Compare commits

..

97 Commits

Author SHA1 Message Date
Sam 4b3aa6463e Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-24 12:33:25 +00:00
Sam 04695d4526 print server for merlin 2025-01-24 12:33:21 +00:00
System administrator a8b91ff861 manual declare hw conf for sparky 2025-01-24 11:55:11 +00:00
Sam c5d3d7c7df sparky autoupgrade and change home persistence 2025-01-24 10:58:35 +00:00
Sam 4308e476fb add homeshare nfs client to semita 2025-01-24 10:35:24 +00:00
Sam cc351fda28 modify nixos update script to add remote build 2025-01-24 00:21:13 +00:00
Sam d131fe3cc2 modify nixos update script to add remote build 2025-01-24 00:14:51 +00:00
Sam f1e58a9285 add remote build to update script 2025-01-23 23:40:11 +00:00
Sam ab4d9e6f81 add nvidia support to docker container 2025-01-23 21:20:44 +00:00
Sam 302ce2a84f add blackbox exporter 2025-01-23 15:28:41 +00:00
Sam 7c12cd2dc7 flake.lock: Update
Flake lock file updates:

• Updated input 'nix-bitcoin':
    'github:fort-nix/nix-bitcoin/33dbb41d581b86decf421cb3835c426d557e0e9c?narHash=sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk%3D' (2024-12-18)
  → 'github:fort-nix/nix-bitcoin/dc4d14e07324e43b8773e3eb5eb2a10c6b469287?narHash=sha256-FJ0ATgYWavH3ZeA0ofTEMS%2B22HqYN2Lqu3G6IsqbKIg%3D' (2025-01-21)
• Updated input 'nix-bitcoin/nixpkgs-unstable':
    'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2?narHash=sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU%3D' (2024-12-13)
  → 'github:NixOS/nixpkgs/300081d0cc72df578b02d914df941b8ec62240e6?narHash=sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE%3D' (2025-01-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/0d6514cc638f30997676f5be71317c7dc917ef0f?narHash=sha256-w5xL1oUVRZRC6mZ9CcuhfLn3b1vB5SXEMyzBQH8btvc%3D' (2025-01-22)
  → 'github:nixos/nixpkgs/f7b572b004be8e60c6727b3856a13efe17323212?narHash=sha256-xP8UQqo3XSXy92tQ%2BwFvps46rVHnIc8W7ShQ5CUQALo%3D' (2025-01-22)
• Updated input 'nur':
    'github:nix-community/NUR/71551eca173cc56fbf4b3d781ac5d152635e05d9?narHash=sha256-%2BU9pqH8KBC0QrwkqtA8RzmKXyxLTzmUBElR0JBRS11c%3D' (2025-01-22)
  → 'github:nix-community/NUR/80b6ff6a51dbebbe0bcc71858ae9a299e1207704?narHash=sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk%2Bt4lrJA%3D' (2025-01-23)
2025-01-23 03:18:10 +00:00
Sam 19cdd825af remove pihole and bitcoind from restic backup 2025-01-22 23:25:04 +00:00
Sam 41e0737541 Merge branch 'development' 2025-01-22 20:47:01 +00:00
Sam d89fe5e5e7 change qbittorrent data mount dir 2025-01-22 20:46:37 +00:00
Sam 46cc81b5e9 port forwarding in gluetun container 2025-01-22 20:08:13 +00:00
Sam acf5706bf6 change data drive locations and minor backup modifications 2025-01-22 19:15:53 +00:00
Sam daef8c69a5 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/eea315cf7d26ae50d3873d56dcf87e8845a23fc5?narHash=sha256-qA5D6Wm9JzrvUvD7zOvK29x5SvemGRyk9oahasLtHXI%3D' (2025-01-21)
  → 'github:nixos/nixpkgs/0d6514cc638f30997676f5be71317c7dc917ef0f?narHash=sha256-w5xL1oUVRZRC6mZ9CcuhfLn3b1vB5SXEMyzBQH8btvc%3D' (2025-01-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5df43628fdf08d642be8ba5b3625a6c70731c19c?narHash=sha256-Tbk1MZbtV2s5aG%2BiM99U8FqwxU/YNArMcWAv6clcsBc%3D' (2025-01-16)
  → 'github:nixos/nixpkgs/9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab?narHash=sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk%3D' (2025-01-21)
• Updated input 'nur':
    'github:nix-community/NUR/34215e55d69fe1292c4fee669444983d79cce53f?narHash=sha256-R0z3fxhP6YZXZ7MCAmx3yhqBgOldZyQMHK4eJJY4gS8%3D' (2025-01-21)
  → 'github:nix-community/NUR/71551eca173cc56fbf4b3d781ac5d152635e05d9?narHash=sha256-%2BU9pqH8KBC0QrwkqtA8RzmKXyxLTzmUBElR0JBRS11c%3D' (2025-01-22)
• Updated input 'nur/nixpkgs':
    'github:nixos/nixpkgs/5df43628fdf08d642be8ba5b3625a6c70731c19c?narHash=sha256-Tbk1MZbtV2s5aG%2BiM99U8FqwxU/YNArMcWAv6clcsBc%3D' (2025-01-16)
  → 'github:nixos/nixpkgs/9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab?narHash=sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk%3D' (2025-01-21)
2025-01-22 03:22:21 +00:00
Sam b1374413d5 citadel downgrade linux kernel due to build errors 2025-01-21 23:43:44 +00:00
Sam ec85809206 modify distributed builds local machine 2025-01-21 23:36:46 +00:00
Sam 47245c4844 add subnet ip variable to fileserver and update secrets 2025-01-21 23:24:21 +00:00
Sam b0f9e82700 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-21 17:20:01 +00:00
Sam ba170a0ee4 deactivate auto updates on semita 2025-01-21 17:19:55 +00:00
Sam 33275e894f add rest of containers to merlin 2025-01-21 17:18:17 +00:00
Sam 4e57f67e92 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-21 17:17:57 +00:00
Sam 1d5dc592ad remove containers and mounts from semita] 2025-01-21 17:17:27 +00:00
Sam ca31181af0 add containers to merlin 2025-01-21 13:06:21 +00:00
Sam 235cdd4442 minor modification 2025-01-21 11:41:30 +00:00
Sam b79add0811 update flake.lock 2025-01-21 11:37:15 +00:00
Sam 2208bcf968 modify bootstrap script and change btrfsMountDevice in merlin 2025-01-21 11:05:08 +00:00
Sam ef393ba038 flake.lock: Update
Flake lock file updates:

