diff --git a/flake.lock b/flake.lock index c388be8..f794795 100644 --- a/flake.lock +++ b/flake.lock @@ -440,6 +440,42 @@ "type": "github" } }, + "nixlib": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1764522689, @@ -561,6 +597,7 @@ "niri": "niri", "nix-filter": "nix-filter", "nix-vscode-extensions": "nix-vscode-extensions", + "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", diff --git a/flake.nix b/flake.nix index cdc2bf4..5894172 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,10 @@ url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; }; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nur = { url = "github:nix-community/NUR"; inputs = { @@ -80,7 +84,7 @@ }; outputs = - { + inputs@{ self, nixpkgs, home-manager, @@ -88,6 +92,7 @@ lanzaboote, niri, nix-vscode-extensions, + nixos-generators, nixpkgs-unstable, servicepoint-cli, servicepoint-simulator, 
@@ -102,49 +107,18 @@ devices = { vinzenz-lpt2 = { system = "x86_64-linux"; - additional-modules = [ - self.nixosModules.user-vinzenz - - self.nixosModules.gnome - self.nixosModules.wine-gaming - self.nixosModules.steam - self.nixosModules.podman - self.nixosModules.vinzenz-desktop-settings - self.nixosModules.intel-graphics - self.nixosModules.secure-boot - ]; home-manager-users = { inherit (self.homeConfigurations) vinzenz; }; }; vinzenz-pc2 = { system = "x86_64-linux"; - additional-modules = [ - self.nixosModules.user-vinzenz - self.nixosModules.user-ronja - - self.nixosModules.gnome - self.nixosModules.wine-gaming - self.nixosModules.steam - self.nixosModules.podman - self.nixosModules.vinzenz-desktop-settings - self.nixosModules.amd-graphics - self.nixosModules.secure-boot - ]; home-manager-users = { - inherit (self.homeConfigurations) vinzenz ronja; + inherit (self.homeConfigurations) vinzenz; }; }; ronja-pc = { system = "x86_64-linux"; - additional-modules = [ - self.nixosModules.user-ronja - - self.nixosModules.gnome - self.nixosModules.steam - self.nixosModules.wine-gaming - self.nixosModules.vinzenz-desktop-settings - ]; home-manager-users = { inherit (self.homeConfigurations) ronja; }; @@ -154,7 +128,9 @@ }; forgejo-runner-1 = { system = "aarch64-linux"; - additional-modules = [ self.nixosModules.podman ]; + }; + epimetheus = { + system = "aarch64-linux"; }; }; inherit (nixpkgs) lib; 
@@ -230,104 +206,30 @@ device, system, home-manager-users ? { }, - additional-modules ? [ ], }: let - specialArgs = { - inherit device; + specialArgs = inputs // { + inherit device home-manager-users; }; in nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ { - networking.hostName = device; + imports = [ + ./nixosConfigurations/${device} + self.nixosModules.global-settings + ] + ++ (lib.optionals (home-manager-users != { }) [ + self.nixosModules.global-settings-desktop + ]); + nixpkgs = { inherit system; hostPlatform = lib.mkDefault system; }; - system = { - stateVersion = "22.11"; - autoUpgrade.flake = "git+https://git.berlin.ccc.de/vinzenz/nixos-configuration.git"; - }; - - nixpkgs.overlays = [ - self.overlays.unstable-packages - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - documentation = { - info.enable = false; # info pages and the info command - doc.enable = false; # documentation distributed in packages' /share/doc - }; } - - ./nixosConfigurations/${device} - - # keep-sorted start - lanzaboote.nixosModules.lanzaboote - self.nixosModules.allowed-unfree-list - self.nixosModules.autoupdate - self.nixosModules.default - self.nixosModules.extra-caches - self.nixosModules.globalinstalls - self.nixosModules.lix-is-nix - self.nixosModules.openssh - self.nixosModules.prometheus-node - self.nixosModules.systemd-boot - self.nixosModules.tailscale - zerforschen-plus.nixosModules.default - # keep-sorted end - ] - ++ (nixpkgs.lib.optionals (home-manager-users != { }) [ - { - home-manager = { - extraSpecialArgs = specialArgs; - useGlobalPkgs = true; - useUserPackages = true; - }; - - time.timeZone = "Europe/Berlin"; - - home-manager.sharedModules = [ - { home.stateVersion = "22.11"; } - # keep-sorted start - self.homeModules.git - self.homeModules.gnome-extensions - self.homeModules.nano - self.homeModules.templates - self.homeModules.zsh-basics - self.homeModules.zsh-powerlevel10k - # keep-sorted end - ]; - - 
home-manager.users = home-manager-users; - } - - # keep-sorted start - home-manager.nixosModules.home-manager - self.nixosModules.en-de - self.nixosModules.firmware-updates - self.nixosModules.gnome - self.nixosModules.kdeconnect - self.nixosModules.modern-desktop - self.nixosModules.niri - self.nixosModules.nix-ld - self.nixosModules.pkgs-unstable - self.nixosModules.pkgs-vscode-extensions - self.nixosModules.quiet-boot - self.nixosModules.stylix - servicepoint-cli.nixosModules.default - servicepoint-simulator.nixosModules.default - servicepoint-tanks.nixosModules.default - stylix.nixosModules.stylix - # keep-sorted end - ]) - ++ additional-modules; + ]; } ); @@ -339,5 +241,22 @@ formatting = treefmt-eval.config.build.check self; } ); + + packages = forAllSystems ( + { ... }: + { + nixos-aarch64-pxvirt-lxc-template = nixos-generators.nixosGenerate { + system = "aarch64-linux"; + format = "proxmox-lxc"; + specialArgs = inputs // { + device = "nixos-aarch64-pxvirt-lxc-template"; + }; + modules = [ + self.nixosModules.global-settings + self.nixosModules.pxvirt-guest + ]; + }; + } + ); }; } diff --git a/nixosConfigurations/epimetheus/default.nix b/nixosConfigurations/epimetheus/default.nix new file mode 100644 index 0000000..02c6ae8 --- /dev/null +++ b/nixosConfigurations/epimetheus/default.nix @@ -0,0 +1,8 @@ +{ self, ... }: +{ + imports = [ self.nixosModules.pxvirt-guest ]; + + config = { + + }; +} diff --git a/nixosConfigurations/forgejo-runner-1/default.nix b/nixosConfigurations/forgejo-runner-1/default.nix index f9d3c3f..a8adb69 100644 --- a/nixosConfigurations/forgejo-runner-1/default.nix +++ b/nixosConfigurations/forgejo-runner-1/default.nix @@ -1,7 +1,9 @@ +{ self, ... }: { imports = [ ./hardware.nix ./forgejo-runner.nix + self.nixosModules.podman ]; config = { diff --git a/nixosConfigurations/ronja-pc/default.nix b/nixosConfigurations/ronja-pc/default.nix index dd22382..7630611 100644 --- a/nixosConfigurations/ronja-pc/default.nix 
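Review bot: Whether a host receives `self.nixosModules.global-settings-desktop` is now inferred from `home-manager-users != { }`, so giving a headless host (the forgejo runner or an LXC guest, say) a managed user would silently pull in GNOME, nix-ld, firmware-updates and the rest of the desktop profile; an explicit per-device attribute such as `desktop ? false` next to `home-manager-users ? { }` would make that opt-in and keep a server with a managed user from growing a display stack. `specialArgs = inputs // { inherit device home-manager-users; }` also exposes every flake input to every NixOS module (and, via global-settings-desktop, to every home-manager module) and would silently shadow an input that happened to be named `device`; a one-line comment stating that inputs are deliberately passed wholesale would help the next reader. The enclosing device-builder function begins before this hunk.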
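Review bot: The LXC template is built from `self.nixosModules.global-settings`, which in this change sets `networking.hostName = device` (here the literal `nixos-aarch64-pxvirt-lxc-template`) and `system.autoUpgrade.flake` to the remote repo URL with no attribute; unless the `autoupdate` module (not in this diff) overrides that, every container cloned from the image inherits the template hostname and, once the timer fires, tries to switch to a `nixosConfigurations.nixos-aarch64-pxvirt-lxc-template` that this flake does not define. A comment on the package stating that it is a bootstrap image only, to be re-pointed at a real configuration such as `epimetheus` before the auto-upgrade timer first runs, would make the intent clear; alternatively `pxvirt-guest` could set `system.autoUpgrade.enable = lib.mkDefault false;` and let the real host configuration turn it back on. The `packages` attribute sits inside the `outputs` set that began before this hunk.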
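Review bot: `config = { }` is empty and epimetheus declares no users or authorized keys of its own, while `global-settings` (imported for every device by flake.nix in this change) enables openssh with `openFirewall = true` and `PermitRootLogin = "prohibit-password"`, so the only login path after first boot is whatever root key Proxmox injects at container creation or the console. A comment such as `# access: root key injected by PVE at creation; no local users yet` would record that this is intended rather than an oversight, and the empty `config` block could be dropped until it has content.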
+++ b/nixosConfigurations/ronja-pc/default.nix
@@ -1,11 +1,17 @@
 {
 config,
 pkgs,
+ self,
 ...
 }:
 {
 imports = [
 ./hardware.nix
+ self.nixosModules.user-ronja
+ self.nixosModules.gnome
+ self.nixosModules.steam
+ self.nixosModules.wine-gaming
+ self.nixosModules.vinzenz-desktop-settings
 ];
 
 config = {
diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix
index 38e9a3f..6145225 100644
--- a/nixosConfigurations/vinzenz-lpt2/default.nix
+++ b/nixosConfigurations/vinzenz-lpt2/default.nix
@@ -1,6 +1,15 @@
+{ self, ... }:
 {
 imports = [
 ./hardware.nix
+ self.nixosModules.user-vinzenz
+ self.nixosModules.gnome
+ self.nixosModules.wine-gaming
+ self.nixosModules.steam
+ self.nixosModules.podman
+ self.nixosModules.vinzenz-desktop-settings
+ self.nixosModules.intel-graphics
+ self.nixosModules.secure-boot
 ];
 
 config = {
@@ -53,5 +62,7 @@
 nixpkgs.config.permittedInsecurePackages = [
 "mbedtls-2.28.10"
 ];
+
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 };
 }
diff --git a/nixosConfigurations/vinzenz-pc2/default.nix b/nixosConfigurations/vinzenz-pc2/default.nix
index 23505b1..5f68511 100644
--- a/nixosConfigurations/vinzenz-pc2/default.nix
+++ b/nixosConfigurations/vinzenz-pc2/default.nix
@@ -1,9 +1,18 @@
-{ pkgs, ... }:
+{ pkgs, self, ... }:
 {
 imports = [
 ./hardware.nix
 ./vscode-server.nix
 ./hass.nix
+
+ self.nixosModules.user-vinzenz
+ self.nixosModules.gnome
+ self.nixosModules.wine-gaming
+ self.nixosModules.steam
+ self.nixosModules.podman
+ self.nixosModules.vinzenz-desktop-settings
+ self.nixosModules.amd-graphics
+ self.nixosModules.secure-boot
 ];
 
 config = {
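Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` in the vinzenz-lpt2 hunk registers a qemu-user handler in binfmt_misc system-wide, so any aarch64 ELF that lands on the laptop becomes transparently executable, and Nix will accept qemu-emulated builds as genuine `aarch64-linux` outputs at a fraction of native speed. Since flake.nix in this change defines native aarch64 hosts, a `nix.buildMachines` entry pointing at one of them (with `nix.distributedBuilds = true`) would avoid both the emulation cost and the extra execution surface on a laptop. If emulation is kept, a why-comment such as `# qemu-user emulation so the aarch64 LXC template package can be built locally` would explain why it sits in this host's config; the `config` block it lives in starts outside the hunk.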
@@ -27,11 +36,6 @@
 ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
 ];
 
- users.users.ronja.openssh.authorizedKeys.keys = [
- ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ssh-host-key''
- ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgN6J8KyVyQqBAz+y3drXDmIsxOPkdPB+ISgpIP9Eld Generated By Termius''
- ];
-
 environment.systemPackages = with pkgs; [ lact ];
 
 networking.firewall.allowedUDPPorts = [
diff --git a/nixosModules/global-settings-desktop.nix b/nixosModules/global-settings-desktop.nix
new file mode 100644
index 0000000..a92a5d2
--- /dev/null
+++ b/nixosModules/global-settings-desktop.nix
@@ -0,0 +1,57 @@
+{
+ home-manager-users,
+ self,
+ home-manager,
+ servicepoint-cli,
+ servicepoint-simulator,
+ servicepoint-tanks,
+ stylix,
+ specialArgs,
+ ...
+}:
+{
+ imports = [
+ {
+ home-manager = {
+ extraSpecialArgs = specialArgs;
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ };
+
+ time.timeZone = "Europe/Berlin";
+
+ home-manager.sharedModules = [
+ { home.stateVersion = "22.11"; }
+ # keep-sorted start
+ self.homeModules.git
+ self.homeModules.gnome-extensions
+ self.homeModules.nano
+ self.homeModules.templates
+ self.homeModules.zsh-basics
+ self.homeModules.zsh-powerlevel10k
+ # keep-sorted end
+ ];
+
+ home-manager.users = home-manager-users;
+ }
+
+ # keep-sorted start
+ home-manager.nixosModules.home-manager
+ self.nixosModules.en-de
+ self.nixosModules.firmware-updates
+ self.nixosModules.gnome
+ self.nixosModules.kdeconnect
+ self.nixosModules.modern-desktop
+ self.nixosModules.niri
+ self.nixosModules.nix-ld
+ self.nixosModules.pkgs-unstable
+ self.nixosModules.pkgs-vscode-extensions
+ self.nixosModules.quiet-boot
+ self.nixosModules.stylix
+ servicepoint-cli.nixosModules.default
+ servicepoint-simulator.nixosModules.default
+ servicepoint-tanks.nixosModules.default
+ stylix.nixosModules.stylix
+ # keep-sorted end
+ ];
+}
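Review bot: Removing `users.users.ronja.openssh.authorizedKeys.keys` together with dropping `self.nixosModules.user-ronja` from this host's imports (earlier hunk of this file) only removes the declarative definition; whether the existing account, its group memberships and `/home/ronja` are actually purged on switch depends on `users.mutableUsers` and on how `user-ronja` declares the account, neither of which is visible here. Worth checking on the host after deployment (`getent passwd ronja`, a leftover home directory, any per-user services or lingering sessions), and a short comment or commit note recording that ronja was intentionally offboarded from vinzenz-pc2 would help the next reader. The `config` block these lines belong to starts outside the hunk.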
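Review bot: global-settings-desktop.nix takes `specialArgs` as a module argument and forwards it unchanged to `home-manager.extraSpecialArgs`, which with the new `specialArgs = inputs // …` in flake.nix means every flake input plus `device` and `home-manager-users` becomes an argument of every home-manager module; that is a wide implicit interface and the file has no header explaining it. Suggested header comment: `# Desktop profile. flake.nix applies it automatically to every device with a non-empty home-manager-users set; specialArgs (all flake inputs + device) is forwarded to home-manager modules as extraSpecialArgs.` `time.timeZone` now lives only in this desktop profile, so non-desktop hosts get no timezone from this tree unless set elsewhere; confirm that is intended or move it to global-settings.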
diff --git a/nixosModules/global-settings.nix b/nixosModules/global-settings.nix
new file mode 100644
index 0000000..77bddae
--- /dev/null
+++ b/nixosModules/global-settings.nix
@@ -0,0 +1,47 @@
+{
+ device,
+ self,
+ lanzaboote,
+ zerforschen-plus,
+ ...
+}:
+{
+ imports = [
+ # keep-sorted start
+ lanzaboote.nixosModules.lanzaboote
+ self.nixosModules.allowed-unfree-list
+ self.nixosModules.autoupdate
+ self.nixosModules.default
+ self.nixosModules.extra-caches
+ self.nixosModules.globalinstalls
+ self.nixosModules.lix-is-nix
+ self.nixosModules.openssh
+ self.nixosModules.prometheus-node
+ self.nixosModules.systemd-boot
+ self.nixosModules.tailscale
+ zerforschen-plus.nixosModules.default
+ # keep-sorted end
+ ];
+
+ config = {
+ networking.hostName = device;
+ system = {
+ stateVersion = "22.11";
+ autoUpgrade.flake = "git+https://git.berlin.ccc.de/vinzenz/nixos-configuration.git";
+ };
+
+ nixpkgs.overlays = [
+ self.overlays.unstable-packages
+ ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ documentation = {
+ info.enable = false; # info pages and the info command
+ doc.enable = false; # documentation distributed in packages' /share/doc
+ };
+ };
+}
diff --git a/nixosModules/openssh.nix b/nixosModules/openssh.nix
index ed24fe2..7ff8b18 100644
--- a/nixosModules/openssh.nix
+++ b/nixosModules/openssh.nix
@@ -3,7 +3,7 @@
 enable = true;
 openFirewall = true;
 settings = {
- PermitRootLogin = "without-password";
+ PermitRootLogin = "prohibit-password";
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 };
diff --git a/nixosModules/pxvirt-guest.nix b/nixosModules/pxvirt-guest.nix
new file mode 100644
index 0000000..067a0ec
--- /dev/null
+++ b/nixosModules/pxvirt-guest.nix
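Review bot: `system.autoUpgrade.flake` in global-settings.nix points at a bare `git+https://…` URL with no `ref` or `rev`, so every host (and, through the new template package, every container cloned from it) follows the default-branch head of that repository and switches to it unattended; whoever can push to that branch, or the forge serving it, controls every machine. That is the behaviour moved here from flake.nix, but now that it lives in a module shared by all hosts the trust assumption should be written down, e.g. `# every host follows the default branch of this repo unattended; inputs stay pinned by the committed flake.lock`, and pinning a branch with `?ref=main` would at least make the followed branch explicit. The `documentation.*` lines already carry why-comments; `autoUpgrade.flake` deserves the same treatment.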
@@ -0,0 +1,26 @@
+{ modulesPath, lib, ... }:
+{
+ imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+
+ config = {
+ # TODO is this needed?
+ # nix.settings.sandbox = false;
+
+ proxmoxLXC = {
+ manageNetwork = false;
+ privileged = false;
+ };
+
+ # Let Proxmox host handle fstrim
+ services.fstrim.enable = false;
+
+ # TODO is this needed
+ # Cache DNS lookups to improve performance
+ services.resolved.extraConfig = ''
+ Cache=true
+ CacheFromLocalhost=true
+ '';
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ };
+}
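Review bot: The commented-out `nix.settings.sandbox = false;` under `# TODO is this needed?` should not be resolved by disabling the build sandbox: with `privileged = false` set here, sandboxed builds inside the container typically need user namespaces, which Proxmox grants through the container's `nesting` feature, so the note should point there rather than leave a sandbox-off line ready to uncomment. The second TODO block, `services.resolved.extraConfig` with `Cache=true`, restates resolved's default and is equally undecided; both should be settled before merge instead of shipping as dead code. Separately, this module leaves `proxmoxLXC.manageHostName` at its default while `global-settings` in this change sets `networking.hostName = device` at normal priority; verify at evaluation that the upstream proxmox-lxc module does not also define `networking.hostName` in that mode, which is not visible in this diff. The `lib.mkForce false` on systemd-boot is needed because `global-settings` imports `self.nixosModules.systemd-boot`, and a comment saying so would help: `# global-settings enables systemd-boot; an LXC guest has no bootloader`.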