add cream

flake.lock

@@ -908,11 +908,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1675998131,
-        "narHash": "sha256-j17u/hZeFk/qJsqi8R3//UZbMZUFmuhM3EgqL/DdByo=",
+        "lastModified": 1676307221,
+        "narHash": "sha256-6XX4HQHuQxRnD2p3M1fLBOpfl9wFKIGc51Lm/bGqPOU=",
         "ref": "main",
-        "rev": "035d16fc7f29ee294da3091f74a4a909d46f197d",
-        "revCount": 45,
+        "rev": "060661c725d1c9cdfe6c54692fd22193dfced4f2",
+        "revCount": 46,
         "type": "git",
         "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
       },

flake.nix

@@ -178,6 +178,24 @@
             home-manager.useUserPackages = true;
           };
 
+          cream = { name, nodes, pkgs, ... }: {
+            deployment.allowLocalDeployment = true;
+            deployment.targetHost = "${name}.private";
+            deployment.tags = [ "desktop" "online" "private" ];
+            imports = [
+              grocy-scanner.nixosModule
+              nixos-hardware.nixosModules.framework-12th-gen-intel
+              #retiolum.nixosModules.retiolum
+            ];
+
+            home-manager.users.mainUser = {
+              imports = [
+                doom-emacs-nix.hmModule
+                home-manager-utils.hmModule
+              ];
+            };
+          };
+
           sterni = { name, nodes, pkgs, ... }: {
             deployment.allowLocalDeployment = true;
             deployment.targetHost = "${name}.private";

images/usb-init-configuration.nix

@@ -49,7 +49,7 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
+  system.stateVersion = "22.11"; # Did you read the comment?
 
 
 }

nixos/components/network/tinc/private.nix

@@ -12,6 +12,7 @@ let
     sterni = "10.23.42.24";
     bobi = "10.23.42.25";
     pepe = "10.23.42.26";
+    cream = "10.23.42.27";
     robi = "10.23.42.111";
   };
   subDomains = {
@@ -34,6 +35,7 @@ in
 
   sops.secrets.tinc_ed25519_key = { };
 
+  #  nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
   services.tinc.networks = {
     ${network} = {
       ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
@@ -46,6 +48,10 @@ in
           subnets = [{ address = hosts.mobi; }];
           settings.Ed25519PublicKey = "X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB";
         };
+        cream = {
+          subnets = [{ address = hosts.cream; }];
+          settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
+        };
         sterni = {
           subnets = [{ address = hosts.sterni; }];
           settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
@@ -92,6 +98,10 @@ in
       hostNames = [ "sterni.${network}" hosts.sterni ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
     };
+    "cream.${network}" = {
+      hostNames = [ "cream.${network}" hosts.cream ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
+    };
     "pepe.${network}" = {
       hostNames = [ "pepe.${network}" hosts.pepe ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";

nixos/components/network/tinc/secret.nix

@@ -11,6 +11,7 @@ let
   hosts = {
     sternchen = "10.123.42.25";
     sterni = "10.123.42.24";
+    cream = "10.123.42.27";
     robi = "10.123.42.123";
   };
   network = "secret";
@@ -27,9 +28,13 @@ in
       '';
       hostSettings = {
         sternchen = {
-          subnets = [{ address = hosts.sterni; }];
+          subnets = [{ address = hosts.sternchen; }];
           settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
         };
+        cream = {
+          subnets = [{ address = hosts.cream; }];
+          settings.Ed25519PublicKey = "";
+        };
         sterni = {
           subnets = [{ address = hosts.sterni; }];
           settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";

