diff --git a/suites/common.nix b/configuration/common.nix similarity index 86% rename from suites/common.nix rename to configuration/common.nix index 9b44417..f459b31 100644 --- a/suites/common.nix +++ b/configuration/common.nix @@ -1,10 +1,4 @@ -{ - pkgs, - lib, - user, - ... -}: -with lib; +{ pkgs, ... }: { # NixOS version. system.stateVersion = "25.05"; @@ -18,9 +12,6 @@ with lib; # Allow unfree packages. nixpkgs.config.allowUnfree = true; - # Enable redistributable firmware. - hardware.enableRedistributableFirmware = true; - # Set time zone. time.timeZone = "Australia/Perth"; @@ -45,19 +36,6 @@ with lib; variant = ""; }; - # Enable networking. - networking.networkmanager.enable = true; - - # Define a user account. - users.users.${user} = { - isNormalUser = true; - description = mkIf (user == "fern") "Fern Garden"; - extraGroups = [ - "wheel" - "networkmanager" - ]; - }; - # Use fish shell programs.fish = { enable = true; diff --git a/suites/laptop.nix b/configuration/desktop.nix similarity index 90% rename from suites/laptop.nix rename to configuration/desktop.nix index 6748606..5b0e8a2 100755 --- a/suites/laptop.nix +++ b/configuration/desktop.nix @@ -5,14 +5,14 @@ fluffychat2, ... }: -with lib; + { # Configure the bootloader. boot = { # Enable secure boot. bootspec.enable = true; initrd.systemd.enable = true; - loader.systemd-boot.enable = mkForce false; + loader.systemd-boot.enable = lib.mkForce false; loader.efi.canTouchEfiVariables = true; lanzaboote = { @@ -43,6 +43,19 @@ with lib; # Enable smart card support (for YubiKey). services.pcscd.enable = true; + # Enable networking. + networking.networkmanager.enable = true; + + # Define a user account. + users.users.fern = { + isNormalUser = true; + description = "Fern Garden"; + extraGroups = [ + "networkmanager" + "wheel" + ]; + }; + # Encrypt user's home with fscrypt security.pam.enableFscrypt = true; 
@@ -107,7 +120,6 @@ with lib; environment.systemPackages = with pkgs; [ adwsteamgtk ansible - caligula celluloid discord feishin0_17.feishin @@ -166,7 +178,7 @@ with lib; }; # Enable CPU frequency scaling management. - services.power-profiles-daemon.enable = mkForce false; # enabled by gnome + services.power-profiles-daemon.enable = lib.mkForce false; # enabled by gnome services.tlp.enable = lib.mkForce false; # enabled by nixos-hardware services.auto-cpufreq.enable = true; -} \ No newline at end of file +} diff --git a/configuration/server/common.nix b/configuration/server/common.nix new file mode 100644 index 0000000..c204671 --- /dev/null +++ b/configuration/server/common.nix @@ -0,0 +1,10 @@ +{ + # Passwordless sudo + security.sudo.wheelNeedsPassword = false; + + # Enable all terminfo (for ghostty) + environment.enableAllTerminfo = true; + + # Enable SSH server + services.openssh.enable = true; +} diff --git a/suites/lxc.nix b/configuration/server/containers/common.nix similarity index 54% rename from suites/lxc.nix rename to configuration/server/containers/common.nix index ca491fe..e84039f 100644 --- a/suites/lxc.nix +++ b/configuration/server/containers/common.nix @@ -1,10 +1,8 @@ +{ modulesPath, ... }: { - modulesPath, - ... -}: -{ + # Import Proxmox LXC configuration. imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") - ./server.nix ]; -} \ No newline at end of file +} + diff --git a/hosts/lxc/firefox-syncserver.nix b/configuration/server/containers/firefox-syncserver.nix similarity index 90% rename from hosts/lxc/firefox-syncserver.nix rename to configuration/server/containers/firefox-syncserver.nix index 5d178f6..e4b4836 100644 --- a/hosts/lxc/firefox-syncserver.nix +++ b/configuration/server/containers/firefox-syncserver.nix @@ -7,7 +7,7 @@ secrets."firefox_syncserver/sync_master_secret" = {}; }; - # Enable Firefox sync service. + # syncserver-rs service. services.mysql.package = pkgs.mariadb; services.firefox-syncserver = { 
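Review bot: The new configuration/server/common.nix turns on sshd with `services.openssh.enable = true;` and nothing else, which on NixOS (as far as I recall the current defaults) leaves `PasswordAuthentication` and `KbdInteractiveAuthentication` enabled, while every host in this commit is reached by authorized key only and wheel gets `wheelNeedsPassword = false` from the same file. None of the accounts shown sets a password, so password auth cannot succeed for them, but it still exposes a brute-force surface on hosts that also publish services (the sync server opens port 5000, the DNS server opens its ports). I would add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` next to the enable line and a one-line comment such as `# Key-based access only; wheel sudo is passwordless, so the key is the credential.` so the passwordless-sudo decision is documented where it is made.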
@@ -22,6 +22,5 @@ }; }; - # Open Firefox sync service port. networking.firewall.allowedTCPPorts = [ 5000 ]; } diff --git a/hosts/lxc/technitium.nix b/configuration/server/containers/technitium.nix similarity index 72% rename from hosts/lxc/technitium.nix rename to configuration/server/containers/technitium.nix index 818bf8e..e75ca4d 100644 --- a/hosts/lxc/technitium.nix +++ b/configuration/server/containers/technitium.nix @@ -1,5 +1,4 @@ { - # Enable Technitium DNS server. services.technitium-dns-server = { enable = true; openFirewall = true; diff --git a/suites/server.nix b/configuration/server/docker.nix old mode 100644 new mode 100755 similarity index 56% rename from suites/server.nix rename to configuration/server/docker.nix index 01d61e1..78f4321 --- a/suites/server.nix +++ b/configuration/server/docker.nix 
@@ -1,25 +1,23 @@ -{ user, lib, ... }: -with lib; { - # Passwordless sudo - security.sudo.wheelNeedsPassword = false; - - # Enable all terminfo (for ghostty) - environment.enableAllTerminfo = true; - - # Enable SSH server - services.openssh.enable = true; - - users.users.${user} = { + # Define a user account. + users.users.docker = { + isNormalUser = true; + linger = true; + extraGroups = [ + "wheel" + "docker" + ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC" ]; - extraGroups = mkIf (user == "docker") [ "docker" ]; }; - # Enable docker. - virtualisation.docker.enable = mkIf (user == "docker") true; -} \ No newline at end of file + # Auto login + services.getty.autologinUser = "docker"; + + # Enable docker + virtualisation.docker.enable = true; +} diff --git a/suites/vm.nix b/configuration/server/vm.nix similarity index 80% rename from suites/vm.nix rename to configuration/server/vm.nix index 32a0966..9761851 100644 --- a/suites/vm.nix +++ b/configuration/server/vm.nix @@ -1,13 +1,8 @@ +{ lib, modulesPath, ... }: { - modulesPath, - lib, - ... -}: -with lib; -{ + # Import qemu guest configuration. imports = [ (modulesPath + "/profiles/qemu-guest.nix") - ./server.nix ]; # Load kernel modules. @@ -22,7 +17,7 @@ with lib; boot.kernelModules = [ "kvm-intel" ]; # Enable DHCP. - networking.useDHCP = mkDefault true; + networking.useDHCP = lib.mkDefault true; # Configure the bootloader. boot.loader.grub = { diff --git a/flake.nix b/flake.nix index 1617fde..a73feb3 100755 --- a/flake.nix +++ b/flake.nix 
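Review bot: `services.getty.autologinUser = "docker";` logs a member of `wheel` and `docker` into the VM console with no credential, and configuration/server/common.nix makes wheel sudo passwordless, so anyone who can open the guest console (the Proxmox web UI, or whoever holds hypervisor access) gets an unauthenticated root shell; membership in the `docker` group is root-equivalent on its own, so the autologin turns console access into root twice over. The four SSH keys on this account are evidently the intended way in, so I would drop the autologin line rather than weaken the key-only model, or confine it to the hypervisor-console trust boundary with an explicit comment if it is meant to stay. `linger = true` is not explained either; a comment like `# linger: keep this user's systemd services running without a login session` would tell the next reader why it is here.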
@@ -6,12 +6,11 @@ lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot. nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config. sops-nix.url = "github:Mic92/sops-nix"; # Secrets management. - # Secrets repo. secrets = { url = "git+ssh://git@docker.local:222/fern/secrets?ref=main"; flake = false; - }; - + }; # Secrets repo. + # Updated packages. fluffychat2.url = "github:NixOS/nixpkgs?ref=pull/419632/head"; # FluffyChat 2.0.0 feishin0_17.url = "github:NixOS/nixpkgs?ref=pull/414929/head"; # Feishin 0.17.0 
@@ -28,88 +27,97 @@ feishin0_17, ... }: - let - mkHost = - with nixpkgs.lib; - { - hostname, - suite, - platform, - user ? "fern", - extraModules ? [ ], - }: - nixosSystem rec { - system = platform; - - specialArgs = { - inherit user; - secrets = builtins.toString inputs.secrets; - fluffychat2 = import fluffychat2 { inherit system; }; - feishin0_17 = import feishin0_17 { inherit system; }; - }; - - modules = [ - ./suites/common.nix - ./suites/${suite}.nix - ./hosts/${suite}/${hostname}.nix - { networking.hostName = hostname; } - ] ++ extraModules; - }; - in { - nixosConfigurations = { - # Laptops. - muskduck = mkHost { - hostname = "muskduck"; - suite = "laptop"; - platform = "x86_64-linux"; - extraModules = [ - lanzaboote.nixosModules.lanzaboote - nixos-hardware.nixosModules.lenovo-thinkpad-t480 - ]; + # ThinkPad T480 + nixosConfigurations.muskduck = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + fluffychat2 = import fluffychat2 { inherit system; }; + feishin0_17 = import feishin0_17 { inherit system; }; }; - # Servers. - weebill = mkHost { - hostname = "weebill"; - suite = "server"; - platform = "aarch64-linux"; - user = "docker"; - extraModules = [ - nixos-hardware.nixosModules.raspberry-pi-4 - ]; + modules = [ + { networking.hostName = "muskduck"; } + + lanzaboote.nixosModules.lanzaboote + nixos-hardware.nixosModules.lenovo-thinkpad-t480 + + ./configuration/common.nix + ./configuration/desktop.nix + + ./hosts/muskduck.nix # Include the results of the hardware scan. + ]; + }; + + ### Proxmox Guests ### + + nixosConfigurations.vm-minecraft = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + + modules = [ + { networking.hostName = "minecraft"; } + + ./configuration/common.nix + + ./configuration/server/common.nix + ./configuration/server/vm.nix + ./configuration/server/docker.nix + + ./hosts/vm-minecraft.nix # Include the results of the hardware scan. 
+ ]; + }; + + nixosConfigurations.vm-docker = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + + modules = [ + { networking.hostName = "docker"; } + + ./configuration/common.nix + + ./configuration/server/common.nix + ./configuration/server/vm.nix + ./configuration/server/docker.nix + + ./hosts/vm-docker.nix # Include the results of the hardware scan. + ]; + }; + + nixosConfigurations.lxc-technitium = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + + modules = [ + { networking.hostName = "technitium"; } + + ./configuration/common.nix + + ./configuration/server/common.nix + ./configuration/server/containers/common.nix + + ./configuration/server/containers/technitium.nix + ]; + }; + + nixosConfigurations.lxc-firefox-syncserver = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + + specialArgs = { + secrets = builtins.toString inputs.secrets; }; - # Virtual machines. - vm-docker = mkHost { - hostname = "docker"; - suite = "vm"; - user = "docker"; - platform = "x86_64-linux"; - }; + modules = [ + sops-nix.nixosModules.sops + + { networking.hostName = "firefox-syncserver"; } + + ./configuration/common.nix - vm-minecraft = mkHost { - hostname = "minecraft"; - suite = "vm"; - user = "docker"; - platform = "x86_64-linux"; - }; + ./configuration/server/common.nix + ./configuration/server/containers/common.nix - # LXC containers. - lxc-technitium = mkHost { - hostname = "technitium"; - suite = "lxc"; - platform = "x86_64-linux"; - }; - - lxc-firefox-syncserver = mkHost { - hostname = "firefox-syncserver"; - suite = "lxc"; - platform = "x86_64-linux"; - extraModules = [ - sops-nix.nixosModules.sops - ]; - }; + ./configuration/server/containers/firefox-syncserver.nix + ]; }; }; } diff --git a/hosts/laptop/muskduck.nix b/hosts/muskduck.nix similarity index 58% rename from hosts/laptop/muskduck.nix rename to hosts/muskduck.nix index 035504c..5ca5cf0 100644 --- a/hosts/laptop/muskduck.nix +++ b/hosts/muskduck.nix 
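Review bot: The two container configurations (`lxc-technitium` and `lxc-firefox-syncserver`) import configuration/server/common.nix, which enables sshd and passwordless wheel sudo, but none of the modules listed for them defines a user account or authorized keys: the old suites/server.nix that lxc.nix imported carried `users.users.${user}` with the key list, and in this commit that block survives only in configuration/server/docker.nix, which the LXC hosts do not import, while configuration/common.nix no longer defines `fern`. Unless the container-specific files define an account outside the hunks shown here, SSH into the containers is left with no key-authenticated user (root keeps the `prohibit-password` default), and the only way in is the Proxmox console. I would move the account-plus-authorized-keys definition out of docker.nix into a module both the VM and the container configurations import, leaving docker.nix with only the Docker-specific settings (`virtualisation.docker.enable`, the `docker` group, `linger`), and state the intended access path in a comment on each `nixosConfigurations.lxc-*` entry.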
@@ -1,12 +1,24 @@ { + config, + lib, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; - + boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; fileSystems."/" = { device = "/dev/disk/by-uuid/63d79656-aa5b-466a-b369-be5eac3f51ab"; @@ -25,5 +37,10 @@ ]; }; - hardware.cpu.intel.updateMicrocode = true; + swapDevices = [ ]; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/server/weebill.nix b/hosts/server/weebill.nix deleted file mode 100644 index 01a8731..0000000 --- a/hosts/server/weebill.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ pkgs, ... }: -{ - boot = { - kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; - initrd.availableKernelModules = [ - "xhci_pci" - "usbhid" - "usb_storage" - ]; - loader = { - grub.enable = false; - generic-extlinux-compatible.enable = true; - }; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - options = [ "noatime" ]; - }; - }; - - # Open ports for DHCP server. - networking.firewall.allowedUDPPorts = [ 53 67 ]; -} diff --git a/hosts/vm/docker.nix b/hosts/vm-docker.nix similarity index 100% rename from hosts/vm/docker.nix rename to hosts/vm-docker.nix diff --git a/hosts/vm/minecraft.nix b/hosts/vm-minecraft.nix similarity index 100% rename from hosts/vm/minecraft.nix rename to hosts/vm-minecraft.nix
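Review bot: `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` replaces the previous unconditional `true`, and the same commit removes `hardware.enableRedistributableFirmware = true;` from configuration/common.nix, so CPU microcode updates on this laptop (which carry the Spectre/MDS-class mitigations) are now off unless the imported nixos-hardware ThinkPad module sets that option; I believe its common PC profile does so with `mkDefault`, but that is an implicit dependency on an upstream default rather than something this repo states. Since this hunk is the regenerated hardware scan, the override belongs in configuration/desktop.nix rather than in this file: `hardware.enableRedistributableFirmware = true;` with a comment such as `# Required for CPU microcode updates (hosts/*.nix ties updateMicrocode to this).` keeps the mitigation explicit.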