From 667f337363ac65d45cd099fae4775d004660996f Mon Sep 17 00:00:00 2001
From: Fern Garden
Date: Tue, 8 Jul 2025 22:26:33 +0800
Subject: [PATCH] Refactor.
---
 configuration/server/common.nix | 10 --
 configuration/server/docker.nix | 23 ---
 flake.nix | 164 +++++++++---------
 hosts/{ => laptop}/muskduck.nix | 21 +--
 .../lxc}/firefox-syncserver.nix | 3 +-
 .../containers => hosts/lxc}/technitium.nix | 1 +
 hosts/server/weebill.nix | 26 +++
 hosts/{vm-docker.nix => vm/docker.nix} | 0
 hosts/{vm-minecraft.nix => vm/minecraft.nix} | 0
 {configuration => suites}/common.nix | 24 ++-
 .../desktop.nix => suites/laptop.nix | 21 +--
 .../containers/common.nix => suites/lxc.nix | 10 +-
 suites/server.nix | 23 +++
 {configuration/server => suites}/vm.nix | 11 +-
 14 files changed, 173 insertions(+), 164 deletions(-)
 delete mode 100644 configuration/server/common.nix
 delete mode 100755 configuration/server/docker.nix
 rename hosts/{ => laptop}/muskduck.nix (58%)
 rename {configuration/server/containers => hosts/lxc}/firefox-syncserver.nix (90%)
 rename {configuration/server/containers => hosts/lxc}/technitium.nix (72%)
 create mode 100644 hosts/server/weebill.nix
 rename hosts/{vm-docker.nix => vm/docker.nix} (100%)
 rename hosts/{vm-minecraft.nix => vm/minecraft.nix} (100%)
 rename {configuration => suites}/common.nix (86%)
 rename configuration/desktop.nix => suites/laptop.nix (90%)
 rename configuration/server/containers/common.nix => suites/lxc.nix (54%)
 create mode 100644 suites/server.nix
 rename {configuration/server => suites}/vm.nix (80%)
diff --git a/configuration/server/common.nix b/configuration/server/common.nix
deleted file mode 100644
index c204671..0000000
--- a/configuration/server/common.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- # Passwordless sudo
- security.sudo.wheelNeedsPassword = false;
-
- # Enable all terminfo (for ghostty)
- environment.enableAllTerminfo = true;
-
- # Enable SSH server
- services.openssh.enable = true;
-}
diff --git a/configuration/server/docker.nix b/configuration/server/docker.nix
deleted file mode 100755
index 78f4321..0000000
--- a/configuration/server/docker.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- # Define a user account.
- users.users.docker = {
- isNormalUser = true;
- linger = true;
- extraGroups = [
- "wheel"
- "docker"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
- ];
- };
-
- # Auto login
- services.getty.autologinUser = "docker";
-
- # Enable docker
- virtualisation.docker.enable = true;
-}
diff --git a/flake.nix b/flake.nix
index a73feb3..1617fde 100755
--- a/flake.nix
+++ b/flake.nix
@@ -6,11 +6,12 @@
 lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot.
 nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config.
 sops-nix.url = "github:Mic92/sops-nix"; # Secrets management.
+ # Secrets repo.
 secrets = {
 url = "git+ssh://git@docker.local:222/fern/secrets?ref=main";
 flake = false;
- }; # Secrets repo.
-
+ };
+ # Updated packages.
 fluffychat2.url = "github:NixOS/nixpkgs?ref=pull/419632/head"; # FluffyChat 2.0.0
 feishin0_17.url = "github:NixOS/nixpkgs?ref=pull/414929/head"; # Feishin 0.17.0
@@ -27,97 +28,88 @@ feishin0_17, ... }: + let + mkHost = + with nixpkgs.lib; + { + hostname, + suite, + platform, + user ? "fern", + extraModules ? [ ], + }: + nixosSystem rec { + system = platform; + + specialArgs = { + inherit user; + secrets = builtins.toString inputs.secrets; + fluffychat2 = import fluffychat2 { inherit system; }; + feishin0_17 = import feishin0_17 { inherit system; }; + }; + + modules = [ + ./suites/common.nix + ./suites/${suite}.nix + ./hosts/${suite}/${hostname}.nix + { networking.hostName = hostname; } + ] ++ extraModules; + }; + in { - # ThinkPad T480 - nixosConfigurations.muskduck = nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - - specialArgs = { - fluffychat2 = import fluffychat2 { inherit system; }; - feishin0_17 = import feishin0_17 { inherit system; }; + nixosConfigurations = { + # Laptops. + muskduck = mkHost { + hostname = "muskduck"; + suite = "laptop"; + platform = "x86_64-linux"; + extraModules = [ + lanzaboote.nixosModules.lanzaboote + nixos-hardware.nixosModules.lenovo-thinkpad-t480 + ]; }; - modules = [ - { networking.hostName = "muskduck"; } - - lanzaboote.nixosModules.lanzaboote - nixos-hardware.nixosModules.lenovo-thinkpad-t480 - - ./configuration/common.nix - ./configuration/desktop.nix - - ./hosts/muskduck.nix # Include the results of the hardware scan. - ]; - }; - - ### Proxmox Guests ### - - nixosConfigurations.vm-minecraft = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - - modules = [ - { networking.hostName = "minecraft"; } - - ./configuration/common.nix - - ./configuration/server/common.nix - ./configuration/server/vm.nix - ./configuration/server/docker.nix - - ./hosts/vm-minecraft.nix # Include the results of the hardware scan. 
- ]; - }; - - nixosConfigurations.vm-docker = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - - modules = [ - { networking.hostName = "docker"; } - - ./configuration/common.nix - - ./configuration/server/common.nix - ./configuration/server/vm.nix - ./configuration/server/docker.nix - - ./hosts/vm-docker.nix # Include the results of the hardware scan. - ]; - }; - - nixosConfigurations.lxc-technitium = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - - modules = [ - { networking.hostName = "technitium"; } - - ./configuration/common.nix - - ./configuration/server/common.nix - ./configuration/server/containers/common.nix - - ./configuration/server/containers/technitium.nix - ]; - }; - - nixosConfigurations.lxc-firefox-syncserver = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - - specialArgs = { - secrets = builtins.toString inputs.secrets; + # Servers. + weebill = mkHost { + hostname = "weebill"; + suite = "server"; + platform = "aarch64-linux"; + user = "docker"; + extraModules = [ + nixos-hardware.nixosModules.raspberry-pi-4 + ]; }; - modules = [ - sops-nix.nixosModules.sops - - { networking.hostName = "firefox-syncserver"; } - - ./configuration/common.nix + # Virtual machines. + vm-docker = mkHost { + hostname = "docker"; + suite = "vm"; + user = "docker"; + platform = "x86_64-linux"; + }; - ./configuration/server/common.nix - ./configuration/server/containers/common.nix + vm-minecraft = mkHost { + hostname = "minecraft"; + suite = "vm"; + user = "docker"; + platform = "x86_64-linux"; + }; - ./configuration/server/containers/firefox-syncserver.nix - ]; + # LXC containers. + lxc-technitium = mkHost { + hostname = "technitium"; + suite = "lxc"; + platform = "x86_64-linux"; + }; + + lxc-firefox-syncserver = mkHost { + hostname = "firefox-syncserver"; + suite = "lxc"; + platform = "x86_64-linux"; + extraModules = [ + sops-nix.nixosModules.sops + ]; + }; }; }; } 
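Review bot: The attribute names `vm-docker` and `vm-minecraft` no longer match the `networking.hostName` they set (`docker`, `minecraft`), and `nixos-rebuild --flake .` with no attribute looks up `nixosConfigurations.<hostName>`, so on those two guests a rebuild must name the attribute explicitly or it finds no configuration. The other hosts are unaffected because `hostname` and the attribute agree. A short comment above the `# Virtual machines.` group would spare the next reader the surprise, e.g. `# Attribute names differ from hostName here: build with .#vm-docker / .#vm-minecraft.` The enclosing `outputs` function starts outside the hunk.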
diff --git a/hosts/muskduck.nix b/hosts/laptop/muskduck.nix similarity index 58% rename from hosts/muskduck.nix rename to hosts/laptop/muskduck.nix index 5ca5cf0..035504c 100644 --- a/hosts/muskduck.nix +++ b/hosts/laptop/muskduck.nix @@ -1,24 +1,12 @@ { - config, - lib, - modulesPath, - ... -}: - -{ - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; fileSystems."/" = { device = "/dev/disk/by-uuid/63d79656-aa5b-466a-b369-be5eac3f51ab"; @@ -37,10 +25,5 @@ ]; }; - swapDevices = [ ]; - - networking.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = true; } diff --git a/configuration/server/containers/firefox-syncserver.nix b/hosts/lxc/firefox-syncserver.nix similarity index 90% rename from configuration/server/containers/firefox-syncserver.nix rename to hosts/lxc/firefox-syncserver.nix index e4b4836..5d178f6 100644 --- a/configuration/server/containers/firefox-syncserver.nix +++ b/hosts/lxc/firefox-syncserver.nix @@ -7,7 +7,7 @@ secrets."firefox_syncserver/sync_master_secret" = {}; }; - # syncserver-rs service. + # Enable Firefox sync service. services.mysql.package = pkgs.mariadb; services.firefox-syncserver = { @@ -22,5 +22,6 @@ }; }; + # Open Firefox sync service port. networking.firewall.allowedTCPPorts = [ 5000 ]; } diff --git a/configuration/server/containers/technitium.nix b/hosts/lxc/technitium.nix similarity index 72% rename from configuration/server/containers/technitium.nix rename to hosts/lxc/technitium.nix index e75ca4d..818bf8e 100644 --- a/configuration/server/containers/technitium.nix +++ b/hosts/lxc/technitium.nix 
@@ -1,4 +1,5 @@
 {
+ # Enable Technitium DNS server.
 services.technitium-dns-server = {
 enable = true;
 openFirewall = true;
diff --git a/hosts/server/weebill.nix b/hosts/server/weebill.nix
new file mode 100644
index 0000000..01a8731
--- /dev/null
+++ b/hosts/server/weebill.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ boot = {
+ kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+ initrd.availableKernelModules = [
+ "xhci_pci"
+ "usbhid"
+ "usb_storage"
+ ];
+ loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ };
+
+ # Open ports for DHCP server.
+ networking.firewall.allowedUDPPorts = [ 53 67 ];
+}
diff --git a/hosts/vm-docker.nix b/hosts/vm/docker.nix
similarity index 100%
rename from hosts/vm-docker.nix
rename to hosts/vm/docker.nix
diff --git a/hosts/vm-minecraft.nix b/hosts/vm/minecraft.nix
similarity index 100%
rename from hosts/vm-minecraft.nix
rename to hosts/vm/minecraft.nix
diff --git a/configuration/common.nix b/suites/common.nix
similarity index 86%
rename from configuration/common.nix
rename to suites/common.nix
index f459b31..9b44417 100644
--- a/configuration/common.nix
+++ b/suites/common.nix
@@ -1,4 +1,10 @@
-{ pkgs, ... }:
+{
+ pkgs,
+ lib,
+ user,
+ ...
+}:
+with lib;
 {
 # NixOS version.
 system.stateVersion = "25.05";
@@ -12,6 +18,9 @@
 # Allow unfree packages.
 nixpkgs.config.allowUnfree = true;
+ # Enable redistributable firmware.
+ hardware.enableRedistributableFirmware = true;
+
 # Set time zone.
 time.timeZone = "Australia/Perth";
@@ -36,6 +45,19 @@
 variant = "";
 };
+ # Enable networking.
+ networking.networkmanager.enable = true;
+
+ # Define a user account.
+ users.users.${user} = {
+ isNormalUser = true;
+ description = mkIf (user == "fern") "Fern Garden";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ };
+
 # Use fish shell
 programs.fish = {
 enable = true;
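Review bot: The firewall line in hosts/server/weebill.nix is commented `# Open ports for DHCP server.` but opens UDP 53 alongside 67, and 53 is the DNS port; nothing else in this file configures either service, so whatever listens there is presumably a container on this `docker`-user host. If a DNS server is intended, it normally needs TCP 53 as well (`networking.firewall.allowedTCPPorts = [ 53 ];`), and the comment should name both DNS and DHCP. Note also that ports published by Docker are handled in Docker's own netfilter chains rather than the NixOS INPUT rules, so if that is how the services run, this list may not be the effective control — worth confirming.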
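Review bot: `networking.networkmanager.enable = true;` moves from the laptop configuration into suites/common.nix and so now applies to every host, including the Proxmox LXC containers and the QEMU VMs, while suites/vm.nix still sets `networking.useDHCP = mkDefault true;` for the same interfaces. Running NetworkManager inside an LXC guest whose interfaces are provisioned by the host is at best redundant; please confirm it is wanted there rather than a side effect of the move, or keep the line in suites/laptop.nix. The same hunk also puts every `${user}` into `wheel` unconditionally, which matters because suites/server.nix makes wheel sudo passwordless.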
diff --git a/configuration/desktop.nix b/suites/laptop.nix similarity index 90% rename from configuration/desktop.nix rename to suites/laptop.nix index 5b0e8a2..4022b58 100755 --- a/configuration/desktop.nix +++ b/suites/laptop.nix @@ -5,14 +5,14 @@ fluffychat2, ... }: - +with lib; { # Configure the bootloader. boot = { # Enable secure boot. bootspec.enable = true; initrd.systemd.enable = true; - loader.systemd-boot.enable = lib.mkForce false; + loader.systemd-boot.enable = mkForce false; loader.efi.canTouchEfiVariables = true; lanzaboote = { @@ -43,19 +43,6 @@ # Enable smart card support (for YubiKey). services.pcscd.enable = true; - # Enable networking. - networking.networkmanager.enable = true; - - # Define a user account. - users.users.fern = { - isNormalUser = true; - description = "Fern Garden"; - extraGroups = [ - "networkmanager" - "wheel" - ]; - }; - # Encrypt user's home with fscrypt security.pam.enableFscrypt = true; @@ -178,7 +165,7 @@ }; # Enable CPU frequency scaling management. - services.power-profiles-daemon.enable = lib.mkForce false; # enabled by gnome + services.power-profiles-daemon.enable = mkForce false; # enabled by gnome services.tlp.enable = lib.mkForce false; # enabled by nixos-hardware services.auto-cpufreq.enable = true; -} +} \ No newline at end of file diff --git a/configuration/server/containers/common.nix b/suites/lxc.nix similarity index 54% rename from configuration/server/containers/common.nix rename to suites/lxc.nix index e84039f..ca491fe 100644 --- a/configuration/server/containers/common.nix +++ b/suites/lxc.nix @@ -1,8 +1,10 @@ -{ modulesPath, ... }: { - # Import Proxmox LXC configuration. + modulesPath, + ... +}: +{ imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") + ./server.nix ]; -} - +} \ No newline at end of file diff --git a/suites/server.nix b/suites/server.nix new file mode 100644 index 0000000..d42a5ed --- /dev/null +++ b/suites/server.nix 
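Review bot: `services.tlp.enable = lib.mkForce false;` in the last hunk of suites/laptop.nix still uses the `lib.` prefix although the file now opens with `with lib;` and the neighbouring `power-profiles-daemon` line was converted to bare `mkForce`; for consistency change it to `services.tlp.enable = mkForce false; # enabled by nixos-hardware`. That hunk, and the lxc.nix and server.nix hunks, now end with `\ No newline at end of file`; restoring the trailing newline keeps later diffs clean. Top-level `with lib;` in a module is a style choice that hides where names come from — `inherit (lib) mkForce;` is equally short and explicit.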
@@ -0,0 +1,23 @@
+{ user, lib, ... }:
+with lib;
+{
+ # Passwordless sudo
+ security.sudo.wheelNeedsPassword = false;
+
+ # Enable all terminfo (for ghostty)
+ environment.enableAllTerminfo = true;
+
+ # Enable SSH server
+ services.openssh.enable = true;
+
+ users.users.${user}.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
+ ];
+
+ # Enable docker.
+ virtualisation.docker.enable = mkIf (user == "docker") true;
+ users.users.${user}.extraGroups = mkIf (user == "docker") [ "docker" ];
+}
\ No newline at end of file
diff --git a/configuration/server/vm.nix b/suites/vm.nix
similarity index 80%
rename from configuration/server/vm.nix
rename to suites/vm.nix
index 9761851..32a0966 100644
--- a/configuration/server/vm.nix
+++ b/suites/vm.nix
@@ -1,8 +1,13 @@
-{ lib, modulesPath, ... }:
 {
- # Import qemu guest configuration.
+ modulesPath,
+ lib,
+ ...
+}:
+with lib;
+{
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
+ ./server.nix
 ];
 # Load kernel modules.
@@ -17,7 +22,7 @@
 boot.kernelModules = [ "kvm-intel" ];
 # Enable DHCP.
- networking.useDHCP = lib.mkDefault true;
+ networking.useDHCP = mkDefault true;
 # Configure the bootloader.
 boot.loader.grub = {
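Review bot: `users.users.${user}.openssh.authorizedKeys.keys` together with `security.sudo.wheelNeedsPassword = false;` now applies to whatever `user` each host passes, and suites/lxc.nix imports this file too, so the LXC containers (whose `user` defaults to `fern`, placed in `wheel` by suites/common.nix) gain passwordless-root SSH access for these four keys where previously only the VMs' `docker` account carried them. If that widening is intended, say so above the list, e.g. `# These keys give passwordless root (wheel + wheelNeedsPassword) on every host importing this suite.`; if not, guard the keys with the same `mkIf (user == "docker")` already used for the docker group below. Since access is key-based, `services.openssh.settings.PasswordAuthentication = false;` next to `services.openssh.enable = true;` would close the password login path that is otherwise left at its default unless set elsewhere.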