julian/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity

Start migration to using flake-parts

Browse Source
This commit is contained in:
Julian Mutter
2026-03-23 20:34:48 +01:00
parent ba56618049
commit 6cbe60c784
158 changed files with 1935 additions and 1830 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
hosts/aspi/default.nix
View File

@@ -1,62 +1,72 @@
{
imports = [
./hardware-configuration.nix
../common/global
../common/users/julian
../common/users/yukari
../common/users/pob
../common/optional/binarycaches.nix
../common/optional/remote-builder.nix
../common/optional/boot-efi.nix
../common/optional/greetd.nix
../common/optional/authentication.nix
../common/optional/pcmanfm.nix
../common/optional/pipewire.nix
../common/optional/gamemode.nix
../common/optional/virtualbox.nix
../common/optional/podman.nix
../common/optional/wireguard.nix
../common/optional/wireshark.nix
../common/optional/flatpak.nix
../common/optional/avahi.nix
];
networking.hostName = "aspi";
system.stateVersion = "24.05";
# networking.firewall.checkReversePath = false; # Makes wg interface with all ips work
modules = {
syncthing = {
enable = true;
overrideSettings = false;
};
frajulAutoUpgrade = {
enable = true;
flakePath = "/home/julian/.dotfiles";
};
inputs,
self,
...
}: {
flake.nixosConfigurations.aspi = inputs.nixpkgs.lib.nixosSystem {
modules = [
self.nixosModules.hosts.aspi
];
};
programs.hyprland.enable = true;
services.desktopManager.plasma6.enable = true;
flake.nixosModules.hosts.aspi = {
imports = [
../common/global
../common/users/julian
../common/users/yukari
../common/users/pob
../common/optional/binarycaches.nix
services.blueman.enable = true;
services.upower.enable = true;
../common/optional/remote-builder.nix
../common/optional/boot-efi.nix
programs.steam.enable = true;
../common/optional/greetd.nix
../common/optional/authentication.nix
../common/optional/pcmanfm.nix
../common/optional/pipewire.nix
# TODO: not working
# services.logind.lidSwitch = "lock";
# services.logind.lidSwitchDocked = "lock";
../common/optional/gamemode.nix
../common/optional/virtualbox.nix
programs.kdeconnect.enable = true;
../common/optional/podman.nix
../common/optional/wireguard.nix
../common/optional/wireshark.nix
../common/optional/flatpak.nix
# Enable touchpad support
services.libinput.enable = true;
../common/optional/avahi.nix
];
networking.hostName = "aspi";
system.stateVersion = "24.05";
# networking.firewall.checkReversePath = false; # Makes wg interface with all ips work
modules = {
syncthing = {
enable = true;
overrideSettings = false;
};
frajulAutoUpgrade = {
enable = true;
flakePath = "/home/julian/.dotfiles";
};
};
programs.hyprland.enable = true;
services.desktopManager.plasma6.enable = true;
services.blueman.enable = true;
services.upower.enable = true;
programs.steam.enable = true;
# TODO: not working
# services.logind.lidSwitch = "lock";
# services.logind.lidSwitchDocked = "lock";
programs.kdeconnect.enable = true;
# Enable touchpad support
services.libinput.enable = true;
};
}

144
hosts/aspi/hardware-configuration.nix
View File

@@ -1,78 +1,80 @@
{
config,
lib,
...
}: {
boot.initrd.availableKernelModules = [
"vmd"
"xhci_pci"
"ahci"
"nvme"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.blacklistedKernelModules = ["pcspkr"]; # Disables "beep"
boot.binfmt.emulatedSystems = ["aarch64-linux"];
flake.nixosModules.hosts.aspi = {
config,
lib,
...
}: {
boot.initrd.availableKernelModules = [
"vmd"
"xhci_pci"
"ahci"
"nvme"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.blacklistedKernelModules = ["pcspkr"]; # Disables "beep"
boot.binfmt.emulatedSystems = ["aarch64-linux"];
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/a4dc9a2c-725b-4252-8fbb-093a271c31ba";
preLVM = true;
allowDiscards = true;
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/a4dc9a2c-725b-4252-8fbb-093a271c31ba";
preLVM = true;
allowDiscards = true;
};
};
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
fsType = "btrfs";
options = [
"subvol=root"
"compress=zstd"
fileSystems."/" = {
device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
fsType = "btrfs";
options = [
"subvol=root"
"compress=zstd"
];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
fsType = "btrfs";
options = [
"subvol=home"
"compress=zstd"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
fsType = "btrfs";
options = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7040-F37C";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-uuid/26140b4a-0579-406d-a484-35aa31b32e80";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.nvidia.open = false;
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
fsType = "btrfs";
options = [
"subvol=home"
"compress=zstd"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
fsType = "btrfs";
options = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7040-F37C";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-uuid/26140b4a-0579-406d-a484-35aa31b32e80";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.nvidia.open = false;
}

