forked from pub-solar/os
Compare commits
53 commits
main
...
hensoko-pr
Author | SHA1 | Date | |
---|---|---|---|
Hendrik Sokolowski | 06d72216b5 | ||
Hendrik Sokolowski | 5117333177 | ||
Hendrik Sokolowski | 86eab03d87 | ||
Hendrik Sokolowski | 845444f528 | ||
Hendrik Sokolowski | 552f60b7be | ||
Hendrik Sokolowski | 464f059089 | ||
Hendrik Sokolowski | 0028058588 | ||
Hendrik Sokolowski | 4a436666ad | ||
Hendrik Sokolowski | ae0cd2e1fd | ||
Hendrik Sokolowski | 8144c332d1 | ||
Hendrik Sokolowski | 91c8eea69f | ||
Hendrik Sokolowski | 98751b66c9 | ||
Hendrik Sokolowski | e5c9d8e07b | ||
Hendrik Sokolowski | c39d7f8d0b | ||
Hendrik Sokolowski | 51201be734 | ||
Hendrik Sokolowski | 153df0ab4f | ||
Hendrik Sokolowski | e967841fe4 | ||
Hendrik Sokolowski | f6706c9aa5 | ||
Hendrik Sokolowski | 40cb22a7fc | ||
Hendrik Sokolowski | b4df0ccbce | ||
Hendrik Sokolowski | 830ddca0fc | ||
Hendrik Sokolowski | 0d0ca1ac7e | ||
Hendrik Sokolowski | 25d362ed79 | ||
Hendrik Sokolowski | 80e26a3350 | ||
Hendrik Sokolowski | a1c834002a | ||
Hendrik Sokolowski | 069d63e56e | ||
Hendrik Sokolowski | 1e15ff9372 | ||
Hendrik Sokolowski | db551c0588 | ||
Hendrik Sokolowski | afecf5b555 | ||
Hendrik Sokolowski | bcbc1440b8 | ||
Hendrik Sokolowski | 8dc8a846d4 | ||
Hendrik Sokolowski | 5c4b11bd92 | ||
Hendrik Sokolowski | 2c4f7967f5 | ||
Hendrik Sokolowski | a1fa3ef7f0 | ||
Hendrik Sokolowski | cee78aa6cc | ||
Hendrik Sokolowski | 7d240cd3e9 | ||
Hendrik Sokolowski | 2b81a311bb | ||
Hendrik Sokolowski | d46e871d9e | ||
Hendrik Sokolowski | c00e84ea39 | ||
Hendrik Sokolowski | da5aeefbff | ||
Hendrik Sokolowski | cc0dd3f8c4 | ||
Hendrik Sokolowski | 9fa666aeba | ||
Hendrik Sokolowski | 1da25fe215 | ||
Hendrik Sokolowski | 19b91c2898 | ||
Hendrik Sokolowski | 2bcedac110 | ||
Hendrik Sokolowski | 783a114146 | ||
Hendrik Sokolowski | 61525f1390 | ||
Hendrik Sokolowski | 5d9d2caa4f | ||
Hendrik Sokolowski | 60b13f9ec2 | ||
Hendrik Sokolowski | 4bd786be0e | ||
Hendrik Sokolowski | c60b82b3fc | ||
Hendrik Sokolowski | fe56abbd55 | ||
Hendrik Sokolowski | e3295e29a1 |
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -11,3 +11,4 @@ pkgs/_sources/.shake*
|
|||
|
||||
tags
|
||||
/owners
|
||||
|
||||
|
|
49
flake.lock
49
flake.lock
|
@ -42,11 +42,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1657835815,
|
||||
"narHash": "sha256-CnZszAYpNKydh6N7+xg+eRtWNVoAAGqc6bg+Lpgq1xc=",
|
||||
"lastModified": 1660649317,
|
||||
"narHash": "sha256-16sWaj3cTZOQQgrmzlvBSRaBFKLrHJrfYh1k7/sSWok=",
|
||||
"owner": "LnL7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "54a24f042f93c79f5679f133faddedec61955cf2",
|
||||
"rev": "80871c71edb3da76d40bdff9cae007a2a035c074",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -307,11 +307,11 @@
|
|||
},
|
||||
"latest_2": {
|
||||
"locked": {
|
||||
"lastModified": 1660305968,
|
||||
"narHash": "sha256-r0X1pZCSEA6mzt5OuTA7nHuLmvnbkwgpFAh1iLIx4GU=",
|
||||
"lastModified": 1660574513,
|
||||
"narHash": "sha256-nkMQ1TKIIAYIVbbUzjxfjPn3H1zZFW20TrHUFAjwvNU=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c4a0efdd5a728e20791b8d8d2f26f90ac228ee8d",
|
||||
"rev": "af9e00071d0971eb292fd5abef334e66eda3cb69",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -321,6 +321,26 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"musnix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixos"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1628019651,
|
||||
"narHash": "sha256-zLXDF2sfvN8BXb78nHAp3KSbhE1flOkia5+KtiPQ+mQ=",
|
||||
"owner": "musnix",
|
||||
"repo": "musnix",
|
||||
"rev": "7fb04384544fa2e68bf5e71869760674656b62e8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "musnix",
|
||||
"repo": "musnix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -358,11 +378,11 @@
|
|||
},
|
||||
"nixos": {
|
||||
"locked": {
|
||||
"lastModified": 1660318005,
|
||||
"narHash": "sha256-g9WCa9lVUmOV6dYRbEPjv/TLOR5hamjeCcKExVGS3OQ=",
|
||||
"lastModified": 1660581366,
|
||||
"narHash": "sha256-et+bi9/jlSF/pHx5AYB9ZP2XDdZEQ0vnF7xlvs4503Y=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5c211b47aeadcc178c5320afd4e74c7eed5c389f",
|
||||
"rev": "3d47bbaa26e7a771059d828eecf3bd8bf28a8b0f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -378,11 +398,11 @@
|
|||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1657748715,
|
||||
"narHash": "sha256-WecDwDY/hEcDQYzFnccCNa+5Umht0lfjx/d1qGDy/rQ=",
|
||||
"lastModified": 1660661347,
|
||||
"narHash": "sha256-0eSeeQ7oH502rX5hXXi4Pt9CTgEhygp0/EL+biwhkrk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "3323b944d99b026aebfd8de439e001409dde067d",
|
||||
"rev": "ecef210472ddac2a9e06c7d4c7247a5be96b1cab",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -441,8 +461,8 @@
|
|||
"nur": {
|
||||
"locked": {
|
||||
"lastModified": 0,
|
||||
"narHash": "sha256-koC6DBYmLCrgXA+AMHVaODf1uHYPmvcFygHfy3eg6vI=",
|
||||
"path": "/nix/store/6mfkswqi67m35qwv0vh7kpk8rypbl2rq-source",
|
||||
"narHash": "sha256-XzuvFTmsXULdWynQWzgaPHikepNhjEpK4o5WXfmRqek=",
|
||||
"path": "/nix/store/all4f5y28iyigh60lz4j1j6j02106dn2-source",
|
||||
"type": "path"
|
||||
},
|
||||
"original": {
|
||||
|
@ -480,6 +500,7 @@
|
|||
"digga": "digga",
|
||||
"home": "home",
|
||||
"latest": "latest_2",
|
||||
"musnix": "musnix",
|
||||
"naersk": "naersk",
|
||||
"nixos": "nixos",
|
||||
"nixos-generators": "nixos-generators",
|
||||
|
|
84
flake.nix
84
flake.nix
|
@ -38,6 +38,10 @@
|
|||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
|
||||
nixos-generators.url = "github:nix-community/nixos-generators";
|
||||
|
||||
# hensoko additions
|
||||
musnix.url = "github:musnix/musnix";
|
||||
musnix.inputs.nixpkgs.follows = "nixos";
|
||||
};
|
||||
|
||||
outputs =
|
||||
|
@ -50,6 +54,7 @@
|
|||
, agenix
|
||||
, nvfetcher
|
||||
, deploy
|
||||
, musnix
|
||||
, ...
|
||||
} @ inputs:
|
||||
digga.lib.mkFlake
|
||||
|
@ -103,6 +108,21 @@
|
|||
hosts = {
|
||||
/* set host specific properties here */
|
||||
PubSolarOS = { };
|
||||
companion = {
|
||||
system = "aarch64-linux";
|
||||
};
|
||||
cox = {
|
||||
system = "aarch64-linux";
|
||||
};
|
||||
giggles = {
|
||||
system = "aarch64-linux";
|
||||
};
|
||||
harrison = {
|
||||
modules = [
|
||||
musnix.nixosModules.musnix
|
||||
];
|
||||
};
|
||||
norman = { };
|
||||
};
|
||||
importables = rec {
|
||||
profiles = digga.lib.rakeLeaves ./profiles // {
|
||||
|
@ -111,8 +131,32 @@
|
|||
suites = with profiles; rec {
|
||||
base = [ users.pub-solar users.root ];
|
||||
iso = base ++ [ base-user graphical pub-solar-iso ];
|
||||
pubsolaros = [ full-install base-user users.root ];
|
||||
pubsolaros = [ base-user users.root ];
|
||||
anonymous = [ pubsolaros users.pub-solar ];
|
||||
pubsolaros-light = [ base-user users.root ];
|
||||
hensoko = pubsolaros ++ [ users.hensoko ];
|
||||
hensoko-light = pubsolaros-light ++ [ users.hensoko ];
|
||||
hensoko-iot = [ base-user users.root users.hensoko ];
|
||||
|
||||
# server
|
||||
cube = hensoko-iot;
|
||||
|
||||
# home-controller
|
||||
companion = hensoko-iot;
|
||||
cox = hensoko-iot;
|
||||
giggles = hensoko-iot;
|
||||
|
||||
# laptop
|
||||
ringo = hensoko-light ++ [ ];
|
||||
|
||||
# vm
|
||||
redpanda = hensoko;
|
||||
|
||||
# home pc
|
||||
harrison = hensoko ++ [ daw graphical non-free social work ];
|
||||
|
||||
# work laptop
|
||||
norman = hensoko ++ [ graphical non-free social virtualisation work ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -128,6 +172,8 @@
|
|||
};
|
||||
users = {
|
||||
pub-solar = { suites, ... }: { imports = suites.base; };
|
||||
hensoko = { suites, ... }: { imports = suites.base; };
|
||||
hensoko_iot = { suites, ... }: { imports = suites.base; };
|
||||
}; # digga.lib.importers.rakeLeaves ./users/hm;
|
||||
};
|
||||
|
||||
|
@ -135,6 +181,40 @@
|
|||
|
||||
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
|
||||
|
||||
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
|
||||
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
|
||||
cube = { };
|
||||
companion = {
|
||||
#profilesOrder = [ "system" "direnv" ];
|
||||
#profiles.direnv = {
|
||||
# user = "hensoko";
|
||||
# path = deploy.lib.aarch64-linux.activate.home-manager self.homeConfigurationsPortable.aarch64-linux."hensoko";
|
||||
#};
|
||||
};
|
||||
cox = {
|
||||
#profilesOrder = [ "system" "direnv" ];
|
||||
#profiles.direnv = {
|
||||
# user = "hensoko";
|
||||
# path = deploy.lib.aarch64-linux.activate.home-manager self.homeConfigurationsPortable.aarch64-linux."hensoko";
|
||||
#};
|
||||
};
|
||||
giggles = {
|
||||
#profilesOrder = [ "system" "direnv" ];
|
||||
#profiles.direnv = {
|
||||
# user = "hensoko";
|
||||
# path = deploy.lib.aarch64-linux.activate.home-manager self.homeConfigurationsPortable.aarch64-linux."hensoko";
|
||||
#};
|
||||
};
|
||||
ringo = {
|
||||
#profilesOrder = [ "system" "direnv" ];
|
||||
#profiles.direnv = {
|
||||
# user = "hensoko";
|
||||
# path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux."hensoko";
|
||||
#};
|
||||
};
|
||||
};
|
||||
|
||||
defaultTemplate = self.templates.bud;
|
||||
templates.bud.path = ./.;
|
||||
templates.bud.description = "bud template";
|
||||
};
|
||||
}
|
||||
|
|
16
hosts/companion/companion.nix
Normal file
16
hosts/companion/companion.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
boot.plymouth.enable = lib.mkForce false;
|
||||
pub-solar.nextcloud.enable = lib.mkForce false;
|
||||
};
|
||||
}
|
63
hosts/companion/configuration.nix
Normal file
63
hosts/companion/configuration.nix
Normal file
|
@ -0,0 +1,63 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./home-controller.nix
|
||||
];
|
||||
|
||||
boot.loader.timeout = 0;
|
||||
|
||||
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
device = "nodev";
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
networking.interfaces.wlan0.useDHCP = false;
|
||||
networking.networkmanager.enable = lib.mkForce false;
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
|
||||
nix = {
|
||||
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
];
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "22.11"; # Did you read the comment?
