diff --git a/README.md b/README.md index d55c001..373e02b 100644 --- a/README.md +++ b/README.md @@ -10,3 +10,9 @@ to deploy the infrastructure, this can be accessed running `nix develop`. [Flux]: https://github.com/fluxcd/flux2 [colmena]: https://colmena.cli.rs/unstable/ + +## Inspired by the following repos +* +* +* +* diff --git a/flake.lock b/flake.lock index 297ba20..118d301 100644 --- a/flake.lock +++ b/flake.lock @@ -123,6 +123,39 @@ } }, "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1683505101, + "narHash": "sha256-VBU64Jfu2V4sUR5+tuQS9erBRAe/QEYUxdVMcJGMZZs=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7b5bd9e5acb2bb0cfba2d65f34d8568a894cdb6c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { "flake": false, "locked": { "lastModified": 1670284777, @@ -158,9 +191,9 @@ "inputs": { "alejandra": "alejandra", "all-cabal-json": "all-cabal-json", - "crane": "crane", + "crane": "crane_2", "devshell": "devshell", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "flake-utils-pre-commit": "flake-utils-pre-commit", "ghc-utils": "ghc-utils", "gomod2nix": "gomod2nix", @@ -268,11 +301,11 @@ "flake-compat_3": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { 
@@ -284,11 +317,11 @@ "flake-compat_4": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", "type": "github" }, "original": { @@ -298,6 +331,22 @@ } }, "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, @@ -313,6 +362,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1683560683, + "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, @@ -379,6 +449,24 @@ } }, "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", 
@@ -393,7 +481,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "locked": { "lastModified": 1678901627, "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", @@ -407,9 +495,9 @@ "type": "indirect" } }, - "flake-utils_5": { + "flake-utils_6": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -458,6 +546,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "nixvim", @@ -515,6 +625,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1685349926, + "narHash": "sha256-c1rKI1glJWdJIPefp9aiyhAkEZ4Sc6Rh/J5VumEXu1M=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "2e62c11babeead4b26efbb7f2cd4488baaa2e897", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "lowdown-src": { "flake": false, "locked": { @@ -549,7 +685,7 @@ "mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "nixpkgs" ], 
@@ -781,6 +917,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1680668850, @@ -799,11 +951,11 @@ }, "nixpkgs_22-11": { "locked": { - "lastModified": 1685043448, - "narHash": "sha256-U3BwyDc2OzBcZ8tD09qXibyivgOtOQFTFCVgFyJ+6MM=", + "lastModified": 1685314633, + "narHash": "sha256-8LXBPqTQXl5ofkjpJ18JcbmLJ/lWDoMxtUwiDYv0wro=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9886352ec9ab3945896ee8a4185e961fe29df209", + "rev": "c8a17ce7abc03c50cd072e9e6c9b389c5f61836b", "type": "github" }, "original": { @@ -815,11 +967,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1685168767, - "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=", + "lastModified": 1685290091, + "narHash": "sha256-GGQYNZ7POoqPTtXgPOLUuSiHkOKFRWYpCoWUOSeSRoU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262", + "rev": "4e37b4e55b60fb7d43d2b62deb51032a489bcbe8", "type": "github" }, "original": { @@ -831,11 +983,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1684754342, - "narHash": "sha256-plGnjnbnPLoZCTdQX21oT7xliQhFtgcWlkuDHgtEb1o=", + "lastModified": 1685168767, + "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7084250df3d7f9735087d3234407f3c1fc2400e3", + "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262", "type": "github" }, "original": { 
@@ -926,16 +1078,16 @@ "nixvim": { "inputs": { "beautysh": "beautysh", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_4", "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1685138650, - "narHash": "sha256-1tNM1vxFCX2S1hi/baivwuMPLZ8tAp/jhQl+KOykDws=", + "lastModified": 1685357461, + "narHash": "sha256-UUOEz2VGMc8giiaDF7lpq7ol7bx71mqepRFu2lBzNF8=", "owner": "pta2002", "repo": "nixvim", - "rev": "246f811084886285696a96cdfc45f416af633449", + "rev": "3f08cff1d0c2a45e5bf0448a074c5bcc152cf2c5", "type": "github" }, "original": { @@ -946,11 +1098,11 @@ }, "nur": { "locked": { - "lastModified": 1685263548, - "narHash": "sha256-qljNXIQePMRWr0yhQP16C/rBPSjzqcF38Y2ad4/KnXQ=", + "lastModified": 1685367958, + "narHash": "sha256-7KqC9OKOfQPkwLVh8E+rAOPQ/yEzw82GcUYS4/V9v6g=", "owner": "nix-community", "repo": "NUR", - "rev": "5e934ff2c9502937ebd39cff1aeebe7e60126c45", + "rev": "95e05399f4527fdde06cd151780324fb4f05ac9e", "type": "github" }, "original": { 
@@ -1005,21 +1157,52 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_3", - "gitignore": "gitignore", + "flake-compat": "flake-compat_5", + "flake-utils": "flake-utils_4", + "gitignore": "gitignore_2", "nixpkgs": [ "nixvim", "nixpkgs" ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1684842236, + "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "61e567d6497bc9556f391faebe5e410e6623217f", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1684763926, - "narHash": "sha256-1pSTzogoCmZc7JB3VrFFgFoj5lNXIIWwkVReFVMHDT8=", + "lastModified": 1682596858, + "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "df448ffc5d244f52261d05894c5a96af7f3758a1", + "rev": "fb58866e20af98779017134319b5663b8215d912", "type": "github" }, "original": { @@ -1080,6 +1263,7 @@ "colmena": "colmena", "comma": "comma", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "mailserver": "mailserver", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", 
@@ -1127,6 +1311,31 @@ "type": "github" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684030847, + "narHash": "sha256-z4tOxaN9Cl8C80u6wyZBpPt9A9MbL21fZ3zdB/vG+AU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "aa1480f16bec7dda3c62b8cdb184c7e823331ba2", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1669735802, @@ -1173,6 +1382,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1678901627, @@ -1220,8 +1444,8 @@ }, "vault-secrets": { "inputs": { - "flake-compat": "flake-compat_5", - "flake-utils": "flake-utils_4", + "flake-compat": "flake-compat_6", + "flake-utils": "flake-utils_5", "nix": "nix", "nixpkgs": "nixpkgs_7" }, @@ -1241,7 +1465,7 @@ }, "vault-unseal": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": "nixpkgs_8" }, "locked": { diff --git a/flake.nix b/flake.nix index 9edbb12..4c581b0 100644 --- a/flake.nix +++ b/flake.nix @@ -1,10 +1,6 @@ { description = "0x76's infrastructure"; - # Based on: - # * https://github.com/serokell/pegasus-infra/blob/master/flake.nix - # * https://git.voidcorp.nl/j00lz/nixos-configs/src/branch/main/flake.nix - # For minecraft use: # * https://github.com/Infinidoge/nix-minecraft 
@@ -38,6 +34,13 @@ nixos-hardware.url = "github:toastal/nixos-hardware/z-series-no-hidpi"; + lanzaboote = { + url = "github:nix-community/lanzaboote"; + + # Optional but recommended to limit the size of your system closure. + inputs.nixpkgs.follows = "nixpkgs"; + }; + vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git"; }; @@ -101,11 +104,19 @@ default = colmena.packages.${system}.colmena; proxmox-lxc = nixos-generators.nixosGenerate { - inherit pkgs; + inherit system pkgs specialArgs; format = "proxmox-lxc"; modules = util.base_imports ++ [ (import ./nixos/templates/proxmox-lxc.nix) ]; }; + + # Broken + # proxmox-vm = nixos-generators.nixosGenerate { + # inherit system pkgs specialArgs; + # format = "proxmox"; + # modules = util.base_imports + # ++ [ (import ./nixos/templates/proxmox-vm.nix) ]; + # }; }; # Use by running `nix develop` diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index bd0c9c1..f49f8dd 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:35.102.10 + image: renovate/renovate:35.105.2 volumeMounts: - name: config-volume mountPath: /opt/renovate/ diff --git a/nixos/common/common.nix b/nixos/common/common.nix deleted file mode 100644 index 7a34a8a..0000000 --- a/nixos/common/common.nix +++ /dev/null 
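Review bot: The new `lanzaboote` input is declared as `url = "github:nix-community/lanzaboote";` with no ref, so it tracks the repository's default branch and every `nix flake update` moves the tool that builds and signs the Secure Boot chain to whatever is at the tip. Pinning a release, `url = "github:nix-community/lanzaboote/<release-tag>";`, keeps upgrades of the boot-signing path deliberate and reviewable; the lock file records the exact rev either way. The `# Broken` `proxmox-vm` block in the later `flake.nix` hunk would also be easier to revisit with a one-line note of what actually fails instead of the bare word.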
@@ -1,82 +0,0 @@ -{ config, lib, pkgs, ... }: { - imports = [ ./users ./modules ]; - - # Clean /tmp on boot. - boot.tmp.cleanOnBoot = true; - - # Set your time zone. - time.timeZone = lib.mkDefault "Europe/Amsterdam"; - - # Systemd OOMd - # Fedora enables these options by default. See the 10-oomd-* files here: - # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255 - systemd.oomd = { - enableRootSlice = true; - enableUserServices = true; - }; - - # Nix Settings - nix = { - package = pkgs.nixUnstable; - settings = { - auto-optimise-store = true; - trusted-users = [ "root" "victor" ]; - substituters = [ - "https://cachix.cachix.org" - "https://nix-community.cachix.org" - "https://nixpkgs-review-bot.cachix.org" - "https://colmena.cachix.org" - "https://cache.garnix.io" - "https://0x76-infra.cachix.org" - "https://webcord.cachix.org" - ]; - trusted-public-keys = [ - "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" - "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - "0x76-infra.cachix.org-1:dC1qp+VEN3jj5pdK4URlXR9hf3atT+MnpKGu6PZjMc8=" - "webcord.cachix.org-1:l555jqOZGHd2C9+vS8ccdh8FhqnGe8L78QrHNn+EFEs=" - ]; - }; - optimise = { - automatic = true; - dates = [ "weekly" ]; - }; - gc = { - automatic = true; - dates = "weekly"; - randomizedDelaySec = "3h"; - options = "--delete-older-than 7d"; - }; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - nixpkgs.config.allowUnfree = true; - - nixpkgs.config.permittedInsecurePackages = [ - "nodejs-14.21.3" - "openssl-1.1.1t" - "nodejs-16.20.0" - ]; - - - # Limit the systemd journal to 100 MB of disk or the - # last 7 days of logs, whichever happens first. 
- services.journald.extraConfig = '' - SystemMaxUse=100M - MaxFileSec=7day - ''; - - # Enable SSH - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = lib.mkDefault false; - PermitRootLogin = lib.mkDefault "no"; - }; - }; -} diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 7d08263..f07a0f8 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -1,13 +1,6 @@ -{ inputs, lib, config, ... }: { - # This file deals with everything requiring `inputs`, the rest being delagated to `common.nix` - # this is because we can't import inputs from all contexts as that can lead to infinite recursion. - imports = [ ./common.nix inputs.vault-secrets.nixosModules.vault-secrets ]; - - nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; - nix.registry.nixpkgs.flake = inputs.nixpkgs; - - home-manager.sharedModules = - [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ]; +{ lib, pkgs, inputs, config, ... }: { + imports = + [ ./users ./modules inputs.vault-secrets.nixosModules.vault-secrets ]; vault-secrets = let inherit (config.networking) domain hostName; 
@@ -17,4 +10,99 @@ vaultAddress = "http://${server}.${domain}:8200/"; approlePrefix = "${domain}-${hostName}"; }; + + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs; }; + sharedModules = [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ]; + }; + + # Clean /tmp on boot. + boot.tmp.cleanOnBoot = true; + + # Set your time zone. + time.timeZone = lib.mkDefault "Europe/Amsterdam"; + + # Systemd OOMd + # Fedora enables these options by default. See the 10-oomd-* files here: + # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255 + systemd.oomd = { + enableRootSlice = true; + enableUserServices = true; + }; + + # Nix Settings + nix = { + registry.nixpkgs.flake = inputs.nixpkgs; + nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; + package = pkgs.nixUnstable; + settings = { + auto-optimise-store = true; + trusted-users = [ "root" "victor" ]; + substituters = [ + "https://cachix.cachix.org" + "https://nix-community.cachix.org" + "https://nixpkgs-review-bot.cachix.org" + "https://colmena.cachix.org" + "https://cache.garnix.io" + "https://0x76-infra.cachix.org" + "https://webcord.cachix.org" + ]; + trusted-public-keys = [ + "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" + "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + "0x76-infra.cachix.org-1:dC1qp+VEN3jj5pdK4URlXR9hf3atT+MnpKGu6PZjMc8=" + "webcord.cachix.org-1:l555jqOZGHd2C9+vS8ccdh8FhqnGe8L78QrHNn+EFEs=" + ]; + }; + optimise = { + automatic = true; + dates = [ "weekly" ]; + }; + gc = { + automatic = true; + dates = "weekly"; + randomizedDelaySec = "3h"; + options = "--delete-older-than 7d"; + }; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + 
nixpkgs.config.allowUnfree = true; + + nixpkgs.config.permittedInsecurePackages = + [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ]; + + # Limit the systemd journal to 100 MB of disk or the + # last 7 days of logs, whichever happens first. + services.journald.extraConfig = '' + SystemMaxUse=100M + MaxFileSec=7day + ''; + + # Enable SSH + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = lib.mkDefault false; + PermitRootLogin = lib.mkDefault "no"; + }; + }; + + # Debloat + documentation = { + enable = lib.mkForce false; + doc.enable = lib.mkForce false; + man.enable = lib.mkForce false; + info.enable = lib.mkForce false; + nixos.enable = lib.mkForce false; + }; + + system.disableInstallerTools = lib.mkDefault true; } diff --git a/nixos/common/desktop/default.nix b/nixos/common/desktop/default.nix index 49a2d90..73d5bd3 100644 --- a/nixos/common/desktop/default.nix +++ b/nixos/common/desktop/default.nix @@ -1,9 +1,9 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, inputs, ... }: { # Bootloader. boot = { kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; loader = { - systemd-boot.enable = true; + systemd-boot.enable = lib.mkDefault true; efi.canTouchEfiVariables = true; efi.efiSysMountPoint = "/boot/efi"; }; @@ -15,6 +15,12 @@ }; hardware.keyboard.qmk.enable = true; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users.victor = import ./home.nix; + extraSpecialArgs = { inherit inputs; }; + }; # Enable my config for the gnome desktop environment services.v.gnome.enable = true; @@ -40,7 +46,9 @@ services.printing.enable = true; # Global Packages - environment.systemPackages = with pkgs; [ wireguard-tools ]; + environment = { + systemPackages = with pkgs; [ wireguard-tools sbctl ]; + }; # Enable sound with pipewire. sound.enable = true; 
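Review bot: `nixpkgs.config.permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ];` now applies to every host that imports `../common` (via this diff that includes the proxmox-lxc template), and nothing records which package still needs each end-of-life exception, so there is no trigger for retiring them. A comment per entry naming the consumer, e.g. `# openssl-1.1.1t: needed by <package>; remove once it is dropped`, makes the allow-list auditable. The SSH settings further down (`PasswordAuthentication`, `PermitRootLogin`) are `lib.mkDefault`, which is presumably intentional so a host can override them, but a one-line comment saying so would stop a reader from "fixing" it to a hard value. The enclosing module starts before this hunk.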
@@ -85,6 +93,7 @@ remotePlay.openFirewall = true; }; + programs.adb.enable = true; # Networking networking.networkmanager.enable = true; networking.firewall.checkReversePath = false; diff --git a/nixos/common/desktop/home.nix b/nixos/common/desktop/home.nix index b36249d..858afda 100644 --- a/nixos/common/desktop/home.nix +++ b/nixos/common/desktop/home.nix @@ -7,6 +7,7 @@ let my-python-packages = ps: with ps; [ pandas requests numpy ]; in { home.packages = with pkgs; [ + (python3.withPackages my-python-packages) btop calibre celluloid @@ -17,13 +18,11 @@ in { gimp inputs.comma.packages.${pkgs.system}.default inputs.webcord.packages.${pkgs.system}.default - # jetbrains.clion kdenlive mullvad-vpn neofetch nixfmt nixpkgs-review - (python3.withPackages my-python-packages) plex-media-player rustup solo2-cli @@ -35,7 +34,6 @@ in { # Enable my own hm modules themes.v.catppuccin.enable = true; - programs.v.nvim.enable = true; programs.v.vscode.enable = true; programs.riff = { @@ -56,22 +54,21 @@ in { userName = "Victor"; userEmail = "victor@xirion.net"; lfs.enable = true; - # delta.enable = true; extraConfig = { push.autoSetupRemote = true; init.defaultBranch = "main"; }; - }; - programs.tmux = { - enable = true; - shortcut = "b"; - terminal = "screen-256color"; - clock24 = true; + difftastic.enable = true; }; programs.firefox.enable = true; + programs.chromium = { + enable = true; + package = pkgs.ungoogled-chromium; + }; + programs.direnv = { enable = true; nix-direnv.enable = true; diff --git a/nixos/common/hm-modules/nvim.nix b/nixos/common/hm-modules/nvim.nix index b2a96e3..4818d83 100644 --- a/nixos/common/hm-modules/nvim.nix +++ b/nixos/common/hm-modules/nvim.nix 
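Review bot: `programs.adb.enable = true;` installs the udev rules and creates the `adbusers` group, but a user only gets device access once it is a member of that group, and the `extraGroups` list in the `nixos/common/users/victor.nix` hunk of this diff (`systemd-journal wheel networkmanager libvirtd dialout`) does not include it — confirm it is added somewhere, otherwise the option is inert for the intended user. The line is also dropped between the Steam block and the `# Networking` comment with no heading of its own; `# Android debugging over USB` above it would match the surrounding style.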
@@ -11,11 +11,16 @@ in { globals = { mapleader = " "; }; + options = { number = true; }; + maps.normal = { "ff" = "lua require('telescope.builtin').find_files()"; "fg" = "lua require('telescope.builtin').live_grep()"; + "" = "lua require('Comment.api').toggle.linewise.current()"; # map ctrl+/ to commenting code + + "g=" = "lua vim.lsp.buf.format{async=true}"; }; extraPlugins = with pkgs.vimPlugins; [ catppuccin-nvim luasnip ]; @@ -26,6 +31,19 @@ in { plugins = { bufferline.enable = true; + null-ls = { + enable = true; + sources = { + formatting.nixpkgs_fmt.enable = true; + code_actions.shellcheck.enable = true; + code_actions.statix.enable = true; + diagnostics = { + statix.enable = true; + deadnix.enable = true; + shellcheck.enable = true; + }; + }; + }; nix.enable = true; treesitter = { enable = true; @@ -47,8 +65,8 @@ in { comment-nvim = { enable = true; }; lsp = { enable = true; + servers.nil_ls.enable = true; servers.rust-analyzer.enable = true; - servers.rnix-lsp.enable = true; servers.pyright.enable = true; servers.elixirls.enable = true; servers.clangd.enable = true; diff --git a/nixos/common/users/default.nix b/nixos/common/users/default.nix index 674a6d7..bf0253f 100644 --- a/nixos/common/users/default.nix +++ b/nixos/common/users/default.nix @@ -23,6 +23,8 @@ programs.neovim = { enable = true; viAlias = true; + vimAlias = true; + defaultEditor = true; }; # Disable sudo prompt for `wheel` users. diff --git a/nixos/common/users/victor.nix b/nixos/common/users/victor.nix index 3718bdc..5147733 100644 --- a/nixos/common/users/victor.nix +++ b/nixos/common/users/victor.nix 
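Review bot: In `maps.normal` the new comment-toggle entry reads `"" = "lua require('Comment.api').toggle.linewise.current()";` — an empty key, which binds nothing; the trailing comment says it should be Ctrl+/, so the intended key (likely `<C-_>`, which is what terminals send for Ctrl+/) seems to have been lost and should be checked in the committed file. The `"g="` mapping and `options = { number = true; };` are fine. Swapping `rnix-lsp` for `nil_ls` in the last hunk is a good move, as the rnix-lsp repository has been archived upstream.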
@@ -21,4 +21,21 @@ extraGroups = [ "systemd-journal" "wheel" "networkmanager" "libvirtd" "dialout" ]; }; + + home-manager.users.victor = { + programs.home-manager.enable = true; + + home.username = "victor"; + home.homeDirectory = "/home/victor"; + home.stateVersion = "23.05"; + + programs.v.nvim.enable = true; + + programs.tmux = { + enable = true; + shortcut = "b"; + terminal = "screen-256color"; + clock24 = true; + }; + }; } diff --git a/nixos/hosts/hades/default.nix b/nixos/hosts/hades/default.nix index 7670659..6945a4e 100644 --- a/nixos/hosts/hades/default.nix +++ b/nixos/hosts/hades/default.nix @@ -136,19 +136,19 @@ mac = "12:fa:24:02:65:e6"; nix = false; }; - "docker-registry-proxy" = { - ip = "192.168.0.128"; - mac = "0e:11:65:62:66:9f"; - }; + # "docker-registry-proxy" = { + # ip = "192.168.0.128"; + # mac = "0e:11:65:62:66:9f"; + # }; "hassio" = { ip = "192.168.0.129"; mac = "e6:80:32:fb:00:75"; nix = false; }; - "docker-registry" = { - ip = "192.168.0.130"; - mac = "5e:0e:a6:cf:64:70"; - }; + # "docker-registry" = { + # ip = "192.168.0.130"; + # mac = "5e:0e:a6:cf:64:70"; + # }; "minecraft" = { ip = "192.168.0.131"; mac = "00:0c:29:9b:e1:c4"; diff --git a/nixos/hosts/hades/dns/configuration.nix b/nixos/hosts/hades/dns/configuration.nix index 2294810..3e7e897 100644 --- a/nixos/hosts/hades/dns/configuration.nix +++ b/nixos/hosts/hades/dns/configuration.nix @@ -17,4 +17,22 @@ openFirewall = true; mode = "server"; }; + + services.unbound.settings.server = { + local-zone = [ + "xirion.net typetransparent" + "hades.xirion.net typetransparent" + "requests.xirion.net typetransparent" + "ha.xirion.net typetransparent" + "mail.xirion.net typetransparent" + ]; + + local-data = [ + ''"xirion.net A 192.168.0.122"'' + ''"hades.xirion.net A 192.168.0.122"'' + ''"requests.xirion.net A 192.168.0.122"'' + ''"ha.xirion.net A 192.168.0.122"'' + ''"mail.xirion.net A 192.168.0.122"'' + ]; + }; } 
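Review bot: `home.stateVersion = "23.05";` is now set once for every host through `home-manager.users.victor`, but the removed `nixos/hosts/olympus/bastion/home.nix` lines in this same diff carried `home.stateVersion = "22.05"`, so bastion's Home Manager profile silently jumps a release. `stateVersion` is meant to stay at the value a profile was first created with, since it gates stateful defaults, so the safer consolidation is `home.stateVersion = lib.mkDefault "23.05";` here with bastion keeping `home.stateVersion = "22.05";` (or a comment recording that the jump was deliberate). That needs `lib` in this module's argument set, whose header is outside the hunk.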
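Review bot: The five `local-data` entries in `services.unbound.settings.server` all resolve to `192.168.0.122`, and the same five names are repeated in `local-zone`, so a rename or an IP move has to be made in three places; deriving both lists from one list of names keeps them in step. If `xirion.net` is DNSSEC-signed, these overrides are answered unsigned and a validating client on the LAN would reject them — a comment stating whether that was considered would help either way.
```nix
services.unbound.settings.server = let
  # Names answered with the LAN address instead of the public one (split-horizon).
  lanNames = [
    "xirion.net"
    "hades.xirion.net"
    "requests.xirion.net"
    "ha.xirion.net"
    "mail.xirion.net"
  ];
  lanAddress = "192.168.0.122";
in {
  local-zone = map (n: "${n} typetransparent") lanNames;
  local-data = map (n: ''"${n} A ${lanAddress}"'') lanNames;
};
```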
diff --git a/nixos/hosts/olympus/bastion/configuration.nix b/nixos/hosts/olympus/bastion/configuration.nix index 7770573..8127348 100644 --- a/nixos/hosts/olympus/bastion/configuration.nix +++ b/nixos/hosts/olympus/bastion/configuration.nix @@ -69,7 +69,5 @@ in { pinentryFlavor = "curses"; }; - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; home-manager.users.victor = import ./home.nix; } diff --git a/nixos/hosts/olympus/bastion/home.nix b/nixos/hosts/olympus/bastion/home.nix index fad23ec..a65de8e 100644 --- a/nixos/hosts/olympus/bastion/home.nix +++ b/nixos/hosts/olympus/bastion/home.nix @@ -1,9 +1,4 @@ _: { - programs.home-manager.enable = true; - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "22.05"; - programs.direnv = { enable = true; nix-direnv = { enable = true; }; diff --git a/nixos/hosts/olympus/eevee/configuration.nix b/nixos/hosts/olympus/eevee/configuration.nix index bf240a9..26a0bfd 100644 --- a/nixos/hosts/olympus/eevee/configuration.nix +++ b/nixos/hosts/olympus/eevee/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, inputs, ... }: { +{ pkgs, ... }: { imports = [ ./hardware-configuration.nix ./hardware.nix ]; # Bootloader. @@ -41,10 +41,7 @@ environment.sessionVariables.NIXOS_OZONE_WL = "1"; home-manager = { - useGlobalPkgs = true; - useUserPackages = true; users.victor = import ./home; - extraSpecialArgs = { inherit inputs; }; }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nixos/hosts/olympus/eevee/hardware.nix b/nixos/hosts/olympus/eevee/hardware.nix index 14ca765..f051d03 100644 --- a/nixos/hosts/olympus/eevee/hardware.nix +++ b/nixos/hosts/olympus/eevee/hardware.nix 
@@ -22,6 +22,11 @@ driSupport = true; }; + hardware.logitech.wireless = { + enable = true; + enableGraphical = true; + }; + # udev services.udev.packages = with pkgs; [ android-udev-rules diff --git a/nixos/hosts/olympus/eevee/home/default.nix b/nixos/hosts/olympus/eevee/home/default.nix index ce2eaae..2e78a54 100644 --- a/nixos/hosts/olympus/eevee/home/default.nix +++ b/nixos/hosts/olympus/eevee/home/default.nix @@ -1,12 +1,4 @@ _: { - programs.home-manager.enable = true; - - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "23.05"; - - imports = [ ../../../../common/desktop/home.nix ]; - dconf.settings."org/gnome/desktop/peripherals/mouse" = { accel-profile = "flat"; }; diff --git a/nixos/hosts/thalassa/aoife/configuration.nix b/nixos/hosts/thalassa/aoife/configuration.nix index 75ceeb5..928e8c2 100644 --- a/nixos/hosts/thalassa/aoife/configuration.nix +++ b/nixos/hosts/thalassa/aoife/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ inputs, ... }: { +{ inputs, lib, ... }: { imports = [ ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z @@ -11,16 +11,19 @@ # Bootloader. boot = { + bootspec.enable = true; initrd.kernelModules = [ "amdgpu" ]; resumeDevice = "/dev/nvme0n1p2"; + loader.systemd-boot.enable = lib.mkForce false; + + lanzaboote = { + enable = true; + configurationLimit = 5; + pkiBundle = "/etc/secureboot"; + }; }; - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - users.victor = import ./home; - extraSpecialArgs = { inherit inputs; }; - }; + home-manager.users.victor = import ./home; # Enable Ozone rendering for Chromium and Electron apps. environment.sessionVariables.NIXOS_OZONE_WL = "1"; diff --git a/nixos/hosts/thalassa/aoife/home/default.nix b/nixos/hosts/thalassa/aoife/home/default.nix index cce6c37..b126d8e 100644 
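Review bot: `pkiBundle = "/etc/secureboot";` points lanzaboote at the Secure Boot signing keys, and nothing in the hunk documents that this directory holds the private PK/KEK/db keys (the lanzaboote quick-start creates them with `sbctl create-keys`), that it has to exist before the first rebuild with this config, and that it must never be copied into the repository or an unencrypted backup. A comment such as `# Private Secure Boot keys (sbctl create-keys); never commit or back up unencrypted` on the `pkiBundle` line would make that explicit. `loader.systemd-boot.enable = lib.mkForce false;` overrides the `lib.mkDefault true` that `common/desktop` now sets, so plain `false` would already win; `mkForce` is fine as a defence against other modules but deserves a comment naming why.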
--- a/nixos/hosts/thalassa/aoife/home/default.nix +++ b/nixos/hosts/thalassa/aoife/home/default.nix @@ -1,12 +1,4 @@ _: { - programs.home-manager.enable = true; - - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "23.05"; - - imports = [ ../../../../common/desktop/home.nix ]; - # Custom dconf settings dconf.settings."org/gnome/desktop/input-sources" = { xkb-options = [ "caps:swapescape" ]; diff --git a/nixos/pkgs/dnd-5e-latex-template/default.nix b/nixos/pkgs/dnd-5e-latex-template/default.nix index ef5ffca..c295de6 100644 --- a/nixos/pkgs/dnd-5e-latex-template/default.nix +++ b/nixos/pkgs/dnd-5e-latex-template/default.nix @@ -1,4 +1,4 @@ -{ stdenvNoCC, fetchFromGitHub }: +{ lib, stdenvNoCC, fetchFromGitHub }: stdenvNoCC.mkDerivation rec { pname = "dnd-5e-latex-template"; version = "0.8.0"; @@ -23,5 +23,8 @@ stdenvNoCC.mkDerivation rec { runHook postInstall ''; - meta = { description = "DnD 5e latex template"; }; + meta = { + description = "DnD 5e latex template"; + license = lib.licenses.mit; + }; } diff --git a/nixos/pkgs/gitea-agatheme/default.nix b/nixos/pkgs/gitea-agatheme/default.nix index ec5fdf7..0901a05 100644 --- a/nixos/pkgs/gitea-agatheme/default.nix +++ b/nixos/pkgs/gitea-agatheme/default.nix @@ -1,4 +1,4 @@ -{ stdenvNoCC, fetchurl }: +{ stdenvNoCC, fetchurl, lib }: stdenvNoCC.mkDerivation { pname = "gitea-agatheme"; version = "1.2"; @@ -14,4 +14,8 @@ stdenvNoCC.mkDerivation { installPhase = '' cp $src $out ''; + + meta = with lib; { + description = "Gitea/Forgejo purple theme"; + }; } diff --git a/nixos/templates/proxmox-lxc.nix b/nixos/templates/proxmox-lxc.nix index 2d1502b..74079dd 100644 --- a/nixos/templates/proxmox-lxc.nix +++ b/nixos/templates/proxmox-lxc.nix @@ -1,5 +1,5 @@ { lib, ... }: { - imports = [ ../common/common.nix ../common/generic-lxc.nix ]; + imports = [ ../common ../common/generic-lxc.nix ]; proxmoxLXC = { manageNetwork = true; 
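Review bot: `meta = with lib; { description = "Gitea/Forgejo purple theme"; };` opens a `with lib;` scope that nothing inside the set uses, so it is dead syntax. Either drop it, `meta = { description = "Gitea/Forgejo purple theme"; };`, or make it earn its place by recording the license as the sibling `dnd-5e-latex-template` hunk does, `license = licenses.<spdx-id>;` with the theme's actual license. The argument order `{ stdenvNoCC, fetchurl, lib }` also differs from that package's `{ lib, stdenvNoCC, fetchFromGitHub }`; nixpkgs convention puts `lib` first.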
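Review bot: Pointing the template at `../common` instead of `../common/common.nix` pulls in `common/default.nix`, which in this same diff imports `inputs.vault-secrets.nixosModules.vault-secrets`, sets `home-manager.*` options and reads `inputs` and `config.networking.domain`, so the image built with `nixosGenerate` now needs `inputs` in `specialArgs` and the home-manager module among `util.base_imports`. The `inherit system pkgs specialArgs;` change in `flake.nix` appears to supply the first; confirm the second, otherwise evaluating the LXC template fails on undefined `home-manager` options. A comment on the `imports` line noting that the template now receives the full common profile (vault-secrets, nix settings, SSH defaults) would make the widened scope visible.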
diff --git a/nixos/util.nix b/nixos/util.nix
index 6f6511a..05f10f5 100644
--- a/nixos/util.nix
+++ b/nixos/util.nix
@@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote, ... }:
 let
 inherit (builtins) filter attrValues concatMap mapAttrs;
 inherit (nixpkgs.lib.attrsets) mapAttrsToList;
@@ -13,7 +13,10 @@ let
 ./common/generic-lxc.nix
 ];
 "vm" = [ ./common/generic-vm.nix ];
- "local" = [ ./common/desktop ];
+ "local" = [
+ lanzaboote.nixosModules.lanzaboote
+ ./common/desktop
+ ];
 };
 in type: import_cases.${type} ++ base_imports;
 # Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)
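Review bot: `lanzaboote.nixosModules.lanzaboote` is now imported for every `"local"` host although only `aoife` enables it in this diff; that appears to work because `common/desktop` keeps `systemd-boot.enable = lib.mkDefault true` and the lanzaboote module does nothing until `boot.lanzaboote.enable` is set, but a reader of `util.nix` cannot see that. A comment above the entry, `# Secure Boot (lanzaboote); inert until a host sets boot.lanzaboote.enable`, records the intent. The function also gained a required `lanzaboote` argument in the first hunk, so every caller of `util.nix` must now pass it.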