636
hosts/builder/default.nix
View File

@@ -2,352 +2,362 @@
# or
# deploy .#builder
{
config,
pkgs,
inputs,
self,
...
}: {
imports = [
./hardware-configuration.nix
../common/global/fish.nix # fish for admin
../common/global/locale.nix
../common/global/nix.nix
../common/global/sops.nix
../common/global/root.nix
];
networking.hostName = "builder";
system.stateVersion = "23.11";
networking.networkmanager.enable = true;
networking.nameservers = [
"192.168.3.252"
"172.30.20.10"
"1.1.1.1"
];
users.mutableUsers = false;
users.users.nix = {
isNormalUser = true;
description = "Nix";
extraGroups = [
"networkmanager"
"wheel"
"docker"
flake.nixosConfigurations.builder = inputs.nixpkgs.lib.nixosSystem {
modules = [
self.nixosModules.hosts.builder
];
};
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Setup binary caches
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
"https://hyprland.cachix.org"
"https://devenv.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
flake.nixosModules.hosts.builder = {
config,
pkgs,
...
}: {
imports = [
../common/global/fish.nix # fish for admin
../common/global/locale.nix
../common/global/nix.nix
../common/global/sops.nix
../common/global/root.nix
];
trusted-users = ["nix"];
max-jobs = "auto";
cores = 0;
networking.hostName = "builder";
system.stateVersion = "23.11";
# Ensure we can still build when missing-server is not accessible
fallback = true;
};
# system.autoUpgrade = {
# enable = true;
# flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
# flags = [
# "--recreate-lock-file" # update lock file
# ];
# dates = "02:13";
# };
# optimize store by hardlinking store files
nix.optimise.automatic = true;
nix.optimise.dates = ["03:15"];
# nix.gc.automatic = true;
# nix.gc.dates = "daily";
# nix.gc.options = "--delete-old";
# nix.settings.keep-derivations = false;
# nix.settings.keep-outputs = true;
# Garbage collect up to 100 GiB when only 20 GiB storage left
nix.extraOptions = ''
min-free = ${toString (20 * 1024 * 1024 * 1024)}
max-free = ${toString (100 * 1024 * 1024 * 1024)}
'';
nix.nrBuildUsers = 64;
# prevent memory to get filled
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "90%";
OOMScoreAdjust = 500;
};
# Ollama used by open-webui as llm backend
services.ollama = {
enable = true;
# acceleration = "rocm";
openFirewall = true;
};
services.nextjs-ollama-llm-ui = {
enable = true;
hostname = "192.168.3.118";
port = 3001;
};
# services.open-webui = {
# enable = true;
# port = 8080;
# openFirewall = true;
# host = "builder.julian-mutter.de";
# };
networking.firewall.allowedTCPPorts = [
80
3001 # ollama-ui
];
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
# Add older algorithms for jenkins ssh-agents-plugin to be compatible
settings.Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
networking.networkmanager.enable = true;
networking.nameservers = [
"192.168.3.252"
"172.30.20.10"
"1.1.1.1"
];
settings.KexAlgorithms = [
"diffie-hellman-group-exchange-sha1"
"diffie-hellman-group14-sha1"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
];
users.users."nix".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIQ+qMuXvyoxO1DuCR3/x+IQRfSA2WyMuzuotWZjCye root@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
];
# security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
services.hydra = {
enable = true;
hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
port = 3000;
notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
# buildMachinesFiles = [ ];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
minimumDiskFree = 5; # in GB
minimumDiskFreeEvaluator = 4; # in GB
};
# add builder itself as build machine so system emulation is properly supported
# nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "localhost";
protocol = null;
# sshUser = "nix";
systems = [
"x86_64-linux"
"aarch64-linux"
users.mutableUsers = false;
users.users.nix = {
isNormalUser = true;
description = "Nix";
extraGroups = [
"networkmanager"
"wheel"
"docker"
];
maxJobs = 4;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
};
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Setup binary caches
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
"https://hyprland.cachix.org"
"https://devenv.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
];
}
];
# Uris allowed as flake inputs, otherwise hydra does not fetch them
nix.settings.allowed-uris = [
"github:"
"gitlab:"
"git+https://github.com/hyprwm/Hyprland"
"https://github.com/hyprwm/Hyprland"
"https://github"
"https://gitlab"
"https://gitlab.julian-mutter.de"
"git+https://gitlab.julian-mutter.de"
];
trusted-users = ["nix"];
max-jobs = "auto";
cores = 0;
services.nginx = {
enable = true;
recommendedProxySettings = true;
# recommendedTlsSettings = true;
# other Nginx options
virtualHosts."hydra.julian-mutter.de" = {
# enableACME = true;
# forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# proxyWebsockets = true; # needed if you need to use WebSocket
# extraConfig =
# # required when the target is also TLS server with multiple hosts
# "proxy_ssl_server_name on;" +
# # required when the server wants to use HTTP Authentication
# "proxy_pass_header Authorization;"
# ;
# Ensure we can still build when missing-server is not accessible
fallback = true;
};
# system.autoUpgrade = {
# enable = true;
# flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
# flags = [
# "--recreate-lock-file" # update lock file
# ];
# dates = "02:13";
# };
# optimize store by hardlinking store files
nix.optimise.automatic = true;
nix.optimise.dates = ["03:15"];
# nix.gc.automatic = true;
# nix.gc.dates = "daily";
# nix.gc.options = "--delete-old";
# nix.settings.keep-derivations = false;
# nix.settings.keep-outputs = true;
# Garbage collect up to 100 GiB when only 20 GiB storage left
nix.extraOptions = ''
min-free = ${toString (20 * 1024 * 1024 * 1024)}
max-free = ${toString (100 * 1024 * 1024 * 1024)}
'';
nix.nrBuildUsers = 64;
# prevent memory to get filled
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "90%";
OOMScoreAdjust = 500;
};
# Ollama used by open-webui as llm backend
services.ollama = {
enable = true;
# acceleration = "rocm";
openFirewall = true;
};
services.nextjs-ollama-llm-ui = {
enable = true;
hostname = "192.168.3.118";
port = 3001;
};
# services.open-webui = {
# enable = true;
# port = 8080;
# openFirewall = true;
# host = "builder.julian-mutter.de";
# };
networking.firewall.allowedTCPPorts = [
80
3001 # ollama-ui
];
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
# Add older algorithms for jenkins ssh-agents-plugin to be compatible
settings.Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
settings.KexAlgorithms = [
"diffie-hellman-group-exchange-sha1"
"diffie-hellman-group14-sha1"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
];
users.users."nix".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIQ+qMuXvyoxO1DuCR3/x+IQRfSA2WyMuzuotWZjCye root@aspi"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
];
# security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
services.hydra = {
enable = true;
hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
port = 3000;
notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
# buildMachinesFiles = [ ];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
minimumDiskFree = 5; # in GB
minimumDiskFreeEvaluator = 4; # in GB
};
# add builder itself as build machine so system emulation is properly supported
# nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "localhost";
protocol = null;
# sshUser = "nix";
systems = [
"x86_64-linux"
"aarch64-linux"
];
maxJobs = 4;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
];
}
];
# Uris allowed as flake inputs, otherwise hydra does not fetch them
nix.settings.allowed-uris = [
"github:"
"gitlab:"
"git+https://github.com/hyprwm/Hyprland"
"https://github.com/hyprwm/Hyprland"
"https://github"
"https://gitlab"
"https://gitlab.julian-mutter.de"
"git+https://gitlab.julian-mutter.de"
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
# recommendedTlsSettings = true;
# other Nginx options
virtualHosts."hydra.julian-mutter.de" = {
# enableACME = true;
# forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# proxyWebsockets = true; # needed if you need to use WebSocket
# extraConfig =
# # required when the target is also TLS server with multiple hosts
# "proxy_ssl_server_name on;" +
# # required when the server wants to use HTTP Authentication
# "proxy_pass_header Authorization;"
# ;
};
};
virtualHosts."binarycache.julian-mutter.de" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
clientMaxBodySize = "2G";
virtualHosts."cache.julian-mutter.de" = {
locations."/".proxyPass = "http://127.0.0.1:8080";
};
};
virtualHosts."binarycache.julian-mutter.de" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# =========== Gitea actions ==========
services.gitea-actions-runner.instances."builder" = {
enable = true;
url = "https://gitlab.julian-mutter.de";
name = "builder";
tokenFile = config.sops.secrets."gitea_token".path;
labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# devenv
"devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
# provide native execution on the host
"nixos:host"
];
};
clientMaxBodySize = "2G";
virtualHosts."cache.julian-mutter.de" = {
locations."/".proxyPass = "http://127.0.0.1:8080";
virtualisation.docker.enable = true;
# TODO: podman fails with: "cannot resolve hostname"
# virtualisation.podman = {
# enable = true;
# dockerCompat = true;
# defaultNetwork.settings.dns_enabled = true;
# };
sops.secrets."gitea_token" = {
owner = config.users.users.nix.name;
sopsFile = ./secrets.yaml;
};
};
# =========== Gitea actions ==========
services.gitea-actions-runner.instances."builder" = {
enable = true;
url = "https://gitlab.julian-mutter.de";
name = "builder";
tokenFile = config.sops.secrets."gitea_token".path;
labels = [
# provide a debian base with nodejs for actions
"debian-latest:docker://node:18-bullseye"
# fake the ubuntu name, because node provides no ubuntu builds
"ubuntu-latest:docker://node:18-bullseye"
# devenv
"devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
# provide native execution on the host
"nixos:host"
];
};
# =========== Binary Cache ==========
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
virtualisation.docker.enable = true;
# =========== Binary Cache with attic ==========
sops.secrets."attic_token".sopsFile = ./secrets.yaml;
# TODO: podman fails with: "cannot resolve hostname"
# virtualisation.podman = {
# enable = true;
# dockerCompat = true;
# defaultNetwork.settings.dns_enabled = true;
# };
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."attic_token".path;
settings = {
listen = "[::]:8080";
sops.secrets."gitea_token" = {
owner = config.users.users.nix.name;
sopsFile = ./secrets.yaml;
};
jwt = {};
# =========== Binary Cache ==========
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
# =========== Binary Cache with attic ==========
sops.secrets."attic_token".sopsFile = ./secrets.yaml;
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."attic_token".path;
settings = {
listen = "[::]:8080";
jwt = {};
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
# Data chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
};
services.gitlab-runner.enable = true;
# runner for everything else
#
sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
services.gitlab-runner.services.default = {
# File should contain at least these two variables:
authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
dockerImage = "alpine:latest";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
};
services.gitlab-runner.enable = true;
# runner for everything else
#
sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
services.gitlab-runner.services.default = {
# File should contain at least these two variables:
authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
dockerImage = "alpine:latest";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
};
### Jenkins node
users.users.jenkins = {
createHome = true;
home = "/var/lib/jenkins";
group = "jenkins";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
];
packages = with pkgs; [
git
devenv
];
extraGroups = [
"docker"
];
};
### Jenkins node
users.users.jenkins = {
createHome = true;
home = "/var/lib/jenkins";
group = "jenkins";
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
];
packages = with pkgs; [
git
devenv
];
extraGroups = [
"docker"
];
};
users.groups.jenkins = {};
programs.java = {
enable = true;
package = pkgs.jdk21; # Same as jenkins version on home
users.groups.jenkins = {};
programs.java = {
enable = true;
package = pkgs.jdk21; # Same as jenkins version on home
};
};
}

