mjallen18
2025-07-15 17:08:36 -05:00
parent 0fcb6e07f7
commit 17d4e87056
9 changed files with 425 additions and 16 deletions

109
flake.nix

@@ -322,6 +322,47 @@
inputs.nixpkgs.follows = "mac-nixpkgs"; inputs.nixpkgs.follows = "mac-nixpkgs";
}; };
#####################################################
# NUC #
#####################################################
# nixpgs
nuc-nixpkgs = {
# url = "github:NixOS/nixpkgs/nixos-24.11";
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Home Manager
nuc-home-manager = {
# url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
# Impermenance
nuc-impermanence = {
url = "github:nix-community/impermanence";
};
# Lanzaboote
nuc-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
# Sops-nix
nuc-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
nuc-disko = {
# the fork is needed for partition attributes support
url = "github:nvmd/disko/gpt-attrs";
# url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nuc-nixpkgs";
};
##################################################### #####################################################
# Common # # Common #
##################################################### #####################################################
@@ -409,6 +450,13 @@
mac-impermanence, mac-impermanence,
mac-sops-nix, mac-sops-nix,
nuc-nixpkgs,
nuc-home-manager,
nuc-impermanence,
nuc-lanzaboote,
nuc-sops-nix,
nuc-disko,
# Common # Common
nixpkgs-unstable, nixpkgs-unstable,
nixpkgs-stable, nixpkgs-stable,
@@ -791,22 +839,53 @@
]; ];
}; };
# home assistant # NUC
# "jallen-hass" = nixpkgs-unstable.lib.nixosSystem { "nuc-nixos" = nuc-nixpkgs.lib.nixosSystem {
# system = "x86_64-linux"; system = "x86_64-linux";
# modules = [ specialArgs = {
# impermanence.nixosModules.impermanence inherit inputs outputs;
# ./hosts/homeassistant/configuration.nix };
# sops-nix.nixosModules.sops modules = [
./hosts/base/base-nogui
./hosts/nuc/configuration.nix
# home-manager.nixosModules.home-manager nuc-lanzaboote.nixosModules.lanzaboote
# {
# home-manager.useGlobalPkgs = true; nuc-impermanence.nixosModules.impermanence
# home-manager.useUserPackages = true; ./hosts/nuc/impermanence.nix
# home-manager.users.hass-admin = import ./hosts/homeassistant/home.nix;
# } nuc-disko.nixosModules.disko
# ]; ./modules/disko/disko.nix
# };
nuc-home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true;
home-manager.users.admin =
{ ... }:
{
imports = [
./hosts/nuc/home.nix
./modules/home/defaults.nix
./modules/home/git.nix
./modules/home/shell.nix
nuc-sops-nix.homeManagerModules.sops
];
};
home-manager.users.root =
{ ... }:
{
imports = [
./modules/root-user
nuc-sops-nix.homeManagerModules.sops
];
};
home-manager.backupFileExtension = "backup";
}
nuc-sops-nix.nixosModules.sops
];
};
}; };
darwinConfigurations = { darwinConfigurations = {
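Review bot: The `nuc-disko` input in the first hunk points at a personal fork by branch name (`github:nvmd/disko/gpt-attrs`), and disko is the module that partitions and formats the disk as root, so whoever controls that branch controls the installer; the lock file pins the resolved commit today, but the next `nix flake update` will move to whatever the branch holds then. Pin it to the commit that was actually reviewed and record why, e.g. `# tracks upstream PR for GPT partition attributes; pinned to the audited rev, drop once merged` with the rev in the URL instead of the branch. `nuc-home-manager` and `nuc-sops-nix` also follow branch heads while `nuc-lanzaboote` is tagged at v0.4.2; pinning all of the NUC inputs the same way would make the trust boundary explicit. The `inputs`/`outputs` attribute sets and the `nixosConfigurations` set around the `nuc-nixos` hunk start and end outside this section.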


@@ -50,6 +50,7 @@
"vlc" "vlc"
"vscodium" "vscodium"
"wine-stable" "wine-stable"
"xpipe"
"xquartz" "xquartz"
]; ];
masApps = { masApps = {

58
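--- a/hosts/nuc/boot.nix
+++ b/hosts/nuc/boot.nix
@@ -0,0 +1,58 @@
+{ pkgs, ... }:
+let
+configLimit = 20;
+kernel = pkgs.linuxPackages_latest;
+in
+{
+# Configure bootloader with lanzaboot and secureboot
+boot = {
+kernelModules = [ "nct6775" ];
+loader = {
+systemd-boot = {
+enable = true;
+configurationLimit = configLimit;
+};
+efi = {
+canTouchEfiVariables = true;
+efiSysMountPoint = "/boot";
+};
+};
+lanzaboote = {
+enable = false;
+pkiBundle = "/etc/secureboot";
+settings = {
+console-mode = "max";
+};
+configurationLimit = configLimit;
+};
+# Override kernel to latest
+kernelPackages = kernel;
+kernelParams = [
+"nohibernate"
+];
+consoleLogLevel = 3;
+bootspec.enable = true;
+initrd = {
+kernelModules = [
+# "tpm"
+# "tpm_tis"
+# "tpm_crb"
+# "tpm_infineon"
+];
+systemd = {
+enable = true;
+tpm2.enable = true;
+};
+};
+};
+zramSwap = {
+enable = true;
+};
+}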
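Review bot: The header comment says this file configures Secure Boot with lanzaboote, but `lanzaboote.enable = false` and `systemd-boot.enable = true`, so the host boots the stock systemd-boot and the PKI bundle at `/etc/secureboot` (which sops.nix populates with the PK/KEK/db keys) is never used to sign anything. If this is a deliberate staging step, say so where the next reader will look: `# lanzaboote is OFF: nothing is signed and Secure Boot is not enforced until enable = true and the keys in pkiBundle are enrolled in firmware`. When it is switched on, the lanzaboote documentation has `boot.loader.systemd-boot.enable = lib.mkForce false;` set alongside it (verify against the pinned v0.4.2 module), so the two flags should be flipped in the same change rather than left to disagree. `canTouchEfiVariables = true` is fine for a machine you own, but it is the setting that lets a root compromise rewrite boot entries, which matters more once signing is on.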


@@ -0,0 +1,55 @@
{
config,
pkgs,
lib,
inputs,
...
}:
{
imports = [
./boot.nix
./networking.nix
./users.nix
./sops.nix
];
security.tpm2 = {
enable = true;
};
# Enable nix flakes and nix-command tools
nix = {
settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
warn-dirty = lib.mkForce false;
experimental-features = lib.mkForce [
"nix-command"
"flakes"
];
trusted-users = [ "@wheel" ];
};
# Garbage collect automatically every week
gc.automatic = lib.mkDefault true;
gc.options = lib.mkDefault "--delete-older-than 30d";
optimise.automatic = lib.mkDefault true;
};
# Nixpkgs configuration
nixpkgs = {
config = {
allowUnfree = lib.mkForce true;
allowUnsupportedSystem = true;
permittedInsecurePackages = [
# ...
];
};
};
}
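Review bot: `trusted-users = [ "@wheel" ]` makes every `wheel` member a trusted user of the Nix daemon, which is root-equivalent: a trusted user can pass any `--option` including `substituters` and `trusted-public-keys`, and can import unsigned store paths, so the cache allow-list configured a few lines above only constrains users who are not in `wheel`. The `admin` account created in users.nix is in `wheel`, so this is effectively daemon-level root for it with no sudo prompt. If that is the intent, narrow it to the named account and document the consequence: `trusted-users = [ "root" "admin" ]; # daemon trust == root: keep this to accounts that already hold unrestricted sudo`. This file section is rendered without its filename; from the `imports` list and flake.nix it appears to be `hosts/nuc/configuration.nix`.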

32
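--- a/hosts/nuc/impermanence.nix
+++ b/hosts/nuc/impermanence.nix
@@ -0,0 +1,32 @@
+{ ... }:
+{
+# Set up impernance configuration for things like bluetooth
+# In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
+environment.persistence."/nix/persist/system" = {
+hideMounts = true;
+directories = [
+"/var/lib/bluetooth"
+"/var/lib/nixos"
+"/var/lib/tailscale"
+"/var/lib/systemd/coredump"
+"/etc/NetworkManager/system-connections"
+"/etc/secureboot"
+{
+directory = "/var/lib/private";
+mode = "u=rwx,g=rx,o=";
+}
+{
+directory = "/var/lib/colord";
+user = "colord";
+group = "colord";
+mode = "u=rwx,g=rx,o=";
+}
+];
+};
+security.sudo.extraConfig = ''
+# rollback results in sudo lectures after each reboot
+Defaults lecture = never
+'';
+}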
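Review bot: Persisting `/var/lib/systemd/coredump` undercuts part of what the root rollback buys you: core dumps are raw process memory and can contain the decrypted WiFi PSK, sops-rendered key material, or anything else a crashing service had loaded, and with this entry they survive every reboot on `/nix/persist/system`. Either drop the entry or make the trade-off visible, e.g. keep the line commented with `# "/var/lib/systemd/coredump" # not persisted on purpose: dumps can hold secrets`. `/etc/secureboot` is persisted here while sops.nix renders the PK/KEK/db keys to paths inside it at activation; per the sops-nix `path` option description a non-default path is a symlink into the runtime secrets directory, so the persisted copy would hold only links — worth confirming and stating in a comment, because if real files ever land there the private keys move onto the persistent volume. The comment on line 3 also has a typo (`impernance` → `impermanence`) and the file-level comment says /etc and /var/log are persistent, which this file does not show; pointing at the exact hardware-configuration mount would help.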

60
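--- a/hosts/nuc/networking.nix
+++ b/hosts/nuc/networking.nix
@@ -0,0 +1,60 @@
+{ config, ... }:
+let
+# settings = import ./settings.nix;
+ports = [
+8192
+];
+in
+{
+# Networking configs
+networking = {
+hostName = "nuc-nixos";#settings.hostName;
+useNetworkd = true;
+# Disable Network Manager
+networkmanager = {
+enable = true;
+ensureProfiles = {
+environmentFiles = [
+config.sops.secrets.wifi.path
+];
+profiles = {
+"Joey's Jungle 6G" = {
+connection = {
+id = "Joey's Jungle 6G";
+type = "wifi";
+};
+ipv4 = {
+address1 = "10.0.1.4/24";
+dns = "10.0.1.1";
+gateway = "10.0.1.1";
+method = "manual";
+};
+ipv6 = {
+addr-gen-mode = "stable-privacy";
+method = "auto";
+};
+wifi = {
+mode = "infrastructure";
+ssid = "Joey's Jungle 6G";
+};
+wifi-security = {
+key-mgmt = "sae";
+psk = "$PSK";
+};
+};
+};
+};
+};
+firewall = {
+enable = true;
+allowPing = true;
+allowedTCPPorts = ports;
+allowedUDPPorts = ports;
+};
+};
+}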
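Review bot: The firewall opens both TCP and UDP 8192 on every interface through `ports`, but nothing in this file or elsewhere in the commit says which service listens there, so a reviewer cannot judge whether the exposure is needed or which transport is actually used. Name it on the list entry, `8192 # TODO: which service listens here, and must it be reachable on every interface?`, and if only one transport is used drop the other; `networking.firewall.interfaces.<name>.allowedTCPPorts` would scope it to the WiFi interface if that is the only client path. The comment `# Disable Network Manager` sits directly above `networkmanager.enable = true`, and `useNetworkd = true` is set next to it; if both are meant to run (NetworkManager for WiFi, networkd for the rest) the comment should say that, because as written it states the opposite of the code. Keeping the WPA3 PSK out of the store via `psk = "$PSK"` and the sops environment file is the right pattern and deserves a one-line comment so nobody "simplifies" it back to a literal.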

84
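--- a/hosts/nuc/sops.nix
+++ b/hosts/nuc/sops.nix
@@ -0,0 +1,84 @@
+{ config, ... }:
+let
+user = "nix-apps";
+in
+{
+# Permission modes are in octal representation (same as chmod),
+# the digits represent: user|group|others
+# 7 - full (rwx)
+# 6 - read and write (rw-)
+# 5 - read and execute (r-x)
+# 4 - read only (r--)
+# 3 - write and execute (-wx)
+# 2 - write only (-w-)
+# 1 - execute only (--x)
+# 0 - none (---)
+# Either a user id or group name representation of the secret owner
+# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
+# Either the group id or group name representation of the secret group
+# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
+sops = {
+defaultSopsFile = ../../secrets/nas-secrets.yaml;
+age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+# ------------------------------
+# Secrets
+# ------------------------------
+secrets = {
+"wifi" = {
+sopsFile = ../../secrets/secrets.yaml;
+};
+# ------------------------------
+# Secureboot keys
+# ------------------------------
+"secureboot/GUID" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/GUID";
+mode = "0640";
+};
+"secureboot/keys/db-key" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/keys/db/db.key";
+mode = "0640";
+};
+"secureboot/keys/db-pem" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/keys/db/db.pem";
+mode = "0640";
+};
+"secureboot/keys/KEK-key" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/keys/KEK/KEK.key";
+mode = "0640";
+};
+"secureboot/keys/KEK-pem" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/keys/KEK/KEK.pem";
+mode = "0640";
+};
+"secureboot/keys/PK-key" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/keys/PK/PK.key";
+mode = "0640";
+};
+"secureboot/keys/PK-pem" = {
+sopsFile = ../../secrets/secrets.yaml;
+path = "/etc/secureboot/keys/PK/PK.pem";
+mode = "0640";
+};
+"jallen-nas/attic-key" = {
+# owner = "atticd";
+};
+};
+# ------------------------------
+# Templates
+# ------------------------------
+templates = {
+#
+};
+};
+}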
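Review bot: The Secure Boot private keys (`PK.key`, `KEK.key`, `db.key`) are rendered with `mode = "0640"` even though only root ever needs to read them; with sops-nix's default owner and group (root:root, if nothing overrides it) the group bit is dormant today, but the first `group = ...` someone adds to share a certificate would also expose the signing keys. Set the three `.key` entries to `mode = "0600";` and keep a wider mode only for the `.pem` certificates and `GUID`, which are public material, with a comment marking the split: `# private keys: root-only; certs/GUID: readable`. Keeping the Platform Key private key on the device at all is worth a deliberate decision — PK is only needed to enroll or replace the KEK, so it can live offline unless sbctl is expected to re-enroll from this host; state which in a comment. `let user = "nix-apps"` is unused, and the `jallen-nas/attic-key` entry with its owner commented out falls back to root-only, which should be confirmed as intended for whatever consumes it.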

40
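--- a/hosts/nuc/users.nix
+++ b/hosts/nuc/users.nix
@@ -0,0 +1,40 @@
+{ pkgs, config, ... }:
+let
+user = "admin";
+# passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
+in
+{
+# Define a user account. Don't forget to set a password with passwd.
+users = {
+# See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
+mutableUsers = false;
+# Admin account
+users."${user}" = {
+isNormalUser = true;
+linger = true;
+extraGroups = [
+"wheel"
+"networkmanager"
+"docker"
+"podman"
+"libvirtd"
+];
+# hashedPasswordFile = passwordFile;
+password = "BogieDudie1";
+shell = pkgs.zsh;
+packages = with pkgs; [
+];
+openssh.authorizedKeys.keys = [
+# macBook
+"ssh-rsa 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 mattjallen@MacBook-Pro.local"
+# desktop windows
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
+# desktop nixos
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
+];
+};
+users.root.shell = pkgs.zsh;
+};
+}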
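Review bot: `password = "BogieDudie1"` commits a cleartext password for an account that is in `wheel`, `docker` and `libvirtd` (each of which is root-equivalent), and with `mutableUsers = false` it is authoritative; it is now in git history and, as the NixOS option description for `password` warns, lands world-readable in the Nix store on the host. Treat the password as compromised and rotate it, then use the commented-out path: in the `let`, `passwordFile = config.sops.secrets."jallen-nas/admin_password".path;`, and in the account `hashedPasswordFile = passwordFile;` in place of the `password` line, with the secret holding a `mkpasswd`-style hash rather than the plaintext. Note that sops.nix in this same commit declares no `jallen-nas/admin_password` secret, so the entry has to be added there for the path to exist at activation. Since SSH keys are the intended login path, a comment such as `# interactive login is key-only; password hash comes from sops, never a literal` will stop the literal from coming back.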


@@ -40,7 +40,7 @@ in
vscode-extensions.yy0931.vscode-sqlite3-editor vscode-extensions.yy0931.vscode-sqlite3-editor
# open-remote-ssh # open-remote-ssh
# nix-vscode-extensions.open-vsx.jeanp413.open-remote-ssh nix-vscode-extensions.open-vsx.jeanp413.open-remote-ssh
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [ ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{ {
name = "copilot-mcp"; name = "copilot-mcp";