diff --git a/flake.nix b/flake.nix index 95bbfca..316df4e 100644 --- a/flake.nix +++ b/flake.nix @@ -65,6 +65,17 @@ ]; }; + manatee = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit inputs; + }; + modules = [ + ./hosts/manatee/configuration.nix + ./hosts/manatee/home.nix + ]; + }; + backwards = inputs.nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { diff --git a/hosts/manatee/boot/default.nix b/hosts/manatee/boot/default.nix new file mode 100644 index 0000000..5db298a --- /dev/null +++ b/hosts/manatee/boot/default.nix @@ -0,0 +1,43 @@ +{ + inputs, + lib, + config, + ... +}: +let + configurationLimit = config.mod.gc.configurationLimit; +in +{ + imports = [ inputs.nix-gc-env.nixosModules.default ]; + + options = { + mod.gc = { + configurationLimit = lib.mkOption { + type = lib.types.int; + default = 10; + description = "number of configuration generations to keep"; + }; + }; + }; + + config = { + nix.gc = { + automatic = true; + dates = "weekly"; + + # `delete_generations` added by nix-gc-env + delete_generations = "+${builtins.toString configurationLimit}"; + }; + + boot = { + loader = { + systemd-boot = { + enable = true; + inherit configurationLimit; + }; + + efi.canTouchEfiVariables = true; + }; + }; + }; +} diff --git a/hosts/manatee/configuration.nix b/hosts/manatee/configuration.nix new file mode 100644 index 0000000..e979561 --- /dev/null +++ b/hosts/manatee/configuration.nix @@ -0,0 +1,50 @@ +{ pkgs, ... }: +{ + imports = [ + ../../config-manager/default.nix + ./hardware-configuration.nix + ./disk-config.nix + ./modules + ]; + + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + nixpkgs.config.allowUnfree = true; + + users.users.alex = { + isNormalUser = true; + description = "alex"; + extraGroups = [ "wheel" ]; + }; + + environment.systemPackages = with pkgs; [ + vim + git + ]; + + config-manager = { + flakePath = "/home/alex/config"; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.11"; # Did you read the comment? + +} diff --git a/hosts/manatee/disk-config.nix b/hosts/manatee/disk-config.nix new file mode 100644 index 0000000..8be3500 --- /dev/null +++ b/hosts/manatee/disk-config.nix @@ -0,0 +1,110 @@ +{ inputs, ... }: +{ + imports = [ inputs.disko.nixosModules.disko ]; + + config = { + networking.hostId = "0a9474e7"; # Required by ZFS + disko.devices = { + disk = { + root = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + + disk1 = { + type = "disk"; + device = "/dev/disk/by-id/ata-ST8000VN004-3CP101_WWZ8QCG4"; + content = { + type = "gpt"; + partitions = { + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "storage"; + }; + }; + }; + }; + }; + + disk2 = { + type = "disk"; + device = "/dev/disk/by-id/ata-ST8000VN004-3CP101_WWZ8QDJ5"; + content = { + type = "gpt"; + partitions = { + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "storage"; + }; + }; + }; + }; + }; + }; + + zpool = { + storage = { + type = "zpool"; + + mode = { + topology = { + type = "topology"; + vdev = [ + { + mode = "mirror"; + members = [ + "disk1" + "disk2" + ]; + } + ]; + }; + }; + + rootFsOptions = { + mountpoint = "none"; + compression = "zstd"; + xattr = "sa"; + "com.sun:auto-snapshot" = "false"; + }; + + datasets = { + media = { + type = "zfs_fs"; + mountpoint = "/mnt/media"; + options.mountpoint = "legacy"; # otherwise we get a race between systemd and zfs; https://github.com/nix-community/disko/issues/214 + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/manatee/hardware-configuration.nix b/hosts/manatee/hardware-configuration.nix new file mode 100644 index 0000000..75410c9 --- /dev/null +++ b/hosts/manatee/hardware-configuration.nix @@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "ahci" + "usb_storage" + "usbhid" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/manatee/home.nix b/hosts/manatee/home.nix new file mode 100644 index 0000000..9b2b4d0 --- /dev/null +++ b/hosts/manatee/home.nix @@ -0,0 +1,22 @@ +{ inputs, ... }: +{ + imports = [ inputs.home-manager.nixosModules.home-manager ]; + + config = { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + + users.alex = { + programs.home-manager.enable = true; + + home.username = "alex"; + home.homeDirectory = "/home/alex"; + + home.packages = [ ]; + + home.stateVersion = "24.11"; + }; + }; + }; +} diff --git a/hosts/manatee/modules/age/default.nix b/hosts/manatee/modules/age/default.nix new file mode 100644 index 0000000..ff8c190 --- /dev/null +++ b/hosts/manatee/modules/age/default.nix @@ -0,0 +1,14 @@ +{ inputs, pkgs, ... }: +{ + imports = [ inputs.agenix.nixosModules.default ]; + + config = { + age = { + identityPaths = [ "/etc/ssh/manatee" ]; + }; + + environment.systemPackages = [ + inputs.agenix.packages."