96
hosts/builder/hardware-configuration.nix
View File

@@ -1,50 +1,52 @@
{lib, ...}: {
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
# boot.initrd.kernelModules = [ "amdgpu" ]; # GPU support
boot.kernelModules = [];
boot.extraModulePackages = [];
{
flake.nixosModules.hosts.builder = {lib, ...}: {
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
# boot.initrd.kernelModules = [ "amdgpu" ]; # GPU support
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/f088fe8e-bf3d-4a89-98bd-ead9852d381f";
fsType = "ext4";
fileSystems."/" = {
device = "/dev/disk/by-uuid/f088fe8e-bf3d-4a89-98bd-ead9852d381f";
fsType = "ext4";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# hardware.graphics = {
# enable = true;
# extraPackages = with pkgs; [
# rocmPackages.clr.icd
# linuxPackages.amdgpu-pro
# ];
# };
# boot.kernelParams = [
# "radeon.si_support=0"
# "radeon.cik_support=1"
# "amdgpu.si_support=0"
# "amdgpu.cik_support=1"
# ];
# boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
# boot.blacklistedKernelModules = [ "radeon" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# Emulated systems used as alternative to cross-compiling
boot.binfmt.emulatedSystems = ["aarch64-linux"];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# hardware.graphics = {
# enable = true;
# extraPackages = with pkgs; [
# rocmPackages.clr.icd
# linuxPackages.amdgpu-pro
# ];
# };
# boot.kernelParams = [
# "radeon.si_support=0"
# "radeon.cik_support=1"
# "amdgpu.si_support=0"
# "amdgpu.cik_support=1"
# ];
# boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
# boot.blacklistedKernelModules = [ "radeon" ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# Emulated systems used as alternative to cross-compiling
boot.binfmt.emulatedSystems = ["aarch64-linux"];
}

16
hosts/common/global/auto-upgrade.nix
View File

@@ -1,16 +0,0 @@
{
inputs,
config,
...
}: {
system.hydraAutoUpgrade = {
# Only enable if not dirty
enable = inputs.self ? rev;
dates = "*:0/10"; # Every 10 minutes
instance = "http://hydra.julian-mutter.de";
project = "dotfiles";
jobset = "main";
job = "hosts.${config.networking.hostName}";
oldFlakeRef = "self";
};
}

47
hosts/common/global/default.nix
View File

@@ -1,47 +0,0 @@
# Common config for all hosts
{
inputs,
outputs,
pkgs,
lib,
...
}: {
imports =
[
./fish.nix # fish for admin
./locale.nix
./nix.nix
./sops.nix
./root.nix
]
++ [
inputs.home-manager.nixosModules.home-manager
]
++ (builtins.attrValues outputs.nixosModules);
# Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
# Enables non-free firmware
hardware.enableRedistributableFirmware = true;
# Networking
networking.networkmanager = {
enable = true;
plugins = with pkgs; [
networkmanager-openconnect
];
};
services.resolved.enable = false;
# MDNS Taken by avahi
# networking.networkmanager.dns = "none";
networking.nameservers = lib.mkDefault [
"1.1.1.1"
"8.8.8.8"
];
# HM module
home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
home-manager.extraSpecialArgs = {
inherit inputs outputs;
};
}

10
hosts/common/global/fish.nix
View File

@@ -1,10 +0,0 @@
{
programs.fish = {
enable = true;
vendor = {
completions.enable = true;
config.enable = true;
functions.enable = true;
};
};
}

26
hosts/common/global/locale.nix
View File

@@ -1,26 +0,0 @@
{
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
# Keymap
services.xserver.xkb = {
layout = "de";
variant = "";
};
console.keyMap = "de";
time.timeZone = "Europe/Berlin";
}

46
hosts/common/global/nix.nix
View File

@@ -1,46 +0,0 @@
{outputs, ...}: {
# Apply overlays
nixpkgs = {
# TODO: apply this to hm and nixos without duplicate code
overlays = builtins.attrValues outputs.overlays;
config = {
nvidia.acceptLicense = true;
allowUnfree = true;
allowUnfreePredicate = _: true; # TODO: what is this
warn-dirty = false;
permittedInsecurePackages = [
"olm-3.2.16"
];
};
};
# optimize at every build, slows down builds
# better to do optimise.automatic for regular optimising
# nix.settings.auto-optimise-store = lib.mkDefault true;
nix.settings.experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
];
# warn-dirty = false;
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
persistent = true;
};
nix.optimise = {
automatic = true;
dates = ["weekly"]; # Optional; allows customizing optimisation schedule
persistent = true;
};
programs.nix-ld.enable = true;
# TODO: is this useful?, what does it do?
# nix.settings.flake-registry = ""; # Disable global flake registry
# Add each flake input as a registry and nix_path
# registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
# nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
}

9
hosts/common/global/root.nix
View File

@@ -1,9 +0,0 @@
{pkgs, ...}: {
# Packages needed as root
environment.systemPackages = with pkgs; [
vim
htop
mc
gparted-xhost # needs to be installed as system package so it can be actually opened
];
}

22
hosts/common/global/sops.nix
View File

@@ -1,22 +0,0 @@
{
inputs,
config,
...
}: let
isEd25519 = k: k.type == "ed25519";
getKeyPath = k: k.path;
keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
in {
imports = [inputs.sops-nix.nixosModules.sops];
sops.age = {
sshKeyPaths = map getKeyPath keys;
# TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
# keyFile = "/home/julian/.config/sops/age/keys.txt";
# Generate key if none of the above worked. With this, building will still work, just without secrets
generateKey = false; # TODO: building should not work without secrets!?
};
sops.defaultSopsFile = ../secrets.yaml;
}

29
hosts/common/optional/authentication.nix
View File

@@ -1,29 +0,0 @@
{
pkgs,
lib,
...
}: {
# Make programs like nextcloud client access saved passwords
services.gnome.gnome-keyring.enable = true;
programs.seahorse.enable = true;
programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
# Make authentication work for e.g. gparted
security.polkit.enable = true;
systemd = {
user.services.polkit-gnome-authentication-agent-1 = {
description = "polkit-gnome-authentication-agent-1";
wantedBy = ["graphical-session.target"];
wants = ["graphical-session.target"];
after = ["graphical-session.target"];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
}

12
hosts/common/optional/avahi.nix
View File

@@ -1,12 +0,0 @@
{
# MDNS on local network
services.avahi = {
enable = true;
nssmdns4 = true;
nssmdns6 = true;
publish.enable = true;
publish.addresses = true;
ipv4 = true;
ipv6 = true;
};
}

31
hosts/common/optional/binarycaches.nix
View File

@@ -1,31 +0,0 @@
{
lib,
outputs,
...
}: {
# Setup binary caches
nix.settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
"https://hyprland.cachix.org"
"http://binarycache.julian-mutter.de"
"https://devenv.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
];
trusted-users = [
"root"
"@wheel"
]; # needed for devenv to add custom caches
# Ensure we can still build when missing-server is not accessible
fallback = true;
};
}

17
hosts/common/optional/boot-efi.nix
View File

@@ -1,17 +0,0 @@
{
# Bootloader
# Use this for simple nix boot menu, if no dual boot required
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 10;
boot.loader.efi.canTouchEfiVariables = true;
# https://github.com/NixOS/nixpkgs/blob/c32c39d6f3b1fe6514598fa40ad2cf9ce22c3fb7/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix#L66
boot.loader.systemd-boot.editor = false;
boot.supportedFilesystems = [
"btrfs"
"ntfs"
"nfs"
"cifs"
];
}

5
hosts/common/optional/docker.nix
View File

@@ -1,5 +0,0 @@
{
virtualisation.docker = {
enable = true;
};
}

6
hosts/common/optional/flatpak.nix
View File

@@ -1,6 +0,0 @@
{pkgs, ...}: {
services.flatpak.enable = true;
xdg.portal.enable = true;
xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
xdg.portal.config.common.default = "*"; # Use first portal implementation found
}

21
hosts/common/optional/gamemode.nix
View File

@@ -1,21 +0,0 @@
{pkgs, ...}: {
programs.gamemode = {
enable = true;
settings = {
general = {
softrealtime = "auto";
inhibit_screensaver = 1;
renice = 5;
};
# gpu = {
# apply_gpu_optimisations = "accept-responsibility";
# gpu_device = 1;
# amd_performance_level = "high";
# };
custom = {
start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
};
};
};
}

13
hosts/common/optional/gdm.nix
View File

@@ -1,13 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
services.xserver.displayManager.gdm = {
enable = true;
};
# unlock GPG keyring on login
security.pam.services.gdm.enableGnomeKeyring = true;
}

