diff --git a/flake.lock b/flake.lock index deadf14..e1befc3 100644 --- a/flake.lock +++ b/flake.lock @@ -908,11 +908,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1675998131, - "narHash": "sha256-j17u/hZeFk/qJsqi8R3//UZbMZUFmuhM3EgqL/DdByo=", + "lastModified": 1676307221, + "narHash": "sha256-6XX4HQHuQxRnD2p3M1fLBOpfl9wFKIGc51Lm/bGqPOU=", "ref": "main", - "rev": "035d16fc7f29ee294da3091f74a4a909d46f197d", - "revCount": 45, + "rev": "060661c725d1c9cdfe6c54692fd22193dfced4f2", + "revCount": 46, "type": "git", "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" }, diff --git a/flake.nix b/flake.nix index 1221066..46915dc 100644 --- a/flake.nix +++ b/flake.nix @@ -178,6 +178,24 @@ home-manager.useUserPackages = true; }; + cream = { name, nodes, pkgs, ... }: { + deployment.allowLocalDeployment = true; + deployment.targetHost = "${name}.private"; + deployment.tags = [ "desktop" "online" "private" ]; + imports = [ + grocy-scanner.nixosModule + nixos-hardware.nixosModules.framework-12th-gen-intel + #retiolum.nixosModules.retiolum + ]; + + home-manager.users.mainUser = { + imports = [ + doom-emacs-nix.hmModule + home-manager-utils.hmModule + ]; + }; + }; + sterni = { name, nodes, pkgs, ... }: { deployment.allowLocalDeployment = true; deployment.targetHost = "${name}.private"; diff --git a/images/usb-init-configuration.nix b/images/usb-init-configuration.nix index b26053a..115bcd9 100644 --- a/images/usb-init-configuration.nix +++ b/images/usb-init-configuration.nix @@ -49,7 +49,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? + system.stateVersion = "22.11"; # Did you read the comment? } diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix index 5f490ca..e925ed7 100644 
--- a/nixos/components/network/tinc/private.nix +++ b/nixos/components/network/tinc/private.nix @@ -12,6 +12,7 @@ let sterni = "10.23.42.24"; bobi = "10.23.42.25"; pepe = "10.23.42.26"; + cream = "10.23.42.27"; robi = "10.23.42.111"; }; subDomains = { @@ -34,6 +35,7 @@ in sops.secrets.tinc_ed25519_key = { }; + # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096" services.tinc.networks = { ${network} = { ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path; @@ -46,6 +48,10 @@ in subnets = [{ address = hosts.mobi; }]; settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB"; }; + cream = { + subnets = [{ address = hosts.cream; }]; + settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL"; + }; sterni = { subnets = [{ address = hosts.sterni; }]; settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O"; @@ -92,6 +98,10 @@ in hostNames = [ "sterni.${network}" hosts.sterni ]; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht"; }; + "cream.${network}" = { + hostNames = [ "cream.${network}" hosts.cream ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD"; + }; "pepe.${network}" = { hostNames = [ "pepe.${network}" hosts.pepe ]; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz"; diff --git a/nixos/components/network/tinc/secret.nix b/nixos/components/network/tinc/secret.nix index f44cca1..4a28e9a 100644 --- a/nixos/components/network/tinc/secret.nix +++ b/nixos/components/network/tinc/secret.nix @@ -11,6 +11,7 @@ let hosts = { sternchen = "10.123.42.25"; sterni = "10.123.42.24"; + cream = "10.123.42.27"; robi = "10.123.42.123"; }; network = "secret"; 
@@ -27,9 +28,13 @@ in
 '';
 hostSettings = {
 sternchen = {
- subnets = [{ address = hosts.sterni; }];
+ subnets = [{ address = hosts.sternchen; }];
 settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
 };
+ cream = {
+ subnets = [{ address = hosts.cream; }];
+ settings.Ed25519PublicKey = "";
+ };
 sterni = {
 subnets = [{ address = hosts.sterni; }];
 settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
diff --git a/nixos/machines/cream/configuration.nix b/nixos/machines/cream/configuration.nix
new file mode 100644
index 0000000..85d36b1
--- /dev/null
+++ b/nixos/machines/cream/configuration.nix
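Review bot: `settings.Ed25519PublicKey = "";` in the new `cream` entry of the `secret` network leaves the host without a key, so the generated host file carries an empty Ed25519PublicKey and the other nodes cannot authenticate cream, while the same commit gives cream a real key for the `private` network. Either paste the key generated for the secret network, `settings.Ed25519PublicKey = "<cream secret-network Ed25519 public key>";`, or leave the `cream` attribute out of `hostSettings` until it exists, since a host entry with an empty key is easy to forget. The `hostSettings` attribute set starts before the hunk.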
@@ -0,0 +1,102 @@ +{ config, pkgs, lib, ... }: { + + imports = [ + + ../../system/desktop + ../../system/server/netdata.nix + + ./hardware-configuration.nix + ./packages.nix + ./syncthing.nix + ./tinc.nix + + #./wifi-access-point.nix + #./wireshark.nix + #./scanner.nix + #./qemu.nix + ./wireguard.nix + + ]; + + + services.nginx.enable = true; + + networking.hostName = "cream"; + + system.custom.wifi.interfaces = [ "wlp166s0" ]; + + security.wrappers = { + pmount = { + source = "${pkgs.pmount}/bin/pmount"; + setuid = true; + owner = "root"; + group = "root"; + }; + pumount = { + source = "${pkgs.pmount}/bin/pumount"; + setuid = true; + owner = "root"; + group = "root"; + }; + }; + + programs.custom.steam.enable = true; + programs.custom.video.enable = false; + + services.printing.enable = true; + + # fonts + # ----- + programs.custom.urxvt.fontSize = 12; + programs.custom.xterm.fontSize = 12; + system.custom.fonts.dpi = 200; + + virtualisation = { + docker.enable = true; + podman.enable = true; + + virtualbox = { + host.enable = false; + guest.x11 = false; + guest.enable = false; + }; + }; + + configuration.desktop = { + width = 2256; + height = 1504; + }; + + services.xserver.desktopManager.gnome.enable = true; + + custom.samba-share = { + enable = false; + folders = { + share = "/home/share"; + video = "/home/video-material"; + }; + }; + + # enable this to use sidequest + programs.adb.enable = true; + users.users.mainUser.extraGroups = [ "adbusers" "video" ]; + + # for congress and streaming + hardware.opengl = { + enable = true; + # extraPackages = [ + # intel-media-driver # LIBVA_DRIVER_NAME=iHD + # vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + # vaapiVdpau + # libvdpau-va-gl + # ]; + driSupport = true; + driSupport32Bit = true; + }; + #nixpkgs.config.packageOverrides = pkgs: { + # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + #}; + + system.stateVersion = "22.11"; # Did you read the comment? + +} 
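Review bot: `services.nginx.enable = true;` enables a network service on the new laptop with no `virtualHosts` and no comment on what it serves, so nothing in this file explains why a web server runs on a machine attached to the tinc and WireGuard overlays. If a local tool needs it, a comment such as `# nginx: needed by <service>` (or enabling it from that service's module) keeps the reason next to the switch; otherwise the line can go. The commented-out `./scanner.nix` and `./qemu.nix` imports correspond to files added elsewhere in this commit, so a short note on why they are disabled would help too.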
diff --git a/nixos/machines/cream/hardware-configuration.nix b/nixos/machines/cream/hardware-configuration.nix new file mode 100644 index 0000000..026c6d5 --- /dev/null +++ b/nixos/machines/cream/hardware-configuration.nix 
@@ -0,0 +1,79 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "uas" "sd_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Use the systemd-boot EFI boot loader, not grub + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!) + + boot.initrd.luks.devices = { + pool = { + device = "/dev/nvme0n1p2"; + preLVM = true; + }; + }; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/13A0-D756"; + fsType = "vfat"; + }; + + fileSystems."/home" = + { + device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1"; + fsType = "ext4"; + }; + + fileSystems."/removable" = + { + device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7"; + fsType = "ext4"; + }; + + fileSystems."/share" = { + device = "none"; + fsType = "tmpfs"; + }; + + fileSystems."/browsers" = { + device = "none"; + fsType = "tmpfs"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s13f0u4c2.useDHCP = lib.mkDefault true; + # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + #powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + # high-resolution display + hardware.video.hidpi.enable = lib.mkDefault true; +} diff --git a/nixos/machines/cream/packages.nix b/nixos/machines/cream/packages.nix new file mode 100644 index 0000000..6fd1fb2 --- /dev/null +++ b/nixos/machines/cream/packages.nix 
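Review bot: `device = "/dev/nvme0n1p2";` in `boot.initrd.luks.devices.pool` addresses the encrypted partition by kernel name while every `fileSystems` entry in the same file uses `/dev/disk/by-uuid/...`; if another NVMe or USB device enumerates first, the initrd unlock prompt targets the wrong device and the boot fails. Use a stable path here too, `device = "/dev/disk/by-uuid/<uuid-of-nvme0n1p2>";` (or `/dev/disk/by-partlabel/luks`, since the disko config in this commit names the partition `luks` — verify the label is present after `--mode create`). The file header says it was generated, but this block and `boot.tmpOnTmpfs` are hand-added, so a comment marking the hand-edited lines would protect them from the next `nixos-generate-config` run.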
@@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: +let + nextcloudSync = folder: + let + password = "$( pass show home/nextcloud/palo/nextcloudcmd-token)"; + user = "palo"; + in + pkgs.writers.writeBashBin "nextcloud-sync-${folder}" '' + ${pkgs.nextcloud-client}/bin/nextcloudcmd \ + --path "${folder}" \ + ~/Nextcloud/${folder} \ + "https://${user}:${password}@nextcloud.ingolf-wagner.de" + ''; + + +in +{ + environment.systemPackages = with pkgs; [ + + ((ganttproject-bin.override { + jre = pkgs.openjdk11; + }).overrideAttrs (old: { + version = "3.1.3100"; + src = pkgs.fetchzip { + url = "https://dl.ganttproject.biz/ganttproject-3.1.3100/ganttproject-3.1.3100.zip"; + sha256 = "sha256-hw2paak0P670/kemiuqYHIaN0uUtkVKy+AX2X7OdnJ4="; + }; + })) + + autorandr + + (nextcloudSync "InstantUpload") + (nextcloudSync "Pictures") + (nextcloudSync "Unterlagen") + (nextcloudSync "Nähen") + (nextcloudSync "Video") + (nextcloudSync "Kunstbuch") + (nextcloudSync "AWS-SolutionArchitect-Professional") + + (pkgs.writeShellScriptBin "nixFlakes" '' + exec ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@" + '') + + valentina + + sweethome3d.application + pkgs.polygon-art.polygon-art + + # bluetooth gui + blueberry + + nextcloud-client + gimp + inkscape + imagemagick + + bitwig-studio3 + #sononym-crawler + darktable + + #blender + mosquitto + (pkgs.writers.writeBashBin "mqtt-tail" '' + ${pkgs.mosquitto}/bin/mosquitto_sub -v \ + -h pepe.private \ + -u homeassistant \ + -P password \ + -t "#" + '') + + # rust development environment + rustup + jetbrains.clion + + # general + jetbrains.idea-ultimate + #vscode + + # python + python3Full + jetbrains.pycharm-professional + jetbrains.datagrip + + # matrix clients + # -------------- + #element-desktop + #fractal + legacy.mirage-im + + tor-browser-bundle-bin + #(tor-browser-bundle-bin.overrideAttrs (old: rec { + # version = "11.0.1"; + # name = "tor-browser-bundle-${version}"; + # src = pkgs.fetchurl { + # url = + # 
"https://dist.torproject.org/torbrowser/10.0.15/tor-browser-linux64-10.0.15_en-US.tar.xz"; + # "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz"; + # sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs"; + # }; + #})) + + sops + + bitwarden + + ]; + + home-manager.users.mainUser = { + programs.obs-studio.enable = true; + }; + +} diff --git a/nixos/machines/cream/qemu.nix b/nixos/machines/cream/qemu.nix new file mode 100644 index 0000000..f14ad8d --- /dev/null +++ b/nixos/machines/cream/qemu.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: + +{ + + virtualisation.libvirtd.enable = true; + #virtualisation.libvirtd.allowedBridges = ["virbr0"]; + virtualisation.libvirtd.onShutdown = "shutdown"; + + environment.systemPackages = [ + pkgs.qemu_kvm + pkgs.virt-manager + ]; + + users.users.mainUser.extraGroups = [ "libvirtd" ]; + + +} diff --git a/nixos/machines/cream/scanner.nix b/nixos/machines/cream/scanner.nix new file mode 100644 index 0000000..bf3e1a2 --- /dev/null +++ b/nixos/machines/cream/scanner.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: +{ + services.grocy-scanner = { + enable = true; + host = "https://grocy.ingolf-wagner.de"; + device = "/dev/input/by-id/usb-Belon.cn_2.4G_Wireless_Device_Belon_Smart-event-kbd"; + apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not"); + }; +} diff --git a/nixos/machines/cream/syncthing.nix b/nixos/machines/cream/syncthing.nix new file mode 100644 index 0000000..bf27899 --- /dev/null +++ b/nixos/machines/cream/syncthing.nix 
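Review bot: `nextcloudSync` puts the token from `pass show home/nextcloud/palo/nextcloudcmd-token` into the `nextcloudcmd` command line as part of the `https://user:password@…` URL, so it is readable by every local process through the process list for the whole sync run and lands in shell history or `set -x` traces. Writing the credentials to a mode-600 netrc file and invoking `nextcloudcmd -n` (its netrc option, if the packaged version has it) keeps the secret out of argv and out of the URL. The `mqtt-tail` wrapper in the same hunk bakes `-P password` into a store path readable by every user; even as a placeholder it should read the broker password from `pass` or a sops secret at run time the way the Nextcloud wrapper does.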
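Review bot: `apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not");` writes the Grocy API key into a world-readable Nix store path, which defeats the purpose of a `*File` option; the literal looks like a placeholder, but the pattern will be copied once the real key goes in. Declare it as a sops secret like the other credentials in this repo, e.g. `sops.secrets.grocy_api_key = { };` and `apiKeyFile = config.sops.secrets.grocy_api_key.path;`. The module is not imported yet (`./scanner.nix` is commented out in configuration.nix), so this can be fixed before it ever runs.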
@@ -0,0 +1,66 @@ +{ config, pkgs, lib, ... }: { + + #sops.secrets.syncthing_cert = { }; + #sops.secrets.syncthing_key = { }; + + services.syncthing = { + enable = true; + openDefaultPorts = false; + user = "palo"; + dataDir = "/home/palo/.syncthing"; + configDir = "/home/palo/.syncthing"; + #cert = toString config.sops.secrets.syncthing_cert.path; + #key = toString config.sops.secrets.syncthing_key.path; + overrideFolders = true; + folders = { + + # on encrypted drive + # ------------------ + password-store = { + enable = true; + path = "/home/palo/.password-store"; + }; + private = { + enable = true; + path = "/home/palo/private"; + }; + art = { + enable = true; + path = "/home/palo/art"; + }; + desktop = { + enable = true; + path = "/home/palo/desktop"; + }; + finance = { + enable = true; + path = "/home/palo/finance"; + }; + + # no need to be encrypted + # ----------------------- + books = { + enable = true; + path = "/home/palo/books"; + }; + music-library = { + enable = true; + path = "/home/palo/music-library"; + }; + music-projects = { + enable = true; + path = "/home/palo/music-projects"; + }; + }; + }; + + services.permown."/home/palo/music-library" = { + owner = "palo"; + group = "users"; + }; + + services.permown."/home/palo/finance" = { + owner = "palo"; + group = "syncthing"; + }; +} diff --git a/nixos/machines/cream/tinc.nix b/nixos/machines/cream/tinc.nix new file mode 100644 index 0000000..e53ccfe --- /dev/null +++ b/nixos/machines/cream/tinc.nix @@ -0,0 +1,15 @@ +{ config, ... }: +{ + + tinc.private.enable = true; + tinc.private.ipv4 = "10.23.42.27"; + + tinc.secret.enable = true; + tinc.secret.ipv4 = "10.123.42.27"; + + # retiolum + #networking.retiolum.port = 720; + #sops.secrets.tinc_retiolum_ed25519_key = { }; + #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; + +} 
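Review bot: `tinc.private.ipv4 = "10.23.42.27";` and `tinc.secret.ipv4 = "10.123.42.27";` repeat the addresses that this commit also adds to the `hosts` tables in `nixos/components/network/tinc/private.nix` and `secret.nix`, leaving two places that must agree by hand and drift silently when one is edited. If the tinc modules expose their `hosts` table, the per-machine file could read `hosts.cream` from it; otherwise a comment `# must match hosts.cream in components/network/tinc/{private,secret}.nix` keeps the coupling visible. The `cream` subnet entries in both component files already derive from `hosts.cream`, so the machine file is the only copy that can go stale.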
diff --git a/nixos/machines/cream/wireguard.nix b/nixos/machines/cream/wireguard.nix
new file mode 100644
index 0000000..a8adf3d
--- /dev/null
+++ b/nixos/machines/cream/wireguard.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ sops.secrets.wireguard_private = { };
+
+ # Enable WireGuard
+ networking.wg-quick.interfaces = {
+ # Hub and Spoke Setup
+ # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+ wg0 = {
+ address = [ "10.100.0.6/32" ];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+ privateKeyFile = config.sops.secrets.wireguard_private.path;
+ mtu = 1280;
+
+ peers = [
+ {
+ # robi
+ publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
+ allowedIPs = [ "10.100.0.1/24" ];
+ endpoint = "ingolf-wagner.de:51820";
+ }
+ ];
+ };
+ };
+}
diff --git a/nixos/machines/robi/wireguard.nix b/nixos/machines/robi/wireguard.nix
index 9f27836..23d18bb 100644
--- a/nixos/machines/robi/wireguard.nix
+++ b/nixos/machines/robi/wireguard.nix
@@ -44,6 +44,11 @@
 publicKey = "v0/cozfHsRUYBXHGUrY7TEZF/ItcQywVphDAQdm9GU0=";
 allowedIPs = [ "10.100.0.5/32" ];
 }
+ {
+ # cream
+ publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
+ allowedIPs = [ "10.100.0.6/32" ];
+ }
 ];
 };
 };
diff --git a/nixos/machines/sterni/configuration.nix b/nixos/machines/sterni/configuration.nix
index 49eeeee..81a93bb 100644
--- a/nixos/machines/sterni/configuration.nix
+++ b/nixos/machines/sterni/configuration.nix
@@ -72,7 +72,7 @@
 services.xserver.desktopManager.gnome.enable = true;
 
 custom.samba-share = {
- enable = true;
+ enable = false;
 folders = {
 share = "/home/share";
 video = "/home/video-material";
diff --git a/nixos/machines/sterni/hardware-configuration.nix b/nixos/machines/sterni/hardware-configuration.nix
index df0fedb..0f6c91c 100644
--- a/nixos/machines/sterni/hardware-configuration.nix
+++ b/nixos/machines/sterni/hardware-configuration.nix
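Review bot: `allowedIPs = [ "10.100.0.1/24" ];` in the robi peer of the new `wg0` interface has host bits set; as far as I know wg masks it to the network, so the route actually installed is `10.100.0.0/24`, which is what a spoke in a hub-and-spoke setup wants but not what the line says. Write it as `allowedIPs = [ "10.100.0.0/24" ];` so the intended prefix is explicit and visibly different from the `/32` entries used for individual peers on the hub side. The hub-side entry added in `robi/wireguard.nix` (`10.100.0.6/32` for cream) is consistent with the spoke's `address`.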
@@ -16,6 +16,7 @@ # Use the systemd-boot EFI boot loader, not grub boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!) #zramSwap = { # enable = true; @@ -25,18 +26,12 @@ #}; fileSystems."/share" = { - #device = "/dev/ram1"; device = "none"; fsType = "tmpfs"; }; fileSystems."/browsers" = { - #options = [ "noatime" "nodiratime" "discard" ]; - #device = "/dev/vg/browser"; - #fsType = "ext4"; - device = "none"; - #device = "/dev/ram2"; fsType = "tmpfs"; }; diff --git a/scripts/disko-config-cream.nix b/scripts/disko-config-cream.nix new file mode 100644 index 0000000..d8ed243 --- /dev/null +++ b/scripts/disko-config-cream.nix 
@@ -0,0 +1,104 @@ +# nix run github:nix-community/disko -- --mode create ./disko-config-cream.nix --dry-run +# nix run github:nix-community/disko -- --mode mount ./disko-config-cream.nix --dry-run +# nixos-generate-config --root /mnt/ +# vim /mnt/configuration.nix +# nixos-install --root /mnt +{ ... }: +{ + disk = { + nvme0n1 = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + type = "partition"; + name = "ESP"; + start = "1MiB"; + end = "500MiB"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + } + { + type = "partition"; + name = "luks"; + start = "500MiB"; + end = "100%"; + content = { + type = "luks"; + name = "pool"; + #keyFile = "/tmp/secret.key"; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + }; + } + ]; + }; + }; + sdb = { + type = "disk"; + device = "/dev/sdb"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + type = "partition"; + name = "removable"; + start = "1MiB"; + end = "100%"; + bootable = false; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/removable"; + mountOptions = [ + "defaults" + ]; + }; + } + ]; + + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + root = { + type = "lvm_lv"; + size = "100G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + home = { + type = "lvm_lv"; + size = "150G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/home"; + }; + }; + }; + }; + }; +}
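Review bot: `device = "/dev/sdb";` and `device = "/dev/nvme0n1";` identify the disks that `disko --mode create` will partition and format by kernel enumeration name, which is exactly the value that changes when an installer USB stick or a second drive is present at install time. disko accepts stable paths, so `device = "/dev/disk/by-id/<id-of-the-removable-drive>";` (and likewise for the NVMe) makes the destructive step target the right disk every time. A comment next to `#keyFile` stating that the LUKS passphrase is entered interactively on create and mount would also save the next reader from wondering whether the key file was forgotten.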