nixos/machines/cream/configuration.nix

@@ -0,0 +1,102 @@
+{ config, pkgs, lib, ... }: {
+
+  imports = [
+
+    ../../system/desktop
+    ../../system/server/netdata.nix
+
+    ./hardware-configuration.nix
+    ./packages.nix
+    ./syncthing.nix
+    ./tinc.nix
+
+    #./wifi-access-point.nix
+    #./wireshark.nix
+    #./scanner.nix
+    #./qemu.nix
+    ./wireguard.nix
+
+  ];
+
+
+  services.nginx.enable = true;
+
+  networking.hostName = "cream";
+
+  system.custom.wifi.interfaces = [ "wlp166s0" ];
+
+  security.wrappers = {
+    pmount = {
+      source = "${pkgs.pmount}/bin/pmount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+    pumount = {
+      source = "${pkgs.pmount}/bin/pumount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+  };
+
+  programs.custom.steam.enable = true;
+  programs.custom.video.enable = false;
+
+  services.printing.enable = true;
+
+  # fonts
+  # -----
+  programs.custom.urxvt.fontSize = 12;
+  programs.custom.xterm.fontSize = 12;
+  system.custom.fonts.dpi = 200;
+
+  virtualisation = {
+    docker.enable = true;
+    podman.enable = true;
+
+    virtualbox = {
+      host.enable = false;
+      guest.x11 = false;
+      guest.enable = false;
+    };
+  };
+
+  configuration.desktop = {
+    width = 2256;
+    height = 1504;
+  };
+
+  services.xserver.desktopManager.gnome.enable = true;
+
+  custom.samba-share = {
+    enable = false;
+    folders = {
+      share = "/home/share";
+      video = "/home/video-material";
+    };
+  };
+
+  # enable this to use sidequest
+  programs.adb.enable = true;
+  users.users.mainUser.extraGroups = [ "adbusers" "video" ];
+
+  # for congress and streaming
+  hardware.opengl = {
+    enable = true;
+    #  extraPackages = [
+    #        intel-media-driver # LIBVA_DRIVER_NAME=iHD
+    #        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+    #        vaapiVdpau
+    #        libvdpau-va-gl
+    #  ];
+    driSupport = true;
+    driSupport32Bit = true;
+  };
+  #nixpkgs.config.packageOverrides = pkgs: {
+  #  vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  #};
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+
+}

nixos/machines/cream/hardware-configuration.nix

@@ -0,0 +1,79 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "uas" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Use the systemd-boot EFI boot loader, not grub
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!)
+
+  boot.initrd.luks.devices = {
+    pool = {
+      device = "/dev/nvme0n1p2";
+      preLVM = true;
+    };
+  };
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/13A0-D756";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1";
+      fsType = "ext4";
+    };
+
+  fileSystems."/removable" =
+    {
+      device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7";
+      fsType = "ext4";
+    };
+
+  fileSystems."/share" = {
+    device = "none";
+    fsType = "tmpfs";
+  };
+
+  fileSystems."/browsers" = {
+    device = "none";
+    fsType = "tmpfs";
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s13f0u4c2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  #powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}

