diff --git a/flake.lock b/flake.lock index 22a270e..bb1b30f 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,53 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [ + "nix-darwin" + ], + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696775529, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "agenix_2": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682101079, + "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", + "owner": "ryantm", + "repo": "agenix", + "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "alejandra": { "inputs": { "flakeCompat": "flakeCompat", @@ -25,11 +73,11 @@ "base16-schemes": { "flake": false, "locked": { - "lastModified": 1680729003, - "narHash": "sha256-M9LHTL24/W4oqgbYRkz0B2qpNrkefTs98pfj3MxIXnU=", + "lastModified": 1689473676, + "narHash": "sha256-L0RhUr9+W5EPWBpLcmkKpUeCEWRs/kLzVMF3Vao2ZU0=", "owner": "tinted-theming", "repo": "base16-schemes", - "rev": "dc048afa066287a719ddbab62b3e19e4b5110cf0", + "rev": "d95123ca6377cd849cfdce92c0a24406b0c6a789", "type": "github" }, "original": { 
@@ -50,6 +98,59 @@ "url": "https://gist.github.com/antlilja/8372900fcc09e38d7b0b6bbaddad3904/archive/6c3321e0969ff2463f8335da5601986cf2108690.tar.gz" } }, + "crane": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ], + "rust-overlay": [ + "ragenix", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681680516, + "narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=", + "owner": "ipetkov", + "repo": "crane", + "rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", @@ -59,11 +160,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1686747123, - "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=", + "lastModified": 1695052866, + "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=", "owner": "serokell", "repo": "deploy-rs", - "rev": "724463b5a94daa810abfc64a4f87faef4e00f984", + "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9", "type": "github" }, "original": { 
@@ -84,6 +185,26 @@ "url": "https://github.com/ziglibs/diffz/archive/90353d401c59e2ca5ed0abe5444c29ad3d7489aa.tar.gz" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696814493, + "narHash": "sha256-1qArVsJGG2RHbV2iKFpAmM5os3myvwpXMOdFy5nh54M=", + "owner": "nix-community", + "repo": "disko", + "rev": "32ce057c183506cecb0b84950e4eaf39f37e8c75", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -148,6 +269,22 @@ "type": "github" } }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -228,6 +365,24 @@ } }, "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { "locked": { "lastModified": 1659877975, "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", 
@@ -242,16 +397,16 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -284,11 +439,11 @@ ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1694102001, + "narHash": "sha256-vky6VPK1n1od6vXbqzOXnekrQpTL4hbPAwUhT5J9c9E=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "9e21c80adf67ebcb077d75bd5e7d724d21eeafd6", "type": "github" }, "original": { @@ -299,11 +454,11 @@ }, "hardware": { "locked": { - "lastModified": 1693718952, - "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=", + "lastModified": 1695109627, + "narHash": "sha256-4rpyoVzmunIG6xWA/EonnSSqC69bDBzciFi6SjBze/0=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35", + "rev": "cb4dc98f776ddb6af165e6f06b2902efe31ca67a", "type": "github" }, "original": { @@ -377,11 +532,11 @@ ] }, "locked": { - "lastModified": 1693972774, - "narHash": "sha256-Dt9UZs0/DaIex598quYRYFuGabUbvFdNrHuvGc6HjBc=", + "lastModified": 1695224363, + "narHash": "sha256-+hfjJLUMck5G92RVFDZA7LWkR3kOxs5zQ7RPW9t3eM8=", "owner": "nix-community", "repo": "home-manager", - "rev": "b22d7bab30076bbb73744867d6c5bf7d6380570c", + "rev": "408ba13188ff9ce309fa2bdd2f81287d79773b00", "type": "github" }, "original": { 
@@ -394,13 +549,13 @@ "known_folders": { "flake": false, "locked": { - "narHash": "sha256-U/h4bVarq8CFKbFyNXKl3vBRPubYooLxA1xUz3qMGPE=", + "narHash": "sha256-bZfn+jgCzrtm8vKPDDMNWLkJYoo7vKxZu+e2tGvSGHY=", "type": "tarball", - "url": "https://github.com/ziglibs/known-folders/archive/fa75e1bc672952efa0cf06160bbd942b47f6d59b.tar.gz" + "url": "https://github.com/ziglibs/known-folders/archive/a564f582122326328dad6b59209d070d57c4e6ae.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/ziglibs/known-folders/archive/fa75e1bc672952efa0cf06160bbd942b47f6d59b.tar.gz" + "url": "https://github.com/ziglibs/known-folders/archive/a564f582122326328dad6b59209d070d57c4e6ae.tar.gz" } }, "langref": { @@ -425,11 +580,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1693954768, - "narHash": "sha256-DIyHgdfhmftTN2aHVEmJ1q/W2o0Slild0McAf4sEa8U=", + "lastModified": 1695424083, + "narHash": "sha256-mCB8q5XQdmttc4+78YnRnWKtb8cGOYCp3nXEbCJb2Xw=", "owner": "neovim", "repo": "neovim", - "rev": "2ef7b6a433c61837bcef0fca297a665551835423", + "rev": "c68c121f50ee0eae7f26ed043689105086572f55", "type": "github" }, "original": { @@ -450,11 +605,11 @@ ] }, "locked": { - "lastModified": 1693958686, - "narHash": "sha256-UgdB+EXYbi90vm2fam4tYgY9hYGwxSk0sxG96jIyeg4=", + "lastModified": 1695427468, + "narHash": "sha256-LjVp//svQX0mLbzbP8hNUqVcDZPtvWxF1rjeTJRBy1M=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "14defe836200c45acf14f3616d7ba20959028cf8", + "rev": "5940bca71d4c8b7a688d72aefc4c29b1350b8c21", "type": "github" }, "original": { 
@@ -469,11 +624,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1682108218, - "narHash": "sha256-tMr7BbxualFQlN+XopS8rMMgf2XR9ZfRuwIZtjsWmfI=", + "lastModified": 1695388192, + "narHash": "sha256-2jelpE7xK+4M7jZNyWL7QYOYegQLYBDQS5bvdo8XRUQ=", "owner": "misterio77", "repo": "nix-colors", - "rev": "b92df8f5eb1fa20d8e09810c03c9dc0d94ef2820", + "rev": "37227f274b34a3b51649166deb94ce7fec2c6a4c", "type": "github" }, "original": { @@ -489,11 +644,11 @@ ] }, "locked": { - "lastModified": 1692248770, - "narHash": "sha256-tZeFpETKQGbgnaSIO1AGWD27IyTcBm4D+A9d7ulQ4NM=", + "lastModified": 1695424346, + "narHash": "sha256-jkjKhxaBpS7p//l90uz9lNdVK5imVe9eo+XH6zbfrJU=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "511177ffe8226c78c9cf6a92a7b5f2df3684956b", + "rev": "c286b23c7fd7f0622bc4af898c91f58b8d304ff1", "type": "github" }, "original": { @@ -605,11 +760,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1680397293, - "narHash": "sha256-wBpJ73+tJ8fZSWb4tzNbAVahC4HSo2QG3nICDy4ExBQ=", + "lastModified": 1694911725, + "narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "b18d328214ca3c627d3cc3f51fd9d1397fdbcd7a", + "rev": "819180647f428a3826bfc917a54449da1e532ce0", "type": "github" }, "original": { 
@@ -620,11 +775,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1693844670, - "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", + "lastModified": 1695145219, + "narHash": "sha256-Eoe9IHbvmo5wEDeJXKFOpKUwxYJIOxKUesounVccNYk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1", + "rev": "5ba549eafcf3e33405e5f66decd1a72356632b96", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1681920287, + "narHash": "sha256-+/d6XQQfhhXVfqfLROJoqj3TuG38CAeoT6jO1g9r1k0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "645bc49f34fa8eff95479f0345ff57e55b53437e", "type": "github" }, "original": { @@ -684,11 +855,11 @@ }, "nur": { "locked": { - "lastModified": 1694020178, - "narHash": "sha256-1FJT97lTUNL/sjAA85Ysmv8BAExcWohaaHlLJOqb48g=", + "lastModified": 1695447549, + "narHash": "sha256-R0oT3+/qaf9oqTBZQDwZM05Pt61secoA4RjOKVIB3vk=", "owner": "nix-community", "repo": "NUR", - "rev": "1986d63bbafb176538af97ab6e4001ce5bb2718f", + "rev": "be08974e568978b2f6c145e5983d6b0c6f61056f", "type": "github" }, "original": { @@ -697,9 +868,33 @@ "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix_2", + "crane": "crane", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_3", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682237245, + "narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", "deploy-rs": "deploy-rs", + "disko": "disko", "flake-compat": "flake-compat_2", "hardware": "hardware", "home-manager": "home-manager", 
@@ -709,11 +904,37 @@ "nix-on-droid": "nix-on-droid", "nixpkgs": "nixpkgs_2", "nur": "nur", + "ragenix": "ragenix", "wired": "wired", "zig-overlay": "zig-overlay", "zls-overlay": "zls-overlay" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -744,6 +965,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1667395993, @@ -798,18 +1034,18 @@ }, "zig-overlay": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_5", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1694002101, - "narHash": "sha256-wYQ4Z5AKT3gqLCDOqXqw1q40mjO3Zh9Tanc3/fMVFRQ=", + "lastModified": 1695428435, + "narHash": "sha256-RfegRMM3r+xSN2xrsb/GqI8t/hog9TCtUz/xaUTxMCk=", "owner": "mitchellh", "repo": "zig-overlay", - "rev": "b9b8492e4e6edede26bf3bd36d8a42d9d54230d5", + "rev": "8d84a99ebb95616575dec694657c21d83a6ac51e", "type": "github" }, "original": { 
@@ -822,7 +1058,7 @@ "inputs": { "binned_allocator": "binned_allocator", "diffz": "diffz", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "gitignore": "gitignore", "known_folders": "known_folders", "langref": "langref", @@ -834,11 +1070,11 @@ ] }, "locked": { - "lastModified": 1693924059, - "narHash": "sha256-PfxEkc7BHWiIOaFvCLBCxyIRdgSdmMsKU4kHA0E5ps8=", + "lastModified": 1695406829, + "narHash": "sha256-eTtDS5dfNfwz+VKHzRsliB2sDAwGFdUFe8PDnY+YIa4=", "owner": "zigtools", "repo": "zls", - "rev": "7aeb758e9e652c3bad8fd11d1fb146328a3edbd3", + "rev": "ab0352a6203adce9a94805c32bd3770af6b92832", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 892c750..d5d5281 100644 --- a/flake.nix +++ b/flake.nix @@ -32,11 +32,38 @@ flake = false; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; }; + agenix = { + url = "github:ryantm/agenix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + darwin.follows = "nix-darwin"; + home-manager.follows = "home-manager"; + }; + }; + + ragenix = { + url = "github:yaxitech/ragenix"; + }; + + # sops-nix = { + # url = "github:Mic92/sops-nix"; + # inputs = { + # nixpkgs.follows = "nixpkgs"; + # darwin.follows = "nix-darwin"; + # home-manager.follows = "home-manager"; + # }; + # }; + # Nix User Repository nur = { url = "github:nix-community/NUR"; @@ -78,7 +105,10 @@ , nix-on-droid , nix-darwin , home-manager + , disko , deploy-rs + , agenix + , ragenix , nur , hardware , nix-colors @@ -105,7 +135,7 @@ # Dev Shells (`nix develop`) devShells = util.forEachPkgs (pkgs: - import ./shells { inherit pkgs; } + import ./shells { inherit pkgs inputs outputs; } ); # Formatter diff --git a/machines/nixos/x86_64-linux/jeeves/configuration.nix b/machines/nixos/x86_64-linux/jeeves/configuration.nix new file mode 100644 index 0000000..a9ac85d --- /dev/null 
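Review bot: The new `ragenix` input has no `inputs.nixpkgs.follows = "nixpkgs"` (nor follows for its `agenix`, `flake-utils` and `rust-overlay` inputs), unlike the `agenix`, `disko` and `deploy-rs` inputs beside it; the flake.lock hunks above show the consequence — a second `nixpkgs_3` (lastModified 1681920287, about five months behind `nixpkgs_2`), plus `agenix_2`, `crane`, `darwin` and `rust-overlay`, all pinned by ragenix, so the secrets tooling in the dev shell is built from an older, separately-pinned nixpkgs. Write it as `ragenix = { url = "github:yaxitech/ragenix"; inputs.nixpkgs.follows = "nixpkgs"; };` (ragenix's own `agenix` input can follow `agenix` the same way). The commented-out `sops-nix` block below it is dead configuration and is better left to git history than carried in the file.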
+++ b/machines/nixos/x86_64-linux/jeeves/configuration.nix 
@@ -0,0 +1,122 @@
+{ inputs, outputs, lib, pkgs, config, ... }:
+{
+ imports = [
+ (import ./disko.nix { inherit inputs outputs; })
+ inputs.agenix.nixosModules.default
+ ./network.nix
+ ];
+
+ nixpkgs = {
+ hostPlatform = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ overlays = [
+ ];
+ };
+
+ networking.hostName = "jeeves";
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ kernelPackages = pkgs.linuxPackages_latest;
+ initrd.availableKernelModules = [
+ "nvme"
+ ];
+ };
+
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ nix = {
+ registry =
+ lib.mapAttrs
+ (_: value: {
+ flake = value;
+ })
+ inputs;
+
+ nixPath =
+ lib.mapAttrsToList
+ (key: value:
+ "${key}=${value.to.path}")
+ config.nix.registry;
+
+ settings = {
+ experimental-features = "nix-command flakes";
+ auto-optimise-store = true;
+ };
+ };
+
+ programs.zsh.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ git
+ neovim
+ ];
+
+ # NOTE: made with `mkpasswd -m sha-516`
+ age.secrets."home/jeeves_password".file = ../../../../secrets/home/jeeves_password.age;
+ users = {
+ mutableUsers = true;
+ users = {
+ jeeves = {
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ passwordFile = config.age.secrets."home/jeeves_password".path;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)"
+ ];
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "audio"
+ "docker"
+ ];
+ };
+ };
+ };
+
+ # reo101.jellyfin = {
+ # enable = true;
+ # image = "docker.io/jellyfin/jellyfin:latest";
+ # volumes = [
+ # "/var/cache/jellyfin/config:/config"
+ # "/var/cache/jellyfin/cache:/cache"
+ # "/var/log/jellyfin:/log"
+ # "/data/media/jellyfin:/media:ro"
+ # ];
+ # ports = [
+ # "8096:8096"
+ # ];
+ # };
+
+ security.sudo.extraRules= [
+ {
+ users = [
+ "jeeves"
+ ];
+ commands = [
+ {
+ command = "ALL" ;
+ options= [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
+ }
+ ];
+ }
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+
+ boot.plymouth = {
+ enable = true;
+ };
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "23.05";
+}
diff --git a/machines/nixos/x86_64-linux/jeeves/deploy.nix b/machines/nixos/x86_64-linux/jeeves/deploy.nix
new file mode 100644
index 0000000..b8bfce5
--- /dev/null
+++ b/machines/nixos/x86_64-linux/jeeves/deploy.nix
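Review bot: The `security.sudo.extraRules` entry near the end of the hunk grants `jeeves` `command = "ALL"` with `NOPASSWD`, so the single key in `openssh.authorizedKeys.keys` (the same `main` key that `secrets/secrets.nix` lists) is root-equivalent, and the `docker` group a few lines above is root-equivalent on its own; that is presumably what deploy.nix needs for `sshUser = "jeeves"` with `user = "root"`, but nothing in the hunk says so. Add `# NOPASSWD ALL: required by deploy-rs (deploy.nix: sshUser = jeeves, user = root)` above the rule and replace the dangling `# "SETENV" # Adding the following could be a good idea` with a proper comment or drop it. The comment above `age.secrets."home/jeeves_password"` reads `mkpasswd -m sha-516`; the method is `sha-512`. With `users.mutableUsers = true` the `passwordFile` hash may only seed the account once rather than track the secret on later rebuilds — confirm that is intended.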
@@ -0,0 +1,42 @@
+{
+ # This is the hostname by which you'll refer to this machine using reploy-rs
+ hostname = "jeeves.reo101.xyz";
+
+ # This is the user that deploy-rs will use when connecting.
+ # This will default to your own username if not specified anywhere
+ sshUser = "jeeves";
+
+ # This is the user that the profile will be deployed to (will use sudo if not the same as above).
+ # If `sshUser` is specified, this will be the default (though it will _not_ default to your own username)
+ user = "root";
+
+ # Which sudo command to use. Must accept at least two arguments:
+ # the user name to execute commands as and the rest is the command to execute
+ # This will default to "sudo -u" if not specified anywhere.
+ sudo = "sudo -u";
+
+ # This is an optional list of arguments that will be passed to SSH.
+ sshOpts = [ "-p" "727" ];
+
+ # Fast connection to the node. If this is true, copy the whole closure instead of letting the node substitute.
+ # This defaults to `false`
+ fastConnection = false;
+
+ # If the previous profile should be re-activated if activation fails.
+ # This defaults to `true`
+ autoRollback = true;
+
+ # See the earlier section about Magic Rollback for more information.
+ # This defaults to `true`
+ magicRollback = true;
+
+ # The path which deploy-rs will use for temporary files, this is currently only used by `magicRollback` to create an inotify watcher in for confirmations
+ # If not specified, this will default to `/tmp`
+ # (if `magicRollback` is in use, this _must_ be writable by `user`)
+ tempPath = "/tmp";
+
+ # Build the derivation on the target system
+ # Will also fetch all external dependencies from the target system's substituters.
+ # This default to `false`
+ remoteBuild = true;
+}
diff --git a/machines/nixos/x86_64-linux/jeeves/disko.nix b/machines/nixos/x86_64-linux/jeeves/disko.nix
new file mode 100644
index 0000000..5cc10db
--- /dev/null
+++ b/machines/nixos/x86_64-linux/jeeves/disko.nix
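Review bot: `sshOpts = [ "-p" "727" ]` points deploy-rs at a non-default SSH port, but the `services.openssh` block in configuration.nix in this same change only sets `enable`, `PermitRootLogin` and `PasswordAuthentication`, so unless a module outside the diff sets `services.openssh.ports`, sshd will listen on 22 and every deploy will fail to connect. Either add `services.openssh.ports = [ 727 ];` next to those settings or drop the option here. The first comment also says `reploy-rs` where `deploy-rs` is meant.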
@@ -0,0 +1,200 @@
+{ inputs, outputs, ... }:
+{ lib, pkgs, config, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.disko
+ ];
+
+ environment.systemPackages = with pkgs; [
+ # `statfs` for btrfs commands
+ gocryptfs
+ ];
+
+ # If on installer
+ disko.enableConfig = true;
+
+ # `head -c 8 /etc/machine-id`
+ networking.hostId = "1418566e";
+
+ # NOTE: needed for mounting `/key` (for LUKS)
+ boot.initrd.kernelModules = [
+ "uas"
+ "ext4"
+ ];
+
+ # HACK: for troubleshooting
+ # see https://github.com/NixOS/nixpkgs/blob/9d6655c6222211adada5eeec4a91cb255b50dcb6/nixos/modules/system/boot/stage-1-init.sh#L45-L49
+ boot.initrd.preFailCommands = ''
+ export allowShell=1
+ '';
+
+ # NOTE: doesn't get mounted early enough, see below
+ # fileSystems."/key" = {
+ # device = "/dev/disk/by-partlabel/key";
+ # fsType = "ext4";
+ # neededForBoot = true;
+ # };
+
+ disko = {
+ devices = {
+ disk = {
+ # NOTE: we could do this to setup a usb for the keys
+ # but disko overrides it with no option of ignoring when partitioning
+ # (i.e. tell disko to only use this only for decalartion)
+ # key = {
+ # type = "disk";
+ # device = "/dev/disk/by-id/usb-USB2.0_Flash_Disk_1000000000001D8B-0";
+ # content = {
+ # type = "gpt";
+ # partitions = {
+ # key = {
+ # label = "key";
+ # size = "100%";
+ # content = {
+ # type = "filesystem";
+ # format = "ext4";
+ # mountpoint = "/key";
+ # };
+ # };
+ # };
+ # };
+ # };
+ ssd1 = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-eui.e8238fa6bf530001001b448b4ebde3a6";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ label = "boot_mbr";
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ priority = 1;
+ };
+ ESP = {
+ label = "boot";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ priority = 2;
+ };
+ root = {
+ label = "root";
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "root";
+ extraOpenArgs = [ ];
+ settings = {
+ keyFile = "/key/root";
+ # HACK: we need to manually wait for and mount the partition containing the keys
+ preOpenCommands = ''
+ # Prepare (kernel modules and directory for mounting)
+ modprobe uas
+ modprobe ext4
+ mkdir -m "0755" -p "/key"
+
+ # Loop until mounted (+ initial wait)
+ sleep 5
+ until mount -n -t "ext4" -o "ro" "/dev/disk/by-partlabel/key" "/key" 2>&1 1>/dev/null; do
+ echo 'Could not find a partition with label `key` (at `/dev/disk/by-partlabel/key`), retrying...'
+ sleep 2
+ done
+ '';
+ };
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ priority = 3;
+ };
+ };
+ };
+ };
+ hdd1 = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-WDC_WD8003FFBX-68B9AN0_VYJB5TUM";
+ content = {
+ type = "gpt";
+ partitions = {
+ mdadm = {
+ label = "hdd1";
+ size = "100%";
+ content = {
+ type = "mdraid";
+ name = "tank";
+ };
+ };
+ };
+ };
+ };
+ hdd2 = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-WDC_WD8003FFBX-68B9AN0_VYHZTWSM";
+ content = {
+ type = "gpt";
+ partitions = {
+ mdadm = {
+ label = "hdd2";
+ size = "100%";
+ content = {
+ type = "mdraid";
+ name = "tank";
+ };
+ };
+ };
+ };
+ };
+ };
+ mdadm = {
+ tank = {
+ type = "mdadm";
+ level = 1;
+ content = {
+ type = "luks";
+ name = "tank";
+ extraOpenArgs = [ "--allow-discards" ];
+ settings.keyFile = "/key/tank";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/data" = {
+ mountpoint = "/data";
+ mountOptions = [
+ "compress=zstd"
+ ];
+ };
+ "/data/media" = { };
+ "/data/media/jellyfin" = { };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/nixos/x86_64-linux/jeeves/home/jeeves.nix b/machines/nixos/x86_64-linux/jeeves/home/jeeves.nix
new file mode 100644
index 0000000..b91b395
--- /dev/null
+++ b/machines/nixos/x86_64-linux/jeeves/home/jeeves.nix
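Review bot: In `preOpenCommands`, `mount ... 2>&1 1>/dev/null` sends mount's stderr to the original stdout and only then discards stdout, so the error text is still printed on every iteration; if the intent is to silence it, write `until mount -n -t "ext4" -o "ro" "/dev/disk/by-partlabel/key" "/key" >/dev/null 2>&1; do`. The `until` loop has no attempt limit, so a missing or dead key stick leaves stage 1 spinning forever instead of failing, and the `preFailCommands` hook above never runs; bounding it to a fixed number of retries and then giving up would let the normal failure path take over. That hook (`export allowShell=1`) is marked HACK and hands an unauthenticated shell to whoever is at the console whenever stage 1 fails, so it should be removed, or gated behind a kernel parameter, before the host goes into service. The `key` partition is plain ext4 holding `/key/root` and `/key/tank`, so a comment stating the threat model for that stick (it is the at-rest secret for both LUKS volumes) belongs next to `keyFile`.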
@@ -0,0 +1,69 @@
+{ inputs, outputs, lib, pkgs, config, ... }:
+
+{
+ imports = [
+ inputs.wired.homeManagerModules.default
+ ];
+
+ nixpkgs = {
+ overlays = builtins.attrValues outputs.overlays;
+
+ config.allowUnfree = true;
+ };
+
+ home = {
+ username = "jeeves";
+ homeDirectory = "/home/jeeves";
+ stateVersion = "23.05";
+ };
+
+ # Let Home Manager install and manage itself.
+ programs.home-manager.enable = true;
+
+ home.packages = with pkgs; [
+ ## Core
+ neovim
+ git
+ gnupg
+ pciutils # lspci
+ usbutils # lsusb
+
+ ## Shell
+ # zsh
+ # starship
+ # zoxide
+ ripgrep
+
+ ## Nix
+ direnv
+
+ ## Torrents
+ tremc
+
+ ## Rust
+ rustc
+ cargo
+ rust-analyzer
+ clang
+ openssl
+ pkg-config
+ ];
+
+ reo101 = {
+ shell = {
+ enable = true;
+ direnv = true;
+ zoxide = true;
+ shells = [
+ "zsh"
+ "nushell"
+ ];
+ };
+ };
+
+ home.file = {
+ ".config/nvim" = {
+ source = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/.local/src/reovim";
+ };
+ };
+}
diff --git a/machines/nixos/x86_64-linux/jeeves/network.nix b/machines/nixos/x86_64-linux/jeeves/network.nix
new file mode 100644
index 0000000..3978637
--- /dev/null
+++ b/machines/nixos/x86_64-linux/jeeves/network.nix
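Review bot: `openssl` and `pkg-config` in `home.packages` will not, as far as I can tell, make `openssl.pc` visible to `cargo`/`pkg-config`, because a profile installs only a package's default outputs and the `.pc` file lives in `openssl.dev`; a Rust build that needs openssl-sys will still fail to locate it. Either keep the Rust toolchain in a per-project dev shell (`pkgs.mkShell { nativeBuildInputs = [ pkg-config ]; buildInputs = [ openssl ]; }`, where the dev output is wired up automatically) or add `# NOTE: pkg-config does not see openssl.pc from a profile; use a dev shell for openssl-sys crates` above the `## Rust` group.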
@@ -0,0 +1,47 @@
+{ lib, pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ ];
+
+ # Networking
+ age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
+ networking.wireless = {
+ iwd.enable = true;
+ environmentFile = config.age.secrets."home/wifi.env".path;
+ networks = {
+ home = {
+ ssid = "@HOME_WIFI_SSID@";
+ psk = "@HOME_WIFI_PSK@";
+ };
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+ wait-online = {
+ enable = false;
+ anyInterface = true;
+ ignoredInterfaces = [
+ "eth0"
+ ];
+ };
+
+ networks."10-eth0" = {
+ matchConfig.Name = "eth0";
+ networkConfig.DHCP = "yes";
+ };
+ links."10-eth0" = {
+ matchConfig.PermanentMACAddress = "04:7c:16:80:3c:2c";
+ linkConfig.Name = "eth0"; # "enp8s0";
+ };
+
+ networks."15-wan0" = {
+ matchConfig.Name = "wan0";
+ networkConfig.DHCP = "yes";
+ };
+ links."15-wan0" = {
+ matchConfig.PermanentMACAddress = "bc:f4:d4:40:5c:ed";
+ linkConfig.Name = "wan0"; # "wlp15s0";
+ };
+ };
+}
diff --git a/secrets/home/jeeves_password.age b/secrets/home/jeeves_password.age
new file mode 100644
index 0000000..46851f6
--- /dev/null
+++ b/secrets/home/jeeves_password.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdXaWlnVnl6bStVUEpR
+c1d6a0lHL09VbVAraGtvclpJU1F6TUVCNUhRClNmVFFFVkpuNWJqUUxRTE93d3lT
+Wk1qT2oraUpSMGduOTk3NXBuMkFsbW8KLT4gc3NoLWVkMjU1MTkgdk1uYmxnIEJu
+ZUpodTN0VmRBanQwWWpIdzZvOS9HS0ZuZ05TWUtQbk5jRHI3cVNKRWcKT1IvYmpy
+Tmw5SXJHdHBCREZKWmtsZVB4WGlkVFNaNFhyRmE5R2NwdVNtcwotPiBhSi1ncmVh
+c2UgQlwKZHZQU2NwdkRhallRUStvU2tRSmVLRzN2d3NZMHVDNGxQQ01tVUZQOUQ0
+QURBbmJ1Y2hGR2VBN0xrNFR3MGMyTApUZ2xPZmVGRndFb3NwR3FwZGVoVi9XWEYw
+RGx5TDROYzJaQWFjc2UvQUs4Ci0tLSBDQy8yckEwTEttQVFIamxlM3VIVDRQZTN4
+VGZZUjZsWk9SVGR4UmtmOEU4ClM22goWXt0lCfW7h8NOsbT7DrEZ6NeOUBi/soFL
+nhAzqMKdDY5e3apubmGaerbzJ9nt22kAtnaswPA8EQF2FvdIRwiVvuPqp7sUbS/6
+8rWhNuuBqxwLCoVWUe7dkRTVwKu7Wk6stWUrhEZhOpDU9pjFIs9p4dzXD8zFBzpA
+pqn9cbRE46jheGN43sU=
+-----END AGE ENCRYPTED FILE-----
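Review bot: `networking.wireless.environmentFile` and `networking.wireless.networks` belong to the wpa_supplicant module, which is only applied when `networking.wireless.enable = true`; this hunk sets `iwd.enable = true` and never sets `enable`, so unless a module outside the diff turns wpa_supplicant on, the `home` network and its `@HOME_WIFI_SSID@`/`@HOME_WIFI_PSK@` substitution are never written anywhere, while the `wifi.env` secret is still decrypted onto the host. Either set `networking.wireless.enable = true;` and remove `iwd.enable`, or provision iwd's own network file from the secret and drop `networks`. A one-line comment stating which backend is the intended one would keep this from recurring.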
diff --git a/secrets/home/wifi.env.age b/secrets/home/wifi.env.age new file mode 100644 index 0000000..d9cd420 --- /dev/null +++ b/secrets/home/wifi.env.age @@ -0,0 +1,20 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBuTWds +TmVVbEVPZjNYemU5Y0srUWdabnhGZDZ6TklvYXJaWlBtTWZ3MGhJCmhWd0VqZ1lV +djBwL05MVTZpR2xNWU9Hd0tLVWxYRExWc0ZKb1BYa3Bjc00KLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IE4vSHF2MHdrZmVvaXluWFpuZHRSU0tTQlRwTzBUUzNDaytvL3Jt +UEcwSE0KSkRoTlpZSmYrekRtT0ltOHNMTjVubWNLWTlDVTAvenJTcDErdHV2Z202 +VQotPiBYMjU1MTkgUjJsMmc2QjR2T0ZQbS93ZUJhUFBIbHl3RFFzRzZrclcvOG5J +SVE0WDNUNApMZkYxeEc1ZXhMTTdVK0VBa1FLUXNscmJLWGVQRHFKQjFTaW5VTElj +UnJBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyA4TmQxSjNDV3Q0N3hLQXhYZnBCditI +aUtOZEpXVWpLRzF0c1h4SzZTSUZjCno0K0JhMENVY3ovMHRuL295dzI2VGtTZWt4 +SW5jWWZ6K1hLV2FCeEhEMXcKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIExkZEdwUlJp +V09YOEdKQmtpTE9xWXRwQkRsZ1VLRUhVTWxSK1dyQ2x1eDAKc29GMEt6a3NjSzRV +UDJBaENVYlRLS2JRM1VDK0hvN1hGdHNiYmFwM3ZWMAotPiBvP0UtZ3JlYXNlIFxG +IHA2O1okOzVsCkYxNGRtWnQ0M2pRVW1GZWw5bExoU0ZxSmllZEN3UWs5WFZpZG1V +RWhaUC9xSTFpQk9TaFhDOGxOZmk0YVJ4cjYKYzhPM3AxZC8raXVnUVh3ZlF3U0Vy +UUxMTytOb2tEOE1kU3RpaW15WWg1K1lTVXBnc29hU1k0TQotLS0gbzc3dHdJQ0pB +VmxzZ1FhTmo0UUc0RldKclZzZkNBb1FlNUNBZjJBekp6MArQ+1zBESesqZ6HtsI2 +jdZVixj3TeSsdLzfW68kVyrBhUdV+r9zT3YHyHx0Qv9mr5alvdxTJxG00zJ7q0+u +kmDgK/mnCmVwn/bRGyPtYXJdF1i2YgT/enkZhA== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..7e60eea --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,26 @@ +# This file is not imported into the NixOS/home-manager configurations. +# It is only used for the `agenix` CLI. +# `agenix` use the public keys defined in this file to encrypt the secrets. +# Users can decrypt the secrets by any of the corresponding private keys. + +let + # User's ssh public key: + # cat ~/.ssh/id_ed25519.pub + # Generate using: + # ssh-keygen -t ed25519 + main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW"; + limonka = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmO9YwsuPMstyLVElvam5mKZfr51qnNj6cIZN8cCu7f"; + limonka_age = "age1m23jgdtkfh6gqnxge88q03yy9exckajmlmx8sw2z9t3t5gpr0c4qxgdtwr"; + users = [ main limonka limonka_age ]; + + # System's ssh public key: + # cat /etc/ssh/ssh_host_ed25519_key.pub + # Generated automatically when running `sshd` + jeeves_system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB"; + limonka_system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2DM5F3nLKDiWoxqTwJw4bi5Q1RGZYtEPmTcLxTC7c9"; + systems = [ jeeves_system limonka_system ]; +in +{ + "home/wifi.env.age".publicKeys = users ++ systems; + "home/jeeves_password.age".publicKeys = [ limonka_age jeeves_system ]; +} diff --git a/shells/default.nix b/shells/default.nix index b94d183..4bf0ce8 100644 --- a/shells/default.nix +++ b/shells/default.nix @@ -1,6 +1,8 @@ # If pkgs is not defined, instanciate nixpkgs from locked commit { pkgs ? (import ../nixpkgs.nix) { } +, inputs +, outputs , ... }: { - default = import ./default { inherit pkgs; }; + default = import ./default { inherit pkgs inputs outputs; }; } diff --git a/shells/default/default.nix b/shells/default/default.nix index 983452f..bb3c7db 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -1,5 +1,7 @@ # Shell for bootstrapping flake-enabled nix and other tooling { pkgs +, inputs +, outputs , ... }: pkgs.mkShell { NIX_CONFIG = '' 
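Review bot: `jeeves_system` is the only system recipient of `home/jeeves_password.age` (and one of the recipients of `home/wifi.env.age`), and the comment says it is generated automatically by `sshd`; the disko hunk in this change formats `ssd1`, so a fresh install gets a new `/etc/ssh/ssh_host_ed25519_key` and cannot decrypt either secret unless that key is restored or the secrets are re-keyed afterwards. Add `# Must match /etc/ssh/ssh_host_ed25519_key.pub on the installed host; re-key (agenix -r) after a reinstall` above `jeeves_system`. The `main` key is also the one in `openssh.authorizedKeys.keys` for `jeeves` in configuration.nix, so that single key reaches both the wifi secret and, through the sudo rule there, root on the host — worth stating here so the trust relationship is explicit.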
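Review bot: In shells/default.nix, `inputs` and `outputs` are now required arguments with no default, while the header comment still says `pkgs` is instantiated from the locked commit when not given; importing this file outside the flake (`import ./shells { }`) now fails with a missing-argument error instead of falling back. If the standalone path is no longer supported, update the comment to say the file must be called from `flake.nix` with `inputs` and `outputs`; otherwise give the two a default (`, inputs ? { }`, `, outputs ? { }`) and make `shells/default/default.nix` tolerate their absence.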
@@ -9,5 +11,9 @@ nix home-manager git + deploy-rs + # inputs.agenix.packages.${pkgs.system}.agenix + inputs.ragenix.packages.${pkgs.system}.ragenix + rage ]; }
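Review bot: `deploy-rs` in this package list comes from `pkgs`, while the flake pins its own `inputs.deploy-rs` (locked separately in flake.lock), so the CLI in the dev shell and the library the `deploy.nix` profiles are evaluated against can drift apart; for consistency with the `ragenix` line below it, taking it from the input (presumably `inputs.deploy-rs.packages.${pkgs.system}.deploy-rs`) keeps both on one version. The enclosing `pkgs.mkShell` attribute set starts before this hunk.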