mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cleanup nas I think or something

Browse Source
This commit is contained in:
mjallen18
2025-08-27 12:03:53 -05:00
parent 83f8b3543c
commit 6c6d6325c9
23 changed files with 357 additions and 512 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
flake.nix
View File

@@ -126,7 +126,7 @@
# ###################################################### # ######################################################
# Desktop # # Desktop #
# ###################################################### # ######################################################
desktop = { matt-nixos = {
modules = with inputs; [ modules = with inputs; [
nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-cpu-amd-pstate nixos-hardware.nixosModules.common-cpu-amd-pstate
@@ -141,7 +141,7 @@
# ###################################################### # ######################################################
# NAS # # NAS #
# ###################################################### # ######################################################
nas = { jallen-nas = {
modules = with inputs; [ modules = with inputs; [
nixos-hardware.nixosModules.common-pc nixos-hardware.nixosModules.common-pc
nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-cpu-amd
@@ -173,7 +173,7 @@
# ###################################################### # ######################################################
# NUC # # NUC #
# ###################################################### # ######################################################
nuc = { nuc-nixos = {
modules = with inputs; [ modules = with inputs; [
disko.nixosModules.disko disko.nixosModules.disko
nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-cpu-amd
@@ -222,30 +222,6 @@
}; };
overlays = with inputs; [ nix-vscode-extensions.overlays.default ]; overlays = with inputs; [ nix-vscode-extensions.overlays.default ];
homes = {
modules = with inputs; [
nix-index-database.homeModules.nix-index
sops-nix.homeManagerModules.sops
];
overlays = with inputs; [
nix-vscode-extensions.overlays.default
];
users = {
# "matt@desktop" = {
# modules = with inputs; [
# sops-nix.homeManagerModules.sops
# ];
# };
"deck@steamdeck" = {
modules = with inputs; [
steam-rom-manager.homeManagerModules.default
];
};
};
};
}; };
# Configure Snowfall Lib, all of these settings are optional. # Configure Snowfall Lib, all of these settings are optional.

2
modules/home/programs/code/default.nix
View File

@@ -6,7 +6,7 @@
... ...
}: }:
let let
isArm = "aarch64-linux" == system; isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
x86_only = with pkgs; [ x86_only = with pkgs; [
vscode-extensions.redhat.vscode-xml vscode-extensions.redhat.vscode-xml
]; ];

5
modules/nixos/boot/common/default.nix
View File

@@ -26,7 +26,10 @@ in
}; };
supportedFilesystems = [ "bcachefs" ]; supportedFilesystems = [ "bcachefs" ];
consoleLogLevel = lib.mkDefault 3;
bootspec.enable = (!isArm);
}; };
zramSwap.enable = true; zramSwap.enable = lib.mkDefault true;
} }

20
modules/nixos/boot/lanzaboote/default.nix
View File

@@ -11,13 +11,21 @@ in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
boot.lanzaboote = { boot = {
enable = cfg.enable; loader = {
pkiBundle = "/etc/secureboot"; efi = {
settings = { canTouchEfiVariables = true;
console-mode = "max"; efiSysMountPoint = "/boot";
};
};
lanzaboote = {
enable = cfg.enable;
pkiBundle = "/etc/secureboot";
settings = {
console-mode = "max";
};
configurationLimit = cfg.configLimit;
}; };
configurationLimit = cfg.configLimit;
}; };
}; };
} }

27
modules/nixos/boot/systemd-boot/default.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, lib, namespace, ... }:
with lib;
let
# inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.boot.systemd-boot;
in
{
options.${namespace}.boot.systemd-boot = {
enable = mkEnableOption "enable systemd-boot";
};
config = mkIf cfg.enable {
boot = {
loader = {
systemd-boot = {
enable = mkDefault true;
configurationLimit = mkDefault 10;
};
efi = {
canTouchEfiVariables = mkDefault true;
efiSysMountPoint = "/boot";
};
};
};
};
}

2
modules/nixos/hardware/common/default.nix
View File

@@ -5,7 +5,7 @@
... ...
}: }:
let let
isArm = "aarch64-linux" == system; isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
in in
{ {
hardware = { hardware = {

5
modules/nixos/home/default.nix
View File

@@ -8,7 +8,7 @@
... ...
}: }:
let let
isArm = ("aarch64-linux" == system); isArm = ("aarch64-linux" == system) || ("aarch64-darwin" == system);
in in
{ {
@@ -48,6 +48,9 @@ in
# Pass inputs so external modules can access them # Pass inputs so external modules can access them
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs; inherit inputs;
overlays = with inputs; [
nix-vscode-extensions.overlays.default
];
}; };
# Make ALL external HM modules available globally # Make ALL external HM modules available globally

