commit 8fbb25bbaca13f5c34beb51bd6883db59b38f5a4
Author: Lauren Lagarde
Date: Mon Mar 3 23:07:58 2025 -0600
Initial release
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..574e7eb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+*.swp
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..57fa4f7
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "users/lauren_lagarde/home-manager"]
+ path = users/lauren_lagarde/home-manager
+ url = https://git.mlaga97.space/mlaga97/home-manager.git
diff --git a/apply.sh b/apply.sh
new file mode 100644
index 0000000..c0a2584
--- /dev/null
+++ b/apply.sh
@@ -0,0 +1 @@
+nix build -L .?submodules=1#$HOSTNAME
diff --git a/build_iso.sh b/build_iso.sh
new file mode 100644
index 0000000..0db6f35
--- /dev/null
+++ b/build_iso.sh
@@ -0,0 +1 @@
+nix build -L .?submodules=1#packages.x86_64-linux.$1
diff --git a/clear_secrets.sh b/clear_secrets.sh
new file mode 100644
index 0000000..19d878b
--- /dev/null
+++ b/clear_secrets.sh
@@ -0,0 +1 @@
+rm -rf ./secrets
diff --git a/example_flake.nix b/example_flake.nix
new file mode 100644
index 0000000..c67b8a8
--- /dev/null
+++ b/example_flake.nix
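Review bot: `.gitignore` lists only `result` and `*.swp`, yet `pop_secrets.sh` later in this commit decrypts `secrets.tar.zst.gpg` into a plaintext `secrets/` tree inside the working copy and `clear_secrets.sh` exists to delete it by hand, so the decrypted directory is one `git add .` away from entering history. Add a `secrets/` line here so only the encrypted archive can ever be tracked. A short comment above it, `# decrypted by pop_secrets.sh; never commit`, records why the entry exists.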
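Review bot: `apply.sh` and `build_iso.sh` carry no interpreter line and expand `$HOSTNAME` and `$1` unquoted inside the flake reference, so an unset or empty value silently builds `.?submodules=1#` or `.?submodules=1#packages.x86_64-linux.` instead of stopping with a message. Quote the expansion and fail early, e.g. `#!/usr/bin/env bash`, `set -euo pipefail`, `nix build -L ".?submodules=1#packages.x86_64-linux.${1:?image name required}"`. `clear_secrets.sh` runs `rm -rf ./secrets` relative to whatever directory the caller happens to be in; resolving the path against `"$(dirname "$0")"` keeps it from removing an unrelated `secrets` directory.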
@@ -0,0 +1,78 @@ +{ + description = "Lauren's Example Stub Flake"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-generators.url = "github:nix-community/nixos-generators"; + nixos-generators.inputs.nixpkgs.follows = "nixpkgs"; + + # Extras + waveforms.url = "github:liff/waveforms-flake"; + }; + + outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, nixos-generators, waveforms, ... }@inputs: let + system = "x86_64-linux"; + timezone = "America/Chicago"; + locale = "en_US.UTF-8"; + + unstable = nixpkgs-unstable.legacyPackages.${system}; + + iso_modules = [ + "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix" + { isoImage.squashfsCompression = "zstd"; } + ]; + + # Look into: https://git.sr.ht/~magic_rb/dotfiles/tree/master/item/nixos/systems/gooseberry + pi_modules = [{ + # Disabling the whole `profiles/base.nix` module, which is responsible + # for adding ZFS and a bunch of other unnecessary programs: + disabledModules = [ + "profiles/base.nix" + ]; + }]; + + # TODO: Surely a better way, no? 
+ inherited_modules = [ + { time.timeZone = timezone; } + home-manager.nixosModules.home-manager + waveforms.nixosModule + ]; + in { + nixosConfigurations = { + ll-nixos-headless = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = iso_modules ++ [ + ./nixos/systems/ll-nixos-headless.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + }; + + packages.aarch64-linux = { + ll-nixos-headless-pi-sdcard = nixos-generators.nixosGenerate { + system = "aarch64-linux"; + format = "sd-aarch64"; + modules = pi_modules ++ [ + ./nixos/systems/ll-nixos-headless.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + }; + + packages.x86_64-linux = { + ll-nixos-headless-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = iso_modules ++ [ + ./nixos/systems/ll-nixos-headless.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + }; + }; +} diff --git a/features/base.nix b/features/base.nix new file mode 100644 index 0000000..9e12290 --- /dev/null +++ b/features/base.nix 
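Review bot: `system` and `locale` are bound in the `let` block, but every `nixosSystem`/`nixosGenerate` call restates `system = "x86_64-linux"` (or `"aarch64-linux"`) as a literal and nothing reads `locale`, so the stub shows two sources of truth for the same value. Either derive the `x86_64-linux` entries from the binding or drop the unused bindings, and replace the `# TODO: Surely a better way, no?` above `inherited_modules` with a sentence saying these are the modules every host gets. `nixos-generators.url` follows the branch head while `nixpkgs` is pinned to `nixos-24.05`, so a `nix flake update` can move the generator ahead of the nixpkgs it is asked to build with; pinning it to a revision, as `flake.nix` in this commit does, keeps the example reproducible.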
@@ -0,0 +1,45 @@ +{ pkgs, ... }: { + users.mutableUsers = false; + nixpkgs.config.allowUnfree = true; + + services.smartd.enable = true; + + boot.supportedFilesystems = [ "zfs" "ntfs" ]; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + nix.channel.enable = false; + + # TODO: ???? + networking.wireless.enable = false; + + # Basic Services + services.uptimed.enable = true; + + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "no"; + + # Basic Utilities + environment.systemPackages = with pkgs; [ + # Basic Utilities + bc pv killall unzip unrar-wrapper unar + + # System Monitoring / TUI QoL Tools + btop iotop tmux byobu + + # Security / Cryptography + ssss gnupg pwgen qrencode diceware + + # Applications + vim_configurable + + # asdf + git ffmpeg restic rclone nixos-generators + # samba libvirt tinc_pre + + # File Systems + nfs-utils cifs-utils exfatprogs + ]; +} diff --git a/features/br0.nix b/features/br0.nix new file mode 100644 index 0000000..421683d --- /dev/null +++ b/features/br0.nix @@ -0,0 +1,23 @@ +{ ... }: { + networking.useNetworkd = true; + systemd.network = { + enable = true; + netdevs."20-br0".netdevConfig = { + Kind = "bridge"; + Name = "br0"; + }; + networks = { + "40-br0" = { + matchConfig.Name = "br0"; + bridgeConfig = {}; + linkConfig = { + RequiredForOnline = "routable"; + }; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + }; + }; + }; +} diff --git a/features/docker.nix b/features/docker.nix new file mode 100644 index 0000000..8814f80 --- /dev/null +++ b/features/docker.nix @@ -0,0 +1,3 @@ +{ ... }: { + virtualisation.docker.enable = true; +} diff --git a/features/dockge.nix b/features/dockge.nix new file mode 100644 index 0000000..709c52c --- /dev/null +++ b/features/dockge.nix 
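Review bot: `services.openssh` is enabled with `PermitRootLogin = "no"` but password authentication is left at its default, while `features/headless.nix` in the same commit also sets `PasswordAuthentication = false`; a host that imports only `base.nix` therefore still accepts password logins over SSH. Add `services.openssh.settings.PasswordAuthentication = false;` beside the root-login line (and `KbdInteractiveAuthentication = false;` if PAM prompts should be off too) so both modules enforce key-only access. `users.mutableUsers = false` already puts account passwords under configuration control, which makes key-only SSH the consistent choice, and the `# TODO: ????` above `networking.wireless.enable = false` should say what the doubt is.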
@@ -0,0 +1,21 @@ +{ ... }: { + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers = { + dockge = { + image = "louislam/dockge"; + ports = [ + "5001:5001" + ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/opt/stacks/dockge/data:/app/data" + "/root/.docker/:/root/.docker" + "/opt/stacks:/opt/stacks" + ]; + environment = { + DOCKGE_STACKS_DIR = "/opt/stacks"; + }; + }; + }; + +} diff --git a/features/embedded.nix b/features/embedded.nix new file mode 100644 index 0000000..8ad6f64 --- /dev/null +++ b/features/embedded.nix @@ -0,0 +1,44 @@ +{ pkgs, unstable, ... }: { + nixpkgs.config.allowUnfree = true; + nixpkgs.config.segger-jlink.acceptLicense = true; + + # TODO: whygodwhy.jpg + nixpkgs.config.permittedInsecurePackages = [ "segger-jlink-qt4-796s" ]; + + environment.systemPackages = with pkgs; [ + unstable.platformio # https://github.com/NixOS/nixpkgs/commit/0ba947ba44fc17c7cc94be2374dbfb939900cecd + segger-jlink + + arduino-ide + stm32cubemx + + avrdude + esptool + stlink + stlink-gui + (kicad-small.override { addons=[kicadAddons.kikit kicadAddons.kikit-library]; }) + kikit + screen + prusa-slicer + esphome + librecad + pulseview + sigrok-cli + ]; + + services.udev.packages = with pkgs; [ + platformio + platformio-core + + openocd + stlink + esptool + avrdude + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="usb", ATTR{idVendor}="1a86", ATTR{idProduct}=="8010", MODE="0666" + SUBSYSTEM=="usb", ATTR{idVendor}="4348", ATTR{idProduct}=="55e0", MODE="0666" + SUBSYSTEM=="usb", ATTR{idVendor}="1a86", ATTR{idProduct}=="8012", MODE="0666" + ''; +} diff --git a/features/factorio.nix b/features/factorio.nix new file mode 100644 index 0000000..bb38339 --- /dev/null +++ b/features/factorio.nix 
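Review bot: The `dockge` container bind-mounts `/var/run/docker.sock` and `/root/.docker/` and publishes `"5001:5001"`, which Docker binds on every interface, so whoever can reach port 5001 before the first-run account is created controls the Docker daemon and with it the host. Bind the listener to loopback, `"127.0.0.1:5001:5001"`, and reach it through SSH or a reverse proxy; `features/persistent_docker.nix` later in this commit has the same exposure. `image = "louislam/dockge"` is unpinned, so each pull silently moves this privileged workload to whatever `latest` currently is; a tag or digest plus a comment on why the socket mount is needed would make the risk explicit.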
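Review bot: All three `services.udev.extraRules` lines write `ATTR{idVendor}="1a86"` (and `"4348"`) with a single `=`, which in udev syntax is an assignment to the sysfs attribute, not a match, so each rule matches on `idProduct` alone and tries to write `idVendor` on whatever device it hits. Change them to `ATTR{idVendor}=="1a86"` and `ATTR{idVendor}=="4348"` so the vendor is matched the way `ATTR{idProduct}==` already is. `MODE="0666"` makes the matched devices writable by every account on the machine; `TAG+="uaccess"` or `GROUP="plugdev", MODE="0660"` gives the logged-in user the same convenience without that. The `# TODO: whygodwhy.jpg` above `permittedInsecurePackages` should name the reason `segger-jlink-qt4-796s` must stay allowed, since that list is the only record that an insecure package was accepted on purpose.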
@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ (factorio.override {
+ username = "";
+ token = "";
+
+ releaseType = "alpha";
+ version = "1.1.107";
+
+ # nix-prefetch-url "file:///run/media/lauren_lagarde/Lauren%20USB/Applications/factorio/factorio_alpha_x64_1.1.107.tar.xz" --name factorio_alpha_x64-1.1.107.tar.xz
+ })
+ ];
+}
diff --git a/features/headless.nix b/features/headless.nix
new file mode 100644
index 0000000..d75917e
--- /dev/null
+++ b/features/headless.nix
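Review bot: `username = ""` and `token = ""` are placeholders for the Factorio account credentials, and the `nix-prefetch-url` comment indicates the release tarball is expected to be placed in the store by hand first; on a machine without that store path the build fails with a download error that does not explain this. Say so in the comment, e.g. `# Tarball must be prefetched into the store with the command below; username/token are intentionally empty.` A filled-in `token` here would end up both in git history and in the world-readable Nix store, so if a credential is ever required it belongs in the encrypted `secrets/` archive and a file read at evaluation time, not in this module.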
@@ -0,0 +1,67 @@ +{ config, lib, pkgs, callPackage, ... }: { + + ############################################################################## + ############################################################################## + ############################################################################## + # Packages + + environment.systemPackages = with pkgs; [ + # Basic Utilities + bc pv killall unzip unrar-wrapper unar + + # System Monitoring / TUI QoL Tools + btop iotop tmux byobu + + # Backup Tools + restic rclone + + # Networking Utilities + dig tinc_pre traceroute wireguard-tools iperf3 + + # Security / Cryptography + (pass.withExtensions (ext: with ext; [ pass-otp pass-update ])) + ssss gnupg pwgen qrencode diceware + + # NixOS Helpers + nixos-generators nix-index nix-search-cli + + # Applications + vim_configurable + + # File Systems + nfs-utils cifs-utils exfatprogs + + # Multimedia Utilities + ffmpeg imagemagick + + # Services + podman-compose + + units usbutils pciutils + ]; + + ############################################################################## + ############################################################################## + ############################################################################## + # Services + # TODO: Split this out further + + services.uptimed.enable = true; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = lib.mkForce "no"; + PasswordAuthentication = false; + }; + }; + + # TODO: Attempt to use podman + virtualisation.docker.enable = true; + virtualisation.containers.enable = true; + virtualisation.podman = { + enable = true; + dockerCompat = false; + defaultNetwork.settings.dns_enabled = true; + }; +} diff --git a/features/i3.nix b/features/i3.nix new file mode 100644 index 0000000..635e57a --- /dev/null +++ b/features/i3.nix 
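Review bot: The module header takes `callPackage` as an argument, but the NixOS module system does not supply a `callPackage` argument (it is a function on `pkgs`) and nothing in the body uses it, so unless `_module.args.callPackage` is defined somewhere outside this commit, evaluating this module will likely fail on the missing argument. Drop it: `{ config, lib, pkgs, ... }: {`. `virtualisation.docker.enable` and `virtualisation.podman.enable` are both on under `# TODO: Attempt to use podman`, with `dockerCompat = false` so podman is not standing in for docker; running two container daemons doubles the daemon surface on a headless host, and the comment should state which one services are expected to use until the migration happens.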
@@ -0,0 +1,71 @@ +{ pkgs, lib, unstable, ... }: { + + hardware.graphics.enable32Bit = true; + + ############################################################################## + ############################################################################## + ############################################################################## + # Display Server Config + + services.xserver = { + enable = true; + + desktopManager = { + xterm.enable = false; + gnome.enable = true; + }; + + windowManager.i3.enable = true; + }; + + services.displayManager = { + defaultSession = "none+i3"; + }; + + ############################################################################## + ############################################################################## + ############################################################################## + # Packages + + programs.virt-manager.enable = true; + + environment.systemPackages = with pkgs; [ + # Polybar + siji + polybar + font-awesome + font-awesome_5 + networkmanagerapplet + + # Apps + gnome-terminal + chromium + qtpass + unstable.yt-dlp + + rofi + i3status + i3lock + i3blocks + nemo-with-extensions + dunst + pinentry-qt + brightnessctl + openscad-unstable + shutter + pavucontrol + arandr + blueman + sublime-merge + libreoffice + gparted + loupe + gthumb + vlc + mpv + + ledger + xorg.xkill + sound-juicer + ]; +} diff --git a/features/intelgpu.nix b/features/intelgpu.nix new file mode 100644 index 0000000..b888ac3 --- /dev/null +++ b/features/intelgpu.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: { + nixpkgs.config.packageOverrides = pkgs: { + intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; }; + }; + + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver + intel-vaapi-driver + libvdpau-va-gl + ]; + }; + + environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; +} diff --git a/features/libvirt.nix b/features/libvirt.nix new file mode 100644 index 0000000..0c0e87e 
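Review bot: `lib` is declared in the module arguments but never used, and `desktopManager.gnome.enable = true` brings in the whole GNOME session and its services even though `defaultSession = "none+i3"` makes i3 the login target. If GNOME is kept only for its applications, the individual packages already listed in `environment.systemPackages` are the lighter footprint; if the full desktop is intended, a one-line comment on `gnome.enable` saying so would stop the next reader from removing it.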
--- /dev/null +++ b/features/libvirt.nix @@ -0,0 +1,3 @@ +{ ... }: { + virtualisation.libvirtd.enable = true; +} diff --git a/features/nvidia.nix b/features/nvidia.nix new file mode 100644 index 0000000..e0dda2d --- /dev/null +++ b/features/nvidia.nix @@ -0,0 +1,36 @@ +# https://community.frame.work/t/egpu-gtx-1060-6gb-working-great-on-nixos-on-the-12th-gen-framework/40919 +{ config, ... }: { + # Enable OpenGL + hardware.graphics.enable = true; + + # Load nvidia driver for Xorg and Wayland + services.xserver.videoDrivers = ["nvidia"]; + + hardware.nvidia = { + # Modesetting is required. + modesetting.enable = true; + + # Nvidia power management. Experimental, and can cause sleep/suspend to fail. + powerManagement.enable = true; + + # Fine-grained power management. Turns off GPU when not in use. + # Experimental and only works on modern Nvidia GPUs (Turing or newer). + powerManagement.finegrained = false; + + # Use the NVidia open source kernel module (not to be confused with the + # independent third-party "nouveau" open source driver). + # Support is limited to the Turing and later architectures. Full list of + # supported GPUs is at: + # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus + # Only available from driver 515.43.04+ + # Currently alpha-quality/buggy, so false is currently the recommended setting. + open = false; + + # Enable the Nvidia settings menu, + # accessible via `nvidia-settings`. + nvidiaSettings = true; + + # Optionally, you may need to select the appropriate driver version for your specific GPU. + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; +} diff --git a/features/persistent_docker.nix b/features/persistent_docker.nix new file mode 100644 index 0000000..81a9219 --- /dev/null +++ b/features/persistent_docker.nix 
@@ -0,0 +1,40 @@ +{ pkgs, lib, ... }: { + systemd.mounts = [ + { + type = "ext4"; + options = "rw"; + what = "/dev/vda"; + where = "/persistent"; + } + ]; + + systemd.automounts = [ + { + wantedBy = [ "multi-user.target" ]; + where = "/persistent"; + } + ]; + + virtualisation.docker.daemon.settings = { + data-root = "/persistent/docker-root"; + }; + + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers = { + dockge = { + image = "louislam/dockge"; + ports = [ + "5001:5001" + ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/persistent/stacks/dockge/data:/app/data" + "/root/.docker/:/root/.docker" + "/persistent/stacks:/persistent/stacks" + ]; + environment = { + DOCKGE_STACKS_DIR = "/persistent/stacks"; + }; + }; + }; +} diff --git a/features/printing.nix b/features/printing.nix new file mode 100644 index 0000000..1dcc289 --- /dev/null +++ b/features/printing.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: { + services.printing.enable = true; + services.printing.drivers = with pkgs; [ brlaser hplipWithPlugin ]; + + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; +} diff --git a/features/rtl-sdr.nix b/features/rtl-sdr.nix new file mode 100644 index 0000000..f159d88 --- /dev/null +++ b/features/rtl-sdr.nix @@ -0,0 +1,12 @@ +{ pkgs, unstable, ... }: { + hardware.rtl-sdr.enable = true; + users.users.lauren_lagarde.extraGroups = [ "plugdev" ]; + + services.udev.packages = [ pkgs.rtl-sdr ]; + + environment.systemPackages = with pkgs; [ + gnuradio + soapyrtlsdr + gqrx + ]; +} diff --git a/features/stronghold-binary-cache.nix b/features/stronghold-binary-cache.nix new file mode 100644 index 0000000..f8b4750 --- /dev/null +++ b/features/stronghold-binary-cache.nix 
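Review bot: The `dockge` container block here is a copy of `features/dockge.nix` with `/opt/stacks` replaced by `/persistent/stacks`; importing both modules on one host yields a conflicting `image` definition and concatenated `ports`/`volumes` lists rather than an override, and any fix to one copy will be missed in the other. Make the stacks directory a parameter of a single module instead of keeping two divergent copies. The mount unit names the raw device `/dev/vda` with `options = "rw"`, which follows whatever disk happens to enumerate first; a `/dev/disk/by-label/...` (or by-id) reference is stable across reorders, and `pkgs` and `lib` are unused arguments.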
@@ -0,0 +1,13 @@
+{ ... }: {
+ nix.settings = {
+ substituters = [
+ "http://nix-cache.stronghold.mlaga97.space"
+ "https://nix-community.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "nix-cache.stronghold.mlaga97.space:RR2S/XWXGjACgAeN30qWCgG1wySOyTGtup8Os3yrdQw="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+}
diff --git a/features/virtualbox.nix b/features/virtualbox.nix
new file mode 100644
index 0000000..a34cf24
--- /dev/null
+++ b/features/virtualbox.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+ virtualisation.libvirtd.enable = false;
+
+ virtualisation.virtualbox = {
+ host = {
+ enable = true;
+ enableExtensionPack = true;
+ };
+ };
+}
diff --git a/features/yubikey.nix b/features/yubikey.nix
new file mode 100644
index 0000000..e288ded
--- /dev/null
+++ b/features/yubikey.nix
@@ -0,0 +1,17 @@
+{ pkgs, lib, ... }: {
+ environment.systemPackages = with pkgs; [
+ yubikey-personalization
+ ];
+
+ services.udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
+
+ services.pcscd.enable = true;
+ programs.ssh.startAgent = false;
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b2caa5f
--- /dev/null
+++ b/flake.lock
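Review bot: `http://nix-cache.stronghold.mlaga97.space` is a plaintext substituter; with signature checking at its default the matching `trusted-public-keys` entry still protects NAR contents, but `flake.nix` in this commit sets `nix.settings.require-sigs = false` for the `pi_modules` hosts, and on those machines anything served from, or injected into, that HTTP cache is installed unverified. Serve the cache over HTTPS, or at least keep signatures required everywhere and handle the deploy case with `trusted-users`. A comment on the substituter line, `# plain HTTP: the key below is the only integrity control for this entry`, would make the dependency visible to whoever edits either list.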
@@ -0,0 +1,255 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1736864502, + "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=", + "owner": "nix-community", + "repo": "disko", + "rev": "0141aabed359f063de7413f80d906e1d98c0c123", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v1.11.0", + "repo": "disko", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735344290, + "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "613691f285dad87694c2ba1c9e6298d04736292d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1729298361, + "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=", + "rev": "ad9d06f7838a25beec425ff406fe68721fef73be", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be" + }, + 
"original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": "flake-utils", + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732605668, + "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=", + "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz?rev=f19bd752910bbe3a861c9cad269bd078689d50fe" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz" + } + }, + "nixlib": { + "locked": { + "lastModified": 1711241261, + "narHash": "sha256-knrTvpl81yGFHIpm1SsLDApe0thFkw1cl3ISAMPmP/0=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "b2a1eeef8c185f6bd27432b053ff09d773244cbc", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729472750, + "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1736241350, + "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { 
+ "locked": { + "lastModified": 1723175592, + "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1735531152, + "narHash": "sha256-As8I+ebItDKtboWgDXYZSIjGlKeqiLBvjxsQHUmAf1Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3ffbbdbac0566a0977da3d2657b89cbcfe9a173b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1, + "narHash": "sha256-QJFvxzBCZHVjWApIe4KaxC3gRd5d1QgDT3xJNetMwVE=", + "path": "/nix/store/n9acswl48815yv56dqwszbm2s80rlf7r-nixos-24.05.20240531.805a384/nixos", + "type": "path" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "lix-module": "lix-module", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable", + "waveforms": "waveforms" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "waveforms": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1722915115, + "narHash": "sha256-kkH01G1ViT7N/0gNQVcsPMxyrhn+rPFGeGHK3w2Xryo=", + "owner": "liff", + "repo": "waveforms-flake", + "rev": "49ef7864932c4428b628791cd7cfccc694717ee8", + "type": "github" + }, + "original": { + "owner": "liff", + "repo": "waveforms-flake", + "type": "github" + } + } + }, + "root": 
"root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..3b589d4 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,271 @@ +# https://nix.dev/ +# https://github.com/barrucadu/nixfiles/tree/master +# https://bitbucket.org/bzz/nixos/src/master/configuration.nix +# https://grahamc.com/blog/erase-your-darlings/ +# https://github.com/Misterio77/nix-starter-configs + +## Build System +# sudo rm -rf /etc/nixos/ && sudo cp ./ /etc/nixos/ && sudo nixos-rebuild switch + +## Build Iso +# nix build -L .#packages.x86_64-linux.ll-nixos-full-iso + +## Update Packages +# nix flake update + +## Clean up nix-store +# nix-store --delete ... + +## Encrypted Home Directory +# https://github.com/nix-community/home-manager/issues/3415 + +## Declarative Disk Partioning +# https://github.com/nix-community/disko +# https://github.com/nix-community/nixos-anywhere-examples/blob/main/configuration.nix + +{ + description = "Lauren's System Flake"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager/release-24.11"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-generators.url = "github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565"; + nixos-generators.inputs.nixpkgs.follows = "nixpkgs"; + + lix-module.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"; + lix-module.inputs.nixpkgs.follows = "nixpkgs"; + + # Extras + waveforms.url = "github:liff/waveforms-flake"; + disko.url = "github:nix-community/disko/v1.11.0"; + }; + + outputs = { self, nixpkgs, nixpkgs-unstable, home-manager, nixos-generators, disko, waveforms, lix-module, ... 
}@inputs: let + system = "x86_64-linux"; + timezone = "America/Chicago"; + locale = "en_US.UTF-8"; + stateVersion = "24.11"; + + unstable = nixpkgs-unstable.legacyPackages.${system}; + + iso_modules = [ + "${nixpkgs}/nixos/modules/installer/cd-dvd/iso-image.nix" + { isoImage.squashfsCompression = "zstd"; } + ]; + + # Look into: https://git.sr.ht/~magic_rb/dotfiles/tree/master/item/nixos/systems/gooseberry + pi_modules = [{ + # Disabling the whole `profiles/base.nix` module, which is responsible + # for adding ZFS and a bunch of other unnecessary programs: + disabledModules = [ + "profiles/base.nix" + ]; + + # Allows for remote deployment via + # nixos-rebuild -L switch --flake .?submodules=1#HOSTNAME --target-host USER@HOSTNAME + nix.settings.require-sigs = false; + }]; + + # TODO: Surely a better way, no? + inherited_modules = [ + { + time.timeZone = timezone; + system.stateVersion = stateVersion; + } + lix-module.nixosModules.default + home-manager.nixosModules.home-manager + waveforms.nixosModule + disko.nixosModules.default + ]; + in { + nixosConfigurations = { + ll-nixos-headless = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = "ll-nixos-headless"; } + ./systems/ll-nixos-headless.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + + ll-nixos = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = "ll-nixos"; } + ./systems/ll-nixos-full.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + + ll-latitude-e5591 = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { + networking.hostName = "ll-latitude-e5591"; + networking.hostId = "f55542ee"; + } + ./systems/ll-latitude-e5591.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + + ll-nixos-headless-pi = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = pi_modules ++ [ + { + 
networking.hostName = "ll-nixos-headless-pi"; + + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + + "/boot/firmware" = { + device = "/dev/disk/by-label/FIRMWARE"; + fsType = "vfat"; + }; + }; + } + ./systems/ll-nixos-headless.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + + # Real Systems + bastion-in-training = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ ./systems/bastion/bastion-in-training.nix ] ++ inherited_modules; + }; + bastion = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ ./systems/bastion/bastion-actual.nix ] ++ inherited_modules; + }; + + stronghold = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + { + networking.hostName = "stronghold"; + networking.hostId = "c581a1cd"; + } + ./systems/vm-docker-base.nix + ] ++ inherited_modules; + }; + }; + + packages.aarch64-linux = { + ll-nixos-headless-pi-sdcard = nixos-generators.nixosGenerate { + system = "aarch64-linux"; + format = "sd-aarch64"; + modules = pi_modules ++ [ + { networking.hostName = "ll-nixos-headless-pi"; } + ./systems/ll-nixos-headless.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + + token-pi-sdcard = nixos-generators.nixosGenerate { + system = "aarch64-linux"; + format = "sd-aarch64"; + modules = pi_modules ++ [ + { networking.hostName = "token-pi"; } + ./systems/ll-nixos-headless.nix + ] ++ inherited_modules; + specialArgs = { unstable = unstable; }; + }; + }; + + packages.x86_64-linux = { + + ########################################################################## + ########################################################################## + ########################################################################## + # Personal Live Disks + + ll-nixos-headless-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; 
+ modules = iso_modules ++ [ + { networking.hostName = "ll-nixos-headless"; } + ./systems/ll-nixos-headless.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + ll-nixos-base-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = "ll-nixos-base"; } + ./systems/ll-nixos-base.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + ll-nixos-full-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = "ll-nixos"; } + ./systems/ll-nixos-full.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + ll-latitude-e5591-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = "ll-latitude-e5591"; } + ./systems/ll-latitude-e5591.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + ########################################################################## + ########################################################################## + ########################################################################## + # Systems + + ll-nixos-factorio-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = "ll-nixos-factorio"; } + ./systems/ll-nixos-factorio.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + vm-docker-dhcp-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = iso_modules ++ [ + { networking.hostName = ""; } + ./systems/vm-docker-dhcp.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + living-room-nixos-iso = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = 
iso_modules ++ [ + { networking.hostName = "living-room-nixos-iso"; } + ./systems/ll-nixos-full.nix + ] ++ inherited_modules; + format = "install-iso"; + specialArgs = { unstable = unstable; }; + }; + + default = self.packages.x86_64-linux.ll-nixos-full-iso; + }; + }; +} diff --git a/pop_secrets.sh b/pop_secrets.sh new file mode 100644 index 0000000..df5fe60 --- /dev/null +++ b/pop_secrets.sh @@ -0,0 +1 @@ +cat secrets.tar.zst.gpg | gpg -d | tar --zstd -xv diff --git a/push_secrets.sh b/push_secrets.sh new file mode 100644 index 0000000..db29adb --- /dev/null +++ b/push_secrets.sh @@ -0,0 +1 @@ +tar -c secrets/ | zstd | gpg --encrypt --compress-algo none --recipient mlaga97@gmail.com > secrets.tar.zst.gpg diff --git a/secrets.tar.zst.gpg b/secrets.tar.zst.gpg new file mode 100644 index 0000000..42ecd93 Binary files /dev/null and b/secrets.tar.zst.gpg differ diff --git a/systems/bastion/bastion-actual.nix b/systems/bastion/bastion-actual.nix new file mode 100644 index 0000000..7f87a31 --- /dev/null +++ b/systems/bastion/bastion-actual.nix 
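Review bot: `nix.settings.require-sigs = false` in `pi_modules` disables store-path signature verification for the whole host, not only for the `nixos-rebuild --target-host` deploy the comment describes, so together with the plaintext substituter in `features/stronghold-binary-cache.nix` the Pi accepts unsigned paths from the network. The usual alternative is to keep signatures required and add the deploying user to `nix.settings.trusted-users` on the target, or to sign the closure with `nix store sign` before copying. Separately, `vm-docker-dhcp-iso` sets `networking.hostName = ""`, which is an empty hostname rather than "unset", and the `waveforms` and `disko` inputs lack `inputs.nixpkgs.follows = "nixpkgs"`, which appears to be why `flake.lock` carries a `path`-type nixpkgs entry pointing into a local `/nix/store` for waveforms; `locale` is bound in the `let` but never read.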
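Review bot: `push_secrets.sh` encrypts the archive without signing it, and `pop_secrets.sh` pipes `gpg -d` straight into `tar --zstd -xv`, so a replaced `secrets.tar.zst.gpg` that decrypts cleanly is extracted with no authenticity check and extraction begins before any verification could fail. Add `--sign` to the encrypt command, and on the receiving side decrypt to a file and only unpack after gpg exits successfully: `gpg --decrypt --output secrets.tar.zst secrets.tar.zst.gpg && tar --zstd -xvf secrets.tar.zst`. `--recipient mlaga97@gmail.com` selects a key by e-mail match in the local keyring, which any imported key with that user id can satisfy; naming the key by fingerprint pins it. Both scripts also lack an interpreter line and `set -euo pipefail`.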
@@ -0,0 +1,117 @@
+{ pkgs, ... }: {
+ networking.hostName = "bastion";
+ networking.hostId = "0d13f99b";
+
+ # WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
+ # https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
+ # https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
+
+ imports = [
+ ./bastion_base.nix
+
+ ../../features/intelgpu.nix
+ ../../tweaks/powersave.nix
+ ];
+
+ boot.loader.grub.mirroredBoots = [
+ {
+ devices = [ "nodev" ];
+ path = "/boot0";
+ }
+ {
+ devices = [ "nodev" ];
+ path = "/boot1";
+ }
+ ];
+
+ fileSystems = {
+ "/boot0" = {
+ device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+ "/boot1" = {
+ device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+
+ "/exports/Frigate" = {
+ device = "bastion-frigate";
+ fsType = "zfs";
+ };
+ "/exports/MyBook" = {
+ device = "MyBook/root";
+ fsType = "zfs";
+ options = [ "nofail" ];
+ };
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Networking
+
+ systemd.network.networks = {
+ "30-eno1" = {
+ matchConfig.Name = "eno1";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "30-enp0s20f0u8" = {
+ matchConfig.Name = "enp0s20f0u8";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+
+ "90-tinc" = {
+ matchConfig.Name = "tinc.mlaga97spa";
+ address = [ "10.86.84.105/32" ];
+ routes = [ { Destination = "10.86.84.0/24"; } ];
+ };
+ };
+
+ services.tinc.networks.mlaga97space = {
+ name = "bastion";
+ ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
+
+ chroot = false;
+ settings.ConnectTo = [ "fortress" "citadel" ];
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Services
+
+ hardware.coral.pcie.enable = true;
+
+ services.apcupsd = {
+ enable = true;
+ configText = ''
+ UPSTYPE usb
+ NISIP 0.0.0.0
+ BATTERYLEVEL 5
+ MINUTES 3
+ '';
+ };
+
+ # TODO: Put scripts into version control
+ services.cron = {
+ enable = true;
+ mailto = "";
+ systemCronJobs = [
+
+ # Sync Restic from Archive to MyBook daily at 0600
+ "0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null"
+
+ # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
+ "*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"
+
+ # Grab a still photo from all cameras once per minute
+ "* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"
+
+ # TODO: Automatically Collate Camera Images Monthly
+ ];
+ };
+}
diff --git a/systems/bastion/bastion-in-training.nix b/systems/bastion/bastion-in-training.nix
new file mode 100644
index 0000000..545da38
--- /dev/null
+++ b/systems/bastion/bastion-in-training.nix
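Review bot: The three `systemCronJobs` entries run as `root` but execute scripts out of `/home/lauren_lagarde/bin/`, so anything able to write to that user's home directory gets code run as root every minute; the `# TODO: Put scripts into version control` comment already points at the fix, which is to ship them from a root-owned path (a Nix-managed package or `/etc`) and reference that path in the cron lines. Separately, `NISIP 0.0.0.0` in `services.apcupsd.configText` makes the apcupsd network information server listen on every interface, and since `./bastion_base.nix` imports `disable_firewall.nix` there is no host filter in front of it; `NISIP 127.0.0.1` is the safer default unless another host genuinely polls this UPS, in which case a comment naming that host would document why it is open.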
@@ -0,0 +1,43 @@
+{ ... }: {
+ networking.hostName = "bastion-in-training";
+ networking.hostId = "c3e44236";
+
+ imports = [
+ ./bastion_base.nix
+ ];
+
+ boot.zfs.devNodes = "/dev/vda2";
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+
+ boot.loader.grub.mirroredBoots = [
+ {
+ devices = [ "nodev" ];
+ path = "/boot0";
+ }
+ {
+ devices = [ "nodev" ];
+ path = "/boot1";
+ }
+ ];
+
+ fileSystems = {
+ "/boot0" = {
+ device = "/dev/vda1";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+ "/boot1" = {
+ device = "/dev/vdb1";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+ };
+
+ systemd.network.networks = {
+ "30-enp1s0" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ };
+}
diff --git a/systems/bastion/bastion_base.nix b/systems/bastion/bastion_base.nix
new file mode 100644
index 0000000..d44d704
--- /dev/null
+++ b/systems/bastion/bastion_base.nix
@@ -0,0 +1,127 @@
+{ pkgs, ... }: {
+ imports = [
+ # Base Config
+ ../../features/base.nix
+ ../../features/headless.nix
+
+ # Features
+ ../../features/br0.nix
+ ../../features/dockge.nix
+ ../../features/docker.nix
+ ../../features/libvirt.nix
+
+ # Tweaks
+ ../../tweaks/zfs.nix
+ ../../tweaks/zram.nix
+ ../../tweaks/disable_firewall.nix
+ ../../tweaks/systemd-resolved_nonsense.nix
+
+ # Dotspace
+ ../../secrets/dotspace.nix
+
+ # Users
+ ../../users/lauren_lagarde/lauren_lagarde.nix
+ ../../users/ashley_funkhouser/ashley_funkhouser.nix
+ ];
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Bootloader / Kernel
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ zfsSupport = true;
+ efiSupport = true;
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Local Filesystems
+
+ fileSystems = {
+ "/" = {
+ device = "bastion-root/root";
+ fsType = "zfs";
+ };
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Services
+
+ services.cron = {
+ enable = true;
+ mailto = "";
+ systemCronJobs = [
+ "* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats > /dev/null"
+ ];
+ };
+
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ Frigate = {
+ path = "/exports/Frigate";
+ comment = "NVR Local Storage";
+ writable = "yes";
+ browseable = "yes";
+
+ "force user" = "nobody";
+ "force group" = "users";
+
+ "create mask" = "775";
+ "force create mode" = "775";
+ "security mask" = "775";
+ "force security mode" = "775";
+
+ "directory mask" = "2775";
+ "force directory mode" = "2775";
+ "directory security mask" = "2775";
+ "force directory security mode" = "2775";
+ };
+
+ MyBook = {
+ path = "/exports/MyBook";
+ comment = "External Storage";
+ writable = "yes";
+ browseable = "yes";
+
+ "force user" = "nobody";
+ "force group" = "users";
+
+ "create mask" = "775";
+ "force create mode" = "775";
+ "security mask" = "775";
+ "force security mode" = "775";
+
+ "directory mask" = "2775";
+ "force directory mode" = "2775";
+ "directory security mask" = "2775";
+ "force directory security mode" = "2775";
+ };
+ };
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # System Users
+
+ users.users = {
+ bastion = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ initialHashedPassword = "$y$j9T$WThHVbTQdHbv4mI0m4EjK/$LA.4Uf95jD/rJpLVf0kbfH0wFBj4FHCimV6xiDfLOD/";
+ };
+ dotspace = {
+ isNormalUser = true;
+ shell = pkgs.shadow;
+ initialHashedPassword = "$y$j9T$cH1b/0aafCTaHyWigarb70$bS6WFrbYV4xUZwVtqDCepydOhEol1DqmokBfkGmvRcA";
+ };
+ };
+}
diff --git a/systems/living-room-nixos.nix b/systems/living-room-nixos.nix
new file mode 100644
index 0000000..59a8a99
--- /dev/null
+++ b/systems/living-room-nixos.nix
@@ -0,0 +1,14 @@
+{ ... }: {
+ imports = [
+ ../ll-nixos-full.nix
+ ];
+
+ # Fix issue with HDMI passthrough
+ home-manager.users.lauren_lagarde = {
+ xsession.windowManager.i3 = {
+ config.startup = [
+ { command = "xrandr --output HDMI-1 --mode 1920x1080 --rate 60 --primary"; }
+ ];
+ };
+ };
+}
diff --git a/systems/ll-latitude-e5591.nix b/systems/ll-latitude-e5591.nix
new file mode 100644
index 0000000..f5a33b4
--- /dev/null
+++ b/systems/ll-latitude-e5591.nix
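Review bot: `services.samba.openFirewall = true` has no effect here because the same module imports `../../tweaks/disable_firewall.nix`, so the two lines contradict each other and the next reader cannot tell which one expresses intent; dropping `openFirewall` or adding `# firewall is disabled host-wide by tweaks/disable_firewall.nix` would make that explicit. Both shares are `writable = "yes"` with every client mapped to `nobody:users` via `force user`/`force group`, and the global section that decides who may connect at all (guest access, `security`, any host allow list) is not in this hunk, so it is worth a one-line comment on `services.samba` stating what restricts access to these shares. The `initialHashedPassword` values for `bastion` (a `wheel` member) and `dotspace` are committed to the repository; they are yescrypt hashes, but a comment noting that they are bootstrap-only and are expected to be rotated after first login would document the intent.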
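Review bot: `../ll-nixos-full.nix` in living-room-nixos.nix resolves to the repository root, because this file lives in `systems/` alongside ll-nixos-full.nix; the sibling system files use `./ll-nixos-full.nix` for the same target. The breakage is masked because the flake's `living-room-nixos-iso` output builds `./systems/ll-nixos-full.nix` directly instead of this file, so the xrandr startup fix here is never applied to that image. Changing the import to `./ll-nixos-full.nix` and pointing the flake's `living-room-nixos-iso` module list at `./systems/living-room-nixos.nix` would make the file both valid and used.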
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }: {
+ imports = [
+ ./ll-nixos-full.nix
+ ../features/intelgpu.nix
+ ];
+
+ hardware.enableRedistributableFirmware = true;
+
+ boot.kernelParams = [
+ "i915.enable_guc=2"
+ ];
+}
diff --git a/systems/ll-nixos-base.nix b/systems/ll-nixos-base.nix
new file mode 100644
index 0000000..4f8ab01
--- /dev/null
+++ b/systems/ll-nixos-base.nix
@@ -0,0 +1,22 @@
+{ ... }: {
+ imports = [
+ ./ll-nixos-headless.nix
+
+ # i3wm
+ ../features/i3.nix
+ ../features/yubikey.nix
+ ../tweaks/bluetooth.nix
+ ../tweaks/intel_igpu_screen_tearing.nix
+
+ # Lauren
+ ../users/lauren_lagarde/i3.nix
+ ../users/lauren_lagarde/autologin.nix
+ ];
+
+ home-manager.users.lauren_lagarde = {
+ imports = [
+ ../users/lauren_lagarde/home-manager/monitor_configs.nix
+ ../users/lauren_lagarde/home-manager/secrets/dotspace_gui.nix
+ ];
+ };
+}
diff --git a/systems/ll-nixos-factorio.nix b/systems/ll-nixos-factorio.nix
new file mode 100644
index 0000000..6961e7c
--- /dev/null
+++ b/systems/ll-nixos-factorio.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ imports = [
+ ./ll-nixos-base.nix
+
+ # Additional Features
+ ../features/factorio.nix
+ ];
+}
diff --git a/systems/ll-nixos-full.nix b/systems/ll-nixos-full.nix
new file mode 100644
index 0000000..0fb0e20
--- /dev/null
+++ b/systems/ll-nixos-full.nix
@@ -0,0 +1,11 @@
+{ ... }: {
+ imports = [
+ ./ll-nixos-base.nix
+
+ # Additional Features
+ ../features/rtl-sdr.nix
+ ../features/printing.nix
+ ../features/embedded.nix
+ ../features/virtualbox.nix
+ ];
+}
diff --git a/systems/ll-nixos-headless.nix b/systems/ll-nixos-headless.nix
new file mode 100644
index 0000000..ffe3bb0
--- /dev/null
+++ b/systems/ll-nixos-headless.nix
@@ -0,0 +1,28 @@
+{ ... }: {
+ imports = [
+ # Core
+ ../features/base.nix
+ ../tweaks/zram.nix
+ ../tweaks/disable_nixos_user.nix
+ ../tweaks/systemd-resolved_nonsense.nix
+
+ # Headless
+ ../features/headless.nix
+ ../tweaks/zfs.nix
+
+ # Lauren
+ ../users/lauren_lagarde/lauren_lagarde.nix
+ {
+ home-manager.users.lauren_lagarde = {
+ imports = [
+ ../users/lauren_lagarde/home-manager/lauren_lagarde.nix
+ ];
+ };
+ }
+
+ # Dotspace
+ ../features/stronghold-binary-cache.nix
+ ../secrets/dotspace.nix
+ ../users/lauren_lagarde/dotspace.nix
+ ];
+}
diff --git a/systems/vm-docker-base.nix b/systems/vm-docker-base.nix
new file mode 100644
index 0000000..0b10127
--- /dev/null
+++ b/systems/vm-docker-base.nix
@@ -0,0 +1,78 @@
+# cd; rm nixos-config; tar -xvf /Parlor/Lauren/nixos-config.tar.zst; cd nixos-config/nixos/; sudo nix run 'github:nix-community/disko/latest#disko-install' -- --flake .#TARGET_HOSTNAME --disk vda /dev/vda
+{ ... }: {
+ imports = [
+ ./ll-nixos-headless.nix
+
+ ../features/docker.nix
+ ../features/dockge.nix
+
+ ../tweaks/disable_firewall.nix
+ ];
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Bootloader / Kernel
+
+ # UEFI Boot
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ # Libvirt Guest Kernel Modules
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Disk Layout
+
+ # https://github.com/nix-community/disko/issues/528
+ disko.devices = {
+ disk = {
+ vda = {
+ type = "disk";
+ device = "/dev/vda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ primary = {
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/systems/vm-docker-dhcp.nix b/systems/vm-docker-dhcp.nix
new file mode 100644
index 0000000..079c2f5
--- /dev/null
+++ b/systems/vm-docker-dhcp.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ imports = [
+ ./ll-nixos-headless.nix
+
+ # Additional Features
+ ../features/persistent_docker.nix
+ ../tweaks/disable-firewall.nix
+ ];
+}
diff --git a/tweaks/bluetooth.nix b/tweaks/bluetooth.nix
new file mode 100644
index 0000000..19502dd
--- /dev/null
+++ b/tweaks/bluetooth.nix
@@ -0,0 +1,25 @@
+{ pkgs, lib, ... }: {
+ hardware.enableRedistributableFirmware = true;
+
+ services.blueman.enable = true;
+
+ hardware.bluetooth = {
+ enable = true;
+ settings.General = {
+ Enable = "Source,Sink,Media,Socket";
+ Experimental = true;
+ };
+ };
+
+ # PipeWire appears to have marginally less shitty bluetooth support
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ audio.enable = true;
+ pulse.enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ jack.enable = true;
+ };
+}
diff --git a/tweaks/disable_firewall.nix b/tweaks/disable_firewall.nix
new file mode 100644
index 0000000..68fb8f5
--- /dev/null
+++ b/tweaks/disable_firewall.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ networking.firewall.enable = false;
+}
diff --git a/tweaks/disable_nixos_user.nix b/tweaks/disable_nixos_user.nix
new file mode 100644
index 0000000..1c83962
--- /dev/null
+++ b/tweaks/disable_nixos_user.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }: {
+ services.getty.autologinUser = lib.mkForce null;
+
+ users.groups.nixos = {};
+ users.users.nixos.group = "nixos";
+ users.users.nixos.isSystemUser = lib.mkForce true;
+ users.users.nixos.isNormalUser = lib.mkForce false;
+ users.users.nixos.initialHashedPassword = lib.mkForce "!";
+
+ # Disable root as well
+ users.users.root.initialHashedPassword = lib.mkForce "!";
+}
diff --git a/tweaks/intel_igpu_screen_tearing.nix b/tweaks/intel_igpu_screen_tearing.nix
new file mode 100644
index 0000000..480c4a0
--- /dev/null
+++ b/tweaks/intel_igpu_screen_tearing.nix
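Review bot: `../tweaks/disable-firewall.nix` in vm-docker-dhcp.nix does not exist in this commit; the file added is `tweaks/disable_firewall.nix` with an underscore, and every other importer (bastion_base.nix, vm-docker-base.nix) uses the underscore form, so evaluating the flake's `vm-docker-dhcp-iso` output will fail on a missing path. The fix is `../tweaks/disable_firewall.nix`. Separately, the flake sets `networking.hostName = ""` for this image, which is presumably deliberate so DHCP assigns the name, but a comment on that line saying so would stop it being read as an oversight.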
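Review bot: `initialHashedPassword` is only applied when an account is first created, so `users.users.nixos.initialHashedPassword = lib.mkForce "!"` and the `root` line below it do not lock an account that already exists with a password on a mutable-users system (the default `users.mutableUsers = true` is not overridden in this hunk). For a tweak whose purpose is to disable these logins, `hashedPassword = lib.mkForce "!"` is the option that is enforced on every activation, and a comment such as `# hashedPassword, not initialHashedPassword: must lock the account even if it already exists` would explain the choice. On the install ISOs this probably only matters for the live root account, but the same module is pulled into every system via ll-nixos-headless.nix.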
@@ -0,0 +1,6 @@
+{ ... }: {
+ # Fix screen tearing on Intel iGPU
+ # TODO: I think this is still broken
+ services.picom.enable = true;
+ services.picom.vSync = true;
+}
diff --git a/tweaks/powersave.nix b/tweaks/powersave.nix
new file mode 100644
index 0000000..5c85e0f
--- /dev/null
+++ b/tweaks/powersave.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ powerManagement.cpuFreqGovernor = "powersave";
+}
diff --git a/tweaks/systemd-resolved_nonsense.nix b/tweaks/systemd-resolved_nonsense.nix
new file mode 100644
index 0000000..397129d
--- /dev/null
+++ b/tweaks/systemd-resolved_nonsense.nix
@@ -0,0 +1,4 @@
+{ ... }: {
+ # I...this is dumb...
+ services.resolved.extraConfig = "ResolveUnicastSingleLabel=yes";
+}
diff --git a/tweaks/zfs.nix b/tweaks/zfs.nix
new file mode 100644
index 0000000..08244cb
--- /dev/null
+++ b/tweaks/zfs.nix
@@ -0,0 +1,16 @@
+{ config, ... }: {
+ boot.supportedFilesystems = [ "zfs" ];
+ boot.zfs.devNodes = "/dev/disk/by-id/";
+
+ services.zfs.autoScrub.enable = true;
+ services.zfs.autoScrub.interval = "weekly";
+
+ boot.extraModprobeConfig = ''
+ # Under low-write conditions, wait up to 30 seconds before committing data to disk
+ options zfs zfs_txg_timeout=30
+
+ # Stupid silent data corruption bug (https://github.com/openzfs/zfs/issues/15933)
+ options zfs zfs_bclone_enabled=0
+ options zfs zfs_dmu_offset_next_sync=0
+ '';
+}
diff --git a/tweaks/zram.nix b/tweaks/zram.nix
new file mode 100644
index 0000000..ed7a411
--- /dev/null
+++ b/tweaks/zram.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ zramSwap = {
+ enable = true;
+ algorithm = "zstd";
+ memoryPercent = 200;
+ };
+}
diff --git a/users/ashley_funkhouser/ashley_funkhouser.nix b/users/ashley_funkhouser/ashley_funkhouser.nix
new file mode 100644
index 0000000..3684659
--- /dev/null
+++ b/users/ashley_funkhouser/ashley_funkhouser.nix
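Review bot: The comment `# I...this is dumb...` on `ResolveUnicastSingleLabel=yes` in systemd-resolved_nonsense.nix does not record why the setting is needed, and this is one where the reason matters: systemd-resolved leaves it off by default because bare single-label names are then sent to the upstream unicast resolver and whatever that resolver answers is trusted, which is the usual reason such lookups are kept local. Presumably this exists so LAN hostnames handed out by the router resolve without a search domain; if so, a comment like `# Bare LAN hostnames (no search domain) must resolve via the router's DNS; resolved disables this by default because single-label queries leak to upstream resolvers` documents both the need and the trade-off, and setting `Domains=` to the LAN search domain in the same `extraConfig` may remove the need for it entirely. This module is imported by ll-nixos-headless.nix and bastion_base.nix, so it applies to every system in the repository.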
@@ -0,0 +1,11 @@
+{ ... }: {
+ users.users.ashley_funkhouser = {
+ isNormalUser = true;
+ description = "Ashley Funkhouser";
+ extraGroups = [ "wheel" "libvirtd" ];
+ initialHashedPassword = "$y$j9T$b.JgT15KeFXOjWQ0gJ7Ae0$n1KSyoAa8E.zI.4WZ6ze.Sk0RqXayZRrZK2319C77W/";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 ajfunk27@gmail.com"
+ ];
+ };
+}
diff --git a/users/lauren_lagarde/autologin.nix b/users/lauren_lagarde/autologin.nix
new file mode 100644
index 0000000..35a178e
--- /dev/null
+++ b/users/lauren_lagarde/autologin.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ services.displayManager = {
+ autoLogin.enable = true;
+ autoLogin.user = "lauren_lagarde";
+ };
+}
diff --git a/users/lauren_lagarde/dotspace.nix b/users/lauren_lagarde/dotspace.nix
new file mode 100644
index 0000000..b432937
--- /dev/null
+++ b/users/lauren_lagarde/dotspace.nix
@@ -0,0 +1,7 @@
+{ pkgs, unstable, ... }: {
+ home-manager.users.lauren_lagarde = {
+ imports = [
+ ./home-manager/secrets/dotspace.nix
+ ];
+ };
+}
diff --git a/users/lauren_lagarde/home-manager b/users/lauren_lagarde/home-manager
new file mode 160000
index 0000000..97cde8a
--- /dev/null
+++ b/users/lauren_lagarde/home-manager
@@ -0,0 +1 @@
+Subproject commit 97cde8a8e73f1623a390397b060e5e4b7ffa61ba
diff --git a/users/lauren_lagarde/i3.nix b/users/lauren_lagarde/i3.nix
new file mode 100644
index 0000000..d149677
--- /dev/null
+++ b/users/lauren_lagarde/i3.nix
@@ -0,0 +1,9 @@
+{ home-manager, unstable, ... }: {
+ home-manager.extraSpecialArgs = {
+ inherit unstable;
+ };
+
+ home-manager.users.lauren_lagarde.imports = [
+ ./home-manager/i3.nix
+ ];
+}
diff --git a/users/lauren_lagarde/lauren_lagarde.nix b/users/lauren_lagarde/lauren_lagarde.nix
new file mode 100644
index 0000000..ed873cf
--- /dev/null
+++ b/users/lauren_lagarde/lauren_lagarde.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }: {
+ users.users.lauren_lagarde = {
+ isNormalUser = true;
+ description = "Lauren Lagarde";
+ extraGroups = [ "docker" "wheel" "libvirtd" "disks" ];
+ initialHashedPassword = "$y$j9T$KqTFvSj9TYmRXugVbiSgj.$RbvxcGlY/DbLFioa64ntY5RO4Ym0CMswhegeQj5qHyD";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 lauren@lagarde.dev"
+ ];
+ };
+}
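Review bot: `"disks"` in `extraGroups` is not a group NixOS defines; the standard group that grants raw block-device access is `disk`, and nothing in this commit creates a `disks` group, so the membership is either silently absent or, on newer releases, an evaluation warning about a nonexistent group. If block-device access is intended the line should read `extraGroups = [ "docker" "wheel" "libvirtd" "disk" ];`, otherwise the entry can be dropped. Since this user is also in `docker`, which is root-equivalent on any host running the daemon, a short comment acknowledging that (`# docker group == root on this host; acceptable for a wheel user`) would make the grant deliberate rather than incidental.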