From d1395f9e6768551967f85128ccab19d12dec4c6f Mon Sep 17 00:00:00 2001 From: Dylan Date: Tue, 16 Sep 2025 16:43:55 +1200 Subject: feat: added server configuration and setup sops-nix --- .sops.yaml | 9 ++ computers/nixy.nix | 266 +++++++++++++++++++++++++++++++++++++++ computers/server.nix | 169 +++++++++++++++++++++++++ configuration.nix | 293 ------------------------------------------- flake.nix | 17 ++- hardware-configuration.nix | 52 -------- hardware-setups/linode.nix | 40 ++++++ hardware-setups/tuf.nix | 52 ++++++++ home-manager/home.nix | 31 ++++- home-manager/i3/config | 3 +- home-manager/shells/bash.nix | 3 + modules/nix.nix | 29 +++++ modules/nvidia.nix | 27 ++++ my-pkgs/adom.nix | 2 +- secrets/test.yaml | 35 ++++++ server-rebuild.sh | 3 + 16 files changed, 677 insertions(+), 354 deletions(-) create mode 100644 .sops.yaml create mode 100644 computers/nixy.nix create mode 100644 computers/server.nix delete mode 100644 configuration.nix delete mode 100644 hardware-configuration.nix create mode 100644 hardware-setups/linode.nix create mode 100644 hardware-setups/tuf.nix create mode 100644 modules/nix.nix create mode 100644 modules/nvidia.nix create mode 100644 secrets/test.yaml create mode 100755 server-rebuild.sh diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..005f00d --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,9 @@ +keys: + - &nixy age1p3sw8q030a7zgawu4ccxm6sgsp88349nuxkd4kale0ruy9klypssdh7c9s + - &nixnode age1g7tzey3t2jmd79kaeukn89lgxg07tpq23w0u30lgq5z37xku0vwqcregzd +creation_rules: + - path_regex: secrets/[^/]+\.yaml$ + key_groups: + - age: + - *nixy + - *nixnode \ No newline at end of file diff --git a/computers/nixy.nix b/computers/nixy.nix new file mode 100644 index 0000000..e7b7fbe --- /dev/null +++ b/computers/nixy.nix @@ -0,0 +1,266 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, inputs, ... }: +{ + imports = + [ # Include the results of the hardware scan. + ../hardware-setups/tuf.nix + ../modules/nix.nix + ../modules/nvidia.nix + inputs.YATwm.nixosModules.default + #inputs.spicetify-nix.nixosModules.default + ]; + + # Use the systemd-boot EFI boot loader. + boot = { + loader.grub.enable = true; + loader.grub.device = "nodev"; + loader.grub.efiSupport = true; + loader.grub.enableCryptodisk = true; + # loader.grub.useOSProber = true; + loader.efi.canTouchEfiVariables = true; + kernel.sysctl."kernel.sysrq" = 502; + plymouth.enable = true; + }; + + + networking.hostName = "nixy"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + }; + networking.wireguard.enable = false; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.200.200.2/32" ]; + listenPort = 51820; + + privateKeyFile = "/home/boss/.wg/peer_A.key"; + + peers = [ + { + publicKey = "wQSg97FyVqWqkwMbmq1SLolf/MWlt9tIJuE5vKyDiRI="; + + allowedIPs = [ "0.0.0.0/0" ]; + + endpoint = "139.144.99.248:51820"; + + persistentKeepalive = 25; + } + ]; + }; + + # Set your time zone. + time.timeZone = "NZ"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + #keyMap = "us"; + #useXkbConfig = true; # use xkbOptions in tty. + }; + + # Enable the X11 windowing system. + services.xserver = { + enable = true; + + desktopManager = { + xterm.enable = false; + #default = "none"; + }; + + deviceSection = '' + Option "DRI" "2" + Option "TearFree" "true" + ''; + + windowManager.i3 = { + enable = true; + package = pkgs.i3-gaps; + }; + + windowManager.YATwm = { + enable = true; + package = inputs.YATwm.packages.x86_64-linux.YATwm; + }; + }; + programs.i3lock.enable = true; + programs.hyprland = { + enable = true; + #package = inputs.hyprland.packages.${pkgs.system}.hyprland; + #portalPackage = inputs.hyprland.packages.