37
hosts/common/optional/greetd.nix
View File

@@ -1,37 +0,0 @@
{config, ...}: let
homeCfgs = config.home-manager.users;
julianCfg = homeCfgs.julian;
in {
users.extraUsers.greeter = {
# For caching
home = "/tmp/greeter-home";
createHome = true;
};
programs.regreet = {
enable = true;
iconTheme = julianCfg.gtk.iconTheme;
theme = julianCfg.gtk.theme;
# font = julianCfg.fontProfiles.regular; # TODO: do
cursorTheme = {
inherit (julianCfg.gtk.cursorTheme) name package;
};
cageArgs = [
"-s"
"-m"
"last"
]; # multimonitor use last monitor
# settings.background = {
# path = julianCfg.wallpaper;
# fit = "Cover";
# }; # TODO: fix
# TODO: setting keyboard language does not work
# settings = {
# env = {
# XKB_DEFAULT_LAYOUT = "de";
# # XKB_DEFAULT_VARIANT = "altgr-intl";
# };
# };
};
}

16
hosts/common/optional/i3.nix
View File

@@ -1,16 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
services.xserver.windowManager.i3.enable = true;
services.xserver.windowManager.i3.package = pkgs.i3-gaps;
services.displayManager.defaultSession = "none+i3";
programs.xss-lock = {
# responds to "loginctl lock-session" via dbus
enable = true;
lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
};
}

23
hosts/common/optional/kerberos.nix
View File

@@ -1,23 +0,0 @@
{
security.krb5.enable = true;
security.krb5.settings = {
# domain_realm = {
# ".julian-mutter.de" = "julian-mutter.de";
# "julian-mutter.de" = "julian-mutter.de";
# };
libdefaults = {
default_realm = "julian-mutter.de";
# dns_lookup_realm = true;
# dns_lookup_kdc = true;
# ticket_lifetime = "24h";
# renew_lifetime = "7d";
};
realms = {
"julian-mutter.de" = {
kdc = ["kerberos.julian-mutter.de"];
admin_server = "kerberos-admin.julian-mutter.de";
default_domain = "julian-mutter.de";
};
};
};
}

49
hosts/common/optional/openssh.nix
View File

@@ -1,49 +0,0 @@
{
outputs,
lib,
config,
...
}: let
hosts = lib.attrNames outputs.nixosConfigurations;
in {
services.openssh = {
enable = true;
settings = {
# Harden
PasswordAuthentication = false;
PermitRootLogin = "no";
# TODO: what does this do
# Let WAYLAND_DISPLAY be forwarded
AcceptEnv = "WAYLAND_DISPLAY";
X11Forwarding = true;
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
# TODO: is automatic known hosts file even necessary?
# programs.ssh = {
# # Each hosts public key
# knownHosts = lib.genAttrs hosts (hostname: {
# publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
# extraHostNames =
# [
# # "${hostname}.m7.rs"
# ]
# ++
# # Alias for localhost if it's the same host
# (lib.optional (hostname == config.networking.hostName) "localhost")
# # Alias to m7.rs and git.m7.rs if it's alcyone
# ++ (lib.optionals (hostname == "alcyone") [
# "m7.rs"
# "git.m7.rs"
# ]);
# });
# };
}

9
hosts/common/optional/pcmanfm.nix
View File

@@ -1,9 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
shared-mime-info # extended mimetype support
lxmenu-data # open with "Installed Applications"
pcmanfm
];
services.gvfs.enable = true; # Mount, trash, and other functionalities
}

28
hosts/common/optional/pipewire.nix
View File

@@ -1,28 +0,0 @@
{
security.rtkit.enable = true;
services.pulseaudio.enable = false;
services.pipewire = {
enable = true;
wireplumber.enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
extraConfig.pipewire = {
"99-no-bell" = {
# Disable bell sound
"context.properties" = {
"module.x11.bell" = false;
};
};
"10-increase-buffer" = {
"context.properties" = {
"default.clock.rate" = 48000;
"default.clock.quantum" = 1024;
"default.clock.min-quantum" = 1024;
"default.clock.max-quantum" = 2048;
};
};
};
};
}

10
hosts/common/optional/podman.nix
View File

@@ -1,10 +0,0 @@
{config, ...}: let
dockerEnabled = config.virtualisation.docker.enable;
in {
virtualisation.podman = {
enable = true;
dockerCompat = !dockerEnabled;
dockerSocket.enable = !dockerEnabled;
defaultNetwork.settings.dns_enabled = true;
};
}

12
hosts/common/optional/redshift.nix
View File

@@ -1,12 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
# Set location used by redshift
location.provider = "manual";
location.latitude = 47.92;
location.longitude = 10.12;
services.redshift.enable = true;
}

34
hosts/common/optional/remote-builder.nix
View File

@@ -1,34 +0,0 @@
{
nix.distributedBuilds = true;
nix.settings.builders-use-substitutes = true;
nix.buildMachines = [
{
hostName = "builder.julian-mutter.de";
protocol = "ssh";
sshUser = "nix";
systems = [
"x86_64-linux"
"aarch64-linux"
];
maxJobs = 4;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
];
mandatoryFeatures = [];
}
# {
# hostName = "localhost";
# protocol = null;
# systems = [
# "x86_64-linux"
# ];
# maxJobs = 4;
# speedFactor = 1;
# }
];
}

16
hosts/common/optional/thunar.nix
View File

@@ -1,16 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
programs.thunar.enable = true;
programs.xfconf.enable = true; # Persist saved preferences
programs.thunar.plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
thunar-media-tags-plugin
];
services.gvfs.enable = true; # Mount, trash, and other functionalities
services.tumbler.enable = true; # Thumbnail support for images
}

12
hosts/common/optional/virtualbox.nix
View File

@@ -1,12 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
virtualisation.virtualbox.host.enable = true;
# virtualisation.virtualbox.host.enableExtensionPack = true;
# virtualisation.virtualbox.guest.enable = true;
# virtualisation.virtualbox.guest.x11 = true;
users.extraGroups.vboxusers.members = ["julian"];
}

12
hosts/common/optional/wireguard.nix
View File

@@ -1,12 +0,0 @@
{
networking.wg-quick.interfaces = {
julian = {
configFile = "/etc/wireguard/julian.conf";
autostart = true; # This interface is started on boot
};
comu = {
configFile = "/etc/wireguard/comu.conf";
autostart = false;
};
};
}

9
hosts/common/optional/wireshark.nix
View File

@@ -1,9 +0,0 @@
{
programs.wireshark = {
enable = true;
dumpcap.enable = true;
usbmon.enable = true;
};
users.users.julian.extraGroups = ["wireshark"];
}