nixos/machines/cream/packages.nix

@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+let
+  nextcloudSync = folder:
+    let
+      password = "$( pass show home/nextcloud/palo/nextcloudcmd-token)";
+      user = "palo";
+    in
+    pkgs.writers.writeBashBin "nextcloud-sync-${folder}" ''
+      ${pkgs.nextcloud-client}/bin/nextcloudcmd \
+        --path "${folder}" \
+        ~/Nextcloud/${folder} \
+        "https://${user}:${password}@nextcloud.ingolf-wagner.de"
+    '';
+
+
+in
+{
+  environment.systemPackages = with pkgs; [
+
+    ((ganttproject-bin.override {
+      jre = pkgs.openjdk11;
+    }).overrideAttrs (old: {
+      version = "3.1.3100";
+      src = pkgs.fetchzip {
+        url = "https://dl.ganttproject.biz/ganttproject-3.1.3100/ganttproject-3.1.3100.zip";
+        sha256 = "sha256-hw2paak0P670/kemiuqYHIaN0uUtkVKy+AX2X7OdnJ4=";
+      };
+    }))
+
+    autorandr
+
+    (nextcloudSync "InstantUpload")
+    (nextcloudSync "Pictures")
+    (nextcloudSync "Unterlagen")
+    (nextcloudSync "Nähen")
+    (nextcloudSync "Video")
+    (nextcloudSync "Kunstbuch")
+    (nextcloudSync "AWS-SolutionArchitect-Professional")
+
+    (pkgs.writeShellScriptBin "nixFlakes" ''
+      exec ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"
+    '')
+
+    valentina
+
+    sweethome3d.application
+    pkgs.polygon-art.polygon-art
+
+    # bluetooth gui
+    blueberry
+
+    nextcloud-client
+    gimp
+    inkscape
+    imagemagick
+
+    bitwig-studio3
+    #sononym-crawler
+    darktable
+
+    #blender
+    mosquitto
+    (pkgs.writers.writeBashBin "mqtt-tail" ''
+      ${pkgs.mosquitto}/bin/mosquitto_sub -v \
+               -h pepe.private \
+               -u homeassistant \
+               -P password \
+               -t "#"
+    '')
+
+    # rust development environment
+    rustup
+    jetbrains.clion
+
+    # general
+    jetbrains.idea-ultimate
+    #vscode
+
+    # python
+    python3Full
+    jetbrains.pycharm-professional
+    jetbrains.datagrip
+
+    # matrix clients
+    # --------------
+    #element-desktop
+    #fractal
+    legacy.mirage-im
+
+    tor-browser-bundle-bin
+    #(tor-browser-bundle-bin.overrideAttrs (old: rec {
+    #  version = "11.0.1";
+    #  name = "tor-browser-bundle-${version}";
+    #  src = pkgs.fetchurl {
+    #    url =
+    #      "https://dist.torproject.org/torbrowser/10.0.15/tor-browser-linux64-10.0.15_en-US.tar.xz";
+    #      "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
+    #    sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs";
+    #  };
+    #}))
+
+    sops
+
+    bitwarden
+
+  ];
+
+  home-manager.users.mainUser = {
+    programs.obs-studio.enable = true;
+  };
+
+}

nixos/machines/cream/qemu.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  virtualisation.libvirtd.enable = true;
+  #virtualisation.libvirtd.allowedBridges = ["virbr0"];
+  virtualisation.libvirtd.onShutdown = "shutdown";
+
+  environment.systemPackages = [
+    pkgs.qemu_kvm
+    pkgs.virt-manager
+  ];
+
+  users.users.mainUser.extraGroups = [ "libvirtd" ];
+
+
+}

nixos/machines/cream/scanner.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+{
+  services.grocy-scanner = {
+    enable = true;
+    host = "https://grocy.ingolf-wagner.de";
+    device = "/dev/input/by-id/usb-Belon.cn_2.4G_Wireless_Device_Belon_Smart-event-kbd";
+    apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not");
+  };
+}

nixos/machines/cream/syncthing.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: {
+
+  #sops.secrets.syncthing_cert = { };
+  #sops.secrets.syncthing_key = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    #cert = toString config.sops.secrets.syncthing_cert.path;
+    #key = toString config.sops.secrets.syncthing_key.path;
+    overrideFolders = true;
+    folders = {
+
+      # on encrypted drive
+      # ------------------
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
+      private = {
+        enable = true;
+        path = "/home/palo/private";
+      };
+      art = {
+        enable = true;
+        path = "/home/palo/art";
+      };
+      desktop = {
+        enable = true;
+        path = "/home/palo/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/home/palo/finance";
+      };
+
+      # no need to be encrypted
+      # -----------------------
+      books = {
+        enable = true;
+        path = "/home/palo/books";
+      };
+      music-library = {
+        enable = true;
+        path = "/home/palo/music-library";
+      };
+      music-projects = {
+        enable = true;
+        path = "/home/palo/music-projects";
+      };
+    };
+  };
+
+  services.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+
+  services.permown."/home/palo/finance" = {
+    owner = "palo";
+    group = "syncthing";
+  };
+}