• Updated input 'nur':
    'github:nix-community/NUR/2a1db46a5c59c4e367483fb159ef0ac429c40551?narHash=sha256-I5D1H9ah8ZHZ01VX1H8JGvHe4dqsYKAQhY17IW39uYk%3D' (2025-01-20)
  → 'github:nix-community/NUR/ebc0c383da65e99b2b04a616e9911556d09bbc9b?narHash=sha256-5N2pMCQYz%2B6aBXHh648if/IIqPZtk/mvaBP3dPnFlmM%3D' (2025-01-21)
2025-01-21 06:23:41 +00:00
Sam b0da513526 flake.lock: Update
Flake lock file updates:

• Updated input 'nur':
    'github:nix-community/NUR/f9cf00fbb45d981304918dfddc20fe46521c8e1d?narHash=sha256-KcLYxT0seQnwjOOCI13qHTq1WNb8UIaxNMSu2w3b%2B7c%3D' (2025-01-20)
  → 'github:nix-community/NUR/2a1db46a5c59c4e367483fb159ef0ac429c40551?narHash=sha256-I5D1H9ah8ZHZ01VX1H8JGvHe4dqsYKAQhY17IW39uYk%3D' (2025-01-20)
• Updated input 'sops-nix':
    'github:mic92/sops-nix/4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6?narHash=sha256-GXUE9%2BFgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o%3D' (2025-01-17)
  → 'github:mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20)
2025-01-21 03:05:09 +00:00
Sam 3b1a73bfb4 Merge branch 'development' 2025-01-20 23:28:07 +00:00
Sam c156ef427e added remotebuilder public key 2025-01-20 23:27:51 +00:00
Sam 597cec2099 update flake.lock 2025-01-20 23:16:23 +00:00
Sam 515e653f9e flake update 2025-01-20 21:37:42 +00:00
Sam 4c98876b31 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-20 21:31:06 +00:00
Sam 224bba965c change autoupdate merlin to 3am 2025-01-20 21:31:01 +00:00
Sam 48bcee3ed6 change semita push autoupdate 2025-01-20 21:29:46 +00:00
Sam 03cd70fc86 update flake secrets and add remote builder to merlin 2025-01-20 21:28:31 +00:00
Sam a76cdbb0c8 add push updates to merlin 2025-01-20 21:16:52 +00:00
Sam bc033a9e57 Add auto updates to merlin, mount btcnode disk and minor refactor 2025-01-20 21:13:01 +00:00
Sam 6b44db92ca Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-20 16:40:49 +00:00
Sam e87b6ca768 ADD: nvidia x11 drivers 2025-01-20 16:40:44 +00:00
Sam a48f13668e Merge git.bitlab21.com:sam/nixos into development 2025-01-20 16:38:54 +00:00
Sam 6df5c71ea1 ADD: nvidia drivers 2025-01-20 10:26:01 +00:00
Sam 92a5c93e6a ADD: default editor to admin hm session.vars 2025-01-20 10:01:53 +00:00
Sam dd46fb52a8 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-20 10:00:29 +00:00
Sam b737c360e5 MODIFY: add ssh keys to admin user 2025-01-20 09:58:16 +00:00
Sam a92ed489cb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/1a0411805bc16f5a9571683e986aa1e583673b50?narHash=sha256-nN3e6WnE6cP4GLbDnDRY/cO1vB3HmWViht7m17vXgOE%3D' (2025-01-19)
  → 'github:nixos/nixpkgs/890f8d10603772918fbc568506ddd61f2264d3df?narHash=sha256-GlClp1IHdAImlw2xlQX0j74geniodHZhYnHocFwBFuI%3D' (2025-01-19)
• Updated input 'nur':
    'github:nix-community/NUR/de30640a76ddbada94babffe43f5e457282bed08?narHash=sha256-zWmNplzxsbMus2InIAVS9L9O1fscm%2BSG1XNjMUZxwqQ%3D' (2025-01-19)
  → 'github:nix-community/NUR/e7161d719b6e296bb4341f88ece66a89ac7322a9?narHash=sha256-IEp1dmer6FraEFyQEww2%2BH08TlRZbluGW5DMDKytcSk%3D' (2025-01-20)
2025-01-20 06:26:06 +00:00
Sam 27a5149ad2 MODIFY: port forwarding on semita for tailscale router 2025-01-20 00:07:37 +00:00
Sam ecebf8427d MODIFY: root pwd 2025-01-19 20:07:50 +00:00
Sam 59ed91f5de ADD: zpool to merlin persist 2025-01-19 19:52:24 +00:00
