From 0bb00184501291c0766efbf664ab6838240224e2 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Thu, 11 Dec 2025 20:27:18 +0100 Subject: [PATCH 1/3] move host specific module imports into hosts default.nix --- flake.nix | 39 ++----------------- .../forgejo-runner-1/default.nix | 2 + nixosConfigurations/ronja-pc/default.nix | 6 +++ nixosConfigurations/vinzenz-lpt2/default.nix | 9 +++++ nixosConfigurations/vinzenz-pc2/default.nix | 16 +++++--- 5 files changed, 30 insertions(+), 42 deletions(-) diff --git a/flake.nix b/flake.nix index cdc2bf4..6667dad 100644 --- a/flake.nix +++ b/flake.nix @@ -102,49 +102,18 @@ devices = { vinzenz-lpt2 = { system = "x86_64-linux"; - additional-modules = [ - self.nixosModules.user-vinzenz - - self.nixosModules.gnome - self.nixosModules.wine-gaming - self.nixosModules.steam - self.nixosModules.podman - self.nixosModules.vinzenz-desktop-settings - self.nixosModules.intel-graphics - self.nixosModules.secure-boot - ]; home-manager-users = { inherit (self.homeConfigurations) vinzenz; }; }; vinzenz-pc2 = { system = "x86_64-linux"; - additional-modules = [ - self.nixosModules.user-vinzenz - self.nixosModules.user-ronja - - self.nixosModules.gnome - self.nixosModules.wine-gaming - self.nixosModules.steam - self.nixosModules.podman - self.nixosModules.vinzenz-desktop-settings - self.nixosModules.amd-graphics - self.nixosModules.secure-boot - ]; home-manager-users = { - inherit (self.homeConfigurations) vinzenz ronja; + inherit (self.homeConfigurations) vinzenz; }; }; ronja-pc = { system = "x86_64-linux"; - additional-modules = [ - self.nixosModules.user-ronja - - self.nixosModules.gnome - self.nixosModules.steam - self.nixosModules.wine-gaming - self.nixosModules.vinzenz-desktop-settings - ]; home-manager-users = { inherit (self.homeConfigurations) ronja; }; @@ -154,7 +123,6 @@ }; forgejo-runner-1 = { system = "aarch64-linux"; - additional-modules = [ self.nixosModules.podman ]; }; }; inherit (nixpkgs) lib; 
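Review bot: User ronja disappears from vinzenz-pc2 in a commit whose subject only promises a move: the removed additional-modules list for vinzenz-pc2 contained `self.nixosModules.user-ronja`, the new imports in nixosConfigurations/vinzenz-pc2/default.nix do not, `inherit (self.homeConfigurations) vinzenz ronja;` becomes `inherit (self.homeConfigurations) vinzenz;`, and the second vinzenz-pc2 hunk deletes `users.users.ronja.openssh.authorizedKeys.keys`. Removing an account, its home configuration and its SSH keys from a host is an access change that should be visible in history on its own, not folded into a refactoring. If it is intended, a line in the description such as `also removes user ronja from vinzenz-pc2` is the minimum; if not, `self.nixosModules.user-ronja` belongs back in the vinzenz-pc2 imports along with the keys and the home-manager entry. The devices attribute set continues past this hunk.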
@@ -230,11 +198,11 @@ device, system, home-manager-users ? { },
- additional-modules ? [ ],
 }: let specialArgs = { inherit device;
+ my-nixos-modules = self.nixosModules;
 }; in nixpkgs.lib.nixosSystem {
@@ -326,8 +294,7 @@ servicepoint-tanks.nixosModules.default stylix.nixosModules.stylix # keep-sorted end
- ])
- ++ additional-modules;
+ ]);
 } );
diff --git a/nixosConfigurations/forgejo-runner-1/default.nix b/nixosConfigurations/forgejo-runner-1/default.nix
index f9d3c3f..16cf0e5 100644
--- a/nixosConfigurations/forgejo-runner-1/default.nix
+++ b/nixosConfigurations/forgejo-runner-1/default.nix
@@ -1,7 +1,9 @@
+{ my-nixos-modules, ... }:
 { imports = [ ./hardware.nix ./forgejo-runner.nix
+ my-nixos-modules.podman
 ]; config = {
diff --git a/nixosConfigurations/ronja-pc/default.nix b/nixosConfigurations/ronja-pc/default.nix
index dd22382..18058a5 100644
--- a/nixosConfigurations/ronja-pc/default.nix
+++ b/nixosConfigurations/ronja-pc/default.nix
@@ -1,11 +1,17 @@ { config, pkgs,
+ my-nixos-modules,
 ... }: { imports = [ ./hardware.nix
+ my-nixos-modules.user-ronja
+ my-nixos-modules.gnome
+ my-nixos-modules.steam
+ my-nixos-modules.wine-gaming
+ my-nixos-modules.vinzenz-desktop-settings
 ]; config = {
diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix
index 38e9a3f..1478a41 100644
--- a/nixosConfigurations/vinzenz-lpt2/default.nix
+++ b/nixosConfigurations/vinzenz-lpt2/default.nix
@@ -1,6 +1,15 @@
+{ my-nixos-modules, ... }:
 { imports = [ ./hardware.nix
+ my-nixos-modules.user-vinzenz
+ my-nixos-modules.gnome
+ my-nixos-modules.wine-gaming
+ my-nixos-modules.steam
+ my-nixos-modules.podman
+ my-nixos-modules.vinzenz-desktop-settings
+ my-nixos-modules.intel-graphics
+ my-nixos-modules.secure-boot
 ]; config = {
diff --git a/nixosConfigurations/vinzenz-pc2/default.nix b/nixosConfigurations/vinzenz-pc2/default.nix
index 23505b1..6ebbc16 100644
--- a/nixosConfigurations/vinzenz-pc2/default.nix
+++ b/nixosConfigurations/vinzenz-pc2/default.nix @@ -1,9 +1,18 @@ -{ pkgs, ... }: +{ pkgs, my-nixos-modules, ... }: { imports = [ ./hardware.nix ./vscode-server.nix ./hass.nix + + my-nixos-modules.user-vinzenz + my-nixos-modules.gnome + my-nixos-modules.wine-gaming + my-nixos-modules.steam + my-nixos-modules.podman + my-nixos-modules.vinzenz-desktop-settings + my-nixos-modules.amd-graphics + my-nixos-modules.secure-boot ]; config = { @@ -27,11 +36,6 @@ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming'' ]; - users.users.ronja.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ssh-host-key'' - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgN6J8KyVyQqBAz+y3drXDmIsxOPkdPB+ISgpIP9Eld Generated By Termius'' - ]; - environment.systemPackages = with pkgs; [ lact ]; networking.firewall.allowedUDPPorts = [ From 6bfa995c4d29917fb47bf26a9949fdf132891739 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Thu, 11 Dec 2025 22:13:32 +0100 Subject: [PATCH 2/3] move more stuf out of flake.nix --- flake.nix | 100 +++--------------- nixosConfigurations/epimetheus/default.nix | 8 ++ .../forgejo-runner-1/default.nix | 4 +- nixosConfigurations/ronja-pc/default.nix | 12 +-- nixosConfigurations/vinzenz-lpt2/default.nix | 18 ++-- nixosConfigurations/vinzenz-pc2/default.nix | 18 ++-- nixosModules/global-settings-desktop.nix | 57 ++++++++++ nixosModules/global-settings.nix | 47 ++++++++ nixosModules/openssh.nix | 2 +- nixosModules/pxvirt-guest.nix | 26 +++++ 10 files changed, 180 insertions(+), 112 deletions(-) create mode 100644 nixosConfigurations/epimetheus/default.nix create mode 100644 nixosModules/global-settings-desktop.nix create mode 100644 nixosModules/global-settings.nix create mode 100644 nixosModules/pxvirt-guest.nix diff --git a/flake.nix b/flake.nix index 6667dad..0af55eb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -80,7 +80,7 @@ }; outputs =
- {
+ inputs@{
 self, nixpkgs, home-manager,
@@ -124,6 +124,9 @@ forgejo-runner-1 = { system = "aarch64-linux"; };
+ epimetheus = {
+ system = "aarch64-linux";
+ };
 }; inherit (nixpkgs) lib; forDevice = f: lib.mapAttrs (device: value: f (value // { inherit device; })) devices;
@@ -200,101 +203,28 @@ home-manager-users ? { }, }: let
- specialArgs = {
- inherit device;
- my-nixos-modules = self.nixosModules;
+ specialArgs = inputs // {
+ inherit device home-manager-users;
 }; in nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ {
- networking.hostName = device;
+ imports = [
+ ./nixosConfigurations/${device}
+ self.nixosModules.global-settings
+ ]
+ ++ (lib.optionals (home-manager-users != { }) [
+ self.nixosModules.global-settings-desktop
+ ]);
+
 nixpkgs = { inherit system; hostPlatform = lib.mkDefault system; };
- system = {
- stateVersion = "22.11";
- autoUpgrade.flake = "git+https://git.berlin.ccc.de/vinzenz/nixos-configuration.git";
- };
-
- nixpkgs.overlays = [
- self.overlays.unstable-packages
- ];
-
- nix.settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
-
- documentation = {
- info.enable = false; # info pages and the info command
- doc.enable = false; # documentation distributed in packages' /share/doc
- };
 }
-
- ./nixosConfigurations/${device}
-
- # keep-sorted start
- lanzaboote.nixosModules.lanzaboote
- self.nixosModules.allowed-unfree-list
- self.nixosModules.autoupdate
- self.nixosModules.default
- self.nixosModules.extra-caches
- self.nixosModules.globalinstalls
- self.nixosModules.lix-is-nix
- self.nixosModules.openssh
- self.nixosModules.prometheus-node
- self.nixosModules.systemd-boot
- self.nixosModules.tailscale
- zerforschen-plus.nixosModules.default
- # keep-sorted end
- ]
- ++ (nixpkgs.lib.optionals (home-manager-users != { }) [
- {
- home-manager = {
- extraSpecialArgs = specialArgs;
- useGlobalPkgs = true;
- useUserPackages = true;
- };
-
- time.timeZone = "Europe/Berlin";
-
- home-manager.sharedModules = [
- { home.stateVersion = "22.11"; }
- # keep-sorted start
- self.homeModules.git
- self.homeModules.gnome-extensions
- self.homeModules.nano
- self.homeModules.templates
- self.homeModules.zsh-basics
- self.homeModules.zsh-powerlevel10k
- # keep-sorted end
- ];
-
- home-manager.users = home-manager-users;
- }
-
- # keep-sorted start
- home-manager.nixosModules.home-manager
- self.nixosModules.en-de
- self.nixosModules.firmware-updates
- self.nixosModules.gnome
- self.nixosModules.kdeconnect
- self.nixosModules.modern-desktop
- self.nixosModules.niri
- self.nixosModules.nix-ld
- self.nixosModules.pkgs-unstable
- self.nixosModules.pkgs-vscode-extensions
- self.nixosModules.quiet-boot
- self.nixosModules.stylix
- servicepoint-cli.nixosModules.default
- servicepoint-simulator.nixosModules.default
- servicepoint-tanks.nixosModules.default
- stylix.nixosModules.stylix
- # keep-sorted end
- ]);
+ ];
 } );
diff --git a/nixosConfigurations/epimetheus/default.nix b/nixosConfigurations/epimetheus/default.nix
new file mode 100644
index 0000000..02c6ae8
--- /dev/null
+++ b/nixosConfigurations/epimetheus/default.nix
@@ -0,0 +1,8 @@
+{ self, ... }:
+{
+ imports = [ self.nixosModules.pxvirt-guest ];
+
+ config = {
+
+ };
+}
diff --git a/nixosConfigurations/forgejo-runner-1/default.nix b/nixosConfigurations/forgejo-runner-1/default.nix
index 16cf0e5..a8adb69 100644
--- a/nixosConfigurations/forgejo-runner-1/default.nix
+++ b/nixosConfigurations/forgejo-runner-1/default.nix
@@ -1,9 +1,9 @@
-{ my-nixos-modules, ... }:
+{ self, ... }:
 { imports = [ ./hardware.nix ./forgejo-runner.nix
- my-nixos-modules.podman
+ self.nixosModules.podman
 ]; config = {
diff --git a/nixosConfigurations/ronja-pc/default.nix b/nixosConfigurations/ronja-pc/default.nix
index 18058a5..7630611 100644
--- a/nixosConfigurations/ronja-pc/default.nix
+++ b/nixosConfigurations/ronja-pc/default.nix
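Review bot: `specialArgs = inputs // { inherit device home-manager-users; };` hands every flake input to the NixOS modules and, through global-settings-desktop's `extraSpecialArgs = specialArgs`, to the home-manager modules as well, and nothing guards the namespace: as far as I recall the module system merges specialArgs over its own `lib`, `config`, `options` and `specialArgs` arguments, so a future input named like one of those would shadow them without any error. A comment at the assignment would make the contract explicit, e.g. `# every flake input is a module argument by name; never add an input called lib, config, options or modulesPath`. The `lib.optionals (home-manager-users != { })` condition also doubles as the "this is a desktop" switch for gnome, stylix, niri and friends, which its name does not say; `# home-manager-users non-empty == desktop machine` next to it would spare the next reader a surprise when a headless host is given a home-manager user. The nixosSystem call this body belongs to starts before the hunk.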
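Review bot: nixosConfigurations/epimetheus/default.nix imports only pxvirt-guest and an empty `config = { };`, so this host gets global-settings' openssh module (password authentication off, root only with a key) but no user module and no authorized keys anywhere in the series; unless the Proxmox side injects keys into the container, it is reachable only through the host console. If that is the intended state for now, say so in place of the empty block, e.g. `# no users or keys yet: access is through the pve console only`; otherwise the host needs a user module like the other machines. The blank line inside the empty attrset looks like a leftover worth dropping.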
@@ -1,17 +1,17 @@ { config, pkgs,
- my-nixos-modules,
+ self,
 ... }: { imports = [ ./hardware.nix
- my-nixos-modules.user-ronja
- my-nixos-modules.gnome
- my-nixos-modules.steam
- my-nixos-modules.wine-gaming
- my-nixos-modules.vinzenz-desktop-settings
+ self.nixosModules.user-ronja
+ self.nixosModules.gnome
+ self.nixosModules.steam
+ self.nixosModules.wine-gaming
+ self.nixosModules.vinzenz-desktop-settings
 ]; config = {
diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix
index 1478a41..1c08898 100644
--- a/nixosConfigurations/vinzenz-lpt2/default.nix
+++ b/nixosConfigurations/vinzenz-lpt2/default.nix
@@ -1,15 +1,15 @@
-{ my-nixos-modules, ... }:
+{ self, ... }:
 { imports = [ ./hardware.nix
- my-nixos-modules.user-vinzenz
- my-nixos-modules.gnome
- my-nixos-modules.wine-gaming
- my-nixos-modules.steam
- my-nixos-modules.podman
- my-nixos-modules.vinzenz-desktop-settings
- my-nixos-modules.intel-graphics
- my-nixos-modules.secure-boot
+ self.nixosModules.user-vinzenz
+ self.nixosModules.gnome
+ self.nixosModules.wine-gaming
+ self.nixosModules.steam
+ self.nixosModules.podman
+ self.nixosModules.vinzenz-desktop-settings
+ self.nixosModules.intel-graphics
+ self.nixosModules.secure-boot
 ]; config = {
diff --git a/nixosConfigurations/vinzenz-pc2/default.nix b/nixosConfigurations/vinzenz-pc2/default.nix
index 6ebbc16..5f68511 100644
--- a/nixosConfigurations/vinzenz-pc2/default.nix
+++ b/nixosConfigurations/vinzenz-pc2/default.nix
@@ -1,18 +1,18 @@
-{ pkgs, my-nixos-modules, ... }:
+{ pkgs, self, ... }:
 { imports = [ ./hardware.nix ./vscode-server.nix ./hass.nix
- my-nixos-modules.user-vinzenz
- my-nixos-modules.gnome
- my-nixos-modules.wine-gaming
- my-nixos-modules.steam
- my-nixos-modules.podman
- my-nixos-modules.vinzenz-desktop-settings
- my-nixos-modules.amd-graphics
- my-nixos-modules.secure-boot
+ self.nixosModules.user-vinzenz
+ self.nixosModules.gnome
+ self.nixosModules.wine-gaming
+ self.nixosModules.steam
+ self.nixosModules.podman
+ self.nixosModules.vinzenz-desktop-settings
+ self.nixosModules.amd-graphics
+ self.nixosModules.secure-boot
 ]; config = {
diff --git a/nixosModules/global-settings-desktop.nix b/nixosModules/global-settings-desktop.nix
new file mode 100644
index 0000000..a92a5d2
--- /dev/null
+++ b/nixosModules/global-settings-desktop.nix
@@ -0,0 +1,57 @@
+{
+ home-manager-users,
+ self,
+ home-manager,
+ servicepoint-cli,
+ servicepoint-simulator,
+ servicepoint-tanks,
+ stylix,
+ specialArgs,
+ ...
+}:
+{
+ imports = [
+ {
+ home-manager = {
+ extraSpecialArgs = specialArgs;
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ };
+
+ time.timeZone = "Europe/Berlin";
+
+ home-manager.sharedModules = [
+ { home.stateVersion = "22.11"; }
+ # keep-sorted start
+ self.homeModules.git
+ self.homeModules.gnome-extensions
+ self.homeModules.nano
+ self.homeModules.templates
+ self.homeModules.zsh-basics
+ self.homeModules.zsh-powerlevel10k
+ # keep-sorted end
+ ];
+
+ home-manager.users = home-manager-users;
+ }
+
+ # keep-sorted start
+ home-manager.nixosModules.home-manager
+ self.nixosModules.en-de
+ self.nixosModules.firmware-updates
+ self.nixosModules.gnome
+ self.nixosModules.kdeconnect
+ self.nixosModules.modern-desktop
+ self.nixosModules.niri
+ self.nixosModules.nix-ld
+ self.nixosModules.pkgs-unstable
+ self.nixosModules.pkgs-vscode-extensions
+ self.nixosModules.quiet-boot
+ self.nixosModules.stylix
+ servicepoint-cli.nixosModules.default
+ servicepoint-simulator.nixosModules.default
+ servicepoint-tanks.nixosModules.default
+ stylix.nixosModules.stylix
+ # keep-sorted end
+ ];
+}
diff --git a/nixosModules/global-settings.nix b/nixosModules/global-settings.nix
new file mode 100644
index 0000000..77bddae
--- /dev/null
+++ b/nixosModules/global-settings.nix
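Review bot: global-settings-desktop.nix has no comment saying when it applies, and the decision is made elsewhere: flake.nix imports it whenever home-manager-users is non-empty, so the file's name ("desktop") and its trigger ("has home-manager users") diverge, and the module also depends on the `home-manager-users` and `specialArgs` arguments that only that call site provides. A header comment would pin this down, e.g. `# Desktop profile (gnome, stylix, niri, home-manager). Imported by flake.nix for every device with a non-empty home-manager-users; relies on the home-manager-users and specialArgs module arguments set there.` `time.timeZone = "Europe/Berlin"` also lives here rather than in global-settings, so headless hosts keep the NixOS default time zone — worth a one-line comment if that asymmetry is deliberate.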
@@ -0,0 +1,47 @@
+{
+ device,
+ self,
+ lanzaboote,
+ zerforschen-plus,
+ ...
+}:
+{
+ imports = [
+ # keep-sorted start
+ lanzaboote.nixosModules.lanzaboote
+ self.nixosModules.allowed-unfree-list
+ self.nixosModules.autoupdate
+ self.nixosModules.default
+ self.nixosModules.extra-caches
+ self.nixosModules.globalinstalls
+ self.nixosModules.lix-is-nix
+ self.nixosModules.openssh
+ self.nixosModules.prometheus-node
+ self.nixosModules.systemd-boot
+ self.nixosModules.tailscale
+ zerforschen-plus.nixosModules.default
+ # keep-sorted end
+ ];
+
+ config = {
+ networking.hostName = device;
+ system = {
+ stateVersion = "22.11";
+ autoUpgrade.flake = "git+https://git.berlin.ccc.de/vinzenz/nixos-configuration.git";
+ };
+
+ nixpkgs.overlays = [
+ self.overlays.unstable-packages
+ ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ documentation = {
+ info.enable = false; # info pages and the info command
+ doc.enable = false; # documentation distributed in packages' /share/doc
+ };
+ };
+}
diff --git a/nixosModules/openssh.nix b/nixosModules/openssh.nix
index ed24fe2..7ff8b18 100644
--- a/nixosModules/openssh.nix
+++ b/nixosModules/openssh.nix
@@ -3,7 +3,7 @@ enable = true; openFirewall = true; settings = {
- PermitRootLogin = "without-password";
+ PermitRootLogin = "prohibit-password";
 PasswordAuthentication = false; KbdInteractiveAuthentication = false; };
diff --git a/nixosModules/pxvirt-guest.nix b/nixosModules/pxvirt-guest.nix
new file mode 100644
index 0000000..067a0ec
--- /dev/null
+++ b/nixosModules/pxvirt-guest.nix
@@ -0,0 +1,26 @@ +{ modulesPath, lib, ... }: +{ + imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ]; + + config = { + # TODO is this needed? + # nix.settings.sandbox = false; + + proxmoxLXC = { + manageNetwork = false; + privileged = false; + }; + + # Let Proxmox host handle fstrim + services.fstrim.enable = false; + + # TODO is this needed + # Cache DNS lookups to improve performance + services.resolved.extraConfig = '' + Cache=true + CacheFromLocalhost=true + ''; + + boot.loader.systemd-boot.enable = lib.mkForce false; + }; +} From 33f5a07af15ee0db93c754fa909b4bfd87b78f60 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Sat, 3 Jan 2026 18:45:55 +0100 Subject: [PATCH 3/3] generate pxvirt lxc template tar --- flake.lock | 37 ++++++++++++++++++++ flake.nix | 22 ++++++++++++ nixosConfigurations/vinzenz-lpt2/default.nix | 2 ++ 3 files changed, 61 insertions(+) diff --git a/flake.lock b/flake.lock index c388be8..f794795 100644 --- a/flake.lock +++ b/flake.lock @@ -440,6 +440,42 @@ "type": "github" } }, + "nixlib": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1764522689, 
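Review bot: `boot.loader.systemd-boot.enable = lib.mkForce false;` carries no explanation, and the reason is not visible from this file: global-settings.nix imports self.nixosModules.systemd-boot, which presumably enables the loader, while an LXC guest boots from the host kernel and has no loader of its own. A comment such as `# global-settings imports the systemd-boot module; LXC guests boot from the host kernel` keeps the mkForce from being deleted as stale. The two `# TODO is this needed` comments (sandbox, resolved cache) should be settled before the module is baked into a template image in the next commit, or at least carry an owner, `# TODO(vinzenz): …`, so they are tracked. `proxmoxLXC.privileged = false;` is the right choice and worth keeping as an explicit line even though it may be the default.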
@@ -561,6 +597,7 @@ "niri": "niri", "nix-filter": "nix-filter", "nix-vscode-extensions": "nix-vscode-extensions",
+ "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur",
diff --git a/flake.nix b/flake.nix
index 0af55eb..5894172 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,10 @@ url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; };
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nur = { url = "github:nix-community/NUR"; inputs = {
@@ -88,6 +92,7 @@ lanzaboote, niri, nix-vscode-extensions,
+ nixos-generators,
 nixpkgs-unstable, servicepoint-cli, servicepoint-simulator,
@@ -236,5 +241,22 @@ formatting = treefmt-eval.config.build.check self; } );
+
+ packages = forAllSystems (
+ { ... }:
+ {
+ nixos-aarch64-pxvirt-lxc-template = nixos-generators.nixosGenerate {
+ system = "aarch64-linux";
+ format = "proxmox-lxc";
+ specialArgs = inputs // {
+ device = "nixos-aarch64-pxvirt-lxc-template";
+ };
+ modules = [
+ self.nixosModules.global-settings
+ self.nixosModules.pxvirt-guest
+ ];
+ };
+ }
+ );
 }; }
diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix
index 1c08898..6145225 100644
--- a/nixosConfigurations/vinzenz-lpt2/default.nix
+++ b/nixosConfigurations/vinzenz-lpt2/default.nix
@@ -62,5 +62,7 @@ nixpkgs.config.permittedInsecurePackages = [ "mbedtls-2.28.10" ];
+
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 }; }
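Review bot: `packages = forAllSystems ({ ... }: { … })` discards the per-system argument and hardcodes `system = "aarch64-linux";`, so the same aarch64 derivation is exposed under every `packages.<system>` attribute and building it on an x86_64 host goes through the binfmt emulation added to vinzenz-lpt2 in this commit rather than a native build. Either derive `system` from the forAllSystems argument or state the intent, e.g. `# always an aarch64 image; on x86_64 it builds via binfmt emulation`. The template also imports global-settings, so `networking.hostName` is baked in as `nixos-aarch64-pxvirt-lxc-template` together with the autoUpgrade flake URL, tailscale and openssh from that module; a comment listing which of these every container cloned from the template is expected to override, and where the per-container users and keys come from, would help. The outputs attribute set this lands in starts before the hunk.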
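Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` is added without a comment, and nothing in nixosConfigurations/vinzenz-lpt2/default.nix says why this laptop now registers a foreign-architecture handler; the reason sits in the flake.nix hunk of the same commit (building the aarch64 LXC template). A one-liner ties them together: `# build packages.*.nixos-aarch64-pxvirt-lxc-template locally (aarch64 via qemu-user)`. The handler applies to any aarch64 binary on the machine, not only to nix builds, so it is worth a comment saying it is wanted. The config block this lands in starts outside the hunk.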