63
modules/nixos/power/default.nix Normal file
View File

@@ -0,0 +1,63 @@
{ config, lib, namespace, ... }:
with lib;
let
inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.power.ups;
in
{
options.${namespace}.power.ups = {
enable = mkEnableOption "Enable UPS support";
upsName = mkOpt types.str "nas-ups" "Name of the ups";
upsUser = mkOpt types.str "nas-admin" "Name of the ups user";
upsdPort = mkOpt types.int 3493 "Port for upsd";
};
config = mkIf cfg.enable {
power.ups = {
enable = true;
openFirewall = true;
mode = "netserver";
ups = {
"${cfg.upsName}" = {
description = "NAS UPS";
driver = "usbhid-ups";
port = "auto";
};
};
users."${cfg.upsUser}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
actions = [ "ALL" ];
instcmds = [ "ALL" ];
upsmon = "primary";
};
upsmon = {
enable = true;
monitor."${cfg.upsName}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
user = cfg.upsUser;
};
};
upsd = {
enable = true;
listen = [
{
address = "0.0.0.0";
port = 3493;
}
];
};
};
services = {
apcupsd = {
enable = true;
};
};
};
}

0
modules/nixos/security/default.nix → modules/nixos/security/common/default.nix
View File

33
modules/nixos/security/tpm/default.nix Normal file
View File

@@ -0,0 +1,33 @@
{ config, lib, namespace, ... }:
with lib;
let
# inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.security.tpm;
in
{
options.${namespace}.security.tpm = {
enable = mkEnableOption "enable tpm";
};
config = mkIf cfg.enable {
security.tpm2 = {
enable = lib.mkDefault true;
};
boot = {
initrd = {
kernelModules = [
"tpm"
"tpm_tis"
"tpm_crb"
"tpm_infineon"
];
systemd = {
enable = lib.mkDefault true;
tpm2.enable = lib.mkDefault true;
};
};
};
};
}

4
modules/nixos/services/samba/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, config, ... }: { lib, config, namespace, ... }:
with lib; with lib;
let let
cfg = config.nas-samba; cfg = config.${namespace}.samba;
sambaShares = sambaShares =
let let
make = make =

4
modules/nixos/services/samba/options.nix
View File

@@ -1,7 +1,7 @@
{ lib, ... }: { lib, namespace, ... }:
with lib; with lib;
{ {
options.nas-samba = { options.${namespace}.samba = {
enable = mkEnableOption "nas samba service"; enable = mkEnableOption "nas samba service";
autoStart = mkOption { autoStart = mkOption {

95
modules/nixos/user/default.nix
View File

@@ -10,8 +10,6 @@ let
inherit (lib.mjallen) mkOpt mkBoolOpt; inherit (lib.mjallen) mkOpt mkBoolOpt;
cfg = config.${namespace}.user; cfg = config.${namespace}.user;
isRoot = (cfg.name == "root");
# Common SSH keys used across systems # Common SSH keys used across systems
commonSshKeys = [ commonSshKeys = [
# MacBook # MacBook
@@ -42,7 +40,11 @@ in
enableCommonSshKeys = mkBoolOpt true "Whether to include common SSH keys used across systems."; enableCommonSshKeys = mkBoolOpt true "Whether to include common SSH keys used across systems.";
uid = mkOpt int (if isRoot then ids.uids.root else 1000) "The user ID for the user account."; uid = mkOpt int 1000 "The user ID for the user account.";
group = mkOpt str "wheel" "Group of the user";
gid = mkOpt int 1000 "gid of the group";
packages = mkOpt (listOf package) [ ] "List of packages to install for this user."; packages = mkOpt (listOf package) [ ] "List of packages to install for this user.";
@@ -60,50 +62,55 @@ in
}; };
config = { config = {
users.mutableUsers = cfg.mutableUsers; users = {
mutableUsers = cfg.mutableUsers;
groups.${cfg.group}.gid = lib.mkForce cfg.gid;
users.${cfg.name} = {
inherit (cfg)
name
uid
linger
packages
password
hashedPassword
hashedPasswordFile
;
users.users.${cfg.name} = { extraGroups = [
inherit (cfg) "wheel"
name "keys"
uid "networkmanager"
linger "ratbagd"
packages "scanner"
password "systemd-journal"
hashedPassword "mpd"
hashedPasswordFile "audio"
; "video"
"input"
"plugdev"
"lp"
"tss"
"power"
"nix"
"i2c"
"media"
"nscd"
"avahi"
"podman"
"libvirtd"
]
++ cfg.extraGroups;
extraGroups = [ group = cfg.group;
"wheel" home = "/home/${cfg.name}";
"keys" isNormalUser = true;
"networkmanager" shell = lib.mkForce pkgs.zsh;
"ratbagd"
"scanner"
"systemd-journal"
"mpd"
"audio"
"video"
"input"
"plugdev"
"lp"
"tss"
"power"
"nix"
"i2c"
]
++ cfg.extraGroups;
group = "users";
home = "/home/${cfg.name}";
isNormalUser = (!isRoot);
isSystemUser = isRoot;
shell = lib.mkForce pkgs.zsh;
# SSH keys - combine user-specific and common keys
openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys);
}
// cfg.extraOptions;
# SSH keys - combine user-specific and common keys
openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys);
}
// cfg.extraOptions;
};
assertions = [ assertions = [
{ {
assertion = assertion =

