diff --git a/common/default.nix b/common/default.nix
new file mode 100644
index 0000000..242d51c
--- /dev/null
+++ b/common/default.nix
@@ -0,0 +1,94 @@
+{ config, pkgs, ... }:
+
+{
+ nix = {
+ package = pkgs.nixFlakes;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ optimise.automatic = true;
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 30d";
+ };
+ };
+
+ time.timeZone = "Europe/Madrid";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+
+ security = {
+ doas = {
+ enable = true;
+ extraRules = [{
+ groups = [ "wheel" ];
+ keepEnv = true;
+ noPass = true;
+ }];
+ };
+ sudo.enable = false;
+ };
+
+ environment.systemPackages = with pkgs; [ git vim wget just ripgrep ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+
+ hostKeys = [{
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+
+ knownHosts = {
+ "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,snitch,trantor,capibara,axolotl" =
+ {
+ certAuthority = true;
+ publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca";
+ };
+ };
+
+ extraConfig = ''
+ HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+ TrustedUserCAKeys /etc/ssh/user_ca.pub
+ '';
+ };
+
+ users.mutableUsers = false;
+ users.groups = {
+ dags.gid = 506;
+ };
+ users.users = {
+
+ root = {
+ initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
+ };
+
+ rilla = {
+ uid = 1000;
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ initialHashedPassword = "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1";
+ };
+
+ dags = {
+ uid = 506;
+ group = "dags";
+ extraGroups = [ "wheel" ];
+ createHome = false;
+ isSystemUser = true;
+ password = "*";
+ useDefaultShell = true;
+ };
+
+ };
+}
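Review bot: `dags` is declared as a system user with `password = "*"` yet is placed in `extraGroups = [ "wheel" ]`, and the doas rule above grants the wheel group `noPass = true`, so any process running as `dags` can become root with no password; unless dags genuinely needs that, drop `"wheel"` from its extraGroups or narrow the rule with a `cmd` attribute. root and rilla also share the same `initialHashedPassword`, and committing the crypt hash to the repository lets anyone with read access attempt offline guessing — a `hashedPasswordFile` (or `passwordFile` on older channels) pointing at a persisted file keeps the hash out of the tree. The `TrustedUserCAKeys` line accepts any certificate signed by the user CA, and without an `AuthorizedPrincipalsFile` the certificate principals must match the login name; a one-line comment above the extraConfig block stating that expectation would help the next reader.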
diff --git a/common.nix b/common/desktop.nix similarity index 76% rename from common.nix rename to common/desktop.nix index bfa58a2..4b0f661 100644 --- a/common.nix +++ b/common/desktop.nix @@ -1,14 +1,6 @@ { config, pkgs, ... }: { - nix = { - package = pkgs.nixUnstable; - extraOptions = '' - experimental-features = nix-command flakes - ''; - optimise.automatic = true; - }; - # boot.binfmt.emulatedSystems = [ "aarch64-linux" "qemu-aarch64" ]; networking = { @@ -49,47 +41,13 @@ }; }; - # Set your time zone. - time.timeZone = "Europe/Madrid"; - # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - }; - services.dbus.enable = true; - - services.xserver = { - enable = true; - layout = "us"; - xkbVariant = "altgr-intl"; - xkbOptions = "caps:escape"; - displayManager.startx.enable = true; - libinput.enable = true; - extraConfig = '' - Section "InputClass" - Identifier "trackball" - MatchProduct "Clearly Superior Technologies. CST Laser Trackball" - Driver "libinput" - Option "ButtonMapping" "3 2 1 4 5" - Option "AccelerationProfile" "0" - Option "AccelerationScheme" "predictable" - Option "AccelerationNumerator" "3" - Option "AccelSpeed" "-0.9" - EndSection - ''; - }; - services.tor.enable = true; - services.udev = { packages = [ pkgs.android-udev-rules ]; }; - services.avahi.enable = true; # Enable CUPS to print documents. @@ -109,16 +67,6 @@ jack.enable = true; }; - security.doas = { - enable = true; - extraRules = [{ - groups = [ "wheel" ]; - keepEnv = true; - noPass = true; - }]; - }; - security.sudo.enable = true; - security.pam.services = { swaylock.text = '' auth include login 
@@ -159,20 +107,15 @@ # wget # firefox # ]; - environment.systemPackages = with pkgs; [ dmidecode flashrom git mbuffer ]; + environment.systemPackages = with pkgs; [ dmidecode flashrom mbuffer ]; # Enable touchpad support (enabled default in most desktopManager). # Define a user account. Don't forget to set a password with ‘passwd’. users = { - mutableUsers = false; groups = { plugdev = { }; }; users = { - root.initialHashedPassword = - "$6$3TVh31LfZQFaZi8T$9.cNxrApCaAetC8wRJXxA5U9n4Hbta3CoggvG0HntTQ6sCRQWIV01EhIjdzJoZZ1kqF2ItWkF8Sqprl5raUKY0"; rilla = { - uid = 1000; - isNormalUser = true; shell = pkgs.zsh; extraGroups = [ "wheel" @@ -192,19 +135,10 @@ startGid = 100000; count = 65536; }]; - initialHashedPassword = - "$6$tzMk5I1KZlx7byaO$BvlSz7Cgo1g09e4RpxAjrZEuCptzjibF8nDWDfnOImTbz61Py/qzATDAa7HwAC3JyiZxb.2slTb.vA.f25ypd1"; }; }; }; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; programs.mosh.enable = true; programs.zsh.enable = true; programs.slock.enable = true; @@ -212,37 +146,8 @@ programs.fuse.userAllowOther = true; programs.nix-ld.enable = true; - # List services that you want to enable: - services.pcscd.enable = true; - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; - - hostKeys = [{ - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - }]; - - knownHosts = { - "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,lb,snitch,trantor,capibara,axolotl" = - { - certAuthority = true; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHperHwojXZeo3QWAu1f3kiCKeaHHSqBXJM6ZZEefxdd host_ca"; - }; - }; - - extraConfig = '' - HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub - TrustedUserCAKeys /etc/ssh/user_ca.pub - ''; - }; - virtualisation = { docker.enable = true; podman = { 
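Review bot: `services.pcscd.enable = true` is deleted in the last hunk on this line together with the openssh block, but unlike openssh it is not re-added in common/default.nix, so PC/SC-backed smartcard logins or GPG agents on the desktop hosts would silently stop working after this commit; if that is unintended, re-add `services.pcscd.enable = true;` in common/desktop.nix. These hunks remove lines from the middle of the top-level attribute set, whose start and end lie outside them.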
@@ -277,16 +182,6 @@ hardware.bluetooth.enable = true; services.blueman.enable = true; - fileSystems = { - "/" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = [ "defaults" "size=2G" "mode=755" ]; - }; - }; - - swapDevices = [{ device = "/swap/swapfile"; }]; - environment.persistence = { "/mnt/persist" = { diff --git a/flake.nix b/flake.nix index ff21d68..1714634 100644 --- a/flake.nix +++ b/flake.nix @@ -29,7 +29,7 @@ }; modules = [ - ./trantor.nix + ./hosts/trantor.nix home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence ]; @@ -44,12 +44,21 @@ }; modules = [ - ./capibara.nix + ./hosts/capibara.nix nixos-hardware.nixosModules.lenovo-thinkpad-x230 home-manager.nixosModules.home-manager impermanence.nixosModules.impermanence ]; }; + + lb = nixpkgs-stable.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { impermanence = impermanence; }; + modules = [ + ./hosts/lb.nix + impermanence.nixosModules.impermanence + ]; + }; }; }; } diff --git a/hardware-configuration/capibara.nix b/hardware-configuration/capibara.nix index 8bc5983..f183b4e 100644 --- a/hardware-configuration/capibara.nix +++ b/hardware-configuration/capibara.nix @@ -1,6 +1,3 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. { config, lib, pkgs, modulesPath, ... }: { diff --git a/hardware-configuration/lb.nix b/hardware-configuration/lb.nix new file mode 100644 index 0000000..b94dcfb --- /dev/null +++ b/hardware-configuration/lb.nix 
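Review bot: In the new `lb` system in flake.nix, `specialArgs = { impermanence = impermanence; }` is more idiomatically written `specialArgs = { inherit impermanence; };`. The `lb` entry also omits `home-manager.nixosModules.home-manager`, which the other two systems list; that seems consistent with hosts/lb.nix not configuring home-manager, but a short comment on the entry would make it clear the omission is deliberate.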
@@ -0,0 +1,21 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ "usbhid" "usb_storage" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enu1u1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} diff --git a/capibara.nix b/hosts/capibara.nix similarity index 95% rename from capibara.nix rename to hosts/capibara.nix index 70557b7..8a12f83 100644 --- a/capibara.nix +++ b/hosts/capibara.nix @@ -24,14 +24,25 @@ let in { - imports = [ ./hardware-configuration/capibara.nix ./common.nix ]; + imports = [ + ../hardware-configuration/capibara.nix + ../common + ../common/desktop.nix + ]; home-manager = { - users.rilla.imports = - [ home/capibara.nix "${impermanence}/home-manager.nix" ]; + users.rilla.imports = [ + ../home/capibara.nix + "${impermanence}/home-manager.nix" + ]; }; fileSystems = { + "/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "defaults" "size=2G" "mode=755" ]; + }; "/mnt/btr_root" = { device = "/dev/mapper/root"; @@ -110,6 +121,8 @@ in }; + swapDevices = [{ device = "/swap/swapfile"; }]; + environment.etc = { crypttab = { text = '' diff --git a/hosts/lb.nix b/hosts/lb.nix new file mode 100644 index 0000000..f7640e4 --- /dev/null +++ b/hosts/lb.nix 
@@ -0,0 +1,106 @@
+{ config, pkgs, impermanence, ... }:
+
+{
+ imports = [
+ ./hardware-configuration/lb.nix
+ ../common
+ ];
+
+ boot.loader = {
+ grub.enable = false;
+ raspberryPi = {
+ enable = true;
+ version = 3;
+ firmwareConfig = ''
+ gpu_mem=16
+ '';
+ };
+ };
+ boot.readOnlyNixStore = true;
+ boot.kernelParams = [ "console=tty1" ];
+ boot.tmp.cleanOnBoot = true;
+
+ fileSystems = {
+
+ "/" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "size=500M" "mode=755" ];
+ };
+
+ "/boot" = {
+ device = "/dev/mmcblk0p1";
+ fsType = "vfat";
+ options = [ "ro" ];
+ };
+
+ "/nix" = {
+ device = "/dev/mmcblk0p2";
+ fsType = "ext4";
+ };
+
+ "/state" = {
+ device = "/dev/mmcblk0p3";
+ fsType = "btrfs";
+ options = [ "subvol=state" "compress=zstd" "ro" ];
+ neededForBoot = true;
+ };
+
+ "/mnt/btr_pool" = {
+ device = "/dev/mmcblk0p3";
+ fsType = "btrfs";
+ options = [ "subvolid=5" "compress=zstd" ];
+ };
+
+ "/mnt/data" = {
+ device = "/dev/mmcblk0p3";
+ fsType = "btrfs";
+ options = [ "subvol=data" "compress=zstd" ];
+ };
+
+ "/srv/certs" = {
+ device = "/dev/mmcblk0p3";
+ fsType = "btrfs";
+ options = [ "subvol=certs" "compress=zstd" ];
+ };
+
+ };
+
+ swapDevices = [ ];
+
+ environment.persistence."/state" = {
+ files = [
+ "/etc/machine-id"
+ "/etc/nix/id_rsa"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key-cert.pub"
+ "/etc/ssh/user_ca.pub"
+ "/etc/nixos"
+ ];
+ };
+
+ networking.hostName = "lb";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+
+ "homer.monotremata.xyz" = {
+ sslCertificate = "/srv/certs/acme/monotremata.xyz/fullchain.pem";
+ sslCertificateKey = "/srv/certs/acme/monotremata.xyz/key.pem";
+ addSSL = true;
+ onlySSL = true;
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://narwhal:8020/";
+ };
+ };
+
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
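Review bot: `imports` references `./hardware-configuration/lb.nix`, which resolves to `hosts/hardware-configuration/lb.nix` relative to this file, while the hardware file is added in this same commit at `hardware-configuration/lb.nix` in the repository root and the sibling hosts use `../hardware-configuration/…`; the line should read `../hardware-configuration/lb.nix`. The `homer.monotremata.xyz` vhost sets both `addSSL = true` and `onlySSL = true`, which I believe the nginx module rejects as mutually exclusive at evaluation time; since port 80 is also opened in the firewall, `forceSSL = true;` alone (plain HTTP redirected to HTTPS) looks like the intent, and `services.nginx.recommendedTlsSettings = true;` would tighten the TLS defaults for the key served from /srv/certs. `/etc/nixos` is listed under `files` in the impermanence block although it is a directory, so it likely belongs under `directories`; note also that `/state` is mounted `ro`, so impermanence cannot create any listed entry that does not already exist there on first boot.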
diff --git a/trantor.nix b/hosts/trantor.nix similarity index 94% rename from trantor.nix rename to hosts/trantor.nix index 6336f7e..5383d50 100644 --- a/trantor.nix +++ b/hosts/trantor.nix @@ -6,15 +6,28 @@ let home = "/home/rilla"; in { - imports = [ ./hardware-configuration/trantor.nix ./common.nix ]; + imports = [ + ../hardware-configuration/trantor.nix + ../common + ../common/desktop.nix + ]; home-manager = { - users.rilla.imports = - [ home/trantor.nix "${impermanence}/home-manager.nix" ]; + users.rilla.imports = [ + ../home/trantor.nix + "${impermanence}/home-manager.nix" + ]; extraSpecialArgs.stablePkgs = stablePkgs; }; fileSystems = { + + "/" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "defaults" "size=2G" "mode=755" ]; + }; + "/boot/efi" = { device = "/dev/disk/by-uuid/0BFA-9A66"; fsType = "vfat"; @@ -103,6 +116,8 @@ in { }; + swapDevices = [{ device = "/swap/swapfile"; }]; + environment.etc = { crypttab = { text = ''