Sam d6fb0ed23c FIX: add persistance config for merlin 2025-01-19 19:42:02 +00:00
Sam 9345729ae2 MODIFY: persist admin homedir 2025-01-19 19:40:01 +00:00
Sam 2b67f11eab MODIFY: merlin host setup 2025-01-19 19:18:31 +00:00
Sam 1854ee0f33 MODIFY: merlin host setup 2025-01-19 14:57:00 +00:00
Sam 1187131524 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-19 12:31:03 +00:00
Sam dd3d73f0a3 FIX: persist tailscale dir 2025-01-19 12:30:51 +00:00
Sam ba181205c4 FEATURE: setup nfs-client on citadel 2025-01-19 12:22:50 +00:00
Sam ee98b5cf89 MODIFY: update flake secrets 2025-01-19 12:22:29 +00:00
Sam 6a9add44bd minor fix 2025-01-19 11:33:25 +00:00
Sam 59fb1d7193 MODIFY: remove bind-mounts from semita 2025-01-19 11:33:03 +00:00
Sam d783ee2665 MODIFY: change docker to homeshareDataLocation in configVars 2025-01-19 11:31:56 +00:00
Sam 84d5521949 FEATURE: add nfs-server configuration 2025-01-19 11:31:33 +00:00
Sam 8d69a14fb6 FEATURE: add nfs-clients for new fileserver 2025-01-19 11:30:52 +00:00
Sam 4453af9e45 MODIFY: remove bind-mounts from fileserver 2025-01-19 11:30:04 +00:00
Sam 4534d564f2 MODIFY: update flake.lock secrets 2025-01-19 11:28:47 +00:00
Sam 82b89bd6d0 FEATURE: add bind mounts for homeshare
- mount homeshare directories to media from homeshareDataLocation in configVars
2025-01-19 10:30:46 +00:00
Sam 6e236ff544 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8773174492fc61571b578f34a59953baba46471a?narHash=sha256-9mWmMXCto7e8U9hM8ZFozElv4dgOMTe308SSc7rEEFs%3D' (2025-01-18)
  → 'github:nixos/nixpkgs/eacdab35066b0bb1c9413c96898e326b76398a81?narHash=sha256-r3fxHvh%2BM/mBgCZXOACzRFPsJdix2QSsKazb7VCXXo0%3D' (2025-01-19)
• Updated input 'nur':
    'github:nix-community/NUR/cca606d5ab57ea665046167db8a486155e1cfbb0?narHash=sha256-JgZyCTqBWYo0RKhG6v3I3wS9kcpQhVHP0o5lvPLEvFw%3D' (2025-01-18)
  → 'github:nix-community/NUR/0b2b53ac3bd61384876cf8461d32e698064297ea?narHash=sha256-Ue2TumKTw%2B6VUSKdgHE93gViUTOJDmS2I0HjLbmrHls%3D' (2025-01-19)
2025-01-19 06:23:06 +00:00
Sam 3f0409ce73 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-18 11:48:37 +00:00
Sam 68c7d6d852 BUGFIX: fix conditional script construction in nixosAutoUpgrade.nix module 2025-01-18 11:48:32 +00:00
Sam 7559c51120 Merge branch 'development' of git.bitlab21.com:sam/nixos into development 2025-01-18 11:16:04 +00:00
Sam d20f09ac39 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/e406743d5e0b2e40c53919aad5ece69af4ab54eb?narHash=sha256-ZYuYx2w2m86425CHyAyZLqu9NPE3zVFaQGNuKoTx/hw%3D' (2025-01-17)
  → 'github:nixos/nixpkgs/8773174492fc61571b578f34a59953baba46471a?narHash=sha256-9mWmMXCto7e8U9hM8ZFozElv4dgOMTe308SSc7rEEFs%3D' (2025-01-18)
• Updated input 'nur':
    'github:nix-community/NUR/92679ee687f57ed49dc9af0d4bdc6cbe6127c3da?narHash=sha256-mST0rIiY0ZURqfJUCeS7ziUg2QO5QhUxoGfmDxT2M7M%3D' (2025-01-17)
  → 'github:nix-community/NUR/cca606d5ab57ea665046167db8a486155e1cfbb0?narHash=sha256-JgZyCTqBWYo0RKhG6v3I3wS9kcpQhVHP0o5lvPLEvFw%3D' (2025-01-18)
2025-01-18 06:02:15 +00:00
Sam 1a81ffe2dc update flake.lock 2025-01-18 00:26:01 +00:00
Sam 34cc27cbc5 add metrics server to semita 2025-01-18 00:24:28 +00:00
Sam b65fcf82d2 remove unnecessary docker config from metrics server container 2025-01-17 20:33:16 +00:00