33
systems/x86_64-linux/jallen-nas/boot.nix
View File

@@ -5,47 +5,16 @@
... ...
}: }:
let let
kernel = pkgs.linuxPackages; # linuxPackages_latest; kernel = pkgs.linuxPackages;
in in
{ {
# Configure bootloader with lanzaboot and secureboot # Configure bootloader with lanzaboot and secureboot
boot = { boot = {
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
"vm.swappiness" = 60;
};
# Override kernel to latest # Override kernel to latest
kernelPackages = kernel; kernelPackages = kernel;
kernelParams = [
"nohibernate"
];
consoleLogLevel = 3;
bootspec.enable = true;
plymouth.enable = lib.mkForce false; plymouth.enable = lib.mkForce false;
initrd = { initrd = {
kernelModules = [
"tpm"
"tpm_tis"
"tpm_crb"
"tpm_infineon"
];
systemd = {
enable = true;
tpm2.enable = true;
};
clevis = { clevis = {
enable = true; enable = true;
devices = { devices = {

81
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -12,9 +12,7 @@
imports = [ imports = [
./boot.nix ./boot.nix
./apps.nix ./apps.nix
./ups.nix
./users.nix ./users.nix
./samba.nix
./services.nix ./services.nix
./sops.nix ./sops.nix
]; ];
@@ -85,6 +83,7 @@
# ################################################### # ###################################################
network = { network = {
hostName = "jallen-nas";
ipv4 = { ipv4 = {
address = "10.0.1.3/24"; address = "10.0.1.3/24";
method = "manual"; method = "manual";
@@ -131,14 +130,61 @@
}; };
# ################################################### # ###################################################
# # User # # # # Power # #
# ################################################### # ###################################################
user = { power.ups.enable = true;
name = "admin";
linger = true; # ###################################################
# # Samba # #
# ###################################################
samba = {
enable = true;
hostsAllow = "10.0.1.";
enableTimeMachine = true;
timeMachinePath = "/media/nas/main/timemachine";
shares = {
"3d_printer" = {
public = true;
sharePath = "/media/nas/main/3d_printer";
};
Backup = {
public = true;
sharePath = "/media/nas/main/backup";
};
Documents = {
public = true;
sharePath = "/media/nas/main/documents";
};
isos = {
public = true;
sharePath = "/media/nas/main/isos";
};
TimeMachine = {
public = false;
sharePath = "/media/nas/main/timemachine";
enableTimeMachine = true;
timeMachineMaxSize = "1T";
};
app_data = {
public = true;
sharePath = "/media/nas/main/ssd_app_data";
};
nix-config = {
public = true;
sharePath = "/home/matt/nix-config";
};
};
}; };
# ###################################################
# # Security # #
# ###################################################
security.tpm.enable = true;
# ################################################### # ###################################################
# # Services # # # # Services # #
# ################################################### # ###################################################
@@ -146,6 +192,24 @@
services = { services = {
grafana.enable = true; grafana.enable = true;
}; };
# ###################################################
# # User # #
# ###################################################
user = {
name = "admin";
hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;
linger = true;
extraGroups = [
"nix-apps"
"jallen-nas"
"grafana"
"traefik"
"62900"
"1001"
];
};
}; };
# ################################################### # ###################################################
@@ -158,10 +222,6 @@
mountPoint = "/media/nas/main"; mountPoint = "/media/nas/main";
}; };
security.tpm2 = {
enable = true;
};
# Configure environment # Configure environment
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [
@@ -174,6 +234,7 @@
efibootmgr efibootmgr
ffmpeg ffmpeg
ipset ipset
keyutils
llama-cpp llama-cpp
networkmanagerapplet networkmanagerapplet
nut nut

