diff --git a/flake.lock b/flake.lock index b749617..f71c425 100644 --- a/flake.lock +++ b/flake.lock @@ -523,11 +523,11 @@ ] }, "locked": { - "lastModified": 1756734952, - "narHash": "sha256-H6jmduj4QIncLPAPODPSG/8ry9lpr1kRq6fYytU52qU=", + "lastModified": 1756842514, + "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", "owner": "nix-community", "repo": "home-manager", - "rev": "29ab63bbb3d9eee4a491f7ce701b189becd34068", + "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", "type": "github" }, "original": { @@ -539,11 +539,11 @@ "homebrew-cask": { "flake": false, "locked": { - "lastModified": 1756765009, - "narHash": "sha256-S+1wO+FU3F16oajoL9EC247nilW43a2uP4xA7Wbou1Q=", + "lastModified": 1756852744, + "narHash": "sha256-U9kI3DUaBthraFDPyoaPASZCwa4beIbPioKZqk/fRE0=", "owner": "homebrew", "repo": "homebrew-cask", - "rev": "f9926314171dc3254715a87a534c09c7d77c04f2", + "rev": "e08060d99e6e06d7d0d233439b2139d2f971d1a1", "type": "github" }, "original": { @@ -555,11 +555,11 @@ "homebrew-core": { "flake": false, "locked": { - "lastModified": 1756764042, - "narHash": "sha256-61qDXw6dK2OwBJzoi1F+EX26Iik4uYeQ0gFQkFJCmis=", + "lastModified": 1756853188, + "narHash": "sha256-lZnraCsn+6bILvM5Tv9WXGdZeTVzbwViOKB3086fw0w=", "owner": "homebrew", "repo": "homebrew-core", - "rev": "ebc12a06f7499c2dbd0c2b42ff0c4a3238075b01", + "rev": "44c6c6065d93f93e90a66ddc2bfcd37746e9546b", "type": "github" }, "original": { @@ -783,11 +783,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1756692643, - "narHash": "sha256-SVos3AYuLvF6bD8Y0b6EiLABoEaiAOa4M/fTCBe0FV8=", + "lastModified": 1756778240, + "narHash": "sha256-fEN9e5eTYTYiLWDgIm0LpfBZ/IKEmP+BvmDtg2HeHUY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2f1d16db96f1ce8ee3c893ea9dc49c0035846988", + "rev": "88023dda65dbb10c52aa03b39a0426024ad8e543", "type": "github" }, "original": { 
@@ -962,11 +962,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1756617294, - "narHash": "sha256-aGnd4AHIYCWQKChAkHPpX+YYCt7pA6y2LFFA/s8q0wQ=", + "lastModified": 1756754095, + "narHash": "sha256-9Rsn9XEWINExosFkKEqdp8EI6Mujr1gmQiyrEcts2ls=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b4c2c57c31e68544982226d07e4719a2d86302a8", + "rev": "7c815e513adbf03c9098b2bd230c1e0525c8a7f9", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 09eb1f4..4998f24 100644 --- a/flake.nix +++ b/flake.nix @@ -193,7 +193,10 @@ disko.nixosModules.disko nixos-raspberrypi.nixosModules.raspberry-pi-4.base nixos-raspberrypi.nixosModules.raspberry-pi-4.display-vc4 + nixos-raspberrypi.nixosModules.nixpkgs-rpi + nixos-raspberrypi.nixosModules.trusted-nix-caches nixos-raspberrypi.lib.inject-overlays + nixos-raspberrypi.lib.inject-overlays-global ]; }; @@ -206,7 +209,10 @@ nixos-raspberrypi.nixosModules.raspberry-pi-5.base nixos-raspberrypi.nixosModules.raspberry-pi-5.display-vc4 nixos-raspberrypi.nixosModules.raspberry-pi-5.bluetooth + nixos-raspberrypi.nixosModules.nixpkgs-rpi + nixos-raspberrypi.nixosModules.trusted-nix-caches nixos-raspberrypi.lib.inject-overlays + nixos-raspberrypi.lib.inject-overlays-global ]; }; @@ -221,7 +227,9 @@ }; }; - overlays = with inputs; [ nix-vscode-extensions.overlays.default ]; + overlays = with inputs; [ + nix-vscode-extensions.overlays.default + ]; }; # Configure Snowfall Lib, all of these settings are optional. @@ -242,6 +250,12 @@ channels-config = { allowUnfree = true; + permittedInsecurePackages = [ + # ... + # "libsoup-2.74.3" + # "libxml2-2.13.8" + "qtwebengine-5.15.19" + ]; }; outputs-builder = channels: { diff --git a/modules/nixos/boot/lanzaboote/default.nix b/modules/nixos/boot/lanzaboote/default.nix index ca3640e..8a4751d 100644 --- a/modules/nixos/boot/lanzaboote/default.nix +++ b/modules/nixos/boot/lanzaboote/default.nix 
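Review bot: Importing `nixos-raspberrypi.nixosModules.trusted-nix-caches` into both Pi configurations presumably adds that project's binary cache to `nix.settings.substituters` and its signing key to `trusted-public-keys`, which makes these hosts accept store paths signed by a party other than the nixpkgs cache; that is a supply-chain trust decision and should be recorded at the import site rather than inherited silently. I would add a comment such as `# trusted-nix-caches: trusts the nixos-raspberrypi binary cache + signing key for prebuilt kernels/firmware; re-review on input bump` and, after a rebuild, confirm with `nix config show | grep -E 'substituters|trusted-public-keys'` that only the expected key was added. The same applies to `inject-overlays-global`, which as the name suggests alters `nixpkgs.overlays` for the whole configuration rather than just the Pi package set.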
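Review bot: `permittedInsecurePackages = [ "qtwebengine-5.15.19" ]` now lives in the shared `channels-config`, so as far as I can tell every host built from this flake (NAS, NUC, both Pis, the desktop) accepts a package nixpkgs has explicitly marked insecure, even though presumably only one of them pulls qtwebengine in. Prefer scoping the allowance to the system or package that needs it (its own `nixpkgs.config.permittedInsecurePackages`) and record the reason inline, e.g. `"qtwebengine-5.15.19" # required by <package>; drop once it is on qtwebengine 6`. The commented-out `libsoup-2.74.3`/`libxml2-2.13.8` entries are dead text and can be deleted instead of kept as placeholders.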
@@ -10,6 +10,7 @@ let in { imports = [ ./options.nix ]; + config = mkIf cfg.enable { boot = { loader = { diff --git a/modules/nixos/hardware/raspberry-pi/default.nix b/modules/nixos/hardware/raspberry-pi/default.nix index fe1110c..34f087e 100644 --- a/modules/nixos/hardware/raspberry-pi/default.nix +++ b/modules/nixos/hardware/raspberry-pi/default.nix @@ -26,34 +26,18 @@ in environment.systemPackages = with pkgs; [ + i2c-tools libraspberrypi raspberrypi-eeprom raspberrypifw raspberrypiWirelessFirmware raspberrypi-armstubs - ] - ++ lib.optionals (cfg.variant == "4") [ - i2c-tools - ] - ++ lib.optionals (cfg.variant == "5") [ erofs-utils fex squashfuse squashfsTools ]; - # Common nixpkgs overlays for Raspberry Pi - nixpkgs.overlays = lib.mkAfter [ - (_self: super: { - # This is used in (modulesPath + "/hardware/all-firmware.nix") when at least - # enableRedistributableFirmware is enabled - inherit (super) raspberrypiWirelessFirmware; - # Some derivations want to use it as an input, - # e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules - inherit (super) raspberrypifw; - }) - ]; - # Common Bluetooth configuration systemd.services.btattach = { before = [ "bluetooth.service" ]; @@ -65,14 +49,13 @@ in }; # Common hardware settings - hardware.i2c.enable = lib.mkIf (cfg.variant == "4") true; + hardware.i2c.enable = lib.mkDefault true; - # Pi 5 specific settings - hardware.graphics.enable32Bit = lib.mkIf (cfg.variant == "5") (lib.mkForce false); - zramSwap.enable = lib.mkIf (cfg.variant == "5") true; + # Pi specific settings + hardware.graphics.enable32Bit = lib.mkForce false; - # Pi 5 specific system tags - system.nixos.tags = lib.mkIf (cfg.variant == "5") ( + # Pi specific system tags + system.nixos.tags = ( let bootCfg = config.boot.loader.raspberry-pi; in diff --git a/modules/nixos/impermanence/default.nix b/modules/nixos/impermanence/default.nix index bb8752f..86328cb 100755 --- a/modules/nixos/impermanence/default.nix +++ b/modules/nixos/impermanence/default.nix 
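Review bot: The `nixpkgs.overlays` entry that re-exported `raspberrypiWirelessFirmware` and `raspberrypifw` is removed from this shared module but re-added only in pi4's `default.nix` further down in this diff, so the Pi 5 configuration no longer carries it. If `nixos-raspberrypi.nixosModules.nixpkgs-rpi` (imported in flake.nix) now supplies those attributes this is fine, but the module's own comment says `all-firmware.nix` depends on them, so I would confirm on the pi5 build and leave a note here: `# raspberrypifw/raspberrypiWirelessFirmware now come from nixos-raspberrypi's nixpkgs-rpi module; pi4 keeps a local overlay`. Also note `i2c-tools` and the erofs/squashfs utilities are now installed unconditionally, so `cfg.variant` may no longer be read anywhere in this module.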
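Review bot: `hardware.i2c.enable = lib.mkDefault true` now applies to every Pi variant instead of only variant 4; in nixpkgs that option, as I recall, creates the `i2c` group and installs a udev rule granting that group read/write on `/dev/i2c-*`, so on the Pi 5 this widens device access relative to the previous configuration. If the Pi 5 does not need userland I2C, gate it again with `hardware.i2c.enable = lib.mkDefault (cfg.variant == "4");`, or at least add a comment stating which users are expected to be members of `i2c`. Separately, `system.nixos.tags` is now unconditional and reads `config.boot.loader.raspberry-pi`, so this module hard-requires that loader option on every importing host; the `let` that reads it continues past the end of this hunk.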
@@ -23,11 +23,6 @@ in "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" "/var/lib/tailscale" - "/var/lib/homeassistant" - "/var/lib/mosquitto" - "/var/lib/music-assistant" - "/var/lib/postgresql" - "/var/lib/zigbee2mqtt" { directory = "/var/lib/colord"; user = "colord"; @@ -40,12 +35,6 @@ in group = "root"; mode = "u=rwx,g=rx,o=rx"; } - { - directory = "/var/lib/private/authentik/media"; - user = "authentik"; - group = "authentik"; - mode = "u=rwx,g=,o="; - } { directory = "/var/lib/private"; mode = "u=rwx,g=rx,o="; 
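Review bot: With the authentik entry removed, the persisted `/var/lib/private` that follows it keeps `mode = "u=rwx,g=rx,o="` (0750), while systemd's `DynamicUser=` machinery, as far as I know, expects `/var/lib/private` to be root-owned 0700 and a looser mode there has been a recurring cause of DynamicUser services failing to set up their `StateDirectory` under impermanence. The commented-out `chmod 0700 /var/lib/private` activation script deleted later in this file suggests this was hit before, so rather than dropping that workaround silently I would fix the entry: `mode = "u=rwx,g=,o=";` with a comment `# must stay 0700: systemd DynamicUser= expects a root-only /var/lib/private`. The directories list this hunk edits begins before the hunk.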
@@ -56,203 +45,15 @@ in group = "jallen-nas"; mode = "u=rwx,g=rx,o=rx"; } - { - directory = "/var/lib/crowdsec"; - user = "crowdsec"; - group = "crowdsec"; - mode = "u=rwx,g=rwx,o=rx"; - } - { - directory = "/plugins-storage"; - user = "traefik"; - group = "traefik"; - mode = "u=rwx,g=rwx,o=rx"; - } - ]; + ] ++ cfg.extraDirectories; files = [ "/etc/machine-id" - ]; + ] ++ cfg.extraFiles; }; security.sudo.extraConfig = '' # rollback results in sudo lectures after each reboot Defaults lecture = never ''; - - # system.activationScripts = { - # "var-lib-private-permissions" = { - # deps = [ "createPersistentStorageDirs" ]; - # text = '' - # mkdir -p /var/lib/private - # chmod 0700 /var/lib/private - # ''; - # }; - # }; - - # boot.initrd.systemd.services.rootfs-cleanup = { - # description = "Clean file system root"; - # wantedBy = [ - # "initrd.target" - # ]; - # after = [ - # "initrd-root-device.target" - # ]; - # before = [ - # "sysroot.mount" - # ]; - # unitConfig.DefaultDependencies = "no"; - # serviceConfig.Type = "oneshot"; - # script = - # if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "btrfs") then - # '' - # # workaround for machines without working rtc battery - # # The time may not yet be correctly set, so wait until it is - # if [[ $(date '+%s') -lt 1730469314 ]]; then - # sleep 30 # this should hopefully be enough - # fi - # mkdir /btrfs_tmp - # mount ${config.fileSystems."/".device} -t btrfs /btrfs_tmp - # if [[ -e /btrfs_tmp/root ]]; then - # mkdir -p /btrfs_tmp/old_roots - # timestamp=$(date --date="@$(stat -c %X /btrfs_tmp/root)" "+%Y-%m-%d_%H:%M:%S") - # mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" - # fi - - # delete_subvolume_recursively() { - # IFS=$'\n' - # for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do - # delete_subvolume_recursively "/btrfs_tmp/$i" - # done - # btrfs subvolume delete "$1" || rm -rf "$1" - # } - - # for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -atime +30); do - # 
delete_subvolume_recursively "$i" - # done - - # btrfs subvolume create /btrfs_tmp/root - # umount /btrfs_tmp - # '' - # else if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "bcachefs") then - # '' - # # workaround for machines without working rtc battery - # # The time may not yet be correctly set, so wait until it is - # if [[ $(date '+%s') -lt 1730469314 ]]; then - # sleep 30 # this should hopefully be enough - # fi - # if [[ -e /root_tmp/root ]]; then - # mkdir -p /root_tmp/old_roots - # timestamp=$(date --date="@$(stat -c %X /root_tmp/root)" "+%Y-%m-%d_%H:%M:%S") - # mv /root_tmp/root "/root_tmp/old_roots/$timestamp" - # fi - - # for i in $(find /root_tmp/old_roots/ -maxdepth 1 -atime +30); do - # bcachefs subvolume delete $i - # done - - # bcachefs subvolume create /root_tmp/root - # '' - # else - # # For tmpfs or other filesystems, do nothing - # ""; - # }; - - # assertions = [ - # { - # assertion = hasAttr "/" config.fileSystems; - # message = "To use impermanence, you need to define a root volume"; - # } - - # { - # assertion = - # if hasAttr "/" config.fileSystems then - # config.fileSystems."/".fsType == "btrfs" - # || config.fileSystems."/".fsType == "bcachefs" - # || config.fileSystems."/".fsType == "tmpfs" - # else - # false; - # message = "rootfs must be btrfs, bcachefs, or tmpfs; not " + config.fileSystems."/".fsType; - # } - - # { - # assertion = - # if - # hasAttr "/" config.fileSystems - # && (config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs") - # then - # any ( - # t: t == "subvol=root" || t == "subvol=/root" || t == "X-mount.subdir=root" - # ) config.fileSystems."/".options - # else - # true; - # message = "btrfs or bcachefs rootfs must mount subvolume root"; - # } - # { - # assertion = !config.boot.isContainer; - # message = "impermanence is not supported in containers"; - # } - # ]; - - # environment.persistence.${cfg.persistencePath} = { - # hideMounts = true; - # directories = [ 
- # "/var/lib/bluetooth" - # "/var/lib/iwd" - # "/var/lib/nixos" - # "/var/lib/libvirt" - # "/var/lib/waydroid" - # "/var/lib/systemd/coredump" - # "/etc/NetworkManager/system-connections" - # "/var/lib/tailscale" - # "/var/lib/homeassistant" - # "/var/lib/mosquitto" - # "/var/lib/music-assistant" - # "/var/lib/postgresql" - # "/var/lib/zigbee2mqtt" - # { - # directory = "/var/lib/colord"; - # user = "colord"; - # group = "colord"; - # mode = "u=rwx,g=rx,o="; - # } - # { - # directory = "/etc/nix"; - # user = "root"; - # group = "root"; - # mode = "u=rwx,g=rx,o=rx"; - # } - # { - # directory = "/var/lib/private/authentik/media"; - # user = "authentik"; - # group = "authentik"; - # mode = "u=rwx,g=,o="; - # } - # { - # directory = "/var/lib/private"; - # mode = "u=rwx,g=rx,o="; - # } - # { - # directory = "/media/nas"; - # user = "nas-apps"; - # group = "jallen-nas"; - # mode = "u=rwx,g=rx,o=rx"; - # } - # { - # directory = "/var/lib/crowdsec"; - # user = "crowdsec"; - # group = "crowdsec"; - # mode = "u=rwx,g=rwx,o=rx"; - # } - # { - # directory = "/plugins-storage"; - # user = "traefik"; - # group = "traefik"; - # mode = "u=rwx,g=rwx,o=rx"; - # } - # ]; - # files = [ - # "/etc/machine-id" - # ]; - # }; }; } diff --git a/modules/nixos/impermanence/options.nix b/modules/nixos/impermanence/options.nix index 11a10ee..5cfb9bd 100644 --- a/modules/nixos/impermanence/options.nix +++ b/modules/nixos/impermanence/options.nix @@ -1,6 +1,10 @@ { lib, namespace, ... }: with lib; +let + inherit (lib.mjallen) mkOpt; +in { + options.${namespace}.impermanence = { enable = mkEnableOption "enable impermanence"; persistencePath = mkOption { 
@@ -8,5 +12,31 @@ with lib; default = "/nix/persist/system"; description = "Path to the persistence directory"; }; + + # extraDirectories = mkOpt (types.listOf types.path) [ ] "Extra directory paths to add to impermanence"; + extraDirectories = mkOpt (types.listOf (types.either types.str (types.submodule { + options = { + directory = mkOption { + type = types.str; + description = "Directory path"; + }; + user = mkOption { + type = types.str; + default = "root"; + description = "Directory owner"; + }; + group = mkOption { + type = types.str; + default = "root"; + description = "Directory group"; + }; + mode = mkOption { + type = types.str; + default = "u=rwx,g=rx,o="; + description = "Directory permissions"; + }; + }; + }))) [ ] "Extra directory paths to add to impermanence"; + extraFiles = mkOpt (types.listOf types.path) [ ] "Extra file paths to add to impermanence"; }; } diff --git a/modules/nixos/network/default.nix b/modules/nixos/network/default.nix index b6b9b52..a2d24e7 100644 --- a/modules/nixos/network/default.nix +++ b/modules/nixos/network/default.nix @@ -7,6 +7,45 @@ with lib; let cfg = config.${namespace}.network; + + profiles = + let + make = + name: profile: + nameValuePair "${name}" { + connection = { + id = name; + type = profile.type; + autoconnect = profile.autoconnect; + autoconnect-retries = profile.autoconnect-retries; + autoconnect-priority = profile.priority; + interface-name = cfg.ipv4.interface; + }; + ipv4 = + { + method = cfg.ipv4.method; + } // (if (cfg.ipv4.method == "auto") then { } + else + { + address = cfg.ipv4.address; + gateway = cfg.ipv4.gateway; + dns = cfg.ipv4.dns; + }); + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + wifi = mkIf (profile.type == "wifi") { + mode = "infrastructure"; + ssid = profile.ssid; + }; + wifi-security = mkIf (profile.type == "wifi") { + key-mgmt = profile.keyMgmt; + psk = profile.psk; + }; + }; + in + mapAttrs' make cfg.networkmanager.profiles; in { imports = [ 
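Review bot: `extraFiles` is typed `types.listOf types.path` while `extraDirectories` uses `types.str`, so a host can pass a Nix path literal such as `/etc/foo` here; if that value is ever interpolated into a string downstream it is copied into the world-readable Nix store rather than referenced in place, which for a persisted secret-bearing file would be a leak. Use `extraFiles = mkOpt (types.listOf types.str) [ ] "Extra file paths to add to impermanence";` so both options behave alike (or `types.either types.str types.path` with a comment explaining the difference), and delete the commented-out `# extraDirectories = mkOpt (types.listOf types.path) ...` line. The submodule defaults (`root:root`, `u=rwx,g=rx,o=`) are sensible but should be stated where hosts will read them, e.g. `description = "Directory permissions; defaults to 0750 root:root, set user/group for service-owned state";`.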
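Review bot: `interface-name = cfg.ipv4.interface` is written into every generated profile, and `cfg.ipv4.interface` defaults to `""`, so a host that does not set it (matt-nixos after this change) gets an empty `interface-name=` in the keyfile, which NetworkManager may treat as unset or may reject; only emit it when non-empty, `interface-name = mkIf (cfg.ipv4.interface != "") cfg.ipv4.interface;`. The manual-IPv4 branch now writes `address = cfg.ipv4.address` where the removed code wrote `address1`; the numbered key is the documented keyfile form, so either restore `address1` or confirm with `nmcli connection show <id>` that the address actually lands. Note also that `profile.ssid` defaults to `""` in options.nix and `make` does not guard against it, so a wifi profile that omits `ssid` produces an empty `ssid=`.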
@@ -75,47 +114,18 @@ in }) # Enable NetworkManager when wifi is enabled and iwd is disabled - (mkIf (cfg.wifi.enable && !cfg.iwd.enable) { + (mkIf (cfg.networkmanager.enable && !cfg.iwd.enable) { enable = true; - wifi.powersave = cfg.wifi.powersave; + wifi.powersave = cfg.networkmanager.powersave; settings.connectivity.uri = mkDefault "http://nmcheck.gnome.org/check_network_status.txt"; # Configure WiFi profiles if any are defined - ensureProfiles = mkIf (cfg.wifi.profiles != { }) { + ensureProfiles = mkIf (cfg.networkmanager.profiles != { }) { environmentFiles = [ config.sops.secrets.wifi.path ]; - profiles = mapAttrs (name: profile: { - connection = { - id = name; - type = "wifi"; - }; - ipv4 = - if (cfg.ipv4.method == "auto") then - { - method = "auto"; - } - else - { - address1 = cfg.ipv4.address; - dns = cfg.ipv4.dns; - gateway = cfg.ipv4.gateway; - method = "manual"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - wifi = { - mode = "infrastructure"; - ssid = profile.ssid; - }; - wifi-security = { - key-mgmt = profile.keyMgmt; - psk = profile.psk; - }; - }) cfg.wifi.profiles; + profiles = profiles; }; }) ]; diff --git a/modules/nixos/network/options.nix b/modules/nixos/network/options.nix index 12a04ee..099ec01 100644 --- a/modules/nixos/network/options.nix +++ b/modules/nixos/network/options.nix 
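Review bot: `environmentFiles = [ config.sops.secrets.wifi.path ]` is now evaluated whenever `cfg.networkmanager.profiles != { }`, and since options.nix ships non-empty default profiles and `networkmanager.enable` defaults to true, every host with NetworkManager must declare the `wifi` sops secret even if it only defines an ethernet profile (pi4's `static-enabcm6e4ei0`) or has no wifi hardware. Gate the secret on actually having a wifi profile, e.g. `environmentFiles = lib.optional (lib.any (p: p.type == "wifi") (lib.attrValues cfg.networkmanager.profiles)) config.sops.secrets.wifi.path;`, so wired-only hosts do not need to carry the PSK file at all. The `mkMerge` list this hunk belongs to starts before the hunk.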
@@ -4,159 +4,89 @@ ... }: with lib; +let + inherit (lib.mjallen) mkOpt mkBoolOpt; +in { - options.${namespace}.network = with types; { - hostName = lib.mkOption { - type = str; - default = "nixos"; - description = "The hostname of the system."; - }; + options.${namespace}.network = { + + hostName = mkOpt types.str "nixos" "The hostname of the system."; ipv4 = { - method = mkOption { - type = types.str; - default = "auto"; - description = "Method for IPv4 configuration (auto or manual)."; - }; - address = lib.mkOption { - type = types.str; - default = "10.0.1.1/24"; - description = "IPv4 address with subnet mask (e.g., 10.0.1.1/24)."; - }; - gateway = lib.mkOption { - type = types.str; - default = "10.0.1.1"; - description = "IPv4 default gateway."; - }; - interface = lib.mkOption { - type = types.str; - default = ""; - description = "Interface for the default gateway (required when using networkd)."; - }; - dns = lib.mkOption { - type = types.str; - default = "10.0.1.1"; - description = "IPv4 DNS server."; - }; + method = mkOpt types.str "auto" "Method for IPv4 configuration (auto or manual)."; + + address = mkOpt types.str "10.0.1.1/24" "IPv4 address with subnet mask (e.g., 10.0.1.1/24)."; + + gateway = mkOpt types.str "10.0.1.1" "IPv4 default gateway."; + + interface = mkOpt types.str "" "Interface for the default gateway (required when using networkd)."; + + dns = mkOpt types.str "10.0.1.1" "IPv4 DNS server."; }; - useNetworkd = mkOption { - type = types.bool; - default = false; - description = "Whether to use systemd-networkd for networking."; - }; + useNetworkd = mkBoolOpt false "Whether to use systemd-networkd for networking."; nat = { - enable = mkOption { - type = types.bool; - default = false; - description = "Whether to enable NAT."; - }; - internalInterfaces = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "List of internal interfaces for NAT."; - }; - externalInterface = mkOption { - type = types.str; - default = ""; - 
description = "External interface for NAT."; - }; - enableIPv6 = mkOption { - type = types.bool; - default = false; - description = "Whether to enable IPv6 NAT."; - }; + enable = mkBoolOpt false "Whether to enable NAT."; + + internalInterfaces = mkOpt (types.listOf types.str) [ ] "List of internal interfaces for NAT."; + + externalInterface = mkOpt types.str "" "External interface for NAT."; + + enableIPv6 = mkBoolOpt false "Whether to enable IPv6 NAT."; }; firewall = { - enable = mkOption { - type = types.bool; - default = true; - description = "Whether to enable the firewall."; - }; - allowPing = mkOption { - type = types.bool; - default = true; - description = "Whether to allow ICMP ping."; - }; - allowedTCPPorts = mkOption { - type = types.listOf types.port; - default = [ ]; - description = "List of allowed TCP ports."; - }; - allowedUDPPorts = mkOption { - type = types.listOf types.port; - default = [ ]; - description = "List of allowed UDP ports."; - }; - trustedInterfaces = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "List of trusted interfaces."; - }; + enable = mkBoolOpt true "Whether to enable the firewall."; + + allowPing = mkBoolOpt true "Whether to allow ICMP ping."; + + allowedTCPPorts = mkOpt (types.listOf types.port) [ ] "List of allowed TCP ports."; + + allowedUDPPorts = mkOpt (types.listOf types.port) [ ] "List of allowed UDP ports."; + + trustedInterfaces = mkOpt (types.listOf types.str) [ ] "List of trusted interfaces."; }; - wifi = { - enable = mkOption { - type = types.bool; - default = true; - description = "Whether to enable WiFi configuration."; - }; - powersave = mkOption { - type = types.bool; - default = false; - description = "Whether to enable WiFi power saving."; - }; - profiles = mkOption { - type = types.attrsOf ( + networkmanager = { + enable = mkBoolOpt true "Whether to enable WiFi configuration."; + + powersave = mkBoolOpt false "Whether to enable WiFi power saving."; + + profiles = mkOpt 
(types.attrsOf ( types.submodule { options = { - ssid = mkOption { - type = types.str; - description = "SSID of the WiFi network."; - }; - psk = mkOption { - type = types.str; - default = "$PSK"; - description = "PSK environment variable for the WiFi password."; - }; - keyMgmt = mkOption { - type = types.str; - default = "sae"; - description = "Key management type (e.g., sae, wpa-psk)."; - }; + ssid = mkOpt types.str "" "SSID of the WiFi network."; + + type = mkOpt types.str "wifi" "type of the network.(wifi/ethernet)"; + + autoconnect = mkBoolOpt true "autoconnect to this connection"; + + autoconnect-retries = mkOpt types.int (-1) "The number of times a connection should be tried when autoactivating before giving up. Zero means forever, -1 means the global default (4 times if not overridden)"; + + priority = mkOpt types.int 0 "connection priority in range -999 to 999. The higher number means higher priority."; + + psk = mkOpt types.str "$PSK" "PSK environment variable for the WiFi password."; + + keyMgmt = mkOpt types.str "sae" "Key management type (e.g., sae, wpa-psk)."; }; } - ); - default = { }; - description = "WiFi network profiles."; - }; + )) + { + "Joey's Jungle 6G" = { priority = -900; }; + "Joey's Jungle 5G" = { priority = -999; }; + } + "network profiles."; }; - hostId = mkOption { - type = types.str; - default = ""; - description = "Host ID for ZFS and other services."; - }; + hostId = mkOpt types.str "" "Host ID for ZFS and other services."; iwd = { - enable = mkOption { - type = types.bool; - default = false; - description = "Whether to enable iwd for wireless networking."; - }; - settings = mkOption { - type = types.attrs; - default = { }; - description = "Settings for iwd."; - }; + enable = mkBoolOpt false "Whether to enable iwd for wireless networking."; + + settings = mkOpt types.attrs { } "Settings for iwd."; }; - extraFirewallCommands = mkOption { - type = types.str; - default = ""; - description = "Extra commands for the firewall."; - }; + 
extraFirewallCommands = mkOpt types.str "" "Extra commands for the firewall."; }; } diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 57ba915..15e01e5 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -35,15 +35,8 @@ nixpkgs = { config = { - allowUnfree = lib.mkForce true; cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable; allowUnsupportedSystem = true; - permittedInsecurePackages = [ - # ... - "libsoup-2.74.3" - "libxml2-2.13.8" - "qtwebengine-5.15.19" - ]; }; }; } diff --git a/systems/aarch64-linux/pi4/boot.nix b/systems/aarch64-linux/pi4/boot.nix index f7c82f3..ffa97dc 100755 --- a/systems/aarch64-linux/pi4/boot.nix +++ b/systems/aarch64-linux/pi4/boot.nix @@ -1,47 +1,12 @@ -# { pkgs, lib, ... }: -# let -# uefi_pi4 = pkgs.callPackage ./pi4-uefi.nix { }; -# in -# { -# boot = { -# loader = { -# systemd-boot.enable = lib.mkForce false; -# efi.canTouchEfiVariables = false; -# generic-extlinux-compatible.enable = lib.mkForce true; -# }; -# plymouth.enable = false; -# kernelPackages = pkgs.linuxPackages_rpi4; -# kernelModules = [ "i2c-dev" "i2c-bcm2835" ]; -# initrd.kernelModules = [ "i2c-dev" "i2c-bcm2835" ]; -# }; -# # environment.systemPackages = [ uefi_pi4 ]; - -# # Copy UEFI firmware files to the boot partition -# # system.activationScripts.installUEFIFirmware.text = '' -# # cp -r ${uefi_pi4}/share/uefi_rpi4/* /boot/firmware/ -# # ''; -# } { - config, pkgs, - lib, ... }: let kernelBundle = pkgs.linuxAndFirmware.latest; in { - system.nixos.tags = - let - cfg = config.boot.loader.raspberry-pi; - in - [ - "raspberry-pi-${cfg.variant}" - cfg.bootloader - config.boot.kernelPackages.kernel.version - ]; - - boot = lib.mkForce { + boot = { loader.raspberry-pi = { firmwarePackage = kernelBundle.raspberrypifw; variant = "4"; diff --git a/systems/aarch64-linux/pi4/default.nix b/systems/aarch64-linux/pi4/default.nix index c548459..58f1dda 100755 --- a/systems/aarch64-linux/pi4/default.nix 
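Review bot: The profile submodule defaults `ssid` to `""` and the new default profiles `"Joey's Jungle 6G"`/`"Joey's Jungle 5G"` do not set it, so the generated wifi connections carry an empty `ssid=`; the per-host definitions this replaces (matt-nixos, nuc-nixos) set `ssid` explicitly. Default it to the attribute name by letting the submodule see it: `types.submodule ({ name, ... }: { options = { ssid = mkOpt types.str name "SSID of the WiFi network (defaults to the profile name)."; ... }; })`. Separately, baking home SSIDs into the module's option defaults means every host with `networkmanager.enable` (default true) now ships those profiles and needs the `$PSK` environment file, NAS included; I would keep `profiles` defaulting to `{ }` and declare the two networks only on the hosts that use them. The `networkmanager.enable` description still reads "Whether to enable WiFi configuration" — change it to `"Whether to enable NetworkManager."`.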
+++ b/systems/aarch64-linux/pi4/default.nix @@ -10,10 +10,20 @@ imports = [ ./adguard.nix ./boot.nix - ./networking.nix # - moved to modules/nixos/network ./sops.nix ]; + nixpkgs.overlays = [ + (_self: super: { + # This is used in (modulesPath + "/hardware/all-firmware.nix") when at least + # enableRedistributableFirmware is enabled + inherit (super) raspberrypiWirelessFirmware; + # Some derivations want to use it as an input, + # e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules + inherit (super) raspberrypifw; + }) + ]; + ${namespace} = { impermanence.enable = true; hardware = { @@ -38,7 +48,7 @@ address = "10.0.1.2/24"; gateway = "10.0.1.1"; dns = "1.1.1.1"; - interface = "end0"; + interface = "enabcm6e4ei0"; }; firewall = { enable = true; @@ -46,16 +56,13 @@ allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; }; - wifi = { - enable = true; - powersave = false; + networkmanger = { + profiles = { + "static-enabcm6e4ei0" = { + type = "ethernet"; + }; + }; }; }; }; - - # Root user configuration - explicit to avoid conflicts with home-manager - users.users.root = { - isSystemUser = true; - isNormalUser = false; - }; } diff --git a/systems/aarch64-linux/pi5/default.nix b/systems/aarch64-linux/pi5/default.nix index bb33186..d9774f0 100644 --- a/systems/aarch64-linux/pi5/default.nix +++ b/systems/aarch64-linux/pi5/default.nix @@ -30,16 +30,6 @@ }; network = { hostName = "pi5"; - ipv4 = { - method = "manual"; - gateway = "10.0.1.1"; - dns = "10.0.1.1"; - interface = "wlan0"; - }; - firewall = { - enable = true; - allowPing = true; - }; }; }; } diff --git a/systems/aarch64-linux/pi5/networking.nix b/systems/aarch64-linux/pi5/networking.nix deleted file mode 100755 index e8b0739..0000000 --- a/systems/aarch64-linux/pi5/networking.nix +++ /dev/null 
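Review bot: `networkmanger = {` is misspelled, so this defines `${namespace}.network.networkmanger`, an option options.nix does not declare; the module system will reject the configuration at evaluation time ("The option ... does not exist"), and even if it were accepted the `static-enabcm6e4ei0` ethernet profile would never be generated. Change it to `networkmanager = {`. While here, the profile set still inherits the default wifi profiles from options.nix, so pi4 will also get the two `Joey's Jungle` connections unless you write `networkmanager.profiles = lib.mkForce { ... };` or the defaults are removed from the option.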
@@ -1,18 +0,0 @@ -{ ... }: -let - hostname = "pi5"; -in -{ - # Networking configs - networking = { - hostName = hostname; - - defaultGateway.address = "10.0.1.1"; - nameservers = [ "10.0.1.1" ]; - - firewall = { - enable = true; - allowPing = true; - }; - }; -} diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index 17f3b51..a921e49 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix @@ -70,7 +70,29 @@ # # Impermanence # # # ################################################### - impermanence.enable = true; + impermanence = { + enable = true; + extraDirectories = [ + { + directory = "/var/lib/private/authentik/media"; + user = "authentik"; + group = "authentik"; + mode = "u=rwx,g=,o="; + } + { + directory = "/var/lib/crowdsec"; + user = "crowdsec"; + group = "crowdsec"; + mode = "u=rwx,g=rwx,o=rx"; + } + { + directory = "/plugins-storage"; + user = "traefik"; + group = "traefik"; + mode = "u=rwx,g=rwx,o=rx"; + } + ]; + }; # ################################################### # # Monitoring # # diff --git a/systems/x86_64-linux/matt-nixos/default.nix b/systems/x86_64-linux/matt-nixos/default.nix index 7e36ba6..e1eed7a 100644 --- a/systems/x86_64-linux/matt-nixos/default.nix +++ b/systems/x86_64-linux/matt-nixos/default.nix @@ -53,16 +53,6 @@ network = { hostName = "matt-nixos"; - wifi = { - enable = true; - powersave = false; - profiles = { - "Joey's Jungle 6G" = { - ssid = "Joey's Jungle 6G"; - keyMgmt = "sae"; - }; - }; - }; }; }; diff --git a/systems/x86_64-linux/nuc-nixos/default.nix b/systems/x86_64-linux/nuc-nixos/default.nix index fb3c138..c53342a 100644 --- a/systems/x86_64-linux/nuc-nixos/default.nix +++ b/systems/x86_64-linux/nuc-nixos/default.nix 
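Review bot: The `/var/lib/crowdsec` and `/plugins-storage` entries are persisted with `mode = "u=rwx,g=rwx,o=rx"`, i.e. group-writable and world-listable, for state that presumably includes crowdsec's SQLite database (bouncer/machine credentials) and the plugin code traefik downloads and executes. Unless another group genuinely needs to write there, tighten both to `mode = "u=rwx,g=rx,o=";`, and if group write is required say which group and why in a comment, e.g. `# g=rwx: <service> writes here as group <grp>`. The authentik entry just above, at `u=rwx,g=,o=`, is the pattern to follow.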
@@ -24,7 +24,16 @@ # # Impermanence # # # ################################################### - impermanence.enable = true; + impermanence = { + enable = true; + extraDirectories = [ + "/var/lib/homeassistant" + "/var/lib/mosquitto" + "/var/lib/music-assistant" + "/var/lib/postgresql" + "/var/lib/zigbee2mqtt" + ]; + }; # ################################################### # # Network # # @@ -40,15 +49,6 @@ dns = "10.0.1.1"; interface = "wlo1"; }; - wifi = { - enable = true; - profiles = { - "Joey's Jungle 6G" = { - ssid = "Joey's Jungle 6G"; - keyMgmt = "sae"; - }; - }; - }; firewall = { enable = true; allowPing = true;
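Review bot: The five new `extraDirectories` entries are bare strings, so when a persist-side directory does not yet exist impermanence creates it with its own defaults (root-owned, 0755 as far as I recall) rather than owned by the service user; PostgreSQL in particular refuses to start on a data directory that is not 0700/0750 and owned by its user, and the other services would then depend on some later chown. Use the submodule form this commit introduces, e.g. `{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "u=rwx,g=,o="; }`, and the same for the other four with their actual service users, which also documents who owns the state. Check the names against the running system first (`stat -c '%U:%G %a' /var/lib/postgresql`) rather than guessing them.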