|
||||
}
|
||||
|
6
hosts/companion/default.nix
Normal file
6
hosts/companion/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./companion.nix
|
||||
] ++ suites.companion;
|
||||
}
|
61
hosts/companion/hardware-configuration.nix
Normal file
61
hosts/companion/hardware-configuration.nix
Normal file
|
@ -0,0 +1,61 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.supportedFilesystems = [ "zfs" ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
|
||||
|
||||
boot.initrd.luks.devices = {
|
||||
cryptroot = {
|
||||
device = "/dev/disk/by-uuid/3bbde916-e12a-46a7-9eea-4f5e2aef7883";
|
||||
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04017028021722045451-0:0-part1";
|
||||
bypassWorkqueues = true;
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "zroot/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/5552-1B21";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/rancher/k3s/storage" =
|
||||
{
|
||||
device = "zroot/kubernetes-localstorage";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/0545db4a-0494-44d7-927a-4c78351c4303"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
networking.hostId = "71f2d82a";
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
55
hosts/companion/home-controller.nix
Normal file
55
hosts/companion/home-controller.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{ self, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
|
||||
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_companion_wireguard_key.age";
|
||||
|
||||
pub-solar.home-controller = {
|
||||
enable = true;
|
||||
role = "server";
|
||||
ownIp = "10.0.1.13";
|
||||
|
||||
k3s = {
|
||||
serverAddr = "https://api.kube:6443";
|
||||
tokenFile = "/run/agenix/home_controller_k3s_token";
|
||||
enableLocalStorage = true;
|
||||
enableZfs = true;
|
||||
};
|
||||
|
||||
wireguard = {
|
||||
privateKeyFile = "/run/agenix/home_controller_wireguard";
|
||||
peers = [
|
||||
{
|
||||
# cube
|
||||
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
|
||||
allowedIPs = [ "10.0.1.5/32" ];
|
||||
endpoint = "data.gssws.de:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# giggles
|
||||
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
|
||||
allowedIPs = [ "10.0.1.11/32" ];
|
||||
endpoint = "giggles.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# cox
|
||||
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
|
||||
allowedIPs = [ "10.0.1.12/32" ];
|
||||
endpoint = "cox.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# ringo
|
||||
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
|
||||
allowedIPs = [ "10.0.1.21/32" ];
|
||||
endpoint = "ringo.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
64
hosts/cox/configuration.nix
Normal file
64
hosts/cox/configuration.nix
Normal file
|
@ -0,0 +1,64 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./home-controller.nix
|
||||
];
|
||||
|
||||
boot.loader.timeout = 0;
|
||||
|
||||
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
device = "nodev";
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
networking.interfaces.wlan0.useDHCP = false;
|
||||
networking.networkmanager.enable = lib.mkForce false;
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
|
||||
nix = {
|
||||
#package = pkgs.nixFlakes;
|
||||
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
];
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "22.11"; # Did you read the comment?
|
||||
}
|
||||
|
16
hosts/cox/cox.nix
Normal file
16
hosts/cox/cox.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
boot.plymouth.enable = lib.mkForce false;
|
||||
pub-solar.nextcloud.enable = lib.mkForce false;
|
||||
};
|
||||
}
|
6
hosts/cox/default.nix
Normal file
6
hosts/cox/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./cox.nix
|
||||
] ++ suites.cox;
|
||||
}
|
61
hosts/cox/hardware-configuration.nix
Normal file
61
hosts/cox/hardware-configuration.nix
Normal file
|
@ -0,0 +1,61 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.supportedFilesystems = [ "zfs" ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
|
||||
|
||||
boot.initrd.luks.devices = {
|
||||
cryptroot = {
|
||||
device = "/dev/disk/by-uuid/bf333b74-875f-4187-922e-4b433fb53aa2";
|
||||
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_03024516121421043657-0:0-part1";
|
||||
bypassWorkqueues = true;
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "zroot/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/6CB3-6DB8";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/rancher/k3s/storage" =
|
||||
{
|
||||
device = "zroot/kubernetes-localstorage";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/7ef4a3f8-f4a6-42f5-a57d-21f502ed3dba"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
networking.hostId = "71f2d82a";
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
55
hosts/cox/home-controller.nix
Normal file
55
hosts/cox/home-controller.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{ self, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
|
||||
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cox_wireguard_key.age";
|
||||
|
||||
pub-solar.home-controller = {
|
||||
enable = true;
|
||||
role = "server";
|
||||
ownIp = "10.0.1.12";
|
||||
|
||||
k3s = {
|
||||
serverAddr = "https://api.kube:6443";
|
||||
tokenFile = "/run/agenix/home_controller_k3s_token";
|
||||
enableLocalStorage = true;
|
||||
enableZfs = true;
|
||||
};
|
||||
|
||||
wireguard = {
|
||||
privateKeyFile = "/run/agenix/home_controller_wireguard";
|
||||
peers = [
|
||||
{
|
||||
# cube
|
||||
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
|
||||
allowedIPs = [ "10.0.1.5/32" ];
|
||||
endpoint = "data.gssws.de:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# giggles
|
||||
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
|
||||
allowedIPs = [ "10.0.1.11/32" ];
|
||||
endpoint = "giggles.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# companion
|
||||
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
|
||||
allowedIPs = [ "10.0.1.13/32" ];
|
||||
endpoint = "companion.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# ringo
|
||||
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
|
||||
allowedIPs = [ "10.0.1.21/32" ];
|
||||
endpoint = "ringo.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
8
hosts/cube/acme.nix
Normal file
8
hosts/cube/acme.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{ pkgs, config, ... }:
|
||||
|
||||
{
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "hensoko@gssws.de";
|
||||
};
|
||||
}
|
42
hosts/cube/configuration.nix
Normal file
42
hosts/cube/configuration.nix
Normal file
|
@ -0,0 +1,42 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./acme.nix
|
||||
./home-assistant.nix
|
||||
./nextcloud.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.device = "/dev/disk/by-id/usb-HP_iLO_Internal_SD-CARD_000002660A01-0:0";
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
|
||||
interfaces.eno1.ipv4.addresses = [{
|
||||
address = "80.244.242.2";
|
||||
prefixLength = 29;
|
||||
}];
|
||||
|
||||
defaultGateway = "80.244.242.1";
|
||||
nameservers = [ "95.129.51.51" "80.244.244.244" ];
|
||||
};
|
||||
|
||||
services.openssh.ports = [ 2222 ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
|
||||
networking.firewall.allowedUDPPorts = [ 51899 ];
|
||||
networking.firewall.enable = lib.mkForce true;
|
||||
|
||||
system.stateVersion = "21.05"; # Did you read the comment?
|
||||
}
|
13
hosts/cube/cube.nix
Normal file
13
hosts/cube/cube.nix
Normal file
|
@ -0,0 +1,13 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
with pkgs;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
pub-solar.core.disk-encryption-active = false;
|
||||
}
|
6
hosts/cube/default.nix
Normal file
6
hosts/cube/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./cube.nix
|
||||
] ++ suites.cube;
|
||||
}
|
37
hosts/cube/hardware-configuration.nix
Normal file
37
hosts/cube/hardware-configuration.nix
Normal file
|
@ -0,0 +1,37 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "uhci_hcd" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/715ef65c-6cb3-4455-99ed-fe7408935d00";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/e76a2e82-bf17-4287-967c-bd0f16d16875";
|
||||
fsType = "ext2";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/internal" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/3563f624-f8ed-4664-95d0-ca8b9db1c60a";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/4b0b445b-ae72-439a-8aeb-cbd6a3ed73b9"; }];
|
||||
}
|
19
hosts/cube/home-assistant.nix
Normal file
19
hosts/cube/home-assistant.nix
Normal file
|
@ -0,0 +1,19 @@
|
|||
{ self, pkgs, config, ... }:
|
||||
|
||||
{
|
||||
# HTTP
|
||||
services.nginx = {
|
||||
virtualHosts."ha.gssws.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://10.0.1.254:8123";
|
||||
proxyWebsockets = true;
|
||||
extraConfig =
|
||||
"proxy_ssl_server_name on;" +
|
||||
"proxy_pass_header Authorization;"
|
||||
;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
72
hosts/cube/nextcloud.nix
Normal file
72
hosts/cube/nextcloud.nix
Normal file
|
@ -0,0 +1,72 @@
|
|||
{ self, pkgs, config, ... }:
|
||||
|
||||
{
|
||||
age.secrets.nextcloud_db_pass = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
file = "${self}/secrets/cube_nextcloud_db_pass.age";
|
||||
};
|
||||
|
||||
age.secrets.nextcloud_admin_pass = {
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
file = "${self}/secrets/cube_nextcloud_admin_pass.age";
|
||||
};
|
||||
|
||||
# HTTP
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||
virtualHosts."data.gssws.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
|
||||
# DATABASES
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_11;
|
||||
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "nextcloud";
|
||||
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
||||
}
|
||||
];
|
||||
};
|
||||
systemd.services."nextcloud-setup" = {
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
};
|
||||
|
||||
|
||||
# NEXTCLOUD
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud24;
|
||||
hostName = "data.gssws.de";
|
||||
https = true;
|
||||
datadir = "/mnt/internal/nextcloud";
|
||||
autoUpdateApps.enable = true;
|
||||
autoUpdateApps.startAt = "05:00:00";
|
||||
|
||||
config = {
|
||||
# Further forces Nextcloud to use HTTPS
|
||||
overwriteProtocol = "https";
|
||||
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "/run/postgresql";
|
||||
dbname = "nextcloud";
|
||||
dbpassFile = "/run/agenix/nextcloud_db_pass";
|
||||
adminpassFile = "/run/agenix/nextcloud_admin_pass";
|
||||
adminuser = "admin";
|
||||
};
|
||||
};
|
||||
}
|
63
hosts/cube/wireguard.nix
Normal file
63
hosts/cube/wireguard.nix
Normal file
|
@ -0,0 +1,63 @@
|
|||
{ self, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_cube_wireguard_key.age";
|
||||
|
||||
|
||||
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
|
||||
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
|
||||
|
||||
# Enable WireGuard
|
||||
networking.wireguard.interfaces = {
|
||||
wg1 = {
|
||||
# Determines the IP address and subnet of the client's end of the tunnel interface.
|
||||
ips = [ "10.0.1.5" ];
|
||||
listenPort = 51899; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
|
||||
# Path to the private key file.
|
||||
#
|
||||
# Note: The private key can also be included inline via the privateKey option,
|
||||
# but this makes the private key world-readable; thus, using privateKeyFile is
|
||||
# recommended.
|
||||
privateKeyFile = "/run/agenix/home_controller_wireguard";
|
||||
|
||||
peers = [
|
||||
# For a client configuration, one peer entry for the server will suffice.
|
||||
|
||||
{
|
||||
# giggles
|
||||
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
|
||||
allowedIPs = [ "10.0.1.11/32" ];
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# cox
|
||||
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
|
||||
allowedIPs = [ "10.0.1.12/32" ];
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# companion
|
||||
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
|
||||
allowedIPs = [ "10.0.1.13/32" ];
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
|
||||
{
|
||||
# hsha
|
||||
publicKey = "sC0wWHE/tvNaVYX3QQTHQUmSTTjZMOjkQ5x/qy6qjTc=";
|
||||
allowedIPs = [ "10.0.1.254/32" ];
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
65
hosts/giggles/configuration.nix
Normal file
65
hosts/giggles/configuration.nix
Normal file
|
@ -0,0 +1,65 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./home-controller.nix
|
||||
];
|
||||
|
||||
boot.loader.timeout = 0;
|
||||
|
||||
boot.loader.generic-extlinux-compatible.enable = lib.mkForce false;
|
||||
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
efiSupport = true;
|
||||
efiInstallAsRemovable = true;
|
||||
device = "nodev";
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
networking.interfaces.wlan0.useDHCP = false;
|
||||
networking.networkmanager.enable = lib.mkForce false;
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
|
||||
nix = {
|
||||
#package = pkgs.nixFlakes;
|
||||
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
];
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "22.11"; # Did you read the comment?