42
systems/x86_64-linux/jallen-nas/samba.nix
View File

@@ -1,42 +0,0 @@
{ ... }:
{
nas-samba = {
enable = true;
hostsAllow = "10.0.1.";
enableTimeMachine = true;
timeMachinePath = "/media/nas/main/timemachine";
shares = {
"3d_printer" = {
public = true;
sharePath = "/media/nas/main/3d_printer";
};
Backup = {
public = true;
sharePath = "/media/nas/main/backup";
};
Documents = {
public = true;
sharePath = "/media/nas/main/documents";
};
isos = {
public = true;
sharePath = "/media/nas/main/isos";
};
TimeMachine = {
public = false;
sharePath = "/media/nas/main/timemachine";
enableTimeMachine = true;
timeMachineMaxSize = "1T";
};
app_data = {
public = true;
sharePath = "/media/nas/main/ssd_app_data";
};
nix-config = {
public = true;
sharePath = "/home/matt/nix-config";
};
};
};
}

52
systems/x86_64-linux/jallen-nas/ups.nix
View File

@@ -1,52 +0,0 @@
{ config, ... }:
let
enableUps = true;
upsName = "nas-ups";
upsUser = "nas-admin";
in
{
power.ups = {
enable = enableUps;
openFirewall = enableUps;
mode = "netserver";
ups = {
"${upsName}" = {
description = "NAS UPS";
driver = "usbhid-ups";
port = "auto";
};
};
users."${upsUser}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
actions = [ "ALL" ];
instcmds = [ "ALL" ];
upsmon = "primary";
};
upsmon = {
enable = enableUps;
monitor."${upsName}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
user = upsUser;
};
};
upsd = {
enable = enableUps;
listen = [
{
address = "0.0.0.0";
port = 3493;
}
];
};
};
services = {
apcupsd = {
enable = true;
};
};
}

118
systems/x86_64-linux/jallen-nas/users.nix
View File

@@ -1,101 +1,47 @@
{ {
pkgs, pkgs,
config, config,
lib,
... ...
}: }:
let let
user = "admin";
passwordFile = config.sops.secrets."jallen-nas/admin_password".path; passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in in
{ {
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
users = { users = {
# See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
mutableUsers = false;
groups.jallen-nas.gid = 1000; # create nas group cause truenas perms
# Admin account
users."${user}" = {
isNormalUser = true;
linger = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"podman"
"libvirtd"
"nix-apps"
"jallen-nas"
"media"
"nscd"
"grafana"
"traefik"
"avahi"
"62900"
"1001"
];
hashedPasswordFile = lib.mkForce passwordFile;
shell = pkgs.zsh;
packages = with pkgs; [
cachix
fastfetch
git
parted
aspell
aspellDicts.en
aspellDicts.en-computers
aspellDicts.en-science
aha
papirus-icon-theme
firefox
swtpm
tigervnc
];
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
};
# Nix app account
users.nix-apps = {
isSystemUser = true;
uid = 911;
group = "jallen-nas";
extraGroups = [
"jallen-nas"
"docker"
"podman"
];
hashedPasswordFile = passwordFile;
};
groups.nut.name = "nut"; groups.nut.name = "nut";
users.upsuser = { groups."jallen-nas".name = "jallen-nas";
group = "nut"; # Nix app account
isNormalUser = false; users = {
isSystemUser = true; nix-apps = {
createHome = true; isSystemUser = true;
home = "/var/lib/nut"; uid = 911;
homeMode = "750"; group = "jallen-nas";
hashedPasswordFile = passwordFile; extraGroups = [
"jallen-nas"
"docker"
"podman"
];
hashedPasswordFile = passwordFile;
};
nextcloud = {
isNormalUser = true;
extraGroups = [
"jallen-nas"
"nix-apps"
];
hashedPasswordFile = passwordFile;
};
upsuser = {
group = "nut";
isNormalUser = false;
isSystemUser = true;
createHome = true;
home = "/var/lib/nut";
homeMode = "750";
hashedPasswordFile = passwordFile;
};
root.shell = pkgs.zsh;
}; };
users.nextcloud = {
isNormalUser = true;
extraGroups = [
"jallen-nas"
"nix-apps"
];
hashedPasswordFile = passwordFile;
};
users.root.shell = pkgs.zsh;
}; };
} }

54
systems/x86_64-linux/nuc-nixos/boot.nix
View File

@@ -1,54 +0,0 @@
{ pkgs, ... }:
let
configLimit = 20;
kernel = pkgs.linuxPackages_latest;
in
{
# Configure bootloader with lanzaboot and secureboot
boot = {
kernelModules = [ "nct6775" ];
loader = {
systemd-boot = {
enable = true;
configurationLimit = configLimit;
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
lanzaboote = {
enable = false;
pkiBundle = "/etc/secureboot";
settings = {
console-mode = "max";
};
configurationLimit = configLimit;
};
# Override kernel to latest
kernelPackages = kernel;
kernelParams = [
"nohibernate"
];
consoleLogLevel = 3;
bootspec.enable = true;
initrd = {
kernelModules = [
# "tpm"
# "tpm_tis"
# "tpm_crb"
# "tpm_infineon"
];
systemd = {
enable = true;
tpm2.enable = true;
};
};
};
}

60
systems/x86_64-linux/nuc-nixos/default.nix
View File

@@ -1,26 +1,35 @@
{ {
pkgs,
namespace, namespace,
... ...
}: }:
{ {
imports = [
./boot.nix
# ./hardware-configuration.nix
./users.nix
./sops.nix
];
security.tpm2 = {
enable = true;
};
${namespace} = { ${namespace} = {
services.home-assistant.enable = true; # ###################################################
# # Boot # #
# ###################################################
boot.systemd-boot.enable = true;
# ###################################################
# # Hardware # #
# ###################################################
hardware.disko = { hardware.disko = {
enable = true; enable = true;
filesystem = "btrfs"; filesystem = "btrfs";
}; };
# ###################################################
# # Impermanence # #
# ###################################################
impermanence.enable = true; impermanence.enable = true;
# ###################################################
# # Network # #
# ###################################################
network = { network = {
hostName = "nuc-nixos"; hostName = "nuc-nixos";
useNetworkd = false; useNetworkd = false;
@@ -47,6 +56,33 @@
allowedUDPPorts = [ 8192 ]; allowedUDPPorts = [ 8192 ];
}; };
}; };
# ###################################################
# # Security # #
# ###################################################
security.tpm.enable = true;
# ###################################################
# # Services # #
# ###################################################
services.home-assistant.enable = true;
# ###################################################
# # User # #
# ###################################################
user = {
name = "admin";
linger = true;
};
}; };
# ###################################################
# # Boot # #
# ###################################################
boot.kernelPackages = pkgs.linuxPackages_latest;
} }

59
systems/x86_64-linux/nuc-nixos/networking.nix
View File

@@ -1,59 +0,0 @@
{ config, lib, ... }:
let
ports = [
8192
];
in
{
# Networking configs
networking = {
hostName = lib.mkForce "nuc-nixos";
useNetworkd = true;
# Disable Network Manager
networkmanager = {
enable = true;
ensureProfiles = {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
"Joey's Jungle 6G" = {
connection = {
id = "Joey's Jungle 6G";
type = "wifi";
};
ipv4 = lib.mkForce {
address1 = "10.0.1.4/24";
dns = "10.0.1.1";
gateway = "10.0.1.1";
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Joey's Jungle 6G";
};
wifi-security = {
key-mgmt = "sae";
psk = "$PSK";
};
};
};
};
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = ports;
allowedUDPPorts = ports;
};
};
}

34
systems/x86_64-linux/nuc-nixos/sops.nix
View File

@@ -1,34 +0,0 @@
{ lib, ... }:
{
# Permission modes are in octal representation (same as chmod),
# the digits represent: user|group|others
# 7 - full (rwx)
# 6 - read and write (rw-)
# 5 - read and execute (r-x)
# 4 - read only (r--)
# 3 - write and execute (-wx)
# 2 - write only (-w-)
# 1 - execute only (--x)
# 0 - none (---)
# Either a user id or group name representation of the secret owner
# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
# Secrets
# ------------------------------
secrets = {
};
# ------------------------------
# Templates
# ------------------------------
templates = {
#
};
};
}

46
systems/x86_64-linux/nuc-nixos/users.nix
View File

@@ -1,46 +0,0 @@
{ pkgs, lib, ... }:
let
user = "admin";
# passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
# Define a user account. Don't forget to set a password with passwd.
users = {
# See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
mutableUsers = false;
# Admin account
users = {
"${user}" = {
isNormalUser = true;
linger = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"podman"
"libvirtd"
];
# hashedPasswordFile = passwordFile;
password = lib.mkForce "BogieDudie1";
shell = pkgs.zsh;
packages = with pkgs; [
];
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
};
root = {
isSystemUser = true;
isNormalUser = false;
shell = pkgs.zsh;
};
};
};
}