6
hosts/common/optional/xserver.nix
View File

@@ -1,6 +0,0 @@
{
services.xserver = {
enable = true;
wacom.enable = true;
};
}

53
hosts/common/secrets.yaml
View File

@@ -1,53 +0,0 @@
#ENC[AES256_GCM,data:NSxfTl2hTXEoGl23aQnElG+df/1YzA==,iv:+oy9oITMGzdM2muDUPjwxJqUu1Bdyregl65/0hiulZ0=,tag:VKjforpyahKj0ktIN36gNw==,type:comment]
julian-password: ENC[AES256_GCM,data:tgeu4uVI91j34+Gfzy2Uckmopj9bJNWiu65W0cdA76Kly3LH7RqXCq4rNM4DCwrsX3k9WdOlGX6T9edIjJgmbbe6MkeH7oQwiA==,iv:GE6zfSHymkAewjry7fofURz70az608+hja385LLeCIY=,tag:FqTopL5DyM3DTpa7AoGPDg==,type:str]
wifi:
pianonix: ENC[AES256_GCM,data:Ty1wElfVj+CU9bTbpuYIk2dA4fgFm59PkQGqvODn51Q=,iv:bLomyTlOW2Z4rPbue7Klo6Jt5lR+44AuL+dIMFgDNAE=,tag:DuH2ayeb19dkPi9xmbAu3A==,type:str]
syncthing:
public-keys:
aspi-nix: ENC[AES256_GCM,data:ZTykdQCyh4DMuQUCy1DSKsGNxxn1dinaqztpDdJY53pkWcW4YcWRHk94iGJQZgG1oLfr3AB2S3J6b9w2WuV3,iv:9z2ovHzq6JjRtHzNMIQtcUCinIjG/ImSGqqC7KPhpuw=,tag:No2LCjD+XXB77Su+s98MIA==,type:str]
pianonix: ENC[AES256_GCM,data:pUJPXH47VG363aIoxZwmbVe3uBoO7EO2TflK4f761C7PwD0tFNthZt9HRE6gQXAMQMF6qWzNK3CNGspSzKsE,iv:E89oz8BG5iQW/mRzdxSrYewGeVLiCrTcAF+c9ny6gPc=,tag:rLqwUmFDsaOMClR1tbE1sA==,type:str]
pianonix:
key: ENC[AES256_GCM,data:IaCXIRDMWCHj3lTKpkLg1Nd3pX4bktWg4WjZPGKgTBCLVkMi/SDtlaoNhDz+a+Vt6jYTXHS4exFnIVJ878nWSrA1sD2NHXmfsMh1kkLhub68qv0M33dBXvgX0vQ51Z1WMoti73yDUjJH8Ym5yF/SCg2+RbkVf+4pe2hSlAzwkGP6YC2rbCE5sZG31C55MkaGC6zwo2ZpZXdVhCW845SqAc11cF/OeEHb9B1FS3rd+El7rlJHrIEVQTkomNLshcspb13H0z3vNhtfu9pPkGxee8Hp/hEhFQ+waWBAg4w15yKihjHJmhzdjhDHCilvwYaceb7b5OwARuuiruQ+cJ40bdnStDpi2ouP8QJjEi7tmKWeplZ0X70PVZJFH/e/mTH5,iv:3hQMB4ka31w3chXXwjl/1IHF8ES/RobZVeugMC3ddlU=,tag:j8wwrNQUQbCEGtcriSpc4g==,type:str]
cert: ENC[AES256_GCM,data:v9LO8qpeGDDV6I+AJU5iTYKKBV6qgr1ddwLvBVEOYyvmtPNeqaatYaK6vMBCabBIhxQu2NC96pREvWu1UHbxaMWvSCT1TzrIPrcFm+gKCH6PIPhqcnQpdGa3OYn01ohThpLp8hEmVUpJ0FO/AnE1QHK0VfPqJ3S0uHLjSCBJtxLmcBWNVvlcTU/P68QIQkrYAQRAtz9aDS+JNpUKhwCJBgjpY1Thj8Lj/fpc1t0qWo3BKIL3eW5iSlUW0iEriFS0bkMr4Bi9mNqpO26l1eZ3IXFJy/7pkqhmXXW83qOaF9AFXgg41p1Kjw4G6isB/obuhR7Z4oQ/AtkSU0wxHP4mF0AWrvC7/YGlrDG9aPYUEWOexTTBHkm89PhgEa69sekbzac7mYYFi/MIdU34ks4oc8ZIChWpT+V66mbo4f+3mn7raih5SLnyEMS7ENBes9cQC7SghSpB7D8c/2+q74A5aEZHUWRhqiDEx9IggP43SiWuNnb/HyZw16RUB7xnQKPs7LzAVlLC6M7ZETUmyEDEWWOsDY8+0Li4wuD3z4WXLAD9nP43TMx4GNoafjG+0Gu05hSR8fWv8strRCtIWjzK3wMaD9VT/cbt2oqOBkJcaqIW8+lM+ktk1WsD4Kc1DQ4q5O2oMrdPOWI9xZOs7DQTFshLHuvxutN05vgEUovI1vbMOl7SIzUW8YUY9PN0ofC7zwQlEJxfOdqT0nwv9vmqikSMP6V3jXgP5OnPb4KVx8G27X0oCjN++dJgDxdkh2JiLR9JaJHNmYPtLlP7hU4NsBpRpd9ObxRlv+uIbF2o0I8PGXMo3IVnRjrFDrRyoth2UJ+YUMGCVuonoS+nZLMCNz1xwRMaZBYjSEESmxc2Ilwdu3XTzd1KF282UvumBpRwcNxvsmPhI84v/XV8TJE8Z7YxyO3RYBQHD5+OuHOHKTtlajnKpSp/m0p0QR7rrGFoDuDKp+Z81MKz8wz3/8GG+sDh0pgniUfNyrmLroLPdT6nj0brvSVWYmOIJHDHKqM+6HZok5PyS+uHlb5dzwnmrd9OmhmwPVdkP5s=,iv:X9VNz2nsN4ywu3E0c+agwZCl43I4bt6jHz0jMoMFTJQ=,tag:RZUWa4h5JoIiZaDrYgcAeg==,type:str]
sops:
age:
- recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBualdnWmtBTThhZDFVdDRP
WHlMamk1MFhUYUwwa0hyQmpobGNocC9VR0ZVCmc3N1FjcUZCNUdTTm91OVpwZDhP
bTNXekp2bDd3Tjh6a2ZVTVNTSW9RTU0KLS0tIGJpcUVHb2ZlODgvelhwQ0JFU3l5
WU5VanhYMTUvNklYazJxOXVveXhpM2cKCo+4FhhcbRylASEbQb9rAQUzEO1D+0AR
52Jzc9s9rSdypeBRE7SaSOI4eVnkEjPfyhNFvMdxiBzBj7GdocpmCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4STZpU0ZnRzVVOFFRUXZG
akcwS2Z5V3lmQzRTSGNHT2hDME5JMks2QTNNClpkZzNMc0wyRjVEaVlBRFlyNFhs
M1pyeW1XdnZubnRxMzEzMFJoK0lkVVEKLS0tIENhRExzUWRWMUlObmhxazM5cU9y
aDFyaDJackFoaEZOYWdTbWt0ODB1bm8Kg1VDAj5/i8ZbYxspIdXrI474YN5YkV4H
86maCRDfUxO5lvu4zBa9pOmFtJ2iuJ2MxDnmCSHTl+GOk8yyUT8JhA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tguyu2yd5xv8rgjjl50cq6dq5rr7umqgv098dgre4u9wyj30ea7sexw62c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveE9NV2JCOW9odlN6Wmkw
WFEvU2pka3htV2FTTFlpc05ES2JjbGxTaFJZCjhYdG1sRVBFaEF3YjNkWEw3Ny8x
MlYyTjJBMHA2YVpHRkkwWW5hNDdrS1UKLS0tIFZXTFNVbkd6VFExc0dSVU4vd3JF
ajlFY2pvWW13VGxOZ0hEc3dMbU9IeUUKNSf7ycj+1XHhsoghmY2iR1BwIySqfIOF
zawE+MQcQg0u+fy6Aik26eUGvQG3rya2Fx2+3VlAbKB+rbiP0fwsgg==
-----END AGE ENCRYPTED FILE-----
- recipient: age15lxw97z03q40xrdscnxqqugh5ky5aqrerg2t2rphkcqm6rnllurq8v98q5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxaTNJNkJ0RVJiYlRzcmlX
TmEweVdLaGpoVXMxZEFDU3dOZTJCRjdiNENBCkZ3bjJUNm1vcmY1ZUpZcEo4OGxa
UWJKSjNKL002UDhmTmJER2M0MjJ3aG8KLS0tIFMvZjBkOS83T3NDUE82M3kweVNw
VXhoN0VyWkVxMEJPQ3orVUNDK21rRU0KvnmuFxcCpP+LZg7v5jaStw9F0owVrQl9
AkIq7GUJh7xewLxcVZfiBRpXMhw/mM8LYnd2KGP8R/TfYg+v0//+5A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-23T07:00:17Z"
mac: ENC[AES256_GCM,data:JgaTIRbzD0hs2o86xUlQrPN2cPXvsuTH/zKG5xbQIDaYcEvD/mkuVa3hfnYKrA91kWg2Y1DgEi9583+o6UCl/+ldY4ptu+xpnYfyQFdhM4rB+KoP/pDt8vQKQ3zAX8fpAkugCgTTbuvm3TfQ1nt98V8boyhCn4JHNC1T0j7ZtZI=,iv:G3YJOLeDWDKuANo2mxS2JAdrRaonD87CU9BpCZZrlRs=,tag:mcKIdP5cSQUwNL2tcv/o6g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1

50
hosts/common/users/julian/default.nix
View File

@@ -1,50 +0,0 @@
{
pkgs,
config,
lib,
...
}: let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
users.mutableUsers = false;
users.users.julian = {
description = "Julian";
group = "julian";
isNormalUser = true;
uid = 1000;
shell = pkgs.fish;
extraGroups = ifTheyExist [
"networkmanager"
"wheel"
"audio"
"realtime"
"rtkit"
"network"
"video"
"podman"
"docker"
"git"
"gamemode"
"dialout"
];
openssh.authorizedKeys.keys = lib.splitString "\n" (
builtins.readFile ../../../../homes/julian/ssh.pub
);
# hashedPasswordFile = config.sops.secrets.julian-password.path;
hashedPassword = "$y$j9T$N33kLJQbV8soUoCbDkpwA1$r/yahJDgOPo4GGOrAi6BUG5zLTzmaBrA5NQ4nno561A";
packages = [pkgs.home-manager];
};
users.groups.julian = {
gid = 1000;
};
sops.secrets.julian-password = {
sopsFile = ../../secrets.yaml;
neededForUsers = true;
};
home-manager.users.julian = import ../../../../homes/julian/${config.networking.hostName}.nix;
security.pam.services.swaylock = {}; # Make swaylock unlocking work
}