${pkgs.system}.xdg-desktop-portal-hyprland; + }; + services.displayManager = { + #defaultSession = "none+i3"; + sddm.enable = true; + #sddm.theme = "catppuccin-macchiato"; + # ly.enable = true; + }; + # services.xserver.displayManager = { + # lightdm.enable = true; + # }; + + # Configure keymap in X11 + services.xserver.xkb.layout = "us"; + services.xserver.xkb.options = "caps:super"; + + + security.pam.services.swaylock = {}; + + # Enable CUPS to print documents. + services.printing.enable = true; + services.printing.drivers = [ pkgs.hplip ]; + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + + # Enable sound. + #sound.enable = true; + services.pipewire = + { + enable = true; + alsa.enable = false; + alsa.support32Bit = false; + pulse.enable = true; + }; + + services.upower.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + security.rtkit.enable = true; + services.libinput = { + enable = true; + mouse = { + accelProfile = "flat"; + }; + }; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.boss = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" "input" "uinput" ]; + }; + + fonts.packages = with pkgs; [ + #(nerdfonts.override { fonts = [ "Cousine" ]; }) + nerd-fonts.cousine + ]; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; + [ + vim + firefox + pfetch + neofetch + pinentry-gtk2 + git + ]; + documentation.dev.enable = true; + + hardware.graphics.enable32Bit = true; + programs.steam = { + enable = true; + extraCompatPackages = with pkgs; [ + proton-ge-bin + ]; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + programs.gnupg = { + agent = { + enable = true; + pinentryPackage = pkgs.pinentry-gtk2; + }; + # enableSSHSupport = true; + }; + + hardware.bluetooth.enable = true; # enables support for Bluetooth + hardware.bluetooth.powerOnBoot = true; # powers up the default Bluetooth controller on boot + services.blueman.enable = true; + + systemd.tmpfiles.rules = [ + "f /var/lib/systemd/linger/boss" # enables lingering + ]; + + + services.ratbagd.enable = true; + + stylix = { + enable = true; + + base16Scheme = "${pkgs.base16-schemes}/share/themes/material-palenight.yaml"; + + image = ../wallpaper.png; + targets.grub.useImage = true; + + opacity = { + terminal = 0.8; + }; + + polarity = "dark"; + + fonts = { + monospace = { + package = pkgs.nerd-fonts.cousine; + name = "Cousine Nerd Font Mono"; + }; + + serif = { + package = pkgs.dejavu_fonts; + name = "DejaVu Serif"; + }; + + sansSerif = { + package = pkgs.dejavu_fonts; + name = "DejaVu Sans"; + }; + + emoji = { + package = pkgs.noto-fonts-emoji; + name = "Noto Color Emoji"; + }; + + sizes = { + terminal = 10; + applications = 10; + desktop = 10; + popups = 10; + }; + }; + + cursor = { + package = pkgs.nordzy-cursor-theme; + name = "Nordzy-cursors"; + size = 20; + }; + }; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.05"; # Did you read the comment? + +} diff --git a/computers/server.nix b/computers/server.nix new file mode 100644 index 0000000..4e66375 --- /dev/null +++ b/computers/server.nix @@ -0,0 +1,169 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ config, lib, pkgs, inputs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ../hardware-setups/linode.nix + ../modules/nix.nix + inputs.STK.nixosModules.default + inputs.sops.nixosModules.sops + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. + # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + # networking.hostName = "nixos"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Set your time zone. + # time.timeZone = "Europe/Amsterdam"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + security.sudo.wheelNeedsPassword = false; + + sops.defaultSopsFile = ../secrets/test.yaml; + sops.defaultSopsFormat = "yaml"; + + sops.age.keyFile = "/home/boss/.config/sops/age/keys.txt"; + + sops.secrets = { + test-value = {}; + }; + + services.httpd = { + enable = false; + virtualHosts."172.105.172.191" = { + documentRoot = "/srv/httpd"; + }; + }; + + + # Configure keymap in X11 + # services.xserver.xkb.layout = "us"; + # services.xserver.xkb.options = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # services.pulseaudio.enable = true; + # OR + # services.pipewire = { + # enable = true; + # pulse.enable = true; + # }; + + # Enable touchpad support (enabled default in most desktopManager). + # services.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.boss = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" ]; # Enable ‘sudo’ for the user. + home = "/home/boss"; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOukEKExoF6vr3vciQN8pBdd4FtZtRzqIGFJrUvllOY boss@nixy" ]; + }; + + # programs.firefox.enable = true; + + # List packages installed in system profile. + # You can use https://search.nixos.org/ to find more packages (and options). + environment.systemPackages = with pkgs; [ + vim + emacs + inetutils + mtr + sysstat + git + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + settings.PasswordAuthentication = false; + }; + + services.superTuxKarts = { + enable = true; + port = 2757; + serverOptions = { + server-name = "LUG STK server"; + server-mode = 0; + server-difficulty = 3; + private-server-password = "lug@uoa"; + motd = "Server for LUG@UoA\nChampionship coming soon!"; + }; + }; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + networking.usePredictableInterfaceNames = false; + networking.useDHCP = false; + networking.interfaces.eth0.useDHCP = true; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? + +} diff --git a/configuration.nix b/configuration.nix deleted file mode 100644 index aa843dd..0000000 --- a/configuration.nix +++ /dev/null @@ -1,293 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, inputs, ... }: - -let - nvidia-offload = pkgs.writeShellScriptBin "prime-run" '' -export __NV_PRIME_RENDER_OFFLOAD=1 -export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0 -export __GLX_VENDOR_LIBRARY_NAME=nvidia -export __VK_LAYER_NV_optimus=NVIDIA_only -exec "$@" -''; -in -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - inputs.YATwm.nixosModules.default - #inputs.spicetify-nix.nixosModules.default - ]; - - - nix.nixPath = [ "/etc/nix/path" ]; - nix.registry.nixpkgs.flake = inputs.nixpkgs; - environment.etc."nix/path/nixpkgs".source = inputs.nixpkgs; - - # Use the systemd-boot EFI boot loader. - boot = { - loader.grub.enable = true; - loader.grub.device = "nodev"; - loader.grub.efiSupport = true; - loader.grub.enableCryptodisk = true; - # loader.grub.useOSProber = true; - loader.efi.canTouchEfiVariables = true; - kernel.sysctl."kernel.sysrq" = 502; - plymouth.enable = true; - }; - - - networking.hostName = "nixy"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Set your time zone. - time.timeZone = "NZ"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - #keyMap = "us"; - #useXkbConfig = true; # use xkbOptions in tty. - }; - - nixpkgs.config.allowUnfree = true; - hardware.graphics.enable = true; - hardware.nvidia.modesetting.enable = true; - hardware.nvidia.open = true; - hardware.nvidia.prime = { - offload.enable = true; - - nvidiaBusId = "PCI:1:0:0"; - intelBusId = "PCI:5:0:0"; - }; - hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable; - - # Enable the X11 windowing system. - services.xserver = { - enable = true; - videoDrivers = [ "nvidia" ]; - - desktopManager = { - xterm.enable = false; - #default = "none"; - }; - - deviceSection = '' - Option "DRI" "2" - Option "TearFree" "true" - ''; - - windowManager.i3 = { - enable = true; - package = pkgs.i3-gaps; - }; - - windowManager.YATwm = { - enable = true; - package = inputs.YATwm.packages.x86_64-linux.YATwm; - }; - }; - programs.i3lock.enable = true; - programs.hyprland = { - enable = true; - #package = inputs.hyprland.packages.