${pkgs.system}".default + ]; + }; +} diff --git a/hosts/manatee/modules/default.nix b/hosts/manatee/modules/default.nix new file mode 100644 index 0000000..3cf51b3 --- /dev/null +++ b/hosts/manatee/modules/default.nix @@ -0,0 +1,17 @@ +{ lib, ... }: +let + toModulePath = dir: _: ./. + "/${dir}"; + filterDirs = dirs: lib.attrsets.filterAttrs (_: type: type == "directory") dirs; +in +{ + imports = lib.mapAttrsToList toModulePath (filterDirs (builtins.readDir ./.)); + + config = { + mod = { + gc.configurationLimit = 10; + + ssh.enable = true; + git.enable = true; + }; + }; +} diff --git a/hosts/manatee/modules/git/default.nix b/hosts/manatee/modules/git/default.nix new file mode 100644 index 0000000..d100a05 --- /dev/null +++ b/hosts/manatee/modules/git/default.nix @@ -0,0 +1,39 @@ +{ + pkgs, + lib, + config, + ... +}: +let + enabled = config.mod.git.enable; +in +{ + options = { + mod.git = { + enable = lib.mkEnableOption "enable git module"; + }; + }; + + config = lib.mkIf enabled { + home-manager.users.alex = { + programs.git = { + enable = true; + + includes = [ + { path = ./gitconfig; } + ]; + + extraConfig = { + rerere.enable = true; + }; + }; + + home.packages = [ pkgs.tig ]; + + home.file.".tigrc".text = '' + set main-view-line-number = yes + set main-view-line-number-interval = 1 + ''; + }; + }; +} diff --git a/hosts/manatee/modules/git/gitconfig b/hosts/manatee/modules/git/gitconfig new file mode 100644 index 0000000..7aa744e --- /dev/null +++ b/hosts/manatee/modules/git/gitconfig @@ -0,0 +1,9 @@ +[user] + name = Alexander Heldt + email = me@alexanderheldt.se + +[url "git@github.com:"] + insteadOf = https://github.com/ + +[url "gitea@git.ppp.pm:"] + insteadOf = https://git.ppp.pm/ diff --git a/hosts/manatee/modules/ssh/default.nix b/hosts/manatee/modules/ssh/default.nix new file mode 100644 index 0000000..58662ea --- /dev/null +++ b/hosts/manatee/modules/ssh/default.nix @@ -0,0 +1,101 @@ +{ + pkgs, + lib, + config, + ... +}: +let + enabled = config.mod.ssh.enable; + + authorizedKeysPath = "/home/alex/.ssh/authorized-keys"; + rootSSHKeyPath = "/etc/ssh"; +in +{ + options = { + mod.ssh = { + enable = lib.mkEnableOption "enable ssh module"; + }; + }; + + config = lib.mkIf enabled { + home-manager.users.alex = { + programs.ssh = { + enable = true; + + matchBlocks = { + "git.ppp.pm" = { + hostname = "git.ppp.pm"; + identityFile = "/home/alex/.ssh/alex.manatee-git.ppp.pm"; + }; + }; + }; + }; + + environment.etc."ssh/authorized_keys_command" = { + mode = "0755"; + text = '' + #!${pkgs.bash}/bin/bash + for file in ${authorizedKeysPath}/*; do + ${pkgs.coreutils}/bin/cat "$file" + done + ''; + }; + + services = { + openssh = { + enable = true; + ports = [ 1122 ]; + + hostKeys = [ + { + path = "${rootSSHKeyPath}/root.manatee"; + type = "ed25519"; + } + ]; + + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; + + authorizedKeysCommand = "/etc/ssh/authorized_keys_command"; + authorizedKeysCommandUser = "root"; + }; + }; + + networking = { + firewall = { + allowedTCPPorts = [ 1122 ]; + }; + }; + + age.secrets = { + "root.manatee" = { + file = ../../../../secrets/manatee/root.manatee.age; + path = "${rootSSHKeyPath}/root.manatee"; + }; + "root.manatee.pub" = { + file = ../../../../secrets/manatee/root.manatee.pub.age; + path = "${rootSSHKeyPath}/root.manatee.pub"; + }; + + "alex.pinwheel-manatee.pub" = { + file = ../../../../secrets/pinwheel/alex.pinwheel-manatee.pub.age; + path = "${authorizedKeysPath}/alex.pinwheel-manatee.pub"; + }; + + "alex.manatee-git.ppp.pm" = { + file = ../../../../secrets/manatee/alex.manatee-git.ppp.pm.age; + path = "/home/alex/.ssh/alex.manatee-git.ppp.pm"; + owner = "alex"; + group = "users"; + }; + "alex.manatee-git.ppp.pm.pub" = { + file = ../../../../secrets/manatee/alex.manatee-git.ppp.pm.pub.age; + path = "/home/alex/.ssh/alex.manatee-git.ppp.pm.pub"; + owner = "alex"; + group = "users"; + }; + }; + }; +} diff --git a/hosts/manatee/network/default.nix b/hosts/manatee/network/default.nix new file mode 100644 index 0000000..ac7b31d --- /dev/null +++ b/hosts/manatee/network/default.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + networking = { + hostName = "manatee"; + + defaultGateway = "192.168.50.1"; + nameservers = [ "1.1.1.1" ]; + interfaces = { + enp3s0 = { + useDHCP = false; + ipv4 = { + addresses = [ + { + address = "192.168.50.203"; + prefixLength = 24; + } + ]; + }; + }; + }; + }; +}