mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

stuff

Browse Source
This commit is contained in:
mjallen18
2025-09-02 19:23:08 -05:00
parent e79ae984a3
commit a6167bf31c
16 changed files with 226 additions and 508 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
flake.lock generated
View File

@@ -523,11 +523,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756734952, "lastModified": 1756842514,
"narHash": "sha256-H6jmduj4QIncLPAPODPSG/8ry9lpr1kRq6fYytU52qU=", "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "29ab63bbb3d9eee4a491f7ce701b189becd34068", "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -539,11 +539,11 @@
"homebrew-cask": { "homebrew-cask": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1756765009, "lastModified": 1756852744,
"narHash": "sha256-S+1wO+FU3F16oajoL9EC247nilW43a2uP4xA7Wbou1Q=", "narHash": "sha256-U9kI3DUaBthraFDPyoaPASZCwa4beIbPioKZqk/fRE0=",
"owner": "homebrew", "owner": "homebrew",
"repo": "homebrew-cask", "repo": "homebrew-cask",
"rev": "f9926314171dc3254715a87a534c09c7d77c04f2", "rev": "e08060d99e6e06d7d0d233439b2139d2f971d1a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -555,11 +555,11 @@
"homebrew-core": { "homebrew-core": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1756764042, "lastModified": 1756853188,
"narHash": "sha256-61qDXw6dK2OwBJzoi1F+EX26Iik4uYeQ0gFQkFJCmis=", "narHash": "sha256-lZnraCsn+6bILvM5Tv9WXGdZeTVzbwViOKB3086fw0w=",
"owner": "homebrew", "owner": "homebrew",
"repo": "homebrew-core", "repo": "homebrew-core",
"rev": "ebc12a06f7499c2dbd0c2b42ff0c4a3238075b01", "rev": "44c6c6065d93f93e90a66ddc2bfcd37746e9546b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -783,11 +783,11 @@
"nixpkgs": "nixpkgs_8" "nixpkgs": "nixpkgs_8"
}, },
"locked": { "locked": {
"lastModified": 1756692643, "lastModified": 1756778240,
"narHash": "sha256-SVos3AYuLvF6bD8Y0b6EiLABoEaiAOa4M/fTCBe0FV8=", "narHash": "sha256-fEN9e5eTYTYiLWDgIm0LpfBZ/IKEmP+BvmDtg2HeHUY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "2f1d16db96f1ce8ee3c893ea9dc49c0035846988", "rev": "88023dda65dbb10c52aa03b39a0426024ad8e543",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -962,11 +962,11 @@
}, },
"nixpkgs-stable_3": { "nixpkgs-stable_3": {
"locked": { "locked": {
"lastModified": 1756617294, "lastModified": 1756754095,
"narHash": "sha256-aGnd4AHIYCWQKChAkHPpX+YYCt7pA6y2LFFA/s8q0wQ=", "narHash": "sha256-9Rsn9XEWINExosFkKEqdp8EI6Mujr1gmQiyrEcts2ls=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b4c2c57c31e68544982226d07e4719a2d86302a8", "rev": "7c815e513adbf03c9098b2bd230c1e0525c8a7f9",
"type": "github" "type": "github"
}, },
"original": { "original": {