|
||||
}
|
||||
|
6
hosts/giggles/default.nix
Normal file
6
hosts/giggles/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./giggles.nix
|
||||
] ++ suites.giggles;
|
||||
}
|
16
hosts/giggles/giggles.nix
Normal file
16
hosts/giggles/giggles.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
boot.plymouth.enable = lib.mkForce false;
|
||||
pub-solar.nextcloud.enable = lib.mkForce false;
|
||||
};
|
||||
}
|
61
hosts/giggles/hardware-configuration.nix
Normal file
61
hosts/giggles/hardware-configuration.nix
Normal file
|
@ -0,0 +1,61 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.initrd.supportedFilesystems = [ "zfs" ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_5_18;
|
||||
|
||||
boot.initrd.luks.devices = {
|
||||
cryptroot = {
|
||||
device = "/dev/disk/by-uuid/ef5804e2-2b07-4434-8144-6ae7d9f615e2";
|
||||
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04020116120721075123-0:0-part1";
|
||||
bypassWorkqueues = true;
|
||||
fallbackToPassword = true;
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "zroot/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/2F05-9B4A";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/rancher/k3s/storage" =
|
||||
{
|
||||
device = "zroot/kubernetes-localstorage";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/ddad2310-57b5-4851-a7bd-280d7182bcec"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
|
||||
networking.hostId = "71f2d82a";
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
53
hosts/giggles/home-controller.nix
Normal file
53
hosts/giggles/home-controller.nix
Normal file
|
@ -0,0 +1,53 @@
|
|||
{ self, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
|
||||
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_giggles_wireguard_key.age";
|
||||
|
||||
pub-solar.home-controller = {
|
||||
enable = true;
|
||||
role = "server";
|
||||
ownIp = "10.0.1.11";
|
||||
|
||||
k3s = {
|
||||
enableLocalStorage = true;
|
||||
enableZfs = true;
|
||||
};
|
||||
|
||||
wireguard = {
|
||||
privateKeyFile = "/run/agenix/home_controller_wireguard";
|
||||
peers = [
|
||||
{
|
||||
# cube
|
||||
publicKey = "UVzVK5FwXW/AGNVipudUDT43NgCiNpsunzkzjpTvVnk=";
|
||||
allowedIPs = [ "10.0.1.5/32" ];
|
||||
endpoint = "data.gssws.de:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# cox
|
||||
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
|
||||
allowedIPs = [ "10.0.1.12/32" ];
|
||||
endpoint = "cox.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# companion
|
||||
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
|
||||
allowedIPs = [ "10.0.1.13/32" ];
|
||||
endpoint = "companion.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
{
|
||||
# ringo
|
||||
publicKey = "n4fGufXDjHitgS2HqVjKRdSNw+co1rYEV1Sw+sCCVzw=";
|
||||
allowedIPs = [ "10.0.1.21/32" ];
|
||||
endpoint = "ringo.local:51899";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
19
hosts/harrison/.config/sway/config.d/screens.conf
Normal file
19
hosts/harrison/.config/sway/config.d/screens.conf
Normal file
|
@ -0,0 +1,19 @@
|
|||
set $left 'Eizo Nanao Corporation EV2316W 92008103'
|
||||
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
|
||||
set $right 'Eizo Nanao Corporation EV2316W 39117013'
|
||||
|
||||
output $left {
|
||||
scale 1
|
||||
pos 0 0
|
||||
transform 270
|
||||
}
|
||||
|
||||
output $middle {
|
||||
scale 1
|
||||
pos 1080 600
|
||||
}
|
||||
|
||||
output $right {
|
||||
scale 1
|
||||
pos 3000 600
|
||||
}
|
48
hosts/harrison/configuration.nix
Normal file
48
hosts/harrison/configuration.nix
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
time.hardwareClockInLocalTime = true; # easiest quirk for windows time offset feature
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eno1 = {
|
||||
useDHCP = true;
|
||||
wakeOnLan = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
networking.networkmanager.enable = lib.mkForce false;
|
||||
|
||||
nixpkgs.config.allowUnsupportedSystem = true;
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Open ports in the firewall.
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.05"; # Did you read the comment?
|
||||
}
|
||||
|
6
hosts/harrison/default.nix
Normal file
6
hosts/harrison/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./harrison.nix
|
||||
] ++ suites.harrison;
|
||||
}
|
76
hosts/harrison/hardware-configuration.nix
Normal file
76
hosts/harrison/hardware-configuration.nix
Normal file
|
@ -0,0 +1,76 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "usb_storage" "usbhid" "sd_mod" "raid1" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.initrd.luks.devices."cryptoroot" = {
|
||||
device = "/dev/disk/by-uuid/e3a0394d-8bb5-4049-bf65-90d7202163cd";
|
||||
keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_04011806021722115743-0:0-part1";
|
||||
fallbackToPassword = true;
|
||||
bypassWorkqueues = true;
|
||||
};
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
boot.loader.efi = {
|
||||
canTouchEfiVariables = true;
|
||||
efiSysMountPoint = "/boot";
|
||||
};
|
||||
boot.loader.grub = {
|
||||
efiSupport = true;
|
||||
enable = true;
|
||||
extraEntries = ''
|
||||
menuentry "Windows" {
|
||||
insmod part_gpt
|
||||
insmod fat
|
||||
insmod search_fs_uuid
|
||||
insmod chain
|
||||
search --fs-uuid --set=root 02DB-F12C
|
||||
chainloader /efi/Microsoft/Boot/bootmgfw.efi
|
||||
}
|
||||
'';
|
||||
devices = [ "nodev" ];
|
||||
};
|
||||
|
||||
|
||||
fileSystems = {
|
||||
"/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/4ad4db6d-543e-4cc5-a781-396e3b527a05";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
"/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/4B4A-B1B4";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
"/boot2" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/4B2C-385A";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
"/home" =
|
||||
{
|
||||
device = "/dev/mapper/vg0-home";
|
||||
fsType = "ext4";
|
||||
};
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/mapper/vg0-swap"; }];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
21
hosts/harrison/harrison.nix
Normal file
21
hosts/harrison/harrison.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
with pkgs;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
|
||||
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
|
||||
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
|
||||
};
|
||||
|
||||
services.teamviewer.enable = true;
|
||||
};
|
||||
}
|
16
hosts/norman/.config/sway/config.d/custom-keybindings.conf
Normal file
16
hosts/norman/.config/sway/config.d/custom-keybindings.conf
Normal file
|
@ -0,0 +1,16 @@
|
|||
# Screen brightness controls
|
||||
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
|
||||
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
|
||||
|
||||
# Keyboard backlight brightness controls
|
||||
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
|
||||
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
|
||||
|
||||
# Pulse Audio controls
|
||||
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
|
||||
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
|
||||
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
|
||||
# Media player controls
|
||||
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
|
||||
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
|
||||
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
|
13
hosts/norman/.config/sway/config.d/screens.conf
Normal file
13
hosts/norman/.config/sway/config.d/screens.conf
Normal file
|
@ -0,0 +1,13 @@
|
|||
set $left 'Eizo Nanao Corporation EV2316W 92008103'
|
||||
set $middle 'Samsung Electric Company SMBX2450L 0x00003231'
|
||||
|
||||
output $left {
|
||||
scale 1
|
||||
pos 0 0
|
||||
transform 270
|
||||
}
|
||||
|
||||
output $middle {
|
||||
scale 1
|
||||
pos 1080 600
|
||||
}
|
67
hosts/norman/configuration.nix
Normal file
67
hosts/norman/configuration.nix
Normal file
|
@ -0,0 +1,67 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [
|
||||
51820
|
||||
51821
|
||||
]; # Clients and peers can use the same port, see listenport
|
||||
};
|
||||
|
||||
hardware.nitrokey.enable = true;
|
||||
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
};
|
||||
|
||||
# Disable bluetooth
|
||||
hardware.bluetooth.enable = false;
|
||||
services.blueman.enable = false;
|
||||
|
||||
services.tlp = {
|
||||
enable = true;
|
||||
settings = {
|
||||
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
|
||||
CPU_SCALING_GOVERNOR_ON_AC = "performance";
|
||||
|
||||
# The following prevents the battery from charging fully to
|
||||
# preserve lifetime. Run `tlp fullcharge` to temporarily force
|
||||
# full charge.
|
||||
# https://linrunner.de/tlp/faq/battery.html#how-to-choose-good-battery-charge-thresholds
|
||||
START_CHARGE_THRESH_BAT0 = 40;
|
||||
STOP_CHARGE_THRESH_BAT0 = 80;
|
||||
|
||||
# 100 being the maximum, limit the speed of my CPU to reduce
|
||||
# heat and increase battery usage:
|
||||
CPU_MAX_PERF_ON_AC = 100;
|
||||
CPU_MAX_PERF_ON_BAT = 30;
|
||||
};
|
||||
};
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.11"; # Did you read the comment?
