merge

hosts/pi5/boot.nix

@@ -0,0 +1,18 @@
+{ pkgs, lib, ... }:
+{
+  boot = {
+    kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [
+      "usbhid"
+      "usb_storage"
+      "vc4"
+      "pcie_brcmstb" # required for the pcie bus to work
+      "reset-raspberrypi" # required for vl805 firmware to load
+    ];
+
+    loader = {
+      grub.enable = lib.mkDefault false;
+      generic-extlinux-compatible.enable = lib.mkForce true;
+    };
+  };
+}

hosts/pi5/configuration.nix

@@ -0,0 +1,141 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+let
+  user = "matt";
+  password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
+  SSID = "Joey's Jungle 5G";
+  wifiSecrets = config.sops.secrets."wifi-password".path;
+  interface = "wlan0";
+  timezone = "America/Chicago";
+  hostname = "pi5";
+in
+{
+  imports = [
+    ./boot.nix
+    # ./hardware-configuration.nix
+    ./impermanence.nix
+#    ./sops.nix
+    ../default.nix
+  ];
+
+  raspberry-pi-nix.board = lib.mkForce "bcm2712";
+
+  # Enable nix flakes and nix-command tools
+  nix = {
+    settings = {
+      substituters = [
+        # "https://cache.mjallen.dev"
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+      ];
+      trusted-public-keys = [
+        # "cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+      warn-dirty = lib.mkForce false;
+      experimental-features = lib.mkForce [
+        "nix-command"
+        "flakes"
+      ];
+      trusted-users = lib.mkDefault [
+        "root"
+        "@wheel"
+        user
+      ];
+    };
+  };
+ 
+  services.xserver = {
+    enable = false;
+    desktopManager = {
+      budgie.enable = false;
+    };
+    displayManager = {
+      lightdm.enable = false;
+    };
+  };
+
+  hardware = {
+    raspberry-pi."4".fkms-3d.enable = false;
+    raspberry-pi."4".apply-overlays-dtmerge.enable = false;
+    raspberry-pi."4".audio.enable = false;
+    raspberry-pi."4".bluetooth.enable = false;
+    raspberry-pi."4".dwc2.enable = false;
+    raspberry-pi."4".xhci.enable = false;
+  };
+
+  # Set your time zone.
+  time.timeZone = timezone;
+
+  networking = {
+    networkmanager.enable = lib.mkForce false;
+    hostName = hostname;
+    wireless = {
+      enable = false;
+      secretsFile = wifiSecrets;
+      networks."${SSID}".psk = "ext:PSK";
+      interfaces = [ interface ];
+    };
+
+    defaultGateway.address = "10.0.1.1";
+    nameservers = [ "10.0.1.1" ];
+
+    interfaces.enabcm6e4ei0.ipv4.addresses = [ {
+     address = "10.0.1.2";
+     prefixLength = 24;
+    } ];
+
+    firewall = {
+      enable = true;
+      allowPing = true;
+      allowedTCPPorts = [ 80 53 ];
+      allowedUDPPorts = [ 80 53 ];
+    };
+  };
+
+  systemd.services.btattach = {
+    before = [ "bluetooth.service" ];
+    after = [ "dev-ttyAMA0.device" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    argononed
+    vim
+    libraspberrypi
+    raspberrypi-eeprom
+    raspberrypifw
+    raspberrypiWirelessFirmware
+    raspberrypi-armstubs
+    htop
+    git
+  ];
+
+  services.openssh.enable = true;
+
+  programs.nix-index = {
+    enable = true;
+    enableBashIntegration = true;
+    enableZshIntegration = true;
+  };
+
+  users = {
+    mutableUsers = false;
+    users."${user}" = {
+      isNormalUser = true;
+      initialHashedPassword = password;
+      extraGroups = [
+        "wheel"
+        "docker"
+      ];
+      shell = pkgs.zsh;
+    };
+  };
+}