16
flake.nix
View File

@@ -193,7 +193,10 @@
disko.nixosModules.disko disko.nixosModules.disko
nixos-raspberrypi.nixosModules.raspberry-pi-4.base nixos-raspberrypi.nixosModules.raspberry-pi-4.base
nixos-raspberrypi.nixosModules.raspberry-pi-4.display-vc4 nixos-raspberrypi.nixosModules.raspberry-pi-4.display-vc4
nixos-raspberrypi.nixosModules.nixpkgs-rpi
nixos-raspberrypi.nixosModules.trusted-nix-caches
nixos-raspberrypi.lib.inject-overlays nixos-raspberrypi.lib.inject-overlays
nixos-raspberrypi.lib.inject-overlays-global
]; ];
}; };
@@ -206,7 +209,10 @@
nixos-raspberrypi.nixosModules.raspberry-pi-5.base nixos-raspberrypi.nixosModules.raspberry-pi-5.base
nixos-raspberrypi.nixosModules.raspberry-pi-5.display-vc4 nixos-raspberrypi.nixosModules.raspberry-pi-5.display-vc4
nixos-raspberrypi.nixosModules.raspberry-pi-5.bluetooth nixos-raspberrypi.nixosModules.raspberry-pi-5.bluetooth
nixos-raspberrypi.nixosModules.nixpkgs-rpi
nixos-raspberrypi.nixosModules.trusted-nix-caches
nixos-raspberrypi.lib.inject-overlays nixos-raspberrypi.lib.inject-overlays
nixos-raspberrypi.lib.inject-overlays-global
]; ];
}; };
@@ -221,7 +227,9 @@
}; };
}; };
overlays = with inputs; [ nix-vscode-extensions.overlays.default ]; overlays = with inputs; [
nix-vscode-extensions.overlays.default
];
}; };
# Configure Snowfall Lib, all of these settings are optional. # Configure Snowfall Lib, all of these settings are optional.
@@ -242,6 +250,12 @@
channels-config = { channels-config = {
allowUnfree = true; allowUnfree = true;
permittedInsecurePackages = [
# ...
# "libsoup-2.74.3"
# "libxml2-2.13.8"
"qtwebengine-5.15.19"
];
}; };
outputs-builder = channels: { outputs-builder = channels: {

1
modules/nixos/boot/lanzaboote/default.nix
View File

@@ -10,6 +10,7 @@ let
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
boot = { boot = {
loader = { loader = {

29
modules/nixos/hardware/raspberry-pi/default.nix
View File

@@ -26,34 +26,18 @@ in
environment.systemPackages = environment.systemPackages =
with pkgs; with pkgs;
[ [
i2c-tools
libraspberrypi libraspberrypi
raspberrypi-eeprom raspberrypi-eeprom
raspberrypifw raspberrypifw
raspberrypiWirelessFirmware raspberrypiWirelessFirmware
raspberrypi-armstubs raspberrypi-armstubs
]
++ lib.optionals (cfg.variant == "4") [
i2c-tools
]
++ lib.optionals (cfg.variant == "5") [
erofs-utils erofs-utils
fex fex
squashfuse squashfuse
squashfsTools squashfsTools
]; ];
# Common nixpkgs overlays for Raspberry Pi
nixpkgs.overlays = lib.mkAfter [
(_self: super: {
# This is used in (modulesPath + "/hardware/all-firmware.nix") when at least
# enableRedistributableFirmware is enabled
inherit (super) raspberrypiWirelessFirmware;
# Some derivations want to use it as an input,
# e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules
inherit (super) raspberrypifw;
})
];
# Common Bluetooth configuration # Common Bluetooth configuration
systemd.services.btattach = { systemd.services.btattach = {
before = [ "bluetooth.service" ]; before = [ "bluetooth.service" ];
@@ -65,14 +49,13 @@ in
}; };
# Common hardware settings # Common hardware settings
hardware.i2c.enable = lib.mkIf (cfg.variant == "4") true; hardware.i2c.enable = lib.mkDefault true;
# Pi 5 specific settings # Pi specific settings
hardware.graphics.enable32Bit = lib.mkIf (cfg.variant == "5") (lib.mkForce false); hardware.graphics.enable32Bit = lib.mkForce false;
zramSwap.enable = lib.mkIf (cfg.variant == "5") true;
# Pi 5 specific system tags # Pi specific system tags
system.nixos.tags = lib.mkIf (cfg.variant == "5") ( system.nixos.tags = (
let let
bootCfg = config.boot.loader.raspberry-pi; bootCfg = config.boot.loader.raspberry-pi;
in in