Sam 8d6469407f add metrics-server container 2025-01-17 20:28:27 +00:00
Sam 996f9e782f upgrade flake secrets 2025-01-17 20:05:18 +00:00
Sam efd30e3968 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-17 20:04:28 +00:00
Sam 6862e4e813 update flake secrets 2025-01-17 20:04:23 +00:00
Sam 9c86422497 fix photoprism config file path issue 2025-01-17 19:10:26 +00:00
Sam f087d7d933 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/0ab8bdef1a34b67d2ecc8f86763cbb3cb5297699?narHash=sha256-%2BVpCgelbCgJvxos%2B4sAVaKfwYRKrkflsWcYVOhG0mXg%3D' (2025-01-17)
  → 'github:nixos/nixpkgs/3cbc78cfa611511c04f47c4932509f9dbdf4381a?narHash=sha256-Zql7TDxEMAOASLSu0wBlfM5SIY%2B4Pz2R/k17O/asCYc%3D' (2025-01-17)
• Updated input 'nur':
    'github:nix-community/NUR/af9410660d59f7ef2d1c5d375e62ecfd739ae737?narHash=sha256-RQvEM5nMQ7UUuatWk9ytnYv5DyKZhocfdGzHYuDk3B8%3D' (2025-01-17)
  → 'github:nix-community/NUR/b65350213a768bdf4d2da001537a6635edcd562a?narHash=sha256-pBF7pAmSRlmmObXbS71v0YM5sEC4/4HvesFV3oz2xQU%3D' (2025-01-17)
• Updated input 'sops-nix':
    'github:mic92/sops-nix/553c7cb22fed19fd60eb310423fdc93045c51ba8?narHash=sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk%3D' (2025-01-13)
  → 'github:mic92/sops-nix/4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6?narHash=sha256-GXUE9%2BFgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o%3D' (2025-01-17)
2025-01-17 09:53:44 +00:00
Sam 23bdee5e1d Merge branch 'development' 2025-01-17 09:50:47 +00:00
Sam 6521a7240b Merge branch 'nixvim' 2025-01-17 09:43:10 +00:00
Sam b1335769d3 import nixosUpgrade module for sparky 2025-01-17 09:42:40 +00:00
Sam da1b00ac33 import nixosUpgrade module for sparky 2025-01-17 09:40:29 +00:00
Sam 2122159495 Merge branch 'development' 2025-01-17 09:38:36 +00:00
Sam 50801de960 remove deprecated opengl option 2025-01-17 09:37:50 +00:00
Sam af18b2507d Merge branch 'development' 2025-01-17 09:36:12 +00:00
Sam 0f4a0ba18b add autoUpgrade to sparky 2025-01-17 09:35:16 +00:00
Sam 0bebf6dac4 Merge branch 'master' of git.bitlab21.com:sam/nixos 2025-01-17 09:33:07 +00:00
Sam dea819ed0d modify restic RandomizedDelaySec to 4h and timer to 8pm 2025-01-17 09:31:24 +00:00
Sam de0b2ab001 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/957c1f6e206281625f8e71a5d8944e9834a5699d?narHash=sha256-GcyT76HPi%2BHoWmUw0YfLJ48CqDOIxHXBSmjOSlfFQvA%3D' (2025-01-16)
  → 'github:nixos/nixpkgs/0ab8bdef1a34b67d2ecc8f86763cbb3cb5297699?narHash=sha256-%2BVpCgelbCgJvxos%2B4sAVaKfwYRKrkflsWcYVOhG0mXg%3D' (2025-01-17)
• Updated input 'nur':
    'github:nix-community/NUR/515f3082e8381194afd691a797802efd31b2bae3?narHash=sha256-mWu8%2BPtK4cFlcWoixvQjODGzG4405tVczi7Gv7%2BXjXw%3D' (2025-01-16)
  → 'github:nix-community/NUR/af9410660d59f7ef2d1c5d375e62ecfd739ae737?narHash=sha256-RQvEM5nMQ7UUuatWk9ytnYv5DyKZhocfdGzHYuDk3B8%3D' (2025-01-17)
2025-01-17 06:12:47 +00:00
Sam d68a83e503 fix timerConfig for restic backups 2025-01-16 23:31:40 +00:00
Sam 833f511ce1 modify citadel autoUpgrade time to 8am 2025-01-16 23:30:20 +00:00
Sam dc883d2d9a modify restic backup timer 2025-01-16 23:25:53 +00:00
Sam ab5b75a3cf modify semita autoUpdate time 2025-01-16 23:14:01 +00:00
46 changed files with 1060 additions and 451 deletions

