diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..a116ab9
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/flake.lock b/flake.lock
index 70a03ff..b97643f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -143,6 +143,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1717880976,
+ "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-unstable": {
 "locked": {
 "lastModified": 1717196966,
@@ -166,7 +182,8 @@
 "nix-matlab": "nix-matlab",
 "nixpkgs": "nixpkgs",
 "nixpkgs-unstable": "nixpkgs-unstable",
- "snowfall-lib": "snowfall-lib"
+ "snowfall-lib": "snowfall-lib",
+ "sops-nix": "sops-nix"
 }
 },
 "snowfall-lib": {
@@ -191,6 +208,27 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1718137936,
+ "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 5163cc0..97374d6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,9 +22,13 @@
 nix-matlab.url = "gitlab:doronbehar/nix-matlab";
 nix-matlab.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = inputs:
+ outputs =
+ inputs:
 inputs.snowfall-lib.mkFlake {
 inherit inputs;
 # Must always be ./.
diff --git a/homes/x86_64-linux/julian@aspi/default.nix b/homes/x86_64-linux/julian@aspi/default.nix
index 510fffd..d5f574e 100644
--- a/homes/x86_64-linux/julian@aspi/default.nix
+++ b/homes/x86_64-linux/julian@aspi/default.nix
@@ -23,9 +23,6 @@
 home.username = "julian";
 home.homeDirectory = "/home/julian";
- # DO NOT CHANGE!!!
- home.stateVersion = "23.11";
-
 modules = {
 non-nixos.is-nixos = false;
 shell = {
@@ -77,4 +74,8 @@
 # Let Home Manager install and manage itself.
 programs.home-manager.enable = true;
+
+ # ======================== DO NOT CHANGE THIS ========================
+ home.stateVersion = "23.11";
+ # ======================== DO NOT CHANGE THIS ========================
 }
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
new file mode 100644
index 0000000..cfdbe6f
--- /dev/null
+++ b/modules/nixos/sops/default.nix
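Review bot: The new `sops-nix` input pins only `inputs.nixpkgs`, so the lock hunk above gains a second, otherwise unused nixpkgs tree (`nixpkgs-stable`, `release-23.11`) solely to satisfy sops-nix's own `nixpkgs-stable` input. Adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` beside the existing follows line keeps a single nixpkgs in the lock, which is one less pinned tree to fetch and keep updated; as far as I can tell the nixosModule consumed here does not need the stable tree.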
@@ -0,0 +1,46 @@
+{
+ # Snowfall Lib provides a customized `lib` instance with access to your flake's library
+ # as well as the libraries available from your flake's inputs.
+ lib,
+ # An instance of `pkgs` with your overlays and packages applied is also available.
+ pkgs,
+ # You also have access to your flake's inputs.
+ inputs,
+
+ # Additional metadata is provided by Snowfall Lib.
+ namespace, # The namespace used for your flake, defaulting to "internal" if not set.
+ system, # The system architecture for this host (eg. `x86_64-linux`).
+ target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
+ format, # A normalized name for the system target (eg. `iso`).
+ virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
+ systems, # An attribute map of your defined hosts.
+
+ # All other arguments come from the module system.
+ config,
+ ...
+}:
+
+let
+ cfg = config.modules.sops;
+in
+{
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ options.modules.sops = { };
+
+ config = {
+ sops.defaultSopsFile = ../../../secrets/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+ sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt";
+
+ # List of defined secrets
+ sops.secrets."aspi/password" = {
+ neededForUsers = true;
+ };
+
+ # sops.secrets."aspi/syncthing/key" = {
+ # neededForUsers = true;
+ # };
+ # sops.secrets."ngrok/terraria" = { };
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..9fbecfb
--- /dev/null
+++ b/secrets/secrets.yaml
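Review bot: `sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt"` makes the only key that can unlock the system's secrets a file inside a user-owned home directory, so anything running as julian can read or replace it, and the `neededForUsers` secret, which sops-nix decrypts early in activation, depends on that home being present and intact at boot. A root-only host key (for example `/var/lib/sops-nix/key.txt`, or the host SSH key via `sops.age.sshKeyPaths`) with its age recipient added to `.sops.yaml` keeps decryption independent of the user account, leaving the user key as an editing key only. Separately, the declared `sops.secrets."aspi/password"` has no matching entry in the committed secrets.yaml hunk, which shows only `aspi.syncthing.cert` and `aspi.syncthing.key` (unless that value was lost in extraction), so activation should fail on the missing key, while the two syncthing entries that do exist stay commented out here even though systems/x86_64-linux/aspi/default.nix reads their `.path`. Finally, `cfg` is bound but never used and `config = { … }` applies to every host that imports this module; either drop the `options`/`let` scaffolding or gate it, e.g. `options.modules.sops.enable = lib.mkEnableOption "sops-managed secrets";` together with `config = lib.mkIf cfg.enable { … };`.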
@@ -0,0 +1,24 @@
+aspi:
+ syncthing:
+ cert: ENC[AES256_GCM,data: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,iv:n/8CkSiZu666RcOtMXB+Fg5rU2Un77OhxD0wtwfRNYc=,tag:Gy5i2UbBpckO6beyn8gv6Q==,type:str]
+ key: ENC[AES256_GCM,data:81YkG2zWuYIrpC9BMm/+79Ad7gXLHqHqtxnNbUox7E/oii9nNlbR4YqQJfegkDijrV/PK+UjgeiySHfxUzH0MFnVQ4XTDVFiuQ31s1ft/TZlZmOs7JmElc2i8AbdJM31+NCLoH8nDxGOcoqfErFmf4hbRFprnamItYrDqjq/vIbtPbpjm2cTZw3qwKT1HTPpZfvM6b2xDBd9BqjaoOqwhRUVg45Z0gjKXyKqMv0d9JfpoY5lGp6x6SoSlIzM+a5CpKM3v5I1lxN6DtAlh8hO/dCJZCkXCjuIgWWhl3DVol3h6XzDeNsUvgmjhMSjMmEg4utpIMAYzDCTF5GzHyogPdrhqSejnHG1Y6GQnYqniwobabU/6tcY/6nTkLjMpSbM,iv:Nn5LpyxvsvHnxY39Bg205chZ4nhNsHbBstGcJ2Nf2mc=,tag:fslhHkp3gspRnNZNlA7fbg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByL0l4a0ZHcjFEQk5ETXk0
+ dlZJWktVS2pQVjBoZkxyNlo0R3pMM2JkdTNJCk11VEs0U0xleFI3dGkrZEVwWWtz
+ S1dOV1NYcEtOMFFkMWVhM3poNXhTdVkKLS0tIEp2Zk4wanp2M0pIT1Y1eDBYbW1y
+ NUNKTTA1VGhOVFRiV0RDSDJGREgzWFUKvW4A3/CPoTGb6gdrbEQN9NgXSQ+L4wXp
+ NOxR56TemX6fmSZhQU7wyxMmD1rZ64b9cIedauEWr91iYbKjhNpw2A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-12T17:14:51Z"
+ mac: ENC[AES256_GCM,data:XiTeyln5B9lpxUr903mSNBlCw9EsJwQEDVV18NMdHJ3e6Ryq+VkSVYOB60rl2E4C9KiFnh+ibU6KnSmi+bpWBKZ2KjkqxK7jhLnD3FdWFvruJKwf+SZxhd1UAKYjT7yssvQLc971ExVk18zFHRLJwPoPE8ukU9cixlA5PjDUbbY=,iv:w1t+4noBUhirZCcp4FgNQw6Ip+P58OW7HgR39vcOjoY=,tag:bZWznsdm3edevNyZSeQLgQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/x86_64-linux/aspi/default.nix b/systems/x86_64-linux/aspi/default.nix
new file mode 100644
index 0000000..7ef12b4
--- /dev/null
+++ b/systems/x86_64-linux/aspi/default.nix
@@ -0,0 +1,247 @@
+{
+ # Snowfall Lib provides a customized `lib` instance with access to your flake's library
+ # as well as the libraries available from your flake's inputs.
+ lib,
+ # An instance of `pkgs` with your overlays and packages applied is also available.
+ pkgs,
+ # You also have access to your flake's inputs.
+ inputs,
+
+ # Additional metadata is provided by Snowfall Lib.
+ namespace, # The namespace used for your flake, defaulting to "internal" if not set.
+ system, # The system architecture for this host (eg. `x86_64-linux`).
+ target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
+ format, # A normalized name for the system target (eg. `iso`).
+ virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
+ systems, # An attribute map of your defined hosts.
+
+ # All other arguments come from the system system.
+ config,
+ ...
+}:
+{
+ imports = [ ./hardware-configuration.nix ];
+
+ nix.buildMachines = [
+ {
+ hostName = "192.168.3.118";
+ system = "x86_64-linux";
+ protocol = "ssh";
+ # if the builder supports building for multiple architectures,
+ # replace the previous line by, e.g.
+ # systems = ["x86_64-linux" "aarch64-linux"];
+ maxJobs = 4;
+ speedFactor = 3;
+ supportedFeatures = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ ];
+ mandatoryFeatures = [ ];
+ }
+ ];
+ nix.distributedBuilds = true;
+ # optional, useful when the builder has a faster internet connection than yours
+ nix.extraOptions = " builders-use-substitutes = true\n";
+
+ # Bootloader
+ # Use this for simple nix boot menu, if no dual boot required
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+ boot.supportedFilesystems = [
+ "btrfs"
+ "ntfs"
+ "nfs"
+ "cifs"
+ ];
+
+ networking.hostName = "aspi";
+ networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # Set location used by redshift
+ location.provider = "manual";
+ location.latitude = 47.92;
+ location.longitude = 10.12;
+
+ modules = {
+ locales.enable = true;
+ };
+
+ nix.settings.auto-optimise-store = true;
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ # Setup binary caches
+ nix.settings = {
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+ hardware.opengl.enable = true;
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ # Enable the XFCE Desktop Environment.
+ services.xserver.displayManager.lightdm.enable = true;
+ services.xserver.desktopManager = {
+ xterm.enable = false;
+ xfce = {
+ enable = true;
+ noDesktop = true;
+ enableXfwm = false;
+ };
+ };
+ services.displayManager.defaultSession = "none+i3";
+ services.xserver.windowManager.i3.enable = true;
+ services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+
+ # Configure keymap in X11
+ services.xserver = {
+ xkb.layout = "de";
+ xkb.variant = "";
+ };
+
+ # Configure console keymap
+ console.keyMap = "de";
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ services.xserver.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.julian = {
+ isNormalUser = true;
+ description = "Julian";
+ uid = 1000;
+ group = "julian";
+ shell = pkgs.fish;
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ "docker"
+ ];
+ };
+
+ # home-manager.useGlobalPkgs = true; # make overlays for nixpkgs work for home-manager, not only the system
+ # home-manager.useUserPackages = true;
+
+ programs.fish.enable = true;
+
+ programs.nix-ld.enable = true;
+
+ users.groups.julian = {
+ gid = 1000;
+ };
+
+ # List services that you want to enable:
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = false;
+
+ services.syncthing.enable = true;
+ services.syncthing.user = "julian";
+ services.syncthing.group = "julian";
+ services.syncthing.key = config.sops.secrets."aspi/syncthing/key".path;
+ services.syncthing.cert = config.sops.secrets."aspi/syncthing/cert".path;
+ # overrideDevices = true; # overrides any devices added or deleted through the WebUI
+ # overrideFolders = true; # overrides any folders added or deleted through the WebUI
+ # settings = {
+ # devices = {
+ # "device1" = {
+ # id = "DEVICE-ID-GOES-HERE";
+ # };
+ # "device2" = {
+ # id = "DEVICE-ID-GOES-HERE";
+ # };
+ # };
+ # folders = {
+ # "Documents" = {
+ # # Name of folder in Syncthing, also the folder ID
+ # path = "/home/myusername/Documents"; # Which folder to add to Syncthing
+ # devices = [
+ # "device1"
+ # "device2"
+ # ]; # Which devices to share the folder with
+ # };
+ # "Example" = {
+ # path = "/home/myusername/Example";
+ # devices = [ "device1" ];
+ # ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
+ # };
+ # };
+ # };
+
+ services.redshift.enable = true;
+
+ services.flatpak.enable = true;
+
+ xdg.portal.enable = true;
+ xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+
+ # services.emacs.enable = true;
+
+ # services.gnome.gnome-keyring.enable = true;
+
+ # List packages installed in system profile. 
To search, run:
+ # $ nix search wget
+
+ # Packages needed as root
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ mc
+ ];
+
+ virtualisation.docker.enable = true;
+
+ virtualisation.virtualbox.host.enable = true;
+ # virtualisation.virtualbox.host.enableExtensionPack = true;
+ # virtualisation.virtualbox.guest.enable = true;
+ # virtualisation.virtualbox.guest.x11 = true;
+ users.extraGroups.vboxusers.members = [ "julian" ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # ======================== DO NOT CHANGE THIS ========================
+ system.stateVersion = "24.05";
+ # ======================== DO NOT CHANGE THIS ========================
+}
diff --git a/systems/x86_64-linux/kardorf/default.nix b/systems/x86_64-linux/kardorf/default.nix
index 275bb7e..70d5a14 100644
--- a/systems/x86_64-linux/kardorf/default.nix
+++ b/systems/x86_64-linux/kardorf/default.nix
@@ -7,6 +7,7 @@
 inputs,
 config,
 pkgs,
+ systems,
 ...
 }:
 {
@@ -161,7 +162,6 @@
 "wheel"
 "docker"
 ];
- packages = with pkgs; [ ]; # Using home-manager instead
 };
 # home-manager.useGlobalPkgs = true; # make overlays for nixpkgs work for home-manager, not only the system
diff --git a/systems/x86_64-linux/kardorf/home.nix b/systems/x86_64-linux/kardorf/home.nix
deleted file mode 100644
index 7af3678..0000000
--- a/systems/x86_64-linux/kardorf/home.nix
+++ /dev/null
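Review bot: `services.syncthing.key` and `services.syncthing.cert` read `config.sops.secrets."aspi/syncthing/key".path` and `config.sops.secrets."aspi/syncthing/cert".path`, but the only sops declarations in this commit (modules/nixos/sops/default.nix) keep those two entries commented out, so evaluating this host should fail on a missing attribute. Once declared they also need `owner = "julian";`, because sops-nix installs secrets root-owned with mode 0400 by default and syncthing here runs as julian, and they should not carry `neededForUsers`, which is meant for values consumed while users are created. The `aspi/password` secret that is declared with `neededForUsers` has no consumer in this file; its intended use would be `users.users.julian.hashedPasswordFile = config.sops.secrets."aspi/password".path;`, otherwise julian has no password source at all. The remote builder at `192.168.3.118` specifies neither `sshUser` nor `sshKey`, so root's SSH configuration silently decides which identity and host key are used for a peer that can return arbitrary build outputs; pinning both explicitly makes that trust relationship visible in the config. The argument comment `# All other arguments come from the system system.` looks like a typo for `module system`.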
@@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- # Home Manager needs a bit of information about you and the
- # paths it should manage.
- home.username = "julian";
- home.homeDirectory = "/home/julian";
-
- # This value determines the Home Manager release that your
- # configuration is compatible with. This helps avoid breakage
- # when a new Home Manager release introduces backwards
- # incompatible changes.
- #
- # You can update Home Manager without changing this value. See
- # the Home Manager release notes for a list of state version
- # changes in each release.
- home.stateVersion = "23.05";
-
- # Let Home Manager install and manage itself.
- programs.home-manager.enable = true;
-
- home.packages = [
- # pkgs.cowsay
- ];
-
- # home.file
- # home.sessionVariables
-
- gtk = {
- enable = true;
- theme.name = "Adwaita-dark";
- # theme.package = pkgs.materia-theme;
- # cursorTheme.name = "Bibata-Modern-Ice";
- # iconTheme.name = "GruvboxPlus";
- };
-
-}