${pkgs.system}.hyprland; - #portalPackage = inputs.hyprland.packages.${pkgs.system}.xdg-desktop-portal-hyprland; - }; - services.displayManager = { - #defaultSession = "none+i3"; - sddm.enable = true; - #sddm.theme = "catppuccin-macchiato"; - # ly.enable = true; - }; - # services.xserver.displayManager = { - # lightdm.enable = true; - # }; - - # Configure keymap in X11 - services.xserver.xkb.layout = "us"; - services.xserver.xkb.options = "caps:super"; - - - security.pam.services.swaylock = {}; - - # Enable CUPS to print documents. - services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; - services.avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - - # Enable sound. - #sound.enable = true; - services.pipewire = - { - enable = true; - alsa.enable = false; - alsa.support32Bit = false; - pulse.enable = true; - }; - - services.upower.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - security.rtkit.enable = true; - services.libinput = { - enable = true; - mouse = { - accelProfile = "flat"; - }; - }; - - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.boss = { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" "input" "uinput" ]; - }; - - fonts.packages = with pkgs; [ - #(nerdfonts.override { fonts = [ "Cousine" ]; }) - nerd-fonts.cousine - ]; - - # List packages installed in system profile. To search, run: - # $ nix search wget - nix = { - settings = { - experimental-features = [ "nix-command" "flakes" ]; - auto-optimise-store = true; - - trusted-users = [ "boss" ]; - - substituters = [ - "https://cache.nixos.org" - ]; - - # trusted-public-keys = [ - # "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - # ]; - }; - gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than +5"; - }; - optimise.automatic = true; - }; - environment.systemPackages = with pkgs; - [ - nvidia-offload - vim - firefox - pfetch - neofetch - pinentry-gtk2 - git - ]; - documentation.dev.enable = true; - - hardware.graphics.enable32Bit = true; - - programs.steam = { - enable = true; - extraCompatPackages = with pkgs; [ - proton-ge-bin - ]; - }; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - programs.gnupg = { - agent = { - enable = true; - pinentryPackage = pkgs.pinentry-gtk2; - }; - # enableSSHSupport = true; - }; - - hardware.bluetooth.enable = true; # enables support for Bluetooth - hardware.bluetooth.powerOnBoot = true; # powers up the default Bluetooth controller on boot - services.blueman.enable = true; - - systemd.tmpfiles.rules = [ - "f /var/lib/systemd/linger/boss" # enables lingering - ]; - - - services.ratbagd.enable = true; - - stylix = { - enable = true; - - base16Scheme = "${pkgs.base16-schemes}/share/themes/material-palenight.yaml"; - - image = ./wallpaper.png; - targets.grub.useImage = true; - - opacity = { - terminal = 0.8; - }; - - polarity = "dark"; - - fonts = { - monospace = { - package = pkgs.nerd-fonts.cousine; - name = "Cousine Nerd Font Mono"; - }; - - serif = { - package = pkgs.dejavu_fonts; - name = "DejaVu Serif"; - }; - - sansSerif = { - package = pkgs.dejavu_fonts; - name = "DejaVu Sans"; - }; - - emoji = { - package = pkgs.noto-fonts-emoji; - name = "Noto Color Emoji"; - }; - - sizes = { - terminal = 10; - applications = 10; - desktop = 10; - popups = 10; - }; - }; - - cursor = { - package = pkgs.nordzy-cursor-theme; - name = "Nordzy-cursors"; - size = 20; - }; - }; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? - -} diff --git a/flake.nix b/flake.nix index 3ec4440..58b6397 100644 --- a/flake.nix +++ b/flake.nix @@ -21,6 +21,10 @@ url = "git+file:///home/boss/Documents/Coding/WM/YATwm"; inputs.nixpkgs.follows = "nixpkgs"; }; + STK = { + url = "git+file:///home/boss/stk"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # hyprland = { # url = "github:hyprwm/Hyprland"; # inputs.nixpkgs.follows = "nixpkgs"; @@ -45,6 +49,10 @@ url = "github:kaylorben/nixcord"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs@{ nixpkgs, ... }: { @@ -55,7 +63,7 @@ modules = [ (import ./my-pkgs) - ./configuration.nix + ./computers/nixy.nix inputs.home-manager.nixosModules.home-manager { @@ -69,6 +77,13 @@ inputs.stylix.nixosModules.stylix ]; }; + nixos = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = [ + ./computers/server.nix + ]; + }; }; }; } diff --git a/hardware-configuration.nix b/hardware-configuration.nix deleted file mode 100644 index a400a7d..0000000 --- a/hardware-configuration.nix +++ /dev/null @@ -1,52 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" "cryptd"]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - boot.initrd.luks.devices.cryptroot = { - device = "/dev/disk/by-uuid/18e2ffad-9ffb-4c3a-a82f-dd8098171427"; - preLVM = true; - }; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/db909240-4006-4ca8-a03a-3e3fc60cba17"; - fsType = "ext4"; - }; - - fileSystems."/home" = - { device = "/dev/disk/by-uuid/9ef8fad1-08cb-4c7a-9db1-3a37097544b0"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/6FC0-9F1C"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/e1e972c8-3bb9-4131-a77f-fdea9f086a4d"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp5s0f3u1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - hardware.enableAllFirmware = true; -} diff --git a/hardware-setups/linode.nix b/hardware-setups/linode.nix new file mode 100644 index 0000000..d952ae5 --- /dev/null +++ b/hardware-setups/linode.nix @@ -0,0 +1,40 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + boot.kernelParams = [ "console=ttyS0,19200n8" ]; + boot.loader.grub.extraConfig = '' + serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; + terminal_input serial; + terminal_output serial + ''; + boot.loader.grub.forceInstall = true; + boot.loader.grub.device = "nodev"; + boot.loader.timeout = 10; + + fileSystems."/" = + { device = "/dev/sda"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/sdb"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hardware-setups/tuf.nix b/hardware-setups/tuf.nix new file mode 100644 index 0000000..a400a7d --- /dev/null +++ b/hardware-setups/tuf.nix @@ -0,0 +1,52 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" "cryptd"]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + boot.initrd.luks.devices.cryptroot = { + device = "/dev/disk/by-uuid/18e2ffad-9ffb-4c3a-a82f-dd8098171427"; + preLVM = true; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/db909240-4006-4ca8-a03a-3e3fc60cba17"; + fsType = "ext4"; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/9ef8fad1-08cb-4c7a-9db1-3a37097544b0"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/6FC0-9F1C"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/e1e972c8-3bb9-4131-a77f-fdea9f086a4d"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0f3u1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.enableAllFirmware = true; +} diff --git a/home-manager/home.nix b/home-manager/home.nix index fe27af0..9f468a6 100644 --- a/home-manager/home.nix +++ b/home-manager/home.nix @@ -24,7 +24,7 @@ home.packages = with pkgs; [ feh pass - #spotify + spotify playerctl libqalculate libreoffice @@ -40,7 +40,6 @@ mumble gimp bottom - obs-studio xfce.thunar mpv man-pages @@ -64,12 +63,16 @@ wireguard-tools brightnessctl inputs.nil.packages.