28
hosts/common/users/pob/default.nix
View File

@@ -1,28 +0,0 @@
{
pkgs,
config,
...
}: let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
users.mutableUsers = false;
users.users.pob = {
description = "A helper user to use another profile for some applications";
group = "pob";
isNormalUser = true;
shell = pkgs.fish;
extraGroups = ifTheyExist [
"networkmanager"
];
packages = with pkgs; [
firefox
wineWowPackages.stable # 32-bit and 64-bit wine
winetricks
];
};
users.groups.pob = {};
security.sudo.extraConfig = ''
julian ALL=(pob) NOPASSWD: ALL
'';
}

30
hosts/common/users/wolfi/default.nix
View File

@@ -1,30 +0,0 @@
{
pkgs,
config,
...
}: let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
users.mutableUsers = false;
users.users.wolfi = {
description = "Wolfi";
group = "wolfi";
isNormalUser = true;
shell = pkgs.fish;
extraGroups = ifTheyExist [
"networkmanager"
"wheel"
"audio"
"network"
"video"
"podman"
"docker"
"git"
"gamemode"
];
hashedPassword = "$y$j9T$ifzWjoZaRtPUOOfMYnbJ20$uFOO1EyDApL52vRUicZYgupaTA/a6sGNUj3imZ/lcb6";
packages = [pkgs.home-manager];
};
users.groups.wolfi = {};
}

97
hosts/common/users/yukari/default.nix
View File

@@ -1,97 +0,0 @@
{
pkgs,
config,
lib,
outputs,
...
}: let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
users.mutableUsers = false;
users.users.yukari = {
description = "Yukari";
group = "yukari";
isNormalUser = true;
shell = pkgs.fish;
extraGroups = ifTheyExist [
"networkmanager"
"audio"
"network"
"video"
"podman"
"docker"
"git"
"gamemode"
];
createHome = true;
hashedPassword = "$y$j9T$rGuTL0rfiy7ht8L58BGCw0$fN.KwHjYlIitFEPHndKvV06ezgeWzP3/58o1kkviZwB";
packages = [pkgs.home-manager];
};
users.groups.yukari = {};
home-manager.users.yukari = {
imports =
[
../../../../homes/julian/features/fonts
../../../../homes/julian/features/suites/cli
]
++ (builtins.attrValues outputs.homeManagerModules);
home = {
username = lib.mkDefault "yukari";
homeDirectory = lib.mkDefault "/home/${config.home.username}";
stateVersion = lib.mkDefault "23.11";
sessionPath = ["$HOME/.local/bin"];
packages = with pkgs; [
arandr
calibre # ebook manager and viewer
# digikam
discord
discord-ptb # in case discord updates take their time
# dvdisaster
# element-desktop
# rocketchat-desktop
thunderbird
telegram-desktop # telegram
# schildichat-desktop # not updated regularly
nheko
evince # Simple pdf reader, good for focusing on document content
firefox
vivaldi
# geogebra
cheese
handbrake
# kitty # Terminal, already available as feature
libnotify
libreoffice
mate.engrampa
nomacs # Image viewer
kdePackages.okular # Pdf reader with many features, good for commenting documents
pavucontrol
qalculate-gtk # Nice gui calculator
qpdfview
# qutebrowser
# realvnc-vnc-viewer
# rustdesk
tor-browser
# frajul.pob-dev-version # Path of Building
vlc
wineWowPackages.stable # 32-bit and 64-bit wine
winetricks
xclip # x11 clipboard access from terminal
xfce.mousepad # simple text editor
xournalpp # Edit pdf files
zoom-us # Video conferencing
zotero # Manage papers and other sources
pdfpc # Present slides in pdf form
];
};
programs = {
home-manager.enable = true;
git.enable = true;
};
};
}

81
hosts/kardorf/default.nix
View File

@@ -1,50 +1,59 @@
{pkgs, ...}: {
imports = [
./hardware-configuration.nix
{
inputs,
self,
...
}: {
flake.nixosConfigurations.kardorf = inputs.nixpkgs.lib.nixosSystem {
modules = [
self.nixosModules.hosts.kardorf
];
};
flake.nixosModules.hosts.kardorf = {pkgs, ...}: {
imports = [
../common/global
../common/users/julian
../common/users/wolfi
../common/optional/binarycaches.nix
../common/global
../common/users/julian
../common/users/wolfi
../common/optional/binarycaches.nix
# ../common/optional/xserver.nix
../common/optional/remote-builder.nix
../common/optional/boot-efi.nix
# ../common/optional/xserver.nix
../common/optional/remote-builder.nix
../common/optional/boot-efi.nix
../common/optional/greetd.nix
../common/optional/authentication.nix
../common/optional/pcmanfm.nix
../common/optional/pipewire.nix
../common/optional/greetd.nix
../common/optional/authentication.nix
../common/optional/pcmanfm.nix
../common/optional/pipewire.nix
../common/optional/virtualbox.nix
../common/optional/virtualbox.nix
# ../common/optional/gdm.nix
# ../common/optional/i3.nix
# ../common/optional/gdm.nix
# ../common/optional/i3.nix
../common/optional/openssh.nix
../common/optional/openssh.nix
../common/optional/podman.nix
../common/optional/flatpak.nix
];
../common/optional/podman.nix
../common/optional/flatpak.nix
];
networking.hostName = "kardorf";
system.stateVersion = "22.11";
networking.hostName = "kardorf";
system.stateVersion = "22.11";
# Not using the drivers leads to way better results
# services.xserver.videoDrivers = [ "nvidia" ];
# Not using the drivers leads to way better results
# services.xserver.videoDrivers = [ "nvidia" ];
networking.networkmanager.insertNameservers = ["192.168.3.252"];
networking.networkmanager.insertNameservers = ["192.168.3.252"];
programs.kdeconnect.enable = true;
programs.steam.enable = true;
programs.kdeconnect.enable = true;
programs.steam.enable = true;
programs.hyprland.enable = true;
services.desktopManager.plasma6.enable = true;
programs.hyprland.enable = true;
services.desktopManager.plasma6.enable = true;
# Enable CUPS to print documents.
services.printing.enable = true;
services.printing.browsing = true;
services.printing.drivers = with pkgs; [gutenprint];
# Enable CUPS to print documents.
services.printing.enable = true;
services.printing.browsing = true;
services.printing.drivers = with pkgs; [gutenprint];
services.libinput.enable = true;
services.libinput.enable = true;
};
}

165
hosts/kardorf/hardware-configuration.nix
View File

@@ -1,89 +1,88 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
...
}: {
boot.initrd.availableKernelModules = [
"ehci_pci"
"ahci"
"xhci_pci"
"usbhid"
"uas"
"usb_storage"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.loader.efi.efiSysMountPoint = "/boot/efi";
fileSystems."/" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=root"
"compress=zstd"
flake.nixosModules.hosts.kardorf = {
config,
lib,
...
}: {
boot.initrd.availableKernelModules = [
"ehci_pci"
"ahci"
"xhci_pci"
"usbhid"
"uas"
"usb_storage"
"sd_mod"
"sr_mod"
];
};
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.loader.efi.efiSysMountPoint = "/boot/efi";
fileSystems."/home" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=home"
"compress=zstd"
fileSystems."/" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=root"
"compress=zstd"
];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=home"
"compress=zstd"
];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
fileSystems."/swap" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=swap"
"noatime"
];
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/7D48-A59C";
fsType = "vfat";
};
swapDevices = [
{
device = "/swap/swapfile";
size = 16 * 1024;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Use latest version of driver
# hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
hardware.nvidia.modesetting.enable = true; # produces errors, display manager fails to start
hardware.nvidia.nvidiaSettings = true;
hardware.nvidia.open = false;
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
fileSystems."/swap" = {
device = "/dev/disk/by-uuid/97a9342e-0be0-4193-9a25-03400fc7da94";
fsType = "btrfs";
options = [
"subvol=swap"
"noatime"
];
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/7D48-A59C";
fsType = "vfat";
};
swapDevices = [
{
device = "/swap/swapfile";
size = 16 * 1024;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Use latest version of driver
# hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
hardware.nvidia.modesetting.enable = true; # produces errors, display manager fails to start
hardware.nvidia.nvidiaSettings = true;
hardware.nvidia.open = false;
}