|
||||
}
|
||||
|
6
hosts/norman/default.nix
Normal file
6
hosts/norman/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./norman.nix
|
||||
] ++ suites.norman;
|
||||
}
|
46
hosts/norman/hardware-configuration.nix
Normal file
46
hosts/norman/hardware-configuration.nix
Normal file
|
@ -0,0 +1,46 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "uas" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.loader.grub.trustedBoot = {
|
||||
enable = true;
|
||||
systemHasTPM = "YES_TPM_is_activated";
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."cryptroot" = {
|
||||
device = "/dev/disk/by-uuid/cdc29f0f-5b18-4ee7-8d38-1f4bac80b1e6";
|
||||
bypassWorkqueues = true;
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/5b441f8f-d7eb-44f8-8df2-7354b3314a61";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/84CD-91B6";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/54162798-9017-4b59-afd7-ab9578da4bb9"; }];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
||||
hardware.trackpoint = {
|
||||
enable = true;
|
||||
device = "TPPS/2 ALPS TrackPoint";
|
||||
emulateWheel = true;
|
||||
};
|
||||
}
|
20
hosts/norman/norman.nix
Normal file
20
hosts/norman/norman.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
|
||||
home-manager.users."${psCfg.user.name}".xdg.configFile = mkIf psCfg.sway.enable {
|
||||
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
|
||||
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
|
||||
};
|
||||
};
|
||||
}
|
93
hosts/norman/wireguard.nix
Normal file
93
hosts/norman/wireguard.nix
Normal file
|
@ -0,0 +1,93 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
systemd.services.wireguard-wg0.serviceConfig.Restart = "on-failure";
|
||||
systemd.services.wireguard-wg0.serviceConfig.RestartSec = "5s";
|
||||
systemd.services.wireguard-wg1.serviceConfig.Restart = "on-failure";
|
||||
systemd.services.wireguard-wg1.serviceConfig.RestartSec = "5s";
|
||||
|
||||
# Enable WireGuard
|
||||
networking.wireguard.interfaces = {
|
||||
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
||||
wg0 = {
|
||||
# Determines the IP address and subnet of the client's end of the tunnel interface.
|
||||
ips = [
|
||||
"10.0.0.13/32"
|
||||
"fc00:200::13/128"
|
||||
];
|
||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
|
||||
# Path to the private key file.
|
||||
#
|
||||
# Note: The private key can also be included inline via the privateKey option,
|
||||
# but this makes the private key world-readable; thus, using privateKeyFile is
|
||||
# recommended.
|
||||
privateKeyFile = "/home/hensoko/.config/wireguard/hosting-de.private";
|
||||
|
||||
peers = [
|
||||
# For a client configuration, one peer entry for the server will suffice.
|
||||
|
||||
{
|
||||
# Public key of the server (not a file path).
|
||||
publicKey = "02/MRPduMGx1as7yS4G7GpL4+pQjsjpyS/tD9iPu8X0=";
|
||||
|
||||
# Forward all the traffic via VPN.
|
||||
allowedIPs = [
|
||||
"10.0.0.0/24"
|
||||
"192.168.50.0/24"
|
||||
"192.168.200.0/24"
|
||||
"10.20.30.0/24"
|
||||
"fc00:200::/120"
|
||||
"95.129.51.5"
|
||||
"95.129.54.43"
|
||||
"134.0.28.89"
|
||||
"134.0.27.108"
|
||||
"134.0.25.181"
|
||||
];
|
||||
|
||||
# Set this to the server IP and port.
|
||||
endpoint = "134.0.30.154:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
wg1 = {
|
||||
# Determines the IP address and subnet of the client's end of the tunnel interface.
|
||||
ips = [
|
||||
"10.7.0.21"
|
||||
];
|
||||
listenPort = 51821; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
|
||||
# Path to the private key file.
|
||||
#
|
||||
# Note: The private key can also be included inline via the privateKey option,
|
||||
# but this makes the private key world-readable; thus, using privateKeyFile is
|
||||
# recommended.
|
||||
privateKeyFile = "/home/hensoko/.config/wireguard/data-gssws-de.private";
|
||||
|
||||
peers = [
|
||||
# For a client configuration, one peer entry for the server will suffice.
|
||||
|
||||
{
|
||||
# Public key of the server (not a file path).
|
||||
publicKey = "RwMocdha7fyx+MGTtQpZhZQGJY4WU79YgpspYBclK3c=";
|
||||
|
||||
# Forward all the traffic via VPN.
|
||||
allowedIPs = [
|
||||
"10.7.0.0/24"
|
||||
];
|
||||
|
||||
# Set this to the server IP and port.
|
||||
endpoint = "80.244.242.2:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
|
||||
};
|
||||
};
|
||||
}
|
||||
|
110
hosts/redpanda/configuration.nix
Normal file
110
hosts/redpanda/configuration.nix
Normal file
|
@ -0,0 +1,110 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
|
||||
# Use the GRUB 2 boot loader.
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
# boot.loader.grub.efiSupport = true;
|
||||
# boot.loader.grub.efiInstallAsRemovable = true;
|
||||
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||
# Define on which hard drive you want to install Grub.
|
||||
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
|
||||
|
||||
# networking.hostName = "nixos"; # Define your hostname.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
||||
# Set your time zone.
|
||||
# time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp0s3.useDHCP = true;
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
nix = {
|
||||
#package = pkgs.nixFlakes;
|
||||
extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) "experimental-features = nix-command flakes";
|
||||
};
|
||||
|
||||
# Select internationalisation properties.
|
||||
# i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
# services.xserver.enable = true;
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
||||
# Enable sound.
|
||||
# sound.enable = true;
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
# users.users.jane = {
|
||||
# isNormalUser = true;
|
||||
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
# };
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
wget
|
||||
firefox
|
||||
];
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
# programs.gnupg.agent = {
|
||||
# enable = true;
|
||||
# enableSSHSupport = true;
|
||||
# };
|
||||
|
||||
# List services that you want to enable:
|
||||
|
||||
# Open ports in the firewall.
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
# networking.firewall.enable = false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.05"; # Did you read the comment?
|
||||
|
||||
|
||||
}
|
||||
|
6
hosts/redpanda/default.nix
Normal file
6
hosts/redpanda/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./redpanda.nix
|
||||
] ++ suites.redpanda;
|
||||
}
|
21
hosts/redpanda/hardware-configuration.nix
Normal file
21
hosts/redpanda/hardware-configuration.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ohci_pci" "virtio_pci" "sd_mod" "sr_mod" "virtio_scsi" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
#virtualisation.virtualbox.guest.enable = true;
|
||||
}
|
17
hosts/redpanda/redpanda.nix
Normal file
17
hosts/redpanda/redpanda.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
#pub-solar.nextcloud.enable = lib.mkForce false;
|
||||
|
||||
config = {
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
};
|
||||
}
|
35
hosts/ringo/configuration.nix
Normal file
35
hosts/ringo/configuration.nix
Normal file
|
@ -0,0 +1,35 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
./home-controller.nix
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp0s25.useDHCP = true;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "21.11"; # Did you read the comment?
|
||||
}
|
||||
|
6
hosts/ringo/default.nix
Normal file
6
hosts/ringo/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ suites, ... }:
|
||||
{
|
||||
imports = [
|
||||
./ringo.nix
|
||||
] ++ suites.ringo;
|
||||
}
|
43
hosts/ringo/hardware-configuration.nix
Normal file
43
hosts/ringo/hardware-configuration.nix
Normal file
|
@ -0,0 +1,43 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
boot.initrd.luks.devices."cryptroot" = {
|
||||
device = "/dev/disk/by-uuid/bd1ebf98-adc1-4868-842f-3d2c6ee04e13";
|
||||
keyFile = "/dev/disk/by-partuuid/9ff6ebf7-01";
|
||||
fallbackToPassword = true;
|
||||
bypassWorkqueues = true;
|
||||
};
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/1999ec2e-4564-4f5a-8333-6eb23ae03c8b";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/47ED-2F0B";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/69c89392-be11-4bd4-8f3b-6b7db20c716e";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/4ef0cdbc-38f4-4dcb-8fe8-553bbdb06192"; }];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
43
hosts/ringo/home-controller.nix
Normal file
43
hosts/ringo/home-controller.nix
Normal file
|
@ -0,0 +1,43 @@
|
|||
{ self, config, pkgs, ... }:
|
||||
|
||||
{
|
||||
config = {
|
||||
age.secrets.home_controller_k3s_token.file = "${self}/secrets/home_controller_k3s_server_token.age";
|
||||
age.secrets.home_controller_wireguard.file = "${self}/secrets/home_controller_ringo_wireguard_key.age";
|
||||
|
||||
pub-solar.home-controller = {
|
||||
enable = true;
|
||||
role = "agent";
|
||||
ownIp = "10.0.1.21";
|
||||
|
||||
k3s = {
|
||||
serverAddr = "https://api.kube:6443";
|
||||
tokenFile = "/run/agenix/home_controller_k3s_token";
|
||||
};
|
||||
|
||||
wireguard = {
|
||||
privateKeyFile = "/run/agenix/home_controller_wireguard";
|
||||
peers = [
|
||||
{
|
||||
# giggles
|
||||
publicKey = "i5kiTSPGR2jrdHl+s/S6D0YWb+xkbPudczG2RWmWwCg=";
|
||||
allowedIPs = [ "10.0.1.11/32" ];
|
||||
endpoint = "giggles.local:51899";
|
||||
}
|
||||
{
|
||||
# cox
|
||||
publicKey = "VogQYYYNdXLhPKY9/P2WAn6gfEX9ojN3VD+DKx4gl0k=";
|
||||
allowedIPs = [ "10.0.1.12/32" ];
|
||||
endpoint = "cox.local:51899";
|
||||
}
|
||||
{
|
||||
# companion
|
||||
publicKey = "7EUcSUckw/eLiWFHD+AzfcoKWstjr+cL70SupOJ6zC0=";
|
||||
allowedIPs = [ "10.0.1.13/32" ];
|
||||
endpoint = "companion.local:51899";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
13
hosts/ringo/ringo.nix
Normal file
13
hosts/ringo/ringo.nix
Normal file
|
@ -0,0 +1,13 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./configuration.nix
|
||||
];
|
||||
|
||||
pub-solar.nextcloud.enable = lib.mkForce false;
|
||||
}
|
|
@ -65,6 +65,9 @@ in
|
|||
context.default.clock = {
|
||||
allowed-rates = [ 44100 48000 88200 96000 ];
|
||||
rate = 44100;
|
||||
quantum = 2048;
|
||||
min-quantum = 1024;
|
||||
max-quantum = 4096;
|
||||
};
|
||||
};
|
||||
config.pipewire-pulse = builtins.fromJSON (builtins.readFile ./pipewire-pulse.conf.json);
|
||||
|
|
|
@ -26,6 +26,7 @@ in
|
|||
networking.networkmanager = {
|
||||
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
|
||||
enable = true;
|
||||
wifi.backend = "iwd";
|
||||
};
|
||||
|
||||
# Customized binary caches list (with fallback to official binary cache)
|
||||
|
@ -39,7 +40,7 @@ in
|
|||
|
||||
# Caddy reverse proxy for local services like cups
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
enable = false;
|
||||
globalConfig = ''
|
||||
default_bind 127.0.0.1
|
||||
auto_https off
|
||||
|
|
|
@ -16,11 +16,17 @@ in
|
|||
|
||||
services.gnome.gnome-keyring.enable = true;
|
||||
|
||||
environment.shellInit = ''
|
||||
gpg-connect-agent /bye
|
||||
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
||||
'';
|
||||
|
||||
home-manager = with pkgs; pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
|
||||
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
|
||||
|
||||
services.gpg-agent = {
|
||||
enable = true;
|
||||
enableSshSupport = true;
|
||||
pinentryFlavor = "gnome3";
|
||||
verbose = true;
|
||||
};
|
||||
|
@ -32,9 +38,6 @@ in
|
|||
home.packages = [
|
||||
gnome.seahorse
|
||||
keepassxc
|
||||
libsecret
|
||||
qMasterPassword
|
||||
restic
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
131
modules/home-controller/default.nix
Normal file
131
modules/home-controller/default.nix
Normal file
|
@ -0,0 +1,131 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
cfg = config.pub-solar.home-controller;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./k3s.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
options.pub-solar.home-controller = {
|
||||
enable = mkEnableOption "Control your home";
|
||||
|
||||
role = mkOption {
|
||||
description = ''
|
||||
Whether the node should run as a server or agent.
|
||||
Note that the server, by default, also runs as an agent.