${system}.default - inputs.polymc.packages.${system}.default + #inputs.polymc.packages.${system}.default jre8 - inputs.zen-browser.packages."${system}".default + #inputs.zen-browser.packages."${system}".default piper qbittorrent - adom + sbcl + superTuxKart + typst + sops + #adom ]; nix = { @@ -103,6 +106,22 @@ }; }; }; + + programs.obs-studio = { + enable = true; + + # optional Nvidia hardware acceleration + package = ( + pkgs.obs-studio.override { + cudaSupport = true; + } + ); + + plugins = with pkgs.obs-studio-plugins; [ + obs-pipewire-audio-capture + input-overlay + ]; + }; programs.firefox.enable = true; @@ -121,7 +140,7 @@ spicePkgs = inputs.spicetify-nix.legacyPackages.${pkgs.system}; in { - enable = true; + enable = false; enabledExtensions = with spicePkgs.extensions; [ fullAppDisplay powerBar diff --git a/home-manager/i3/config b/home-manager/i3/config index acfd0d0..59116ba 100644 --- a/home-manager/i3/config +++ b/home-manager/i3/config @@ -94,6 +94,7 @@ bindsym $mod+x exec --no-startup-id "loginctl lock-session" bindsym $mod+Shift+x exec --no-startup-id "loginctl lock-session; systemctl suspend" # bindsym $mod+Shift+c exec --no-startup-id "~/.i3_commands/open-qb.sh" bindsym $mod+c exec --no-startup-id "firefox" +bindsym $mod+Shift+c exec --no-startup-id "nyxt" bindsym $mod+Shift+minus exec --no-startup-id "emacsclient -c" bindsym XF86MonBrightnessUp exec --no-startup-id brightnessctl s +5 @@ -120,7 +121,7 @@ floating_modifier $mod bindsym $mod+Return exec --no-startup-id kitty # Start emacs with vterm -bindsym $mod+Shift+Return exec --no-startup-id "emacsclient -c --eval '(start-terminal)'" +bindsym $mod+Shift+Return exec --no-startup-id "emacsclient -c --eval '(multi-vterm)'" # kill focused window bindsym $mod+Shift+q kill diff --git a/home-manager/shells/bash.nix b/home-manager/shells/bash.nix index a902af3..cd5f51d 100644 --- a/home-manager/shells/bash.nix +++ b/home-manager/shells/bash.nix @@ -60,8 +60,11 @@ __prompt_command() { ls = "lsd"; la = "lsd -a"; ll = "lsd -al"; + tree = "lsd --tree"; pathfindsaver = "while sleep 1; do pathfind -f; done"; qalc = "qalc -s 'varunits 0' -s 'angle 2'"; + + flake-rebuild = "nixos-rebuild switch --flake ~/nixos-configuration"; }; }; diff --git a/modules/nix.nix b/modules/nix.nix new file mode 100644 index 0000000..2c4ef83 --- /dev/null +++ b/modules/nix.nix @@ -0,0 +1,29 @@ +{ inputs, ... }: +{ + nix.nixPath = [ "/etc/nix/path" ]; + nix.registry.nixpkgs.flake = inputs.nixpkgs; + environment.etc."nix/path/nixpkgs".source = inputs.nixpkgs; + + nix = { + settings = { + experimental-features = [ "nix-command" "flakes" ]; + auto-optimise-store = true; + + trusted-users = [ "boss" ]; + + substituters = [ + "https://cache.nixos.org" + ]; + + # trusted-public-keys = [ + # "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + # ]; + }; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than +7"; + }; + optimise.automatic = true; + }; +} diff --git a/modules/nvidia.nix b/modules/nvidia.nix new file mode 100644 index 0000000..ba71df9 --- /dev/null +++ b/modules/nvidia.nix @@ -0,0 +1,27 @@ +{ config, pkgs, inputs, ... }: +let + nvidia-offload = pkgs.writeShellScriptBin "prime-run" '' +export __NV_PRIME_RENDER_OFFLOAD=1 +export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0 +export __GLX_VENDOR_LIBRARY_NAME=nvidia +export __VK_LAYER_NV_optimus=NVIDIA_only +exec "$@" +''; +in +{ + nixpkgs.config.allowUnfree = true; + hardware.graphics.enable = true; + hardware.nvidia.modesetting.enable = true; + hardware.nvidia.open = true; + hardware.nvidia.prime = { + offload.enable = true; + + nvidiaBusId = "PCI:1:0:0"; + intelBusId = "PCI:5:0:0"; + }; + hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.stable; + + services.xserver.videoDrivers = [ "nvidia" ]; + + environment.systemPackages = [ nvidia-offload ]; +} diff --git a/my-pkgs/adom.nix b/my-pkgs/adom.nix index 25d2dae..e91842a 100644 --- a/my-pkgs/adom.nix +++ b/my-pkgs/adom.