523
hosts/pianonix/default.nix
View File

@@ -1,276 +1,285 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
lib,
inputs,
config,
pkgs,
self,
...
}: {
imports = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
./hardware-configuration.nix
../common/global
../common/users/julian
../common/optional/binarycaches.nix
../common/optional/pipewire.nix
../common/optional/remote-builder.nix
../common/optional/pcmanfm.nix
../common/optional/redshift.nix
../common/optional/authentication.nix
../common/optional/avahi.nix
];
environment.systemPackages = [
(pkgs.python3.withPackages (p:
with p; [
numpy
pillow
flask
rpi-gpio
webcolors
psutil
mido
rtmidi-python
spidev
waitress
websockets
werkzeug
pkgs.frajul.rpi-ws281x-python
]))
];
# disko.devices.disk.main.device = "/dev/mmcblk1";
# enabled by fish, disabling speeds up builds
documentation.man.generateCaches = false;
# networking.enableIPv6 = false; # This only leads to issues with avahi
# services.avahi.ipv6 = false;
hardware.raspberry-pi."4".bluetooth.enable = true;
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true; # bluetooth gui
# raspberry pi specific
# systemd.services.btattach = {
# before = [ "bluetooth.service" ];
# after = [ "dev-ttyAMA0.device" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
# };
# };
# networking.wireless.enable = true;
# networking.wireless.secretsFile = config.sops.secrets."wifi/pianonix".path;
# networking.wireless.networks = {
# "SMARTments".pskRaw = "ext:PSK";
# };
# networking.networkmanager.enable = lib.mkForce false;
services.gnome.at-spi2-core.enable = true; # for onboard
networking.hostName = "pianonix";
system.stateVersion = "22.11";
sops.secrets."vnc-passwd" = {
owner = config.users.users.julian.name;
sopsFile = ./secrets-vnc-passwd.bin;
format = "binary";
};
sops.secrets."wifi/pianonix" = {};
sops.secrets."syncthing/pianonix/key" = {};
sops.secrets."syncthing/pianonix/cert" = {};
# sops.secrets."syncthing/public-keys/aspi-nix" = { };
# sops.secrets."syncthing/public-keys/pianonix" = { };
sops.secrets."wg-config" = {
sopsFile = ./secrets-wg-config.bin;
format = "binary";
};
networking.wg-quick.interfaces = {
home = {
configFile = config.sops.secrets."wg-config".path;
autostart = true; # This interface is started on boot
};
};
modules = {
syncthing = {
enable = true;
overrideSettings = true;
};
};
# Enable the Desktop Environment.
# services.xserver.displayManager.lightdm.enable = true;
services.displayManager.defaultSession = "xfce";
services.displayManager.autoLogin = {
enable = true;
user = "julian";
};
systemd.services.x11vnc = {
description = "Run x11vnc server";
after = ["display-manager.service"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${pkgs.x11vnc}/bin/x11vnc -rfbauth ${
config.sops.secrets."vnc-passwd".path
} -forever -loop -noxdamage -repeat -rfbport 5900 -shared";
User = config.users.users.julian.name;
Restart = "on-failure";
Environment = "DISPLAY=:0";
};
};
boot.loader.timeout = lib.mkForce 1; # Set boot loader timeout to 1s
# De-facto disable network manager, which is enabled by gnome
# networking.networkmanager.unmanaged = [ "*" ];
services.xserver.enable = true;
services.xserver.desktopManager = {
xfce = {
enable = true;
};
};
services.xserver.displayManager.sessionCommands = ''
# Prevent screen from going blank or turning off (values in min)
${pkgs.xfce.xfconf}/bin/xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/blank-on-ac -s 0
${pkgs.xfce.xfconf}/bin/xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep -s 0
${pkgs.xfce.xfconf}/bin/xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-off -s 0
'';
services.xserver.xautolock.enable = false;
services.xserver.desktopManager.xfce.enableScreensaver = false;
# xdg.portal.lxqt.enable = true;
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVk/m4ydcYXzHxTWeNw2MlwxKU+JirTVOeHsYR4wdTokwYyNWZ3/zPcU4+XekSRatwJW1LJYrZ1Y5IJkobzgnOvYVI7SXZ1Tbzb1kAcnChSt+Dp/pKdMPZ8yY3PTFZh+R5F3rWFA/YZqTRhh0vuxPIVbLl7zOPExWwYGn9crkZaYZvKHVvgE5660hXo9pxbUKsSs+DIy/AE7gfKiZLusY95nk9T/jZ7Vmhl0UsF0RiDsfxgE664/vEKe8b+82kKCDt5nJVe8THSrjaw4+NUhef6R8UoUO1/Pn4TKq3Gil3Z36wPEPdkw2lYzX+d1EFyaC3hZJedSUfdFliPOejIbNvvhPBBD1wAGxxyuJZB5KLwWN7/efwCgw45buLbVfUuwwug7K7GK84A3yzqClbZKKv8rYdO04UG64A+Taq2LeyxQIDjygTgGk/1j/0Neb1RO0FbjlbTeNMZ54P+u7BTEcikJCsbFeseWDtYzupQtLt96KMbcdRgHy0CTGqFHE+my8= julian@julian-aspi"
];
services.syncthing.key = config.sops.secrets."syncthing/pianonix/key".path;
services.syncthing.cert = config.sops.secrets."syncthing/pianonix/cert".path;
services.syncthing.settings = {
devices = {
"aspi-nix" = {
id = "DM5QRYU-ILJ4XYB-4V6NZDG-RAMVOND-3RSDSYR-52TW6RW-3XIU333-T7FNAA3";
};
"pianonix" = {
id = "FD3XSFW-7LQSCIQ-KHZPLNQ-7VZYGKH-RJ2ZKTJ-BG67NRH-36TQIZM-CXDYWAH";
};
};
folders = {
"Klavier" = {
path = "/home/julian/Klavier";
id = "flc3m-q4gp2";
devices = [
"aspi-nix"
"pianonix"
];
};
};
};
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
5900 # for vnc
];
# Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!
# If no user is logged in, the machine will power down after 20 minutes.
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## Raspberry pi specific config
# hardware.raspberry-pi."4" = {
# fkms-3d.enable = true;
# touch-ft5406.enable = true;
# };
# Prevent host becoming unreachable on wifi after some time (for raspberry pi)
networking.networkmanager.wifi.powersave = false;
# Enable audio devices on raspberry pi
# boot.kernelParams = [
# "snd_bcm2835.enable_hdmi=1"
# "snd_bcm2835.enable_headphones=1"
# ];
# boot.loader.raspberryPi.firmwareConfig = ''
# dtparam=audio=on
# '';
## Enable SPI
hardware.raspberry-pi."4".apply-overlays-dtmerge.enable = true;
hardware.deviceTree = {
enable = true;
filter = lib.mkForce "*-rpi-4*.dtb";
overlays = [
{
name = "spi";
dtboFile = ./spi0-0cs.dtbo;
}
flake.nixosConfigurations.pianonix = inputs.nixpkgs.lib.nixosSystem {
modules = [
self.nixosModules.hosts.pianonix
];
};
users.groups.spi = {};
flake.nixosModules.hosts.pianonix = {
lib,
inputs,
config,
pkgs,
...
}: {
imports = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
# services.udev.extraRules = ''
# SUBSYSTEM=="spidev", KERNEL=="spidev0.0", GROUP="spi", MODE="0660"
# '';
./hardware-configuration.nix
## Use GPIO as non-root
# Create gpio group
users.groups.gpio = {};
../common/global
../common/users/julian
../common/optional/binarycaches.nix
# Change permissions gpio devices
services.udev.extraRules = ''
SUBSYSTEM=="spidev", KERNEL=="spidev0.0", GROUP="spi", MODE="0660"
../common/optional/pipewire.nix
../common/optional/remote-builder.nix
../common/optional/pcmanfm.nix
../common/optional/redshift.nix
../common/optional/authentication.nix
SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660"
SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'"
SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'"
'';
../common/optional/avahi.nix
];
# Add user to group
users.users.julian.extraGroups = ["gpio"];
environment.systemPackages = [
(pkgs.python3.withPackages (p:
with p; [
numpy
pillow
flask
rpi-gpio
webcolors
psutil
mido
rtmidi-python
spidev
waitress
websockets
werkzeug
## My own Piano LED Visualizer
services.piano-led-visualizer.enable = true;
pkgs.frajul.rpi-ws281x-python
]))
];
## Crude fix for avahi
systemd.timers.avahiRestart = {
description = "Restart avahi-daemon every 5 minutes";
