feat: systemd update und agenix rekey update

This commit is contained in:
Patrick 2023-09-25 13:53:07 +02:00
parent 5d5397a0c0
commit 2d39fbbb7e
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
7 changed files with 216 additions and 100 deletions


@ -11,11 +11,11 @@
]
},
"locked": {
"lastModified": 1694793763,
"narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=",
"lastModified": 1695384796,
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
"owner": "ryantm",
"repo": "agenix",
"rev": "572baca9b0c592f71982fca0790db4ce311e3c75",
"rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4",
"type": "github"
},
"original": {
@ -26,16 +26,21 @@
},
"agenix-rekey": {
"inputs": {
"devshell": "devshell",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
],
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1692783612,
"narHash": "sha256-Mz1xv45Rjzet1D2bMGKapgw1JCHaD60dBs4sE6Dz2+A=",
"lastModified": 1695588239,
"narHash": "sha256-FMeJBXADlrWqJlBCEkfsOz4b2yzjMUwAD0zYGkLhAXQ=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "52695865488742e0b34a56111cd40e229b3ab90a",
"rev": "e33d9479671a9e253790c8b2b09bbe3072ecf289",
"type": "github"
},
"original": {
@ -64,7 +69,7 @@
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-utils": [
"flake-utils"
],
@ -143,6 +148,28 @@
}
},
"devshell": {
"inputs": {
"nixpkgs": [
"agenix-rekey",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1695195896,
"narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=",
"owner": "numtide",
"repo": "devshell",
"rev": "05d40d17bf3459606316e3e9ec683b784ff28f16",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"devshell_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -152,11 +179,11 @@
]
},
"locked": {
"lastModified": 1694858246,
"narHash": "sha256-zcKnlTrMspD6YUgN1VyKMKSZ5Few3LCyDyBz3wtGPJQ=",
"lastModified": 1695195896,
"narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=",
"owner": "numtide",
"repo": "devshell",
"rev": "f26c2e05cd766be3750dd3d6e276650a1eab4c61",
"rev": "05d40d17bf3459606316e3e9ec683b784ff28f16",
"type": "github"
},
"original": {
@ -172,11 +199,11 @@
]
},
"locked": {
"lastModified": 1695039393,
"narHash": "sha256-HXvRPTSfQ/fCqxYGvWOc1duSBdXcQlrYvyno8YZbyHI=",
"lastModified": 1695632260,
"narHash": "sha256-B8nW57UouYtiWMJKX5leByifMj+lYk7IyV5uz0c/ZwA=",
"owner": "nix-community",
"repo": "disko",
"rev": "9f29cedac79d0acf07b6341f9112f46dec3abb8f",
"rev": "a14a3fb0a8e465fcd728e398d00204a195be06a3",
"type": "github"
},
"original": {
@ -186,6 +213,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
@ -201,7 +244,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -217,7 +260,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_4": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@ -232,7 +275,7 @@
"type": "github"
}
},
"flake-compat_4": {
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -248,7 +291,7 @@
"type": "github"
}
},
"flake-compat_5": {
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -329,7 +372,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
@ -347,7 +390,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1694529238,
@ -365,7 +408,7 @@
},
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1685518550,
@ -398,6 +441,28 @@
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"agenix-rekey",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
@ -419,7 +484,7 @@
"type": "github"
}
},
"gitignore_2": {
"gitignore_3": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
@ -447,11 +512,11 @@
]
},
"locked": {
"lastModified": 1694643239,
"narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
"lastModified": 1695550077,
"narHash": "sha256-xoxR/iY69/3lTnnZDP6gf3J46DUKPcf+Y1jH03tfZXE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
"rev": "a88df2fb101778bfd98a17556b3a2618c6c66091",
"type": "github"
},
"original": {
@ -499,7 +564,7 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": [
@ -529,11 +594,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1694952508,
"narHash": "sha256-0KzgnYW9RvlwUnl5qYinNOg/WsV9jEJfMPVQoJL8bmI=",
"lastModified": 1695557304,
"narHash": "sha256-HYoJE+KE6/zGHgRI496n9E1abDFaqsl9EnEfGIEEqLo=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "d44755862cce5ba5e040ec8f7df6c6b33e47c8a0",
"rev": "cb8bfd550aaaf32a330c1c8870a3d9a5bfa00954",
"type": "github"
},
"original": {
@ -549,11 +614,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1695000172,
"narHash": "sha256-TWPMFY29XcWAwUJFE3n+4pGqBdBbr4XsWDZwr77fTwo=",
"lastModified": 1695258303,
"narHash": "sha256-5Ibd9qjkAk04y8GyweQF+ciIaPzRaet3xZAmTDOWCng=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "a91f3595b22037f561912cd3a9ca549933e4544d",
"rev": "39657d146828157ef51c4f2d8bebb96a77075fc6",
"type": "github"
},
"original": {
@ -569,11 +634,11 @@
]
},
"locked": {
"lastModified": 1694921880,
"narHash": "sha256-yU36cs5UdzhTwsM9bUWUz43N//ELzQ1ro69C07pU/8E=",
"lastModified": 1695526222,
"narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "9d2bcc47110b3b6217dfebd6761ba20bc78aedf2",
"rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647",
"type": "github"
},
"original": {
@ -620,11 +685,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1695033975,
"narHash": "sha256-GIUxbgLBhVyaKRxQw/NWYFLx7/jbKW3+U0HoSsMLPAs=",
"lastModified": 1695541019,
"narHash": "sha256-rs++zfk41K9ArWkDAlmBDlGlKO8qeRIRzdjo+9SmNFI=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "161b027169b19d3a0ad6bd0a8948edf0c0fb0f64",
"rev": "61283b30d11f27d5b76439d43f20d0c0c8ff5296",
"type": "github"
},
"original": {
@ -635,11 +700,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1694767346,
"narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=",
"lastModified": 1695360818,
"narHash": "sha256-JlkN3R/SSoMTa+CasbxS1gq+GpGxXQlNZRUh9+LIy/0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ace5093e36ab1e95cb9463863491bee90d5a4183",
"rev": "e35dcc04a3853da485a396bdd332217d0ac9054f",
"type": "github"
},
"original": {
@ -651,11 +716,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1694911725,
"narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=",
"lastModified": 1695516402,
"narHash": "sha256-pL7m8iu1OLs/7ywhh+Q8ltPgmtwbMpi7484yr32zgYI=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "819180647f428a3826bfc917a54449da1e532ce0",
"rev": "01fc4cd75e577ac00e7c50b7e5f16cd9b6d633e8",
"type": "github"
},
"original": {
@ -665,6 +730,22 @@
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1678872516,
"narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
@ -680,7 +761,7 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -698,7 +779,7 @@
},
"nixpkgs-wayland": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"lib-aggregate": "lib-aggregate",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": [
@ -706,11 +787,11 @@
]
},
"locked": {
"lastModified": 1695035588,
"narHash": "sha256-jhB35iAcGXVXFPPA+JAQQX2J6Uj3BqlyEGjMDZSEAD0=",
"lastModified": 1695640374,
"narHash": "sha256-uhux9CgJkqtoS+Mh2KAPTIz2YTGTASqv2IbN/0iSE90=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "9613c0cb66dcbb7fa5bcdf6667e384caf53eab26",
"rev": "48c55ade480192dbb65eb7e8850a68b6b64a7927",
"type": "github"
},
"original": {
@ -721,11 +802,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1694998849,
"narHash": "sha256-A23ROwLGc+lbgUZOkHMhsJ+3IMC+5MmRXXl61iEuhhQ=",
"lastModified": 1695256509,
"narHash": "sha256-Je+ZId+dYrx0NOZ8J6le7CwZZdVZAAP5dddxK9kZNfA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5b859eef2e5dd7aacfd229e819f426942eed25fc",
"rev": "ff7daa56614b083d3a87e2872917b676e9ba62a6",
"type": "github"
},
"original": {
@ -788,15 +869,17 @@
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat",
"flake-utils": [
"agenix-rekey",
"flake-utils"
],
"gitignore": "gitignore_2",
"gitignore": "gitignore",
"nixpkgs": [
"agenix-rekey",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1694364351,
@ -822,12 +905,12 @@
"lanzaboote",
"flake-utils"
],
"gitignore": "gitignore",
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1681413034,
@ -843,12 +926,38 @@
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": "flake-compat_5",
"flake-utils": [
"flake-utils"
],
"gitignore": "gitignore_3",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1695576016,
"narHash": "sha256-71KxwRhTfVuh7kNrg3/edNjYVg9DCyKZl2QIKbhRggg=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cb770e93516a1609652fa8e945a0f310e98f10c0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"agenix-rekey": "agenix-rekey",
"colmena": "colmena",
"devshell": "devshell",
"devshell": "devshell_2",
"disko": "disko",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
@ -860,9 +969,9 @@
"nixpkgs": "nixpkgs",
"nixpkgs-wayland": "nixpkgs-wayland",
"nixseparatedebuginfod": "nixseparatedebuginfod",
"pre-commit-hooks": "pre-commit-hooks",
"pre-commit-hooks": "pre-commit-hooks_2",
"stylix": "stylix",
"systems": "systems_4",
"systems": "systems_5",
"templates": "templates"
}
},
@ -910,7 +1019,7 @@
"stylix": {
"inputs": {
"base16": "base16",
"flake-compat": "flake-compat_5",
"flake-compat": "flake-compat_6",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_4"
},
@ -988,6 +1097,21 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"templates": {
"locked": {
"lastModified": 1685790891,


@ -37,6 +37,7 @@
agenix-rekey = {
url = "github:oddlama/agenix-rekey";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
flake-utils = {
@ -102,6 +103,10 @@
#masterIdentities = [./secrets/NIXOSa.key.pub];
extraEncryptionPubkeys = [./secrets/recipients.txt];
};
agenix-rekey = agenix-rekey.configure {
userFlake = self;
inherit (self) nodes pkgs;
};
inherit stateVersion;
inherit
@ -149,7 +154,6 @@
.${system};
};
apps = agenix-rekey.defineApps self pkgs self.nodes;
checks.pre-commit-check =
pre-commit-hooks.lib.${system}.run
{
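Review bot: The new `agenix-rekey = agenix-rekey.configure { userFlake = self; inherit (self) nodes pkgs; };` output in the middle hunk carries no comment saying what consumes it, and the attrset it sits in starts before the hunk. The same commit removes `apps = agenix-rekey.defineApps self pkgs self.nodes;` and adds `agenix-rekey.overlays.default` plus `pkgs.agenix-rekey` to the devshell, so presumably this configure output is what the overlay's CLI package reads — confirm against the agenix-rekey documentation. Suggest recording it next to the attribute: `# Read by the agenix-rekey overlay/CLI used in the devshell; replaces the former defineApps output.`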


@ -6,7 +6,7 @@
nix = {
settings = {
auto-optimise-store = true;
allowed-users = ["@wheel"];
allowed-users = ["@wheel" "nixseparatedebuginfod"];
trusted-users = ["root" "@wheel"];
system-features = ["recursive-nix" "repl-flake" "big-parallel"];
substituters = [
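Review bot: Adding `nixseparatedebuginfod` to `allowed-users` widens who may connect to the nix daemon without a comment recording why, and the `nix.settings` attrset continues past the hunk. The service user presumably needs daemon access to realise debug-info outputs; since this is the allow-list and not `trusted-users`, it gains no right to override settings or substituters, which is the correct scope. Suggest `# nixseparatedebuginfod's service user talks to the nix daemon to fetch debug outputs; keep it out of trusted-users.` so the entry is not later "promoted" by mistake.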


@ -19,6 +19,7 @@
lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
pubkeyPath;
generatedSecretsDir = config.node.secretsDir + "/generated/";
cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
};
security.sudo.enable = false;
security.tpm2 = {
@ -58,6 +59,7 @@
ripgrep
killall
fd
kitty.terminfo
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
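Review bot: `cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";` embeds literal escaped quotes and an unexpanded `$UID`, which only makes sense if agenix-rekey substitutes the value into a shell script; without a comment the next reader will likely "fix" the quoting and break per-user separation of the cache. The `age.rekey` attrset this belongs to starts before the hunk. Suggest `# Substituted into agenix-rekey's shell wrapper: the quotes are intentional and $UID is resolved per user at rekey time (TODO confirm against the upstream default).` Note that the parent `/var/tmp/agenix-rekey` is also added to the persisted directories in this commit, so its ownership and mode now come from that entry rather than from `/var/tmp`'s sticky semantics.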


@ -30,9 +30,9 @@
"pipewire/pipewire.conf.d/92-low-latency.conf".text = ''
context.properties = {
default.clock.rate = 48000
default.clock.quantum = 32
default.clock.quantum = 64
default.clock.min-quantum = 32
default.clock.max-quantum = 32
default.clock.max-quantum = 128
}
'';
"pipewire/pipewire-pulse.d/91-low-latency.conf".text = builtins.toJSON {
@ -41,29 +41,17 @@
name = "libpipewire-module-protocol-pulse";
args = {
pulse.min.req = "32/48000";
pulse.default.req = "32/48000";
pulse.max.req = "32/48000";
pulse.default.req = "64/48000";
pulse.max.req = "128/48000";
pulse.min.quantum = "32/48000";
pulse.max.quantum = "32/48000";
pulse.max.quantum = "128/48000";
};
}
];
stream.properties = {
node.latency = "32/48000";
resample.quality = 1;
node.latency = "128/48000";
};
};
# If resampling is required, use a higher quality. 15 is overkill and too cpu expensive without any obvious audible advantage
"pipewire/pipewire-pulse.conf.d/99-resample.conf".text = builtins.toJSON {
"stream.properties"."resample.quality" = 10;
};
"pipewire/client.conf.d/99-resample.conf".text = builtins.toJSON {
"stream.properties"."resample.quality" = 10;
};
"pipewire/client-rt.conf.d/99-resample.conf".text = builtins.toJSON {
"stream.properties"."resample.quality" = 10;
};
};
sound.enable = false;
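Review bot: The new resample drop-in is placed under `pipewire/pipewire-pulse.conf.d/` while the existing low-latency drop-in at the top of the hunk lives under `pipewire/pipewire-pulse.d/`; PipeWire loads `<name>.conf.d/` directories, so the two paths are inconsistent and the older one likely never takes effect — verify which is honoured and align them. The three resample drop-ins also repeat the identical `builtins.toJSON { "stream.properties"."resample.quality" = 10; }` literal; binding it once, e.g. `resampleConf = builtins.toJSON { "stream.properties"."resample.quality" = 10; };`, and reusing it keeps the three from drifting. The enclosing attrset begins before the hunk.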


@ -18,24 +18,10 @@
];
directories =
[
{
directory = "/var/log";
user = "root";
group = "root";
mode = "0755";
}
{
directory = "/var/lib/systemd";
user = "root";
group = "root";
mode = "0755";
}
{
directory = "/var/lib/nixos";
user = "root";
group = "root";
mode = "0775";
}
"/var/tmp/agenix-rekey"
"/var/log"
"/var/lib/systemd"
"/var/lib/nixos"
]
++ lib.lists.optionals config.hardware.bluetooth.enable [
"/var/lib/bluetooth"


@ -3,11 +3,15 @@
nixpkgs,
colmena,
devshell,
agenix-rekey,
...
}: system: let
pkgs = import nixpkgs {
inherit system;
overlays = [devshell.overlays.default];
overlays = [
devshell.overlays.default
agenix-rekey.overlays.default
];
};
in
pkgs.devshell.mkShell {
@ -33,6 +37,10 @@ in
colmena.packages.${system}.colmena;
help = "Apply nix configurations";
}
{
package = pkgs.agenix-rekey;
help = "Edit and rekey repository secrets";
}
{
package =
alejandra;
@ -42,6 +50,10 @@ in
package = statix;
help = "Linter for nix";
}
{
package = deadnix;
help = "Remove dead nix code";
}
{
package = update-nix-fetchgit;
help = "Update fetcher inside nix files";
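Review bot: `package = pkgs.agenix-rekey;` in the middle hunk is `pkgs.`-qualified while the sibling entries (`statix`, `deadnix`, `update-nix-fetchgit`) use bare names, presumably resolved through a `with pkgs;` outside the hunk; the qualification is probably deliberate because the bare name `agenix-rekey` is the flake input bound in the first hunk, not the package, but nothing says so. Suggest `# pkgs.-qualified on purpose: the bare name is shadowed by the agenix-rekey flake input.` above that entry so the prefix is not removed for consistency. The `mkShell` call these entries belong to starts outside the hunk.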