|
||||
'';
|
||||
default = "server";
|
||||
type = types.enum [ "server" "agent" ];
|
||||
};
|
||||
|
||||
ownIp = mkOption {
|
||||
description = ''
|
||||
Internal ip in wireguard used for cluster control-plane communication.
|
||||
'';
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
k3s = {
|
||||
enableLocalStorage = mkOption {
|
||||
description = ''
|
||||
Enable local storage provisioner.
|
||||
'';
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
|
||||
defaultLocalStoragePath = mkOption {
|
||||
description = ''
|
||||
Default path to use for local storage provisioner.
|
||||
'';
|
||||
default = "/var/lib/rancher/k3s/storage";
|
||||
type = types.path;
|
||||
};
|
||||
|
||||
flannelBackend = mkOption {
|
||||
description = ''
|
||||
Flannel backend to use.
|
||||
'';
|
||||
default = "wireguard-native";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
serverAddr = mkOption {
|
||||
description = ''
|
||||
Set server address of master
|
||||
'';
|
||||
default = "";
|
||||
type = types.str;
|
||||
example = "https://api.kube:6443";
|
||||
};
|
||||
|
||||
tokenFile = mkOption {
|
||||
description = ''
|
||||
Location of token file used to join cluster.
|
||||
'';
|
||||
default = "";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
enableZfs = mkOption {
|
||||
description = ''
|
||||
Enable when k3s should use a ZFS compatible runtime.
|
||||
'';
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
|
||||
zfsPool = mkOption {
|
||||
description = ''
|
||||
The ZFS pool to use and create a containerd volume in.
|
||||
'';
|
||||
default = "zroot";
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
wireguard = {
|
||||
privateKeyFile = mkOption {
|
||||
description = ''
|
||||
Location of private key file
|
||||
'';
|
||||
type = types.path;
|
||||
};
|
||||
|
||||
listenPort = mkOption {
|
||||
description = ''
|
||||
Port for wireguard.
|
||||
'';
|
||||
default = 51899;
|
||||
type = types.int;
|
||||
};
|
||||
|
||||
peers = mkOption {
|
||||
description = ''
|
||||
Wireguard peers.
|
||||
'';
|
||||
type = types.listOf types.attrs;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
boot.kernelModules = [ "rbd" ];
|
||||
|
||||
networking.extraHosts =
|
||||
''
|
||||
192.168.42.231 ringo.local
|
||||
192.168.42.232 giggles.local
|
||||
192.168.42.234 cox.local
|
||||
192.168.42.236 companion.local
|
||||
10.0.1.11 api.kube giggles.kube
|
||||
10.0.1.12 cox.kube
|
||||
10.0.1.13 companion.kube
|
||||
10.0.1.21 ringo.kube
|
||||
'';
|
||||
};
|
||||
}
|
76
modules/home-controller/k3s.nix
Normal file
76
modules/home-controller/k3s.nix
Normal file
|
@ -0,0 +1,76 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
cfg = config.pub-solar.home-controller;
|
||||
in
|
||||
{
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
kubernetes-helm
|
||||
];
|
||||
|
||||
environment.sessionVariables = lib.mkIf (cfg.role == "server") rec {
|
||||
KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
|
||||
};
|
||||
|
||||
services.k3s = {
|
||||
enable = true;
|
||||
docker = false;
|
||||
role = cfg.role;
|
||||
serverAddr = lib.mkIf (cfg.k3s.serverAddr != "") cfg.k3s.serverAddr;
|
||||
tokenFile = lib.mkIf (cfg.k3s.tokenFile != "") cfg.k3s.tokenFile;
|
||||
extraFlags = concatStringsSep " " (
|
||||
[
|
||||
"--node-ip ${cfg.ownIp}"
|
||||
"--container-runtime-endpoint unix:///run/containerd/containerd.sock"
|
||||
|
||||
"${optionalString (cfg.role == "server") "--disable servicelb"}"
|
||||
"${optionalString (cfg.role == "server") "--disable traefik"}"
|
||||
|
||||
"${optionalString (cfg.role == "server") "--bind-address ${cfg.ownIp}"}"
|
||||
|
||||
"${optionalString (cfg.role == "server" && cfg.k3s.flannelBackend != "") "--flannel-backend=${cfg.k3s.flannelBackend}"}"
|
||||
|
||||
"${optionalString (cfg.role == "server" && !cfg.k3s.enableLocalStorage) "--disable local-storage"}"
|
||||
"${optionalString (cfg.role == "server" && cfg.k3s.enableLocalStorage) "--default-local-storage-path ${cfg.k3s.defaultLocalStoragePath}"}"
|
||||
|
||||
"${optionalString cfg.k3s.enableZfs "--snapshotter=zfs"}"
|
||||
]
|
||||
);
|
||||
};
|
||||
|
||||
systemd.services.containerd = mkIf cfg.k3s.enableZfs {
|
||||
serviceConfig = {
|
||||
ExecStartPre = [
|
||||
"-${pkgs.zfs}/bin/zfs create -o mountpoint=/var/lib/containerd/io.containerd.snapshotter.v1.zfs ${cfg.k3s.zfsPool}/containerd"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.k3s = {
|
||||
after = [ "containerd.service" ];
|
||||
requisite = [ "containerd.service" ];
|
||||
};
|
||||
|
||||
virtualisation.containerd = {
|
||||
enable = true;
|
||||
settings =
|
||||
let
|
||||
fullCNIPlugins = pkgs.buildEnv {
|
||||
name = "full-cni";
|
||||
paths = with pkgs; [
|
||||
cni-plugins
|
||||
cni-plugin-flannel
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
plugins."io.containerd.grpc.v1.cri".cni = {
|
||||
bin_dir = "${fullCNIPlugins}/bin";
|
||||
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
23
modules/home-controller/wireguard.nix
Normal file
23
modules/home-controller/wireguard.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
cfg = config.pub-solar.home-controller;
|
||||
in
|
||||
{
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
|
||||
systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ cfg.wireguard.listenPort ];
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
wghome = {
|
||||
ips = [ cfg.ownIp ];
|
||||
listenPort = cfg.wireguard.listenPort;
|
||||
privateKeyFile = cfg.wireguard.privateKeyFile;
|
||||
peers = cfg.wireguard.peers;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
20
modules/server/default.nix
Normal file
20
modules/server/default.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
cfg = config.pub-solar.server;
|
||||
in
|
||||
{
|
||||
options.pub-solar.server = {
|
||||
enable = mkEnableOption "Enable server options like sshd";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = lib.mkForce "prohibit-password";
|
||||
passwordAuthentication = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -14,8 +14,11 @@ in
|
|||
home.packages = [
|
||||
signal-desktop
|
||||
tdesktop
|
||||
discord
|
||||
element-desktop
|
||||
irssi
|
||||
tdesktop
|
||||
mattermost-desktop
|
||||
whatsapp-for-linux
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,15 +1,17 @@
|
|||
# switch to workspace with urgent window automatically
|
||||
for_window [urgent=latest] focus
|
||||
|
||||
assign [app_id="Element"] $ws7
|
||||
assign [app_id="Signal"] $ws7
|
||||
assign [app_id="telegramdesktop"] $ws7
|
||||
assign [app_id="rambox"] $ws7
|
||||
assign [class="Mattermost"] $ws7
|
||||
|
||||
for_window [app_id="keepassxc"] floating disable
|
||||
assign [app_id="keepassxc"] $ws8
|
||||
|
||||
for_window [app_id="virt-manager"] floating disable
|
||||
assign [app_id="virt-manager"] $ws9
|
||||
|
||||
assign [instance="element"] $ws4
|
||||
assign [app_id="Signal"] $ws4
|
||||
assign [app_id="telegramdesktop"] $ws4
|
||||
assign [app_id=thunderbird title="^.+$"] $ws9
|
||||
for_window [app_id=thunderbird title="^$"] floating enable
|
||||
|
||||
# Launcher
|
||||
for_window [app_id="launcher" title="Alacritty"] floating enable, border pixel 10, sticky enable
|
||||
|
|
|
@ -78,24 +78,10 @@ in
|
|||
withPython3 = true;
|
||||
|
||||
extraPackages = with pkgs; lib.mkIf (!cfg.lite) [
|
||||
ccls
|
||||
gopls
|
||||
nodejs
|
||||
nodePackages.bash-language-server
|
||||
nodePackages.dockerfile-language-server-nodejs
|
||||
nodePackages.svelte-language-server
|
||||
nodePackages.typescript
|
||||
nodePackages.typescript-language-server
|
||||
nodePackages.vim-language-server
|
||||
nodePackages.vue-language-server
|
||||
nodePackages.vscode-langservers-extracted
|
||||
nodePackages.yaml-language-server
|
||||