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5min";
OnUnitActiveSec = "5min";
Unit = "avahiRestart.service";
# disko.devices.disk.main.device = "/dev/mmcblk1";
# enabled by fish, disabling speeds up builds
documentation.man.generateCaches = false;
# networking.enableIPv6 = false; # This only leads to issues with avahi
# services.avahi.ipv6 = false;
hardware.raspberry-pi."4".bluetooth.enable = true;
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true; # bluetooth gui
# raspberry pi specific
# systemd.services.btattach = {
# before = [ "bluetooth.service" ];
# after = [ "dev-ttyAMA0.device" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
# };
# };
# networking.wireless.enable = true;
# networking.wireless.secretsFile = config.sops.secrets."wifi/pianonix".path;
# networking.wireless.networks = {
# "SMARTments".pskRaw = "ext:PSK";
# };
# networking.networkmanager.enable = lib.mkForce false;
services.gnome.at-spi2-core.enable = true; # for onboard
networking.hostName = "pianonix";
system.stateVersion = "22.11";
sops.secrets."vnc-passwd" = {
owner = config.users.users.julian.name;
sopsFile = ./secrets-vnc-passwd.bin;
format = "binary";
};
};
sops.secrets."wifi/pianonix" = {};
sops.secrets."syncthing/pianonix/key" = {};
sops.secrets."syncthing/pianonix/cert" = {};
# sops.secrets."syncthing/public-keys/aspi-nix" = { };
# sops.secrets."syncthing/public-keys/pianonix" = { };
systemd.services.avahiRestart = {
description = "Restart avahi-daemon service";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart avahi-daemon.service";
sops.secrets."wg-config" = {
sopsFile = ./secrets-wg-config.bin;
format = "binary";
};
networking.wg-quick.interfaces = {
home = {
configFile = config.sops.secrets."wg-config".path;
autostart = true; # This interface is started on boot
};
};
modules = {
syncthing = {
enable = true;
overrideSettings = true;
};
};
# Enable the Desktop Environment.
# services.xserver.displayManager.lightdm.enable = true;
services.displayManager.defaultSession = "xfce";
services.displayManager.autoLogin = {
enable = true;
user = "julian";
};
systemd.services.x11vnc = {
description = "Run x11vnc server";
after = ["display-manager.service"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${pkgs.x11vnc}/bin/x11vnc -rfbauth ${
config.sops.secrets."vnc-passwd".path
} -forever -loop -noxdamage -repeat -rfbport 5900 -shared";
User = config.users.users.julian.name;
Restart = "on-failure";
Environment = "DISPLAY=:0";
};
};
boot.loader.timeout = lib.mkForce 1; # Set boot loader timeout to 1s
# De-facto disable network manager, which is enabled by gnome
# networking.networkmanager.unmanaged = [ "*" ];
services.xserver.enable = true;
services.xserver.desktopManager = {
xfce = {
enable = true;
};
};
services.xserver.displayManager.sessionCommands = ''
# Prevent screen from going blank or turning off (values in min)
${pkgs.xfce.xfconf}/bin/xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/blank-on-ac -s 0
${pkgs.xfce.xfconf}/bin/xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep -s 0
${pkgs.xfce.xfconf}/bin/xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-off -s 0
'';
services.xserver.xautolock.enable = false;
services.xserver.desktopManager.xfce.enableScreensaver = false;
# xdg.portal.lxqt.enable = true;
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "yes";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVk/m4ydcYXzHxTWeNw2MlwxKU+JirTVOeHsYR4wdTokwYyNWZ3/zPcU4+XekSRatwJW1LJYrZ1Y5IJkobzgnOvYVI7SXZ1Tbzb1kAcnChSt+Dp/pKdMPZ8yY3PTFZh+R5F3rWFA/YZqTRhh0vuxPIVbLl7zOPExWwYGn9crkZaYZvKHVvgE5660hXo9pxbUKsSs+DIy/AE7gfKiZLusY95nk9T/jZ7Vmhl0UsF0RiDsfxgE664/vEKe8b+82kKCDt5nJVe8THSrjaw4+NUhef6R8UoUO1/Pn4TKq3Gil3Z36wPEPdkw2lYzX+d1EFyaC3hZJedSUfdFliPOejIbNvvhPBBD1wAGxxyuJZB5KLwWN7/efwCgw45buLbVfUuwwug7K7GK84A3yzqClbZKKv8rYdO04UG64A+Taq2LeyxQIDjygTgGk/1j/0Neb1RO0FbjlbTeNMZ54P+u7BTEcikJCsbFeseWDtYzupQtLt96KMbcdRgHy0CTGqFHE+my8= julian@julian-aspi"
];
services.syncthing.key = config.sops.secrets."syncthing/pianonix/key".path;
services.syncthing.cert = config.sops.secrets."syncthing/pianonix/cert".path;
services.syncthing.settings = {
devices = {
"aspi-nix" = {
id = "DM5QRYU-ILJ4XYB-4V6NZDG-RAMVOND-3RSDSYR-52TW6RW-3XIU333-T7FNAA3";
};
"pianonix" = {
id = "FD3XSFW-7LQSCIQ-KHZPLNQ-7VZYGKH-RJ2ZKTJ-BG67NRH-36TQIZM-CXDYWAH";
};
};
folders = {
"Klavier" = {
path = "/home/julian/Klavier";
id = "flc3m-q4gp2";
devices = [
"aspi-nix"
"pianonix"
];
};
};
};
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
5900 # for vnc
];
# Disable the GNOME3/GDM auto-suspend feature that cannot be disabled in GUI!
# If no user is logged in, the machine will power down after 20 minutes.
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
## Raspberry pi specific config
# hardware.raspberry-pi."4" = {
# fkms-3d.enable = true;
# touch-ft5406.enable = true;
# };
# Prevent host becoming unreachable on wifi after some time (for raspberry pi)
networking.networkmanager.wifi.powersave = false;
# Enable audio devices on raspberry pi
# boot.kernelParams = [
# "snd_bcm2835.enable_hdmi=1"
# "snd_bcm2835.enable_headphones=1"
# ];
# boot.loader.raspberryPi.firmwareConfig = ''
# dtparam=audio=on
# '';
## Enable SPI
hardware.raspberry-pi."4".apply-overlays-dtmerge.enable = true;
hardware.deviceTree = {
enable = true;
filter = lib.mkForce "*-rpi-4*.dtb";
overlays = [
{
name = "spi";
dtboFile = ./spi0-0cs.dtbo;
}
];
};
users.groups.spi = {};
# services.udev.extraRules = ''
# SUBSYSTEM=="spidev", KERNEL=="spidev0.0", GROUP="spi", MODE="0660"
# '';
## Use GPIO as non-root
# Create gpio group
users.groups.gpio = {};
# Change permissions gpio devices
services.udev.extraRules = ''
SUBSYSTEM=="spidev", KERNEL=="spidev0.0", GROUP="spi", MODE="0660"
SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660"
SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'"
SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'"
'';
# Add user to group
users.users.julian.extraGroups = ["gpio"];
## My own Piano LED Visualizer
services.piano-led-visualizer.enable = true;
## Crude fix for avahi
systemd.timers.avahiRestart = {
description = "Restart avahi-daemon every 5 minutes";
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5min";
OnUnitActiveSec = "5min";
Unit = "avahiRestart.service";
};
};
systemd.services.avahiRestart = {
description = "Restart avahi-daemon service";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart avahi-daemon.service";
};
};
};
}

71
hosts/pianonix/hardware-configuration.nix
View File

@@ -1,41 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
flake.nixosModules.hosts.pianonix = {
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot.initrd.availableKernelModules = ["xhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
boot.blacklistedKernelModules = ["snd_bcm2835"]; # Disables sound, required for ws281x to work
# boot.supportedFilesystems = lib.mkForce [
# # remove zfs, since its incompatible with latest kernel
# "vfat"
# "ext4"
# ];
boot.initrd.availableKernelModules = ["xhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
boot.blacklistedKernelModules = ["snd_bcm2835"]; # Disables sound, required for ws281x to work
# boot.supportedFilesystems = lib.mkForce [
# # remove zfs, since its incompatible with latest kernel
# "vfat"
# "ext4"
# ];
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}