mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

desktop is building I guess, idk, need to start commiting stuff eventually lmao

Browse Source
This commit is contained in:
mjallen18
2025-07-17 20:57:18 -05:00
parent 6c7c76887b
commit 442c24997d
219 changed files with 3166 additions and 3583 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
systems/aarch64-linux/pi4/adguard.nix Normal file
View File

@@ -0,0 +1,57 @@
{ ... }:
{
services.adguardhome = {
enable = true;
openFirewall = true;
allowDHCP = true;
mutableSettings = true;
settings = {
http.address = "0.0.0.0:0";
users = [
{
name = "mjallen";
password = "$2a$10$G07P7V1EnBQxWtMNGyfgTOTpAgr4d.uqYoG.cGSFCv9jQdiYWCsfq";
}
];
dns = {
upstream_dns = [
"https://dns10.quad9.net/dns-query"
"1.1.1.1"
"8.8.8.8"
];
bootstrap_dns = [
"9.9.9.10"
"149.112.112.10"
"2620:fe::10"
"2620:fe::fe:10"
];
upstream_mode = "load_balance";
trusted_proxies = [
"127.0.0.0/8"
"::1/128"
"10.0.1.3"
];
cache_optimistic = true;
};
dhcp = {
enabled = false;
interface_name = "end0";
local_domain_name = "lan";
dhcpv4 = {
gateway_ip = "10.0.1.1";
subnet_mask = "255.255.255.0";
range_start = "10.0.1.100";
range_end = "10.0.1.254";
lease_duration = 86400;
icmp_timeout_msec = 1000;
};
dhcpv6 = {
range_start = "2001::1";
lease_duration = 86400;
ra_slaac_only = false;
ra_allow_slaac = false;
};
};
};
};
}

69
systems/aarch64-linux/pi4/argononed.nix Normal file
View File

@@ -0,0 +1,69 @@
# { ... }:
# {
# programs.argon.one = {
# enable = true;
# settings = {
# # Is 'celsius' by default, can also be set to 'fahrenheit'
# displayUnits = "celsius";
# # This is the same config as the original Argon40 config.
# # This is also the default config for this flake.
# fanspeed = [
# {
# # This the temperature threshold at which this fan speed will activate.
# # The temperature is in the above specified unit.
# temperature = 55;
# # This is speed percentage at which the fan will spin.
# speed = 30;
# }
# {
# temperature = 60;
# speed = 55;
# }
# {
# temperature = 65;
# speed = 100;
# }
# ];
# ir = {
# enable = true;
# gpio.enable = true;
# keymap = {
# "POWER" = "00ff39c6";
# "UP" = "00ff53ac";
# "DOWN" = "00ff4bb4";
# "LEFT" = "00ff9966";
# "RIGHT" = "00ff837c";
# "VOLUMEUP" = "00ff01fe";
# "VOLUMEDOWN" = "00ff817e";
# "OK" = "00ff738c";
# "HOME" = "00ffd32c";
# "MENU" = "00ffb946";
# "BACK" = "00ff09f6";
# };
# };
# };
# };
# }
# { lib, stdenv, pkgs, config, ...}:
# {
# imports = let
# argononed = fetchGit {
# url = "https://github.com/mjallen18/argononed.git";
# ref = "dev"; # Or any other branches deemed suitable
# };
# in
# [ "${argononed}/OS/nixos" ];
# services.argonone = {
# enable = true;
# logLevel = 4;
# settings = {
# fanTemp0 = 36; fanSpeed0 = 10;
# fanTemp1 = 41; fanSpeed1 = 50;
# fanTemp2 = 46; fanSpeed2 = 80;
# hysteresis = 4;
# };
# };
# }