View File

@ -8,71 +8,80 @@ flakeDir="${FLAKE_DIR}" # Path to the flake file (and op
update=false # Whether to update flake.lock (false by default) update=false # Whether to update flake.lock (false by default)
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script) user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script)
reboot=false reboot=false
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild) remote=false
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() { function usage() {
echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions." echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions."
echo "" echo ""
echo "Running the script with no parameters performs the following operations:" echo "Running the script with no parameters performs the following operations:"
echo " 1. Pull the latest version of the config" echo " 1. Pull the latest version of the config"
echo " 2. Update your flake.lock file" echo " 2. Update your flake.lock file"
echo " 3. Commit any changes back to the repository" echo " 3. Commit any changes back to the repository"
echo " 4. Run 'nixos-rebuild switch'." echo " 4. Run 'nixos-rebuild switch'."
echo "" echo ""
echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]" echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]"
echo "Options:" echo "Options:"
echo " -h, --help Show this help screen." echo " -h, --help Show this help screen."
echo " -o, --operation The nixos-rebuild operation to perform." echo " -o, --operation The nixos-rebuild operation to perform."
echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)." echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -U, --update Update and commit flake.lock." echo " -U, --update Update and commit flake.lock."
echo " -u, --user Which user account to run git commands under." echo " -R, --build-host <user@host> Attempt build on remote host."
echo "" echo " -r, --reboot Reboots system is there is a kernel or init update"
exit 2 echo " -u, --user Which user account to run git commands under."
echo ""
exit 2
} }
# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
POSITIONAL_ARGS=() POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case "$1" in case "$1" in
--flake|-f) --flake | -f)
flakeDir="$2" flakeDir="$2"
shift shift
shift shift
;; ;;
--update|--upgrade|-U) --operation | -o)
update=true operation="$2"
shift shift
;; shift
--reboot|-r) ;;
reboot=true --user | -u)
shift user="$2"
;; shift
--operation|-o) shift
operation="$2" ;;
shift --build-host | -R)
shift remote=true
;; host="$2"
--user|-u) shift
user="$2" shift
shift ;;
shift --update | --upgrade | -U)
;; update=true
--help|-h) shift
usage ;;
exit 0 --reboot | -r)
;; reboot=true
*) shift
POSITIONAL_ARGS+=("$1") # save positional arg ;;
shift --help | -h)
;; usage
esac exit 0
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift
;;
esac
done done
remainingArgs=${POSITIONAL_ARGS[@]} remainingArgs=${POSITIONAL_ARGS[@]}
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [ -z "${flakeDir}" ]; then if [ -z "${flakeDir}" ]; then
echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR." echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR."
exit 1 exit 1
fi fi
cd $flakeDir cd $flakeDir
@ -85,16 +94,22 @@ echo "Pulling the latest version of the repository..."
/run/wrappers/bin/sudo -u $user git pull /run/wrappers/bin/sudo -u $user git pull
if [ $update = true ]; then if [ $update = true ]; then
echo "Updating flake.lock..." echo "Updating flake.lock..."
/run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push /run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push
else else
echo "Skipping 'nix flake update'..." echo "Skipping 'nix flake update'..."
fi fi
options="--flake $flakeDir $remainingArgs --use-remote-sudo" options="--flake $flakeDir $remainingArgs --use-remote-sudo"
echo "Running this operation: nixos-rebuild $operation $options" echo "Running this operation: nixos-rebuild $operation $options"
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
if [ $remote = true ]; then
echo "Attempting remote build..."
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options --build-host "$host"
else
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
fi
echo "Checking if reboot is necessary" echo "Checking if reboot is necessary"
reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})) reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules}))

View File

