Clean up config & add comments.

This commit is contained in:
Fern Garden 2025-07-16 18:46:12 +08:00
parent b504700e61
commit c2fc35e12d
18 changed files with 162 additions and 114 deletions


@ -25,38 +25,44 @@
sops-nix,
...
} @ inputs: let
flock.lib = import ./lib inputs;
inherit (flock.lib) mergeHosts mkHost;
# Import helpers & make functions available.
helpers = import ./helpers.nix inputs;
inherit (helpers) mergeHosts mkHost;
in
mergeHosts [
# ThinkPad T480.
(mkHost "muskduck" {
suite = "desktop";
extraModules = [
hostModules = [
lanzaboote.nixosModules.lanzaboote
nixos-hardware.nixosModules.lenovo-thinkpad-t480
];
})
# Raspberry Pi 4B.
(mkHost "weebill" {
suite = "server";
platform = "aarch64-linux";
extraModules = [
hostModules = [
nixos-hardware.nixosModules.raspberry-pi-4
];
})
# VM running a Minecraft server.
(mkHost "minecraft" {
suite = "vm";
user = "docker";
suite = "server/vm";
docker = true;
})
# Container running Technitium DNS Server.
(mkHost "technitium" {
suite = "lxc";
suite = "server/lxc";
})
# Container running Mozilla's syncstorage-rs
(mkHost "firefox-syncserver" {
suite = "lxc";
extraModules = [
suite = "server/lxc";
hostModules = [
sops-nix.nixosModules.sops
];
})

95
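--- /dev/null
+++ b/helpers.nix
@@ -0,0 +1,95 @@
+inputs:
+with inputs;
+with inputs.nixpkgs.lib; {
+# Merge NixOS hosts.
+mergeHosts = lists.foldl' (
+a: b: attrsets.recursiveUpdate a b
+) {};
+# Create a NixOS host.
+mkHost = hostname: {
+platform ? "x86_64-linux",
+suite ? "",
+docker ? false,
+hostModules ? [],
+}: let
+# System architecture.
+system = platform;
+# Secrets directory.
+secrets = builtins.toString inputs.secrets;
+# Extra modules to import.
+extraModules =
+hostModules # Host-specific modules.
+++ optionals (docker == true) [./suites/server/docker] # Enable docker if required.
+++ (filesystem.listFilesRecursive ./modules); # Custom modules.
+# nixpkgs config.
+pkgs = import nixpkgs {
+inherit system;
+config = {
+# Allow installation of proprietary software.
+allowUnfree = true;
+# Allow the installation of packages marked as insecure in nixpkgs.
+permittedInsecurePackages = [
+"dotnet-sdk-6.0.428" # For WebOne.
+"dotnet-runtime-6.0.36" # For WebOne.
+];
+};
+# Import my overlay.
+overlays = [
+(import ./overlay.nix {inherit inputs system;})
+];
+};
+# deploy-rs overlay.
+deployPkgs = import nixpkgs {
+inherit system;
+overlays = [
+deploy-rs.overlays.default
+(self: super: {
+deploy-rs = {
+inherit (pkgs) deploy-rs;
+lib = super.deploy-rs.lib;
+};
+})
+];
+};
+in
+{
+nixosConfigurations.${hostname} = nixosSystem {
+inherit system pkgs;
+specialArgs = {
+# Make some variables accesible to modules.
+inherit
+hostname
+platform
+suite
+secrets
+;
+};
+modules =
+[
+nixvim.nixosModules.nixvim # Neovim.
+./suites/${suite} # Collection of configuration options for different types of systems.
+./hosts/${hostname} # Host-specific config.
+]
+++ extraModules;
+};
+}
+// optionalAttrs (strings.hasPrefix "server" suite) {
+deploy.nodes.${hostname} = {
+hostname = "${hostname}.local";
+profiles.system = {
+user = "root";
+sshuser = "fern";
+path = deploypkgs.deploy-rs.lib.activate.nixos self.nixosconfigurations.${hostname};
+};
+};
+};
+}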
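Review bot: The deploy profile at the end of mkHost references `deploypkgs` and `self.nixosconfigurations`, but the binding defined earlier in the same let is `deployPkgs` and the attribute the function produces is `nixosConfigurations`, so evaluating `deploy.nodes` for any host whose suite starts with "server" will fail on an undefined variable; `sshuser` likewise has to be `sshUser` for deploy-rs to read it (the removed version of this function later in the commit still has the correct spellings). The two lines should read `sshUser = "fern";` and `path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.${hostname};`. Separately, `permittedInsecurePackages` lives in the nixpkgs config shared by every host, so the EOL dotnet 6 SDK and runtime are installable on all machines rather than only the one running WebOne; scoping that allowlist to the host that enables `services.webone` would limit the exposure to where it is needed.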


@ -1,14 +1,17 @@
{
# Root filesystem.
fileSystems."/" = {
device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
fsType = "ext4";
};
fileSystems."/home/docker/volumes" = {
# Docker data directory
fileSystems."/home/fern/docker/data" = {
device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
fsType = "ext4";
};
# Swap.
swapDevices = [
{device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319";}
];
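Review bot: The mount point moves from `/home/docker/volumes` to `/home/fern/docker/data`, but nothing in this commit points Docker at the new location (the new docker.nix only enables the daemon and the group), so presumably these are bind-mounted volume directories rather than the daemon's data-root; the new comment should say which, e.g. `# Docker data directory (bind-mounted into containers; the daemon's data-root stays at its default).` if that is the case. The same mount-point change appears in the second hardware section below. The enclosing attribute set starts and ends outside the hunk.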


@ -4,7 +4,7 @@
secrets,
...
}: {
# Secrets.
# Import secrets.
sops = {
age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
defaultSopsFile = "${secrets}/sops.yaml";


@ -1,14 +1,17 @@
{
# Root filesystem.
fileSystems."/" = {
device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
fsType = "ext4";
};
fileSystems."/home/docker/volumes" = {
# Docker data directory.
fileSystems."/home/fern/docker/data" = {
device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
fsType = "ext4";
};
# Swap.
swapDevices = [
{device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f";}
];


@ -1,4 +1,5 @@
{
# Kernel modules
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
@ -8,6 +9,7 @@
boot.kernelModules = ["kvm-intel"];
# Root filesystem.
fileSystems."/" = {
device = "/dev/disk/by-uuid/63d79656-aa5b-466a-b369-be5eac3f51ab";
fsType = "ext4";
@ -15,6 +17,7 @@
boot.initrd.luks.devices."luks-93fa00bc-777f-4359-bad5-880c29faca0d".device = "/dev/disk/by-uuid/93fa00bc-777f-4359-bad5-880c29faca0d";
# EFI/boot partition.
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/EBD7-3E1C";
fsType = "vfat";
@ -24,7 +27,9 @@
];
};
# Allow CPU microcode.
hardware.cpu.intel.updateMicrocode = true;
# Allows remote deployment on ARM systems (ie. Raspberry Pi).
boot.binfmt.emulatedSystems = ["aarch64-linux"];
}


@ -1,4 +1,5 @@
{pkgs, ...}: {
# Boot loader.
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
initrd.availableKernelModules = [
@ -13,12 +14,14 @@
};
fileSystems = {
# Root filesystem.
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = ["noatime"];
};
# AFP share.
"/srv/iMac" = {
device = "/dev/disk/by-uuid/48843b25-4d8c-4638-a5f8-fb3901e1165e";
fsType = "ext4";


@ -1,81 +0,0 @@
inputs:
with inputs;
with inputs.nixpkgs.lib; {
mergeHosts = lists.foldl' (
a: b: attrsets.recursiveUpdate a b
) {};
mkHost = hostname: {
platform ? "x86_64-linux",
suite,
user ? "fern",
extraModules ? [],
}: let
system = platform;
secrets = builtins.toString inputs.secrets;
pkgs = import nixpkgs {
inherit system;
config = {
allowUnfree = true;
permittedInsecurePackages = [
"dotnet-sdk-6.0.428"
"dotnet-runtime-6.0.36"
];
};
overlays = [
(import ../overlays {inherit inputs system;})
];
};
deployPkgs = import nixpkgs {
inherit system;
overlays = [
deploy-rs.overlays.default
(self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
};
})
];
};
in
{
nixosConfigurations.${hostname} = nixosSystem {
inherit system pkgs;
specialArgs = {
inherit
hostname
platform
suite
user
secrets
; # Inherit variables.
};
modules =
[
nixvim.nixosModules.nixvim
../suites/common.nix
../suites/${suite}.nix
../hosts/${hostname}.nix
]
++ (filesystem.listFilesRecursive ../modules)
++ extraModules;
};
}
// optionalAttrs ((suite == "server")
|| (suite == "vm")
|| (suite == "lxc")) {
deploy.nodes.${hostname} = {
hostname = "${hostname}.local";
profiles.system = {
user = "root";
sshUser = user;
path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.${hostname};
};
};
};
}


@ -10,6 +10,7 @@ in {
options.services.webone.enable = mkEnableOption "Enable WebOne HTTP proxy.";
config = mkIf cfg.enable {
# Create user & group for service.
users.groups.webone = {};
users.users.webone = {
@ -19,6 +20,7 @@ in {
group = "webone";
};
# Create config directory and log file, and set ownership to webone user.
systemd.tmpfiles.settings = {
"10-webone" = {
"/var/log/webone.log" = {
@ -38,6 +40,7 @@ in {
};
};
# Create a systemd service.
systemd.services.webone = {
description = "WebOne HTTP Proxy Server";
documentation = ["https://github.com/atauenis/webone/wiki/"];


@ -6,10 +6,10 @@
with inputs;
final: prev: {
# WebOne HTTP proxy.
webone = prev.pkgs.callPackage ../packages/webone {};
webone = prev.pkgs.callPackage ./packages/webone {};
# Yazi Gruvbox theme.
yazi-flavour-gruvbox-dark = prev.pkgs.callPackage ../packages/yazi-flavour-gruvbox {};
yazi-flavour-gruvbox-dark = prev.pkgs.callPackage ./packages/yazi-flavour-gruvbox {};
# Latest FluffyChat.
fluffychat =


@ -18,6 +18,7 @@ buildDotnetModule rec {
projectFile = "WebOne.csproj";
nugetDeps = ./deps.nix;
# Uses outdated dotnet 6.
dotnet-sdk = dotnetCorePackages.sdk_6_0;
dotnet-runtime = dotnetCorePackages.runtime_6_0;


@ -52,10 +52,10 @@ with lib; {
networking.hostName = hostname;
# Define a user account.
users.users.${user} = {
users.users.fern = {
isNormalUser = true;
uid = 1000;
description = mkIf (user == "fern") "Fern Garden";
description = "Fern Garden";
extraGroups = [
"wheel"
"networkmanager"
@ -95,6 +95,9 @@ with lib; {
# https://discourse.nixos.org/t/slow-build-at-building-man-cache/52365/2
documentation.man.generateCaches = false;
# Enable all terminfo (for ghostty).
environment.enableAllTerminfo = true;
# Install some packages.
programs = {
git.enable = true;
@ -102,9 +105,11 @@ with lib; {
nixvim = {
enable = true;
# Set $EDITOR
defaultEditor = true;
# For telescope.
# For telescope grep.
dependencies.ripgrep.enable = true;
# Space as leader.
@ -127,7 +132,10 @@ with lib; {
colorschemes.gruvbox = {
enable = true;
settings.contrast = "hard";
settings = {
contrast = "hard";
overrides.SignColumn.bg = "none";
};
};
opts = rec {
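Review bot: `users.users.fern` now hard-codes the account name that this commit previously received as the `user` special arg, and the same literal is repeated in helpers.nix (the deploy `sshUser`), the server suite's `users.users.fern` and the new docker.nix. Keeping a single source, e.g. `user = "fern";` exported through `specialArgs` in mkHost and `users.users.${user} = {` here and in the server suite, prevents the deploy SSH user and the account definition from drifting apart. The enclosing attribute set starts and ends outside the hunk.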


@ -4,6 +4,8 @@
...
}:
with lib; {
imports = [../.]; # Common config.
# Configure the bootloader.
boot = {
# Enable secure boot.


@ -1,15 +1,9 @@
{
user,
lib,
...
}:
with lib; {
imports = [../.]; # Common config.
# Passwordless sudo.
security.sudo.wheelNeedsPassword = false;
# Enable all terminfo (for ghostty).
environment.enableAllTerminfo = true;
# Enable sshd.
services.openssh = {
enable = true;
@ -20,14 +14,11 @@ with lib; {
};
};
users.users.${user} = {
# Add authorized ssh pubkeys.
users.users.fern = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
];
extraGroups = mkIf (user == "docker") ["docker"]; # if docker is enabled.
};
# Enable docker.
virtualisation.docker.enable = mkIf (user == "docker") true;
}


@ -0,0 +1,9 @@
{
# Add user to docker group.
users.users.fern = {
extraGroups = ["docker"];
};
# Enable docker.
virtualisation.docker.enable = true;
}
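Review bot: `extraGroups = ["docker"];` grants the account control of the Docker daemon socket, which is equivalent to root on the host, and the comment "Add user to docker group." does not convey that; a note such as `# docker group membership is root-equivalent; fern is already in wheel with passwordless sudo (suites/server), so this adds no new privilege.` would document the trade-off, both facts being visible in the common and server suite hunks of this commit. It may also be worth stating in the comment that this list is merged with the `extraGroups` defined in the common suite rather than replacing it.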


@ -1,6 +1,6 @@
{modulesPath, ...}: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./server.nix
../. # Server config.
];
}


@ -6,7 +6,7 @@
with lib; {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./server.nix
../. # Server config.
];
# Load kernel modules.