python39Packages.python-lsp-server
|
||||
python3Full
|
||||
solargraph
|
||||
rnix-lsp
|
||||
rust-analyzer
|
||||
terraform-ls
|
||||
universal-ctags
|
||||
];
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ in
|
|||
name = "romkatv/powerlevel10k";
|
||||
tags = [ "as:theme" "depth:1" ];
|
||||
}
|
||||
{ name = "zdharma/fast-syntax-highlighting"; }
|
||||
{ name = "zdharma-continuum/fast-syntax-highlighting"; }
|
||||
{ name = "chisui/zsh-nix-shell"; }
|
||||
];
|
||||
};
|
||||
|
|
|
@ -23,7 +23,7 @@ in
|
|||
};
|
||||
publicKeys = mkOption {
|
||||
description = "User SSH public keys";
|
||||
type = types.listOf types.path;
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
};
|
||||
fullName = mkOption {
|
||||
|
|
|
@ -18,6 +18,8 @@ in
|
|||
"iommu=pt"
|
||||
];
|
||||
|
||||
virtualisation.spiceUSBRedirection.enable = true;
|
||||
|
||||
virtualisation.libvirtd = {
|
||||
enable = true;
|
||||
qemu.ovmf.enable = true;
|
||||
|
|
|
@ -4,6 +4,7 @@ with final; {
|
|||
sources = prev.callPackage (import ./_sources/generated.nix) { };
|
||||
# then, call packages with `final.callPackage`
|
||||
import-gtk-settings = writeShellScriptBin "import-gtk-settings" (import ./import-gtk-settings.nix final);
|
||||
#delve = writeShellScriptBin "delve" (import ./delve.nix final);
|
||||
lgcl = writeShellScriptBin "lgcl" (import ./lgcl.nix final);
|
||||
mailto-mutt = writeShellScriptBin "mailto-mutt" (import ./mailto-mutt.nix final);
|
||||
mopidy-jellyfin = import ./mopidy-jellyfin.nix final;
|
||||
|
|
8
pkgs/delve.nix
Normal file
8
pkgs/delve.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
self: with self;
|
||||
let
|
||||
delve = self.delve.overrideAttrs (old: {
|
||||
meta.platforms = [ "x86_64-linux" "aarch64-linux" ];
|
||||
});
|
||||
in
|
||||
''
|
||||
''
|
|
@ -8,25 +8,16 @@ in
|
|||
${if user.fullName != null then "name = ${user.fullName}" else ""}
|
||||
${if user.gpgKeyId != null then "signingkey = ${user.gpgKeyId}" else ""}
|
||||
[core]
|
||||
editor = /etc/profiles/per-user/${config.pub-solar.user.name}/bin/nvim
|
||||
excludesFile = /home/${config.pub-solar.user.name}/.config/git/global_gitignore
|
||||
[alias]
|
||||
pol = pull
|
||||
ack = -c color.grep.linenumber=\"bold yellow\"\n -c color.grep.filename=\"bold green\"\n -c color.grep.match=\"reverse yellow\"\n grep --break --heading --line-number
|
||||
# define command which will be used when "nvim"is set as a merge tool
|
||||
|
||||
[mergetool]
|
||||
prompt = false
|
||||
[merge]
|
||||
tool = nvim
|
||||
[mergetool "nvim"]
|
||||
cmd = /etc/profiles/per-user/${config.pub-solar.user.name}/bin/nvim -f -c \"Gdiffsplit!\" \"$MERGED\"
|
||||
|
||||
[commit]
|
||||
gpgsign = true
|
||||
template = ${xdg.configHome}/git/gitmessage
|
||||
[tag]
|
||||
gpgsign = true
|
||||
[init]
|
||||
defaultBranch = main
|
||||
[pull]
|
||||
|
|
|
@ -25,7 +25,7 @@ in
|
|||
];
|
||||
initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
|
||||
shell = pkgs.zsh;
|
||||
openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
|
||||
openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
21
profiles/daw/default.nix
Normal file
21
profiles/daw/default.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ self, config, home-manager, lib, pkgs, inputs, ... }:
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in
|
||||
{
|
||||
# Sets nrdxp.cachix.org binary cache which just speeds up some builds
|
||||
imports = [ ../cachix ];
|
||||
|
||||
config = {
|
||||
pub-solar.audio.enable = lib.mkForce true;
|
||||
|
||||
musnix.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
ardour
|
||||
helm
|
||||
];
|
||||
|
||||
services.pipewire.jack.enable = true;
|
||||
};
|
||||
}
|
6
profiles/non-free/default.nix
Normal file
6
profiles/non-free/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ self, config, lib, pkgs, ... }:
|
||||
let inherit (lib) fileContents;
|
||||
in
|
||||
{
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
}
|
7
profiles/server/default.nix
Normal file
7
profiles/server/default.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{ self, config, lib, pkgs, ... }:
|
||||
let inherit (lib) fileContents;
|
||||
in
|
||||
{
|
||||
pub-solar.server.enable = true;
|
||||
hardware.ksm.enable = true;
|
||||
}
|
6
profiles/virtualisation/default.nix
Normal file
6
profiles/virtualisation/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
{ self, config, lib, pkgs, ... }:
|
||||
let inherit (lib) fileContents;
|
||||
in
|
||||
{
|
||||
pub-solar.virtualisation.enable = true;
|
||||
}
|
36
profiles/work/default.nix
Normal file
36
profiles/work/default.nix
Normal file
|
@ -0,0 +1,36 @@
|
|||
{ self, config, home-manager, lib, pkgs, inputs, ... }:
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in
|
||||
{
|
||||
# Sets nrdxp.cachix.org binary cache which just speeds up some builds
|
||||
imports = [ ../cachix ];
|
||||
|
||||
pub-solar.docker.enable = true;
|
||||
pub-solar.nextcloud.enable = true;
|
||||
pub-solar.social.enable = true;
|
||||
pub-solar.office.enable = true;
|
||||
|
||||
boot.kernelParams = [
|
||||
"systemd.unified_cgroup_hierarchy=1"
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
jetbrains.idea-community
|
||||
minicom
|
||||
openjdk11
|
||||
putty
|
||||
python39Full
|
||||
python39Packages.pyyaml
|
||||
remmina
|
||||
slack
|
||||
thunderbird
|
||||
vscode
|
||||
vscode-extensions.golang.go
|
||||
vscode-extensions.ms-python.python
|
||||
vscode-extensions.redhat.java
|
||||
wireshark
|
||||
teams
|
||||
];
|
||||
|
||||
}
|
20
secrets/cube_nextcloud_admin_pass.age
Normal file
20
secrets/cube_nextcloud_admin_pass.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw wG1VH/Rd8D9VhI2nUdKN8ev8GmDTmByYojrAGXiVQ0c
|
||||
Ce5LdJLYhXZxozhrFZOCCcG6DvDlzcwHUp7rsAAYMb4
|
||||
-> ssh-ed25519 YFSOsg KWrIirfADk9OlVVF/SvnyE4P4JWorWhcShIWMLaYezg
|
||||
kjNaCLQRKwrLKWT6H6mygsawWXas1alwf/rPbpgnIbE
|
||||
-> ssh-rsa 42S2Dw
|
||||
GlF0Iwkmi2IukEP4aghJLQP4QUv8Lt2qPBsysz/NIfPxtxuVgnphqmbtZ3ylKURL
|
||||
iWQbDwvNG3DBQMgbFUTtLpp48yZ++ZWfVCLJxylifoo8Fk1/edOieiQxmKySFIiS
|
||||
RBDjal+JFIAMQVa4i9zTJ2HolgFGioq7fsQgimjhhcTpbPWF0YgbeFlD/Bx3Uc3D
|
||||
QXHkPGTWWJr8nmsBLW0erQKuT+2pTy3Yo00BmYYfaHhRSWPxaRiUvlQzqwfEJGZy
|
||||
N8CWyU8JqacMQfFfMVYYNR8qHGv5p5nu9FtJPQFWz79TB0j0OaowW8VuhP70UVI1
|
||||
QvZLDCv1JN4fd9TqDqgcnA
|
||||
-> ssh-ed25519 iHV63A b0w5AmQtO1FWnySOYDh3JIWkiFM05WNz9M4H67GVZEM
|
||||
suTrfziEta0t9iGJxx+tcvi6BzQS1NJxPmCnPBx5ViU
|
||||
-> ssh-ed25519 uTVbSg rMwuqUqpr40KdbuOZnhi9Bya/Ql2F8HfZdAQvcw3JUY
|
||||
vVF6J8lzQNXnHgzEMzwkcrOGSExKJmPBmuxDklQ7TGA
|
||||
-> ?<GZ,~j-grease
|
||||
jdlD7DImSTrtgtmVJVA+M0g9TNqUI7SSRIlpfGB8KL78WuSIvQWv2z0lpzot
|
||||
--- 4h3KwWAMcJYCF/K/JGPS3cNpCbSDTC8mTerADBFy2to
|
||||
æ½íÓ¤¾øë—L¸×(7ŸÉ„pÉOsTÏI³pJí2ÑkS[Ö¥/–æþ@¶pyºí-¾{øFÚ0Žõ‹“¶ÏѲ±%Ëà}º^<5E>‚Ô
|
21
secrets/cube_nextcloud_db_pass.age
Normal file
21
secrets/cube_nextcloud_db_pass.age
Normal file
|
@ -0,0 +1,21 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw 4cMG8rywMIHkCJO0vbcnD46xPHZKTbUFi/bKKPLJW0c
|
||||
aOmQ7lws7MIDNE7xejtcomQAtRuXjHd+VSGGy805cUk
|
||||
-> ssh-ed25519 YFSOsg UnTniCyloz+bfIlKsgGvQflAOCIwdNBuKIM64ZZ7fSI
|
||||
/Q6KAn80cNs38LgOxZhg9tXmAtJJKw5VpN9lfPqNuhc
|
||||
-> ssh-rsa 42S2Dw
|
||||
FoosAbMAGlculUJOkL+9U2Wajf80dgUY+Acd2MQDbeSR/A/hE+NOv3JtH2Sx9weD
|
||||
ww2n/K5uKQhFKrTVIRn5Bp1qYnay2FIn6lz0zu1I2tqmGFCMiR+RhTnrcxFztNjQ
|
||||
dYbs4F9mvCDmyn9tShTzqAxnClWCdOHkrXBuCMAg08tp5cjAPqaSMdE0wFn5Jvhg
|
||||
DY5nHJWlxbZcGEhJSW2mxKb+HP4ecZ5FY0Uf4qYn/FTcKm7K80Pojg/e72XV7sq9
|
||||
04dPKpa162G53BKQXCmv55L6D81YepydA0wAoeTXXfC1E+DxeWfHrsmF80qdEnBg
|
||||
ZpPIRWdSBs61zqp4XavsSw
|
||||
-> ssh-ed25519 iHV63A mumH3Brpcqa3t8Q495yyV9vn8AKalaf2WchgmsirN2Q
|
||||
fk5iQUYBlUiq+8Nblb5H9mhJarPONiyuOG3ioknlbzk
|
||||
-> ssh-ed25519 uTVbSg O5xBbchEqAsFJtU4kCZo4gqpByHNAnZO0Ik7p5fwFAM