@ -271,11 +271,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735882644, "lastModified": 1737043064,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", "narHash": "sha256-I/OuxGwXwRi5gnFPsyCvVR+IfFstA+QXEpHu1hvsgD8=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", "rev": "94ee657f6032d913fe0ef49adaa743804635b0bb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"
}, },
"locked": { "locked": {
"lastModified": 1734508046, "lastModified": 1737481937,
"narHash": "sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk=", "narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=",
"owner": "fort-nix", "owner": "fort-nix",
"repo": "nix-bitcoin", "repo": "nix-bitcoin",
"rev": "33dbb41d581b86decf421cb3835c426d557e0e9c", "rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,15 +501,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736370755, "lastModified": 1736820923,
"narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=", "narHash": "sha256-SDuKLOWAh8VJRXlNWQn9QE99bjeEUAAbYXqrKGbsiyk=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "57733bd1dc81900e13438e5b4439239f1b29db0e", "rev": "944c2b181792ae7ae6b20c0df3f44879c11706c9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "lnl7",
"ref": "nix-darwin-24.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@ -538,11 +539,11 @@
}, },
"nix-secrets": { "nix-secrets": {
"locked": { "locked": {
"lastModified": 1736984538, "lastModified": 1737643624,
"narHash": "sha256-SAoVXTVwLL4hYpHQFJqI+91eIqIS0Mug0URqh6KqeIM=", "narHash": "sha256-RAnbZSi2yagPCpNcm3U3wA6FAzbhGUi9ifvnu6Du3Rs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "b28890d455676809e9130945ea267fa16b02d44d", "rev": "5260822187ce58af680e5aceba8fb01f10415def",
"revCount": 208, "revCount": 248,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -584,11 +585,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1734126203, "lastModified": 1737370608,
"narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=", "narHash": "sha256-hFA6SmioeqvGW/XvZa9bxniAeulksCOcj3kokdNT/YE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "71a6392e367b08525ee710a93af2e80083b5b3e2", "rev": "300081d0cc72df578b02d914df941b8ec62240e6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -600,11 +601,11 @@
}, },
"nixpkgs-unstable_2": { "nixpkgs-unstable_2": {
"locked": { "locked": {
"lastModified": 1736883708, "lastModified": 1737469691,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -632,11 +633,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1737053689, "lastModified": 1737584761,
"narHash": "sha256-GcyT76HPi+HoWmUw0YfLJ48CqDOIxHXBSmjOSlfFQvA=", "narHash": "sha256-xP8UQqo3XSXy92tQ+wFvps46rVHnIc8W7ShQ5CUQALo=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "957c1f6e206281625f8e71a5d8944e9834a5699d", "rev": "f7b572b004be8e60c6727b3856a13efe17323212",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -648,11 +649,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1736883708, "lastModified": 1737469691,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -677,11 +678,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1736598792, "lastModified": 1737283156,
"narHash": "sha256-G6/9vT12RAxkNWQPEX9p8tTx/i8jJcmISpbVDGbEPGc=", "narHash": "sha256-FyHmM6vvz+UxCrPZo/poIaZBZejLHVKkAH4cjtUxZDA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "2004ff4547f11d25da78f393fe797dde2b831ce7", "rev": "abcbd250b8a2c7aab1f4b2b9e01598ee24b42337",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -698,11 +699,11 @@
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1737052979, "lastModified": 1737602136,
"narHash": "sha256-mWu8+PtK4cFlcWoixvQjODGzG4405tVczi7Gv7+XjXw=", "narHash": "sha256-Jr7tmhsZVAebD/TCpijDqcxr4w15wnPCOrlk+t4lrJA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "515f3082e8381194afd691a797802efd31b2bae3", "rev": "80b6ff6a51dbebbe0bcc71858ae9a299e1207704",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -783,11 +784,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736808430, "lastModified": 1737411508,
"narHash": "sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk=", "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
"owner": "mic92", "owner": "mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "553c7cb22fed19fd60eb310423fdc93045c51ba8", "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -885,11 +886,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736154270, "lastModified": 1737103437,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=", "narHash": "sha256-uPNWcYbhY2fjY3HOfRCR5jsfzdzemhfxLSxwjXYXqNc=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b", "rev": "d1ed3b385f8130e392870cfb1dbfaff8a63a1899",
"type": "github" "type": "github"
}, },
"original": { "original": {