203
modules/nixos/impermanence/default.nix
View File

@@ -23,11 +23,6 @@ in
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/tailscale" "/var/lib/tailscale"
"/var/lib/homeassistant"
"/var/lib/mosquitto"
"/var/lib/music-assistant"
"/var/lib/postgresql"
"/var/lib/zigbee2mqtt"
{ {
directory = "/var/lib/colord"; directory = "/var/lib/colord";
user = "colord"; user = "colord";
@@ -40,12 +35,6 @@ in
group = "root"; group = "root";
mode = "u=rwx,g=rx,o=rx"; mode = "u=rwx,g=rx,o=rx";
} }
{
directory = "/var/lib/private/authentik/media";
user = "authentik";
group = "authentik";
mode = "u=rwx,g=,o=";
}
{ {
directory = "/var/lib/private"; directory = "/var/lib/private";
mode = "u=rwx,g=rx,o="; mode = "u=rwx,g=rx,o=";
@@ -56,203 +45,15 @@ in
group = "jallen-nas"; group = "jallen-nas";
mode = "u=rwx,g=rx,o=rx"; mode = "u=rwx,g=rx,o=rx";
} }
{ ] ++ cfg.extraDirectories;
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
mode = "u=rwx,g=rwx,o=rx";
}
{
directory = "/plugins-storage";
user = "traefik";
group = "traefik";
mode = "u=rwx,g=rwx,o=rx";
}
];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
]; ] ++ cfg.extraFiles;
}; };
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot # rollback results in sudo lectures after each reboot
Defaults lecture = never Defaults lecture = never
''; '';
# system.activationScripts = {
# "var-lib-private-permissions" = {
# deps = [ "createPersistentStorageDirs" ];
# text = ''
# mkdir -p /var/lib/private
# chmod 0700 /var/lib/private
# '';
# };
# };
# boot.initrd.systemd.services.rootfs-cleanup = {
# description = "Clean file system root";
# wantedBy = [
# "initrd.target"
# ];
# after = [
# "initrd-root-device.target"
# ];
# before = [
# "sysroot.mount"
# ];
# unitConfig.DefaultDependencies = "no";
# serviceConfig.Type = "oneshot";
# script =
# if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "btrfs") then
# ''
# # workaround for machines without working rtc battery
# # The time may not yet be correctly set, so wait until it is
# if [[ $(date '+%s') -lt 1730469314 ]]; then
# sleep 30 # this should hopefully be enough
# fi
# mkdir /btrfs_tmp
# mount ${config.fileSystems."/".device} -t btrfs /btrfs_tmp
# if [[ -e /btrfs_tmp/root ]]; then
# mkdir -p /btrfs_tmp/old_roots
# timestamp=$(date --date="@$(stat -c %X /btrfs_tmp/root)" "+%Y-%m-%d_%H:%M:%S")
# mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
# fi
# delete_subvolume_recursively() {
# IFS=$'\n'
# for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
# delete_subvolume_recursively "/btrfs_tmp/$i"
# done
# btrfs subvolume delete "$1" || rm -rf "$1"
# }
# for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -atime +30); do
# delete_subvolume_recursively "$i"
# done
# btrfs subvolume create /btrfs_tmp/root
# umount /btrfs_tmp
# ''
# else if (hasAttr "/" config.fileSystems) && (config.fileSystems."/".fsType == "bcachefs") then
# ''
# # workaround for machines without working rtc battery
# # The time may not yet be correctly set, so wait until it is
# if [[ $(date '+%s') -lt 1730469314 ]]; then
# sleep 30 # this should hopefully be enough
# fi
# if [[ -e /root_tmp/root ]]; then
# mkdir -p /root_tmp/old_roots
# timestamp=$(date --date="@$(stat -c %X /root_tmp/root)" "+%Y-%m-%d_%H:%M:%S")
# mv /root_tmp/root "/root_tmp/old_roots/$timestamp"
# fi
# for i in $(find /root_tmp/old_roots/ -maxdepth 1 -atime +30); do
# bcachefs subvolume delete $i
# done
# bcachefs subvolume create /root_tmp/root
# ''
# else
# # For tmpfs or other filesystems, do nothing
# "";
# };
# assertions = [
# {
# assertion = hasAttr "/" config.fileSystems;
# message = "To use impermanence, you need to define a root volume";
# }
# {
# assertion =
# if hasAttr "/" config.fileSystems then
# config.fileSystems."/".fsType == "btrfs"
# || config.fileSystems."/".fsType == "bcachefs"
# || config.fileSystems."/".fsType == "tmpfs"
# else
# false;
# message = "rootfs must be btrfs, bcachefs, or tmpfs; not " + config.fileSystems."/".fsType;
# }
# {
# assertion =
# if
# hasAttr "/" config.fileSystems
# && (config.fileSystems."/".fsType == "btrfs" || config.fileSystems."/".fsType == "bcachefs")
# then
# any (
# t: t == "subvol=root" || t == "subvol=/root" || t == "X-mount.subdir=root"
# ) config.fileSystems."/".options
# else
# true;
# message = "btrfs or bcachefs rootfs must mount subvolume root";
# }
# {
# assertion = !config.boot.isContainer;
# message = "impermanence is not supported in containers";
# }
# ];
# environment.persistence.${cfg.persistencePath} = {
# hideMounts = true;
# directories = [
# "/var/lib/bluetooth"
# "/var/lib/iwd"
# "/var/lib/nixos"
# "/var/lib/libvirt"
# "/var/lib/waydroid"
# "/var/lib/systemd/coredump"
# "/etc/NetworkManager/system-connections"
# "/var/lib/tailscale"
# "/var/lib/homeassistant"
# "/var/lib/mosquitto"
# "/var/lib/music-assistant"
# "/var/lib/postgresql"
# "/var/lib/zigbee2mqtt"
# {
# directory = "/var/lib/colord";
# user = "colord";
# group = "colord";
# mode = "u=rwx,g=rx,o=";
# }
# {
# directory = "/etc/nix";
# user = "root";
# group = "root";
# mode = "u=rwx,g=rx,o=rx";
# }
# {
# directory = "/var/lib/private/authentik/media";
# user = "authentik";
# group = "authentik";
# mode = "u=rwx,g=,o=";
# }
# {
# directory = "/var/lib/private";
# mode = "u=rwx,g=rx,o=";
# }
# {
# directory = "/media/nas";
# user = "nas-apps";
# group = "jallen-nas";
# mode = "u=rwx,g=rx,o=rx";
# }
# {
# directory = "/var/lib/crowdsec";
# user = "crowdsec";
# group = "crowdsec";
# mode = "u=rwx,g=rwx,o=rx";
# }
# {
# directory = "/plugins-storage";
# user = "traefik";
# group = "traefik";
# mode = "u=rwx,g=rwx,o=rx";
# }
# ];
# files = [
# "/etc/machine-id"
# ];
# };
}; };
} }