|
||||
e+adn+gDYIF2BW0N1zoHZj+/mciN60rVcCPs9OplLsE
|
||||
-> ,-grease M6FrPQz + B{
|
||||
QAdvJryfCY0NJ0XU5sC9D5J2KnHIxCcjBi7iFlehcB56qrdQbSPsL+ysZVqTzfQx
|
||||
QjDs0lXBKqL2f0g0cWiM9Q
|
||||
--- Vl5VtidJZtEk19VojwdWLaGJGsIRkvwRTjW0mdnTqiM
|
||||
¾ÕT_Á‰åŸŽ%<25>Õ2ò³yÍŒWÄK¿õ²hc¤<63>eThÚ<68>ÁçX‰ºš$™õ¶å×TR9;æ$
|
20
secrets/home_controller_companion_wireguard_key.age
Normal file
20
secrets/home_controller_companion_wireguard_key.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw tQeQac/fLw4UXYx/SXj46HPeG6oPKY4U8IJJI89Fv3c
|
||||
rB6bWP8ba0kAA9qwcq81rTDgmerGORN4jAE5Usrz1tY
|
||||
-> ssh-ed25519 YFSOsg W1SJl0W8oRo5ApD+40puyRae+MDhsxd6Miv6vHaeXn4
|
||||
Z1xqbXD5r0Lo9XvouS967LxnxEX9arLhylZJnFLG0aM
|
||||
-> ssh-rsa 42S2Dw
|
||||
t48CWYrVFfH1x59IYXJtfkeONo1QPnqN6VMwVzMh0c0Vm5U2OFfAml+/6Kit4QWI
|
||||
u7PASBpg+GRsQmoWC9hFJsCDiikg5NIhyBO4feSS+4Cus+8Xr9cSPjYg5EKsgoOd
|
||||
+HpTrPhiNG1Wy2pE4kkxSsS5pKOcdIezU+DfqookoXALLneUIUEsaHYCmdOLwE21
|
||||
yRzWxiXavQKnvabxnqISYeBK+aHNGtd8hczhnoM8oR7qTaNQwfuQoVa8te0MLTIK
|
||||
EXIuev6vESPFtdo3gGJUSbmlXY9hH0tumFFgug185oJwkp745rWKM4QlFEB5fNGR
|
||||
LE54GOkv9sF3+Wij/ELHAA
|
||||
-> ssh-ed25519 iHV63A OOf5Cx0vckL1ve6WOzL0IAhIKasXAjodubuyKbWKv1Q
|
||||
1av0Vqos3YsycBFpncCvP69RunBwCQ4oSextLvR9P+Y
|
||||
-> ssh-ed25519 t1M4HQ j2B7jugQZy124AM5f0JK+id4W2TN6n4C0c/HUNFfLU8
|
||||
BJr18XJI/XzFgH32nXKZb5SdBbU8raRCKL6PWgad5cs
|
||||
-> QwO-grease *8]/h/ 7|S
|
||||
LM23rOF57rKeWQ
|
||||
--- 7xz9ru8cIHt3zksF696olmLR+vEkwDfVv0tl2stfNhM
|
||||
ž´e
T|,7kZ5:AdžNê<IU™èÙo«
’vÉ°ëN‡»+w„Ho<48>âö°éÄ#NŒg©(du)̱-Sð° 4è?`Þz
|
20
secrets/home_controller_cox_wireguard_key.age
Normal file
20
secrets/home_controller_cox_wireguard_key.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw ZGGRZr/HOQSZ1zREl5pqPE0sftSc0CLVHiKBrJ3X938
|
||||
cO/aAeVwrQp5OSAl6JTnIPfhEJmG/1rnbJAtoplTESE
|
||||
-> ssh-ed25519 YFSOsg G/XSLzhX7SSsOZNWnpdLJ+m6NXyL6F/itN76CfJZzkk
|
||||
sNfdi78MFpBcoAh1xPpcvWYkTWQQ2fIL6i1myHdun/U
|
||||
-> ssh-rsa 42S2Dw
|
||||
RuHlOwIJJhJffpJEcIpUEOX8czKVY8c+bvae1XrCSNplNV1f3CHl/WSdKfhOCC//
|
||||
u1qOEiidsDxWphJu3IHjiLgTCmlnwwaISZ2bnEOkTSDNPphARrEA7JfrSyQOlZJB
|
||||
Mu1qhSi5u4uGVi4Mk7TuLxCHRnjDUjDLVh96kbjiwrnAAtI/0fK64ci8rx9P1GzD
|
||||
aZR1to8+uWFx3sTtr3JUA5I+azQdYb37p5ehlCrvVybcze/16oCkreSDuW88HdoD
|
||||
yIXrX3tlnjJJou7LGR/s8o74ookFMT89rlkf8DXMhkPpmiUWYxCyJZ1oS6twtee2
|
||||
Gwo4twB5KIHTCmryJsZ5mA
|
||||
-> ssh-ed25519 iHV63A Jun3KRgZaEfE0RmefSaa8WLdMoVLhQGH0kwK9IORaSk
|
||||
IlMxqMUjdhKOciC3/KTQWIBctjyW3dVHKJpWLfVT+NI
|
||||
-> ssh-ed25519 w1vtTQ 0iNKMsnq32OTGYhQNz75FszXV8ePAWTPXTSra0s/WAw
|
||||
4eecaT/DX9CowOod+NRva3PiSbrgmjPerTGceN+u3mg
|
||||
-> @I^"ao-grease L#%xN`Bb 6l.LN ,
|
||||
h77R6GmXSVnEblcP1Kxuf7kCy8DnMtAF
|
||||
--- RvWj6AeYYIavoCseUazZH1lw0LFUm0mB9Ww9HeyVRio
|
||||
9Aêð7oMÐqÖ#^ÍŽ3@"£Ësõõ‚‚(/Õ<>„¡-{¯ô¯§Óº„¨™[/1AY‰:¦ÉìLZ0<5A>¹üuÄE'¡ákÔVƒ/à
|
20
secrets/home_controller_cube_wireguard_key.age
Normal file
20
secrets/home_controller_cube_wireguard_key.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw V5crsXjhEfj2BKe5uEjccio8m1hzjvZ1u3DU16SdmVs
|
||||
gxC6r8tzwj3l7SW6kn4TXinZV2ZNgKpWsiKGn56CZgE
|
||||
-> ssh-ed25519 YFSOsg Q1tpXI8ilmFt3JGx5ad8SCtZRbrbR8DgGNiu7vXQ7x4
|
||||
geB/YeAwQqJuLG0pf27W2FhuXm9SS2RRoqe2UaV2U4o
|
||||
-> ssh-rsa 42S2Dw
|
||||
KWliiGsVgLgkkY1DkKNsNtBUzfKSX820nJfLLOMBgFcil78IJz+Sw5Ns6NFLR7Xe
|
||||
+o+HsUxcnLOXhDYMImR9SALYL6TwLdqp1C+LAQ8HXri35IyERU2uqMXdkzYREn4f
|
||||
4c4JlCbtCy6F+8nFy0OkK/VtV/yoBpnDMtjDk9wdHYBouSGX91/8QwNUu1L0m0V1
|
||||
dvYVjk/tCPDsk3TYGFAR7lG328jt3khqVAV+rcvwwTPzD+jBCkbyGCFQ5N3xZBGI
|
||||
Wa3xMB+P9ojv4XAfde0eK+6N0uPvoMvnmPGguJTXiaCEgw8K/ILV6PuhkSyo4Wea
|
||||
EytCf4k42l7wjwG4LWFWZA
|
||||
-> ssh-ed25519 iHV63A o/IPrEtX8l4ZWCcC/yJWGRUAPDPX7vMJKBvm7ngWRjE
|
||||
YoXHRtVmNXlxJ4uJqs7jNW/2pBnjMroj1AlLiERLQGk
|
||||
-> ssh-ed25519 uTVbSg WF+8m47L2GWewOEK36k3g+Ozv1JC20cfswQ0ksbhhzs
|
||||
w5qbtYBfnrKOB4/ZTiD8Qsd42NibKcgbL9AYQKx9bnM
|
||||
-> y-grease y>]"'a W "
|
||||
w265AhhbaGNvdOMRX4xs+w
|
||||
--- /proerdf6QHIKGNWA0vTE+ZPNuvbJBGhpMEt0DscFgQ
|
||||
™m±çd¾]©ÙˆËÔG±<0F>(n˜ïÁ¨hø¹»Å‚LARR¯ä°ÎëjMÞUVÈ<56>%ÈMÐ^þ©oЋJ<E280B9>êQîÿD<C3BF>›nÁŒ
|
20
secrets/home_controller_giggles_wireguard_key.age
Normal file
20
secrets/home_controller_giggles_wireguard_key.age
Normal file
|
@ -0,0 +1,20 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw gEHEUHodm0u6YauWsDFycNYfBlNEncGz6cGiFVbMSQw
|
||||
eb/YlV8CeU2GZaoREi8n4CB6O+bltLjwARBh1SvPHuU
|
||||
-> ssh-ed25519 YFSOsg oObR84uRNYEhcbdILnSni61pMzaNQcbMSV8CMdUFCVs
|
||||
hZeKavP58fmaxjpZwHDSNf2QnUqn5GqeSx/MVbWM8w0
|
||||
-> ssh-rsa 42S2Dw
|
||||
W/0mcDisoN/RoEshQ0gDmmYZTfSG3BRAq/PsXT9Xt0mahAqZumfdysT9T2Wkso5O
|
||||
2SKVvJvP2YAGNs+d/+lnn5/I8f7qlx6K0oQ1e72Y9ZNmoxgZmL3h2jBR3x+GfgG8
|
||||
Qp57nfvoF4js2JyC2MSUm3CjOppxDN/BM2v5qOTuPB5/K3bPOP1iBdENH71f9d64
|
||||
PK/7HZA1BTtn4jOWYQ52BZIcOjiA9JoVO6HFvB7d5UobasbbXDhO6ZgZ3aWdsDE4
|
||||
/0S099FWbvzTk8aITl5qSphQy0Pgp+yeTobx1Hn/b6vokoNIwaMZniOVd1mS0CuU
|
||||
DL8SGpuQUeOl+27sstHfUw
|
||||
-> ssh-ed25519 iHV63A 34vhrBbCb4J5xzjoa9o4hWokszJER12Pfd/s8RGxfg4
|
||||
2p8SUyhXdks06NJPZMkbKcdsn+YB3+/Ksaipc72mBvg
|
||||
-> ssh-ed25519 AsPNJg bAYRIQICTPeVri4/qkBBedxmm08TNoBMseEauYtTkX8
|
||||
ZeNmjU+oG4qYSMREtv7QdbRLf3SAmdHnX63eiHjvcOU
|
||||
-> J._|'iH-grease VaQ1S' W7^S -r HJ'
|
||||
KbnGq5EUW0HcQ4v7n8Gh/4R/Y55bXYOuSPNt2jXTbog
|
||||
--- Bk+tEcikn4Gd90ou6llBA1nYq+mRGdfB1TaJvIOYEaw
|
||||
›’×ÎML—ã7|–2žÌF'ZžoàÁZ<C381>{ÿ¯?°J,—®âµ×ÜžmíÈñ\G´†RœaaÁ<61>\tñùäŠ<Àìâë5<C3AB><35>Ú
|
31
secrets/home_controller_k3s_server_token.age
Normal file
31
secrets/home_controller_k3s_server_token.age
Normal file
|
@ -0,0 +1,31 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw B7i7cir4NIqIxeuwN7lBZiHLaLDNwSD5ZJLs0iYidDo
|
||||
fmj7NzNi4DT805TlhjtyMXa1dcu7rGVIllQG4ALtJdo
|
||||
-> ssh-ed25519 YFSOsg SpldcBYdyAYW4W+U4JrgkcA8Y5+YnPjW78OISjviDz8
|
||||
Czi1SkmtvFmko+fP2hdCanpWJKpo/KndE/MI8BcJVxQ
|
||||
-> ssh-rsa 42S2Dw
|
||||
EvIS2maHrEa4Qyhrp3TJ/LULJkdCixIEcvI2HS9SUhVRIJS6jpY/Z+pW+XZqxEgk
|
||||
P7sp1CjRsjRZ4RZsgBUsgdO4mRnUtSkrTTLzrS84d3QG1QfjQphtF/BSt2+8t1nw
|
||||
S/XVZWu/LyFb8Z3TbhVkf3vx7ujIBwjdFj+LiUmEYwB4o57MWKH9aCcvyMLZF4Ne
|
||||
AltRXfkGkEVt7Yn0iKwb8yHaqMPa5CjfjDP9ybLp/my08/pZEQTVduKe/Q6p09DM
|
||||
8gEF1uVM+3BxXf7yAvt8fW80Hgm21VnYUq0h6exDZaaf0wLPOh0kRnN1MDqK2tjO
|
||||
uxre1sro1ZQx5CPCXD4ICQ
|
||||
-> ssh-ed25519 iHV63A Toc315/VlOneCwbLzcp2fDqHZSMDNtSprquR3BOVfAg
|
||||
ZeEZEdla/o/sAa7Tbh4NY5qqrNkWfHqpbvUokSofC5A
|
||||
-> ssh-ed25519 AsPNJg ui5FmbBKlKQ69R38yqlFURrMBTX1n7ysQP7mBo9SSRQ
|
||||
c7dp6ewRp/5rHThk/oGcaaCxNwmBWTcfVSK4IrHJh2M
|
||||
-> ssh-ed25519 w1vtTQ 7ToJvl/p9DzxX0v/b7nNOIfdgyb85Ja6862Tw2HLLyo
|
||||
PkEaeBdx60i9mX6t5Ue5PeabY4COffefCSt65H5hRxU
|
||||
-> ssh-ed25519 t1M4HQ 14NmP2HdhTouv66lkTKPEKh7HANgEUIek8FA8wAntSU
|
||||
ZZ+Mc8m/Pb16Vbxc9bOZtXJ+0ZXv/YiV30LiKra55cM
|
||||
-> ssh-ed25519 uTVbSg 1151u2eVy3izoghgXS1zPukpbSiZo6Mc+JTtCNqrqxE
|
||||
5NGufz7+RjYTy4gUfAHjV/g8VdF5FxPcB3GUzafotn8
|
||||
-> ssh-ed25519 4eCLig NAsWZu3MFuCEgi/Fm+2kB04A8ZckvTP5ueLjB2NKZDg
|
||||
5DKhLww7UKvOxPveJTtuc7jGk/9cypM9UadP1A8C6Ko
|
||||
-> t-grease > 8z4 `,R~f.lb
|
||||
K0DjBt5R459zTRkIA58mcIYl+Na5m+1SIXbezHjWZy2q1cIX8L331Du4SE6/UCCR
|
||||
e3Q
|
||||
--- ZjP/FefBuH6f+bEQpgqeiL3Uj+f9AbSCVRQni7pYyjQ
|
||||
6{…Ï{;‘5%·n@~óNóÖn!EÏ·A&âí¯`v‰¶-ÃË5©Æ{œîžïP
|
||||
Í8'ém7p‡â1 bàn¾¬#ö0"çí=~àÉê"—¶Ã}ç@Ô89eB Á°
|
||||
/¹*´ìUo<”šî.£ñEå)t2fX¶o9FüQG)çÞù
|
21
secrets/home_controller_ringo_wireguard_key.age
Normal file
21
secrets/home_controller_ringo_wireguard_key.age
Normal file
|
@ -0,0 +1,21 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 hPyiJw zHWVBLJi1r1M3C/3Xf1rCOOXhjihjYuF4f0ZsRo4dWI
|
||||
sB14DJ0gjz2Z9+oJG/RBAl5GJ31NOjUJmpSvKwmkEVU
|
||||
-> ssh-ed25519 YFSOsg RHtbqm+jWVTkXqyTWRblggdgfbp2OOJmCqieDhI4+HI
|
||||
0lc7kKOQL3Abo8UyjXfRHvDcq+dOvPe0q7izfycZkj8
|
||||
-> ssh-rsa 42S2Dw
|
||||
QnOc7ZIigTURoIjglNY64KzZh8QbhE2TbioIP88F9OztV/1umy5hniBNYrE3grd2