View File

@ -1,5 +1,5 @@
{ {
description = "Nix Config"; description = "Nixos Config";
inputs = { inputs = {
# Nixpkgs # Nixpkgs
@ -118,7 +118,7 @@
merlin = nixpkgs.lib.nixosSystem { merlin = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
modules = [ modules = [
./hosts/nebula ./hosts/merlin
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager.extraSpecialArgs = specialArgs; home-manager.extraSpecialArgs = specialArgs;

View File

@ -26,7 +26,6 @@
pkgs.hunspellDicts.en_US pkgs.hunspellDicts.en_US
pkgs.set_wm_class pkgs.set_wm_class
pkgs.xorg.xkill pkgs.xorg.xkill
pkgs.krita
pkgs.R pkgs.R
pkgs.gimp pkgs.gimp
pkgs.gajim pkgs.gajim

11
home/merlin.nix Normal file
View File

@ -0,0 +1,11 @@
{
...
}: {
imports = [
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
}

View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, outputs, ... }: { outputs, ... }:
{ {
home.username = "admin"; home.username = "admin";
@ -7,6 +7,16 @@
imports = [ imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules? ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
programs.ssh = {
enable = true;
matchBlocks = {
"git.bitlab21.com" = {
identitiesOnly = true;
identityFile = ["~/.ssh/deploy_key-ssh-ed25519"];
};
};
};
home.packages = [ home.packages = [
]; ];
@ -17,6 +27,7 @@
]; ];
home.sessionVariables = { home.sessionVariables = {
EDITOR = "nvim";
}; };
programs.home-manager.enable = true; programs.home-manager.enable = true;