30
modules/nixos/impermanence/options.nix
View File

@@ -1,6 +1,10 @@
{ lib, namespace, ... }: { lib, namespace, ... }:
with lib; with lib;
let
inherit (lib.mjallen) mkOpt;
in
{ {
options.${namespace}.impermanence = { options.${namespace}.impermanence = {
enable = mkEnableOption "enable impermanence"; enable = mkEnableOption "enable impermanence";
persistencePath = mkOption { persistencePath = mkOption {
@@ -8,5 +12,31 @@ with lib;
default = "/nix/persist/system"; default = "/nix/persist/system";
description = "Path to the persistence directory"; description = "Path to the persistence directory";
}; };
# extraDirectories = mkOpt (types.listOf types.path) [ ] "Extra directory paths to add to impermanence";
extraDirectories = mkOpt (types.listOf (types.either types.str (types.submodule {
options = {
directory = mkOption {
type = types.str;
description = "Directory path";
};
user = mkOption {
type = types.str;
default = "root";
description = "Directory owner";
};
group = mkOption {
type = types.str;
default = "root";
description = "Directory group";
};
mode = mkOption {
type = types.str;
default = "u=rwx,g=rx,o=";
description = "Directory permissions";
};
};
}))) [ ] "Extra directory paths to add to impermanence";
extraFiles = mkOpt (types.listOf types.path) [ ] "Extra file paths to add to impermanence";
}; };
} }

76
modules/nixos/network/default.nix
View File

@@ -7,6 +7,45 @@
with lib; with lib;
let let
cfg = config.${namespace}.network; cfg = config.${namespace}.network;
profiles =
let
make =
name: profile:
nameValuePair "${name}" {
connection = {
id = name;
type = profile.type;
autoconnect = profile.autoconnect;
autoconnect-retries = profile.autoconnect-retries;
autoconnect-priority = profile.priority;
interface-name = cfg.ipv4.interface;
};
ipv4 =
{
method = cfg.ipv4.method;
} // (if (cfg.ipv4.method == "auto") then { }
else
{
address = cfg.ipv4.address;
gateway = cfg.ipv4.gateway;
dns = cfg.ipv4.dns;
});
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = mkIf (profile.type == "wifi") {
mode = "infrastructure";
ssid = profile.ssid;
};
wifi-security = mkIf (profile.type == "wifi") {
key-mgmt = profile.keyMgmt;
psk = profile.psk;
};
};
in
mapAttrs' make cfg.networkmanager.profiles;
in in
{ {
imports = [ imports = [
@@ -75,47 +114,18 @@ in
}) })
# Enable NetworkManager when wifi is enabled and iwd is disabled # Enable NetworkManager when wifi is enabled and iwd is disabled
(mkIf (cfg.wifi.enable && !cfg.iwd.enable) { (mkIf (cfg.networkmanager.enable && !cfg.iwd.enable) {
enable = true; enable = true;
wifi.powersave = cfg.wifi.powersave; wifi.powersave = cfg.networkmanager.powersave;
settings.connectivity.uri = mkDefault "http://nmcheck.gnome.org/check_network_status.txt"; settings.connectivity.uri = mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
# Configure WiFi profiles if any are defined # Configure WiFi profiles if any are defined
ensureProfiles = mkIf (cfg.wifi.profiles != { }) { ensureProfiles = mkIf (cfg.networkmanager.profiles != { }) {
environmentFiles = [ environmentFiles = [
config.sops.secrets.wifi.path config.sops.secrets.wifi.path
]; ];
profiles = mapAttrs (name: profile: { profiles = profiles;
connection = {
id = name;
type = "wifi";
};
ipv4 =
if (cfg.ipv4.method == "auto") then
{
method = "auto";
}
else
{
address1 = cfg.ipv4.address;
dns = cfg.ipv4.dns;
gateway = cfg.ipv4.gateway;
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = profile.ssid;
};
wifi-security = {
key-mgmt = profile.keyMgmt;
psk = profile.psk;
};
}) cfg.wifi.profiles;
}; };
}) })
]; ];

194
modules/nixos/network/options.nix
View File

@@ -4,159 +4,89 @@
... ...
}: }:
with lib; with lib;
let
inherit (lib.mjallen) mkOpt mkBoolOpt;
in
{ {
options.${namespace}.network = with types; { options.${namespace}.network = {
hostName = lib.mkOption {
type = str; hostName = mkOpt types.str "nixos" "The hostname of the system.";
default = "nixos";
description = "The hostname of the system.";
};
ipv4 = { ipv4 = {
method = mkOption { method = mkOpt types.str "auto" "Method for IPv4 configuration (auto or manual).";
type = types.str;
default = "auto"; address = mkOpt types.str "10.0.1.1/24" "IPv4 address with subnet mask (e.g., 10.0.1.1/24).";
description = "Method for IPv4 configuration (auto or manual).";
}; gateway = mkOpt types.str "10.0.1.1" "IPv4 default gateway.";
address = lib.mkOption {
type = types.str; interface = mkOpt types.str "" "Interface for the default gateway (required when using networkd).";
default = "10.0.1.1/24";
description = "IPv4 address with subnet mask (e.g., 10.0.1.1/24)."; dns = mkOpt types.str "10.0.1.1" "IPv4 DNS server.";
};
gateway = lib.mkOption {
type = types.str;
default = "10.0.1.1";
description = "IPv4 default gateway.";
};
interface = lib.mkOption {
type = types.str;
default = "";
description = "Interface for the default gateway (required when using networkd).";
};
dns = lib.mkOption {
type = types.str;
default = "10.0.1.1";
description = "IPv4 DNS server.";
};
}; };
useNetworkd = mkOption { useNetworkd = mkBoolOpt false "Whether to use systemd-networkd for networking.";
type = types.bool;
default = false;
description = "Whether to use systemd-networkd for networking.";
};
nat = { nat = {
enable = mkOption { enable = mkBoolOpt false "Whether to enable NAT.";
type = types.bool;
default = false; internalInterfaces = mkOpt (types.listOf types.str) [ ] "List of internal interfaces for NAT.";
description = "Whether to enable NAT.";
}; externalInterface = mkOpt types.str "" "External interface for NAT.";
internalInterfaces = mkOption {
type = types.listOf types.str; enableIPv6 = mkBoolOpt false "Whether to enable IPv6 NAT.";
default = [ ];
description = "List of internal interfaces for NAT.";
};
externalInterface = mkOption {
type = types.str;
default = "";
description = "External interface for NAT.";
};
enableIPv6 = mkOption {
type = types.bool;
default = false;
description = "Whether to enable IPv6 NAT.";
};
}; };
firewall = { firewall = {
enable = mkOption { enable = mkBoolOpt true "Whether to enable the firewall.";
type = types.bool;
default = true; allowPing = mkBoolOpt true "Whether to allow ICMP ping.";
description = "Whether to enable the firewall.";
}; allowedTCPPorts = mkOpt (types.listOf types.port) [ ] "List of allowed TCP ports.";
allowPing = mkOption {
type = types.bool; allowedUDPPorts = mkOpt (types.listOf types.port) [ ] "List of allowed UDP ports.";
default = true;
description = "Whether to allow ICMP ping."; trustedInterfaces = mkOpt (types.listOf types.str) [ ] "List of trusted interfaces.";
};
allowedTCPPorts = mkOption {
type = types.listOf types.port;
default = [ ];
description = "List of allowed TCP ports.";
};
allowedUDPPorts = mkOption {
type = types.listOf types.port;
default = [ ];
description = "List of allowed UDP ports.";
};
trustedInterfaces = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of trusted interfaces.";
};
}; };
wifi = { networkmanager = {
enable = mkOption { enable = mkBoolOpt true "Whether to enable WiFi configuration.";
type = types.bool;
default = true; powersave = mkBoolOpt false "Whether to enable WiFi power saving.";
description = "Whether to enable WiFi configuration.";
}; profiles = mkOpt (types.attrsOf (
powersave = mkOption {
type = types.bool;
default = false;
description = "Whether to enable WiFi power saving.";
};
profiles = mkOption {
type = types.attrsOf (
types.submodule { types.submodule {
options = { options = {
ssid = mkOption { ssid = mkOpt types.str "" "SSID of the WiFi network.";
type = types.str;
description = "SSID of the WiFi network."; type = mkOpt types.str "wifi" "type of the network.(wifi/ethernet)";
};
psk = mkOption { autoconnect = mkBoolOpt true "autoconnect to this connection";
type = types.str;
default = "$PSK"; autoconnect-retries = mkOpt types.int (-1) "The number of times a connection should be tried when autoactivating before giving up. Zero means forever, -1 means the global default (4 times if not overridden)";
description = "PSK environment variable for the WiFi password.";
}; priority = mkOpt types.int 0 "connection priority in range -999 to 999. The higher number means higher priority.";
keyMgmt = mkOption {
type = types.str; psk = mkOpt types.str "$PSK" "PSK environment variable for the WiFi password.";
default = "sae";
description = "Key management type (e.g., sae, wpa-psk)."; keyMgmt = mkOpt types.str "sae" "Key management type (e.g., sae, wpa-psk).";
};
}; };
} }
); ))
default = { }; {
description = "WiFi network profiles."; "Joey's Jungle 6G" = { priority = -900; };
}; "Joey's Jungle 5G" = { priority = -999; };
}
"network profiles.";
}; };
hostId = mkOption { hostId = mkOpt types.str "" "Host ID for ZFS and other services.";
type = types.str;
default = "";
description = "Host ID for ZFS and other services.";
};
iwd = { iwd = {
enable = mkOption { enable = mkBoolOpt false "Whether to enable iwd for wireless networking.";
type = types.bool;
default = false; settings = mkOpt types.attrs { } "Settings for iwd.";
description = "Whether to enable iwd for wireless networking.";
};
settings = mkOption {
type = types.attrs;
default = { };
description = "Settings for iwd.";
};
}; };
extraFirewallCommands = mkOption { extraFirewallCommands = mkOpt types.str "" "Extra commands for the firewall.";
type = types.str;
default = "";
description = "Extra commands for the firewall.";
};
}; };
} }

