diff --git a/flake.nix b/flake.nix
index bb45831..a1e7a06 100755
--- a/flake.nix
+++ b/flake.nix
@@ -25,38 +25,44 @@
 sops-nix,
 ...
 } @ inputs: let
- flock.lib = import ./lib inputs;
- inherit (flock.lib) mergeHosts mkHost;
+ # Import helpers & make functions available.
+ helpers = import ./helpers.nix inputs;
+ inherit (helpers) mergeHosts mkHost;
 in
 mergeHosts [
+ # ThinkPad T480.
 (mkHost "muskduck" {
 suite = "desktop";
- extraModules = [
+ hostModules = [
 lanzaboote.nixosModules.lanzaboote
 nixos-hardware.nixosModules.lenovo-thinkpad-t480
 ];
 })
+ # Raspberry Pi 4B.
 (mkHost "weebill" {
 suite = "server";
 platform = "aarch64-linux";
- extraModules = [
+ hostModules = [
 nixos-hardware.nixosModules.raspberry-pi-4
 ];
 })
+ # VM running a Minecraft server.
 (mkHost "minecraft" {
- suite = "vm";
- user = "docker";
+ suite = "server/vm";
+ docker = true;
 })
+ # Container running Technitium DNS Server.
 (mkHost "technitium" {
- suite = "lxc";
+ suite = "server/lxc";
 })
+ # Container running Mozilla's syncstorage-rs
 (mkHost "firefox-syncserver" {
- suite = "lxc";
- extraModules = [
+ suite = "server/lxc";
+ hostModules = [
 sops-nix.nixosModules.sops
 ];
 })
diff --git a/helpers.nix b/helpers.nix
new file mode 100644
index 0000000..e54b25a
--- /dev/null
+++ b/helpers.nix
@@ -0,0 +1,95 @@
+inputs:
+with inputs;
+with inputs.nixpkgs.lib; {
+ # Merge NixOS hosts.
+ mergeHosts = lists.foldl' (
+ a: b: attrsets.recursiveUpdate a b
+ ) {};
+
+ # Create a NixOS host.
+ mkHost = hostname: {
+ platform ? "x86_64-linux",
+ suite ? "",
+ docker ? false,
+ hostModules ? [],
+ }: let
+ # System architecture.
+ system = platform;
+
+ # Secrets directory.
+ secrets = builtins.toString inputs.secrets;
+
+ # Extra modules to import.
+ extraModules =
+ hostModules # Host-specific modules.
+ ++ optionals (docker == true) [./suites/server/docker] # Enable docker if required.
+ ++ (filesystem.listFilesRecursive ./modules); # Custom modules.
+
+ # nixpkgs config.
+ pkgs = import nixpkgs {
+ inherit system;
+
+ config = {
+ # Allow installation of proprietary software.
+ allowUnfree = true;
+ # Allow the installation of packages marked as insecure in nixpkgs.
+ permittedInsecurePackages = [
+ "dotnet-sdk-6.0.428" # For WebOne.
+ "dotnet-runtime-6.0.36" # For WebOne.
+ ];
+ };
+
+ # Import my overlay.
+ overlays = [
+ (import ./overlay.nix {inherit inputs system;})
+ ];
+ };
+
+ # deploy-rs overlay.
+ deployPkgs = import nixpkgs {
+ inherit system;
+ overlays = [
+ deploy-rs.overlays.default
+ (self: super: {
+ deploy-rs = {
+ inherit (pkgs) deploy-rs;
+ lib = super.deploy-rs.lib;
+ };
+ })
+ ];
+ };
+ in
+ {
+ nixosConfigurations.${hostname} = nixosSystem {
+ inherit system pkgs;
+
+ specialArgs = {
+ # Make some variables accesible to modules.
+ inherit
+ hostname
+ platform
+ suite
+ secrets
+ ;
+ };
+
+ modules =
+ [
+ nixvim.nixosModules.nixvim # Neovim.
+ ./suites/${suite} # Collection of configuration options for different types of systems.
+ ./hosts/${hostname} # Host-specific config.
+ ]
+ ++ extraModules;
+ };
+ }
+ // optionalAttrs (strings.hasPrefix "server" suite) {
+ deploy.nodes.${hostname} = {
+ hostname = "${hostname}.local";
+ profiles.system = {
+ user = "root";
+ sshuser = "fern";
+ path = deploypkgs.deploy-rs.lib.activate.nixos self.nixosconfigurations.${hostname};
+ };
+ };
+ };
+}
diff --git a/hosts/docker.nix b/hosts/docker/default.nix
similarity index 76%
rename from hosts/docker.nix
rename to hosts/docker/default.nix
index 09e8f47..a64744e 100644
--- a/hosts/docker.nix
+++ b/hosts/docker/default.nix
@@ -1,14 +1,17 @@
 {
+ # Root filesystem.
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
 fsType = "ext4";
 };
- fileSystems."/home/docker/volumes" = {
+ # Docker data directory
+ fileSystems."/home/fern/docker/data" = {
 device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
 fsType = "ext4";
 };
+ # Swap.
 swapDevices = [
 {device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319";}
 ];
diff --git a/hosts/firefox-syncserver.nix b/hosts/firefox-syncserver/default.nix
similarity index 97%
rename from hosts/firefox-syncserver.nix
rename to hosts/firefox-syncserver/default.nix
index 157c694..ea53b6f 100644
--- a/hosts/firefox-syncserver.nix
+++ b/hosts/firefox-syncserver/default.nix
@@ -4,7 +4,7 @@
 secrets,
 ...
 }: {
- # Secrets.
+ # Import secrets.
 sops = {
 age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 defaultSopsFile = "${secrets}/sops.yaml";
diff --git a/hosts/minecraft.nix b/hosts/minecraft/default.nix
similarity index 75%
rename from hosts/minecraft.nix
rename to hosts/minecraft/default.nix
index e7abad8..d1f1fa3 100644
--- a/hosts/minecraft.nix
+++ b/hosts/minecraft/default.nix
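Review bot: The deploy-rs node block at the end of the hunk references `deploypkgs`, `self.nixosconfigurations` and `sshuser`, but the bindings defined earlier in this file are `deployPkgs` and `nixosConfigurations` (Nix identifiers are case-sensitive) and the deleted lib/default.nix spelled the option `sshUser`; any host whose suite starts with `server` will fail to evaluate on the undefined `deploypkgs`, and even once that is fixed `sshuser` would not be read as the deploy-rs `sshUser` option. The two lines should read `sshUser = "fern";` and `path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.${hostname};`. As a point of style, `optionals (docker == true)` can simply be `optionals docker`, and the comment `# Make some variables accesible to modules.` has a typo (accessible).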
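Review bot: hosts/docker/default.nix is not referenced by any `mkHost` call in the flake.nix hunk earlier in this diff (muskduck, weebill, minecraft, technitium and firefox-syncserver are the only hosts visible there), so, at least as far as this diff shows, the mount-point rename to `/home/fern/docker/data` is never evaluated and the file is dead configuration. If a `docker` host is meant to exist it needs an entry such as `(mkHost "docker" { suite = "server/vm"; docker = true; })`; otherwise the file can be dropped. The comment `# Docker data directory` also lacks the trailing period the sibling comments and the minecraft copy use.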
@@ -1,14 +1,17 @@
 {
+ # Root filesystem.
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
 fsType = "ext4";
 };
- fileSystems."/home/docker/volumes" = {
+ # Docker data directory.
+ fileSystems."/home/fern/docker/data" = {
 device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
 fsType = "ext4";
 };
+ # Swap.
 swapDevices = [
 {device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f";}
 ];
diff --git a/hosts/muskduck.nix b/hosts/muskduck/default.nix
similarity index 81%
rename from hosts/muskduck.nix
rename to hosts/muskduck/default.nix
index b34de12..6c29ed5 100644
--- a/hosts/muskduck.nix
+++ b/hosts/muskduck/default.nix
@@ -1,4 +1,5 @@
 {
+ # Kernel modules
 boot.initrd.availableKernelModules = [
 "xhci_pci"
 "nvme"
@@ -8,6 +9,7 @@
 boot.kernelModules = ["kvm-intel"];
+ # Root filesystem.
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/63d79656-aa5b-466a-b369-be5eac3f51ab";
 fsType = "ext4";
@@ -15,6 +17,7 @@
 boot.initrd.luks.devices."luks-93fa00bc-777f-4359-bad5-880c29faca0d".device = "/dev/disk/by-uuid/93fa00bc-777f-4359-bad5-880c29faca0d";
+ # EFI/boot partition.
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/EBD7-3E1C";
 fsType = "vfat";
@@ -24,7 +27,9 @@
 ];
 };
+ # Allow CPU microcode.
 hardware.cpu.intel.updateMicrocode = true;
+ # Allows remote deployment on ARM systems (ie. Raspberry Pi).
 boot.binfmt.emulatedSystems = ["aarch64-linux"];
 }
diff --git a/hosts/technitium.nix b/hosts/technitium/default.nix
similarity index 100%
rename from hosts/technitium.nix
rename to hosts/technitium/default.nix
diff --git a/hosts/weebill.nix b/hosts/weebill/default.nix
similarity index 95%
rename from hosts/weebill.nix
rename to hosts/weebill/default.nix
index 1f29ef0..78b7017 100644
--- a/hosts/weebill.nix
+++ b/hosts/weebill/default.nix
@@ -1,4 +1,5 @@
 {pkgs, ...}: {
+ # Boot loader.
 boot = {
 kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
 initrd.availableKernelModules = [
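Review bot: The comment `# Allow CPU microcode.` above `hardware.cpu.intel.updateMicrocode = true;` understates what the option does; it enables loading Intel microcode updates at boot, so `# Load Intel CPU microcode updates at boot.` describes it accurately. Likewise `boot.binfmt.emulatedSystems = ["aarch64-linux"];` registers binfmt emulation so this x86_64 host can build aarch64-linux derivations locally, which is a prerequisite for deploying to the Pi rather than remote deployment itself; suggest `# Emulate aarch64-linux so this host can build closures for the Raspberry Pi (weebill).`. The `# Kernel modules` comment in the first hunk of this file also lacks the trailing period used by every other comment in the diff.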
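Review bot: `# Boot loader.` sits above a `boot = {` block whose visible lines set `kernelPackages` and `initrd.availableKernelModules`, neither of which is boot-loader configuration; the block continues outside the hunk, so unless loader settings follow further down, `# Kernel and initrd configuration.` would describe the code better.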
@@ -13,12 +14,14 @@
 };
 fileSystems = {
+ # Root filesystem.
 "/" = {
 device = "/dev/disk/by-label/NIXOS_SD";
 fsType = "ext4";
 options = ["noatime"];
 };
+ # AFP share.
 "/srv/iMac" = {
 device = "/dev/disk/by-uuid/48843b25-4d8c-4638-a5f8-fb3901e1165e";
 fsType = "ext4";
diff --git a/lib/default.nix b/lib/default.nix
deleted file mode 100644
index 168a77a..0000000
--- a/lib/default.nix
+++ /dev/null
@@ -1,81 +0,0 @@
-inputs:
-with inputs;
-with inputs.nixpkgs.lib; {
- mergeHosts = lists.foldl' (
- a: b: attrsets.recursiveUpdate a b
- ) {};
-
- mkHost = hostname: {
- platform ? "x86_64-linux",
- suite,
- user ? "fern",
- extraModules ? [],
- }: let
- system = platform;
- secrets = builtins.toString inputs.secrets;
-
- pkgs = import nixpkgs {
- inherit system;
- config = {
- allowUnfree = true;
- permittedInsecurePackages = [
- "dotnet-sdk-6.0.428"
- "dotnet-runtime-6.0.36"
- ];
- };
- overlays = [
- (import ../overlays {inherit inputs system;})
- ];
- };
-
- deployPkgs = import nixpkgs {
- inherit system;
- overlays = [
- deploy-rs.overlays.default
- (self: super: {
- deploy-rs = {
- inherit (pkgs) deploy-rs;
- lib = super.deploy-rs.lib;
- };
- })
- ];
- };
- in
- {
- nixosConfigurations.${hostname} = nixosSystem {
- inherit system pkgs;
-
- specialArgs = {
- inherit
- hostname
- platform
- suite
- user
- secrets
- ; # Inherit variables.
- };
-
- modules =
- [
- nixvim.nixosModules.nixvim
- ../suites/common.nix
- ../suites/${suite}.nix
- ../hosts/${hostname}.nix
- ]
- ++ (filesystem.listFilesRecursive ../modules)
- ++ extraModules;
- };
- }
- // optionalAttrs ((suite == "server")
- || (suite == "vm")
- || (suite == "lxc")) {
- deploy.nodes.${hostname} = {
- hostname = "${hostname}.local";
- profiles.system = {
- user = "root";
- sshUser = user;
- path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.${hostname};
- };
- };
- };
-}
diff --git a/modules/webone.nix b/modules/webone/default.nix
similarity index 90%
rename from modules/webone.nix
rename to modules/webone/default.nix
index dc8169d..a96d853 100644
--- a/modules/webone.nix
+++ b/modules/webone/default.nix
@@ -10,6 +10,7 @@ in {
 options.services.webone.enable = mkEnableOption "Enable WebOne HTTP proxy.";
 config = mkIf cfg.enable {
+ # Create user & group for service.
 users.groups.webone = {};
 users.users.webone = {
@@ -19,6 +20,7 @@ in {
 group = "webone";
 };
+ # Create config directory and log file, and set ownership to webone user.
 systemd.tmpfiles.settings = {
 "10-webone" = {
 "/var/log/webone.log" = {
@@ -38,6 +40,7 @@ in {
 };
 };
+ # Create a systemd service.
 systemd.services.webone = {
 description = "WebOne HTTP Proxy Server";
 documentation = ["https://github.com/atauenis/webone/wiki/"];
diff --git a/overlays/default.nix b/overlay.nix
similarity index 90%
rename from overlays/default.nix
rename to overlay.nix
index 025b179..232cd7c 100644
--- a/overlays/default.nix
+++ b/overlay.nix
@@ -6,10 +6,10 @@ with inputs;
 final: prev: {
 # WebOne HTTP proxy.
- webone = prev.pkgs.callPackage ../packages/webone {};
+ webone = prev.pkgs.callPackage ./packages/webone {};
 # Yazi Gruvbox theme.
- yazi-flavour-gruvbox-dark = prev.pkgs.callPackage ../packages/yazi-flavour-gruvbox {};
+ yazi-flavour-gruvbox-dark = prev.pkgs.callPackage ./packages/yazi-flavour-gruvbox {};
 # Latest FluffyChat.
 fluffychat =
diff --git a/packages/webone/default.nix b/packages/webone/default.nix
index a393e6a..6e1f91c 100644
--- a/packages/webone/default.nix
+++ b/packages/webone/default.nix
@@ -18,6 +18,7 @@ buildDotnetModule rec {
 projectFile = "WebOne.csproj";
 nugetDeps = ./deps.nix;
+ # Uses outdated dotnet 6.
 dotnet-sdk = dotnetCorePackages.sdk_6_0;
 dotnet-runtime = dotnetCorePackages.runtime_6_0;
diff --git a/suites/common.nix b/suites/default.nix
similarity index 95%
rename from suites/common.nix
rename to suites/default.nix
index 0f3a929..fbca4d1 100644
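Review bot: `# Uses outdated dotnet 6.` should record why that matters and where it is compensated for, because the two places are otherwise easy to desynchronise: helpers.nix in this same diff whitelists `dotnet-sdk-6.0.428` and `dotnet-runtime-6.0.36` through `permittedInsecurePackages` precisely because nixpkgs marks them insecure. Given WebOne is an HTTP proxy handling network input on a runtime that no longer receives fixes, suggest expanding the comment to `# .NET 6 is EOL and flagged insecure in nixpkgs; the exact SDK/runtime versions are whitelisted in helpers.nix (permittedInsecurePackages), so bump both together. Revisit once upstream supports a newer SDK.`.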
--- a/suites/common.nix
+++ b/suites/default.nix
@@ -52,10 +52,10 @@ with lib; {
 networking.hostName = hostname;
 # Define a user account.
- users.users.${user} = {
+ users.users.fern = {
 isNormalUser = true;
 uid = 1000;
- description = mkIf (user == "fern") "Fern Garden";
+ description = "Fern Garden";
 extraGroups = [
 "wheel"
 "networkmanager"
@@ -95,6 +95,9 @@ with lib; {
 # https://discourse.nixos.org/t/slow-build-at-building-man-cache/52365/2
 documentation.man.generateCaches = false;
+ # Enable all terminfo (for ghostty).
+ environment.enableAllTerminfo = true;
+
 # Install some packages.
 programs = {
 git.enable = true;
@@ -102,9 +105,11 @@ with lib; {
 nixvim = {
 enable = true;
+
+ # Set $EDITOR
 defaultEditor = true;
- # For telescope.
+ # For telescope grep.
 dependencies.ripgrep.enable = true;
 # Space as leader.
@@ -127,7 +132,10 @@ with lib; {
 colorschemes.gruvbox = {
 enable = true;
- settings.contrast = "hard";
+ settings = {
+ contrast = "hard";
+ overrides.SignColumn.bg = "none";
+ };
 };
 opts = rec {
diff --git a/suites/desktop.nix b/suites/desktop/default.nix
similarity index 98%
rename from suites/desktop.nix
rename to suites/desktop/default.nix
index 2c7942d..7db574b 100755
--- a/suites/desktop.nix
+++ b/suites/desktop/default.nix
@@ -4,6 +4,8 @@
 ...
 }:
 with lib; {
+ imports = [../.]; # Common config.
+
 # Configure the bootloader.
 boot = {
 # Enable secure boot.
diff --git a/suites/server.nix b/suites/server/default.nix
similarity index 65%
rename from suites/server.nix
rename to suites/server/default.nix
index bf2df0c..e358219 100644
--- a/suites/server.nix
+++ b/suites/server/default.nix
@@ -1,15 +1,9 @@
 {
- user,
- lib,
- ...
-}:
-with lib; {
+ imports = [../.]; # Common config.
+
 # Passwordless sudo.
 security.sudo.wheelNeedsPassword = false;
- # Enable all terminfo (for ghostty).
- environment.enableAllTerminfo = true;
-
 # Enable sshd.
 services.openssh = {
 enable = true;
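Review bot: `users.users.fern = {` and `description = "Fern Garden";` drop the last uses of `user` in this hunk, and the new helpers.nix no longer passes `user` in `specialArgs`; if the module's argument set at the top of suites/default.nix (outside this hunk) still declares `user` without a default, every `nixosSystem` evaluation fails with a missing-argument error, so that header needs `user` removed the way suites/server/default.nix does later in this diff. Worth checking the same for the `mkIf` that was the only other consumer of `user`, since `with lib;` may now be unused here too.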
@@ -20,14 +14,11 @@ with lib; {
 };
 };
- users.users.${user} = {
+ # Add authorized ssh pubkeys.
+ users.users.fern = {
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
 ];
- extraGroups = mkIf (user == "docker") ["docker"]; # if docker is enabled.
 };
-
- # Enable docker.
- virtualisation.docker.enable = mkIf (user == "docker") true;
 }
diff --git a/suites/server/docker/default.nix b/suites/server/docker/default.nix
new file mode 100644
index 0000000..75c8aa8
--- /dev/null
+++ b/suites/server/docker/default.nix
@@ -0,0 +1,9 @@
+{
+ # Add user to docker group.
+ users.users.fern = {
+ extraGroups = ["docker"];
+ };
+
+ # Enable docker.
+ virtualisation.docker.enable = true;
+}
diff --git a/suites/lxc.nix b/suites/server/lxc/default.nix
similarity index 78%
rename from suites/lxc.nix
rename to suites/server/lxc/default.nix
index 4b11d63..e84aaaa 100644
--- a/suites/lxc.nix
+++ b/suites/server/lxc/default.nix
@@ -1,6 +1,6 @@
 {modulesPath, ...}: {
 imports = [
 (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ./server.nix
+ ../. # Server config.
 ];
 }
diff --git a/suites/vm.nix b/suites/server/vm/default.nix
similarity index 95%
rename from suites/vm.nix
rename to suites/server/vm/default.nix
index 3a4d6e2..31074d4 100644
--- a/suites/vm.nix
+++ b/suites/server/vm/default.nix
@@ -6,7 +6,7 @@
 with lib; {
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
- ./server.nix
+ ../. # Server config.
 ];
 # Load kernel modules.
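Review bot: `extraGroups = ["docker"];` deserves a comment recording that membership of the docker group is effectively root-equivalent, so a reader does not take it for a low-privilege convenience; in this repo it adds nothing beyond what `fern` already has, since suites/default.nix puts the user in `wheel` and suites/server/default.nix sets `security.sudo.wheelNeedsPassword = false`, but that reasoning lives only in the reviewer's head unless written down. Suggest `# Add user to docker group (root-equivalent; fern already has passwordless sudo via wheel, see suites/server).`. The `users.users.fern` attrset here merges with the one in suites/server/default.nix under the module system, so there is no functional conflict.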