Merge branch 'feature/clan.lol'

This commit is contained in:
Ingolf Wagner 2024-05-27 10:48:38 +02:00
commit e840ff3b3d
Signed by: palo
GPG key ID: 76BF5F1928B9618B
3 changed files with 416 additions and 168 deletions


@ -133,7 +133,57 @@
"type": "github" "type": "github"
} }
}, },
"clan-core": {
"inputs": {
"disko": "disko",
"flake-parts": [
"flake-parts"
],
"git-hooks": "git-hooks",
"nixos-generators": "nixos-generators",
"nixos-images": "nixos-images",
"nixpkgs": [
"nixpkgs"
],
"sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1716757238,
"narHash": "sha256-8voKL5nTtf7TX8pZvE9VMzSAzsQ+xFrDrEqvYpw2/yY=",
"ref": "refs/heads/main",
"rev": "6e9f1515d3f3a5ffb5a89a2a28d6014ea0022948",
"revCount": 2850,
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
},
"original": {
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
}
},
"disko": { "disko": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716394172,
"narHash": "sha256-B+pNhV8GFeCj9/MoH+qtGqKbgv6fU4hGaw2+NoYYtB0=",
"owner": "nix-community",
"repo": "disko",
"rev": "23c63fb09334c3e8958b57e2ddc3870b75b9111d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"disko_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -153,7 +203,7 @@
"type": "github" "type": "github"
} }
}, },
"disko_2": { "disko_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixos-anywhere", "nixos-anywhere",
@ -251,6 +301,26 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixos-anywhere", "nixos-anywhere",
@ -413,6 +483,22 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"flake": false,
"locked": {
"lastModified": 1716413087,
"narHash": "sha256-nSTIB7JeJGBGsvtqlyfhUByh/isyK1nfOq2YMxUOFJQ=",
"owner": "fricklerhandwerk",
"repo": "git-hooks",
"rev": "99a78fcf7dc03ba7b1d5c00af109c1e28ced3490",
"type": "github"
},
"original": {
"owner": "fricklerhandwerk",
"repo": "git-hooks",
"type": "github"
}
},
"gnome-shell": { "gnome-shell": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -565,14 +651,45 @@
"type": "github" "type": "github"
} }
}, },
"nixlib": {
"locked": {
"lastModified": 1712450863,
"narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "3c62b6a12571c9a7f65ab037173ee153d539905f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-2311": {
"locked": {
"lastModified": 1715818734,
"narHash": "sha256-WvAJWCwPj/6quKcsgsvQYyZRxV8ho/yUzj0HZQ34DVU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "95742536dc6debb5a8b8b78b27001c38f369f1e7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-anywhere": { "nixos-anywhere": {
"inputs": { "inputs": {
"disko": "disko_2", "disko": "disko_3",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"nixos-images": "nixos-images", "nixos-images": "nixos-images_2",
"nixos-stable": "nixos-stable", "nixos-stable": "nixos-stable",
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_5",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1715150548, "lastModified": 1715150548,
@ -588,6 +705,28 @@
"type": "github" "type": "github"
} }
}, },
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716123454,
"narHash": "sha256-U2o4UPM/UsEyIX2p11+YEQgR9HY3PmjZ2mRl/x5e4xo=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "a63e0c83dd83fe28cc571b97129e13373436bd82",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1716173274, "lastModified": 1716173274,
@ -604,6 +743,28 @@
} }
}, },
"nixos-images": { "nixos-images": {
"inputs": {
"nixos-2311": "nixos-2311",
"nixos-unstable": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716132123,
"narHash": "sha256-rATSWbPaKQfZGaemu0tHL2xfCzVIVwpuTjk+KSBC+k4=",
"owner": "nix-community",
"repo": "nixos-images",
"rev": "8c9cab8c44434c12dafc465fbf61a710c5bceb08",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-images",
"type": "github"
}
},
"nixos-images_2": {
"inputs": { "inputs": {
"nixos-2311": [ "nixos-2311": [
"nixos-anywhere", "nixos-anywhere",
@ -1027,8 +1188,10 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "clan-core": "clan-core",
"disko": "disko_2",
"dns": "dns", "dns": "dns",
"flake-parts": "flake-parts",
"grocy-scanner": "grocy-scanner", "grocy-scanner": "grocy-scanner",
"home-manager": "home-manager", "home-manager": "home-manager",
"home-manager-utils": "home-manager-utils", "home-manager-utils": "home-manager-utils",
@ -1051,7 +1214,7 @@
"retiolum": "retiolum", "retiolum": "retiolum",
"secrets": "secrets", "secrets": "secrets",
"smoke": "smoke", "smoke": "smoke",
"sops-nix": "sops-nix", "sops-nix": "sops-nix_2",
"srvos": "srvos", "srvos": "srvos",
"srvos_nixpkgs": [ "srvos_nixpkgs": [
"srvos", "srvos",
@ -1119,6 +1282,30 @@
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
],
"nixpkgs-stable": [
"clan-core"
]
},
"locked": {
"lastModified": 1716087663,
"narHash": "sha256-zuSAGlx8Qk0OILGCC2GUyZ58/SJ5R3GZdeUNQ6IS0fQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "0bf1808e70ce80046b0cff821c019df2b19aabf5",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sops-nix_2": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_9", "nixpkgs": "nixpkgs_9",
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
@ -1239,6 +1426,27 @@
} }
}, },
"treefmt-nix": { "treefmt-nix": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715940852,
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixos-anywhere", "nixos-anywhere",

flake.nix

@ -5,6 +5,16 @@
url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main"; url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
flake = false; flake = false;
}; };
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
clan-core = {
url = "git+https://git.clan.lol/clan/clan-core";
inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
inputs.flake-parts.follows = "flake-parts";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-legacy_2105.url = "github:nixos/nixpkgs/nixos-21.05"; nixpkgs-legacy_2105.url = "github:nixos/nixpkgs/nixos-21.05";
nixpkgs-legacy_2205.url = "github:nixos/nixpkgs/nixos-22.05"; nixpkgs-legacy_2205.url = "github:nixos/nixpkgs/nixos-22.05";
@ -88,10 +98,12 @@
}; };
outputs = outputs =
{ self inputs@{ self
, clan-core
, disko , disko
, dns , dns
#, doom-emacs-nix #, doom-emacs-nix
, flake-parts
, grocy-scanner , grocy-scanner
, home-manager , home-manager
, home-manager-utils , home-manager-utils
@ -113,22 +125,23 @@
, private_assets , private_assets
, retiolum , retiolum
, secrets , secrets
, srvos
, srvos_nixpkgs
, smoke , smoke
, sops-nix , sops-nix
, srvos
, srvos_nixpkgs
, stylix , stylix
, taskshell , taskshell
}: }:
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; let
#system = "x86_64-linux";
#pkgs = nixpkgs.legacyPackages.${system};
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
meta = { nixpackages ? nixpkgs }: rec { meta = rec {
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpackages { pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
config.permittedInsecurePackages = [ config.permittedInsecurePackages = [
@ -163,42 +176,24 @@
inherit private_assets; inherit private_assets;
assets = ./nixos/assets; assets = ./nixos/assets;
}; };
}; };
# todo : why redefine it? clanSetup =
# Mic92 means, is not needed anymore
nixosSystem = args:
(lib.makeOverridable lib.nixosSystem)
(lib.recursiveUpdate args {
modules =
args.modules
++ [
{
config.nixpkgs.pkgs = lib.mkDefault args.pkgs;
config.nixpkgs.localSystem = lib.mkDefault args.pkgs.stdenv.hostPlatform;
}
];
});
nixosConfigurationSetup =
{ name { name
, host ? "${name}.private" , host
, modules , modules
, nixpackages ? nixpkgs #, nixpackages ? meta.nixpkgs
}: }: {
nixosSystem {
inherit (meta { nixpackages = nixpackages; }) system specialArgs pkgs; clan.networking.targetHost = lib.mkDefault "root@${host}";
modules = modules ++ defaultModules ++ [ clanCore.machineIcon = null; # Optional, a path to an image file
{
_module.args.nixinate = { #nixpkgs.pkgs = nixpackages;
host = host; nixpkgs.pkgs = meta.pkgs;
sshUser = "root"; nixpkgs.hostPlatform = meta.system;
buildOn = "remote"; # valid args are "local" or "remote"
substituteOnTarget = false; # if buildOn is "local" then it will substitute on the target, "-s" imports = modules ++ defaultModules ++ [
#hermetic = false; # ??? don't know what this is
nixOptions = [ "--max-jobs 1" ];
};
}
{ {
imports = [ imports = [
./nixos/machines/${name}/configuration.nix ./nixos/machines/${name}/configuration.nix
@ -228,25 +223,26 @@
# ''; # '';
# }; # };
# }) # })
{ ({ pkgs, ... }:
nix.settings.substituters = [ "https://cache.nixos.org/" ]; {
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.substituters = [ "https://cache.nixos.org/" ];
# no channesl needed this way nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; # no channesl needed this way
} nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
{ })
({ pkgs, ... }: {
boot.tmp.useTmpfs = lib.mkDefault true; boot.tmp.useTmpfs = lib.mkDefault true;
environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${system} ]; environment.systemPackages = [ nixpkgs-fmt.defaultPackage.${pkgs.system} ];
imports = [ imports = [
permown.nixosModules.permown permown.nixosModules.permown
disko.nixosModules.disko #disko.nixosModules.disko
kmonad.nixosModules.default kmonad.nixosModules.default
grocy-scanner.nixosModule grocy-scanner.nixosModule
]; ];
} })
]; ];
homeManagerModules = { config, ... }: { homeManagerModules = { pkgs, config, ... }: {
imports = [ imports = [
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
stylix.nixosModules.stylix stylix.nixosModules.stylix
@ -290,29 +286,33 @@
}; };
sopsModule = name: { lib, ... }: { sopsModule = name: { lib, ... }: {
imports = [ sops-nix.nixosModules.sops ]; #imports = [ sops-nix.nixosModules.sops ];
sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml"; sops.defaultSopsFile = lib.mkForce "${secrets}/secrets/${name}.yaml";
}; };
in in
{
devShells.${system}.default =
pkgs.mkShell {
buildInputs = [
nixpkgs-fmt.defaultPackage.${system}
nixos-anywhere.packages.${system}.nixos-anywhere
];
};
apps = nixinate.nixinate.x86_64-linux self; flake-parts.lib.mkFlake { inherit inputs; } ({ self, pkgs, ... }: {
# We define our own systems below. you can still use this to add system specific outputs to your flake.
# See: https://flake.parts/getting-started
systems = [ ];
nixosConfigurations = # import clan-core modules
{ imports = [
sternchen = nixosConfigurationSetup { clan-core.flakeModules.default
];
# Define your clan
clan = {
# Clan wide settings. (Required)
clanName = "gummybears"; # Ensure to choose a unique name.
specialArgs = meta.specialArgs;
machines = {
sternchen = clanSetup {
name = "sternchen"; name = "sternchen";
#host = "sternchen.secret"; #host = "sternchen.secure";
#host = "192.168.178.25"; host = "192.168.178.25";
host = "sternchen";
modules = [ modules = [
nixos-hardware.nixosModules.lenovo-thinkpad-x220 nixos-hardware.nixosModules.lenovo-thinkpad-x220
homeManagerModules homeManagerModules
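Review bot: `sopsModule` still forces `sops.defaultSopsFile` while its own `imports = [ sops-nix.nixosModules.sops ]` is now commented out, so the option only exists if something else — presumably clan-core's flake module, whose lock entry lists `sops-nix` among its inputs — imports sops-nix, and that dependency should be written down instead of left as a dead line, e.g. `# sops-nix module comes in via clan-core; importing it here as well would load it twice`. The lock now pins two copies of sops-nix (`sops-nix` under clan-core and `sops-nix_2` for the root input) and likewise two of disko, so two revisions of the same secrets module get fetched and have to be reviewed; if the root `sops-nix` input is still needed, tie it to clan-core's copy with `inputs.sops-nix.follows = "clan-core/sops-nix";`, otherwise drop it together with the `sops-nix` output argument. The same applies to the root `disko` input, whose only consumer `disko.nixosModules.disko` is commented out in the previous hunk.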
@ -335,76 +335,121 @@
}) })
]; ];
}; };
cream = nixosConfigurationSetup
{ cream = clanSetup {
name = "cream"; name = "cream";
modules = [ host = "cream.private";
nixos-hardware.nixosModules.framework-12th-gen-intel modules = [
retiolum.nixosModules.retiolum nixos-hardware.nixosModules.framework-12th-gen-intel
private_assets.nixosModules.cream retiolum.nixosModules.retiolum
homeManagerModules private_assets.nixosModules.cream
{ home-manager.users.mainUser.gui.enable = true; } homeManagerModules
{ { home-manager.users.mainUser.gui.enable = true; }
home-manager.users.mainUser = import ./nixos/homes/palo; {
home-manager.users.root = import ./nixos/homes/root; home-manager.users.mainUser = import ./nixos/homes/palo;
} home-manager.users.root = import ./nixos/homes/root;
]; }
}; ];
cherry = nixosConfigurationSetup };
{
name = "cherry"; cherry = clanSetup {
modules = [ name = "cherry";
nixos-hardware.nixosModules.framework-13th-gen-intel host = "cherry.private";
homeManagerModules modules = [
{ home-manager.users.mainUser.gui.enable = true; } nixos-hardware.nixosModules.framework-13th-gen-intel
{ homeManagerModules
home-manager.users.mainUser = import ./nixos/homes/palo; { home-manager.users.mainUser.gui.enable = true; }
home-manager.users.root = import ./nixos/homes/root; {
} home-manager.users.mainUser = import ./nixos/homes/palo;
]; home-manager.users.root = import ./nixos/homes/root;
}; }
chungus = nixosConfigurationSetup ];
{ };
name = "chungus";
modules = [ chungus = clanSetup {
homeManagerModules name = "chungus";
retiolum.nixosModules.retiolum host = "chungus.private";
private_assets.nixosModules.chungus modules = [
{ homeManagerModules
home-manager.users.mainUser = import ./nixos/homes/palo; retiolum.nixosModules.retiolum
home-manager.users.root = import ./nixos/homes/root; private_assets.nixosModules.chungus
} {
]; home-manager.users.mainUser = import ./nixos/homes/palo;
}; home-manager.users.root = import ./nixos/homes/root;
orbi = nixosConfigurationSetup }
{ ];
name = "orbi"; };
host = "95.216.66.212";
modules = [ orbi = clanSetup {
homeManagerModules name = "orbi";
srvos.nixosModules.hardware-hetzner-online-intel host = "orbi.private";
srvos.nixosModules.server # host = "95.216.66.212";
srvos.nixosModules.mixins-terminfo modules = [
#{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } homeManagerModules
{ srvos.nixosModules.hardware-hetzner-online-intel
home-manager.users.mainUser = import ./nixos/homes/palo; srvos.nixosModules.server
home-manager.users.root = import ./nixos/homes/root; srvos.nixosModules.mixins-terminfo
} { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
]; {
}; home-manager.users.mainUser = import ./nixos/homes/palo;
robi = nixosConfigurationSetup home-manager.users.root = import ./nixos/homes/root;
{ }
name = "robi"; ];
modules = [ };
homeManagerModules
#{ home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; } robi = clanSetup {
{ name = "robi";
home-manager.users.mainUser = import ./nixos/homes/palo; host = "robi.private";
home-manager.users.root = import ./nixos/homes/root; modules = [
} homeManagerModules
]; { home-manager.sharedModules = [{ programs.doom-emacs.enable = false; }]; }
}; {
home-manager.users.mainUser = import ./nixos/homes/palo;
home-manager.users.root = import ./nixos/homes/root;
}
];
};
}; };
};
};
});
} }
# devShells.${system}.default =
# pkgs.mkShell {
# buildInputs = [
# nixpkgs-fmt.defaultPackage.${system}
# nixos-anywhere.packages.${system}.nixos-anywhere
# ];
# };
#apps = nixinate.nixinate.x86_64-linux self;
# packages = with nixpkgs.lib; {
# ${system} =
# let
# vms = mapAttrs'
# (host: sys: {
# name = "vm-${host}";
# value = sys.config.system.build.vm;
# })
# self.nixosConfigurations;
# sds = mapAttrs'
# (host: sys: {
# name = "sd-${host}";
# value = sys.config.system.build.sdImage;
# })
# (filterAttrs
# (n: hasAttrByPath [ "config" "system" "build" "sdImage" ])
# self.nixosConfigurations);
# in
# vms // sds;
# };
# nixosConfigurations =
# };


@ -14,14 +14,7 @@ with lib;
config = mkIf config.components.yubikey.enable { config = mkIf config.components.yubikey.enable {
services.pcscd.enable = true; services.pcscd.enable = true;
services.udev.packages = [ services.udev.packages = [ pkgs.yubikey-personalization ];
pkgs.yubikey-personalization
# additional services, but I just want gpg
# pkgs.libu2f-host
];
environment.systemPackages = [ environment.systemPackages = [
@ -43,24 +36,26 @@ with lib;
]; ];
## managed by home-manager now
#environment.shellInit = ''
# export GPG_TTY="$(tty)"
# gpg-connect-agent /bye
# export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
#'';
#programs = {
# ssh.startAgent = false;
# gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
#};
## managed by home-manager now ## managed by home-manager now
#security.pam.u2f.enable = true; environment.shellInit = ''
#security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path; export GPG_TTY="$(tty)"
#sops.secrets.yubikey_u2fAuthFile = { }; gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
## managed by home-manager now
security.pam.u2f.enable = true;
security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
sops.secrets.yubikey_u2fAuthFile = { };
}; };
} }
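Review bot: The two `## managed by home-manager now` comments above the re-enabled `environment.shellInit`/`programs` block and above `security.pam.u2f.enable` now contradict the code beneath them, which this NixOS module activates itself; change them to e.g. `## gpg-agent serves as the SSH agent; moved back here from home-manager` and `## U2F login using the sops-provisioned auth file`, or delete them. `security.pam.u2f.authFile` reads `config.sops.secrets.yubikey_u2fAuthFile.path`, so every host with `components.yubikey.enable` must carry that key in its sops file and must have the sops-nix module imported from elsewhere — presumably a missing key surfaces at activation rather than at evaluation; a one-line comment stating both prerequisites next to `sops.secrets.yubikey_u2fAuthFile = { };` would spare the next debugging session. The enclosing `config = mkIf ...` block starts outside the hunk.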