Merge branch 'feature/clan.lol'

This commit is contained in:
Ingolf Wagner 2024-05-27 10:48:38 +02:00
commit e840ff3b3d
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
3 changed files with 416 additions and 168 deletions


@ -133,7 +133,57 @@
"type": "github"
}
},
"clan-core": {
"inputs": {
"disko": "disko",
"flake-parts": [
"flake-parts"
],
"git-hooks": "git-hooks",
"nixos-generators": "nixos-generators",
"nixos-images": "nixos-images",
"nixpkgs": [
"nixpkgs"
],
"sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1716757238,
"narHash": "sha256-8voKL5nTtf7TX8pZvE9VMzSAzsQ+xFrDrEqvYpw2/yY=",
"ref": "refs/heads/main",
"rev": "6e9f1515d3f3a5ffb5a89a2a28d6014ea0022948",
"revCount": 2850,
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
},
"original": {
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716394172,
"narHash": "sha256-B+pNhV8GFeCj9/MoH+qtGqKbgv6fU4hGaw2+NoYYtB0=",
"owner": "nix-community",
"repo": "disko",
"rev": "23c63fb09334c3e8958b57e2ddc3870b75b9111d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"disko_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@ -153,7 +203,7 @@
"type": "github"
}
},
"disko_2": {
"disko_3": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",
@ -251,6 +301,26 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixos-anywhere",
@ -413,6 +483,22 @@
"type": "github"
}
},
"git-hooks": {
"flake": false,
"locked": {
"lastModified": 1716413087,
"narHash": "sha256-nSTIB7JeJGBGsvtqlyfhUByh/isyK1nfOq2YMxUOFJQ=",
"owner": "fricklerhandwerk",
"repo": "git-hooks",
"rev": "99a78fcf7dc03ba7b1d5c00af109c1e28ced3490",
"type": "github"
},
"original": {
"owner": "fricklerhandwerk",
"repo": "git-hooks",
"type": "github"
}
},
"gnome-shell": {
"flake": false,
"locked": {
@ -565,14 +651,45 @@
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1712450863,
"narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-2311": {
"locked": {
"lastModified": 1715818734,
"narHash": "sha256-WvAJWCwPj/6quKcsgsvQYyZRxV8ho/yUzj0HZQ34DVU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "95742536dc6debb5a8b8b78b27001c38f369f1e7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-anywhere": {
"inputs": {
"disko": "disko_2",
"flake-parts": "flake-parts",
"nixos-images": "nixos-images",
"disko": "disko_3",
"flake-parts": "flake-parts_2",
"nixos-images": "nixos-images_2",
"nixos-stable": "nixos-stable",
"nixpkgs": "nixpkgs_5",
"treefmt-nix": "treefmt-nix"
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1715150548,
@ -588,6 +705,28 @@
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716123454,
"narHash": "sha256-U2o4UPM/UsEyIX2p11+YEQgR9HY3PmjZ2mRl/x5e4xo=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "a63e0c83dd83fe28cc571b97129e13373436bd82",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1716173274,
@ -604,6 +743,28 @@
}
},
"nixos-images": {
"inputs": {
"nixos-2311": "nixos-2311",
"nixos-unstable": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716132123,
"narHash": "sha256-rATSWbPaKQfZGaemu0tHL2xfCzVIVwpuTjk+KSBC+k4=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "8c9cab8c44434c12dafc465fbf61a710c5bceb08",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-images",
"type": "github"
}
},
"nixos-images_2": {
"inputs": {
"nixos-2311": [
"nixos-anywhere",
@ -1027,8 +1188,10 @@
},
"root": {
"inputs": {
"disko": "disko",
"clan-core": "clan-core",
"disko": "disko_2",
"dns": "dns",
"flake-parts": "flake-parts",
"grocy-scanner": "grocy-scanner",
"home-manager": "home-manager",
"home-manager-utils": "home-manager-utils",
@ -1051,7 +1214,7 @@
"retiolum": "retiolum",
"secrets": "secrets",
"smoke": "smoke",
"sops-nix": "sops-nix",
"sops-nix": "sops-nix_2",
"srvos": "srvos",
"srvos_nixpkgs": [
"srvos",
@ -1119,6 +1282,30 @@
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
],
"nixpkgs-stable": [
"clan-core"
]
},
"locked": {
"lastModified": 1716087663,
"narHash": "sha256-zuSAGlx8Qk0OILGCC2GUyZ58/SJ5R3GZdeUNQ6IS0fQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "0bf1808e70ce80046b0cff821c019df2b19aabf5",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sops-nix_2": {
"inputs": {
"nixpkgs": "nixpkgs_9",
"nixpkgs-stable": "nixpkgs-stable"
@ -1239,6 +1426,27 @@
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715940852,
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixos-anywhere",

flake.nix

@ -5,6 +5,16 @@
url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
flake = false;
};
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
clan-core = {
url = "git+https://git.clan.lol/clan/clan-core";
inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
inputs.flake-parts.follows = "flake-parts";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-legacy_2105.url = "github:nixos/nixpkgs/nixos-21.05";
nixpkgs-legacy_2205.url = "github:nixos/nixpkgs/nixos-22.05";
@ -88,10 +98,12 @@
};
outputs =
{ self
inputs@{ self
, clan-core
, disko
, dns
#, doom-emacs-nix
, flake-parts
, grocy-scanner
, home-manager
, home-manager-utils
@ -113,22 +125,23 @@
, private_assets
, retiolum
, secrets
, srvos
, srvos_nixpkgs
, smoke
, sops-nix
, srvos
, srvos_nixpkgs
, stylix
, taskshell
}:
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
let
#system = "x86_64-linux";
#pkgs = nixpkgs.legacyPackages.${system};
inherit (nixpkgs) lib;
meta = { nixpackages ? nixpkgs }: rec {
meta = rec {
system = "x86_64-linux";
pkgs = import nixpackages {
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
config.permittedInsecurePackages = [
@ -163,42 +176,24 @@
inherit private_assets;
assets = ./nixos/assets;
};
};
# todo : why redefine it?
# Mic92 means, is not needed anymore
nixosSystem = args:
(lib.makeOverridable lib.nixosSystem)
(lib.recursiveUpdate args {
modules =
args.modules
++ [
{
config.nixpkgs.pkgs = lib.mkDefault args.pkgs;
config.nixpkgs.localSystem = lib.mkDefault args.pkgs.stdenv.hostPlatform;
}
];
});
nixosConfigurationSetup =
clanSetup =
{ name
, host ? "${name}.private"
, host
, modules
, nixpackages ? nixpkgs
}:
nixosSystem {
inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs;
modules = modules ++ defaultModules ++ [
{
_module.args.nixinate = {
host = host;
sshUser = "root";
buildOn = "remote"; # valid args are "local" or "remote"
substituteOnTarget = false; # if buildOn is "local" then it will substitute on the target, "-s"
#hermetic = false; # ??? don't know what this is
nixOptions = [ "--max-jobs 1" ];
};
}
#, nixpackages ? meta.nixpkgs
}: {
clan.networking.targetHost = lib.mkDefault "root@${host}";
clanCore.machineIcon = null; # Optional, a path to an image file
#nixpkgs.pkgs = nixpackages;
nixpkgs.pkgs = meta.pkgs;
nixpkgs.hostPlatform = meta.system;
imports = modules ++ defaultModules ++ [
{
imports = [
./nixos/machines/${name}/configuration.nix
@ -228,25 +223,26 @@
# '';
# };
# })
{
nix.settings.substituters = [ "https://cache.nixos.org/" ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# no channesl needed this way
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
}
{
({ pkgs, ... }:
{
nix.settings.substituters = [ "https://cache.nixos.org/" ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# no channesl needed this way
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
})
({ pkgs, ... }: {
boot.tmp.useTmpfs = lib.mkDefault true;
environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${system} ];
environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${pkgs.system} ];
imports = [
permown.nixosModules.permown
disko.nixosModules.disko
#disko.nixosModules.disko
kmonad.nixosModules.default
grocy-scanner.nixosModule
];
}
})
];
homeManagerModules = { config, ... }: {
homeManagerModules = { pkgs, config, ... }: {
imports = [
home-manager.nixosModules.home-manager
stylix.nixosModules.stylix
@ -290,29 +286,33 @@
};
sopsModule = name: { lib, ... }: {
imports = [ sops-nix.nixosModules.sops ];
#imports = [ sops-nix.nixosModules.sops ];
sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml";
};
in
{
devShells.${system}.default =
pkgs.mkShell {
buildInputs = [
nixpkgs-fmt.defaultPackage.${system}
nixos-anywhere.packages.${system}.nixos-anywhere
];
};
apps = nixinate.nixinate.x86_64-linux self;
flake-parts.lib.mkFlake { inherit inputs; } ({ self, pkgs, ... }: {
# We define our own systems below. you can still use this to add system specific outputs to your flake.
# See: https://flake.parts/getting-started
systems = [ ];
nixosConfigurations =
{
sternchen = nixosConfigurationSetup {
# import clan-core modules
imports = [
clan-core.flakeModules.default
];
# Define your clan
clan = {
# Clan wide settings. (Required)
clanName = "gummybears"; # Ensure to choose a unique name.
specialArgs = meta.specialArgs;
machines = {
sternchen = clanSetup {
name = "sternchen";
#host = "sternchen.secret";
#host = "192.168.178.25";
host = "sternchen";
#host = "sternchen.secure";
host = "192.168.178.25";
modules = [
nixos-hardware.nixosModules.lenovo-thinkpad-x220
homeManagerModules
@ -335,76 +335,121 @@
})
];
};
cream = nixosConfigurationSetup
{
name = "cream";
modules = [
nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum
private_assets.nixosModules.cream
homeManagerModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
cherry = nixosConfigurationSetup
{
name = "cherry";
modules = [
nixos-hardware.nixosModules.framework-13th-gen-intel
homeManagerModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
chungus = nixosConfigurationSetup
{
name = "chungus";
modules = [
homeManagerModules
retiolum.nixosModules.retiolum
private_assets.nixosModules.chungus
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
orbi = nixosConfigurationSetup
{
name = "orbi";
host = "95.216.66.212";
modules = [
homeManagerModules
srvos.nixosModules.hardware-hetzner-online-intel
srvos.nixosModules.server
srvos.nixosModules.mixins-terminfo
#{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
robi = nixosConfigurationSetup
{
name = "robi";
modules = [
homeManagerModules
#{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
cream = clanSetup {
name = "cream";
host = "cream.private";
modules = [
nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum
private_assets.nixosModules.cream
homeManagerModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
cherry = clanSetup {
name = "cherry";
host = "cherry.private";
modules = [
nixos-hardware.nixosModules.framework-13th-gen-intel
homeManagerModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
chungus = clanSetup {
name = "chungus";
host = "chungus.private";
modules = [
homeManagerModules
retiolum.nixosModules.retiolum
private_assets.nixosModules.chungus
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
orbi = clanSetup {
name = "orbi";
host = "orbi.private";
# host = "95.216.66.212";
modules = [
homeManagerModules
srvos.nixosModules.hardware-hetzner-online-intel
srvos.nixosModules.server
srvos.nixosModules.mixins-terminfo
{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
robi = clanSetup {
name = "robi";
host = "robi.private";
modules = [
homeManagerModules
{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
{
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
};
};
};
});
}
# devShells.${system}.default =
# pkgs.mkShell {
# buildInputs = [
# nixpkgs-fmt.defaultPackage.${system}
# nixos-anywhere.packages.${system}.nixos-anywhere
# ];
# };
#apps = nixinate.nixinate.x86_64-linux self;
# packages = with nixpkgs.lib; {
# ${system} =
# let
# vms = mapAttrs'
# (host: sys: {
# name = "vm-${host}";
# value = sys.config.system.build.vm;
# })
# self.nixosConfigurations;
# sds = mapAttrs'
# (host: sys: {
# name = "sd-${host}";
# value = sys.config.system.build.sdImage;
# })
# (filterAttrs
# (n: hasAttrByPath [ "config" "system" "build" "sdImage" ])
# self.nixosConfigurations);
# in
# vms // sds;
# };
# nixosConfigurations =
# };
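Review bot: The new `clan-core` input block in the first hunk only declares `follows` for nixpkgs and flake-parts, while the defaultModules and sopsModule hunks now rely on clan-core's copies of disko and sops-nix (`#disko.nixosModules.disko` and `#imports = [ sops-nix.nixosModules.sops ];` are commented out) and the root flake still keeps its own `disko` and `sops-nix` inputs. The lock section above shows the consequence: `clan-core` pins `disko` and `sops-nix`, the root pins `disko_2` and `sops-nix_2`, so two revisions of each are locked and fetched, and the sops-nix module the NixOS side evaluates is not the `sops-nix` passed to `outputs`. Adding `inputs.disko.follows = "disko";` and `inputs.sops-nix.follows = "sops-nix";` to the `clan-core` block would collapse each to a single pin, assuming clan-core evaluates cleanly against the root-pinned revisions. Separately, `orbi` switches its target from the public IP to `orbi.private` (old value kept as a comment) although, unlike cream and chungus, its module list does not include `retiolum.nixosModules.retiolum`; I cannot tell from here whether that name resolves on the deploying host, so it is worth confirming before the next deploy.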


@ -14,14 +14,7 @@ with lib;
config = mkIf config.components.yubikey.enable {
services.pcscd.enable = true;
services.udev.packages = [
pkgs.yubikey-personalization
# additional services, but I just want gpg
# pkgs.libu2f-host
];
services.udev.packages = [ pkgs.yubikey-personalization ];
environment.systemPackages = [
@ -43,24 +36,26 @@ with lib;
];
## managed by home-manager now
#environment.shellInit = ''
# export GPG_TTY="$(tty)"
# gpg-connect-agent /bye
# export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
#'';
#programs = {
# ssh.startAgent = false;
# gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
#};
## managed by home-manager now
#security.pam.u2f.enable = true;
#security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
#sops.secrets.yubikey_u2fAuthFile = { };
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
## managed by home-manager now
security.pam.u2f.enable = true;
security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
sops.secrets.yubikey_u2fAuthFile = { };
};
}
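Review bot: The comment `## managed by home-manager now` sits directly above `security.pam.u2f.enable = true;` on what appears to be the new side, but that setting (together with `environment.shellInit` and `programs.gnupg.agent`) is now configured in this NixOS module, so the comment states the opposite of what the code does; replace it with the reason the gpg-agent and PAM U2F setup moved back here, or drop it. Since `security.pam.u2f.control` is not set, whether the registered token is sufficient on its own or an additional required factor is whatever the NixOS default gives; setting it explicitly next to the enable line would document the intended authentication policy. This reading assumes the uncommented lines are the new side, which the rendered view does not mark; the enclosing `config = mkIf config.components.yubikey.enable { ... }` attrset opens in the earlier hunk and the module's argument list is above both hunks.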