From e6ec6d548212a8e436bfc75e2098db869e74520f Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 28 May 2023 14:01:47 +0000 Subject: [PATCH 01/17] Update renovate/renovate Docker tag to v35.103.0 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index bd0c9c1..8383af7 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:35.102.10 + image: renovate/renovate:35.103.0 volumeMounts: - name: config-volume mountPath: /opt/renovate/ From 48f074e2fa4130a724e273a5b6fdf4c61587d952 Mon Sep 17 00:00:00 2001 From: Victor Date: Mon, 29 May 2023 16:24:59 +0200 Subject: [PATCH 02/17] flake update --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 297ba20..53bbfd4 100644 --- a/flake.lock +++ b/flake.lock @@ -799,11 +799,11 @@ }, "nixpkgs_22-11": { "locked": { - "lastModified": 1685043448, - "narHash": "sha256-U3BwyDc2OzBcZ8tD09qXibyivgOtOQFTFCVgFyJ+6MM=", + "lastModified": 1685314633, + "narHash": "sha256-8LXBPqTQXl5ofkjpJ18JcbmLJ/lWDoMxtUwiDYv0wro=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9886352ec9ab3945896ee8a4185e961fe29df209", + "rev": "c8a17ce7abc03c50cd072e9e6c9b389c5f61836b", "type": "github" }, "original": { @@ -815,11 +815,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1685168767, - "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=", + "lastModified": 1685290091, + "narHash": "sha256-GGQYNZ7POoqPTtXgPOLUuSiHkOKFRWYpCoWUOSeSRoU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262", + "rev": "4e37b4e55b60fb7d43d2b62deb51032a489bcbe8", "type": "github" }, "original": { 
@@ -831,11 +831,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1684754342, - "narHash": "sha256-plGnjnbnPLoZCTdQX21oT7xliQhFtgcWlkuDHgtEb1o=", + "lastModified": 1685168767, + "narHash": "sha256-wQgnxz0PdqbyKKpsWl/RU8T8QhJQcHfeC6lh1xRUTfk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7084250df3d7f9735087d3234407f3c1fc2400e3", + "rev": "e10802309bf9ae351eb27002c85cfdeb1be3b262", "type": "github" }, "original": { @@ -931,11 +931,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1685138650, - "narHash": "sha256-1tNM1vxFCX2S1hi/baivwuMPLZ8tAp/jhQl+KOykDws=", + "lastModified": 1685357461, + "narHash": "sha256-UUOEz2VGMc8giiaDF7lpq7ol7bx71mqepRFu2lBzNF8=", "owner": "pta2002", "repo": "nixvim", - "rev": "246f811084886285696a96cdfc45f416af633449", + "rev": "3f08cff1d0c2a45e5bf0448a074c5bcc152cf2c5", "type": "github" }, "original": { @@ -946,11 +946,11 @@ }, "nur": { "locked": { - "lastModified": 1685263548, - "narHash": "sha256-qljNXIQePMRWr0yhQP16C/rBPSjzqcF38Y2ad4/KnXQ=", + "lastModified": 1685367958, + "narHash": "sha256-7KqC9OKOfQPkwLVh8E+rAOPQ/yEzw82GcUYS4/V9v6g=", "owner": "nix-community", "repo": "NUR", - "rev": "5e934ff2c9502937ebd39cff1aeebe7e60126c45", + "rev": "95e05399f4527fdde06cd151780324fb4f05ac9e", "type": "github" }, "original": { @@ -1015,11 +1015,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1684763926, - "narHash": "sha256-1pSTzogoCmZc7JB3VrFFgFoj5lNXIIWwkVReFVMHDT8=", + "lastModified": 1684842236, + "narHash": "sha256-rYWsIXHvNhVQ15RQlBUv67W3YnM+Pd+DuXGMvCBq2IE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "df448ffc5d244f52261d05894c5a96af7f3758a1", + "rev": "61e567d6497bc9556f391faebe5e410e6623217f", "type": "github" }, "original": { From 576c5db3330c3dc6f16c53d771954896b0380f7e Mon Sep 17 00:00:00 2001 
From: Victor
Date: Mon, 29 May 2023 18:08:25 +0200
Subject: [PATCH 03/17] add split-dns settings

---
nixos/hosts/hades/dns/configuration.nix | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/nixos/hosts/hades/dns/configuration.nix b/nixos/hosts/hades/dns/configuration.nix
index 2294810..3e7e897 100644
--- a/nixos/hosts/hades/dns/configuration.nix
+++ b/nixos/hosts/hades/dns/configuration.nix
@@ -17,4 +17,22 @@
openFirewall = true;
mode = "server";
};
+
+ services.unbound.settings.server = {
+ local-zone = [
+ "xirion.net typetransparent"
+ "hades.xirion.net typetransparent"
+ "requests.xirion.net typetransparent"
+ "ha.xirion.net typetransparent"
+ "mail.xirion.net typetransparent"
+ ];
+
+ local-data = [
+ ''"xirion.net A 192.168.0.122"''
+ ''"hades.xirion.net A 192.168.0.122"''
+ ''"requests.xirion.net A 192.168.0.122"''
+ ''"ha.xirion.net A 192.168.0.122"''
+ ''"mail.xirion.net A 192.168.0.122"''
+ ];
+ };
}
From 9a4b0d51c0bcd0716123bb2658873546c1ac22e4 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Mon, 29 May 2023 22:00:26 +0000
Subject: [PATCH 04/17] Update renovate/renovate Docker tag to v35.105.0

---
flux/olympus/apps/services/renovate/cronjob.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml
index 8383af7..92a7174 100644
--- a/flux/olympus/apps/services/renovate/cronjob.yaml
+++ b/flux/olympus/apps/services/renovate/cronjob.yaml
@@ -19,7 +19,7 @@ spec:
emptyDir: {}
containers:
- name: renovate
- image: renovate/renovate:35.103.0
+ image: renovate/renovate:35.105.0
volumeMounts:
- name: config-volume
mountPath: /opt/renovate/
From f29f2e9b20f5f1a7f3ceec7cb919eb0bcdb1e8be Mon Sep 17 00:00:00 2001
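Review bot: The five overridden names are spelled out twice, once in `local-zone` and once in `local-data`, each paired with the same literal `192.168.0.122`, so moving the service or renaming a host means editing two lists that nothing keeps in sync; deriving both from one host list and one `lanIp` binding (below) removes that. Separately, `typetransparent` only overrides the record types that have local data, so an AAAA query for any of these names is still forwarded upstream — if the public zone publishes AAAA records for them, IPv6-preferring clients will bypass the split-horizon answer; worth confirming against the public zone and, if so, pairing each A with a local AAAA. The enclosing module attribute set opens outside the hunk.
```nix
services.unbound.settings.server =
  let
    lanIp = "192.168.0.122";
    splitHosts = [
      "xirion.net"
      "hades.xirion.net"
      "requests.xirion.net"
      "ha.xirion.net"
      "mail.xirion.net"
    ];
  in {
    local-zone = map (h: "${h} typetransparent") splitHosts;
    local-data = map (h: ''"${h} A ${lanIp}"'') splitHosts;
  };
```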
From: Victor Date: Tue, 30 May 2023 08:41:42 +0200 Subject: [PATCH 05/17] aoife: enable secure boot --- README.md | 6 + flake.lock | 264 +++++++++++++++++-- flake.nix | 11 +- nixos/common/desktop/default.nix | 2 +- nixos/hosts/thalassa/aoife/configuration.nix | 10 +- nixos/util.nix | 7 +- 6 files changed, 272 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index d55c001..9fd288d 100644 --- a/README.md +++ b/README.md @@ -10,3 +10,9 @@ to deploy the infrastructure, this can be accessed running `nix develop`. [Flux]: https://github.com/fluxcd/flux2 [colmena]: https://colmena.cli.rs/unstable/ + +## Inspired by the following repos +* +* +* +* diff --git a/flake.lock b/flake.lock index 53bbfd4..118d301 100644 --- a/flake.lock +++ b/flake.lock @@ -123,6 +123,39 @@ } }, "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1683505101, + "narHash": "sha256-VBU64Jfu2V4sUR5+tuQS9erBRAe/QEYUxdVMcJGMZZs=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7b5bd9e5acb2bb0cfba2d65f34d8568a894cdb6c", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { "flake": false, "locked": { "lastModified": 1670284777, @@ -158,9 +191,9 @@ "inputs": { "alejandra": "alejandra", "all-cabal-json": "all-cabal-json", - "crane": "crane", + "crane": "crane_2", "devshell": "devshell", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "flake-utils-pre-commit": "flake-utils-pre-commit", "ghc-utils": "ghc-utils", "gomod2nix": "gomod2nix", 
@@ -268,11 +301,11 @@ "flake-compat_3": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -284,11 +317,11 @@ "flake-compat_4": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", "type": "github" }, "original": { @@ -298,6 +331,22 @@ } }, "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, @@ -313,6 +362,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1683560683, + "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, 
@@ -379,6 +449,24 @@ } }, "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -393,7 +481,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_5": { "locked": { "lastModified": 1678901627, "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", @@ -407,9 +495,9 @@ "type": "indirect" } }, - "flake-utils_5": { + "flake-utils_6": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -458,6 +546,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "nixvim", 
@@ -515,6 +625,32 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1685349926, + "narHash": "sha256-c1rKI1glJWdJIPefp9aiyhAkEZ4Sc6Rh/J5VumEXu1M=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "2e62c11babeead4b26efbb7f2cd4488baaa2e897", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "lowdown-src": { "flake": false, "locked": { @@ -549,7 +685,7 @@ "mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "nixpkgs" ], @@ -781,6 +917,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1680668850, @@ -926,7 +1078,7 @@ "nixvim": { "inputs": { "beautysh": "beautysh", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_4", "pre-commit-hooks": "pre-commit-hooks" }, @@ -1005,14 +1157,14 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_3", - "gitignore": "gitignore", + "flake-compat": "flake-compat_5", + "flake-utils": "flake-utils_4", + "gitignore": "gitignore_2", "nixpkgs": [ "nixvim", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1684842236, 
@@ -1028,6 +1180,37 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1682596858, + "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "fb58866e20af98779017134319b5663b8215d912", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks_2": { "inputs": { "flake-utils": [ @@ -1080,6 +1263,7 @@ "colmena": "colmena", "comma": "comma", "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "mailserver": "mailserver", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", @@ -1127,6 +1311,31 @@ "type": "github" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1684030847, + "narHash": "sha256-z4tOxaN9Cl8C80u6wyZBpPt9A9MbL21fZ3zdB/vG+AU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "aa1480f16bec7dda3c62b8cdb184c7e823331ba2", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1669735802, @@ -1173,6 +1382,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1678901627, 
@@ -1220,8 +1444,8 @@ }, "vault-secrets": { "inputs": { - "flake-compat": "flake-compat_5", - "flake-utils": "flake-utils_4", + "flake-compat": "flake-compat_6", + "flake-utils": "flake-utils_5", "nix": "nix", "nixpkgs": "nixpkgs_7" }, @@ -1241,7 +1465,7 @@ }, "vault-unseal": { "inputs": { - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_6", "nixpkgs": "nixpkgs_8" }, "locked": { diff --git a/flake.nix b/flake.nix index 98f81d5..40353fd 100644 --- a/flake.nix +++ b/flake.nix @@ -1,10 +1,6 @@ { description = "0x76's infrastructure"; - # Based on: - # * https://github.com/serokell/pegasus-infra/blob/master/flake.nix - # * https://git.voidcorp.nl/j00lz/nixos-configs/src/branch/main/flake.nix - # For minecraft use: # * https://github.com/Infinidoge/nix-minecraft @@ -38,6 +34,13 @@ nixos-hardware.url = "github:toastal/nixos-hardware/z-series-no-hidpi"; + lanzaboote = { + url = "github:nix-community/lanzaboote"; + + # Optional but recommended to limit the size of your system closure. + inputs.nixpkgs.follows = "nixpkgs"; + }; + vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git"; }; diff --git a/nixos/common/desktop/default.nix b/nixos/common/desktop/default.nix index 9a93dbe..af704c1 100644 --- a/nixos/common/desktop/default.nix +++ b/nixos/common/desktop/default.nix @@ -38,7 +38,7 @@ services.printing.enable = true; # Global Packages - environment.systemPackages = with pkgs; [ wireguard-tools ]; + environment.systemPackages = with pkgs; [ wireguard-tools sbctl ]; # Enable sound with pipewire. sound.enable = true; diff --git a/nixos/hosts/thalassa/aoife/configuration.nix b/nixos/hosts/thalassa/aoife/configuration.nix index 75ceeb5..566477e 100644 --- a/nixos/hosts/thalassa/aoife/configuration.nix +++ b/nixos/hosts/thalassa/aoife/configuration.nix 
@@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ inputs, ... }: { +{ inputs, lib, ... }: { imports = [ ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z @@ -11,8 +11,16 @@ # Bootloader. boot = { + bootspec.enable = true; initrd.kernelModules = [ "amdgpu" ]; resumeDevice = "/dev/nvme0n1p2"; + loader.systemd-boot.enable = lib.mkForce false; + + lanzaboote = { + enable = true; + configurationLimit = 5; + pkiBundle = "/etc/secureboot"; + }; }; home-manager = { diff --git a/nixos/util.nix b/nixos/util.nix index 6f6511a..05f10f5 100644 --- a/nixos/util.nix +++ b/nixos/util.nix @@ -1,4 +1,4 @@ -{ nixpkgs, home-manager, mailserver, ... }: +{ nixpkgs, home-manager, mailserver, lanzaboote, ... }: let inherit (builtins) filter attrValues concatMap mapAttrs; inherit (nixpkgs.lib.attrsets) mapAttrsToList; @@ -13,7 +13,10 @@ let ./common/generic-lxc.nix ]; "vm" = [ ./common/generic-vm.nix ]; - "local" = [ ./common/desktop ]; + "local" = [ + lanzaboote.nixosModules.lanzaboote + ./common/desktop + ]; }; in type: import_cases.${type} ++ base_imports; # Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal) From 2cad79d4b5de80b2f808c5a8d6273edbf07be210 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 30 May 2023 09:58:17 +0200 Subject: [PATCH 06/17] various updates --- flake.nix | 29 ++++++++++++++------ nixos/common/common.nix | 8 ++---- nixos/common/desktop/default.nix | 18 ++++++++++-- nixos/common/desktop/home.nix | 2 ++ nixos/common/hm-modules/nvim.nix | 20 +++++++++++++- nixos/common/users/default.nix | 2 ++ nixos/hosts/olympus/eevee/hardware.nix | 5 ++++ nixos/pkgs/dnd-5e-latex-template/default.nix | 7 +++-- nixos/pkgs/gitea-agatheme/default.nix | 6 +++- 9 files changed, 76 insertions(+), 21 deletions(-) diff --git a/flake.nix b/flake.nix index 40353fd..18ce4d9 100644 --- a/flake.nix 
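Review bot: `pkiBundle = "/etc/secureboot";` names the signing-key bundle, but nothing in this configuration creates or checks it, so I expect the first switch with `lanzaboote.enable = true;` on aoife to fail until the keys have been generated on the host out of band with the `sbctl` this patch adds to the desktop profile; a comment on that line would spare the next deployer the failed activation, e.g. `# One-time bootstrap on the host: sbctl create-keys; the private keys live here, outside nix, and must be backed up.`. Note that `sbctl` (`nixos/common/desktop/default.nix`) and the `lanzaboote.nixosModules.lanzaboote` import (`nixos/util.nix`) now land on every "local" host, not only aoife, which is harmless as long as `boot.lanzaboote.enable` stays unset elsewhere but is worth stating in the commit. The `boot` block closes within the hunk; the enclosing module continues outside it.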
+++ b/flake.nix @@ -44,8 +44,16 @@ vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git"; }; - outputs = { self, nixpkgs, nixpkgs_22-11, vault-secrets, colmena - , nixos-generators, nur, ... }@inputs: + outputs = + { self + , nixpkgs + , nixpkgs_22-11 + , vault-secrets + , colmena + , nixos-generators + , nur + , ... + }@inputs: let inherit (nixpkgs) lib; @@ -79,7 +87,8 @@ source /etc/set-environment nix repl --file "${./.}/repl.nix" $@ ''; - in { + in + { # Make the nixosConfigurations for compat reasons (e.g. vault) nixosConfigurations = (import (inputs.colmena + "/src/nix/hive/eval.nix") { @@ -91,12 +100,14 @@ }).nodes; # Make the colmena configuration - colmena = lib.foldr (el: acc: acc // util.mkColmenaHost el) { - meta = { - inherit specialArgs; - nixpkgs = pkgs; - }; - } nixHosts; + colmena = lib.foldr (el: acc: acc // util.mkColmenaHost el) + { + meta = { + inherit specialArgs; + nixpkgs = pkgs; + }; + } + nixHosts; packages.${system} = { inherit apply-local; diff --git a/nixos/common/common.nix b/nixos/common/common.nix index 7a34a8a..a61ac68 100644 --- a/nixos/common/common.nix +++ b/nixos/common/common.nix @@ -57,12 +57,8 @@ nixpkgs.config.allowUnfree = true; - nixpkgs.config.permittedInsecurePackages = [ - "nodejs-14.21.3" - "openssl-1.1.1t" - "nodejs-16.20.0" - ]; - + nixpkgs.config.permittedInsecurePackages = + [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ]; # Limit the systemd journal to 100 MB of disk or the # last 7 days of logs, whichever happens first. diff --git a/nixos/common/desktop/default.nix b/nixos/common/desktop/default.nix index af704c1..e9bf197 100644 --- a/nixos/common/desktop/default.nix +++ b/nixos/common/desktop/default.nix @@ -3,7 +3,7 @@ boot = { kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; loader = { - systemd-boot.enable = true; + systemd-boot.enable = lib.mkDefault true; efi.canTouchEfiVariables = true; efi.efiSysMountPoint = "/boot/efi"; }; 
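Review bot: The `permittedInsecurePackages` list in `nixos/common/common.nix` is re-flowed onto one line but still records no reason for any of its three exemptions (`nodejs-14.21.3`, `openssl-1.1.1t`, `nodejs-16.20.0`), and because `common.nix` is shared they apply to every host in the flake; each entry deserves a comment naming the consumer that still needs it so the exemption can be dropped together with it, e.g. `"openssl-1.1.1t" # needed by: <consumer package> — remove once it builds against openssl 3`. The enclosing module continues outside the hunk.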
@@ -38,7 +38,9 @@ services.printing.enable = true; # Global Packages - environment.systemPackages = with pkgs; [ wireguard-tools sbctl ]; + environment = { + systemPackages = with pkgs; [ wireguard-tools sbctl ]; + }; # Enable sound with pipewire. sound.enable = true; @@ -83,6 +85,18 @@ remotePlay.openFirewall = true; }; + programs.adb.enable = true; + + # Debloat + documentation = { + enable = false; + doc.enable = false; + man.enable = false; + info.enable = false; + nixos.enable = false; + }; + system.disableInstallerTools = true; + # Networking networking.networkmanager.enable = true; networking.firewall.checkReversePath = false; diff --git a/nixos/common/desktop/home.nix b/nixos/common/desktop/home.nix index c575b57..7a64942 100644 --- a/nixos/common/desktop/home.nix +++ b/nixos/common/desktop/home.nix @@ -59,6 +59,8 @@ in { push.autoSetupRemote = true; init.defaultBranch = "main"; }; + + difftastic.enable = true; }; programs.tmux = { diff --git a/nixos/common/hm-modules/nvim.nix b/nixos/common/hm-modules/nvim.nix index b2a96e3..4818d83 100644 --- a/nixos/common/hm-modules/nvim.nix +++ b/nixos/common/hm-modules/nvim.nix @@ -11,11 +11,16 @@ in { globals = { mapleader = " "; }; + options = { number = true; }; + maps.normal = { "ff" = "lua require('telescope.builtin').find_files()"; "fg" = "lua require('telescope.builtin').live_grep()"; + "" = "lua require('Comment.api').toggle.linewise.current()"; # map ctrl+/ to commenting code + + "g=" = "lua vim.lsp.buf.format{async=true}"; }; extraPlugins = with pkgs.vimPlugins; [ catppuccin-nvim luasnip ]; @@ -26,6 +31,19 @@ in { plugins = { bufferline.enable = true; + null-ls = { + enable = true; + sources = { + formatting.nixpkgs_fmt.enable = true; + code_actions.shellcheck.enable = true; + code_actions.statix.enable = true; + diagnostics = { + statix.enable = true; + deadnix.enable = true; + shellcheck.enable = true; + }; + }; + }; nix.enable = true; treesitter = { enable = true; 
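Review bot: In `nixos/common/hm-modules/nvim.nix` the new mapping `"" = "lua require('Comment.api').toggle.linewise.current()"` has an empty-looking key: if the file holds the raw Ctrl-/ control byte it is invisible to readers, linters and copy/paste, and if the key really is an empty string the trailing `# map ctrl+/ to commenting code` comment describes a binding that never fires. Writing it in Vim key notation, `"<C-_>" = "lua require('Comment.api').toggle.linewise.current()";` (terminals generally deliver Ctrl-/ as Ctrl-_), makes the intent explicit and greppable; please confirm which of the two the file actually contains.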
@@ -47,8 +65,8 @@ in { comment-nvim = { enable = true; }; lsp = { enable = true; + servers.nil_ls.enable = true; servers.rust-analyzer.enable = true; - servers.rnix-lsp.enable = true; servers.pyright.enable = true; servers.elixirls.enable = true; servers.clangd.enable = true; diff --git a/nixos/common/users/default.nix b/nixos/common/users/default.nix index 674a6d7..bf0253f 100644 --- a/nixos/common/users/default.nix +++ b/nixos/common/users/default.nix @@ -23,6 +23,8 @@ programs.neovim = { enable = true; viAlias = true; + vimAlias = true; + defaultEditor = true; }; # Disable sudo prompt for `wheel` users. diff --git a/nixos/hosts/olympus/eevee/hardware.nix b/nixos/hosts/olympus/eevee/hardware.nix index 561c570..6efe1de 100644 --- a/nixos/hosts/olympus/eevee/hardware.nix +++ b/nixos/hosts/olympus/eevee/hardware.nix @@ -22,6 +22,11 @@ driSupport = true; }; + hardware.logitech.wireless = { + enable = true; + enableGraphical = true; + }; + # udev services.udev.packages = with pkgs; [ android-udev-rules diff --git a/nixos/pkgs/dnd-5e-latex-template/default.nix b/nixos/pkgs/dnd-5e-latex-template/default.nix index ef5ffca..c295de6 100644 --- a/nixos/pkgs/dnd-5e-latex-template/default.nix +++ b/nixos/pkgs/dnd-5e-latex-template/default.nix @@ -1,4 +1,4 @@ -{ stdenvNoCC, fetchFromGitHub }: +{ lib, stdenvNoCC, fetchFromGitHub }: stdenvNoCC.mkDerivation rec { pname = "dnd-5e-latex-template"; version = "0.8.0"; @@ -23,5 +23,8 @@ stdenvNoCC.mkDerivation rec { runHook postInstall ''; - meta = { description = "DnD 5e latex template"; }; + meta = { + description = "DnD 5e latex template"; + license = lib.licenses.mit; + }; } diff --git a/nixos/pkgs/gitea-agatheme/default.nix b/nixos/pkgs/gitea-agatheme/default.nix index ec5fdf7..0901a05 100644 --- a/nixos/pkgs/gitea-agatheme/default.nix +++ b/nixos/pkgs/gitea-agatheme/default.nix @@ -1,4 +1,4 @@ -{ stdenvNoCC, fetchurl }: +{ stdenvNoCC, fetchurl, lib }: stdenvNoCC.mkDerivation { pname = "gitea-agatheme"; version = "1.2"; 
@@ -14,4 +14,8 @@ stdenvNoCC.mkDerivation { installPhase = '' cp $src $out ''; + + meta = with lib; { + description = "Gitea/Forgejo purple theme"; + }; } From 557bc492f4eb99b15342be26119be9b8d4338e02 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 30 May 2023 10:01:49 +0200 Subject: [PATCH 07/17] disable docs everywhere --- nixos/common/common.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nixos/common/common.nix b/nixos/common/common.nix index a61ac68..0a589b6 100644 --- a/nixos/common/common.nix +++ b/nixos/common/common.nix @@ -75,4 +75,15 @@ PermitRootLogin = lib.mkDefault "no"; }; }; + + # Debloat + documentation = { + enable = false; + doc.enable = false; + man.enable = false; + info.enable = false; + nixos.enable = false; + }; + + system.disableInstallerTools = lib.mkDefault true; } From 80cda8ed2baa3ed4bdca5346af14a9ed3dcb7f05 Mon Sep 17 00:00:00 2001 From: Victor Roest Date: Tue, 30 May 2023 12:08:32 +0200 Subject: [PATCH 08/17] fix build error --- nixos/common/common.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/common/common.nix b/nixos/common/common.nix index 0a589b6..8c51643 100644 --- a/nixos/common/common.nix +++ b/nixos/common/common.nix @@ -78,11 +78,11 @@ # Debloat documentation = { - enable = false; - doc.enable = false; - man.enable = false; - info.enable = false; - nixos.enable = false; + enable = lib.mkForce false; + doc.enable = lib.mkForce false; + man.enable = lib.mkForce false; + info.enable = lib.mkForce false; + nixos.enable = lib.mkForce false; }; system.disableInstallerTools = lib.mkDefault true; From 2f82c391e0ec3dcea47894fbdfc4ae5854758fcd Mon Sep 17 00:00:00 2001 
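Review bot: Switching every `documentation.*` option in `nixos/common/common.nix` to `lib.mkForce false` makes it impossible for a single host to turn man pages or `nixos-help` back on without editing the shared file; the force appears to have been added only to resolve the conflict with the identical block added to `nixos/common/desktop/default.nix` in PATCH 06, and that duplicate is removed again in PATCH 09 of this series, after which `lib.mkDefault false` — matching the `system.disableInstallerTools = lib.mkDefault true;` line right below — is sufficient and leaves hosts an opt-in. The enclosing module continues outside the hunk.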
From: Victor Date: Tue, 30 May 2023 12:09:05 +0200 Subject: [PATCH 09/17] simplify hm (also as prep to use it on servers) --- nixos/common/desktop/default.nix | 20 ++++++++------------ nixos/common/desktop/home.nix | 15 ++++++++++++--- nixos/hosts/olympus/eevee/configuration.nix | 3 --- nixos/hosts/olympus/eevee/home/default.nix | 8 -------- nixos/hosts/thalassa/aoife/configuration.nix | 7 +------ nixos/hosts/thalassa/aoife/home/default.nix | 8 -------- 6 files changed, 21 insertions(+), 40 deletions(-) diff --git a/nixos/common/desktop/default.nix b/nixos/common/desktop/default.nix index e9bf197..a3e5693 100644 --- a/nixos/common/desktop/default.nix +++ b/nixos/common/desktop/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, inputs, ... }: { # Bootloader. boot = { kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; @@ -14,6 +14,13 @@ }; }; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users.victor = import ./home.nix; + extraSpecialArgs = { inherit inputs; }; + }; + # Enable my config for the gnome desktop environment services.v.gnome.enable = true; @@ -86,17 +93,6 @@ }; programs.adb.enable = true; - - # Debloat - documentation = { - enable = false; - doc.enable = false; - man.enable = false; - info.enable = false; - nixos.enable = false; - }; - system.disableInstallerTools = true; - # Networking networking.networkmanager.enable = true; networking.firewall.checkReversePath = false; diff --git a/nixos/common/desktop/home.nix b/nixos/common/desktop/home.nix index 7a64942..6ec552f 100644 --- a/nixos/common/desktop/home.nix +++ b/nixos/common/desktop/home.nix @@ -6,7 +6,14 @@ let }; my-python-packages = ps: with ps; [ pandas requests numpy ]; in { + programs.home-manager.enable = true; + + home.username = "victor"; + home.homeDirectory = "/home/victor"; + home.stateVersion = "23.05"; + home.packages = with pkgs; [ + (python3.withPackages my-python-packages) btop calibre celluloid 
@@ -16,13 +23,11 @@ in { gimp inputs.comma.packages.${pkgs.system}.default inputs.webcord.packages.${pkgs.system}.default - # jetbrains.clion kdenlive mullvad-vpn neofetch nixfmt nixpkgs-review - (python3.withPackages my-python-packages) plex-media-player rustup solo2-cli @@ -54,7 +59,6 @@ in { userName = "Victor"; userEmail = "victor@xirion.net"; lfs.enable = true; - # delta.enable = true; extraConfig = { push.autoSetupRemote = true; init.defaultBranch = "main"; @@ -72,6 +76,11 @@ in { programs.firefox.enable = true; + programs.chromium = { + enable = true; + package = pkgs.ungoogled-chromium; + }; + programs.direnv = { enable = true; nix-direnv.enable = true; diff --git a/nixos/hosts/olympus/eevee/configuration.nix b/nixos/hosts/olympus/eevee/configuration.nix index bf240a9..70b4cc4 100644 --- a/nixos/hosts/olympus/eevee/configuration.nix +++ b/nixos/hosts/olympus/eevee/configuration.nix @@ -41,10 +41,7 @@ environment.sessionVariables.NIXOS_OZONE_WL = "1"; home-manager = { - useGlobalPkgs = true; - useUserPackages = true; users.victor = import ./home; - extraSpecialArgs = { inherit inputs; }; }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nixos/hosts/olympus/eevee/home/default.nix b/nixos/hosts/olympus/eevee/home/default.nix index ce2eaae..2e78a54 100644 --- a/nixos/hosts/olympus/eevee/home/default.nix +++ b/nixos/hosts/olympus/eevee/home/default.nix @@ -1,12 +1,4 @@ _: { - programs.home-manager.enable = true; - - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "23.05"; - - imports = [ ../../../../common/desktop/home.nix ]; - dconf.settings."org/gnome/desktop/peripherals/mouse" = { accel-profile = "flat"; }; diff --git a/nixos/hosts/thalassa/aoife/configuration.nix b/nixos/hosts/thalassa/aoife/configuration.nix index 566477e..928e8c2 100644 --- a/nixos/hosts/thalassa/aoife/configuration.nix 
+++ b/nixos/hosts/thalassa/aoife/configuration.nix @@ -23,12 +23,7 @@ }; }; - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - users.victor = import ./home; - extraSpecialArgs = { inherit inputs; }; - }; + home-manager.users.victor = import ./home; # Enable Ozone rendering for Chromium and Electron apps. environment.sessionVariables.NIXOS_OZONE_WL = "1"; diff --git a/nixos/hosts/thalassa/aoife/home/default.nix b/nixos/hosts/thalassa/aoife/home/default.nix index cce6c37..b126d8e 100644 --- a/nixos/hosts/thalassa/aoife/home/default.nix +++ b/nixos/hosts/thalassa/aoife/home/default.nix @@ -1,12 +1,4 @@ _: { - programs.home-manager.enable = true; - - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "23.05"; - - imports = [ ../../../../common/desktop/home.nix ]; - # Custom dconf settings dconf.settings."org/gnome/desktop/input-sources" = { xkb-options = [ "caps:swapescape" ]; From af8d436204227488418cf3357cd5bf236bf1069a Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 30 May 2023 14:36:52 +0200 Subject: [PATCH 10/17] fix deadnix --- nixos/hosts/olympus/eevee/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/hosts/olympus/eevee/configuration.nix b/nixos/hosts/olympus/eevee/configuration.nix index 70b4cc4..26a0bfd 100644 --- a/nixos/hosts/olympus/eevee/configuration.nix +++ b/nixos/hosts/olympus/eevee/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ pkgs, inputs, ... }: { +{ pkgs, ... }: { imports = [ ./hardware-configuration.nix ./hardware.nix ]; # Bootloader. From 841f34cdd16b25a57042615aab12ae253dc7b12c Mon Sep 17 00:00:00 2001 
From: Victor Date: Tue, 30 May 2023 14:50:49 +0200 Subject: [PATCH 11/17] add hm config for all machines --- nixos/common/common.nix | 2 ++ nixos/common/default.nix | 8 ++++++-- nixos/common/desktop/home.nix | 14 -------------- nixos/common/users/victor.nix | 17 +++++++++++++++++ nixos/hosts/olympus/bastion/configuration.nix | 2 -- nixos/hosts/olympus/bastion/home.nix | 5 ----- 6 files changed, 25 insertions(+), 23 deletions(-) diff --git a/nixos/common/common.nix b/nixos/common/common.nix index 8c51643..fa2b2a8 100644 --- a/nixos/common/common.nix +++ b/nixos/common/common.nix @@ -76,6 +76,8 @@ }; }; + + # Debloat documentation = { enable = lib.mkForce false; diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 7d08263..0144463 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -6,8 +6,12 @@ nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; nix.registry.nixpkgs.flake = inputs.nixpkgs; - home-manager.sharedModules = - [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ]; + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs; }; + sharedModules = [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ]; + }; vault-secrets = let inherit (config.networking) domain hostName; diff --git a/nixos/common/desktop/home.nix b/nixos/common/desktop/home.nix index 6ec552f..efbc7cf 100644 --- a/nixos/common/desktop/home.nix +++ b/nixos/common/desktop/home.nix @@ -6,12 +6,6 @@ let }; my-python-packages = ps: with ps; [ pandas requests numpy ]; in { - programs.home-manager.enable = true; - - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "23.05"; - home.packages = with pkgs; [ (python3.withPackages my-python-packages) btop @@ -38,7 +32,6 @@ in { # Enable my own hm modules themes.v.catppuccin.enable = true; - programs.v.nvim.enable = true; programs.v.vscode.enable = true; programs.riff = { 
@@ -67,13 +60,6 @@ in { difftastic.enable = true; }; - programs.tmux = { - enable = true; - shortcut = "b"; - terminal = "screen-256color"; - clock24 = true; - }; - programs.firefox.enable = true; programs.chromium = { diff --git a/nixos/common/users/victor.nix b/nixos/common/users/victor.nix index 3718bdc..5147733 100644 --- a/nixos/common/users/victor.nix +++ b/nixos/common/users/victor.nix @@ -21,4 +21,21 @@ extraGroups = [ "systemd-journal" "wheel" "networkmanager" "libvirtd" "dialout" ]; }; + + home-manager.users.victor = { + programs.home-manager.enable = true; + + home.username = "victor"; + home.homeDirectory = "/home/victor"; + home.stateVersion = "23.05"; + + programs.v.nvim.enable = true; + + programs.tmux = { + enable = true; + shortcut = "b"; + terminal = "screen-256color"; + clock24 = true; + }; + }; } diff --git a/nixos/hosts/olympus/bastion/configuration.nix b/nixos/hosts/olympus/bastion/configuration.nix index 7770573..8127348 100644 --- a/nixos/hosts/olympus/bastion/configuration.nix +++ b/nixos/hosts/olympus/bastion/configuration.nix @@ -69,7 +69,5 @@ in { pinentryFlavor = "curses"; }; - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; home-manager.users.victor = import ./home.nix; } diff --git a/nixos/hosts/olympus/bastion/home.nix b/nixos/hosts/olympus/bastion/home.nix index fad23ec..a65de8e 100644 --- a/nixos/hosts/olympus/bastion/home.nix +++ b/nixos/hosts/olympus/bastion/home.nix @@ -1,9 +1,4 @@ _: { - programs.home-manager.enable = true; - home.username = "victor"; - home.homeDirectory = "/home/victor"; - home.stateVersion = "22.05"; - programs.direnv = { enable = true; nix-direnv = { enable = true; }; From 4aa82b8964a8fb5e2e34847e3526ecc8569482b6 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 30 May 2023 14:01:56 +0000 Subject: [PATCH 12/17] chore(deps): update renovate/renovate docker tag to v35.105.1 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
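Review bot: The new `home-manager.users.victor` block in nixos/common/users/victor.nix sets `home.stateVersion = "23.05";` for every host, while the bastion/home.nix hunk in the same commit removes that host's `home.stateVersion = "22.05";`, so bastion's home-manager state version is silently bumped. stateVersion is meant to stay at the value from the initial installation because it gates backwards-compatibility behaviour, so the bump should be deliberate and recorded. If it is intended, a comment on the shared line such as `# bastion was on 22.05; bumped deliberately with this refactor` documents it; otherwise write `home.stateVersion = lib.mkDefault "23.05";` in victor.nix (if `lib` is in scope there; the file header is outside the hunk) and keep bastion's "22.05". Note also that victor.nix and bastion/configuration.nix now both define `home-manager.users.victor`; the module system merges them, which works, but a comment saying the two files are merged would save the next reader a search.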
diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index 92a7174..232b6cf 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:35.105.0 + image: renovate/renovate:35.105.1 volumeMounts: - name: config-volume mountPath: /opt/renovate/ From fd9b354c4d3538409b1119246af919b0fd6727d6 Mon Sep 17 00:00:00 2001 From: Victor Date: Tue, 30 May 2023 17:14:45 +0200 Subject: [PATCH 13/17] fix J00LZ nixos link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9fd288d..373e02b 100644 --- a/README.md +++ b/README.md @@ -14,5 +14,5 @@ to deploy the infrastructure, this can be accessed running `nix develop`. ## Inspired by the following repos * * -* +* * From 294135e4f1e542df4d3f5b91b3e45daac35db26e Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 31 May 2023 06:00:25 +0000 Subject: [PATCH 14/17] chore(deps): update renovate/renovate docker tag to v35.105.2 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index 232b6cf..f49f8dd 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:35.105.1 + image: renovate/renovate:35.105.2 volumeMounts: - name: config-volume mountPath: /opt/renovate/ From 78dfe88c65c870abe385903381e3840e7902c684 Mon Sep 17 00:00:00 2001 
From: Victor Date: Wed, 31 May 2023 16:45:10 +0200 Subject: [PATCH 15/17] fix infinite recursion --- flake.nix | 45 +++--------- nixos/common/common.nix | 91 ------------------------ nixos/common/default.nix | 112 ++++++++++++++++++++++++++---- nixos/templates/iso-graphical.nix | 13 ---- nixos/templates/iso.nix | 12 ---- nixos/templates/proxmox-lxc.nix | 2 +- 6 files changed, 110 insertions(+), 165 deletions(-) delete mode 100644 nixos/common/common.nix delete mode 100644 nixos/templates/iso-graphical.nix delete mode 100644 nixos/templates/iso.nix diff --git a/flake.nix b/flake.nix index 18ce4d9..77712d2 100644 --- a/flake.nix +++ b/flake.nix @@ -44,16 +44,8 @@ vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git"; }; - outputs = - { self - , nixpkgs - , nixpkgs_22-11 - , vault-secrets - , colmena - , nixos-generators - , nur - , ... - }@inputs: + outputs = { self, nixpkgs, nixpkgs_22-11, vault-secrets, colmena + , nixos-generators, nur, nixvim, ... }@inputs: let inherit (nixpkgs) lib; @@ -87,8 +79,7 @@ source /etc/set-environment nix repl --file "${./.}/repl.nix" $@ ''; - in - { + in { # Make the nixosConfigurations for compat reasons (e.g. vault) nixosConfigurations = (import (inputs.colmena + "/src/nix/hive/eval.nix") { 
@@ -100,34 +91,20 @@ }).nodes; # Make the colmena configuration - colmena = lib.foldr (el: acc: acc // util.mkColmenaHost el) - { - meta = { - inherit specialArgs; - nixpkgs = pkgs; - }; - } - nixHosts; + colmena = lib.foldr (el: acc: acc // util.mkColmenaHost el) { + meta = { + inherit specialArgs; + nixpkgs = pkgs; + }; + } nixHosts; packages.${system} = { inherit apply-local; default = colmena.packages.${system}.colmena; - iso = nixos-generators.nixosGenerate { - inherit system pkgs; - format = "install-iso"; - modules = [ (import ./nixos/templates/iso.nix) ]; - }; - - iso-graphical = nixos-generators.nixosGenerate { - inherit system pkgs; - format = "install-iso"; - modules = [ (import ./nixos/templates/iso-graphical.nix) ]; - }; - proxmox-lxc = nixos-generators.nixosGenerate { - inherit pkgs; + inherit system pkgs specialArgs; format = "proxmox-lxc"; modules = util.base_imports ++ [ (import ./nixos/templates/proxmox-lxc.nix) ]; @@ -135,7 +112,7 @@ # Broken # proxmox-vm = nixos-generators.nixosGenerate { - # inherit system pkgs; + # inherit system pkgs specialArgs; # format = "proxmox"; # modules = util.base_imports # ++ [ (import ./nixos/templates/proxmox-vm.nix) ]; diff --git a/nixos/common/common.nix b/nixos/common/common.nix deleted file mode 100644 index fa2b2a8..0000000 --- a/nixos/common/common.nix +++ /dev/null 
@@ -1,91 +0,0 @@ -{ config, lib, pkgs, ... }: { - imports = [ ./users ./modules ]; - - # Clean /tmp on boot. - boot.tmp.cleanOnBoot = true; - - # Set your time zone. - time.timeZone = lib.mkDefault "Europe/Amsterdam"; - - # Systemd OOMd - # Fedora enables these options by default. See the 10-oomd-* files here: - # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255 - systemd.oomd = { - enableRootSlice = true; - enableUserServices = true; - }; - - # Nix Settings - nix = { - package = pkgs.nixUnstable; - settings = { - auto-optimise-store = true; - trusted-users = [ "root" "victor" ]; - substituters = [ - "https://cachix.cachix.org" - "https://nix-community.cachix.org" - "https://nixpkgs-review-bot.cachix.org" - "https://colmena.cachix.org" - "https://cache.garnix.io" - "https://0x76-infra.cachix.org" - "https://webcord.cachix.org" - ]; - trusted-public-keys = [ - "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" - "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - "0x76-infra.cachix.org-1:dC1qp+VEN3jj5pdK4URlXR9hf3atT+MnpKGu6PZjMc8=" - "webcord.cachix.org-1:l555jqOZGHd2C9+vS8ccdh8FhqnGe8L78QrHNn+EFEs=" - ]; - }; - optimise = { - automatic = true; - dates = [ "weekly" ]; - }; - gc = { - automatic = true; - dates = "weekly"; - randomizedDelaySec = "3h"; - options = "--delete-older-than 7d"; - }; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - nixpkgs.config.allowUnfree = true; - - nixpkgs.config.permittedInsecurePackages = - [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ]; - - # Limit the systemd journal to 100 MB of disk or the - # last 7 days of logs, whichever happens first. 
- services.journald.extraConfig = '' - SystemMaxUse=100M - MaxFileSec=7day - ''; - - # Enable SSH - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = lib.mkDefault false; - PermitRootLogin = lib.mkDefault "no"; - }; - }; - - - - # Debloat - documentation = { - enable = lib.mkForce false; - doc.enable = lib.mkForce false; - man.enable = lib.mkForce false; - info.enable = lib.mkForce false; - nixos.enable = lib.mkForce false; - }; - - system.disableInstallerTools = lib.mkDefault true; -} diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 0144463..f07a0f8 100644 --- a/nixos/common/default.nix +++ b/nixos/common/default.nix @@ -1,17 +1,6 @@ -{ inputs, lib, config, ... }: { - # This file deals with everything requiring `inputs`, the rest being delagated to `common.nix` - # this is because we can't import inputs from all contexts as that can lead to infinite recursion. - imports = [ ./common.nix inputs.vault-secrets.nixosModules.vault-secrets ]; - - nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; - nix.registry.nixpkgs.flake = inputs.nixpkgs; - - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = { inherit inputs; }; - sharedModules = [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ]; - }; +{ lib, pkgs, inputs, config, ... }: { + imports = + [ ./users ./modules inputs.vault-secrets.nixosModules.vault-secrets ]; vault-secrets = let inherit (config.networking) domain hostName; 
@@ -21,4 +10,99 @@ vaultAddress = "http://${server}.${domain}:8200/"; approlePrefix = "${domain}-${hostName}"; }; + + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs; }; + sharedModules = [ ./hm-modules inputs.nixvim.homeManagerModules.nixvim ]; + }; + + # Clean /tmp on boot. + boot.tmp.cleanOnBoot = true; + + # Set your time zone. + time.timeZone = lib.mkDefault "Europe/Amsterdam"; + + # Systemd OOMd + # Fedora enables these options by default. See the 10-oomd-* files here: + # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255 + systemd.oomd = { + enableRootSlice = true; + enableUserServices = true; + }; + + # Nix Settings + nix = { + registry.nixpkgs.flake = inputs.nixpkgs; + nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; + package = pkgs.nixUnstable; + settings = { + auto-optimise-store = true; + trusted-users = [ "root" "victor" ]; + substituters = [ + "https://cachix.cachix.org" + "https://nix-community.cachix.org" + "https://nixpkgs-review-bot.cachix.org" + "https://colmena.cachix.org" + "https://cache.garnix.io" + "https://0x76-infra.cachix.org" + "https://webcord.cachix.org" + ]; + trusted-public-keys = [ + "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE=" + "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + "0x76-infra.cachix.org-1:dC1qp+VEN3jj5pdK4URlXR9hf3atT+MnpKGu6PZjMc8=" + "webcord.cachix.org-1:l555jqOZGHd2C9+vS8ccdh8FhqnGe8L78QrHNn+EFEs=" + ]; + }; + optimise = { + automatic = true; + dates = [ "weekly" ]; + }; + gc = { + automatic = true; + dates = "weekly"; + randomizedDelaySec = "3h"; + options = "--delete-older-than 7d"; + }; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + 
nixpkgs.config.allowUnfree = true; + + nixpkgs.config.permittedInsecurePackages = + [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ]; + + # Limit the systemd journal to 100 MB of disk or the + # last 7 days of logs, whichever happens first. + services.journald.extraConfig = '' + SystemMaxUse=100M + MaxFileSec=7day + ''; + + # Enable SSH + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = lib.mkDefault false; + PermitRootLogin = lib.mkDefault "no"; + }; + }; + + # Debloat + documentation = { + enable = lib.mkForce false; + doc.enable = lib.mkForce false; + man.enable = lib.mkForce false; + info.enable = lib.mkForce false; + nixos.enable = lib.mkForce false; + }; + + system.disableInstallerTools = lib.mkDefault true; } diff --git a/nixos/templates/iso-graphical.nix b/nixos/templates/iso-graphical.nix deleted file mode 100644 index 4d92727..0000000 --- a/nixos/templates/iso-graphical.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ pkgs, modulesPath, lib, ... }: { - imports = [ - "${modulesPath}/installer/cd-dvd/installation-cd-graphical-calamares-gnome.nix" - ]; - - # use the latest Linux kernel - boot.kernelPackages = pkgs.linuxPackages_latest; - - environment.systemPackages = with pkgs; [ git ]; - - # Needed for https://github.com/NixOS/nixpkgs/issues/58959 - boot.supportedFilesystems = lib.mkForce [ "btrfs" "ext4" ]; -} diff --git a/nixos/templates/iso.nix b/nixos/templates/iso.nix deleted file mode 100644 index 48d7dc9..0000000 --- a/nixos/templates/iso.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, modulesPath, lib, ... }: { - imports = [ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix" ]; - - # use the latest Linux kernel - boot.kernelPackages = pkgs.linuxPackages_latest; - - environment.systemPackages = with pkgs; [ git ]; - - # Needed for https://github.com/NixOS/nixpkgs/issues/58959 - boot.supportedFilesystems = - lib.mkForce [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ]; -} 
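Review bot: `nixpkgs.config.permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1t" "nodejs-16.20.0" ];` now lives in nixos/common/default.nix, which every host and (via the proxmox-lxc.nix hunk below) every generated LXC template imports, so the allowlist for these end-of-life packages applies fleet-wide rather than only where the dependency exists. Each entry should carry a comment naming the consumer and the removal condition, e.g. `# openssl-1.1.1t: needed by <package, fill in>; drop once it builds against openssl 3`, or preferably move to the host that actually has the dependency. The same applies to `trusted-users = [ "root" "victor" ];`: a trusted user can hand the daemon arbitrary substituters and signing keys, so a comment stating that this is root-equivalent and intended on every host is warranted. The moved `# Enable SSH` block keeps `lib.mkDefault` on PasswordAuthentication and PermitRootLogin, which lets any host loosen them without a merge conflict; that is a reasonable choice but worth saying in the comment so a future override is recognised as a hardening regression.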
diff --git a/nixos/templates/proxmox-lxc.nix b/nixos/templates/proxmox-lxc.nix index 2d1502b..74079dd 100644 --- a/nixos/templates/proxmox-lxc.nix +++ b/nixos/templates/proxmox-lxc.nix @@ -1,5 +1,5 @@ { lib, ... }: { - imports = [ ../common/common.nix ../common/generic-lxc.nix ]; + imports = [ ../common ../common/generic-lxc.nix ]; proxmoxLXC = { manageNetwork = true; From 85dafd6786941bbefcb7c7314b307eb7b45c2839 Mon Sep 17 00:00:00 2001 From: Victor Date: Wed, 31 May 2023 17:24:17 +0200 Subject: [PATCH 16/17] fix deadnix --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 77712d2..4c581b0 100644 --- a/flake.nix +++ b/flake.nix @@ -45,7 +45,7 @@ }; outputs = { self, nixpkgs, nixpkgs_22-11, vault-secrets, colmena - , nixos-generators, nur, nixvim, ... }@inputs: + , nixos-generators, nur, ... }@inputs: let inherit (nixpkgs) lib; From 78f8e9b2f1f1eff00fd15853407c1dad63cecc96 Mon Sep 17 00:00:00 2001 From: Victor Date: Wed, 31 May 2023 17:26:17 +0200 Subject: [PATCH 17/17] disable docker registries --- nixos/hosts/hades/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/nixos/hosts/hades/default.nix b/nixos/hosts/hades/default.nix index 7670659..6945a4e 100644 --- a/nixos/hosts/hades/default.nix +++ b/nixos/hosts/hades/default.nix @@ -136,19 +136,19 @@ mac = "12:fa:24:02:65:e6"; nix = false; }; - "docker-registry-proxy" = { - ip = "192.168.0.128"; - mac = "0e:11:65:62:66:9f"; - }; + # "docker-registry-proxy" = { + # ip = "192.168.0.128"; + # mac = "0e:11:65:62:66:9f"; + # }; "hassio" = { ip = "192.168.0.129"; mac = "e6:80:32:fb:00:75"; nix = false; }; - "docker-registry" = { - ip = "192.168.0.130"; - mac = "5e:0e:a6:cf:64:70"; - }; + # "docker-registry" = { + # ip = "192.168.0.130"; + # mac = "5e:0e:a6:cf:64:70"; + # }; "minecraft" = { ip = "192.168.0.131"; mac = "00:0c:29:9b:e1:c4";
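Review bot: In the nixos/hosts/hades/default.nix hunk, commenting out the `docker-registry-proxy` and `docker-registry` entries keeps their addresses `192.168.0.128`/`192.168.0.130` and MACs in the file as dead text without recording why they were disabled or whether the guests still exist; git history already preserves the values, so deleting the entries, or adding a reason such as `# disabled 2023-05: <reason, fill in>`, would be clearer than bare comment markers. If these entries are host definitions consumed elsewhere (the enclosing attribute set starts outside the hunk), check that nothing still references the two names now that they vanish from the set, and that the freed addresses are not reused while the old guests can still come up.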