diff --git a/.sops.yaml b/.sops.yaml
index 8d529d7..bd46c74 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &cirrus age1qm70jkg7us4ft4x3nh7kwxlul022kteescjj83ywvjhysj6nsq5sw7l6p8
 - &dishwasher age1cxlskqynwl5njjm0qf363308dsjwxjq59rq7pn6ucpscpzpvry4qwtpx73
 - &nextcloud age1ds7zgenz9a664jqx5308m6q5mgtavzmelg239xsj8mdh64pmqa9qtkffmk
+ - &toaster age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
 creation_rules:
 - path_regex: secrets/microwave/[^/]+\.yaml$
 key_groups:
@@ -29,3 +30,9 @@ creation_rules:
 - *admin_oxa
 age:
 - *nextcloud
+ - path_regex: secrets/toaster/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *toaster
diff --git a/flake.nix b/flake.nix
index c85d967..a6a46f9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,7 +53,14 @@
 system = "x86_64-linux";
 specialArgs = { inherit inputs; };
 modules = [
+ sops-nix.nixosModules.sops
 ./hosts/toaster
+ ./modules/basic-tools.nix
+ ./modules/binary-caches.nix
+ ./modules/devtools.nix
+ ./modules/gnupg.nix
+ ./modules/sway.nix
+ ./modules/tlp.nix
 ];
 };
diff --git a/hosts/microwave/stateful-networking.nix b/hosts/microwave/stateful-networking.nix
index 1c89ae3..860c926 100644
--- a/hosts/microwave/stateful-networking.nix
+++ b/hosts/microwave/stateful-networking.nix
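Review bot: The `toaster` creation rule is keyed to a recipient whose origin is recorded nowhere in the file — the `&toaster` line added in the first hunk carries no comment, and neither do the existing entries — so at rotation time nobody can tell whether it is the host's ssh key converted with ssh-to-age or a user key kept somewhere else. A trailing comment on the new key line, `- &toaster age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk  # <placeholder: where the private half of this key lives>`, would settle that for this host. Note also that `path_regex` has no leading `^`, so like the microwave rule it matches `secrets/toaster/*.yaml` at any depth in the tree; that is consistent with the rest of the file, but if only the top-level directory is meant, `path_regex: ^secrets/toaster/[^/]+\.yaml$` is the tighter form.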
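Review bot: `sops-nix.nixosModules.sops` is now imported for toaster, but none of the host files this commit adds (default.nix, zfs.nix, network.nix) set `sops.defaultSopsFile` or a key source (`sops.age.keyFile` / `sops.age.sshKeyPaths`), and nothing in those files enables openssh, so as far as this diff shows the module has nothing to decrypt and no key to decrypt it with. If the intent is to consume the `secrets/toaster/*.yaml` files the new .sops.yaml rule covers, those two options need to land in one of the toaster host files, otherwise the import is inert. The seven-entry module list presumably mirrors the one used by the other hosts; if it does, lifting it into a shared list in the flake would keep the hosts from drifting apart as modules are added.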
@@ -9,18 +9,18 @@
 };
 # fix networkmanager wireguard
- networking.firewall = {
- # if packets are still dropped, they will show up in dmesg
- logReversePathDrops = true;
- # wireguard trips rpfilter up
- extraCommands = ''
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
- ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
- '';
- extraStopCommands = ''
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
- ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
- '';
+ networking.firewall = {
+ # if packets are still dropped, they will show up in dmesg
+ logReversePathDrops = true;
+ # wireguard trips rpfilter up
+ extraCommands = ''
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+ '';
+ extraStopCommands = ''
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+ '';
 };
 services.resolved = {
diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
new file mode 100644
index 0000000..50442f4
--- /dev/null
+++ b/hosts/toaster/default.nix
@@ -0,0 +1,47 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./zfs.nix
+ ./network.nix
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Amsterdam";
+
+ # Select internationalisation properties.
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [ "all" ];
+ };
+
+ users.users.grue = {
+ extraGroups = [
+ "wheel"
+ "video"
+ "plugdev"
+ "dialout"
+ "bluetooth"
+ ];
+ group = "users";
+ home = "/home/grue";
+ isNormalUser = true;
+ uid = 1000;
+ };
+
+
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/hosts/toaster/hardware-configuration.nix b/hosts/toaster/hardware-configuration.nix
new file mode 100644
index 0000000..94a2433
--- /dev/null
+++ b/hosts/toaster/hardware-configuration.nix
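Review bot: `users.users.grue` is placed in `wheel` (plus `dialout` and `plugdev`, which hand out raw serial and USB device access) but no password source is declared for the account anywhere in this commit, so the sudo-capable login depends on whatever gets set interactively after install and `users.mutableUsers` is left at its default. With sops-nix now wired in for this host, `users.users.grue.hashedPasswordFile = config.sops.secrets."<constructed: grue-password>".path;` (spelled `passwordFile` on nixpkgs older than 23.11) together with `users.mutableUsers = false;` would make the credential declarative and keep it out of the imperative shadow file; the module would then need `config` in its argument set instead of `{ ... }:`. Minor: the three blank lines after the user block and the `# Select internationalisation properties.` / `# Set your time zone.` lines are template leftovers that say nothing the code does not.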
@@ -0,0 +1,91 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "toasterpool/nixos/root";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/nix" =
+ {
+ device = "toasterpool/nixos/nix";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var" =
+ {
+ device = "toasterpool/userdata/var";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var/lib" =
+ {
+ device = "toasterpool/userdata/var/lib";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var/log" =
+ {
+ device = "toasterpool/userdata/var/log";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/home" =
+ {
+ device = "toasterpool/userdata/home";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/home/grue" =
+ {
+ device = "toasterpool/userdata/home/grue";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/7663-6239";
+ fsType = "vfat";
+ options = [ "X-mount.mkdir" ];
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/disk/by-id/nvme-eui.ace42e002621ff2b2ee4ac0000000001-part2";
+ randomEncryption = true;
+ }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+ #networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+ networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/toaster/network.nix b/hosts/toaster/network.nix
new file mode 100644
index 0000000..239ee0e
--- /dev/null
+++ b/hosts/toaster/network.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, ... }: {
+ environment.systemPackages = with pkgs; [ iwgtk ];
+
+ networking = {
+ hostName = "toaster";
+ firewall.enable = true;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ wireguard.enable = true;
+ wireless.iwd.enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ };
+
+ # workaround for networkd waiting for shit
+ systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+ "" # clear old command
+ "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+ ];
+
+ systemd.network = {
+ enable = true;
+
+ # wait-online.ignoredInterfaces = [ "wlan0" "enp53s0" ];
+
+ # Interfaces on the machine
+ netdevs."10-james" = {
+ netdevConfig = {
+ Name = "james";
+ Kind = "bond";
+ };
+ bondConfig = {
+ Mode = "active-backup";
+ PrimaryReselectPolicy = "always";
+ MIIMonitorSec = "1s";
+ };
+ };
+ networks."10-ether-bond" = {
+ matchConfig.MACAddress = "e8:80:88:2f:c6:70";
+ networkConfig = {
+ Bond = "james";
+ PrimarySlave = true;
+ };
+ };
+ networks."10-wlan-bond" = {
+ matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
+ networkConfig = {
+ Bond = "james";
+ };
+ };
+ networks."10-james-bond" = {
+ matchConfig.Name = "james";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ };
+ };
+ };
+}
diff --git a/hosts/toaster/zfs.nix b/hosts/toaster/zfs.nix
new file mode 100644
index 0000000..a7e9d7a
--- /dev/null
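Review bot: hardware-configuration.nix in this same commit still enables DHCP on `enp1s0f0` and `wlan0` individually (`networking.interfaces.<name>.useDHCP = lib.mkDefault true`), while this file enslaves both interfaces to the `james` bond by MAC; with `useNetworkd = true` NixOS renders those per-interface options into their own `.network` units, so each physical interface is now matched by two units and networkd applies only the first one in sort order. I believe the generated units are named `40-<iface>.network` and therefore lose to the `10-*` units here, which means the bond works, but by ordering luck rather than by stated configuration. Overriding the `mkDefault` values in this file makes the intent explicit: `networking.useDHCP = false; networking.interfaces.enp1s0f0.useDHCP = false; networking.interfaces.wlan0.useDHCP = false;`. On `services.resolved`, `dnssec = "allow-downgrade"` accepts unvalidated answers whenever validation fails, which is a reasonable trade on a roaming laptop but deserves a one-line comment saying the downgrade is deliberate, and the commented-out `wait-online.ignoredInterfaces` line is dead config that should be removed or explained.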
+++ b/hosts/toaster/zfs.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }: {
+ services.fstrim.enable = true;
+ services.zfs = {
+ autoSnapshot.enable = true;
+ trim.enable = true;
+ autoScrub = {
+ enable = true;
+ pools = [ "toasterpool" ];
+ };
+ };
+ networking.hostId = "dca22577";
+ boot = {
+ kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages;
+ supportedFilesystems = [ "zfs" ];
+ kernelParams = [ "nohibernate" ];
+ plymouth.enable = false;
+ tmpOnTmpfs = true;
+ };
+}
diff --git a/modules/devtools.nix b/modules/devtools.nix
index 4ef3e9f..0922f74 100644
--- a/modules/devtools.nix
+++ b/modules/devtools.nix
@@ -8,7 +8,7 @@
 clang
 clang-tools
 direnv
- (nix-direnv.override { enableFlakes = true; })
+ (nix-direnv.override { enableFlakes = true; })
 # rust
 (inputs.fenix.packages."x86_64-linux".complete.toolchain)
 # nix
diff --git a/modules/sway.nix b/modules/sway.nix
index af4073f..9268edb 100644
--- a/modules/sway.nix
+++ b/modules/sway.nix
@@ -8,6 +8,8 @@
 screen-message
 qbittorrent
 dino
+ tdesktop
+ signal-desktop
 gajim
 imv
 swayimg
@@ -23,7 +25,7 @@
 foot
 qt5.qtwayland
 bashmount
- (xfce.thunar.override { thunarPlugins = with xfce; [ thunar-volman thunar-archive-plugin ];})
+ (xfce.thunar.override { thunarPlugins = with xfce; [ thunar-volman thunar-archive-plugin ]; })
 ]; #on the desktop, we need nice fonts ^^
diff --git a/pkgs/imhex.nix b/pkgs/imhex.nix
index 510f91c..164649d 100644
--- a/pkgs/imhex.nix
+++ b/pkgs/imhex.nix
@@ -1,16 +1,16 @@
 { stdenv, lib, cmake, openssl, pkgconfig, wrapQtAppsHook, fetchFromGithub }:
- stdenv.mkDerivation rec {
- pname = "imhex";
- version = "1.24.3";
+stdenv.mkDerivation rec {
+ pname = "imhex";
+ version = "1.24.3";
- src = fetchFromGithub {
- owner = "WerWolv";
- repo = "ImHex";
- rev = "v${version}";
- sha256 = lib.fakeSha256;
- };
+ src = fetchFromGithub {
+ owner = "WerWolv";
+ repo = "ImHex";
+ rev = "v${version}";
+ sha256 = lib.fakeSha256;
+ };
 nativeBuildInputs = [ cmake ];
- }
+}
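Review bot: `boot.tmpOnTmpfs` was, I believe, renamed to `boot.tmp.useTmpfs` in NixOS 23.05 — the release this host's `system.stateVersion` targets — so the line only works through the deprecation alias and will warn on every build; `tmp.useTmpfs = true;` inside the `boot` block is the current spelling. Two lines deserve a comment rather than a change: `kernelParams = [ "nohibernate" ]` is required by the `randomEncryption = true` swap in hardware-configuration.nix (a hibernation image written to randomly keyed swap could never be resumed, so disabling it closes that failure mode), and `autoSnapshot.enable` as far as I recall only snapshots datasets carrying the `com.sun:auto-snapshot` property, which nothing in this commit sets, so it may be a no-op unless the property was set at pool creation. `config` in the argument set is unused.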
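Review bot: The re-indented derivation still cannot evaluate: nixpkgs exposes the fetcher as `fetchFromGitHub`, and the argument here is spelled `fetchFromGithub`, which `callPackage` will not be able to supply. `sha256 = lib.fakeSha256` is also still committed, so even with the name fixed the source is not pinned by content hash — using the fake hash to let the first build print the real one is the normal workflow, but the real value should replace it before the file is merged, otherwise the package is both unbuildable and unpinned. `openssl`, `pkgconfig` and `wrapQtAppsHook` are taken as arguments but never used (and `pkgconfig` is the deprecated alias of `pkg-config`), so either drop them or add the `buildInputs` they were presumably meant for.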