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { sourceRoot = "adom"; installPhase = let desktopEntry = makeDesktopItem { name = "adom"; - desktopName = "Adom"; + desktopName = "ADOM"; exec = "OUT_DIR/bin/adom"; #path = "OUT_DIR/share"; }; in '' diff --git a/secrets/test.yaml b/secrets/test.yaml new file mode 100644 index 0000000..642eefb --- /dev/null +++ b/secrets/test.yaml @@ -0,0 +1,35 @@ +hello: ENC[AES256_GCM,data:+/HfdCFoRsNydVWi5fGbtPShVi/XKnyx5LZiFkp7D6WGPkG4yEVpOiXsC2wAHQ==,iv:Y/vcsF+qFMvDfNA1vTymu3ToMVIYHP2OW22WKU6GOWM=,tag:0slxbzpbGac3uL0kqR5+lQ==,type:str] +example_key: ENC[AES256_GCM,data:EbXQZk7OkrK+83omfg==,iv:+Nn42ROgLy3LE0oEbx8QbuT7Hlujzu7Iz9Stu1pO+o4=,tag:Xek6+n2ZCs1uwVItvFdguQ==,type:str] +#ENC[AES256_GCM,data:T4zHJT8qQUWXnXbxULy97A==,iv:UOC0JThZIE5QaNBpuEd3AsZ8C/ztXN04aa42HuWA5MM=,tag:cWP9iincPkR/EaMrzH/IxQ==,type:comment] +example_array: + - ENC[AES256_GCM,data:bwA20gQpwNoLdN9q2eg=,iv:pkaMt+6AEKfZNRwIfaoRnrk6lqyYHVp9jq9nXgKnDdM=,tag:N4RLJ06fpvCJBZoowBMQQA==,type:str] + - ENC[AES256_GCM,data:a8etS77qQhrrpZuJzzQ=,iv:vHWFkqzJAdgRDCwrzDzNjU/UtM71QgFcsz9gVXoMP0k=,tag:tZZB3ieUXFP/WWegyXTQ1w==,type:str] +example_number: ENC[AES256_GCM,data:UE2bIlOI3WTZVg==,iv:j18MAwIC4Zf26HscNOoEbbc5IjhrsDx+hj7Re36JOrU=,tag:5s/918XsYuQJzqtP63/bvQ==,type:float] +example_booleans: + - ENC[AES256_GCM,data:oYjGew==,iv:3n5b4dxrYB5Oa5MTkUHQIDX+fFCI31c8RFFeWKcD+rE=,tag:VvfWpx7obTnR2bqlHNLKsg==,type:bool] + - ENC[AES256_GCM,data:CDBenE0=,iv:G5p3Q2Y7kcI27Oey3NUAd8hX7vomrZN+bJrr/IezuaQ=,tag:bQJEziJF/NrOerpdSQ3XcA==,type:bool] +test-value: ENC[AES256_GCM,data:hd+HuQ==,iv:OUo3H+2dcDYq2RNPVGRIOPW0oMSwCCEroFr/CR5oIao=,tag:HWW0+kIcujMyLrsy7K4l8Q==,type:str] +sops: + age: + - recipient: age1p3sw8q030a7zgawu4ccxm6sgsp88349nuxkd4kale0ruy9klypssdh7c9s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOGlrYjdvWSttMlRadThB + S0JvZXo5SStVMEtpMnl5SVo1cllHNlNqZWhJCi81eVk3Z1dINTJ1aWxkNHEzUzVX + aVVoOVQ1bVd6eEdqL2RKcXZ5MlJPdjQKLS0tIHkwZEZhRFBwS0pMNmVCdEZNcDhI + Skk1YlZpQUppN1FsbXVoc3BVUTFiSVEKyuw+u2ZkGb+4n0oLdn7IPwE8kXZmByEk + 1JPZOWtOeoHMDOlkKNw98JEW9TQAdlnO0riKHFNHpQ80mhzjeE7YXw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g7tzey3t2jmd79kaeukn89lgxg07tpq23w0u30lgq5z37xku0vwqcregzd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVE1MdUR2SkE1VHlkSDNW + VE5Nb1VVdkE3WTRBK29PeHN6UGJsWnFKVHpzCm1XVHZFM2V1WHJJNnRGRTBVbFFk + ZERCWmJYR0sreEpvelIzaHZqYktKbkkKLS0tIEpEN29jeVNBZXdzYUh3M1VwQkdK + ZFlBZllvWFhGdEtIVlNqZ3dnM0hkWTAKIniBn7mPe+rLJE5Pce6bIW2AjeDdVkPh + tMybfEWdIwkYdqJ3yTcW/WlxX5Vel702V8wD7vUr44BCPbCAPQyvgQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-16T04:34:31Z" + mac: ENC[AES256_GCM,data:qHK/wyZSzufZlBmhY7pGMfi8C1wyhBB0o3oVm22ouhDxIdC26Cbhy1mMgw+Uu3ej4eiyh/CihqMd6BAx/apgdmFZoc579/M0O/FoKoCQPr7KjaPD/z23Xclb9G82ep5U5tRcg9lKnRVugKhTZD2eK7Z4/vU25M8k8B53zkmKnz8=,iv:qZDsnbrY7purFEmfPtD8Bee6dA3FtO+hqfoYDBa3LFs=,tag:LXORKqvIayN7hAHVf8BYhg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/server-rebuild.sh b/server-rebuild.sh new file mode 100755 index 0000000..8bda048 --- /dev/null +++ b/server-rebuild.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +nixos-rebuild switch --use-remote-sudo --target-host 172.105.172.191 --flake ".#nixos" -j $(nproc) -- cgit v1.2.3