hosts/pi5/hardware-configuration.nix

@@ -0,0 +1,76 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "none";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/7EC2-DEAC";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/boot/firmware" =
+    { device = "/dev/disk/by-uuid/7E6D-6434";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/9141e15a-2ac8-4344-affe-8408800a442b";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  fileSystems."/etc" =
+    { device = "/dev/disk/by-uuid/9141e15a-2ac8-4344-affe-8408800a442b";
+      fsType = "btrfs";
+      options = [ "subvol=etc" ];
+    };
+
+  fileSystems."/var/log" =
+    { device = "/dev/disk/by-uuid/9141e15a-2ac8-4344-affe-8408800a442b";
+      fsType = "btrfs";
+      options = [ "subvol=log" ];
+    };
+
+  fileSystems."/root" =
+    { device = "/dev/disk/by-uuid/9141e15a-2ac8-4344-affe-8408800a442b";
+      fsType = "btrfs";
+      options = [ "subvol=root" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9141e15a-2ac8-4344-affe-8408800a442b";
+      fsType = "btrfs";
+      options = [ "subvol=home" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d390a564-9ef9-4c7d-ae1a-93951e9873dd"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

hosts/pi5/home.nix

@@ -0,0 +1,92 @@
+{ ... }:
+let
+  shellAliases = {
+    ll = "ls -alh";
+    update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.18";
+    update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.18";
+    update-flake = "sudo nix flake update ~/nix-config";
+    update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.18 --build-host admin@10.0.1.18 --flake ~/nix-config#jallen-nas";
+    nas-ssh = "kitten ssh admin@10.0.1.18";
+  };
+
+  gitAliases = {
+    co = "checkout";
+    ci = "commit";
+    cia = "commit --amend";
+    s = "status";
+    st = "status";
+    b = "branch";
+    p = "pull --rebase";
+    pu = "push";
+  };
+in
+{
+
+  home.username = "matt";
+  home.homeDirectory = "/home/matt";
+  home.stateVersion = "23.11";
+
+  sops = {
+    age.keyFile = "/home/matt/.config/sops/age/keys.txt";
+    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+    validateSopsFiles = false;
+    secrets = {
+      "ssh-keys-public/pi4" = {
+        path = "/home/matt/.ssh/id_ed25519.pub";
+        mode = "0644";
+      };
+      "ssh-keys-private/pi4" = {
+        path = "/home/matt/.ssh/id_ed25519";
+        mode = "0600";
+      };
+      "ssh-keys-public/desktop-nixos" = {
+        path = "/home/matt/.ssh/authorized_keys";
+        mode = "0600";
+      };
+
+      "ssh-keys-public/desktop-nixos-root" = {
+        path = "/home/matt/.ssh/authorized_keys2";
+        mode = "0600";
+      };
+
+      "ssh-keys-public/desktop-windows" = {
+        path = "/home/matt/.ssh/authorized_keys3";
+        mode = "0600";
+      };
+
+      "ssh-keys-public/macbook-macos" = {
+        path = "/home/matt/.ssh/authorized_keys4";
+        mode = "0600";
+      };
+    };
+  };
+
+  programs = {
+    fish.enable = false;
+    mangohud.enable = true;
+    java.enable = true;
+    home-manager.enable = true;
+
+    zsh = {
+      enable = true;
+      enableCompletion = true;
+      autosuggestion.enable = true;
+      syntaxHighlighting.enable = true;
+
+      shellAliases = shellAliases;
+
+      oh-my-zsh = {
+        enable = true;
+        plugins = [ "git" ];
+        theme = "fishy";
+      };
+    };
+    
+    git = {
+      enable = true;
+      userName = "mjallen18";
+      userEmail = "matt.l.jallen@gmail.com";
+      aliases = gitAliases;
+    };
+  };
+}

hosts/pi5/impermanence.nix

@@ -0,0 +1,36 @@
+{ ... }:
+{
+  # Set up impernance configuration for things like bluetooth
+  # In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
+
+  environment.persistence."/nix/persist/system" = {
+    hideMounts = true;
+    directories = [
+      "/var/lib/bluetooth"
+      "/var/lib/nixos"
+      "/var/lib/libvirt"
+      "/var/lib/systemd/coredump"
+      {
+        directory = "/var/lib/private";
+        mode = "u=rwx,g=,o=";
+      }
+      "/etc/NetworkManager/system-connections"
+      {
+        directory = "/etc/nix";
+        user = "root";
+        group = "root";
+        mode = "u=rwx,g=rx,o=rx";
+      }
+    ];
+#    files = [
+#      "/etc/machine-id"
+#      { file = "/etc/nix/id_rsa"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+#    ];
+  };
+
+  security.sudo.extraConfig = ''
+    # rollback results in sudo lectures after each reboot
+    Defaults lecture = never
+  '';
+
+}

hosts/pi5/sops.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+    secrets = {
+      "wifi" = { };
+    };
+  };
+}