|
||||
+nQSdBEHsHKgyElC3VvdKQ9RvzrbrDHnNt4oBgmH70KfAQzH1wehOvofcNMlu0+B
|
||||
0ddUjo9BEf5VtxKY4fdUFLoROBv/rIMCuCR69NE4KfS/Cl7I+saWUOzoRVcZKsBc
|
||||
XmYYCTDezlVOT0dtoRDJT0PBimXQZ+3D9Fj7VKUOobggUiQBOH7irvpKy/JFG6+0
|
||||
C5CRDZKPp4XOKfz/XAqIxbkyzxF6ZRpmXz+QJhHXTCJfWdRMfUl45YO5r/fX6ybV
|
||||
vqZnYo4ytlZtIaoe0ipFJQ
|
||||
-> ssh-ed25519 iHV63A WkP5FVc9iS9OEQMr2E+ewVvBS1ppHnuCWqGTvdvBY38
|
||||
kxdQm6sXkGlFId0KEoMqcbyXII5G1En0g9I6WObwNpk
|
||||
-> ssh-ed25519 4eCLig /lrGyo78vdS92cFFs3aS8R/BcM+QDLspab0ftIZU9WE
|
||||
+rvfUcml+WEDzZ9B6WbSvfwh+ceHygGIvHsw4UME94k
|
||||
-> u\-grease JD#pg \__| M\j|M
|
||||
9RN98je/hB0
|
||||
--- JoemHAPRRKWcsEMIOEU1Cq8AyPFTtz3qYqCgyeonyrs
|
||||
|
||||
"©´S¹ÐnqRÈvKRËUsF+“ÓE„ôë³}•Ý»^)ªxôx\_´S'ÔÍ Ð/í¶2ô•àbxùÃ]Srôõ‡„Ø„çï ÙñØÈ
|
|
@ -1,9 +1,33 @@
|
|||
let
|
||||
# set ssh public keys here for your system and user
|
||||
system = "";
|
||||
user = "";
|
||||
allKeys = [ system user ];
|
||||
user_hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
|
||||
|
||||
user_hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
|
||||
user_hensoko_norman_1 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc";
|
||||
user_hensoko_norman_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
|
||||
|
||||
users = [ user_hensoko_nitrokey_1 user_hensoko_harrison user_hensoko_norman_1 user_hensoko_norman_2 ];
|
||||
|
||||
system_giggles = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOLyNmSzxVpVQtTWhkH48e03nFDdskE08N4L81MZcLZ root@nixos";
|
||||
system_cox = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNr7q7eAkROtdvTmw96Q5tZu9W4jt31OCjc6L8uM5Uv root@nixos";
|
||||
system_companion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjIyVeAPsIpUTsB5bPEjmJeRFN8Xp3PD9a/41yPp3HM root@nixos";
|
||||
|
||||
system_cube = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5ok5tIuDKYpIw3KVmUnqBSDJ1QriWQJ04IVLF1Kaig root@nixos";
|
||||
system_ringo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5g8CfSiMxboEJT2U92JoYdnv0nsArBPW/vfTEsUWZO root@nixos";
|
||||
|
||||
systems_home_controller = [ system_giggles system_cox system_companion system_cube system_ringo ];
|
||||
allKeys = users ++ systems_home_controller;
|
||||
in
|
||||
{
|
||||
"secret.age".publicKeys = allKeys;
|
||||
"home_controller_giggles_wireguard_key.age".publicKeys = users ++ [ system_giggles ];
|
||||
"home_controller_cox_wireguard_key.age".publicKeys = users ++ [ system_cox ];
|
||||
"home_controller_companion_wireguard_key.age".publicKeys = users ++ [ system_companion ];
|
||||
|
||||
"home_controller_cube_wireguard_key.age".publicKeys = users ++ [ system_cube ];
|
||||
"cube_nextcloud_admin_pass.age".publicKeys = users ++ [ system_cube ];
|
||||
"cube_nextcloud_db_pass.age".publicKeys = users ++ [ system_cube ];
|
||||
|
||||
"home_controller_ringo_wireguard_key.age".publicKeys = users ++ [ system_ringo ];
|
||||
|
||||
"home_controller_k3s_server_token.age".publicKeys = users ++ systems_home_controller;
|
||||
}
|
||||
|
|
3
users/hensoko/.config/sway/config.d/input-language.conf
Normal file
3
users/hensoko/.config/sway/config.d/input-language.conf
Normal file
|
@ -0,0 +1,3 @@
|
|||
input * {
|
||||
xkb_layout us(intl)
|
||||
}
|
29
users/hensoko/default.nix
Normal file
29
users/hensoko/default.nix
Normal file
|
@ -0,0 +1,29 @@
|
|||
{ config, hmUsers, pkgs, lib, ... }:
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./home.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
home-manager.users = { inherit (hmUsers) hensoko; };
|
||||
|
||||
pub-solar = {
|
||||
user = {
|
||||
name = "hensoko";
|
||||
description = "hensoko";
|
||||
password = "$6$BBUvcGQBFBjBmRLw$VQgMxaVPInM0S/nr3rkWvCvzlI/oSZ0Kj8wb25k4Fx6aHJkxYzurXh4deslVgGKvz0O2LScBamt7M2pV81EWx0";
|
||||
fullName = "Hendrik Sokolowski";
|
||||
email = "hensoko@gssws.de";
|
||||
publicKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
95
users/hensoko/home.nix
Normal file
95
users/hensoko/home.nix
Normal file
|
@ -0,0 +1,95 @@
|
|||
{ config, pkgs, lib, self, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
pub-solar.graphical.autologin.enable = false;
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
users = [ "${psCfg.user.name}" ];
|
||||
commands = [
|
||||
{
|
||||
command = "ALL";
|
||||
options = [ "NOPASSWD" ];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
|
||||
xdg.configFile = mkIf psCfg.sway.enable {
|
||||
"sway/config.d/10-input-language.conf".source = ./.config/sway/config.d/input-language.conf;
|
||||
};
|
||||
home.packages = with pkgs; [
|
||||
dig
|
||||
fping
|
||||
htop
|
||||
keepassxc
|
||||
ncdu
|
||||
sysstat
|
||||
tig
|
||||
thunderbird
|
||||
wakeonlan
|
||||
wlr-randr
|
||||
];
|
||||
|
||||
programs.ssh = {
|
||||
enable = true;
|
||||
matchBlocks = {
|
||||
"hsha" = {
|
||||
hostname = "192.168.42.5";
|
||||
user = "root";
|
||||
port = 2222;
|
||||
};
|
||||
"media" = {
|
||||
hostname = "192.168.42.11";
|
||||
user = "root";
|
||||
port = 2222;
|
||||
};
|
||||
"ringo" = {
|
||||
hostname = "192.168.42.231";
|
||||
user = "hensoko";
|
||||
port = 22;
|
||||
};
|
||||
"giggles" = {
|
||||
hostname = "192.168.42.232";
|
||||
user = "hensoko";
|
||||
port = 22;
|
||||
};
|
||||
"norman" = {
|
||||
hostname = "192.168.42.233";
|
||||
user = "hensoko";
|
||||
port = 22;
|
||||
};
|
||||
"cox" = {
|
||||
hostname = "192.168.42.234";
|
||||
user = "hensoko";
|
||||
port = 22;
|
||||
};
|
||||
"cube" = {
|
||||
hostname = "80.244.242.2";
|
||||
user = "hensoko";
|
||||
port = 2222;
|
||||
};
|
||||
"mail" = {
|
||||
hostname = "mail.gssws.de";
|
||||
user = "root";
|
||||
port = 2222;
|
||||
};
|
||||
"git" = {
|
||||
hostname = "git.gssws.de";
|
||||
user = "git";
|
||||
port = 2222;
|
||||
};
|
||||
};
|
||||
extraConfig = "PubKeyAcceptedKeyTypes +ssh-rsa";
|
||||
};
|
||||
};
|
||||
}
|
29
users/hensoko_iot/default.nix
Normal file
29
users/hensoko_iot/default.nix
Normal file
|
@ -0,0 +1,29 @@
|
|||
{ config, hmUsers, pkgs, lib, ... }:
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
./home.nix
|
||||
];
|
||||
|
||||
config = {
|
||||
home-manager.users = { inherit (hmUsers) hensoko_iot; };
|
||||
|
||||
pub-solar = {
|
||||
user = {
|
||||
name = "hensoko";
|
||||
description = "hensoko";
|
||||
password = "$6$BBUvcGQBFBjBmRLw$VQgMxaVPInM0S/nr3rkWvCvzlI/oSZ0Kj8wb25k4Fx6aHJkxYzurXh4deslVgGKvz0O2LScBamt7M2pV81EWx0";
|
||||
fullName = "Hendrik Sokolowski";
|
||||
email = "hensoko@gssws.de";
|
||||
publicKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+euxPp6bHXw61UeUqTGHH8Ub2L+Sy1iteupv/AGudgoVNp2GebqJy1cxQ74mgnL8eWMlaA9jZlKQ1xFFhgtolCsoAKTE9AE8X0egvmEM18fEUR3EWWchmX4MXUhUiOtwitkl4+EpSsp5rh/kIxcpQFz1dpBibroq6jDLKlrVou+2LppR8nMfFT2sqg3694Ltxz4CWMdAfitLax05ckKMAnzz+TgpXK5OyfQSBvl18Qu1SWITYa6AVNXQ7/ovWBDIUfg25GWouzWqkSUpLdCVIcXPe2X7g6X1QsHXnnhaMAhvYH54GZ4wU2kBwIJ6KvplfZdbJ09KAltPVt08evafb hendriksokolowski@hsokolowski-pc"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
39
users/hensoko_iot/home.nix
Normal file
39
users/hensoko_iot/home.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{ config, pkgs, lib, self, ... }:
|
||||
with lib;
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||
in
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
pub-solar.graphical.autologin.enable = false;
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
users = [ "${psCfg.user.name}" ];
|
||||
commands = [
|
||||
{
|
||||
command = "ALL";
|
||||
options = [ "NOPASSWD" ];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
grml-zsh-config
|
||||
];
|
||||
|
||||
home-manager = pkgs.lib.setAttrByPath [ "users" psCfg.user.name ] {
|
||||
home.packages = with pkgs; [
|
||||
dig
|
||||
fping
|
||||
htop
|
||||
ncdu
|
||||
sysstat
|
||||
tig
|
||||
wakeonlan
|
||||
];
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue