diff --git a/README.md b/README.md index 41ddb84..550653f 100644 --- a/README.md +++ b/README.md @@ -17,15 +17,14 @@ This showcases my end user setup, which I dailydrive on all my hosts. | | Programm | Description ---|---|--- 🐚 Shell | [ZSH](./users/common/shells/zsh/default.nix) & [Starship](./users/common/shells/starfish.nix) | ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search -🪟 WM | [Sway](./users/common/graphical/wayland/sway.nix) & [i3](./users/common/graphical/Xorg/i3.nix) | Tiling window managers with similar behaviour for wayland and xorg -🖼️ Styling | [Stylix](./modules/graphical/default.nix) | globally consistent styling -📝 Editor | [NeoVim](./users/common/programs/nvim/default.nix) | Extensively configured neovim -🎮 Gaming | [Bottles](./users/common/programs/bottles.nix) & [Steam](./modules/optional/steam.nix) | Pew, Pew and such +🪟 WM | [Hyprland](./users/patrick/wayland/hyprland.nix) | Tiling window manager +🖼️ Styling | [Stylix](./users/patrick/theme.nix) | globally consistent styling +📝 Editor | [NeoVim](./users/patrick/programs/nvim/default.nix) | Extensively configured neovim +🎮 Gaming | [Bottles](./users/patrick/programs/bottles.nix) & [Steam](./users/patrick/programs/steam.nix) | Pew, Pew and such 🌐 Browser | [Firefox](./users/patrick/firefox.nix) | Heavily configured Firefox to still my privacy and security needs -💻 Terminal | [Kitty](./users/common/programs/kitty.nix) | fast terminal -🎵 Music | [Spotify](./users/common/programs/spicetify.nix) | Fancy looking spotify using spicetify +💻 Terminal | [Kitty](./users/patrick/programs/kitty.nix) | fast terminal +🎵 Music | [Spotify](./users/patrick/programs/spicetify.nix) | Fancy looking spotify using spicetify 📫 Mail | [Thunderbird](./users/common/programs/thunderbird.nix) | Best email client there is -🎛️ StreamDeck | [StreamDeck](./users/patrick/streamdeck.nix) | More hotkeys = more better ## Service Configuration These are services I've set up 
@@ -64,7 +63,7 @@ These are notable external flakes which this config depend upon [impermanence](https://github.com/nix-community/impermanence) | stateless filesystem [lanzaboote](https://github.com/nix-community/lanzaboote) | Secure Boot [stylix](https://github.com/danth/stylix) | theming -[spicetify](https://github.com/the-argus/spicetify-nix) | spotify looking fancy +[spicetify](https://github.com/Gerg-l/spicetify-nix) | spotify looking fancy @@ -82,9 +81,9 @@ These are notable external flakes which this config depend upon - This might take multiple minutes(~10) - Alternatively boot an official nixos image connect with password 3. Copy ISO to usb using dd -3. After booting copy the installer to the live system using `nix copy --to .#nodes..config.system.build.installFromLive` +3. After booting copy the installer to the live system using `nix copy --to .#minimalConfigurations..config.system.build.installFromLive` 4. Run the installer script from the nix store of the live system - - you can get the path using `nix path-info .#nodes..config.system.build.installFromLive` + - you can get the path using `nix path-info .#minimalConfigurations..config.system.build.installFromLive` 4. Export all zpools and reboot into system 6. Retrieve hostkeys using `ssh-keyscan | grep -o 'ssh-ed25519.*' > host//secrets/host.pub` 5. Deploy system diff --git a/hosts/desktopnix/default.nix b/hosts/desktopnix/default.nix index b62f95c..5942e73 100644 --- a/hosts/desktopnix/default.nix +++ b/hosts/desktopnix/default.nix @@ -37,10 +37,10 @@ services.xserver.xkb = { layout = "de"; }; - services.logkeys = { - enable = true; - device = "/dev/input/event15"; - }; + # services.logkeys = { + # enable = true; + # device = "/dev/input/event15"; + # }; boot.binfmt.emulatedSystems = [ "aarch64-linux" diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index 8437783..2d2a794 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix 
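Review bot: In hosts/desktopnix/default.nix the `services.logkeys` block is kept as four commented-out lines instead of being deleted, which leaves a dormant keystroke-logging service one uncomment away and nothing in the hunk records why it was switched off. If the service is no longer wanted on this host, drop the four lines; git history keeps them. If it is meant to return, a single comment such as `# logkeys disabled: <reason>, see git history for the previous settings` documents the intent better than dead configuration.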
@@ -38,7 +38,8 @@ let ipOf = hostName: if hostName == "octoprint" then - nodes.testienix.config.wireguard.elisabeth.ipv4 + #nodes.testienix.config.wireguard.elisabeth.ipv4 + "0.0.0.0" else nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4; in diff --git a/hosts/mailnix/default.nix b/hosts/mailnix/default.nix new file mode 100644 index 0000000..427303d --- /dev/null +++ b/hosts/mailnix/default.nix @@ -0,0 +1,25 @@ +{ + imports = [ + ../../config/basic + ../../config/support/initrd-ssh.nix + ../../config/support/zfs.nix + + ./net.nix + ./fs.nix + ]; + boot = { + initrd.availableKernelModules = [ + "virtio_pci" + "virtio_net" + "virtio_scsi" + "virtio_blk" + "virtio_gpu" + ]; + kernelParams = [ "console=tty" ]; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + nixpkgs.hostPlatform = "aarch64-linux"; +} diff --git a/hosts/mailnix/fs.nix b/hosts/mailnix/fs.nix new file mode 100644 index 0000000..081ed51 --- /dev/null +++ b/hosts/mailnix/fs.nix @@ -0,0 +1,32 @@ +{ config, lib, ... }: +{ + disko.devices = { + disk = { + drive = rec { + type = "disk"; + device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}"; + content = with lib.disko.gpt; { + type = "gpt"; + partitions = { + boot = (partEfi "256M") // { + device = "${device}-part1"; + }; + rpool = (partLuksZfs "drive" "rpool" "100%") // { + device = "${device}-part2"; + }; + }; + }; + }; + }; + + zpool = with lib.disko.zfs; { + rpool = mkZpool { datasets = impermanenceZfsDatasets; }; + }; + }; + + fileSystems."/state".neededForBoot = true; + fileSystems."/persist".neededForBoot = true; + boot.initrd.systemd.services."zfs-import-panzer".after = [ "cryptsetup.target" ]; + boot.initrd.systemd.services."zfs-import-rpool".after = [ "cryptsetup.target" ]; + +} diff --git a/hosts/mailnix/net.nix b/hosts/mailnix/net.nix new file mode 100644 index 0000000..9fd06dd --- /dev/null +++ b/hosts/mailnix/net.nix 
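Review bot: `ipOf "octoprint"` now evaluates to the literal placeholder `"0.0.0.0"` with the old testienix lookup left as a comment, while this same commit deletes hosts/testienix entirely. Wherever that address is consumed (the consumer is outside the hunk, so this is inferred) a proxy upstream or allow-rule built from it would point at 0.0.0.0, which Linux treats as the local host for outbound connections, so a stale octoprint entry would silently reach a local listener instead of failing at evaluation time. Remove the special case and its commented line so that a leftover reference fails closed: `ipOf = hostName: nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;`. The enclosing `let` starts before and ends after the hunk.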
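Review bot: hosts/mailnix/fs.nix orders `boot.initrd.systemd.services."zfs-import-panzer"` after `cryptsetup.target`, but the only zpool this file declares is `rpool`; the `panzer` line looks carried over from another host. Defining `.after` for a service that has no other definition on this host creates an empty unit entry rather than an ordering constraint on anything real, so the line should be dropped unless a `panzer` pool is defined elsewhere for mailnix (not visible here). Keep the `zfs-import-rpool` ordering, which matches the LUKS-backed `rpool` partition declared above it.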
@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+{
+ networking.hostId = config.secrets.secrets.local.networking.hostId;
+ networking.domain = config.secrets.secrets.global.domains.mail_public;
+
+ boot.initrd.systemd.network = {
+ enable = true;
+ networks = {
+ inherit (config.systemd.network.networks) "lan01";
+ };
+ };
+
+ systemd.network.networks = {
+ "lan01" =
+ let
+ icfg = config.secrets.secrets.local.networking.interfaces.lan01;
+ in
+ {
+ address = [
+ icfg.hostCidrv4
+ (lib.net.cidr.hostCidr 1 icfg.hostCidrv6)
+ ];
+ gateway = [ "fe80::1" ];
+ routes = [
+ { Destination = "172.31.1.1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ ];
+ matchConfig.MACAddress = icfg.mac;
+ networkConfig.IPv6PrivacyExtensions = "yes";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ age.secrets.cloudflare_token_acme = {
+ rekeyFile = ./secrets/cloudflare_api_token.age;
+ mode = "440";
+ group = "acme";
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = config.secrets.secrets.global.devEmail;
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ reloadServices = [ "nginx" ];
+ credentialFiles = {
+ "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+ "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+ };
+ };
+ };
+ networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
+ security.acme.certs = {
+ # mail_public = {
+ # domain = config.secrets.secrets.global.domains.mail_public;
+ # extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_public}" ];
+ # };
+ # mail_private = {
+ # domain = config.secrets.secrets.global.domains.mail_private;
+ # extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_private}" ];
+ # };
+ };
+ environment.persistence."/state".directories = [
+ {
+ directory = "/var/lib/acme";
+ user = "acme";
+ group = "acme";
+ mode = "0755";
+ }
+ ];
+}
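Review bot: `security.acme.certs = { ... }` in hosts/mailnix/net.nix is an empty set whose real contents are commented out, yet the rest of the module already wires up the Cloudflare token, `reloadServices = [ "nginx" ]` and a persisted `/var/lib/acme` for certificates that nothing requests; if the certs are to follow in a later commit, replace the commented block with one line saying so, otherwise drop the unused ACME plumbing until it is needed. Separately, `networkConfig.IPv6PrivacyExtensions = "yes"` on a host whose `networking.domain` is the public mail domain deserves a second look: if the upstream network advertises a prefix via router advertisements, outbound connections prefer temporary addresses whose reverse DNS will not match the static address configured here, which receiving mail servers penalise. The static address in `address` may mean no temporary addresses are ever generated, so this is worth confirming rather than assuming; a comment recording the decision either way would help.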
diff --git a/hosts/mailnix/secrets/cloudflare_api_token.age b/hosts/mailnix/secrets/cloudflare_api_token.age new file mode 100644 index 0000000..5306a75 --- /dev/null +++ b/hosts/mailnix/secrets/cloudflare_api_token.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 uhnRibm92XSz2UcJWT43CrsZfOrSzUyqVFU8nWiYEXs +QNxh6YGDCgSSoCWLthZlou7F7i9OJpunB+/6J4ogk2k +-> piv-p256 XTQkUA AzTDTMXLU5jTp54ysvnVIDo5lIb5ED1zkP8659tTH2JJ +VLO6rtfY5poFGVH/eeD+T/xrlNdPGnlLQ6mK1HytT8A +-> piv-p256 ZFgiIw AnwL/t0GNZI3/y7KlatHLebToW1pJLfOasODGQ7ogriz +Wl7xm6+a1qmqLeTZszpO0XG96BcDRO5l8wvpc0atW0Y +-> piv-p256 5vmPtQ AzC3t9sPdKF/IPkJSqhldnx3Mnkc84DCD13l8tYqZIWd +GaNzRxPoSOy/kEuLzbXpiRDo5F2hZT8KriXpgqZkQ5Y +-> piv-p256 ZFgiIw ApFdJVoW4zoWq38fE27TR/OFEDs4Wub1g3q6RiF+fDTR +IypnQqeluntk31gez5I6eYtlKiY/8sy+dXNkpWhdwPs +-> wX-grease +neAQttCOcpQWsfSpI38jdOjODJYK8uOhqjWsZOLWlHZaRUQtoyXI +--- r44AgWizs6H92oY6hKMs67ARXqr8Je0Z0cIJr9xidBg +Ѩ␟̪Ph\dv _]Ӛ܊ژEʃewIt.W6ZFi \ No newline at end of file diff --git a/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age b/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age new file mode 100644 index 0000000..6575020 --- /dev/null +++ b/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age 
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> X25519 ddFv+EKlJUwePVA7CiwFOA/mECyJ9pC328u5r9Bjhz4 +5c05Nlc1ADOpUq5MugDuHJqSz4OW4Yupl0UBl9DxyDk +-> piv-p256 ZFgiIw AgiBCvmbqRaShnyh+NuDFFESQ9Q5sZZ/YjYXelOzCYyV +/6/igWsiKPwTlydwiAR1ZECyURFkBiJWCppdXP5GDRk +-> piv-p256 XTQkUA An4etg/KtGFdnw74QM+QW9vRkrAxEZmMjhexLKENVnV3 +m8UleuJcvy/OZhlZrOEguL+0hWo5n2Ykgboq8BqFrdU +-> piv-p256 ZFgiIw A1vxQkA8CeZGrXNcvBZo57iL82PiTPm0hP3KODzWnU/z +USt8rTNK7l9VUUyAiSnDiLVQgLZiFZQgcy04lWdk+nM +-> piv-p256 5vmPtQ AnAB3M/AWePGjmIUdoH0rSHg+gDnxg62RPy9qgHAgIIN +7PPd5p4sXrbDvZBITS3zMnG7qNmlj61hdHPlVo5cJDQ +-> qtLMz'K-grease ?Rtv +~4H. vh +ZBK1Zs8LKTiGvOSxH/dacE3yc1ouqSylHM5Ahv+HmR89RQX/JR4y3Gtec+G2W0Ty +Dh9z2wVbCDlJTTt+N+9sLvV/b5+wETpwhPmiSWbh92yvNYH1yLQ +--- jynsWcgTRZR51+fu9nqHP5yTxxz1BovM1s2YY+0uL2I +Sӿ4}NT (+ e9_q2O)=w//D|v`6XI/ˆw^+h6nrq@f2 l/ݓz7,rFP6Ӏe1N4FSҩ8̷g]i}n)MDH%^28(8\`ACн/<%8\e=(*6a V\GuI |gݗ#v&@х HIhXY9M5%e6?2" +YM#L*6*!JM& G%C34sقmA?9|MȺOSr+3QeRLKue?{=-[m +ە>QT71z \ No newline at end of file diff --git a/hosts/mailnix/secrets/host.pub b/hosts/mailnix/secrets/host.pub new file mode 100644 index 0000000..3489444 --- /dev/null +++ b/hosts/mailnix/secrets/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFqG1mU7UX0uNATdPaodHdSm9YYDV4grqmf266D0ajO diff --git a/hosts/mailnix/secrets/secrets.nix.age b/hosts/mailnix/secrets/secrets.nix.age new file mode 100644 index 0000000..c543830 Binary files /dev/null and b/hosts/mailnix/secrets/secrets.nix.age differ diff --git a/hosts/testienix/default.nix b/hosts/testienix/default.nix deleted file mode 100644 index 53fbdfe..0000000 --- a/hosts/testienix/default.nix +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- inputs,
- lib,
- minimal,
- ...
-}:
-{
- imports = [
- inputs.nixos-hardware.nixosModules.common-pc
- inputs.nixos-hardware.nixosModules.common-pc-ssd
-
- ../../config/basic
-
- ../../config/support/initrd-ssh.nix
- ../../config/support/physical.nix
- ../../config/support/zfs.nix
-
- ./net.nix
- ./fs.nix
- ] ++ lib.lists.optionals (!minimal) [ ../../config/services/octoprint.nix ];
- services.xserver.xkb = {
- layout = "de";
- };
- services.thermald.enable = lib.mkForce false;
- nixpkgs.hostPlatform = "x86_64-linux";
-}
diff --git a/hosts/testienix/fs.nix b/hosts/testienix/fs.nix
deleted file mode 100644
index 22f8e4e..0000000
--- a/hosts/testienix/fs.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{ config, lib, ... }:
-{
- disko.devices = {
- disk = {
- internal-hdd = {
- type = "disk";
- device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.internal-hdd}";
- content = with lib.disko.gpt; {
- type = "gpt";
- partitions = {
- boot = partEfi "1G";
- swap = partSwap "16G";
- rpool = lib.attrsets.recursiveUpdate (partLuksZfs "rpool" "rpool" "100%") {
- content.extraFormatArgs = [ "--pbkdf pbkdf2" ];
- };
- };
- };
- };
- };
-
- zpool = with lib.disko.zfs; {
- rpool = mkZpool { datasets = impermanenceZfsDatasets; };
- };
- };
-
- services.zrepl = {
- enable = true;
- settings = {
- global = {
- logging = [
- {
- type = "syslog";
- level = "info";
- format = "human";
- }
- ];
- # TODO Monitoring
- };
- jobs = [
- #{
- # type = "push";
- # name = "push-to-remote";
- #}
- {
- type = "snap";
- name = "mach-schnipp-schusss";
- filesystems = {
- "rpool/local/state<" = true;
- "rpool/safe<" = true;
- };
- snapshotting = {
- type = "periodic";
- prefix = "zrepl-";
- interval = "10m";
- timestamp_format = "iso-8601";
- };
- pruning = {
- keep = [
- {
- type = "regex";
- regex = "^zrepl-.*$";
- negate = true;
- }
- {
- type = "grid";
- grid = lib.concatStringsSep " | " [
- "1x1d(keep=all)"
- "142x1h(keep=2)"
- "90x1d(keep=2)"
- "500x7d"
- ];
- regex = "^zrepl-.*$";
- }
- ];
- };
- }
- ];
- };
- };
-
- fileSystems."/state".neededForBoot = true;
- fileSystems."/persist".neededForBoot = true;
-}
diff --git a/hosts/testienix/net.nix b/hosts/testienix/net.nix
deleted file mode 100644
index 9e32bdb..0000000
--- a/hosts/testienix/net.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, ... }:
-{
- networking = {
- inherit (config.secrets.secrets.local.networking) hostId;
- };
- networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
- systemd.network.networks = {
- "lan01" = {
- address = [ "192.168.178.32/24" ];
- gateway = [ "192.168.178.1" ];
- matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
- networkConfig = {
- IPv6PrivacyExtensions = "yes";
- MulticastDNS = true;
- };
- };
- };
-}
diff --git a/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age b/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
deleted file mode 100644
index 9b9ab48..0000000
Binary files a/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age and /dev/null differ
diff --git a/hosts/testienix/secrets/host.pub b/hosts/testienix/secrets/host.pub
deleted file mode 100644
index 705773e..0000000
--- a/hosts/testienix/secrets/host.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTiFpqpCiJaFOcSjFrJWk7YPBiZLwoJRbyy1JgZWFmN
diff --git a/hosts/testienix/secrets/secrets.nix.age b/hosts/testienix/secrets/secrets.nix.age
deleted file mode 100644
index efe7e88..0000000
Binary files a/hosts/testienix/secrets/secrets.nix.age and /dev/null differ
diff --git a/modules/smb-mounts.nix b/modules/smb-mounts.nix
index 904da1a..ff936df 100644
--- a/modules/smb-mounts.nix
+++ b/modules/smb-mounts.nix
@@ -6,6 +6,7 @@ }: let inherit (lib) + any mkOption types flip
@@ -64,42 +65,48 @@ in } ]; - imports = [ - { - environment.systemPackages = [ pkgs.cifs-utils ]; - fileSystems = mkMerge ( - flip concatMap (attrNames config.home-manager.users) ( - user: - let - parentPath = "/home/${user}/smb"; - cfg = config.home-manager.users.${user}.home.smb; - inherit (config.users.users.${user}) uid; - inherit (config.users.groups.${user}) gid; - in - flip map cfg (cfg: { - "${parentPath}/${cfg.localPath}" = - let - options = - baseOptions - ++ [ - "uid=${toString uid}" - "gid=${toString gid}" - "file_mode=0600" - "dir_mode=0700" - "credentials=${cfg.credentials}" - "x-systemd.automount" - "_netdev" - ] - ++ (optional (!cfg.automatic) "noauto"); - in - { - inherit options; - device = "//${cfg.address}/${cfg.remotePath}"; - fsType = "cifs"; - }; - }) - ) + imports = + let + existingCfg = flip any (attrNames config.home-manager.users) ( + user: (config.home-manager.users.${user}.home.smb != [ ]) ); - } - ]; + in + [ + { + environment.systemPackages = lib.optional existingCfg pkgs.cifs-utils; + fileSystems = mkMerge ( + flip concatMap (attrNames config.home-manager.users) ( + user: + let + parentPath = "/home/${user}/smb"; + cfg = config.home-manager.users.${user}.home.smb; + inherit (config.users.users.${user}) uid; + inherit (config.users.groups.${user}) gid; + in + flip map cfg (cfg: { + "${parentPath}/${cfg.localPath}" = + let + options = + baseOptions + ++ [ + "uid=${toString uid}" + "gid=${toString gid}" + "file_mode=0600" + "dir_mode=0700" + "credentials=${cfg.credentials}" + "x-systemd.automount" + "_netdev" + ] + ++ (optional (!cfg.automatic) "noauto"); + in + { + inherit options; + device = "//${cfg.address}/${cfg.remotePath}"; + fsType = "cifs"; + }; + }) + ) + ); + } + ]; } diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index 92a3407..96c9c4e 100644 Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ diff --git a/users/patrick/ssh.nix b/users/patrick/ssh.nix index 4c6fe13..8f89338 100644 
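Review bot: `environment.systemPackages = lib.optional existingCfg pkgs.cifs-utils;` uses the qualified `lib.optional` while the same hunk, a few lines down, uses the bare `optional` (`++ (optional (!cfg.automatic) "noauto")`), which is evidently already in scope from the file's `inherit (lib)` list, as `any` now is too. For consistency write `environment.systemPackages = optional existingCfg pkgs.cifs-utils;`. `existingCfg` is also a vague name for a boolean; something like `anyUserHasSmb` states what it tests, and a short comment such as `# only pull in cifs-utils when at least one home-manager user declares an smb mount` would make the new guard self-explanatory. The enclosing module attribute set begins before the hunk.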
--- a/users/patrick/ssh.nix +++ b/users/patrick/ssh.nix @@ -40,6 +40,10 @@ hostname = config.secrets.secrets.global.user.hetzner_ip; user = "root"; }; + "mailnix" = { + hostname = config.secrets.secrets.global.user.mailnix_ip; + user = "root"; + }; "desktopnix" = { hostname = "desktopnix.local"; diff --git a/users/root/default.nix b/users/root/default.nix index 651eb8e..9a72218 100644 --- a/users/root/default.nix +++ b/users/root/default.nix @@ -1,6 +1,8 @@ { pkgs, config, + lib, + minimal, ... }: { @@ -10,12 +12,10 @@ # Patrick "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ" - # Simon old yubikey - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmees72GMKG/rsQQRhs2I/lQnJa0uW5KmZlNBeriCh0" ]; hashedPassword = config.secrets.secrets.global.users.root.passwordHash; }; - imports = [ + imports = lib.optionals (!minimal) [ ../patrick/alias.nix ../patrick/theme.nix