add cream

This commit is contained in:
Ingolf Wagner 2023-02-13 18:40:56 +01:00
parent c565a9873a
commit 19581c7620
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
17 changed files with 576 additions and 13 deletions


@ -908,11 +908,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1675998131, "lastModified": 1676307221,
"narHash": "sha256-j17u/hZeFk/qJsqi8R3//UZbMZUFmuhM3EgqL/DdByo=", "narHash": "sha256-6XX4HQHuQxRnD2p3M1fLBOpfl9wFKIGc51Lm/bGqPOU=",
"ref": "main", "ref": "main",
"rev": "035d16fc7f29ee294da3091f74a4a909d46f197d", "rev": "060661c725d1c9cdfe6c54692fd22193dfced4f2",
"revCount": 45, "revCount": 46,
"type": "git", "type": "git",
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
}, },


@ -178,6 +178,24 @@
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
}; };
cream = { name, nodes, pkgs, ... }: {
deployment.allowLocalDeployment = true;
deployment.targetHost = "${name}.private";
deployment.tags = [ "desktop" "online" "private" ];
imports = [
grocy-scanner.nixosModule
nixos-hardware.nixosModules.framework-12th-gen-intel
#retiolum.nixosModules.retiolum
];
home-manager.users.mainUser = {
imports = [
doom-emacs-nix.hmModule
home-manager-utils.hmModule
];
};
};
sterni = { name, nodes, pkgs, ... }: { sterni = { name, nodes, pkgs, ... }: {
deployment.allowLocalDeployment = true; deployment.allowLocalDeployment = true;
deployment.targetHost = "${name}.private"; deployment.targetHost = "${name}.private";


@ -49,7 +49,7 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
} }
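Review bot: The change of `system.stateVersion = "22.05";` to `system.stateVersion = "22.11";` contradicts the comment directly above it, which says to leave this value at the release of the system's first install. stateVersion pins defaults for stateful services (data directory layouts, database formats and the like), so bumping it on an already-installed host can silently change those defaults with no migration. If this host really was first installed on 22.11 the change is right; otherwise it should be reverted. The rendered page does not name the file, so I cannot tell which host this is — the new cream host's own configuration added in this commit already starts at 22.11 and is not affected.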


@ -12,6 +12,7 @@ let
sterni = "10.23.42.24"; sterni = "10.23.42.24";
bobi = "10.23.42.25"; bobi = "10.23.42.25";
pepe = "10.23.42.26"; pepe = "10.23.42.26";
cream = "10.23.42.27";
robi = "10.23.42.111"; robi = "10.23.42.111";
}; };
subDomains = { subDomains = {
@ -34,6 +35,7 @@ in
sops.secrets.tinc_ed25519_key = { }; sops.secrets.tinc_ed25519_key = { };
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
services.tinc.networks = { services.tinc.networks = {
${network} = { ${network} = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path; ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
@ -46,6 +48,10 @@ in
subnets = [{ address = hosts.mobi; }]; subnets = [{ address = hosts.mobi; }];
settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB"; settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
}; };
cream = {
subnets = [{ address = hosts.cream; }];
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
};
sterni = { sterni = {
subnets = [{ address = hosts.sterni; }]; subnets = [{ address = hosts.sterni; }];
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O"; settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
@ -92,6 +98,10 @@ in
hostNames = [ "sterni.${network}" hosts.sterni ]; hostNames = [ "sterni.${network}" hosts.sterni ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
}; };
"cream.${network}" = {
hostNames = [ "cream.${network}" hosts.cream ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
};
"pepe.${network}" = { "pepe.${network}" = {
hostNames = [ "pepe.${network}" hosts.pepe ]; hostNames = [ "pepe.${network}" hosts.pepe ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";


@ -11,6 +11,7 @@ let
hosts = { hosts = {
sternchen = "10.123.42.25"; sternchen = "10.123.42.25";
sterni = "10.123.42.24"; sterni = "10.123.42.24";
cream = "10.123.42.27";
robi = "10.123.42.123"; robi = "10.123.42.123";
}; };
network = "secret"; network = "secret";
@ -27,9 +28,13 @@ in
''; '';
hostSettings = { hostSettings = {
sternchen = { sternchen = {
subnets = [{ address = hosts.sterni; }]; subnets = [{ address = hosts.sternchen; }];
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB"; settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
}; };
cream = {
subnets = [{ address = hosts.cream; }];
settings.Ed25519PublicKey = "";
};
sterni = { sterni = {
subnets = [{ address = hosts.sterni; }]; subnets = [{ address = hosts.sterni; }];
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O"; settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
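Review bot: The new `cream` entry in `hostSettings` carries an empty `settings.Ed25519PublicKey = "";`, so the generated tinc host file for cream in the secret network contains no key and the other members cannot authenticate it; the connection will fail until a real key is filled in. The cream entry added to the private network in this same commit has a proper key, so this looks like a forgotten placeholder rather than intent. Either fill in the key produced by the generation command noted in the private-network file (`tinc --config . generate-keys 4096`), or leave cream out of this network until the key exists.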


@ -0,0 +1,102 @@
{ config, pkgs, lib, ... }: {
imports = [
../../system/desktop
../../system/server/netdata.nix
./hardware-configuration.nix
./packages.nix
./syncthing.nix
./tinc.nix
#./wifi-access-point.nix
#./wireshark.nix
#./scanner.nix
#./qemu.nix
./wireguard.nix
];
services.nginx.enable = true;
networking.hostName = "cream";
system.custom.wifi.interfaces = [ "wlp166s0" ];
security.wrappers = {
pmount = {
source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
};
programs.custom.steam.enable = true;
programs.custom.video.enable = false;
services.printing.enable = true;
# fonts
# -----
programs.custom.urxvt.fontSize = 12;
programs.custom.xterm.fontSize = 12;
system.custom.fonts.dpi = 200;
virtualisation = {
docker.enable = true;
podman.enable = true;
virtualbox = {
host.enable = false;
guest.x11 = false;
guest.enable = false;
};
};
configuration.desktop = {
width = 2256;
height = 1504;
};
services.xserver.desktopManager.gnome.enable = true;
custom.samba-share = {
enable = false;
folders = {
share = "/home/share";
video = "/home/video-material";
};
};
# enable this to use sidequest
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "video" ];
# for congress and streaming
hardware.opengl = {
enable = true;
# extraPackages = [
# intel-media-driver # LIBVA_DRIVER_NAME=iHD
# vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
# vaapiVdpau
# libvdpau-va-gl
# ];
driSupport = true;
driSupport32Bit = true;
};
#nixpkgs.config.packageOverrides = pkgs: {
# vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
#};
system.stateVersion = "22.11"; # Did you read the comment?
}
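Review bot: The `imports` list keeps `#./qemu.nix` and `#./scanner.nix` commented out, yet this commit adds a libvirtd module and a grocy-scanner configuration for cream, so those new files are dead code unless they are imported; the flake also attaches `grocy-scanner.nixosModule` to cream, which suggests the scanner file was meant to be active. Either import them (`./qemu.nix` and `./scanner.nix`, if those are the file names) or drop the files until they are wanted. The two setuid wrappers for pmount/pumount are the documented way to use pmount, but a one-line comment such as `# pmount is designed to run setuid root; restricts mounts to removable media` would save the next reader from questioning them.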


@ -0,0 +1,79 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!)
boot.initrd.luks.devices = {
pool = {
device = "/dev/nvme0n1p2";
preLVM = true;
};
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/13A0-D756";
fsType = "vfat";
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1";
fsType = "ext4";
};
fileSystems."/removable" =
{
device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7";
fsType = "ext4";
};
fileSystems."/share" = {
device = "none";
fsType = "tmpfs";
};
fileSystems."/browsers" = {
device = "none";
fsType = "tmpfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s13f0u4c2.useDHCP = lib.mkDefault true;
# networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
#powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}
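Review bot: `fileSystems."/removable"` is declared like the fixed internal filesystems with no `options`, so if the disk behind that UUID is not attached at boot systemd waits for it and drops to emergency mode instead of continuing; the mount name and the separate `/dev/sdb` partition in this commit's disko layout suggest the disk is not always present. Adding `options = [ "nofail" ];` to that entry lets boot proceed without it. The "Do not modify this file" header is no longer accurate now that the file carries hand-written entries (the LUKS device, the tmpfs mounts, the systemd-boot settings); either drop the header or move those settings into configuration.nix so a future nixos-generate-config run does not discard them.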


@ -0,0 +1,112 @@
{ config, lib, pkgs, ... }:
let
nextcloudSync = folder:
let
password = "$( pass show home/nextcloud/palo/nextcloudcmd-token)";
user = "palo";
in
pkgs.writers.writeBashBin "nextcloud-sync-${folder}" ''
${pkgs.nextcloud-client}/bin/nextcloudcmd \
--path "${folder}" \
~/Nextcloud/${folder} \
"https://${user}:${password}@nextcloud.ingolf-wagner.de"
'';
in
{
environment.systemPackages = with pkgs; [
((ganttproject-bin.override {
jre = pkgs.openjdk11;
}).overrideAttrs (old: {
version = "3.1.3100";
src = pkgs.fetchzip {
url = "https://dl.ganttproject.biz/ganttproject-3.1.3100/ganttproject-3.1.3100.zip";
sha256 = "sha256-hw2paak0P670/kemiuqYHIaN0uUtkVKy+AX2X7OdnJ4=";
};
}))
autorandr
(nextcloudSync "InstantUpload")
(nextcloudSync "Pictures")
(nextcloudSync "Unterlagen")
(nextcloudSync "Nähen")
(nextcloudSync "Video")
(nextcloudSync "Kunstbuch")
(nextcloudSync "AWS-SolutionArchitect-Professional")
(pkgs.writeShellScriptBin "nixFlakes" ''
exec ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"
'')
valentina
sweethome3d.application
pkgs.polygon-art.polygon-art
# bluetooth gui
blueberry
nextcloud-client
gimp
inkscape
imagemagick
bitwig-studio3
#sononym-crawler
darktable
#blender
mosquitto
(pkgs.writers.writeBashBin "mqtt-tail" ''
${pkgs.mosquitto}/bin/mosquitto_sub -v \
-h pepe.private \
-u homeassistant \
-P password \
-t "#"
'')
# rust development environment
rustup
jetbrains.clion
# general
jetbrains.idea-ultimate
#vscode
# python
python3Full
jetbrains.pycharm-professional
jetbrains.datagrip
# matrix clients
# --------------
#element-desktop
#fractal
legacy.mirage-im
tor-browser-bundle-bin
#(tor-browser-bundle-bin.overrideAttrs (old: rec {
# version = "11.0.1";
# name = "tor-browser-bundle-${version}";
# src = pkgs.fetchurl {
# url =
# "https://dist.torproject.org/torbrowser/10.0.15/tor-browser-linux64-10.0.15_en-US.tar.xz";
# "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
# sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs";
# };
#}))
sops
bitwarden
];
home-manager.users.mainUser = {
programs.obs-studio.enable = true;
};
}
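Review bot: The `mqtt-tail` wrapper passes `-P password` literally, so either the broker on pepe.private really accepts the password `password` for the `homeassistant` user or this is a placeholder and the script cannot work; in both cases the value is baked into a world-readable file in the Nix store. Read it at run time the way `nextcloudSync` does, e.g. `-P "$(pass show <path-to-mqtt-secret>)"` (path is a placeholder), or from a sops-managed file. `nextcloudSync` has a related problem one step later: the `https://${user}:${password}@...` URL is passed as a command-line argument, so the token is visible in the process's argv for the whole sync; nextcloudcmd's netrc mode (`-n`) takes the credentials from a file instead. Minor: `~/Nextcloud/${folder}` is unquoted while `--path "${folder}"` is quoted; quoting both keeps folder names with spaces working.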


@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
{
virtualisation.libvirtd.enable = true;
#virtualisation.libvirtd.allowedBridges = ["virbr0"];
virtualisation.libvirtd.onShutdown = "shutdown";
environment.systemPackages = [
pkgs.qemu_kvm
pkgs.virt-manager
];
users.users.mainUser.extraGroups = [ "libvirtd" ];
}
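Review bot: `users.users.mainUser.extraGroups = [ "libvirtd" ]` gives mainUser full control of the system libvirt daemon, which runs as root, and libvirt's own documentation treats membership in that group as equivalent to root access. That is the usual trade-off for a desktop VM host and is probably intended, but it deserves a comment, e.g. `# libvirtd group is root-equivalent via the system daemon; needed for virt-manager without polkit prompts`. If the VMs do not need bridged networking, the per-user session daemon (qemu:///session) avoids granting that. This file is currently only referenced from a commented-out `#./qemu.nix` import in cream's configuration, so it has no effect until that import is enabled.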


@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
services.grocy-scanner = {
enable = true;
host = "https://grocy.ingolf-wagner.de";
device = "/dev/input/by-id/usb-Belon.cn_2.4G_Wireless_Device_Belon_Smart-event-kbd";
apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not");
};
}
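Review bot: `apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not")` places the API key in the Nix store, which is world-readable on the host and, if the store is pushed to a cache or shared, beyond it; the option takes a file path precisely so the key can live outside the store. The current value reads like a placeholder, so the scanner will also not authenticate against grocy as written. Declare it as a sops secret the way the other cream files do, e.g. `sops.secrets.grocy_api_key = { };` and `apiKeyFile = config.sops.secrets.grocy_api_key.path;` (the secret name is a constructed example).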


@ -0,0 +1,66 @@
{ config, pkgs, lib, ... }: {
#sops.secrets.syncthing_cert = { };
#sops.secrets.syncthing_key = { };
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
#cert = toString config.sops.secrets.syncthing_cert.path;
#key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true;
folders = {
# on encrypted drive
# ------------------
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
private = {
enable = true;
path = "/home/palo/private";
};
art = {
enable = true;
path = "/home/palo/art";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
# no need to be encrypted
# -----------------------
books = {
enable = true;
path = "/home/palo/books";
};
music-library = {
enable = true;
path = "/home/palo/music-library";
};
music-projects = {
enable = true;
path = "/home/palo/music-projects";
};
};
};
services.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
services.permown."/home/palo/finance" = {
owner = "palo";
group = "syncthing";
};
}
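Review bot: `services.syncthing.folders` declares eight folders but no `devices`, and `overrideDevices` (not set here) defaults to true in the NixOS module, so on every activation any device added through the GUI is removed again and the folders have no peers to sync with — unless devices are declared in another file I cannot see. Either list the peer devices here (plus a `devices = [ ... ]` per folder) or set `overrideDevices = false;` if they are meant to be managed in the UI. The commented-out `cert`/`key` sops lines mean cream gets a freshly generated device identity on first start rather than a pinned one, so its device ID must be re-added on every peer if the config dir is ever lost. `services.permown."/home/palo/finance"` uses group `syncthing` while syncthing itself runs as `user = "palo"` and the music-library entry uses `users`; unless palo is in the `syncthing` group, that choice has no effect for the syncing process.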


@ -0,0 +1,15 @@
{ config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.27";
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.27";
# retiolum
#networking.retiolum.port = 720;
#sops.secrets.tinc_retiolum_ed25519_key = { };
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
}


@ -0,0 +1,26 @@
{ config, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
sops.secrets.wireguard_private = { };
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [ "10.100.0.6/32" ];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.sops.secrets.wireguard_private.path;
mtu = 1280;
peers = [
{
# robi
publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
allowedIPs = [ "10.100.0.1/24" ];
endpoint = "ingolf-wagner.de:51820";
}
];
};
};
}
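Review bot: The hub peer's `allowedIPs = [ "10.100.0.1/24" ]` has host bits set; wg masks it to 10.100.0.0/24, but the written form suggests a /32 for the hub plus a /24 route was intended, so state the route explicitly as `allowedIPs = [ "10.100.0.0/24" ];`. For a laptop that roams behind NAT there is no `persistentKeepalive`, so the hub can only reach cream while a NAT mapping is alive; `persistentKeepalive = 25;` on the peer is the usual setting for a spoke. The fixed `listenPort` with the matching firewall rule opens UDP 51820 on every interface of the laptop; that is only needed if peers must initiate connections to cream, otherwise both the port and the firewall rule can be dropped and wg picks an ephemeral port.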


@ -44,6 +44,11 @@
publicKey = "v0/cozfHsRUYBXHGUrY7TEZF/ItcQywVphDAQdm9GU0="; publicKey = "v0/cozfHsRUYBXHGUrY7TEZF/ItcQywVphDAQdm9GU0=";
allowedIPs = [ "10.100.0.5/32" ]; allowedIPs = [ "10.100.0.5/32" ];
} }
{
# cream
publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
allowedIPs = [ "10.100.0.6/32" ];
}
]; ];
}; };
}; };


@ -72,7 +72,7 @@
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
custom.samba-share = { custom.samba-share = {
enable = true; enable = false;
folders = { folders = {
share = "/home/share"; share = "/home/share";
video = "/home/video-material"; video = "/home/video-material";


@ -16,6 +16,7 @@
# Use the systemd-boot EFI boot loader, not grub # Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!)
#zramSwap = { #zramSwap = {
# enable = true; # enable = true;
@ -25,18 +26,12 @@
#}; #};
fileSystems."/share" = { fileSystems."/share" = {
#device = "/dev/ram1";
device = "none"; device = "none";
fsType = "tmpfs"; fsType = "tmpfs";
}; };
fileSystems."/browsers" = { fileSystems."/browsers" = {
#options = [ "noatime" "nodiratime" "discard" ];
#device = "/dev/vg/browser";
#fsType = "ext4";
device = "none"; device = "none";
#device = "/dev/ram2";
fsType = "tmpfs"; fsType = "tmpfs";
}; };


@ -0,0 +1,104 @@
# nix run github:nix-community/disko -- --mode create ./disko-config-cream.nix --dry-run
# nix run github:nix-community/disko -- --mode mount ./disko-config-cream.nix --dry-run
# nixos-generate-config --root /mnt/
# vim /mnt/configuration.nix
# nixos-install --root /mnt
{ ... }:
{
disk = {
nvme0n1 = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "table";
format = "gpt";
partitions = [
{
type = "partition";
name = "ESP";
start = "1MiB";
end = "500MiB";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
}
{
type = "partition";
name = "luks";
start = "500MiB";
end = "100%";
content = {
type = "luks";
name = "pool";
#keyFile = "/tmp/secret.key";
content = {
type = "lvm_pv";
vg = "pool";
};
};
}
];
};
};
sdb = {
type = "disk";
device = "/dev/sdb";
content = {
type = "table";
format = "gpt";
partitions = [
{
type = "partition";
name = "removable";
start = "1MiB";
end = "100%";
bootable = false;
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/removable";
mountOptions = [
"defaults"
];
};
}
];
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
root = {
type = "lvm_lv";
size = "100G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
home = {
type = "lvm_lv";
size = "150G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/home";
};
};
};
};
};
}
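Review bot: The second disk is addressed as `device = "/dev/sdb"`, and its mount point name says it is removable; `/dev/sdX` enumeration is not stable, so a `--mode create` run with another USB disk attached can format a different device than intended. Use a persistent path such as `/dev/disk/by-id/<disk-id>` (placeholder) for that disk, and preferably for `/dev/nvme0n1` as well. With `#keyFile` commented out the LUKS container is presumably created with an interactive passphrase prompt; that is fine for a laptop, but a one-line comment saying so would stop a reader from expecting the commands at the top of the file to run unattended.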