mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

stuffs

Browse Source
This commit is contained in:
mjallen18
2026-02-02 11:13:19 -06:00
parent 187b478c5d
commit 8fa82bce90
9 changed files with 56 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/module/default.nix
View File

@@ -70,6 +70,9 @@ rec {
systemd.services.${serviceName} = {
requires = [ "media-nas-main.mount" ];
after = lib.mkForce [
"media-nas-main.mount"
];
};
services = {

38
modules/nixos/boot/common/default.nix
View File

@@ -25,6 +25,7 @@ in
boot = {
kernelModules = [ "kvm" ];
kernelParams = lib.mkDefault [ "quiet" "splash" "udev.log_level=3" ];
binfmt = lib.mkIf isArm {
registrations."x86_64-linux" = {
@@ -38,37 +39,20 @@ in
};
};
supportedFilesystems = [ "bcachefs" ];
supportedFilesystems = lib.mkDefault [ "bcachefs" ];
consoleLogLevel = lib.mkForce 3;
consoleLogLevel = lib.mkDefault 0;
bootspec.enable = (!isArm);
initrd = {
# secrets = {
# "/etc/clevis/nuc-nixos.jwe" = (lib.snowfall.fs.get-file "secrets/nuc-nixos.jwe");
# };
# systemd.services."unlock-disk" = {
# enable = false;
# path = [
# pkgs.clevis
# pkgs.bcachefs-tools
# ];
# script = ''
# ${pkgs.clevis}/bin/clevis decrypt < "/etc/clevis/nuc-nixos.jwe"
# # | ${pkgs.bcachefs-tools}/bin/bcachefs unlock -k session /dev/disk/by-label/disk-main-nuc-nixos-bcachefs-root
# '';
# wantedBy = [ "initrd-root-fs.target" ];
# requiredBy = [ "initrd-root-fs.target" ];
# serviceConfig = {
# Type = "oneshot";
# TimeoutSec = "10s";
# };
# };
# clevis = mkIf (config.${namespace}.hardware.disko.filesystem == "bcachefs"){
# enable = true;
# };
verbose = lib.mkDefault false;
availableKernelModules = [ "bcachefs" ];
kernelModules = {
bcachefs = true;
};
systemd.storePaths = with pkgs; [
bcachefs-tools
];
luks = mkIf cfg.yubikeyEncryption {
devices = {

2
modules/nixos/services/arrs/default.nix
View File

@@ -37,6 +37,8 @@ let
templates = {
"sabnzbd.ini" = {
mode = "660";
owner = "nix-apps";
group = "jallen-nas";
restartUnits = [ "sabnzbd.service" ];
content = ''
misc.password=${config.sops.placeholder."jallen-nas/sabnzbd/password"}

4
modules/nixos/sops/default.nix
View File

@@ -42,6 +42,10 @@ in
group = config.users.users."${user}".group;
};
"disk-key" = {
mode = "0600";
};
# ------------------------------
# SSH keys
# ------------------------------

6
secrets/secrets.yaml
View File

@@ -1,7 +1,9 @@
#ENC[AES256_GCM,data:HkOno2ohMSLs46g=,iv:7KHzoElBP/GMIVubcIBya42SoFKVyt/+YRIxkgRE3Cw=,tag:U87dYHrKu/qqbLf5r7XEiA==,type:comment]
wifi: ENC[AES256_GCM,data:Rs+4Km4DogO7XatA,iv:JUv9HkNWsv/l4Fli5sFeUeYuWG1Yju95G59FJ/Q5W50=,tag:gRFCG4d5OBMRx1QayRV8Zg==,type:str]
matt_password: ENC[AES256_GCM,data:/8utn5xMoWIxXitfg2kFZCQwbqqn6rH7Pt5KYeTyGintjg5jF8T9eqdqrBGlqMdKh/YjUTwZZg4/PkNG9/gqk86pjaUtg+8C6w==,iv:BDbThvyXmzB9eKfuK0V2eR8p20g7rOOTOA3AYNCM6TI=,tag:KvIKOLFW9NMmQy97QWRfQA==,type:str]
admin_password: ENC[AES256_GCM,data:aGyn1Tm+2ld3BqXN3U1RQkew13Ln0Y3+xYiIUjErmq8Y/AkR65bhEHpVKx6lT2AZNG7bTPM0QTGd5vloD4QdrtAMv5eye6GFHg==,iv:EYLqDoqK/4tzdg+YTywpeCg0kullQEyD6mKTJMTXYB4=,tag:GJnZqZj2Lnx4YoQ+ApUBBw==,type:str]
github-token: ENC[AES256_GCM,data:FAuwS/j5kd/NvOVdwa+ROWgMZCjyOjDbIMoU11KkaUOVhnztZyLGCA==,iv:+EvAvf7cUpljLHaxVkBRloZsAYcKjceJHinUU47PCRI=,tag:p0irO6vnt5nr4sZIq9B8gA==,type:str]
disk-key: ENC[AES256_GCM,data:cJdjG1gWYT4V0idae0nZl0j9FoEQuMW5PhQer2s8t4piv2mE8XM64W92MJyhi2aNtZ3cJ9h5PSW49zLeUWXIPGJNAvwRyWVc0O+T96jlZqtFlYBYLVh4tXdpXmxvq7IhB+sR2rY7qpcJEtCyUR8Mc7uzPZLQhuicwOjYuThhMdq73v3Re4taiL358U4DsLGhaQaGVoZ/RVRqT40F0ByxZto+JbwFGJBjQJlBhxE0b5pge93hQJcyY0LiI0Ctkv43gR5pnkHpXlM5TqZvzJLQVkG+N9IaRg0fPBnTyR8IaTi6ZAqBTY9byMPbfRsMgwY/FdGCkBguLNBt8a8P4TzzKo8CwcBcSOcCMKh+tzBwIAOxFb3H6lgLiKutA5wxgOrJ1tADvPxjEOjPx3zXVZA1jzsqtH4p6s5XDKJVhSoT08gI6DN7ILhBG9v8+NDeBj8ENFkMxDnbFrEyBt2j1fwq5s2/SmioN407KVi8Jd7SqQBEcp2WHFkrc95nJTyDer0J34jVUPVtVaqmLAPlzKWr9VZyrDJbl4stwz/pjstxtDfx4urxNYn6fhs3vigU6JFrE3sVN4MMosgvDxyqiMM44Qc6V6XO1GDJxKUo9kP8CGNvLpsMZSY9ZSjQaxMUNqXfySCry3AsOZolo6XUtbEk3YGGVAiJoiUE9aogdh++zRVYi+s2pzwf8BYGK2OB+C8ojSTRtcjsTCacWlV4cCnkpC5hpQ7KBycg8hYEm3bTjMuKcqsSTl8TUgwk4gq2cq2ZqvTWE7AHcgLGiFcT4/vm05rdS8j+nq5XprBUAwcvhR+wHtgU/HcJr939hp/45ZVI5a2DtcbhFOnrX+W/TZsUHdw+pxzau4JUfMI5COc3ntD0IOwP8c/dH+DOYeI6KToV8judUnIyMKnJrXBRpGoLa9kmbslUpw2oZSnQo1jBB1rQqLiQmbjA3nybAunmgrnaMtZcZZBX,iv:Y2rQMzIP4iA4YTRReMhIaG6aKTnlQjBl/eVdxg9gipM=,tag:m9KlqWLIxQ5065DBB8u0rw==,type:str]
age-keys-private:
matt-desktop-nix: ENC[AES256_GCM,data:7/UO2Oq096iJHSpwA2cflRoiPWrKFJA2RhcuH0bJKM/MO15GbW1VktPZieEVrj+3KTYnhrWr5mEHx+uekhyL2W98SO0JkIJ/c24=,iv:w9lt2rQzkys2HSR8ls4RKJlkNsAb61a+6eB/joKDEtQ=,tag:OYkFVP9HGHumE/3PUP64PA==,type:str]
admin-jallen-nas: ENC[AES256_GCM,data:lKXCpyB0+wViUYsJgxxe7a4dD24a80xe1XEfvVLoazEb/qmoUClhXU4FI1o8ATvpND4XG/vlq8IsZ3V3Yr2FQSOQTrUxs+Yz1po=,iv:Po0jpfoHNMu4s6EePwD20Kc0HQhnY+YKnwovkqCzviI=,tag:0YHI6cNWV21OH2gMOX/Gmw==,type:str]
@@ -182,8 +184,8 @@ sops:
ZjkrUTNlbE1xTmkxVU5MbGdrYkNaNzgKrwOW1hTCSDU8Lp/zwbWBH8GoMnvCgOiQ
9nf/MXoKp+CYUHcocBQ2+0R7MF8DABSEss+QG1QH4a7NlNzPjQmg7g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-12T02:59:49Z"
mac: ENC[AES256_GCM,data:hOHsyujX+EHCzHM4vyAoYMohCeH1T/riacfUxV5hkMz4FQdCUG+gfHq1Ym9Z0xwSMCrtr9Oz3vmO6kZTAXa4abXLxS4VmShP+N2TIxD8aX4Z4kC99odfxHalQAxEt32RoEM5DGq5gvIOz/Eyb/av0RZ+iEs5dVQ/8Juo4Gs4mK4=,iv:GqrZitl/sK6TxRzf9smH3AbEhvGIU6dbdlk7+sMZh8M=,tag:zdsXCYGLOf8yyPc1XrpkJg==,type:str]
lastmodified: "2026-02-02T15:37:01Z"
mac: ENC[AES256_GCM,data:GL0s9MHOEBV7a/l6XlaSKU5g/urU4NrqC4SGZ9anClF0SsKTUS18swrJWSu9tnPVQCiBLOD9wiHHV6MLwrlVZIVKz52T2HcvNSK4dgJ+l3yXL8mnrkditJqWC6AHMm0+93rcjqV0SMda+5mTDDivYmgxQcYdSbWyA0DPi9FvYY0=,iv:GLb5E6Cq01O74sJSOTKZuNxRlHFKwqN47zBkh6bD8Fs=,tag:g3oyWOSdo2RwMo+JtND/vQ==,type:str]
pgp:
- created_at: "2026-01-27T18:43:55Z"
enc: |-

3
systems/x86_64-linux/jallen-nas/boot.nix
View File

@@ -13,7 +13,6 @@ in
boot = {
# Override kernel to latest
kernelPackages = kernel;
plymouth.enable = lib.mkForce false;
initrd = {
supportedFilesystems = [ "bcachefs" ];
@@ -28,6 +27,4 @@ in
# Enable binfmt emulation for ARM
binfmt.emulatedSystems = [ "aarch64-linux" ]; # --argstr system aarch64-linux
};
# environment.etc."clevis/nas_pool.jwe".source = config.sops.secrets."jallen-nas/nas_pool".path;
}

112
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -191,7 +191,7 @@ in
# ###################################################
samba = {
enable = true;
enable = false;
hostsAllow = "10.0.1.";
enableTimeMachine = true;
timeMachinePath = "/media/nas/main/timemachine";
@@ -269,96 +269,43 @@ in
# ###################################################
# # Mounts # #
# ###################################################
# fileSystems."/media/nas/main" = {
# label = "nas_pool";
# # device = "/dev/sde:/dev/sdf:/dev/sdh:/dev/sdi:/dev/sdj:/dev/nmve0n1:/dev/nvme1n1";
# fsType = "bcachefs";
# mountPoint = "/media/nas/main";
# options = [
# # "noauto"
# "nofail"
# # "x-systemd.mount-timeout=0"
# # "x-systemd.device-timeout=0"
# ];
# };
fileSystems = {
"/media/nas/main" = {
device = "UUID=adf7b4e1-dfed-4c10-a9ab-2741c1055552";
device = "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc";
fsType = "bcachefs";
neededForBoot = true;
options = [
"nofail"
];
};
# "/media/nas/test" = {
# device = "UUID=621706d6-e3a8-48d6-9560-58b01129a846";
# fsType = "bcachefs";
# };
};
fileSystems."/etc".neededForBoot = true;
environment.etc = {
"crypttab".text = ''
hdd1-cryptroot UUID="295d4c78-41f0-4792-bd97-ac88b2455cdc" none tpm2-device=auto
hdd2-cryptroot UUID="7c9c2179-351c-40a5-9257-e9ee2a1e794a" none tpm2-device=auto
ssd1-cryptroot UUID="d78fa862-212c-4d4f-ad86-bfeead5cc054" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
ssd2-cryptroot UUID="1661c173-3809-4517-9ab8-ad94c229048d" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
ssd3-cryptroot UUID="cfea125e-90b1-4248-834d-16dcaf310783" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
ssd4-cryptroot UUID="96055401-6d1a-4308-9e4e-2211e1e23635" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
ssd5-cryptroot UUID="055e27e0-c96a-4899-8ee7-cb1cd5f21476" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
ssd6-cryptroot UUID="6e830abd-2555-4558-81a3-4a990507b5a7" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
'';
"/media/nas/test" = {
device = "/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846";
fsType = "bcachefs";
neededForBoot = true;
options = [
"nofail"
];
};
"/etc".neededForBoot = true;
};
boot.initrd = {
luks.devices = {
# "621706d6-e3a8-48d6-9560-58b01129a846" = {
# device = "/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846";
# };
hdd1-cryptroot = {
device = "/dev/disk/by-uuid/295d4c78-41f0-4792-bd97-ac88b2455cdc";
};
hdd2-cryptroot = {
device = "/dev/disk/by-uuid/7c9c2179-351c-40a5-9257-e9ee2a1e794a";
};
ssd1-cryptroot = {
device = "/dev/disk/by-uuid/d78fa862-212c-4d4f-ad86-bfeead5cc054";
allowDiscards = true;
bypassWorkqueues = true;
};
ssd2-cryptroot = {
device = "/dev/disk/by-uuid/1661c173-3809-4517-9ab8-ad94c229048d";
allowDiscards = true;
bypassWorkqueues = true;
};
ssd3-cryptroot = {
device = "/dev/disk/by-uuid/cfea125e-90b1-4248-834d-16dcaf310783";
allowDiscards = true;
bypassWorkqueues = true;
};
ssd4-cryptroot = {
device = "/dev/disk/by-uuid/96055401-6d1a-4308-9e4e-2211e1e23635";
allowDiscards = true;
bypassWorkqueues = true;
};
ssd5-cryptroot = {
device = "/dev/disk/by-uuid/055e27e0-c96a-4899-8ee7-cb1cd5f21476";
allowDiscards = true;
bypassWorkqueues = true;
};
ssd6-cryptroot = {
device = "/dev/disk/by-uuid/6e830abd-2555-4558-81a3-4a990507b5a7";
allowDiscards = true;
bypassWorkqueues = true;
};
supportedFilesystems = {
bcachefs = true;
};
# clevis = {
# enable = true;
# devices = {
# "621706d6-e3a8-48d6-9560-58b01129a846".secretFile = ../../../test.jwe;
# };
# };
clevis = {
enable = lib.mkForce true;
devices = {
"/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846".secretFile = ../../../test.jwe; # config.sops.secrets."disk-key".path;
"/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc".secretFile = ../../../test.jwe; # config.sops.secrets."disk-key".path;
};
};
};
# boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-partlabel/disk-main-jallen-nas-cryptroot";
# Configure environment
environment = {
systemPackages = with pkgs; [
@@ -386,12 +333,7 @@ in
persistence."/media/nas/main/persist" = {
hideMounts = true;
directories = [
# {
# directory = "/var/lib/redis-ccache";
# user = "redis-ccache";
# group = "redis-ccache";
# mode = "u=rwx,g=,o=";
# }
];
};
};

5
systems/x86_64-linux/jallen-nas/disabled.nix
View File

@@ -12,6 +12,11 @@ in
specialisation = {
safe-mode = {
configuration = {
boot = {
kernelParams = [ ];
initrd.verbose = true;
consoleLogLevel = 3;
};
${namespace} = {
services = {
actual = mkForce disabled;

0
systems/test.jwe → test.jwe
View File