This commit is contained in:
mjallen18
2024-10-24 11:08:13 -05:00
parent 768fafe442
commit ca8065c851
9 changed files with 266 additions and 152 deletions

flake.lock generated

@@ -306,10 +306,10 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": { "home-manager-stable": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-stable"
] ]
}, },
"locked": { "locked": {
@@ -326,6 +326,27 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1729068498, "lastModified": 1729068498,
@@ -576,6 +597,22 @@
} }
}, },
"nixpkgs-stable_3": { "nixpkgs-stable_3": {
"locked": {
"lastModified": 1729449015,
"narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "89172919243df199fe237ba0f776c3e3e3d72367",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_4": {
"locked": { "locked": {
"lastModified": 1729357638, "lastModified": 1729357638,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
@@ -749,11 +786,13 @@
"chaotic": "chaotic", "chaotic": "chaotic",
"cosmic": "cosmic", "cosmic": "cosmic",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"home-manager-stable": "home-manager-stable",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixos-apple-silicon": "nixos-apple-silicon", "nixos-apple-silicon": "nixos-apple-silicon",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs-stable": "nixpkgs-stable_3",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nixpkgs-unstable-small": "nixpkgs-unstable-small", "nixpkgs-unstable-small": "nixpkgs-unstable-small",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
@@ -824,7 +863,7 @@
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_5",
"nixpkgs-stable": "nixpkgs-stable_3" "nixpkgs-stable": "nixpkgs-stable_4"
}, },
"locked": { "locked": {
"lastModified": 1729587807, "lastModified": 1729587807,


@@ -9,7 +9,7 @@
nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpgs # nixpgs
# nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05";
# Authentik # Authentik
authentik-nix.url = "github:nix-community/authentik-nix"; authentik-nix.url = "github:nix-community/authentik-nix";
@@ -22,10 +22,15 @@
# Home Manager # Home Manager
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
home-manager-stable = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
# Lanzaboote # Lanzaboote
lanzaboote = { lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.1"; url = "github:nix-community/lanzaboote/v0.4.1";
@@ -55,11 +60,12 @@
self, self,
nixpkgs-unstable, nixpkgs-unstable,
nixpkgs-unstable-small, nixpkgs-unstable-small,
# nixpkgs-stable, nixpkgs-stable,
chaotic, chaotic,
lanzaboote, lanzaboote,
impermanence, impermanence,
home-manager, home-manager,
home-manager-stable,
nixos-hardware, nixos-hardware,
nix-darwin, nix-darwin,
nixos-apple-silicon, nixos-apple-silicon,
@@ -106,7 +112,7 @@
}; };
# NAS # NAS
"jallen-nas" = nixpkgs-unstable.lib.nixosSystem { "jallen-nas" = nixpkgs-stable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs outputs; inherit inputs outputs;
@@ -115,9 +121,9 @@
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
./hosts/nas/configuration.nix ./hosts/nas/configuration.nix
./hosts/nas/impermanence.nix ./hosts/nas/impermanence.nix
home-manager.nixosModules.home-manager home-manager-stable.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users.admin = import ./hosts/nas/home.nix; home-manager.users.admin = import ./hosts/nas/home.nix;
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
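Review bot: The two Home Manager inputs in the second hunk look swapped: `home-manager` is now pinned to `github:nix-community/home-manager/release-24.05` yet follows `nixpkgs-unstable`, while the new `home-manager-stable` tracks the unpinned `github:nix-community/home-manager` (master) and follows `nixpkgs-stable` (the lock file confirms `home-manager_2` at ref `release-24.05` over `nixpkgs-unstable`). Home Manager's release branch is meant to pair with the matching nixpkgs release, so the NAS host, now built from `nixpkgs-stable` with `home-manager-stable`, would get master Home Manager on top of 24.05 packages. Suggested: `home-manager.url = "github:nix-community/home-manager";` and `home-manager-stable.url = "github:nix-community/home-manager/release-24.05";`. Separately, `home-manager.useGlobalPkgs = false;` in the last hunk makes Home Manager evaluate its own nixpkgs instance, so overlays applied to the system's `pkgs` (such as the `pkgs.unstable` attribute used elsewhere in this commit) would presumably not be visible inside `./hosts/nas/home.nix` — worth confirming that is intended.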


@@ -1,7 +1,7 @@
{ pkgs, ... }: { pkgs,... }:
let let
configLimit = 5; configLimit = 5;
kernel = pkgs.linuxPackages_latest; kernel = pkgs.unstable.linuxPackages_latest;
in in
{ {
# Configure bootloader with lanzaboot and secureboot # Configure bootloader with lanzaboot and secureboot
@@ -45,7 +45,8 @@ in
]; ];
systemd = { systemd = {
enable = true; enable = true;
tpm2.enable = true; # tpm2.enable = true;
enableTpm2 = true;
}; };
}; };
}; };
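Review bot: The `# tpm2.enable = true;` left beside the new `enableTpm2 = true;` line in the second hunk carries no explanation, so on the next channel bump a reader cannot tell which spelling is live or why two exist. If `enableTpm2` is the 24.05 name of the same initrd TPM2 switch (it looks like a renamed option; please confirm against the channel's option docs), replace the dead line with a comment such as `# enableTpm2 is the option name on nixos-24.05; newer channels spell it tpm2.enable`. Note also that `kernel = pkgs.unstable.linuxPackages_latest;` in the first hunk relies on an `unstable` attribute being overlaid onto the stable `pkgs`; that overlay is not visible here, so a short comment naming where it is defined would help. The `systemd = {` block containing the TPM2 lines begins before the hunk.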


@@ -97,6 +97,7 @@ in
ninja ninja
nix-inspect nix-inspect
nix-ld nix-ld
networkmanagerapplet
nmon nmon
nodejs-18_x nodejs-18_x
nut nut


@@ -23,62 +23,63 @@ in
hostId = "4b501480"; hostId = "4b501480";
# Disable Network Manager # Disable Network Manager
networkmanager.enable = false; networkmanager.enable = true;
interfaces = { # interfaces = {
wlp7s0 = { # wlp7s0 = {
useDHCP = true; # useDHCP = true;
ipv4.addresses = [ # ipv4.addresses = [
{ # {
address = ipAddress; # address = ipAddress;
prefixLength = 24; # prefixLength = 24;
} # }
]; # ];
}; # };
wlp6s0 = { # wlp6s0 = {
useDHCP = true; # useDHCP = true;
ipv4.addresses = [ # ipv4.addresses = [
{ # {
address = ipAddress2; # address = ipAddress2;
prefixLength = 24; # prefixLength = 24;
} # }
]; # ];
}; # };
}; # };
defaultGateway = { # defaultGateway = {
interface = "wlp7s0"; # interface = "wlp7s0";
address = gateway; # address = gateway;
metric = 1; # metric = 1;
}; # };
nameservers = [ gateway ]; # nameservers = [ gateway ];
wireless = { # wireless = {
enable = true; # enable = false;
userControlled.enable = true; # userControlled.enable = true;
secretsFile = config.sops.secrets."wifi".path; # # secretsFile = config.sops.secrets."wifi".path;
allowAuxiliaryImperativeNetworks = true; # environmentFile = config.sops.secrets."wifi".path;
interfaces = [ # allowAuxiliaryImperativeNetworks = true;
"wlp6s0" # interfaces = [
"wlp7s0" # "wlp6s0"
]; # "wlp7s0"
networks = { # ];
"Joey's Jungle 6G" = { # networks = {
# pskRaw = "ext:PSK"; # "Joey's Jungle 6G" = {
priority = 1000; # pskRaw = "ext:PSK";
psk = "kR8v&3Qd"; # priority = 1000;
extraConfig = '' # # psk = "kR8v&3Qd";
key_mgmt=SAE # extraConfig = ''
ieee80211w=2 # key_mgmt=SAE
''; # ieee80211w=2
}; # '';
# "Joey's Jungle 5G" = { # };
# pskRaw = "ext:PSK"; # "Joey's Jungle 5G" = {
# priority = -100; # pskRaw = "ext:PSK";
# }; # priority = -100;
}; # };
}; # };
# };
firewall = { firewall = {
enable = true; enable = true;
@@ -91,49 +92,49 @@ in
trustedInterfaces = [ "tailscale0" ]; trustedInterfaces = [ "tailscale0" ];
}; };
nat = { # nat = {
enable = true; # enable = true;
externalInterface = "wlp7s0"; # externalInterface = "wlp7s0";
internalInterfaces = [ "wg0" ]; # internalInterfaces = [ "wg0" ];
}; # };
wireguard.interfaces = { # wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily. # # "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = { # wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface. # # Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.0.100.1/24" ]; # ips = [ "10.0.100.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client. # # The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820; # listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN # # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients # # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = '' # postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE
''; # '';
# This undoes the above command # # This undoes the above command
postShutdown = '' # postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.100.0/24 -o wlp7s0 -j MASQUERADE
''; # '';
# Path to the private key file. # # Path to the private key file.
# # #
# Note: The private key can also be included inline via the privateKey option, # # Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is # # but this makes the private key world-readable; thus, using privateKeyFile is
# recommended. # # recommended.
privateKeyFile = wireguard-private; # privateKeyFile = wireguard-private;
peers = [ # peers = [
# List of allowed peers. # # List of allowed peers.
{ # Feel free to give a meaning full name # { # Feel free to give a meaning full name
# Public key of the peer (not a file path). # # Public key of the peer (not a file path).
publicKey = wireguard-public; # publicKey = wireguard-public;
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. # # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.0.100.2/32" ]; # allowedIPs = [ "10.0.100.2/32" ];
} # }
]; # ];
}; # };
}; # };
}; };
} }
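Review bot: The first hunk still carries the Wi-Fi pre-shared key in the file: the old `psk = "…"` line is only commented out (`# # psk = …`), so the secret remains in the checked-in configuration and in history. Commenting out does not revoke it; the PSK should be rotated, the line deleted outright, and the network referenced via `pskRaw = "ext:PSK"` with the key supplied from the sops secret (`environmentFile`), which the commented block already sketches. Separately, the hunk replaces the declarative `interfaces`/`defaultGateway`/`nameservers` block with `networkmanager.enable = true;` and none of that is re-expressed, so the host's address and DNS now come from whatever NetworkManager negotiates — confirm that is acceptable if other machines rely on its fixed address. The `networking` attribute set enclosing both hunks begins before the first hunk.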


@@ -0,0 +1,73 @@
{ lib, config, ... }:
with lib;
let
cfg = config.nas-samba;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
# make shares visible for Windows clients
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.netatalk = {
enable = cfg.enableTimeMachine;
settings = {
time-machine = {
path = cfg.timeMachinePath;
"valid users" = "whoever";
"time machine" = cfg.enableTimeMachine;
};
};
};
networking.firewall.enable = true;
networking.firewall.allowPing = true;
services.samba = {
enable = true;
openFirewall = true;
# settings = {
# create-mode = 664;
# force directory mode = 2770
# workgroup = WORKGROUP
# server string = jallen-nas
# netbios name = jallen-nas
# security = user
# #use sendfile = yes
# #max protocol = smb2
# # note: localhost is the ipv6 localhost ::1
# hosts allow = ${cfg.hostsAllow} 127.0.0.1 localhost
# hosts deny = 0.0.0.0/0
# guest account = nobody
# map to guest = bad user
# usershare allow guests = yes
# };
settings =
let
make =
name: share:
nameValuePair "${name}" {
path = share.sharePath;
public = if share.enableTimeMachine then "no" else "yes";
private = if !share.public || share.enableTimeMachine then "yes" else "no";
browseable = if share.browseable then "yes" else "no";
writable = "yes";
"force group" = "jallen-nas";
"read only" = if share.readOnly then "yes" else "no";
"guest ok" = if share.guestOk then "yes" else "no";
"create mask" = share.createMask;
"directory mask" = share.directoryMask;
"fruit:aapl" = if share.enableTimeMachine then "yes" else "no";
"fruit:time machine" = if share.enableTimeMachine then "yes" else "no";
"vfs objects" = "catia fruit streams_xattr";
"fruit:time machine max size" = share.timeMachineMaxSize;
};
in
mapAttrs' make cfg.shares;
};
};
}
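Review bot: In the `make` function the share attributes set both sides of two Samba synonym pairs, so the conditional values can be overridden: `public` is the same parameter as `guest ok`, and `writable` is the inverse of `read only`. Nix emits attribute names in sorted order, so `public = "yes"` (every non-Time-Machine share) lands after `"guest ok"` and `writable = "yes"` after `"read only"`; if Samba applies the last occurrence in a section as I believe it does, `share.guestOk` and `share.readOnly` become no-ops and every ordinary share is guest-accessible and writable. Drop the `public` and `writable` lines and let `"guest ok"` and `"read only"` carry the policy; `private` does not appear to be a Samba share parameter and would be ignored, so it should go too. The same `make` block reappears in the next file's `shares = let make = …` rewrite. Also `"valid users" = "whoever";` in the netatalk block reads like a placeholder; if Time Machine is enabled it should name the real backup user.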


@@ -1,9 +1,7 @@
{ lib, config, ... }: { lib, pkgs, config, ... }:
with lib; with lib;
let let cfg = config.nas-samba;
cfg = config.nas-samba; in {
in
{
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
@@ -24,50 +22,41 @@ in
}; };
}; };
networking.firewall.enable = true;
networking.firewall.allowPing = true;
services.samba = { services.samba = {
enable = true; enable = true;
securityType = "user";
openFirewall = true; openFirewall = true;
# settings = { extraConfig = ''
# create-mode = 664; workgroup = WORKGROUP
# force directory mode = 2770 server string = smbnix
# workgroup = WORKGROUP netbios name = smbnix
# server string = jallen-nas security = user
# netbios name = jallen-nas #use sendfile = yes
# security = user #max protocol = smb2
# #use sendfile = yes # note: localhost is the ipv6 localhost ::1
# #max protocol = smb2 hosts allow = ${cfg.hostsAllow} 127.0.0.1 localhost
# # note: localhost is the ipv6 localhost ::1 hosts deny = 0.0.0.0/0
# hosts allow = ${cfg.hostsAllow} 127.0.0.1 localhost guest account = nobody
# hosts deny = 0.0.0.0/0 map to guest = bad user
# guest account = nobody '';
# map to guest = bad user shares = let
# usershare allow guests = yes make = name: share:
# }; nameValuePair "${name}" {
settings = path = share.sharePath;
let public = if share.enableTimeMachine then "no" else "yes";
make = private = if !share.public || share.enableTimeMachine then "yes" else "no";
name: share: browseable = if share.browseable then "yes" else "no";
nameValuePair "${name}" { writable = "yes";
path = share.sharePath; "read only" = if share.readOnly then "yes" else "no";
public = if share.enableTimeMachine then "no" else "yes"; "guest ok" = if share.guestOk then "yes" else "no";
private = if !share.public || share.enableTimeMachine then "yes" else "no"; "create mask" = share.createMask;
browseable = if share.browseable then "yes" else "no"; "directory mask" = share.directoryMask;
writable = "yes"; "fruit:aapl" = if share.enableTimeMachine then "yes" else "no";
"force group" = "jallen-nas"; "fruit:time machine" = if share.enableTimeMachine then "yes" else "no";
"read only" = if share.readOnly then "yes" else "no"; "vfs objects" = "catia fruit streams_xattr";
"guest ok" = if share.guestOk then "yes" else "no"; "fruit:time machine max size" = share.timeMachineMaxSize;
"create mask" = share.createMask; };
"directory mask" = share.directoryMask; in mapAttrs' make cfg.shares;
"fruit:aapl" = if share.enableTimeMachine then "yes" else "no";
"fruit:time machine" = if share.enableTimeMachine then "yes" else "no";
"vfs objects" = "catia fruit streams_xattr";
"fruit:time machine max size" = share.timeMachineMaxSize;
};
in
mapAttrs' make cfg.shares;
}; };
}; };
} }
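Review bot: `securityType = "user";` and the `security = user` line inside `extraConfig` in the second hunk set the same Samba global twice; keep one, preferably the typed option. The `server string = smbnix` and `netbios name = smbnix` values look copied from a manual example rather than from this host (the `"force group"` on the same hunk still says `jallen-nas`), and `netbios name` should match the name clients are told to use. The share `make` block again sets `public`/`writable` alongside `"guest ok"`/`"read only"`, which I raised on the preceding new file.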


@@ -1,7 +1,7 @@
{ ... }: { ... }:
{ {
imports = [ imports = [
./amd # ./amd
./nvidia ./nvidia
./gaming ./gaming
]; ];


@@ -1,6 +1,7 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: }:
with lib; with lib;
@@ -17,8 +18,10 @@ in
package = package =
if cfg.enableBeta then if cfg.enableBeta then
config.boot.kernelPackages.nvidiaPackages.beta config.boot.kernelPackages.nvidiaPackages.beta
# pkgs.unstable.kernelPackages.nvidiaPackages.beta
else else
config.boot.kernelPackages.nvidiaPackages.latest; config.boot.kernelPackages.nvidiaPackages.latest;
# pkgs.unstable.kernelPackages.nvidiaPackages.latest;
# Modesetting is required. # Modesetting is required.
modesetting.enable = true; modesetting.enable = true;
@@ -45,9 +48,10 @@ in
}; };
# Enable OpenGL # Enable OpenGL
graphics = { opengl = {
enable = true; enable = true;
enable32Bit = true; driSupport = true;
driSupport32Bit = true;
}; };
}; };