From 17d4e870560113f63148afff7de8ae49eac70322 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Tue, 15 Jul 2025 17:08:36 -0500 Subject: [PATCH] t
---
flake.nix | 109 +++++++++++++++++++++++++++++++----- hosts/mac/homebrew.nix | 1 + hosts/nuc/boot.nix | 58 +++++++++++++++++++ hosts/nuc/configuration.nix | 55 ++++++++++++++++++ hosts/nuc/impermanence.nix | 32 +++++++++++ hosts/nuc/networking.nix | 60 ++++++++++++++++++++ hosts/nuc/sops.nix | 84 +++++++++++++++++++++++++++ hosts/nuc/users.nix | 40 +++++++++++++ modules/home/vscode.nix | 2 +- 9 files changed, 425 insertions(+), 16 deletions(-) create mode 100755 hosts/nuc/boot.nix create mode 100644 hosts/nuc/configuration.nix create mode 100755 hosts/nuc/impermanence.nix create mode 100755 hosts/nuc/networking.nix create mode 100755 hosts/nuc/sops.nix create mode 100755 hosts/nuc/users.nix
diff --git a/flake.nix b/flake.nix
index ac5171a..4d6746a 100755
--- a/flake.nix
+++ b/flake.nix
@@ -322,6 +322,47 @@ inputs.nixpkgs.follows = "mac-nixpkgs"; };
+ #####################################################
+ # NUC #
+ #####################################################
+
+ # nixpgs
+ nuc-nixpkgs = {
+ # url = "github:NixOS/nixpkgs/nixos-24.11";
+ url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+
+ # Home Manager
+ nuc-home-manager = {
+ # url = "github:nix-community/home-manager/release-24.11";
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nuc-nixpkgs";
+ };
+
+ # Impermenance
+ nuc-impermanence = {
+ url = "github:nix-community/impermanence";
+ };
+
+ # Lanzaboote
+ nuc-lanzaboote = {
+ url = "github:nix-community/lanzaboote/v0.4.2";
+ inputs.nixpkgs.follows = "nuc-nixpkgs";
+ };
+
+ # Sops-nix
+ nuc-sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nuc-nixpkgs";
+ };
+
+ nuc-disko = {
+ # the fork is needed for partition attributes support
+ url = "github:nvmd/disko/gpt-attrs";
+ # url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nuc-nixpkgs";
+ };
+ ##################################################### # Common # #####################################################
@@ -409,6 +450,13 @@ mac-impermanence, mac-sops-nix,
+ nuc-nixpkgs,
+ nuc-home-manager,
+ nuc-impermanence,
+ nuc-lanzaboote,
+ nuc-sops-nix,
+ nuc-disko,
+ + # Common nixpkgs-unstable, nixpkgs-stable,
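Review bot: `nuc-disko` takes the partitioning module from a personal fork tracked by branch name (`github:nvmd/disko/gpt-attrs`), so although flake.lock pins today's revision, any later `nix flake update` silently follows whatever that branch head becomes. Since disko runs as root and rewrites partition tables, pinning the input to a reviewed commit, `url = "github:nvmd/disko/<PINNED-COMMIT-REV>";`, or vendoring the needed change keeps this dependency under your control. The comment should also name what the fork replaces so it can be retired once upstream has it, e.g. `# the fork is needed for partition attributes support; upstream tracking: <UPSTREAM-ISSUE-OR-PR>`. The `# Impermenance` comment is misspelled.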
@@ -791,22 +839,53 @@ ]; };
- # home assistant
- # "jallen-hass" = nixpkgs-unstable.lib.nixosSystem {
- # system = "x86_64-linux";
- # modules = [
- # impermanence.nixosModules.impermanence
- # ./hosts/homeassistant/configuration.nix
- # sops-nix.nixosModules.sops
+ # NUC
+ "nuc-nixos" = nuc-nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = {
+ inherit inputs outputs;
+ };
+ modules = [
+ ./hosts/base/base-nogui
+ ./hosts/nuc/configuration.nix
- # home-manager.nixosModules.home-manager
- # {
- # home-manager.useGlobalPkgs = true;
- # home-manager.useUserPackages = true;
- # home-manager.users.hass-admin = import ./hosts/homeassistant/home.nix;
- # }
- # ];
- # };
+ nuc-lanzaboote.nixosModules.lanzaboote
+
+ nuc-impermanence.nixosModules.impermanence
+ ./hosts/nuc/impermanence.nix
+
+ nuc-disko.nixosModules.disko
+ ./modules/disko/disko.nix
+
+ nuc-home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = false;
+ home-manager.useUserPackages = true;
+ home-manager.users.admin =
+ { ... }:
+ {
+ imports = [
+ ./hosts/nuc/home.nix
+ ./modules/home/defaults.nix
+ ./modules/home/git.nix
+ ./modules/home/shell.nix
+ nuc-sops-nix.homeManagerModules.sops
+ ];
+ };
+ home-manager.users.root =
+ { ... }:
+ {
+ imports = [
+ ./modules/root-user
+ nuc-sops-nix.homeManagerModules.sops
+ ];
+ };
+ home-manager.backupFileExtension = "backup";
+ }
+
+ nuc-sops-nix.nixosModules.sops
+ ];
+ };
 }; darwinConfigurations = {
diff --git a/hosts/mac/homebrew.nix b/hosts/mac/homebrew.nix
index 51e6404..009eb2f 100644
--- a/hosts/mac/homebrew.nix
+++ b/hosts/mac/homebrew.nix
@@ -50,6 +50,7 @@ "vlc" "vscodium" "wine-stable"
+ "xpipe"
 "xquartz" ]; masApps = {
diff --git a/hosts/nuc/boot.nix b/hosts/nuc/boot.nix
new file mode 100755
index 0000000..2173425
--- /dev/null
+++ b/hosts/nuc/boot.nix
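Review bot: `home-manager.useGlobalPkgs = false` in the nuc-nixos module list means Home Manager evaluates its own nixpkgs instance for `admin` and `root`, so, as far as I can tell, the `nixpkgs.config.allowUnfree` and `permittedInsecurePackages` settings from hosts/nuc/configuration.nix will not apply to packages installed through the user-level modules. If that split is intended, a one-line comment next to it would spare the next reader a surprise, e.g. `# HM evaluates its own pkgs: unfree/insecure allowances must be repeated in the home modules`; otherwise `true` is the setting that shares the system instance. The enclosing `nixosConfigurations` attribute set begins outside the hunk.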
@@ -0,0 +1,58 @@
+{ pkgs, ... }:
+let
+ configLimit = 20;
+ kernel = pkgs.linuxPackages_latest;
+in
+{
+ # Configure bootloader with lanzaboot and secureboot
+ boot = {
+ kernelModules = [ "nct6775" ];
+ loader = {
+ systemd-boot = {
+ enable = true;
+ configurationLimit = configLimit;
+ };
+
+ efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint = "/boot";
+ };
+ };
+
+ lanzaboote = {
+ enable = false;
+ pkiBundle = "/etc/secureboot";
+ settings = {
+ console-mode = "max";
+ };
+ configurationLimit = configLimit;
+ };
+
+ # Override kernel to latest
+ kernelPackages = kernel;
+
+ kernelParams = [
+ "nohibernate"
+ ];
+
+ consoleLogLevel = 3;
+ bootspec.enable = true;
+
+ initrd = {
+ kernelModules = [
+ # "tpm"
+ # "tpm_tis"
+ # "tpm_crb"
+ # "tpm_infineon"
+ ];
+ systemd = {
+ enable = true;
+ tpm2.enable = true;
+ };
+ };
+ };
+
+ zramSwap = {
+ enable = true;
+ };
+}
diff --git a/hosts/nuc/configuration.nix b/hosts/nuc/configuration.nix
new file mode 100644
index 0000000..e3a18b8
--- /dev/null
+++ b/hosts/nuc/configuration.nix
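Review bot: The header comment `# Configure bootloader with lanzaboot and secureboot` does not describe what the block below it configures: `lanzaboote.enable = false` while `systemd-boot.enable = true`, so this host boots through plain systemd-boot with no signed boot chain, and the `pkiBundle` and `console-mode` settings are inert until that flag changes. Lanzaboote also requires systemd-boot to be switched off when it is enabled, so flipping the flag alone would not be enough; the comment should say so: `# Secure Boot via lanzaboote is staged but disabled; systemd-boot is the active loader. Enabling lanzaboote requires boot.loader.systemd-boot.enable = lib.mkForce false.` `initrd.systemd.tpm2.enable = true` with every TPM module commented out presumably relies on the drivers being built into the kernel — worth confirming on this hardware before anything in the initrd depends on the TPM.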
@@ -0,0 +1,55 @@
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}:
+{
+ imports = [
+ ./boot.nix
+ ./networking.nix
+ ./users.nix
+ ./sops.nix
+ ];
+
+ security.tpm2 = {
+ enable = true;
+ };
+
+ # Enable nix flakes and nix-command tools
+ nix = {
+ settings = {
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ warn-dirty = lib.mkForce false;
+ experimental-features = lib.mkForce [
+ "nix-command"
+ "flakes"
+ ];
+ trusted-users = [ "@wheel" ];
+ };
+
+ # Garbage collect automatically every week
+ gc.automatic = lib.mkDefault true;
+ gc.options = lib.mkDefault "--delete-older-than 30d";
+
+ optimise.automatic = lib.mkDefault true;
+ };
+
+ # Nixpkgs configuration
+ nixpkgs = {
+ config = {
+ allowUnfree = lib.mkForce true;
+ allowUnsupportedSystem = true;
+ permittedInsecurePackages = [
+ # ...
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/nuc/impermanence.nix b/hosts/nuc/impermanence.nix
new file mode 100755
index 0000000..2d21877
--- /dev/null
+++ b/hosts/nuc/impermanence.nix
@@ -0,0 +1,32 @@
+{ ... }:
+{
+ # Set up impernance configuration for things like bluetooth
+ # In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
+
+ environment.persistence."/nix/persist/system" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/tailscale"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ "/etc/secureboot"
+ {
+ directory = "/var/lib/private";
+ mode = "u=rwx,g=rx,o=";
+ }
+ {
+ directory = "/var/lib/colord";
+ user = "colord";
+ group = "colord";
+ mode = "u=rwx,g=rx,o=";
+ }
+ ];
+ };
+
+ security.sudo.extraConfig = ''
+ # rollback results in sudo lectures after each reboot
+ Defaults lecture = never
+ '';
+}
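Review bot: `trusted-users = [ "@wheel" ]` makes every wheel member a Nix trusted user, which is root-equivalent: a trusted user can hand the daemon arbitrary substituters and signing keys or turn off the sandbox, and hosts/nuc/users.nix in this same commit puts the `admin` account in wheel. That may be acceptable for a single-admin box, but it deserves to be stated, e.g. `# trusted-users may override substituters, keys and sandbox settings — treat as root-equivalent`, or the one account can be listed instead of the whole group. The `# Garbage collect automatically every week` comment is not backed by the options below it: `gc.automatic` and `gc.options` are set but no `gc.dates` appears, so the module's default schedule applies rather than a weekly one; either set `gc.dates = lib.mkDefault "weekly";` or fix the comment.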
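Review bot: `/var/lib/private` is persisted with `mode = "u=rwx,g=rx,o="` (0750), but systemd creates and expects that directory as root-owned 0700 for `DynamicUser=` state directories and, as far as I recall, refuses to set up a service's StateDirectory when the parent is more permissive — worth confirming on the host and, if so, changing that entry to `mode = "0700";`. `/etc/secureboot` is also persisted here while hosts/nuc/sops.nix in this commit re-creates the key files under that same path from sops at every activation, so the two mechanisms overlap and one of them should own the directory. The comment `# Set up impernance configuration` is misspelled.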
diff --git a/hosts/nuc/networking.nix b/hosts/nuc/networking.nix
new file mode 100755
index 0000000..dd45e79
--- /dev/null
+++ b/hosts/nuc/networking.nix
@@ -0,0 +1,60 @@
+{ config, ... }:
+let
+ # settings = import ./settings.nix;
+ ports = [
+ 8192
+ ];
+in
+{
+ # Networking configs
+ networking = {
+ hostName = "nuc-nixos";#settings.hostName;
+
+ useNetworkd = true;
+
+ # Disable Network Manager
+ networkmanager = {
+ enable = true;
+ ensureProfiles = {
+ environmentFiles = [
+ config.sops.secrets.wifi.path
+ ];
+
+ profiles = {
+ "Joey's Jungle 6G" = {
+ connection = {
+ id = "Joey's Jungle 6G";
+ type = "wifi";
+ };
+ ipv4 = {
+ address1 = "10.0.1.4/24";
+ dns = "10.0.1.1";
+ gateway = "10.0.1.1";
+ method = "manual";
+ };
+ ipv6 = {
+ addr-gen-mode = "stable-privacy";
+ method = "auto";
+ };
+ wifi = {
+ mode = "infrastructure";
+ ssid = "Joey's Jungle 6G";
+ };
+ wifi-security = {
+ key-mgmt = "sae";
+ psk = "$PSK";
+ };
+ };
+ };
+ };
+ };
+
+ firewall = {
+ enable = true;
+ allowPing = true;
+
+ allowedTCPPorts = ports;
+ allowedUDPPorts = ports;
+ };
+ };
+}
diff --git a/hosts/nuc/sops.nix b/hosts/nuc/sops.nix
new file mode 100755
index 0000000..aa16d43
--- /dev/null
+++ b/hosts/nuc/sops.nix
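Review bot: The comment `# Disable Network Manager` sits directly above `networkmanager.enable = true`, and the remnant `hostName = "nuc-nixos";#settings.hostName;` next to the commented-out `settings` import reads as an unfinished migration; replace the comment with `# NetworkManager with a declarative wifi profile; the PSK is injected from the sops environment file` and either restore the settings import or drop the trailing `#settings.hostName;`. Port 8192 is opened on both TCP and UDP with nothing saying which service listens there, so the firewall cannot be audited from this file; annotate it, `ports = [ 8192 ]; # <SERVICE-USING-THIS-PORT>`, or open the port next to the service definition that needs it. Keeping the PSK out of the profile via `psk = "$PSK"` and the env file is the right shape.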
@@ -0,0 +1,84 @@
+{ config, ... }:
+let
+ user = "nix-apps";
+in
+{
+ # Permission modes are in octal representation (same as chmod),
+ # the digits represent: user|group|others
+ # 7 - full (rwx)
+ # 6 - read and write (rw-)
+ # 5 - read and execute (r-x)
+ # 4 - read only (r--)
+ # 3 - write and execute (-wx)
+ # 2 - write only (-w-)
+ # 1 - execute only (--x)
+ # 0 - none (---)
+ # Either a user id or group name representation of the secret owner
+ # It is recommended to get the user name from `config.users.users..name` to avoid misconfiguration
+ # Either the group id or group name representation of the secret group
+ # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration
+ sops = {
+ defaultSopsFile = ../../secrets/nas-secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ # ------------------------------
+ # Secrets
+ # ------------------------------
+ secrets = {
+
+ "wifi" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ };
+
+ # ------------------------------
+ # Secureboot keys
+ # ------------------------------
+
+ "secureboot/GUID" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = "/etc/secureboot/GUID";
+ mode = "0640";
+ };
+ "secureboot/keys/db-key" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = "/etc/secureboot/keys/db/db.key";
+ mode = "0640";
+ };
+ "secureboot/keys/db-pem" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = "/etc/secureboot/keys/db/db.pem";
+ mode = "0640";
+ };
+ "secureboot/keys/KEK-key" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = "/etc/secureboot/keys/KEK/KEK.key";
+ mode = "0640";
+ };
+ "secureboot/keys/KEK-pem" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = "/etc/secureboot/keys/KEK/KEK.pem";
+ mode = "0640";
+ };
+ "secureboot/keys/PK-key" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = "/etc/secureboot/keys/PK/PK.key";
+ mode = "0640";
+ };
+ "secureboot/keys/PK-pem" = {
+ sopsFile = ../../secrets/secrets.yaml;
+ path = 
"/etc/secureboot/keys/PK/PK.pem";
+ mode = "0640";
+ };
+ "jallen-nas/attic-key" = {
+# owner = "atticd";
+ };
+ };
+
+ # ------------------------------
+ # Templates
+ # ------------------------------
+ templates = {
+ #
+ };
+ };
+}
diff --git a/hosts/nuc/users.nix b/hosts/nuc/users.nix
new file mode 100755
index 0000000..effa5d3
--- /dev/null
+++ b/hosts/nuc/users.nix
@@ -0,0 +1,40 @@
+{ pkgs, config, ... }:
+let
+ user = "admin";
+ # passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
+in
+{
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users = {
+ # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
+ mutableUsers = false;
+
+ # Admin account
+ users."${user}" = {
+ isNormalUser = true;
+ linger = true;
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "docker"
+ "podman"
+ "libvirtd"
+ ];
+ # hashedPasswordFile = passwordFile;
+ password = "BogieDudie1";
+ shell = pkgs.zsh;
+ packages = with pkgs; [
+ ];
+ openssh.authorizedKeys.keys = [
+ # macBook
+ "ssh-rsa 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 mattjallen@MacBook-Pro.local"
+ # desktop windows
+ "ssh-rsa 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 mattl@Jallen-PC"
+ # desktop nixos
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
+ ];
+ };
+
+ users.root.shell = pkgs.zsh;
+ };
+}
\ No newline at end of file
diff --git a/modules/home/vscode.nix b/modules/home/vscode.nix
index a0fff40..34439f3 100644
--- a/modules/home/vscode.nix
+++ b/modules/home/vscode.nix
@@ -40,7 +40,7 @@ in vscode-extensions.yy0931.vscode-sqlite3-editor # open-remote-ssh
- # nix-vscode-extensions.open-vsx.jeanp413.open-remote-ssh
+ nix-vscode-extensions.open-vsx.jeanp413.open-remote-ssh
 ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ { name = "copilot-mcp";
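Review bot: The Secure Boot private keys (`db.key`, `KEK.key`, `PK.key`) are installed with `mode = "0640"`, which is wider than the signing tooling needs — only root reads them — so `mode = "0600";` on the three `*-key` entries is the tighter default, while the `.pem` certificates and the GUID can keep their current mode. Because hosts/nuc/boot.nix in this same commit sets `lanzaboote.enable = false`, these private keys are decrypted onto the host at every activation without anything using them; keeping them in the encrypted file until Secure Boot is actually switched on, or gating the declarations on that option, shrinks the exposure window. Also, `user = "nix-apps"` in the `let` block is unused, and `defaultSopsFile` points at nas-secrets.yaml while every declared secret except `jallen-nas/attic-key` overrides it with secrets.yaml — a short comment on why that is the default would stop the next reader from "fixing" it.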
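Review bot: `password = "BogieDudie1"` stores the admin account's password as a plaintext literal in the repository; with `mutableUsers = false` this literal is the live credential, and it also lands in the world-readable Nix store on the host and in git history. The host already imports the sops module, so the intended form is the commented-out one: declare the secret in hosts/nuc/sops.nix and use `hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;` (that secret name is not declared in the sops.nix hunk of this commit, so it needs adding there too). The committed value should be treated as disclosed and rotated, and once the sops path is restored the currently unused `config` argument is used again.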