Compare commits
2 commits
789131b422
...
fd80b9de3a
Author | SHA1 | Date | |
---|---|---|---|
|
fd80b9de3a | ||
|
88de00b897 |
17 changed files with 432 additions and 19 deletions
|
@ -1294,11 +1294,11 @@
|
|||
"secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1692771442,
|
||||
"narHash": "sha256-ZyPeoIoDGh4Sfgpcx0grNDVDXNDmR1YHgU1K3z4x2EE=",
|
||||
"lastModified": 1702824777,
|
||||
"narHash": "sha256-Lsa6g03o8Qd35C9I48WZ7GFB3c8nQyHgrI7oGseMV98=",
|
||||
"ref": "main",
|
||||
"rev": "0a13af540fe8fea07ca020be953b14923a80d25c",
|
||||
"revCount": 55,
|
||||
"rev": "fbe67abe5b5586d71f108a5214be28aeff49f4a3",
|
||||
"revCount": 60,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
|
||||
},
|
||||
|
|
10
flake.nix
10
flake.nix
|
@ -333,6 +333,16 @@
|
|||
{ home-manager.users.mainUser.gui.enable = true; }
|
||||
];
|
||||
};
|
||||
cherry = nixosConfigurationSetup {
|
||||
name = "cherry";
|
||||
modules = [
|
||||
nixos-hardware.nixosModules.framework-13th-gen-intel
|
||||
homeManagerModules
|
||||
# { home-manager.users.root = import ./nixos/homes/root; }
|
||||
{ home-manager.users.mainUser = import ./nixos/homes/palo; }
|
||||
{ home-manager.users.mainUser.gui.enable = true; }
|
||||
];
|
||||
};
|
||||
chungus = nixosConfigurationSetup {
|
||||
name = "chungus";
|
||||
modules = [
|
||||
|
|
|
@ -14,6 +14,7 @@ let
|
|||
pepe = "10.23.42.26";
|
||||
cream = "10.23.42.27";
|
||||
chungus = "10.23.42.28";
|
||||
cherry = "10.23.42.29";
|
||||
robi = "10.23.42.111";
|
||||
};
|
||||
subDomains = {
|
||||
|
@ -30,12 +31,6 @@ let
|
|||
"prowlarr.robi" = hosts.robi;
|
||||
"jellyseerr.robi" = hosts.robi;
|
||||
"unmanic.robi" = hosts.robi;
|
||||
# pepe
|
||||
"grafana.pepe" = hosts.pepe;
|
||||
"loki.pepe" = hosts.pepe;
|
||||
"prometheus.pepe" = hosts.pepe;
|
||||
"tdarr.pepe" = hosts.pepe;
|
||||
"tts.pepe" = hosts.pepe;
|
||||
# chungus
|
||||
"de.tts.chungus" = hosts.chungus;
|
||||
"en.tts.chungus" = hosts.chungus;
|
||||
|
@ -76,6 +71,10 @@ in
|
|||
subnets = [{ address = hosts.cream; }];
|
||||
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
|
||||
};
|
||||
cherry = {
|
||||
subnets = [{ address = hosts.cherry; }];
|
||||
settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
|
||||
};
|
||||
sterni = {
|
||||
subnets = [{ address = hosts.sterni; }];
|
||||
settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";
|
||||
|
|
|
@ -12,8 +12,6 @@ let
|
|||
~/Nextcloud/${folder} \
|
||||
"https://${user}:${password}@nextcloud.ingolf-wagner.de"
|
||||
'';
|
||||
|
||||
|
||||
in
|
||||
{
|
||||
home.packages = [
|
||||
|
|
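--- /dev/null
+++ b/nixos/machines/cherry/configuration.nix
@@ -0,0 +1,151 @@
+{ config, pkgs, lib, ... }:
+{
+
+  imports = [
+
+    ../../components
+    ../../system/desktop
+    ../../system/server/netdata.nix
+
+    ./disko-config.nix
+    ./hardware-configuration.nix
+
+    ./syncthing.nix
+    ./cups.nix
+    ./tinc.nix
+    #./tinc_retiolum.nix
+
+    ./qemu.nix
+    ./wireguard.nix
+
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
+
+
+  components.gui.enable = true;
+  components.mainUser.enable = true;
+  components.media.enable = true;
+  components.media.tts-client.enable = false;
+  components.network.enable = true;
+  components.network.wifi.enable = true;
+  components.terminal.enable = true;
+
+  home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
+
+  sops.secrets.yubikey_u2fAuthFile = { };
+
+  components.gui.taskwarrior.config = {
+    general = {
+      targets = [ "terranix" "my_github" ];
+      log_level = "INFO";
+      static_fields = [ "priority" ];
+      merge_annotations = false;
+    };
+    terranix = {
+      service = "github";
+      login = "mrVanDalo";
+      token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
+      username = "mrVanDalo";
+      default_priority = "";
+      description_template = "{{githubtitle}} {{githuburl}}";
+      add_tags = "github";
+      project_template = "terranix";
+      involved_issues = true;
+      query = "org:terranix is:open";
+      include_user_issues = false;
+      include_user_repos = false;
+    };
+    my_github = {
+      service = "github";
+      login = "mrVanDalo";
+      token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
+      username = "mrVanDalo";
+      description_template = "{{githubtitle}} {{githuburl}}";
+      add_tags = "github";
+      include_user_issues = true;
+      include_user_repos = true;
+      exclude_repos = [ "azubi" "csv-to-qif" "stepp0r" ];
+    };
+    # todo : add github issues
+  };
+
+
+  users.users.mainUser.extraGroups = [ "pipewire" ];
+
+  services.nginx.enable = true;
+
+  networking.hostName = "cherry";
+
+  # make sure battery is charged in a way to live for a long time
+  services.power-profiles-daemon.enable = false;
+  services.tlp = {
+    enable = true;
+    settings = {
+      CPU_BOOST_ON_BAT = 0;
+      CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
+      START_CHARGE_THRESH_BAT0 = 30;
+      STOP_CHARGE_THRESH_BAT0 = 85;
+      RUNTIME_PM_ON_BAT = "auto";
+    };
+  };
+
+  security.wrappers = {
+    pmount = {
+      source = "${pkgs.pmount}/bin/pmount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+    pumount = {
+      source = "${pkgs.pmount}/bin/pumount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+  };
+
+  programs.custom.steam.enable = true;
+  services.printing.enable = true;
+
+  # fonts
+  # -----
+  programs.custom.urxvt.fontSize = 16;
+  programs.custom.urxvt.fontType = "vector";
+  programs.custom.xterm.fontSize = 16;
+  # todo : add xterm fontType
+  # programs.custom.xterm.fontType = "vector";
+
+  virtualisation = {
+    docker.enable = true;
+    podman.enable = true;
+    virtualbox = {
+      host.enable = false;
+      guest.x11 = false;
+      guest.enable = false;
+    };
+  };
+
+  #services.xserver.desktopManager.gnome.enable = true;
+  #services.xserver.displayManager.lightdm.enable = false;
+  #services.xserver.displayManager.sddm.enable = true;
+
+  custom.samba-share = {
+    enable = false;
+    folders = {
+      share = "/home/share";
+      video = "/home/video-material";
+    };
+  };
+
+
+  # for congress and streaming
+  hardware.opengl = {
+    enable = true;
+  };
+
+  system.stateVersion = "23.11";
+
+}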
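Review bot: Both `docker.enable = true` and `podman.enable = true` are switched on in the `virtualisation` block, which runs a root Docker daemon next to podman on a roaming laptop; if docker is only wanted for CLI compatibility, `podman.dockerCompat = true;` with `docker.enable = false;` removes the daemon and the root-equivalent `docker` group entirely, and if the daemon really is needed, `virtualisation.docker.enableOnBoot = false;` keeps it socket-activated rather than always running. Separately, `services.nginx.enable = true;` has no virtualHosts in this file; unless another module configures it (not visible here), it is an unused root-started network service that could be dropped. The two bugwarrior `token` values are identical `@oracle:eval` lookups through pass, which keeps the GitHub token out of the world-readable Nix store — that is the right pattern and deserves a comment, e.g. `# token is resolved from pass at runtime; never inline the literal token here (it would land in /nix/store)`.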
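--- /dev/null
+++ b/nixos/machines/cherry/cups.nix
@@ -0,0 +1,16 @@
+{
+  hardware.printers.ensurePrinters = [
+    {
+      description = "Lexmark E350d";
+      deviceUri = "usb://Lexmark/E350d?serial=622Z9ZC";
+      location = "office";
+      name = "Lexmark_E350d";
+      model = "drv:///sample.drv/generic.ppd";
+      ppdOptions = {
+        job-sheets = "none, none";
+        media = "na_letter_8.5x11in";
+        sides = "one-sided";
+      };
+    }
+  ];
+}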
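--- /dev/null
+++ b/nixos/machines/cherry/disko-config.nix
@@ -0,0 +1,88 @@
+# nix run github:nix-community/disko -- --mode zap_create_mount ./disko-config.nix
+# nixos-generate-config --no-filesystems --root /mnt
+{ config, lib, ... }:
+{
+
+  boot.supportedFilesystems = [ "zfs" ];
+  # head -c4 /dev/urandom | od -A none -t x4
+  networking.hostId = "59e38471";
+  services.zfs.autoSnapshot.enable = true;
+
+  # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
+  # copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix
+  services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) ''
+    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
+  '';
+
+  disko.devices = {
+    disk = {
+      root = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            {
+              name = "ESP";
+              start = "0";
+              end = "500MiB";
+              bootable = true;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "defaults" ];
+              };
+            }
+            {
+              name = "zfs";
+              start = "500MiB";
+              end = "100%";
+              content = {
+                type = "luks";
+                name = "root";
+                settings.allowDiscards = true;
+                passwordFile = "/tmp/secret.key";
+                content = {
+                  type = "zfs";
+                  pool = "zroot";
+                };
+              };
+            }
+          ];
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        rootFsOptions = {
+          mountpoint = "none";
+          canmount = "off";
+          compression = "lz4";
+        };
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+            };
+          };
+          "store" = {
+            type = "zfs_fs";
+            mountpoint = "/nix/store";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+            };
+          };
+        };
+      };
+    };
+
+  };
+}
+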
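Review bot: `passwordFile = "/tmp/secret.key";` in the luks partition reads the LUKS passphrase from a world-readable directory during the `disko --mode zap_create_mount` run documented at the top, and nothing says who creates that file, with which mode, or that it must be removed afterwards; a comment above the line such as `# LUKS passphrase for the initial format only (not read at boot); create with umask 077 and shred after install` makes the contract explicit. `settings.allowDiscards = true` passes TRIM through dm-crypt, which lets anyone with the raw disk see which blocks are unused and infer filesystem layout — the usual SSD-longevity trade-off, but it should be a conscious one, e.g. `# allowDiscards leaks free-block layout through the encryption; accepted for SSD health`. Note also that the ESP (`/boot`, vfat) is outside LUKS, so kernel and initrd are unauthenticated at rest; if evil-maid resistance matters this needs Secure Boot tooling, which is beyond this commit but worth a one-line remark.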
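--- /dev/null
+++ b/nixos/machines/cherry/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s13f0u2c2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}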
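--- /dev/null
+++ b/nixos/machines/cherry/qemu.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+
+  virtualisation.libvirtd.enable = true;
+  #virtualisation.libvirtd.allowedBridges = ["virbr0"];
+  virtualisation.libvirtd.onShutdown = "shutdown";
+
+  environment.systemPackages = [
+    pkgs.qemu_kvm
+    (pkgs.quickemu.override { qemu = pkgs.qemu_kvm; })
+    pkgs.virt-manager
+  ];
+
+  users.users.mainUser.extraGroups = [ "libvirtd" ];
+
+}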
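Review bot: `users.users.mainUser.extraGroups = [ "libvirtd" ];` gives the main user full control of the system libvirt daemon (`qemu:///system`), which is effectively root: a VM definition can attach any host block device or file, so this line is a privilege grant and should be documented as one. If the VMs are only for desktop use, running them under the per-user `qemu:///session` URI avoids the group entirely; if system mode is needed, record the decision, e.g. `# libvirtd group is root-equivalent (arbitrary host device/file passthrough); accepted on this single-user laptop`. The commented-out `allowedBridges` line is fine to keep but should say why it is disabled rather than being left as archaeology.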
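--- /dev/null
+++ b/nixos/machines/cherry/syncthing.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }: {
+
+  #sops.secrets.syncthing_cert = { };
+  #sops.secrets.syncthing_key = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    #cert = toString config.sops.secrets.syncthing_cert.path;
+    #key = toString config.sops.secrets.syncthing_key.path;
+    overrideFolders = true;
+    settings.folders = {
+
+      # on encrypted drive
+      # ------------------
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
+      #private = {
+      # enable = true;
+      # path = "/home/palo/private";
+      #};
+      art = {
+        enable = true;
+        path = "/home/palo/art";
+      };
+      desktop = {
+        enable = true;
+        path = "/home/palo/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/home/palo/finance";
+      };
+
+      # no need to be encrypted
+      # -----------------------
+      books = {
+        enable = true;
+        path = "/home/palo/books";
+      };
+    };
+  };
+
+  services.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+
+  services.permown."/home/palo/finance" = {
+    owner = "palo";
+    group = "syncthing";
+  };
+}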
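Review bot: With `sops.secrets.syncthing_cert`/`syncthing_key` and the matching `cert`/`key` options commented out, the device identity is generated on first start under `/home/palo/.syncthing`, so any reinstall of cherry produces a new device ID that every peer must re-approve; if that is intentional, a comment above the commented lines should say so rather than leaving four dead lines. No `settings.devices` appear in this file while `overrideFolders = true` is set, so unless another module supplies the devices (not visible here) these folders — including `password-store` — are declared but shared with nobody; a pointer comment naming where the devices come from would prevent that surprise. The `permown` entries are also inconsistent: `finance` gets group `syncthing`, `music-library` (not a synced folder here) gets group `users`, and the other synced folders get nothing; that may be deliberate, but it reads like a partial migration and deserves an explanation.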
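--- /dev/null
+++ b/nixos/machines/cherry/tinc.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+
+  tinc.private.enable = true;
+  tinc.private.ipv4 = "10.23.42.29";
+
+  tinc.secret.enable = true;
+  tinc.secret.ipv4 = "10.123.42.29";
+
+}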
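--- /dev/null
+++ b/nixos/machines/cherry/tinc_retiolum.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  sops.secrets.tinc_retiolum_ed25519_key = { };
+  sops.secrets.tinc_retiolum_rsa_key = { };
+
+  networking.retiolum.port = 720;
+  networking.retiolum.nodename = "sol";
+
+  services.tinc.networks.retiolum = {
+    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
+    rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+  };
+}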
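Review bot: `networking.retiolum.nodename = "sol";` on a machine whose `networking.hostName` is `cherry` looks copied from another host; the file is currently not imported (`#./tinc_retiolum.nix` in configuration.nix), but the moment it is, this node would announce itself under the name `sol` with whatever keys cherry's sops file holds under `tinc_retiolum_*_key`, colliding with any real `sol` node. Either change it to `networking.retiolum.nodename = "cherry";` or add a comment explaining why `sol` is the registered name for this machine. The two `sops.secrets.tinc_retiolum_*_key` declarations also presume those entries exist in cherry's sops file; a short note next to them stating that prerequisite would save a failed activation later.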
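--- /dev/null
+++ b/nixos/machines/cherry/wireguard.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  sops.secrets.wireguard_private = { };
+
+  # Enable WireGuard
+  networking.wg-quick.interfaces = {
+    # Hub and Spoke Setup
+    # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+    wg0 = {
+      address = [ "10.100.0.7/32" ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;
+
+      peers = [
+        {
+          # robi
+          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
+          allowedIPs = [ "10.100.0.1/24" ];
+          endpoint = "ingolf-wagner.de:51820";
+        }
+      ];
+    };
+  };
+}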
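Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` together with the fixed `listenPort` opens an inbound WireGuard port on every network this laptop joins, yet a spoke that always initiates towards `endpoint = "ingolf-wagner.de:51820"` needs no inbound exposure — replies are matched by the firewall's established-connection rule, so both lines can go (or the rule can be limited to a trusted interface). WireGuard drops unauthenticated packets silently, so the risk is low, but the inline comment currently justifies the port by the firewall entry and the firewall entry by the port, which is circular. What a NAT-ed spoke in the linked hub-and-spoke guide does need, and which is missing here, is `persistentKeepalive = 25;` on the robi peer so the hub can reach 10.100.0.7 after the mapping expires. Finally, `allowedIPs = [ "10.100.0.1/24" ]` is accepted but non-canonical; write `"10.100.0.0/24"` so the entry reads as the network it actually routes.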
|
@ -138,7 +138,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
|
||||
# for congress and streaming
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
|
|
|
@ -7,9 +7,4 @@
|
|||
tinc.secret.enable = true;
|
||||
tinc.secret.ipv4 = "10.123.42.27";
|
||||
|
||||
# retiolum
|
||||
#networking.retiolum.port = 720;
|
||||
#sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
|
||||
|
||||
}
|
||||
|
|
|
@ -49,6 +49,11 @@
|
|||
publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
|
||||
allowedIPs = [ "10.100.0.6/32" ];
|
||||
}
|
||||
{
|
||||
# cherry
|
||||
publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k=";
|
||||
allowedIPs = [ "10.100.0.7/32" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
|
||||
# Machines should be fast by default
|
||||
# ----------------------------------
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
powerManagement.cpuFreqGovernor = lib.mkOverride 1001 "ondemand";
|
||||
|
||||
# set vim to the default editor
|
||||
# -----------------------------
|
||||
|
|