78
systems/aarch64-linux/pi4/boot.nix Executable file
View File

@@ -0,0 +1,78 @@
# { pkgs, lib, ... }:
# let
# uefi_pi4 = pkgs.callPackage ./pi4-uefi.nix { };
# in
# {
# boot = {
# loader = {
# systemd-boot.enable = lib.mkForce false;
# efi.canTouchEfiVariables = false;
# generic-extlinux-compatible.enable = lib.mkForce true;
# };
# plymouth.enable = false;
# kernelPackages = pkgs.linuxPackages_rpi4;
# kernelModules = [ "i2c-dev" "i2c-bcm2835" ];
# initrd.kernelModules = [ "i2c-dev" "i2c-bcm2835" ];
# };
# # environment.systemPackages = [ uefi_pi4 ];
# # Copy UEFI firmware files to the boot partition
# # system.activationScripts.installUEFIFirmware.text = ''
# # cp -r ${uefi_pi4}/share/uefi_rpi4/* /boot/firmware/
# # '';
# }
{ pkgs, lib, ... }:
let
kernelBundle = pkgs.linuxAndFirmware.latest;
in
{
boot = {
loader.raspberryPi.firmwarePackage = kernelBundle.raspberrypifw;
kernelPackages = kernelBundle.linuxPackages_rpi4;
};
hardware.raspberry-pi.config = {
all = { # [all] conditional filter, https://www.raspberrypi.com/documentation/computers/config_txt.html#conditional-filters
base-dt-params = {
i2c_arm = {
enable = true;
value = "on";
};
i2c = {
enable = true;
value = "on";
};
spi = {
enable = true;
value = "on";
};
};
options = {
# https://www.raspberrypi.com/documentation/computers/config_txt.html#enable_uart
# in conjunction with `console=serial0,115200` in kernel command line (`cmdline.txt`)
# creates a serial console, accessible using GPIOs 14 and 15 (pins
# 8 and 10 on the 40-pin header)
enable_uart = {
enable = true;
value = true;
};
# https://www.raspberrypi.com/documentation/computers/config_txt.html#uart_2ndstage
# enable debug logging to the UART, also automatically enables
# UART logging in `start.elf`
uart_2ndstage = {
enable = true;
value = true;
};
};
# Base DTB parameters
# https://github.com/raspberrypi/linux/blob/a1d3defcca200077e1e382fe049ca613d16efd2b/arch/arm/boot/dts/overlays/README#L132
base-dt-params = {
};
};
};
}

113
systems/aarch64-linux/pi4/configuration.nix Executable file
View File

@@ -0,0 +1,113 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
let
user = "matt";
# password = config.sops.secrets."pi4/matt-password".path;
kernelBundle = pkgs.linuxAndFirmware.latest;
in
{
imports = [
./adguard.nix
./boot.nix
./impermanence.nix
./networking.nix
./sops.nix
];
nix = {
settings = {
substituters = [
"https://nixos-raspberrypi.cachix.org"
"https://cache.mjallen.dev"
];
trusted-public-keys = [
"nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
"cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
];
};
};
# Configure nixpkgs
nixpkgs = {
overlays = lib.mkAfter [
(self: super: {
# This is used in (modulesPath + "/hardware/all-firmware.nix") when at least
# enableRedistributableFirmware is enabled
# I know no easier way to override this package
inherit (kernelBundle) raspberrypiWirelessFirmware;
# Some derivations want to use it as an input,
# e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules
inherit (kernelBundle) raspberrypifw;
})
];
};
system.nixos.tags = let
cfg = config.boot.loader.raspberryPi;
in [
"raspberry-pi-${cfg.variant}"
cfg.bootloader
config.boot.kernelPackages.kernel.version
];
programs.zsh.enable = true;
hardware.i2c.enable = true;
services = {
openssh = {
enable = true;
authorizedKeysFiles = [
config.sops.secrets."ssh-keys-public/pi5".path
];
hostKeys = [ ];
};
};
systemd.services.btattach = {
before = [ "bluetooth.service" ];
after = [ "dev-ttyAMA0.device" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.bluez}/bin/btattach -B /dev/ttyAMA0 -P bcm -S 3000000";
};
};
environment = {
systemPackages = with pkgs; [
i2c-tools
libraspberrypi
raspberrypi-eeprom
raspberrypifw
raspberrypiWirelessFirmware
raspberrypi-armstubs
];
};
users = {
mutableUsers = false;
users."${user}" = {
isNormalUser = true;
# hashedPasswordFile = password;
password = "BogieDudie1";
extraGroups = [
"wheel"
"docker"
"video"
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
};
users.root.shell = pkgs.zsh;
};
}