nixos/machines/cream/tinc.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+
+  tinc.private.enable = true;
+  tinc.private.ipv4 = "10.23.42.27";
+
+  tinc.secret.enable = true;
+  tinc.secret.ipv4 = "10.123.42.27";
+
+  # retiolum
+  #networking.retiolum.port = 720;
+  #sops.secrets.tinc_retiolum_ed25519_key = { };
+  #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
+
+}

nixos/machines/cream/wireguard.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  sops.secrets.wireguard_private = { };
+
+  # Enable WireGuard
+  networking.wg-quick.interfaces = {
+    # Hub and Spoke Setup
+    # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+    wg0 = {
+      address = [ "10.100.0.6/32" ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;
+
+      peers = [
+        {
+          # robi
+          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
+          allowedIPs = [ "10.100.0.1/24" ];
+          endpoint = "ingolf-wagner.de:51820";
+        }
+      ];
+    };
+  };
+}

nixos/machines/robi/wireguard.nix

@@ -44,6 +44,11 @@
           publicKey = "v0/cozfHsRUYBXHGUrY7TEZF/ItcQywVphDAQdm9GU0=";
           allowedIPs = [ "10.100.0.5/32" ];
         }
+        {
+          # cream
+          publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
+          allowedIPs = [ "10.100.0.6/32" ];
+        }
       ];
     };
   };

nixos/machines/sterni/configuration.nix

@@ -72,7 +72,7 @@
   services.xserver.desktopManager.gnome.enable = true;
 
   custom.samba-share = {
-    enable = true;
+    enable = false;
     folders = {
       share = "/home/share";
       video = "/home/video-material";

nixos/machines/sterni/hardware-configuration.nix

@@ -16,6 +16,7 @@
   # Use the systemd-boot EFI boot loader, not grub
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!)
 
   #zramSwap = {
   #  enable = true;
@@ -25,18 +26,12 @@
   #};
 
   fileSystems."/share" = {
-    #device = "/dev/ram1";
     device = "none";
     fsType = "tmpfs";
   };
 
   fileSystems."/browsers" = {
-    #options = [ "noatime" "nodiratime" "discard" ];
-    #device = "/dev/vg/browser";
-    #fsType = "ext4";
-
     device = "none";
-    #device = "/dev/ram2";
     fsType = "tmpfs";
   };
 

scripts/disko-config-cream.nix

@@ -0,0 +1,104 @@
+# nix run github:nix-community/disko -- --mode create ./disko-config-cream.nix --dry-run
+# nix run github:nix-community/disko -- --mode mount ./disko-config-cream.nix --dry-run
+# nixos-generate-config --root /mnt/
+# vim /mnt/configuration.nix
+# nixos-install --root /mnt
+{ ... }:
+{
+  disk = {
+    nvme0n1 = {
+      type = "disk";
+      device = "/dev/nvme0n1";
+      content = {
+        type = "table";
+        format = "gpt";
+        partitions = [
+          {
+            type = "partition";
+            name = "ESP";
+            start = "1MiB";
+            end = "500MiB";
+            bootable = true;
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          }
+          {
+            type = "partition";
+            name = "luks";
+            start = "500MiB";
+            end = "100%";
+            content = {
+              type = "luks";
+              name = "pool";
+              #keyFile = "/tmp/secret.key";
+              content = {
+                type = "lvm_pv";
+                vg = "pool";
+              };
+            };
+          }
+        ];
+      };
+    };
+    sdb = {
+      type = "disk";
+      device = "/dev/sdb";
+      content = {
+        type = "table";
+        format = "gpt";
+        partitions = [
+          {
+            type = "partition";
+            name = "removable";
+            start = "1MiB";
+            end = "100%";
+            bootable = false;
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/removable";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          }
+        ];
+
+      };
+    };
+  };
+  lvm_vg = {
+    pool = {
+      type = "lvm_vg";
+      lvs = {
+        root = {
+          type = "lvm_lv";
+          size = "100G";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+            mountOptions = [
+              "defaults"
+            ];
+          };
+        };
+        home = {
+          type = "lvm_lv";
+          size = "150G";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/home";
+          };
+        };
+      };
+    };
+  };
+}