diff --git a/flake.lock b/flake.lock index 3f8112b..b38e475 100755 --- a/flake.lock +++ b/flake.lock @@ -15,6 +15,26 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1749105467, + "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "6bc76b872374845ba9d645a2f012b764fecd765f", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "feishin-0_17_0": { "locked": { "lastModified": 1751534869, @@ -32,6 +52,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1747046372, @@ -91,7 +127,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -176,9 +212,9 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" }, 
@@ -212,6 +248,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1743014863, + "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1751203939, "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", @@ -227,7 +279,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1751741127, "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", @@ -243,7 +295,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1751786137, "narHash": "sha256-lIlUKVGCGsh0Q2EA7/6xRtKUZjaQ/ur8uUyY+MynHXQ=", @@ -259,7 +311,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1744868846, "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", @@ -278,9 +330,9 @@ "nixvim": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nuschtosSearch": "nuschtosSearch", - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1752099138, @@ -347,11 +399,12 @@ }, "root": { "inputs": { + "deploy-rs": "deploy-rs", "feishin-0_17_0": "feishin-0_17_0", "fluffychat-2_0_0": "fluffychat-2_0_0", "lanzaboote": "lanzaboote", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixvim": "nixvim", "secrets": "secrets", "sops-nix": "sops-nix" @@ -397,7 +450,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1751606940, 
@@ -442,6 +495,39 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index e171816..107aea0 100755 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Stable nixpkgs. + deploy-rs.url = "github:serokell/deploy-rs"; lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot. nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config. sops-nix.url = "github:Mic92/sops-nix"; # Secrets management. 
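Review bot: The new `deploy-rs` input is not told to follow the root `nixpkgs`, so the lock hunks above now carry a second, separately pinned nixpkgs (the `deploy-rs`→`nixpkgs` entry on `nixpkgs-unstable`, with the root one renamed to `nixpkgs_3`) plus deploy-rs's own `utils` and `flake-compat` copies. Unless deploy-rs needs that exact revision, `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";` next to the url line keeps one nixpkgs to evaluate, update and audit. The new line is also the only input in this block without a trailing comment; `deploy-rs.url = "github:serokell/deploy-rs"; # Remote deployment.` would match its neighbours.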
@@ -19,115 +20,52 @@
 feishin-0_17_0.url = "github:NixOS/nixpkgs?ref=pull/414929/head"; # Feishin 0.17.0
 };
 
- outputs = inputs @ {
- nixpkgs,
+ outputs = {
 lanzaboote,
 nixos-hardware,
- nixvim,
 sops-nix,
- fluffychat-2_0_0,
- feishin-0_17_0,
 ...
- }:
- with nixpkgs.lib; let
- mkHost = {
- hostname,
- suite,
- platform ? "x86_64-linux",
- user ? "fern",
- extraModules ? [],
- }:
- nixosSystem rec {
- system = platform;
+ } @ inputs: let
+ helpers = import ./helpers.nix inputs;
+ inherit (helpers) mergeHosts mkHost;
+ in
+ mergeHosts [
+ (mkHost "muskduck" {
+ suite = "laptop";
+ extraModules = [
+ lanzaboote.nixosModules.lanzaboote
+ nixos-hardware.nixosModules.lenovo-thinkpad-t480
+ ];
+ })
 
- pkgs = import nixpkgs {
- inherit system;
- config = {
- allowUnfree = true;
- permittedInsecurePackages = [
- "dotnet-sdk-6.0.428"
- "dotnet-runtime-6.0.36"
- ];
- };
- };
+ (mkHost "weebill" {
+ suite = "server";
+ platform = "aarch64-linux";
+ user = "docker";
+ extraModules = [
+ nixos-hardware.nixosModules.raspberry-pi-4
+ ];
+ })
 
- specialArgs = {
- inherit
- nixpkgs
- hostname
- suite
- platform
- user
- ; # Inherit variables.
+ # (mkHost "docker" {
+ # suite = "vm";
+ # user = "docker";
+ # })
 
- userPackages = {
- fluffychat = fluffychat-2_0_0.legacyPackages.${system}.fluffychat;
- feishin = feishin-0_17_0.legacyPackages.${system}.feishin;
- webone = pkgs.callPackage ./packages/webone {};
- };
+ (mkHost "minecraft" {
+ suite = "vm";
+ user = "docker";
+ })
 
- secrets = builtins.toString inputs.secrets; # Secrets directory.
- };
+ (mkHost "technitium" {
+ suite = "lxc";
+ })
 
- modules =
- [
- nixvim.nixosModules.nixvim
- ./suites/common.nix
- ./suites/${suite}.nix
- ./hosts/${suite}/${hostname}.nix
- ]
- ++ (filesystem.listFilesRecursive ./modules)
- ++ extraModules;
- };
- in {
- nixosConfigurations = {
- # Laptops.
- muskduck = mkHost {
- hostname = "muskduck";
- suite = "laptop";
- extraModules = [
- lanzaboote.nixosModules.lanzaboote
- nixos-hardware.nixosModules.lenovo-thinkpad-t480
- ];
- };
-
- # Servers.
- weebill = mkHost {
- hostname = "weebill";
- suite = "server";
- platform = "aarch64-linux";
- user = "docker";
- extraModules = [
- nixos-hardware.nixosModules.raspberry-pi-4
- ];
- };
-
- # Virtual machines.
- vm-docker = mkHost {
- hostname = "docker";
- suite = "vm";
- user = "docker";
- };
-
- vm-minecraft = mkHost {
- hostname = "minecraft";
- suite = "vm";
- user = "docker";
- };
-
- # LXC containers.
- lxc-technitium = mkHost {
- hostname = "technitium";
- suite = "lxc";
- };
-
- lxc-firefox-syncserver = mkHost {
- hostname = "firefox-syncserver";
- suite = "lxc";
- extraModules = [
- sops-nix.nixosModules.sops
- ];
- };
- };
- };
+ (mkHost "firefox-syncserver" {
+ suite = "lxc";
+ extraModules = [
+ sops-nix.nixosModules.sops
+ ];
+ })
+ ];
 }
diff --git a/helpers.nix b/helpers.nix
new file mode 100644
index 0000000..6808817
--- /dev/null
+++ b/helpers.nix
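Review bot: The `nixosConfigurations` attribute names change silently here: `vm-minecraft`, `lxc-technitium` and `lxc-firefox-syncserver` become the bare hostnames that `mkHost` now keys on, and `vm-docker` disappears entirely, surviving only as the commented-out `mkHost "docker"` block. Anyone running `nixos-rebuild --flake .#vm-minecraft` or a similar old name will get an unknown-attribute error with no hint, so the rename deserves a mention in the commit message. The dead block should either be deleted or carry a one-line reason for staying, e.g. `# docker VM currently retired; uncomment to bring it back.`, since a silent commented-out host tends to drift out of sync with its hosts/ file.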
@@ -0,0 +1,67 @@
+inputs:
+with inputs;
+with inputs.nixpkgs.lib; let
+in {
+ mergeHosts = lists.foldl' (
+ a: b: attrsets.recursiveUpdate a b
+ ) {};
+
+ mkHost = hostname: {
+ platform ? "x86_64-linux",
+ suite,
+ user ? "fern",
+ extraModules ? [],
+ }: {
+ nixosConfigurations.${hostname} = nixosSystem rec {
+ system = platform;
+
+ pkgs = import nixpkgs {
+ inherit system;
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "dotnet-sdk-6.0.428"
+ "dotnet-runtime-6.0.36"
+ ];
+ };
+ };
+
+ specialArgs = {
+ inherit
+ hostname
+ nixpkgs
+ suite
+ platform
+ user
+ ; # Inherit variables.
+
+ userPackages = {
+ fluffychat = fluffychat-2_0_0.legacyPackages.${system}.fluffychat;
+ feishin = feishin-0_17_0.legacyPackages.${system}.feishin;
+ webone = pkgs.callPackage ./packages/webone {};
+ };
+
+ secrets = builtins.toString inputs.secrets; # Secrets directory.
+ };
+
+ modules =
+ [
+ nixvim.nixosModules.nixvim
+ ./suites/common.nix
+ ./suites/${suite}.nix
+ ./hosts/${suite}/${hostname}.nix
+ ]
+ ++ (filesystem.listFilesRecursive ./modules)
+ ++ extraModules;
+ };
+
+ deploy.nodes.${hostname} = {
+ hostname = "${hostname}.local";
+ profiles.system = {
+ user = "root";
+ sshUser = user;
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${hostname};
+ };
+ };
+ };
+}
diff --git a/hosts/laptop/muskduck.nix b/hosts/laptop/muskduck.nix
index 511a951..b34de12 100644
--- a/hosts/laptop/muskduck.nix
+++ b/hosts/laptop/muskduck.nix
@@ -25,4 +25,6 @@
 };
 
 hardware.cpu.intel.updateMicrocode = true;
+
+ boot.binfmt.emulatedSystems = ["aarch64-linux"];
 }
diff --git a/hosts/server/weebill.nix b/hosts/server/weebill.nix
index 89c949c..6be91cd 100644
--- a/hosts/server/weebill.nix
+++ b/hosts/server/weebill.nix
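Review bot: `deploy-rs.lib.x86_64-linux.activate.nixos` in `deploy.nodes.${hostname}.profiles.system.path` hard-codes the system even though `mkHost` takes `platform` and flake.nix declares weebill as `aarch64-linux`; deploy-rs builds the activation wrapper for the system named in `lib.<system>` and runs it on the target, so the aarch64 node would presumably be handed an x86_64 wrapper. `path = deploy-rs.lib.${platform}.activate.nixos self.nixosConfigurations.${hostname};` derives it from the same value as `system`. Two smaller points: `hostname = "${hostname}.local"` only resolves where mDNS is working, which is worth a comment because a failed lookup is the first thing a new deployer hits, and the empty `let in` after `with inputs.nixpkgs.lib;` binds nothing and can be dropped.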
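Review bot: `boot.binfmt.emulatedSystems = ["aarch64-linux"]` carries no comment saying why a laptop now registers a foreign-architecture binfmt handler; presumably it is so this host can build closures for the `aarch64-linux` node when deploying, but that is inferred from the other files in this commit rather than stated. A one-liner such as `# Build aarch64-linux closures locally (QEMU user emulation) when deploying weebill.` keeps the intent next to the setting.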
@@ -28,4 +28,16 @@
 
 # Enable WebOne HTTP proxy.
 services.webone.enable = true;
+
+ # Enable Netatalk AFP fileserver.
+ services.netatalk = {
+ enable = true;
+ settings = {
+ Global."uam list" = "uams_guest.so";
+ iMac = {
+ path = "/srv/iMac";
+ "read-only" = true;
+ };
+ };
+ };
 }
diff --git a/suites/common.nix b/suites/common.nix
index c5ee193..ccc900d 100644
--- a/suites/common.nix
+++ b/suites/common.nix
@@ -16,6 +16,9 @@ with lib; {
 "flakes"
 ];
 
+ # Add @wheel to trusted-users for remote deployments.
+ nix.settings.trusted-users = ["root" "@wheel"];
+
 # Set $NIX_PATH to flake input.
 nix.nixPath = ["nixpkgs=${nixpkgs}"];
 
@@ -60,6 +63,12 @@ with lib; {
 "wheel"
 "networkmanager"
 ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren"
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
+ ];
 };
 
 # Use fish shell
@@ -123,6 +132,9 @@ with lib; {
 '';
 };
 
+ # https://discourse.nixos.org/t/slow-build-at-building-man-cache/52365/2
+ documentation.man.generateCaches = false;
+
 # Install some packages.
 programs = {
 git.enable = true;
@@ -285,9 +297,17 @@ with lib; {
 yazi
 ];
 
+ # Enable SSH server.
+ services.openssh.enable = true;
+
 # Enable avahi hostname resolution.
 services.avahi = {
 enable = true;
 nssmdns4 = true;
+ publish = {
+ enable = true;
+ addresses = true;
+ domain = true;
+ };
 };
 }
diff --git a/suites/server.nix b/suites/server.nix
index 1f6af57..762cc11 100644
--- a/suites/server.nix
+++ b/suites/server.nix
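Review bot: `Global."uam list" = "uams_guest.so"` makes guest the only authentication module, so the `iMac` volume is readable without credentials by anything that can reach the AFP service; `"read-only" = true` limits the exposure to disclosure, and AFP carries file data in the clear, so the share should hold only what is meant to be LAN-readable. That trade-off is not visible from the settings alone and deserves a comment above `services.netatalk`, e.g. `# Guest-only, read-only AFP share for the iMac: everything under /srv/iMac is readable by any host that can reach the AFP port.`. Whether the NixOS netatalk module opens the firewall itself is outside this hunk; if the share is meant to be reachable from the LAN, make sure AFP's port is allowed deliberately rather than through a broad rule.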
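Review bot: `nix.settings.trusted-users = ["root" "@wheel"]` makes every wheel member a trusted user of the nix daemon on every host built from this suite, and a trusted user can import unsigned store paths and override daemon settings, which is root-equivalent without any sudo prompt. The comment says this is for remote deployments, which only needs the account deploy-rs logs in as (`sshUser = user` in helpers.nix); if `user` reaches this module the way it does in suites/server.nix, `nix.settings.trusted-users = ["root" user];` narrows the grant to that account. Either way the comment should state the consequence, e.g. `# Trusted users may push unsigned closures and change daemon settings (root-equivalent); required by deploy-rs.`.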
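Review bot: Moving `services.openssh.enable = true` into suites/common.nix turns sshd on for every host, the laptop included, and the earlier hunk in this file now installs the same `authorizedKeys` everywhere, so key login works on all of them while password authentication stays at its default. Since keys are universal, `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` beside the enable line close the password path on all hosts at once. The avahi `publish` block appears to be what makes the `${hostname}.local` names in helpers.nix resolvable; one comment such as `# Publish this host's name and addresses on mDNS so deploy-rs can reach ${hostname}.local.` would tie the two together.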
@@ -10,19 +10,7 @@ with lib; {
 # Enable all terminfo (for ghostty).
 environment.enableAllTerminfo = true;
 
- # Enable SSH server.
- services.openssh.enable = true;
-
- users.users.${user} = {
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren"
- "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
- ];
- extraGroups = mkIf (user == "docker") ["docker"];
- };
-
 # Enable docker.
 virtualisation.docker.enable = mkIf (user == "docker") true;
+ users.users.${user}.extraGroups = mkIf (user == "docker") ["docker"];
 }
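Review bot: `users.users.${user}.extraGroups = mkIf (user == "docker") ["docker"]` now sits beside the docker enable with nothing saying what membership implies; the docker group can talk to the daemon socket, which is root-equivalent on the host, so the `user == "docker"` guard is a security boundary rather than tidiness. A comment such as `# docker group membership is root-equivalent (daemon socket); keep it gated on the docker user.` keeps that visible now that the line no longer lives in a larger `users.users.${user}` block.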