66
systems/aarch64-linux/pi4/home.nix Executable file
View File

@@ -0,0 +1,66 @@
{ lib, ... }:
let
shellAliases = {
ll = "ls -alh";
update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
update-switch = "sudo nixos-rebuild switch --max-jobs 10 --build-host admin@10.0.1.3";
update-flake = "nix flake update pi4-nixpkgs pi4-home-manager pi4-impermanence pi4-sops-nix pi4-nixos-hardware pi4-nixos-raspberrypi pi4-disko --flake /etc/nixos";
update-nas = "nixos-rebuild switch --use-remote-sudo --target-host admin@10.0.1.3 --build-host admin@10.0.1.3 --flake ~/nix-config#jallen-nas";
nas-ssh = "kitten ssh admin@10.0.1.3";
ducks = "du -cksh * | sort -hr | head -n 15";
};
in
{
imports = [
../../share/home/defaults.nix
../../share/home/git.nix
../../share/home/shell.nix
];
home.username = "matt";
sops = {
age.keyFile = "/home/matt/.config/sops/age/keys.txt";
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
validateSopsFiles = false;
secrets = {
"ssh-keys-public/pi4" = {
path = "/home/matt/.ssh/id_ed25519.pub";
mode = "0644";
};
"ssh-keys-private/pi4" = {
path = "/home/matt/.ssh/id_ed25519";
mode = "0600";
};
# "ssh-keys-public/desktop-nixos" = {
# path = "/home/matt/.ssh/authorized_keys";
# mode = "0600";
# };
# "ssh-keys-public/desktop-nixos-root" = {
# path = "/home/matt/.ssh/authorized_keys2";
# mode = "0600";
# };
# "ssh-keys-public/desktop-windows" = {
# path = "/home/matt/.ssh/authorized_keys3";
# mode = "0600";
# };
# "ssh-keys-public/macbook-macos" = {
# path = "/home/matt/.ssh/authorized_keys4";
# mode = "0600";
# };
};
};
programs = {
java.enable = lib.mkForce true;
mangohud.enable = lib.mkForce true;
zsh.shellAliases = shellAliases;
};
services = {
nextcloud-client.enable = lib.mkForce true;
};
}

35
systems/aarch64-linux/pi4/impermanence.nix Executable file
View File

@@ -0,0 +1,35 @@
{ ... }:
{
# Set up impernance configuration for things like bluetooth
# In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
environment.persistence."/nix/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/libvirt"
"/var/lib/systemd/coredump"
{
directory = "/var/lib/private";
mode = "u=rwx,g=,o=";
}
"/etc/NetworkManager/system-connections"
{
directory = "/etc/nix";
user = "root";
group = "root";
mode = "u=rwx,g=rx,o=rx";
}
];
files = [
"/etc/machine-id"
];
};
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
}

75
systems/aarch64-linux/pi4/networking.nix Executable file
View File

@@ -0,0 +1,75 @@
{ lib, config, ... }:
let
hostname = "pi4";
in
{
# Networking configs
networking = {
hostName = hostname;
defaultGateway.address = "10.0.1.1";
nameservers = [ "10.0.1.1" ];
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
# Enable Network Manager
networkmanager = {
enable = lib.mkDefault true;
wifi.powersave = lib.mkDefault false;
settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
ensureProfiles = {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
# "Joey's Jungle 5G" = {
# connection = {
# id = "Joey's Jungle 5G";
# type = "wifi";
# };
# ipv4 = {
# method = "auto";
# };
# ipv6 = {
# addr-gen-mode = "stable-privacy";
# method = "auto";
# };
# wifi = {
# mode = "infrastructure";
# ssid = "Joey's Jungle 5G";
# };
# wifi-security = {
# key-mgmt = "sae";
# psk = "$PSK";
# };
# };
"static-enabcm6e4ei0" = {
connection = {
id = "static-enabcm6e4ei0";
type = "ethernet";
interface-name = "enabcm6e4ei0";
};
ipv4 = {
method = "manual";
address = "10.0.1.2/24";
gateway = "10.0.1.1";
dns = "1.1.1.1";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
};
};
};
};
};
}

22
systems/aarch64-linux/pi4/pi4-hw.nix Normal file
View File

@@ -0,0 +1,22 @@
{ ... }:
{
hardware = {
raspberry-pi."4" = {
apply-overlays-dtmerge.enable = true;
audio.enable = true;
backlight.enable = false;
bluetooth.enable = true;
dwc2.enable = true;
i2c0.enable = true;
i2c1.enable = true;
leds = {
eth.disable = false;
act.disable = false;
pwr.disable = false;
};
fkms-3d.enable = true;
xhci.enable = true;
};
deviceTree.filter = "bcm2711-rpi-4*.dtb";
};
}