7
modules/nixos/nix/default.nix
View File

@@ -35,15 +35,8 @@
nixpkgs = { nixpkgs = {
config = { config = {
allowUnfree = lib.mkForce true;
cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable; cudaSupport = lib.mkDefault config.${namespace}.hardware.nvidia.enable;
allowUnsupportedSystem = true; allowUnsupportedSystem = true;
permittedInsecurePackages = [
# ...
"libsoup-2.74.3"
"libxml2-2.13.8"
"qtwebengine-5.15.19"
];
}; };
}; };
} }

37
systems/aarch64-linux/pi4/boot.nix
View File

@@ -1,47 +1,12 @@
# { pkgs, lib, ... }:
# let
# uefi_pi4 = pkgs.callPackage ./pi4-uefi.nix { };
# in
# {
# boot = {
# loader = {
# systemd-boot.enable = lib.mkForce false;
# efi.canTouchEfiVariables = false;
# generic-extlinux-compatible.enable = lib.mkForce true;
# };
# plymouth.enable = false;
# kernelPackages = pkgs.linuxPackages_rpi4;
# kernelModules = [ "i2c-dev" "i2c-bcm2835" ];
# initrd.kernelModules = [ "i2c-dev" "i2c-bcm2835" ];
# };
# # environment.systemPackages = [ uefi_pi4 ];
# # Copy UEFI firmware files to the boot partition
# # system.activationScripts.installUEFIFirmware.text = ''
# # cp -r ${uefi_pi4}/share/uefi_rpi4/* /boot/firmware/
# # '';
# }
{ {
config,
pkgs, pkgs,
lib,
... ...
}: }:
let let
kernelBundle = pkgs.linuxAndFirmware.latest; kernelBundle = pkgs.linuxAndFirmware.latest;
in in
{ {
system.nixos.tags = boot = {
let
cfg = config.boot.loader.raspberry-pi;
in
[
"raspberry-pi-${cfg.variant}"
cfg.bootloader
config.boot.kernelPackages.kernel.version
];
boot = lib.mkForce {
loader.raspberry-pi = { loader.raspberry-pi = {
firmwarePackage = kernelBundle.raspberrypifw; firmwarePackage = kernelBundle.raspberrypifw;
variant = "4"; variant = "4";

