From 6c6d6325c93f46fca94810602a957c4f102508df Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Wed, 27 Aug 2025 12:03:53 -0500 Subject: [PATCH] cleanup nas I think or something --- flake.nix | 30 +---- modules/home/programs/code/default.nix | 2 +- modules/nixos/boot/common/default.nix | 5 +- modules/nixos/boot/lanzaboote/default.nix | 20 ++- modules/nixos/boot/systemd-boot/default.nix | 27 ++++ modules/nixos/hardware/common/default.nix | 2 +- modules/nixos/home/default.nix | 5 +- modules/nixos/power/default.nix | 63 ++++++++++ .../nixos/security/{ => common}/default.nix | 0 modules/nixos/security/tpm/default.nix | 33 +++++ modules/nixos/services/samba/default.nix | 4 +- modules/nixos/services/samba/options.nix | 4 +- modules/nixos/user/default.nix | 95 +++++++------- systems/x86_64-linux/jallen-nas/boot.nix | 33 +---- systems/x86_64-linux/jallen-nas/default.nix | 81 ++++++++++-- systems/x86_64-linux/jallen-nas/samba.nix | 42 ------- systems/x86_64-linux/jallen-nas/ups.nix | 52 -------- systems/x86_64-linux/jallen-nas/users.nix | 118 +++++------------- systems/x86_64-linux/nuc-nixos/boot.nix | 54 -------- systems/x86_64-linux/nuc-nixos/default.nix | 60 +++++++-- systems/x86_64-linux/nuc-nixos/networking.nix | 59 --------- systems/x86_64-linux/nuc-nixos/sops.nix | 34 ----- systems/x86_64-linux/nuc-nixos/users.nix | 46 ------- 23 files changed, 357 insertions(+), 512 deletions(-) create mode 100644 modules/nixos/boot/systemd-boot/default.nix create mode 100644 modules/nixos/power/default.nix rename modules/nixos/security/{ => common}/default.nix (100%) create mode 100644 modules/nixos/security/tpm/default.nix delete mode 100755 systems/x86_64-linux/jallen-nas/samba.nix delete mode 100755 systems/x86_64-linux/jallen-nas/ups.nix delete mode 100755 systems/x86_64-linux/nuc-nixos/boot.nix delete mode 100755 systems/x86_64-linux/nuc-nixos/networking.nix delete mode 100755 systems/x86_64-linux/nuc-nixos/sops.nix delete mode 100755 systems/x86_64-linux/nuc-nixos/users.nix 
diff --git a/flake.nix b/flake.nix index 29df710..f68f39d 100644 --- a/flake.nix +++ b/flake.nix @@ -126,7 +126,7 @@ # ###################################################### # Desktop # # ###################################################### - desktop = { + matt-nixos = { modules = with inputs; [ nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-cpu-amd-pstate @@ -141,7 +141,7 @@ # ###################################################### # NAS # # ###################################################### - nas = { + jallen-nas = { modules = with inputs; [ nixos-hardware.nixosModules.common-pc nixos-hardware.nixosModules.common-cpu-amd @@ -173,7 +173,7 @@ # ###################################################### # NUC # # ###################################################### - nuc = { + nuc-nixos = { modules = with inputs; [ disko.nixosModules.disko nixos-hardware.nixosModules.common-cpu-amd @@ -222,30 +222,6 @@ }; overlays = with inputs; [ nix-vscode-extensions.overlays.default ]; - - homes = { - modules = with inputs; [ - nix-index-database.homeModules.nix-index - sops-nix.homeManagerModules.sops - ]; - - overlays = with inputs; [ - nix-vscode-extensions.overlays.default - ]; - - users = { - # "matt@desktop" = { - # modules = with inputs; [ - # sops-nix.homeManagerModules.sops - # ]; - # }; - "deck@steamdeck" = { - modules = with inputs; [ - steam-rom-manager.homeManagerModules.default - ]; - }; - }; - }; }; # Configure Snowfall Lib, all of these settings are optional. diff --git a/modules/home/programs/code/default.nix b/modules/home/programs/code/default.nix index 1d7e261..b88ab16 100644 --- a/modules/home/programs/code/default.nix +++ b/modules/home/programs/code/default.nix @@ -6,7 +6,7 @@ ... }: let - isArm = "aarch64-linux" == system; + isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system); x86_only = with pkgs; [ vscode-extensions.redhat.vscode-xml ]; 
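Review bot: The `isArm` predicate changed here is the same expression now copied into modules/nixos/hardware/common/default.nix and modules/nixos/home/default.nix, and in those two NixOS modules the `"aarch64-darwin" == system` branch can never hold, so it is dead code there. A single prefix test, `isArm = lib.hasPrefix "aarch64" system;` (if `lib` is in scope; it is not visible in any of the three `let` blocks), covers both targets and keeps the three copies from drifting apart again. The `let` block continues past the end of the hunk.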
diff --git a/modules/nixos/boot/common/default.nix b/modules/nixos/boot/common/default.nix index 9a71ae1..27c79ed 100644 --- a/modules/nixos/boot/common/default.nix +++ b/modules/nixos/boot/common/default.nix @@ -26,7 +26,10 @@ in }; supportedFilesystems = [ "bcachefs" ]; + + consoleLogLevel = lib.mkDefault 3; + bootspec.enable = (!isArm); }; - zramSwap.enable = true; + zramSwap.enable = lib.mkDefault true; } diff --git a/modules/nixos/boot/lanzaboote/default.nix b/modules/nixos/boot/lanzaboote/default.nix index 1e2c7cd..ca3640e 100644 --- a/modules/nixos/boot/lanzaboote/default.nix +++ b/modules/nixos/boot/lanzaboote/default.nix @@ -11,13 +11,21 @@ in { imports = [ ./options.nix ]; config = mkIf cfg.enable { - boot.lanzaboote = { - enable = cfg.enable; - pkiBundle = "/etc/secureboot"; - settings = { - console-mode = "max"; + boot = { + loader = { + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + }; + lanzaboote = { + enable = cfg.enable; + pkiBundle = "/etc/secureboot"; + settings = { + console-mode = "max"; + }; + configurationLimit = cfg.configLimit; }; - configurationLimit = cfg.configLimit; }; }; } diff --git a/modules/nixos/boot/systemd-boot/default.nix b/modules/nixos/boot/systemd-boot/default.nix new file mode 100644 index 0000000..4ef3042 --- /dev/null +++ b/modules/nixos/boot/systemd-boot/default.nix @@ -0,0 +1,27 @@ +{ config, lib, namespace, ... }: +with lib; +let + # inherit (lib.${namespace}) mkOpt; + cfg = config.${namespace}.boot.systemd-boot; +in +{ + options.${namespace}.boot.systemd-boot = { + enable = mkEnableOption "enable systemd-boot"; + }; + + config = mkIf cfg.enable { + boot = { + loader = { + systemd-boot = { + enable = mkDefault true; + configurationLimit = mkDefault 10; + }; + + efi = { + canTouchEfiVariables = mkDefault true; + efiSysMountPoint = "/boot"; + }; + }; + }; + }; +} \ No newline at end of file 
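Review bot: `canTouchEfiVariables = true;` and `efiSysMountPoint = "/boot";` are plain definitions in the lanzaboote module, while the new sibling modules/nixos/boot/systemd-boot/default.nix sets the same options with `mkDefault`; a host that needs to override them (for instance an install where writing EFI variables must stay off) can simply set them under systemd-boot but has to `mkForce` them under lanzaboote, so `canTouchEfiVariables = mkDefault true;` would keep the two modules consistent. Nothing in either module prevents both being enabled on the same host, in which case the `efi` block is defined twice and two loaders are configured; an assertion that at most one of the two namespace boot modules is enabled would turn that into an evaluation error with a clear message. The trailing `\ No newline at end of file` in the new systemd-boot file is worth fixing while here.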
diff --git a/modules/nixos/hardware/common/default.nix b/modules/nixos/hardware/common/default.nix index 4df9a4a..475afc2 100644 --- a/modules/nixos/hardware/common/default.nix +++ b/modules/nixos/hardware/common/default.nix @@ -5,7 +5,7 @@ ... }: let - isArm = "aarch64-linux" == system; + isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system); in { hardware = { diff --git a/modules/nixos/home/default.nix b/modules/nixos/home/default.nix index a1ec724..c64a518 100644 --- a/modules/nixos/home/default.nix +++ b/modules/nixos/home/default.nix @@ -8,7 +8,7 @@ ... }: let - isArm = ("aarch64-linux" == system); + isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system); in { @@ -48,6 +48,9 @@ in # Pass inputs so external modules can access them extraSpecialArgs = { inherit inputs; + overlays = with inputs; [ + nix-vscode-extensions.overlays.default + ]; }; # Make ALL external HM modules available globally diff --git a/modules/nixos/power/default.nix b/modules/nixos/power/default.nix new file mode 100644 index 0000000..49abf1f --- /dev/null +++ b/modules/nixos/power/default.nix 
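Review bot: `overlays = with inputs; [ nix-vscode-extensions.overlays.default ];` inside `extraSpecialArgs` only exposes a list named `overlays` as a Home Manager module argument; it does not apply the overlay to the package set Home Manager evaluates, so unless some module consumes that argument explicitly, the overlay that this same patch removes from the `homes` block in flake.nix is no longer applied for Home Manager users. If the intent is to apply it, `nixpkgs.overlays` (or `home-manager.useGlobalPkgs` together with the system overlay) is the mechanism; if a module does consume the argument, a comment naming it next to this line would stop the next reader from deleting it as dead. The enclosing attrset starts before and ends after the hunk.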
@@ -0,0 +1,63 @@ +{ config, lib, namespace, ... }: +with lib; +let + inherit (lib.${namespace}) mkOpt; + cfg = config.${namespace}.power.ups; +in +{ + options.${namespace}.power.ups = { + enable = mkEnableOption "Enable UPS support"; + + upsName = mkOpt types.str "nas-ups" "Name of the ups"; + upsUser = mkOpt types.str "nas-admin" "Name of the ups user"; + + upsdPort = mkOpt types.int 3493 "Port for upsd"; + }; + + config = mkIf cfg.enable { + power.ups = { + enable = true; + openFirewall = true; + mode = "netserver"; + + ups = { + "${cfg.upsName}" = { + description = "NAS UPS"; + driver = "usbhid-ups"; + port = "auto"; + }; + }; + + users."${cfg.upsUser}" = { + passwordFile = config.sops.secrets."jallen-nas/ups_password".path; + actions = [ "ALL" ]; + instcmds = [ "ALL" ]; + upsmon = "primary"; + }; + + upsmon = { + enable = true; + monitor."${cfg.upsName}" = { + passwordFile = config.sops.secrets."jallen-nas/ups_password".path; + user = cfg.upsUser; + }; + }; + + upsd = { + enable = true; + listen = [ + { + address = "0.0.0.0"; + port = 3493; + } + ]; + }; + }; + + services = { + apcupsd = { + enable = true; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/nixos/security/default.nix b/modules/nixos/security/common/default.nix similarity index 100% rename from modules/nixos/security/default.nix rename to modules/nixos/security/common/default.nix diff --git a/modules/nixos/security/tpm/default.nix b/modules/nixos/security/tpm/default.nix new file mode 100644 index 0000000..b30e46e --- /dev/null +++ b/modules/nixos/security/tpm/default.nix 
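Review bot: `upsdPort` is declared as an option but never read — `upsd.listen` hard-codes `port = 3493;`, so setting the option has no effect; use `port = cfg.upsdPort;` there (or drop the option if the port is not meant to be configurable). The listener also binds `address = "0.0.0.0"` while `openFirewall = true`, and the only NUT user carries `actions = [ "ALL" ]` and `instcmds = [ "ALL" ]`, so upsd with full command rights is reachable on every interface; an address option defaulting to the LAN address (or `127.0.0.1` when nothing remote monitors the UPS) would keep that exposure explicit and reviewable. The module is generic under `${namespace}.power.ups`, yet both `passwordFile` lines point at the host-specific `config.sops.secrets."jallen-nas/ups_password".path`, so any other host enabling it fails evaluation unless it defines that exact secret; a `passwordFile = mkOpt types.path ...` option defaulting to this path would make the module reusable. Finally `services.apcupsd.enable = true` alongside NUT means two daemons drive the same USB UPS — presumably carried over from the deleted ups.nix, but worth confirming only one is intended.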
@@ -0,0 +1,33 @@ +{ config, lib, namespace, ... }: +with lib; +let + # inherit (lib.${namespace}) mkOpt; + cfg = config.${namespace}.security.tpm; +in +{ + options.${namespace}.security.tpm = { + enable = mkEnableOption "enable tpm"; + }; + + config = mkIf cfg.enable { + + security.tpm2 = { + enable = lib.mkDefault true; + }; + + boot = { + initrd = { + kernelModules = [ + "tpm" + "tpm_tis" + "tpm_crb" + "tpm_infineon" + ]; + systemd = { + enable = lib.mkDefault true; + tpm2.enable = lib.mkDefault true; + }; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/nixos/services/samba/default.nix b/modules/nixos/services/samba/default.nix index e3f0894..651593e 100755 --- a/modules/nixos/services/samba/default.nix +++ b/modules/nixos/services/samba/default.nix @@ -1,7 +1,7 @@ -{ lib, config, ... }: +{ lib, config, namespace, ... }: with lib; let - cfg = config.nas-samba; + cfg = config.${namespace}.samba; sambaShares = let make = diff --git a/modules/nixos/services/samba/options.nix b/modules/nixos/services/samba/options.nix index c5784c0..50b8961 100755 --- a/modules/nixos/services/samba/options.nix +++ b/modules/nixos/services/samba/options.nix @@ -1,7 +1,7 @@ -{ lib, ... }: +{ lib, namespace, ... }: with lib; { - options.nas-samba = { + options.${namespace}.samba = { enable = mkEnableOption "nas samba service"; autoStart = mkOption { diff --git a/modules/nixos/user/default.nix b/modules/nixos/user/default.nix index b4f9027..c74de25 100644 --- a/modules/nixos/user/default.nix +++ b/modules/nixos/user/default.nix @@ -10,8 +10,6 @@ let inherit (lib.mjallen) mkOpt mkBoolOpt; cfg = config.${namespace}.user; - isRoot = (cfg.name == "root"); - # Common SSH keys used across systems commonSshKeys = [ # MacBook 
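Review bot: Enabling `security.tpm` also flips `boot.initrd.systemd.enable` to true, which switches the host from the script-based initrd to the systemd initrd — a change well beyond TPM support that a reader of the option name will not expect, even though `boot.initrd.systemd.tpm2.enable` does depend on it. Either document it on the option, e.g. `enable = mkEnableOption "TPM2 support (also enables the systemd initrd, which initrd tpm2 unlocking requires)";`, or give the initrd part its own option so a host can get the TPM stack without changing its initrd implementation. The commented `# inherit (lib.${namespace}) mkOpt;` line is dead and can go.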
@@ -42,7 +40,11 @@ in enableCommonSshKeys = mkBoolOpt true "Whether to include common SSH keys used across systems."; - uid = mkOpt int (if isRoot then ids.uids.root else 1000) "The user ID for the user account."; + uid = mkOpt int 1000 "The user ID for the user account."; + + group = mkOpt str "wheel" "Group of the user"; + + gid = mkOpt int 1000 "gid of the group"; packages = mkOpt (listOf package) [ ] "List of packages to install for this user."; 
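Review bot: Defaulting `group` to `"wheel"` and then, in the next hunk, setting `groups.${cfg.group}.gid = lib.mkForce cfg.gid;` makes the sudo-admin group the user's primary group and rewrites wheel's NixOS-assigned GID to 1000. Every file the user creates is then group-owned by `wheel`, and any host or dataset that expects gid 1000 to mean something else (the NAS used it for `jallen-nas`) now sees it as `wheel`. The previous code used `group = "users";`; a safer default is that, or the user's own name, with `gid` applied only to a group this module creates rather than `mkForce`d onto whatever name is given. The option block continues past the end of the hunk.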
@@ -60,50 +62,55 @@ in }; config = { - users.mutableUsers = cfg.mutableUsers; + users = { + mutableUsers = cfg.mutableUsers; + groups.${cfg.group}.gid = lib.mkForce cfg.gid; + users.${cfg.name} = { + inherit (cfg) + name + uid + linger + packages + password + hashedPassword + hashedPasswordFile + ; - users.users.${cfg.name} = { - inherit (cfg) - name - uid - linger - packages - password - hashedPassword - hashedPasswordFile - ; + extraGroups = [ + "wheel" + "keys" + "networkmanager" + "ratbagd" + "scanner" + "systemd-journal" + "mpd" + "audio" + "video" + "input" + "plugdev" + "lp" + "tss" + "power" + "nix" + "i2c" + "media" + "nscd" + "avahi" + "podman" + "libvirtd" + ] + ++ cfg.extraGroups; - extraGroups = [ - "wheel" - "keys" - "networkmanager" - "ratbagd" - "scanner" - "systemd-journal" - "mpd" - "audio" - "video" - "input" - "plugdev" - "lp" - "tss" - "power" - "nix" - "i2c" - ] - ++ cfg.extraGroups; - - group = "users"; - home = "/home/${cfg.name}"; - isNormalUser = (!isRoot); - isSystemUser = isRoot; - shell = lib.mkForce pkgs.zsh; - - # SSH keys - combine user-specific and common keys - openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys); - } - // cfg.extraOptions; + group = cfg.group; + home = "/home/${cfg.name}"; + isNormalUser = true; + shell = lib.mkForce pkgs.zsh; + # SSH keys - combine user-specific and common keys + openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys); + } + // cfg.extraOptions; + }; assertions = [ { assertion = diff --git a/systems/x86_64-linux/jallen-nas/boot.nix b/systems/x86_64-linux/jallen-nas/boot.nix index cbdc76c..34877c5 100755 --- a/systems/x86_64-linux/jallen-nas/boot.nix +++ b/systems/x86_64-linux/jallen-nas/boot.nix 
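Review bot: The baseline `extraGroups` list now includes `media`, `nscd`, `avahi`, `podman` and `libvirtd` for every host that uses this module, not only the NAS those entries came from; `libvirtd` membership in particular grants access to the system libvirt socket where libvirtd is enabled, which is a privilege grant better left to per-host `cfg.extraGroups`, an option that already exists for exactly this. On hosts where a named group is not declared the entry is, as far as I can tell, dropped with a warning at activation, so the list also depends on every host defining those groups. The `assertions` list begins in this hunk and ends outside it.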
@@ -5,47 +5,16 @@ ... }: let - kernel = pkgs.linuxPackages; # linuxPackages_latest; + kernel = pkgs.linuxPackages; in { # Configure bootloader with lanzaboot and secureboot boot = { - loader = { - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - - kernel.sysctl = { - "net.ipv4.ip_forward" = 1; - "net.ipv6.conf.all.forwarding" = 1; - "vm.swappiness" = 60; - }; - # Override kernel to latest kernelPackages = kernel; - - kernelParams = [ - "nohibernate" - ]; - - consoleLogLevel = 3; - bootspec.enable = true; - plymouth.enable = lib.mkForce false; initrd = { - kernelModules = [ - "tpm" - "tpm_tis" - "tpm_crb" - "tpm_infineon" - ]; - systemd = { - enable = true; - tpm2.enable = true; - }; clevis = { enable = true; devices = { diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index 9b82f85..17f3b51 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix @@ -12,9 +12,7 @@ imports = [ ./boot.nix ./apps.nix - ./ups.nix ./users.nix - ./samba.nix ./services.nix ./sops.nix ]; @@ -85,6 +83,7 @@ # ################################################### network = { + hostName = "jallen-nas"; ipv4 = { address = "10.0.1.3/24"; method = "manual"; 
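Review bot: The comment `# Configure bootloader with lanzaboot and secureboot` no longer describes this file, since the `boot.loader.efi` block moved to the lanzaboote module and what remains is the kernel override and the clevis initrd block; `# Kernel selection and clevis initrd unlock; loader and TPM settings live in the namespace boot/security modules` would match the new contents. Three settings are removed without a replacement anywhere in the patch: the `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` sysctls, `kernelParams = [ "nohibernate" ]` and `plymouth.enable = lib.mkForce false`; turning forwarding off is a reasonable attack-surface reduction for a NAS, but if any container or proxy on this host relied on it, routing stops silently, so the intent is worth a line in the commit message. The `boot` attrset continues past the end of the hunk.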
@@ -131,14 +130,61 @@ }; # ################################################### - # # User # # + # # Power # # # ################################################### - user = { - name = "admin"; - linger = true; + power.ups.enable = true; + + # ################################################### + # # Samba # # + # ################################################### + + samba = { + enable = true; + hostsAllow = "10.0.1."; + enableTimeMachine = true; + timeMachinePath = "/media/nas/main/timemachine"; + + shares = { + "3d_printer" = { + public = true; + sharePath = "/media/nas/main/3d_printer"; + }; + Backup = { + public = true; + sharePath = "/media/nas/main/backup"; + }; + Documents = { + public = true; + sharePath = "/media/nas/main/documents"; + }; + isos = { + public = true; + sharePath = "/media/nas/main/isos"; + }; + TimeMachine = { + public = false; + sharePath = "/media/nas/main/timemachine"; + enableTimeMachine = true; + timeMachineMaxSize = "1T"; + }; + app_data = { + public = true; + sharePath = "/media/nas/main/ssd_app_data"; + }; + nix-config = { + public = true; + sharePath = "/home/matt/nix-config"; + }; + }; }; + # ################################################### + # # Security # # + # ################################################### + + security.tpm.enable = true; + # ################################################### # # Services # # # ################################################### @@ -146,6 +192,24 @@ services = { grafana.enable = true; }; + + # ################################################### + # # User # # + # ################################################### + + user = { + name = "admin"; + hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path; + linger = true; + extraGroups = [ + "nix-apps" + "jallen-nas" + "grafana" + "traefik" + "62900" + "1001" + ]; + }; }; # ################################################### 
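Review bot: The `nix-config` share exports `/home/matt/nix-config` with `public = true`, which — assuming the samba module maps `public` to guest access as the name suggests — lets any host in `10.0.1.` read the flake, every host definition, the authorized SSH keys and the sops-encrypted secrets without authenticating. The encrypted values are not directly usable, but the layout, identities and key material they reference are; `public = false;` on that share (and arguably on `app_data`, which holds application state) keeps them behind a Samba account. This block was moved here from the deleted samba.nix rather than written fresh, so the exposure predates the commit.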
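Review bot: `"62900"` and `"1001"` in `extraGroups` are group names, not GIDs: they only take effect if groups literally named `62900` and `1001` are declared, and nothing in this patch declares them (the host's users.nix declares only `jallen-nas` by name). If the intent is to match GIDs used on the TrueNAS-created datasets, declare them explicitly, e.g. `users.groups."<group-name>".gid = 62900;` (name is a placeholder), and list that name here instead. This was carried over from the old users.nix, so it is not new breakage, but the move is a good moment to fix it.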
@@ -158,10 +222,6 @@ mountPoint = "/media/nas/main"; }; - security.tpm2 = { - enable = true; - }; - # Configure environment environment = { systemPackages = with pkgs; [ @@ -174,6 +234,7 @@ efibootmgr ffmpeg ipset + keyutils llama-cpp networkmanagerapplet nut diff --git a/systems/x86_64-linux/jallen-nas/samba.nix b/systems/x86_64-linux/jallen-nas/samba.nix deleted file mode 100755 index 1ceb3b1..0000000 --- a/systems/x86_64-linux/jallen-nas/samba.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ ... }: -{ - nas-samba = { - enable = true; - hostsAllow = "10.0.1."; - enableTimeMachine = true; - timeMachinePath = "/media/nas/main/timemachine"; - - shares = { - "3d_printer" = { - public = true; - sharePath = "/media/nas/main/3d_printer"; - }; - Backup = { - public = true; - sharePath = "/media/nas/main/backup"; - }; - Documents = { - public = true; - sharePath = "/media/nas/main/documents"; - }; - isos = { - public = true; - sharePath = "/media/nas/main/isos"; - }; - TimeMachine = { - public = false; - sharePath = "/media/nas/main/timemachine"; - enableTimeMachine = true; - timeMachineMaxSize = "1T"; - }; - app_data = { - public = true; - sharePath = "/media/nas/main/ssd_app_data"; - }; - nix-config = { - public = true; - sharePath = "/home/matt/nix-config"; - }; - }; - }; -} diff --git a/systems/x86_64-linux/jallen-nas/ups.nix b/systems/x86_64-linux/jallen-nas/ups.nix deleted file mode 100755 index e546004..0000000 --- a/systems/x86_64-linux/jallen-nas/ups.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ config, ... }: -let - enableUps = true; - upsName = "nas-ups"; - upsUser = "nas-admin"; -in -{ - power.ups = { - enable = enableUps; - openFirewall = enableUps; - mode = "netserver"; - - ups = { - "${upsName}" = { - description = "NAS UPS"; - driver = "usbhid-ups"; - port = "auto"; - }; - }; - - users."${upsUser}" = { - passwordFile = config.sops.secrets."jallen-nas/ups_password".path; - actions = [ "ALL" ]; - instcmds = [ "ALL" ]; - upsmon = "primary"; - }; - - upsmon = { - enable = enableUps; - monitor."${upsName}" = { - passwordFile = config.sops.secrets."jallen-nas/ups_password".path; - user = upsUser; - }; - }; - - upsd = { - enable = enableUps; - listen = [ - { - address = "0.0.0.0"; - port = 3493; - } - ]; - }; - }; - - services = { - apcupsd = { - enable = true; - }; - }; -} diff --git a/systems/x86_64-linux/jallen-nas/users.nix b/systems/x86_64-linux/jallen-nas/users.nix index 9ebc422..0445861 100755 --- a/systems/x86_64-linux/jallen-nas/users.nix +++ b/systems/x86_64-linux/jallen-nas/users.nix 
@@ -1,101 +1,47 @@ { pkgs, config, - lib, ... }: let - user = "admin"; passwordFile = config.sops.secrets."jallen-nas/admin_password".path; in { - # Define a user account. Don't forget to set a password with ‘passwd’. users = { - # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users - mutableUsers = false; - groups.jallen-nas.gid = 1000; # create nas group cause truenas perms - - # Admin account - users."${user}" = { - isNormalUser = true; - linger = true; - extraGroups = [ - "wheel" - "networkmanager" - "docker" - "podman" - "libvirtd" - "nix-apps" - "jallen-nas" - "media" - "nscd" - "grafana" - "traefik" - "avahi" - "62900" - "1001" - ]; - hashedPasswordFile = lib.mkForce passwordFile; - shell = pkgs.zsh; - packages = with pkgs; [ - cachix - fastfetch - git - parted - aspell - aspellDicts.en - aspellDicts.en-computers - aspellDicts.en-science - aha - papirus-icon-theme - firefox - swtpm - tigervnc - ]; - openssh.authorizedKeys.keys = [ - # macBook - "ssh-rsa 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 mattjallen@MacBook-Pro.local" - # desktop windows - "ssh-rsa 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 mattl@Jallen-PC" - # desktop nixos - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos" - ]; - }; - - # Nix app account - users.nix-apps = { - isSystemUser = true; - uid = 911; - group = "jallen-nas"; - extraGroups = [ - "jallen-nas" - "docker" - "podman" - ]; - hashedPasswordFile = passwordFile; - }; - groups.nut.name = "nut"; - users.upsuser = { - group = "nut"; - isNormalUser = false; - isSystemUser = true; - createHome = true; - home = "/var/lib/nut"; - homeMode = "750"; - hashedPasswordFile = passwordFile; + groups."jallen-nas".name = "jallen-nas"; + # Nix app account + users = { + nix-apps = { + isSystemUser = true; + uid = 911; + group = "jallen-nas"; + extraGroups = [ + "jallen-nas" + "docker" + 
"podman" + ]; + hashedPasswordFile = passwordFile; + }; + nextcloud = { + isNormalUser = true; + extraGroups = [ + "jallen-nas" + "nix-apps" + ]; + hashedPasswordFile = passwordFile; + }; + upsuser = { + group = "nut"; + isNormalUser = false; + isSystemUser = true; + createHome = true; + home = "/var/lib/nut"; + homeMode = "750"; + hashedPasswordFile = passwordFile; + }; + root.shell = pkgs.zsh; }; - - users.nextcloud = { - isNormalUser = true; - extraGroups = [ - "jallen-nas" - "nix-apps" - ]; - hashedPasswordFile = passwordFile; - }; - - users.root.shell = pkgs.zsh; }; } diff --git a/systems/x86_64-linux/nuc-nixos/boot.nix b/systems/x86_64-linux/nuc-nixos/boot.nix deleted file mode 100755 index 0a5aad9..0000000 --- a/systems/x86_64-linux/nuc-nixos/boot.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ pkgs, ... }: -let - configLimit = 20; - kernel = pkgs.linuxPackages_latest; -in -{ - # Configure bootloader with lanzaboot and secureboot - boot = { - kernelModules = [ "nct6775" ]; - loader = { - systemd-boot = { - enable = true; - configurationLimit = configLimit; - }; - - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; - - lanzaboote = { - enable = false; - pkiBundle = "/etc/secureboot"; - settings = { - console-mode = "max"; - }; - configurationLimit = configLimit; - }; - - # Override kernel to latest - kernelPackages = kernel; - - kernelParams = [ - "nohibernate" - ]; - - consoleLogLevel = 3; - bootspec.enable = true; - - initrd = { - kernelModules = [ - # "tpm" - # "tpm_tis" - # "tpm_crb" - # "tpm_infineon" - ]; - systemd = { - enable = true; - tpm2.enable = true; - }; - }; - }; -} diff --git a/systems/x86_64-linux/nuc-nixos/default.nix b/systems/x86_64-linux/nuc-nixos/default.nix index 80ab821..fb3c138 100644 --- a/systems/x86_64-linux/nuc-nixos/default.nix +++ b/systems/x86_64-linux/nuc-nixos/default.nix 
@@ -1,26 +1,35 @@ { + pkgs, namespace, ... }: { - imports = [ - ./boot.nix - # ./hardware-configuration.nix - ./users.nix - ./sops.nix - ]; - - security.tpm2 = { - enable = true; - }; - ${namespace} = { - services.home-assistant.enable = true; + # ################################################### + # # Boot # # + # ################################################### + + boot.systemd-boot.enable = true; + + # ################################################### + # # Hardware # # + # ################################################### + hardware.disko = { enable = true; filesystem = "btrfs"; }; + + # ################################################### + # # Impermanence # # + # ################################################### + impermanence.enable = true; + + # ################################################### + # # Network # # + # ################################################### + network = { hostName = "nuc-nixos"; useNetworkd = false; @@ -47,6 +56,33 @@ allowedUDPPorts = [ 8192 ]; }; }; + + # ################################################### + # # Security # # + # ################################################### + + security.tpm.enable = true; + + # ################################################### + # # Services # # + # ################################################### + + services.home-assistant.enable = true; + + # ################################################### + # # User # # + # ################################################### + + user = { + name = "admin"; + linger = true; + }; }; + # ################################################### + # # Boot # # + # ################################################### + + boot.kernelPackages = pkgs.linuxPackages_latest; + } diff --git a/systems/x86_64-linux/nuc-nixos/networking.nix b/systems/x86_64-linux/nuc-nixos/networking.nix deleted file mode 100755 index 4c1343b..0000000 --- a/systems/x86_64-linux/nuc-nixos/networking.nix +++ /dev/null 
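Review bot: The deleted systems/x86_64-linux/nuc-nixos/boot.nix loaded `kernelModules = [ "nct6775" ];`, and neither this hunk nor the new `boot.systemd-boot` module re-adds it, so the NUC's Super-I/O sensor driver is no longer loaded unless the hardware module provides it — that module is not visible from here. If it is still wanted, `boot.kernelModules = [ "nct6775" ];` next to the `boot.kernelPackages` line at the bottom of the file is the obvious home. The `${namespace}` attrset opened in this hunk continues past its end.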
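Review bot: The new `user = { name = "admin"; linger = true; };` sets neither `password` nor `hashedPasswordFile`, and the deleted users.nix and sops.nix were the only places that supplied one, so after this change the `admin` account on nuc-nixos has no password at all; SSH with the module's common keys still works, but `sudo` as a wheel member has nothing to authenticate against unless a NOPASSWD rule exists elsewhere. `hashedPasswordFile = config.sops.secrets."<secret-name>".path;` (placeholder name) backed by a sops secret, as jallen-nas does in this same patch, is the matching fix. The literal password the deleted users.nix carried remains in git history, so treat it as disclosed and rotate it wherever it was reused. The second `# Boot` header at the bottom exists because `boot.kernelPackages` is a plain NixOS option rather than a namespace one; a one-line comment saying so would stop the next reader from trying to merge the two sections.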
@@ -1,59 +0,0 @@ -{ config, lib, ... }: -let - ports = [ - 8192 - ]; -in -{ - # Networking configs - networking = { - hostName = lib.mkForce "nuc-nixos"; - - useNetworkd = true; - - # Disable Network Manager - networkmanager = { - enable = true; - ensureProfiles = { - environmentFiles = [ - config.sops.secrets.wifi.path - ]; - - profiles = { - "Joey's Jungle 6G" = { - connection = { - id = "Joey's Jungle 6G"; - type = "wifi"; - }; - ipv4 = lib.mkForce { - address1 = "10.0.1.4/24"; - dns = "10.0.1.1"; - gateway = "10.0.1.1"; - method = "manual"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - wifi = { - mode = "infrastructure"; - ssid = "Joey's Jungle 6G"; - }; - wifi-security = { - key-mgmt = "sae"; - psk = "$PSK"; - }; - }; - }; - }; - }; - - firewall = { - enable = true; - allowPing = true; - - allowedTCPPorts = ports; - allowedUDPPorts = ports; - }; - }; -} diff --git a/systems/x86_64-linux/nuc-nixos/sops.nix b/systems/x86_64-linux/nuc-nixos/sops.nix deleted file mode 100755 index 0c9b448..0000000 --- a/systems/x86_64-linux/nuc-nixos/sops.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ lib, ... }: -{ - # Permission modes are in octal representation (same as chmod), - # the digits represent: user|group|others - # 7 - full (rwx) - # 6 - read and write (rw-) - # 5 - read and execute (r-x) - # 4 - read only (r--) - # 3 - write and execute (-wx) - # 2 - write only (-w-) - # 1 - execute only (--x) - # 0 - none (---) - # Either a user id or group name representation of the secret owner - # It is recommended to get the user name from `config.users.users..name` to avoid misconfiguration - # Either the group id or group name representation of the secret group - # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - - # ------------------------------ - # Secrets - # ------------------------------ - secrets = { - - }; - - # ------------------------------ - # Templates - # ------------------------------ - templates = { - # - }; - }; -} diff --git a/systems/x86_64-linux/nuc-nixos/users.nix b/systems/x86_64-linux/nuc-nixos/users.nix deleted file mode 100755 index 13c5f75..0000000 --- a/systems/x86_64-linux/nuc-nixos/users.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ pkgs, lib, ... }: -let - user = "admin"; - # passwordFile = config.sops.secrets."jallen-nas/admin_password".path; -in -{ - # Define a user account. Don't forget to set a password with ‘passwd’. - users = { - # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users - mutableUsers = false; - - # Admin account - users = { - "${user}" = { - isNormalUser = true; - linger = true; - extraGroups = [ - "wheel" - "networkmanager" - "docker" - "podman" - "libvirtd" - ]; - # hashedPasswordFile = passwordFile; - password = lib.mkForce "BogieDudie1"; - shell = pkgs.zsh; - packages = with pkgs; [ - ]; - openssh.authorizedKeys.keys = [ - # macBook - "ssh-rsa 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 mattjallen@MacBook-Pro.local" - # desktop windows - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC" - # desktop nixos - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos" - ]; - }; - - root = { - isSystemUser = true; - isNormalUser = false; - shell = pkgs.zsh; - }; - }; - }; -}