23
systems/aarch64-linux/pi4/pi4-uefi.nix Normal file
View File

@@ -0,0 +1,23 @@
{ stdenv, fetchzip }:
stdenv.mkDerivation rec {
pname = "uefi_rpi4";
version = "1.38";
src = fetchzip {
url = "https://github.com/pftf/RPi4/releases/download/v1.38/RPi4_UEFI_Firmware_v1.38.zip";
hash = "sha256-9tOr80jcmguFy2bSz+H3TfmG8BkKyBTFoUZkMy8x+0g=";
stripRoot = false;
};
installPhase = ''
mkdir -p $out/share/uefi_rpi4
cp -r * $out/share/uefi_rpi4
'';
meta = {
description = "UEFI Firmware for Raspberry Pi 4";
homepage = "https://github.com/pftf/RPi4";
platforms = [ "aarch64-linux" ];
};
}

58
systems/aarch64-linux/pi4/pkg.nix Normal file
View File

@@ -0,0 +1,58 @@
{ lib, stdenv, fetchFromGitHub, nix-gitignore, dtc, installShellFiles, logLevel ? 5, ... }:
let
rawSrc = fetchFromGitHub {
owner = "mjallen18";
repo = "argononed";
rev = "master"; # replace with actual commit or tag
sha256 = "sha256-PpFR+6Aa4Pz9EmxOayMSsSTKFzUR6sYIAkGZ8+SUK18="; # fill this in with actual hash
};
ignores = ''
/*
!/version
!/makefile
!/configure
!/src
!/OS
/OS/*
!/OS/_common/
!/OS/nixos/
'';
cleanSrc = nix-gitignore.gitignoreSourcePure ignores rawSrc;
in
stdenv.mkDerivation {
pname = "argononed";
version = lib.strings.fileContents "${cleanSrc}/version";
src = cleanSrc;
nativeBuildInputs = [ dtc installShellFiles ];
preConfigure = ''
patchShebangs --build ./configure
export TARGET_DISTRO=nixos
'';
patches = [
"${cleanSrc}/OS/nixos/patches/nixos.patch"
"${cleanSrc}/OS/nixos/patches/shutdown.patch"
];
buildFlags = [ "LOGLEVEL=${toString logLevel}" ];
installFlags = [ "NIX_DRVOUT=$(out)" ];
postInstall = ''
installShellCompletion --bash --name argonone-cli OS/_common/argonone-cli-complete.bash
'';
meta = {
description = "A replacement daemon for the Argon One Raspberry Pi case";
homepage = "https://gitlab.com/DarkElvenAngel/argononed";
license = lib.licenses.mit;
platforms = [ "aarch64-linux" ];
};
}

70
systems/aarch64-linux/pi4/sops.nix Executable file
View File

@@ -0,0 +1,70 @@
{ config, ... }:
let
user = "matt";
in
{
sops = {
defaultSopsFile = ../../secrets/pi4-secrets.yaml;
# age = {
# generateKey = true;
# sshKeyPaths = [ "/etc/ssd/ssh_host_ed25519_key" ];
# };
age.keyFile = "/home/matt/.config/sops/age/keys.txt";
validateSopsFiles = false;
# ------------------------------
# Secrets
# ------------------------------
secrets = {
"wifi" = {
sopsFile = ../../secrets/secrets.yaml;
};
"pi4/matt-password" = {
neededForUsers = true;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
# ------------------------------
# SSH keys
# ------------------------------
"ssh-keys-public/pi4" = {
sopsFile = ../../secrets/secrets.yaml;
mode = "0644";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-private/pi4" = {
sopsFile = ../../secrets/secrets.yaml;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-public/pi5" = {
sopsFile = ../../secrets/secrets.yaml;
neededForUsers = true;
mode = "0600";
owner = config.users.users.root.name;
group = config.users.users.root.group;
restartUnits = [ "sshd.service" ];
};
"pi4/sys-public-key" = {
neededForUsers = true;
mode = "0600";
owner = config.users.users.root.name;
group = config.users.users.root.group;
restartUnits = [ "sshd.service" ];
};
"pi4/sys-priv-key" = {
neededForUsers = true;
mode = "0600";
owner = config.users.users.root.name;
group = config.users.users.root.group;
restartUnits = [ "sshd.service" ];
};
};
};
}