29
systems/aarch64-linux/pi4/default.nix
View File

@@ -10,10 +10,20 @@
imports = [ imports = [
./adguard.nix ./adguard.nix
./boot.nix ./boot.nix
./networking.nix # - moved to modules/nixos/network
./sops.nix ./sops.nix
]; ];
nixpkgs.overlays = [
(_self: super: {
# This is used in (modulesPath + "/hardware/all-firmware.nix") when at least
# enableRedistributableFirmware is enabled
inherit (super) raspberrypiWirelessFirmware;
# Some derivations want to use it as an input,
# e.g. raspberrypi-dtbs, omxplayer, sd-image-* modules
inherit (super) raspberrypifw;
})
];
${namespace} = { ${namespace} = {
impermanence.enable = true; impermanence.enable = true;
hardware = { hardware = {
@@ -38,7 +48,7 @@
address = "10.0.1.2/24"; address = "10.0.1.2/24";
gateway = "10.0.1.1"; gateway = "10.0.1.1";
dns = "1.1.1.1"; dns = "1.1.1.1";
interface = "end0"; interface = "enabcm6e4ei0";
}; };
firewall = { firewall = {
enable = true; enable = true;
@@ -46,16 +56,13 @@
allowedTCPPorts = [ 53 ]; allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 ];
}; };
wifi = { networkmanger = {
enable = true; profiles = {
powersave = false; "static-enabcm6e4ei0" = {
type = "ethernet";
};
};
}; };
}; };
}; };
# Root user configuration - explicit to avoid conflicts with home-manager
users.users.root = {
isSystemUser = true;
isNormalUser = false;
};
} }

10
systems/aarch64-linux/pi5/default.nix
View File

@@ -30,16 +30,6 @@
}; };
network = { network = {
hostName = "pi5"; hostName = "pi5";
ipv4 = {
method = "manual";
gateway = "10.0.1.1";
dns = "10.0.1.1";
interface = "wlan0";
};
firewall = {
enable = true;
allowPing = true;
};
}; };
}; };
} }

18
systems/aarch64-linux/pi5/networking.nix
View File

@@ -1,18 +0,0 @@
{ ... }:
let
hostname = "pi5";
in
{
# Networking configs
networking = {
hostName = hostname;
defaultGateway.address = "10.0.1.1";
nameservers = [ "10.0.1.1" ];
firewall = {
enable = true;
allowPing = true;
};
};
}

24
systems/x86_64-linux/jallen-nas/default.nix
View File

@@ -70,7 +70,29 @@
# # Impermanence # # # # Impermanence # #
# ################################################### # ###################################################
impermanence.enable = true; impermanence = {
enable = true;
extraDirectories = [
{
directory = "/var/lib/private/authentik/media";
user = "authentik";
group = "authentik";
mode = "u=rwx,g=,o=";
}
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
mode = "u=rwx,g=rwx,o=rx";
}
{
directory = "/plugins-storage";
user = "traefik";
group = "traefik";
mode = "u=rwx,g=rwx,o=rx";
}
];
};
# ################################################### # ###################################################
# # Monitoring # # # # Monitoring # #

10
systems/x86_64-linux/matt-nixos/default.nix
View File

@@ -53,16 +53,6 @@
network = { network = {
hostName = "matt-nixos"; hostName = "matt-nixos";
wifi = {
enable = true;
powersave = false;
profiles = {
"Joey's Jungle 6G" = {
ssid = "Joey's Jungle 6G";
keyMgmt = "sae";
};
};
};
}; };
}; };

20
systems/x86_64-linux/nuc-nixos/default.nix
View File

@@ -24,7 +24,16 @@
# # Impermanence # # # # Impermanence # #
# ################################################### # ###################################################
impermanence.enable = true; impermanence = {
enable = true;
extraDirectories = [
"/var/lib/homeassistant"
"/var/lib/mosquitto"
"/var/lib/music-assistant"
"/var/lib/postgresql"
"/var/lib/zigbee2mqtt"
];
};
# ################################################### # ###################################################
# # Network # # # # Network # #
@@ -40,15 +49,6 @@
dns = "10.0.1.1"; dns = "10.0.1.1";
interface = "wlo1"; interface = "wlo1";
}; };
wifi = {
enable = true;
profiles = {
"Joey's Jungle 6G" = {
ssid = "Joey's Jungle 6G";
keyMgmt = "sae";
};
};
};
firewall = { firewall = {
enable = true; enable = true;
allowPing = true; allowPing = true;