +++ b/nixos/base.nix 
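Review bot: The `config = lib.mkIf cfg.enable { }` block at the end of modules/nixos/pod.nix is empty, so setting `pods.enable = true` and declaring pods under `pods.pods` type-checks but has no effect on the system; a `# TODO: not implemented — options are declared but produce no containers or routes yet` comment at that spot would stop someone from relying on it. `mkEnableOption "Enable pod support"` renders as "Whether to enable Enable pod support."; `mkEnableOption "pod support"` is the convention. The `secrets` option is typed `types.attrsOf types.path` with no description; when the implementation eventually interpolates these values into a unit or derivation, a Nix path literal (a file in this repository) would be copied into the world-readable Nix store, so a `description` stating that values are paths on the target system (e.g. a sops-nix secret path), not repository paths — and possibly `types.str` — would prevent that mistake.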
@@ -0,0 +1,69 @@
+# Things every machine will have...
+
+{ inputs, outputs, lib, config, pkgs, ... }: {
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ ./users/noe.nix
+ ./features/sops.nix
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+
+ # Set ET
+ time.timeZone = lib.mkDefault "America/New_York";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ home-manager.extraSpecialArgs = { inherit inputs outputs; };
+
+ # A very fishy fish.
+ programs.fish = {
+ enable = true;
+ };
+
+ programs.git.enable = true;
+
+ users.defaultUserShell = pkgs.fish;
+
+ services.openssh.enable = lib.mkDefault true;
+
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ };
+
+ nixpkgs = {
+ overlays = [
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.unstable-packages
+ ];
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ nix = {
+ gc.automatic = true;
+ settings = {
+ experimental-features = "nix-command flakes";
+ #auto-optimize-store = true;
+ };
+ };
+
+# system.copySystemConfiguration = true;
+}
diff --git a/nixos/client.nix b/nixos/client.nix
new file mode 100644
index 0000000..cd5816c
--- /dev/null
+++ b/nixos/client.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+ imports = [
+ ./base.nix
+ ./features/fonts.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.kernelPackages = pkgs.linuxPackages_zen;
+
+ environment.systemPackages = with pkgs; [
+ firefox
+ curl
+ btop
+ htop
+ neofetch
+ ];
+}
diff --git a/nixos/features/fonts.nix b/nixos/features/fonts.nix
new file mode 100644
index 0000000..a334686
--- /dev/null
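Review bot: `services.openssh.enable = lib.mkDefault true` turns sshd on for every host, but the only hardening (`PasswordAuthentication = false`) lives in nixos/server.nix, so client hosts such as thonkpad run sshd with password logins allowed against the sops-provisioned account password. Since nixos/users/noe.nix already installs authorized keys on every host, move the setting here and also turn off keyboard-interactive, which the NixOS module leaves enabled by default as far as I recall: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. `nix.settings.experimental-features` is a string here and a list in orig.nix; both are accepted, but one form should be used consistently.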
+++ b/nixos/features/fonts.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }: {
+
+ fonts = {
+ packages = with pkgs; [
+ atkinson-hyperlegible
+ (nerdfonts.override { fonts = [ "FiraCode" ]; })
+ ];
+
+ fontDir.enable = true;
+
+ enableDefaultPackages = true;
+
+ fontconfig.defaultFonts = {
+ sansSerif = [ "Atkinson Hyperlegible" ];
+ serif = [ "Atkinson Hyperlegible" ];
+ monospace = [ "FiraCode Nerd Font" "Fira Code" ];
+ };
+ };
+
+}
diff --git a/nixos/features/podman.nix b/nixos/features/podman.nix
new file mode 100644
index 0000000..e476c11
--- /dev/null
+++ b/nixos/features/podman.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }: {
+
+ virtualisation = {
+ docker.enable = false;
+ podman = {
+ enable = true;
+ dockerSocket.enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+ defaultNetwork.settings.ipv6_enabled = true;
+ };
+ };
+
+ networking.firewall = {
+ # interfaces.podman0.allowedUDPPorts = [ 53 ];
+ trustedInterfaces = [ "podman0" ];
+ };
+
+}
diff --git a/nixos/features/sops.nix b/nixos/features/sops.nix
new file mode 100644
index 0000000..703d5a7
--- /dev/null
+++ b/nixos/features/sops.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops.defaultSopsFile = ../../secrets/default.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+# sops.secrets.default = {};
+}
diff --git a/nixos/features/sound.nix b/nixos/features/sound.nix
new file mode 100644
index 0000000..c7374d0
--- /dev/null
+++ b/nixos/features/sound.nix
@@ -0,0 +1,12 @@
+{ pkgs, config, ... }: {
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+}
diff --git a/nixos/features/systemd-boot.nix b/nixos/features/systemd-boot.nix
new file mode 100644
index 0000000..36ba2ed
--- /dev/null
+++ b/nixos/features/systemd-boot.nix
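Review bot: `trustedInterfaces = [ "podman0" ]` in podman.nix exempts the entire container bridge from the firewall, so every container on the default network can reach any service listening on the host, not just the resolver that the commented-out line was aiming at. If the only need is the aardvark-dns port for `dns_enabled`, the narrower form already sketched in the comment is preferable: `interfaces.podman0.allowedUDPPorts = [ 53 ];` plus `interfaces.podman0.allowedTCPPorts = [ 53 ];`, with `trustedInterfaces` removed. `dockerSocket.enable = true` additionally exposes the root podman API under the Docker socket path; a short comment naming which users are expected to hold that access would document the trust boundary.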
@@ -0,0 +1,4 @@
+{ pkgs, config, ... }: {
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+}
diff --git a/nixos/features/tailscale.nix b/nixos/features/tailscale.nix
new file mode 100644
index 0000000..b8ff8a2
--- /dev/null
+++ b/nixos/features/tailscale.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ services.tailscale = {
+ enable = true;
+ };
+}
diff --git a/nixos/features/wifi.nix b/nixos/features/wifi.nix
new file mode 100644
index 0000000..e13a297
--- /dev/null
+++ b/nixos/features/wifi.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }: {
+
+ networking.networkmanager = {
+ enable = true;
+ };
+
+ # TODO: WiFi password automation
+
+}
diff --git a/nixos/features/xfce.nix b/nixos/features/xfce.nix
new file mode 100644
index 0000000..b3c0878
--- /dev/null
+++ b/nixos/features/xfce.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }: {
+ imports = [
+ ./sound.nix
+ ];
+
+ services.xserver = {
+ enable = true;
+
+ displayManager = {
+ sddm.enable = true;
+ defaultSession = "xfce";
+ };
+
+ desktopManager = {
+ xterm.enable = false;
+ xfce.enable = true;
+ };
+
+ layout = "us";
+ xkbVariant = "";
+ };
+}
diff --git a/nixos/hosts/blueberry/default.nix b/nixos/hosts/blueberry/default.nix
new file mode 100644
index 0000000..1efbe01
--- /dev/null
+++ b/nixos/hosts/blueberry/default.nix
@@ -0,0 +1,55 @@
+{ config, ... }: {
+
+ imports = [
+ ./hardware-configuration.nix
+ ../../server.nix
+ ../../features/systemd-boot.nix
+ ../../features/podman.nix
+ ];
+
+ networking.hostName = "blueberry";
+ system.stateVersion = "23.05";
+ services.qemuGuest.enable = true;
+
+ sops.secrets."saerro/database/url" = {
+ sopsFile = ../../../secrets/blueberry/default.yaml;
+ };
+
+ sops.secrets."saerro/database/password" = {
+ sopsFile = ../../../secrets/blueberry/default.yaml;
+ };
+
+ sops.secrets."saerro/ws_addr" = {
+ sopsFile = ../../../secrets/blueberry/default.yaml;
+ };
+
+ pods.enable = true;
+ pods.pods.saerro = {
+ routes = let
+ route = { port = "8003"; };
+ in {
+ "saerro.ps2.live" = route;
+ "saerro-new.ps2.live" = route;
+ };
+
+ exportPorts = [
+ "0.0.0.0:8003:8003"
+ ];
+
+ containers = {
+ api = {
+ image = "ghcr.io/genudine/saerro/api:latest";
+ environment = {
+ PORT = "8003";
+ WEBSOCKET_HEALTHCHECK = "http://127.0.0.1:8004/healthz";
+ };
+ secrets = {
+ DATABASE_ADDR = config.sops.secrets."saerro/database/url".path;
+ };
+ ports = [
+ "8003:8003";
+ ];
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/blueberry/hardware-configuration.nix b/nixos/hosts/blueberry/hardware-configuration.nix
new file mode 100644
index 0000000..f153af8
--- /dev/null
+++ b/nixos/hosts/blueberry/hardware-configuration.nix
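Review bot: `ports = [ "8003:8003"; ];` is a parse error — Nix list elements take no separator — so this host does not evaluate; write `ports = [ "8003:8003" ];`. The three `sops.secrets` entries point at `secrets/blueberry/default.yaml`, which is not part of this commit, so evaluation would still fail on a missing file once the syntax is fixed (presumably that file is produced after running tools/onboard-machine.js; a comment saying so would help). `exportPorts = [ "0.0.0.0:8003:8003" ]` publishes the API on every interface, which is only as safe as the firewall rules around port 8003; if the routes are meant to be reached through a reverse proxy or Tailscale only, binding to `127.0.0.1` or the tailnet address is the tighter default. The `image = "...:latest"` tag also means the deployed version changes silently on each pull; pinning a tag or digest keeps rollbacks reproducible.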
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/cc75594b-3158-455a-9230-b634128713ae";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/1FFC-3FAC";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
+
diff --git a/nixos/hosts/thonkpad/default.nix b/nixos/hosts/thonkpad/default.nix
new file mode 100644
index 0000000..74a0480
--- /dev/null
+++ b/nixos/hosts/thonkpad/default.nix
@@ -0,0 +1,15 @@
+{ lib, config, pkgs, outputs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ../../client.nix
+
+ ../../features/wifi.nix
+ ../../features/xfce.nix
+ ../../features/tailscale.nix
+ ];
+
+ home-manager.users.noe = import ../../../home-manager/noe/hosts/thonkpad.nix;
+
+ networking.hostName = "thonkpad";
+ system.stateVersion = "24.05";
+}
diff --git a/nixos/hosts/thonkpad/hardware-configuration.nix b/nixos/hosts/thonkpad/hardware-configuration.nix
new file mode 100644
index 0000000..205b9c7
--- /dev/null
+++ b/nixos/hosts/thonkpad/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/8b2ea978-a219-4634-ad9e-80c31edc7787";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/9C1A-EB83";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/hosts/thonkpad/orig.nix b/nixos/hosts/thonkpad/orig.nix
new file mode 100644
index 0000000..fd3c15b
--- /dev/null
+++ b/nixos/hosts/thonkpad/orig.nix
@@ -0,0 +1,163 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../../client.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelPackages = pkgs.linuxPackages_zen;
+
+ networking.hostName = "thonkpad"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Configure network proxy if necessary
+
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ services.tailscale = {
+ enable = true;
+ };
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+
+
+ # Configure keymap in X11
+ services.xserver = {
+ enable = true;
+ displayManager = {
+ defaultSession = "xfce";
+ sddm.enable = true;
+ #sddm.wayland.enable = true;
+ };
+ desktopManager = {
+ xterm.enable = false;
+ xfce.enable = true;
+ };
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ #services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.noe = {
+ isNormalUser = true;
+ description = "noe";
+ extraGroups = [ "networkmanager" "wheel" ];
+ packages = with pkgs; [
+ firefox
+ ];
+ };
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ curl
+ kitty
+ git
+ zsh
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g.
man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ };
+
+ fonts = {
+ packages = with pkgs; [
+ atkinson-hyperlegible
+ (nerdfonts.override { fonts = [ "FiraCode" ]; })
+ ];
+ fontDir.enable = true;
+ enableDefaultPackages = true;
+ fontconfig.defaultFonts = {
+ sansSerif = [ "Atkinson Hyperlegible" ];
+ serif = [ "Atkinson Hyperlegible" ];
+ monospace = [ "FiraCode Nerd Font" "Fira Code" ];
+ };
+ };
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+}
diff --git a/nixos/server.nix b/nixos/server.nix
new file mode 100644
index 0000000..c5e23b4
--- /dev/null
+++ b/nixos/server.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: {
+
+ imports = [
+ ./base.nix
+
+ ./features/tailscale.nix
+ ];
+
+ services.openssh.settings.PasswordAuthentication = false;
+
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ rebootWindow = {
+ lower = "05:00";
+ upper = "07:00";
+ };
+ };
+
+}
diff --git a/nixos/users/noe.nix b/nixos/users/noe.nix
new file mode 100644
index 0000000..38349e8
--- /dev/null
+++ b/nixos/users/noe.nix
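Review bot: `system.autoUpgrade` in server.nix is enabled without `flake` (or `channel`), so as far as I recall the timer will run a plain channel-based `nixos-rebuild switch --upgrade` against `/etc/nixos/configuration.nix`, not against this flake; set `system.autoUpgrade.flake = "<flake-url-placeholder>";` (and `dates` for the schedule) so unattended upgrades actually track the repository. `allowReboot = true` restarts the machine inside the window whenever the kernel or initrd changes, which also takes down whatever containers blueberry ends up running, so a comment recording that this downtime is intended would help the next reader. With `PasswordAuthentication = false` here, the companion `KbdInteractiveAuthentication` setting is discussed in the note on nixos/base.nix.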
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }: {
+ users.users.noe = {
+ hashedPasswordFile = config.sops.secrets."users/noe/password".path;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrjnDY3hlN3cOCMBpcoh4GWdnG5nc9ZeOXJ7MtJVL3I''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBs6/s+973H28jOrvN0zr1eayT+thrs61l1qV7uFhw8I''
+ ];
+ };
+
+ environment.systemPackages = [ pkgs.nixos-rebuild ];
+ security.sudo.extraRules = [
+ {
+ users = [ "noe" ];
+ commands = [
+ { command = "${pkgs.nixos-rebuild}/bin/nixos-rebuild"; options = [ "NOPASSWD" "SETENV" ]; }
+ { command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" "SETENV" ]; }
+ { command = "${pkgs.systemd}/bin/systemctl"; options = [ "NOPASSWD" "SETENV" ]; }
+ { command = "/run/current-system/sw/bin/shutdown"; options = [ "NOPASSWD" "SETENV" ]; }
+ { command = "/run/current-system/sw/bin/reboot"; options = [ "NOPASSWD" "SETENV" ]; }
+ ];
+ }
+ ];
+
+ sops.secrets."users/noe/password".neededForUsers = true;
+}
diff --git a/nixpkgs.nix b/nixpkgs.nix
new file mode 100644
index 0000000..041de40
--- /dev/null
+++ b/nixpkgs.nix
@@ -0,0 +1,8 @@
+# A nixpkgs instance that is grabbed from the pinned nixpkgs commit in the lock file
+# This is useful to avoid using channels when using legacy nix commands
+let lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
+in
+import (fetchTarball {
+ url = "https://github.com/nixos/nixpkgs/archive/${lock.rev}.tar.gz";
+ sha256 = lock.narHash;
+})
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..4618130
--- /dev/null
+++ b/overlays/default.nix
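Review bot: The sudo rule in nixos/users/noe.nix grants `NOPASSWD` plus `SETENV` on an unrestricted `systemctl`, which for this account is equivalent to passwordless root, and `SETENV` additionally lets the caller replace the environment of every listed command. Narrow the entry to the verbs the deploy flow needs and drop `SETENV` where nothing has to pass through, for example `{ command = "${pkgs.systemd}/bin/systemctl restart *"; options = [ "NOPASSWD" ]; }`; `nixos-rebuild` necessarily stays root-equivalent, which is worth stating in a comment so the scope is a deliberate choice. A one-line comment per `openssh.authorizedKeys.keys` entry naming the device it belongs to would make later rotation of a single key safe.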
@@ -0,0 +1,33 @@
+# This file defines overlays
+{ inputs, ... }:
+{
+ # This one brings our custom packages from the 'pkgs' directory
+ additions = final: _prev: {
+ # nest everything under a namespace that's not likely to collide
+ # with anything in nixpkgs
+ local-pkgs = import ../pkgs { pkgs = final; };
+ };
+
+ # This one contains whatever you want to overlay
+ # You can change versions, add patches, set compilation flags, anything really.
+ # https://nixos.wiki/wiki/Overlays
+ modifications = final: prev: {
+ # example = prev.example.overrideAttrs (oldAttrs: rec {
+ # ...
+ # });
+ };
+
+ unstable-packages = final: _prev: {
+ # use 'pkgs.unstable'
+ unstable = import inputs.nixpkgs-unstable {
+ system = final.system;
+ config.allowUnfree = true;
+ };
+
+ # use 'pkgs.stable'
+ stable = import inputs.nixpkgs-stable {
+ system = final.system;
+ config.allowUnfree = true;
+ };
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
new file mode 100644
index 0000000..f6c4d0f
--- /dev/null
+++ b/pkgs/default.nix
@@ -0,0 +1,2 @@
+{ pkgs ? (import ../nixpkgs.nix) { } }: rec {
+}
diff --git a/secrets/default.yaml b/secrets/default.yaml
new file mode 100644
index 0000000..855596f
--- /dev/null
+++ b/secrets/default.yaml
@@ -0,0 +1,42 @@
+users:
+ noe:
+ password: ENC[AES256_GCM,data:+FlVNBkfm8ogTcWlbY9sR4uvWCbX+dBQ8jtXpsNwdvmTN3ibE6ZAx6XbNG1tbfMpCKYHzvgTLyJB6oHCx3gd+RXESB4fqvsxKLA=,iv:SIvnnQhTD5V1myug5OcLr0b4kaT9vg/3nKtpXyunhQM=,tag:HY43Ap9J5ByW4m7+XqcBZQ==,type:str]
+ ssh_key: ENC[AES256_GCM,data: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,iv:nTMAFWmCi/lcvVWVM3PWujmmnoKpDvr+Yv1Wp4kwdS8=,tag:OjwaupTDKzekQ0en21v8MA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRkJDOUZDaUVHTnNsNW9y
+ eE1DVXVXNUpEOGpsVnZQVkFTUFdvTjlUWUZnCndvVTlId3hGNnZzbXc2YW5MTFY3
+ TXZabTdoU3p0UVgybUZBdWFJbmUva2MKLS0tIGlNaGJWczlUVGgzYkUyb043WVRT
+ a3V2d2FjT0JCN0Q0RTZEcnpZZXdlaGsKO7LKi/0hup/vBootyE56eP08flFoILYo
+ Dp0RU5GaSlTRv5ZbLanML1ocrUJp2TBy8NcGqCywCMChN9PzeGVGGQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1f5cqspxexkl8f42v5ne47mx6xmm4v00lafdlslq9g79a508e4p9qrku72s
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRW9IZEJ5SUthM3FsSFZy
+ ZVc2TGk4SjhKanlkN2owMUN3L2ZST0FmQ0djCitIQ0RaOFhoSGdWZnp4cWZPR0pj
+ TjdidlBaOUFLYndONExzWTJvUVgydUkKLS0tIEw5eDJTMXVnc2VlcHRvdmR4Y0Vz
+ Y1ZpMGFXZVl3UE5yU1VlcjdsWEtETmcKo6RNsXqER4K+M9BpRiL+13Lj67iY6Kxk
+ 7xTcxNzzk5aXaVT8iUfKuh6fITr23CDfBVRgIw59AKINtQfCeofxdg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ts3t7q08cthuwj39juajve2jjk0rw28ljzesnrmnkwd0n7zs49kq7dgxnm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRUNtbnA5ZjBxNkpQdFVs
+ ejc0Z1huVkNNWVA3amczMzNqMVQ2NThwNDM4Cjc5a2lXckM5NWdva1BqbFFXdnhD
+ dTYxZlp1VEFaK1hGSVc5QmUrMzl6VTQKLS0tIHhQYUlYSkRSVTNxa3hWS0plWG50
+ WG92WDdZYXZjZEhGWFZpVmpTTTVUc00KLYBVIJj3hm75/qtApgUCDRHxT8m+qy3x
+ ymdV0aKTMmam9/POlDeKTvj+GNx/gZ0cWH8cmRCjSMstp3DgG0/Hzw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-10T04:05:10Z"
+ mac:
ENC[AES256_GCM,data:73XfD7acH2PkT3DCO33tOkrdpdur8g7NkkXJp9OvRvqwdregVos++TmabA6/akrrRFPJkWwI2/Y5WZQjWzIkFWsFnzj0cl0Dv0sT69YrhpsidiaNMUbyIt+D29T0s4AIvccCjh64HSXJjWRPzLawIypJSQkkTzbQkIDsC2n6T98=,iv:s9Fn3CSllkRXM4qD70kHdveCnoRzOh70YNXjMTxcBqM=,tag:SKm6CwT1517DH6ldWpgVpg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..7ee2f36
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,19 @@
+# Shell for bootstrapping flake-enabled nix and home-manager
+# You can enter it through 'nix develop' or (legacy) 'nix-shell'
+
+{ pkgs ? (import ./nixpkgs.nix) { } }: {
+ default = pkgs.mkShell {
+ # Enable experimental features without having to specify the argument
+ NIX_CONFIG = "experimental-features = nix-command flakes";
+ nativeBuildInputs = with pkgs; [
+ nix
+ home-manager
+ git
+ just
+ sops
+ age
+ ssh-to-age
+ bun
+ ];
+ };
+}
diff --git a/tools/onboard-machine.js b/tools/onboard-machine.js
new file mode 100644
index 0000000..bb59369
--- /dev/null
+++ b/tools/onboard-machine.js
@@ -0,0 +1,71 @@
+import { dirname, resolve, relative } from "path"
+import { parseDocument, stringify, } from "yaml"
+
+const [, script, name, host] = process.argv
+
+const sopsFilePath = resolve(dirname(script), "../.sops.yaml")
+const sopsFile = await Bun.file(sopsFilePath).text()
+const sopsConfig = parseDocument(sopsFile)
+
+//
+// STEP 1: Get the remote key, convert to age key
+//
+
+const remoteKeyProc = Bun.spawn(`ssh-keyscan -t ed25519 ${host}`.split(" "), {
+ stderr: null,
+})
+
+const sshToAgeProc = Bun.spawn(["ssh-to-age"], {
+ stdin: await new Response(remoteKeyProc.stdout).arrayBuffer()
+})
+
+const ageKey = (await new Response(sshToAgeProc.stdout).text()).trim()
+
+//
+// STEP 2: Add to keys
+//
+const keysNode = sopsConfig.get("keys")
+let keys = keysNode.items
+
+// remove keynode if it exists
+keys = keys.filter(i => i.anchor !== `m_${name}`)
+
+// create the new key node
+const newNode = sopsConfig.createNode(ageKey)
+newNode.anchor = `m_${name}`
+
+keys = [...keys, newNode]
+
+keysNode.items = keys
+sopsConfig.set("keys", keysNode)
+
+//
+// STEP 3: Add machine to creation_rules
+//
+const pathRegex = `secrets/${name}/[^/]+\\.(yaml|json|env|ini)$`
+const opsAnchors = keys.filter(i => i.anchor.startsWith("op_")).map(i => sopsConfig.createAlias(i))
+
+//console.log({opsAnchors})
+
+const creationRuleTemplate = ({
+ path_regex: pathRegex,
+ key_groups: [
+ {
+ age: [
+ ...opsAnchors,
+ sopsConfig.createAlias(newNode)
+ ]
+ }
+ ]
+})
+
+// Remove old creation_rules entry
+const creationRules = sopsConfig.get("creation_rules").items.filter(i => i.get("path_regex") !== pathRegex)
+
+const creationRulesNode = sopsConfig.createNode(creationRules)
+creationRulesNode.add(creationRuleTemplate)
+sopsConfig.set("creation_rules", creationRulesNode)
+
+await Bun.write(sopsFilePath, sopsConfig.toString())
+
+console.log(`Finished. Added ${name} with key ${ageKey} to ${relative(dirname(script), sopsFilePath)}.`)
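Review bot: `name` and `host` are never validated and `stderr: null` hides a failing `ssh-keyscan`, so a missing argument or unreachable host yields an empty `ageKey` that is then written into `.sops.yaml` as an anchored empty recipient plus a `creation_rules` entry; guard before STEP 2 with `if (!name || !host) throw new Error("usage: onboard-machine.js <name> <host>")` and `if (!ageKey.startsWith("age1")) throw new Error(`no age key derived for ${host}`)`. The recipient is whatever key answers `ssh-keyscan` at onboarding time, with no comparison against a fingerprint obtained out of band, so every secret later encrypted for this machine trusts that first contact; printing the ed25519 fingerprint and requiring confirmation before `Bun.write` keeps a human in that decision. `name` is interpolated unescaped into `pathRegex`, so a name containing regex metacharacters produces a rule that matches unintended paths, and `keys.filter(i => i.anchor.startsWith("op_"))` throws on any key item that has no anchor. `stringify` is imported but unused.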