View File

@ -11,13 +11,11 @@
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/nvme0n1"; # depends on target hardware dev = "/dev/nvme0n1"; # depends on target hardware
encrypted = true; # currrently only applies to btrfs encrypted = true; # currrently only applies to btrfs
btrfsMountDevice = btrfsMountDevice = "/dev/mapper/crypted";
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
user = "sam"; user = "sam";
impermanence = true; impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
imports = [ imports = [
@ -48,29 +46,33 @@ in {
../common/optional/pipewire.nix ../common/optional/pipewire.nix
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/dwm.nix ../common/optional/dwm.nix
../common/optional/nfs-mounts/media.nix
../common/optional/nfs-mounts/homeshare.nix ../common/optional/fileserver/nfs-client/media.nix
../common/optional/nfs-mounts/photos.nix ../common/optional/fileserver/nfs-client/photos.nix
../common/optional/printing.nix ../common/optional/fileserver/nfs-client/personal.nix
# ../common/optional/printing.nix
../common/optional/backlight.nix ../common/optional/backlight.nix
../common/optional/xmodmap-arrow-remaps.nix ../common/optional/xmodmap-arrow-remaps.nix
../common/optional/nix-ld.nix ../common/optional/nix-ld.nix
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/powersave.nix ../common/optional/powersave.nix
../common/optional/restic-backup.nix ../common/optional/restic-backup.nix
../common/optional/distributed-builds/local-machine.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
# ../../modules/nixos # ../../modules/nixos
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
boot = { boot = {
supportedFilesystems = ["nfs"];
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
kernelModules = ["iwlwifi"]; kernelModules = ["iwlwifi"];
initrd.kernelModules = ["thinkpad-acpi" "acpi-call"]; initrd.kernelModules = ["thinkpad-acpi" "acpi-call" "nfs"];
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest; # BUG: Using older linux kernel because of build errors
# see https://github.com/NixOS/nixpkgs/issues/375605
# kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
extraModulePackages = [ extraModulePackages = [
config.boot.kernelPackages.acpi_call config.boot.kernelPackages.acpi_call
]; ];
@ -92,9 +94,10 @@ in {
enable = true; enable = true;
persistent = true; persistent = true;
reboot = false; reboot = false;
remote = "remotebuild@${merlinIp}";
pushUpdates = false; pushUpdates = false;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "daily"; onCalendar = "*-*-* 08:00:00";
user = "sam"; user = "sam";
}; };
@ -104,15 +107,8 @@ in {
xkb.options = "caps:swapescape"; xkb.options = "caps:swapescape";
dpi = 196; dpi = 196;
upscaleDefaultCursor = true; upscaleDefaultCursor = true;
# FIXME this doesnt work for some reason
# displayManager.sessionCommands = pkgs.writeShellScriptBin "key-remaps" ''
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 64 = Mode_switch"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 43 = h H Left H"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 44 = j J Down J"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 45 = k K Up K"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 46 = l L Right L"
# '';
}; };
# enable oom killer when system ram drops below 5% free # enable oom killer when system ram drops below 5% free
earlyoom = { earlyoom = {
enable = true; enable = true;
@ -165,18 +161,6 @@ in {
powerManagement.finegrained = true; powerManagement.finegrained = true;
open = false; open = false;
nvidiaSettings = true; nvidiaSettings = true;
# # FIXME issue with stable nvidia driver and latest linux kernel
# # use mkDriver to specify newer nvidia driver that is compatible
# # see: https://github.com/NixOS/nixpkgs/issues/341844#issuecomment-2351075413
# # and https://discourse.nixos.org/t/builder-for-nvidia-x11-550-78-6-10-drv-failed-with-exit-code-2/49360/32
# package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
# version = "555.58.02";
# sha256_64bit = "sha256-xctt4TPRlOJ6r5S54h5W6PT6/3Zy2R4ASNFPu8TSHKM=";
# sha256_aarch64 = "sha256-wb20isMrRg8PeQBU96lWJzBMkjfySAUaqt4EgZnhyF8=";
# openSha256 = "sha256-8hyRiGB+m2hL3c9MDA/Pon+Xl6E788MZ50WrrAGUVuY=";
# settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8=";
# persistencedSha256 = "sha256-a1D7ZZmcKFWfPjjH1REqPM5j/YLWKnbkP9qfRyIyxAw=";
# };
}; };
# https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix # https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix
# https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15 # https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15

View File

@ -0,0 +1,36 @@
{
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = import "${fsModule}";
};
};
};
};
};
};
}

View File

@ -19,7 +19,6 @@
"/swap" = { "/swap" = {
mountOptions = [ "noatime" ]; mountOptions = [ "noatime" ];
mountpoint = "/.swapvol"; mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
}; };
}; };
} }

View File

@ -1,11 +1,8 @@
{ device, fsType, encrypted, impermanence, ... }: { device, fsType, encrypted, impermanence, ... }:
let let
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix; fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
basic = import ./${fsType}/basic.nix { inherit device; }; basic = import ./basic.nix { inherit device; fsModule = fsModule; };
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
luks = import ./luks.nix { inherit device; fsModule = fsModule; }; luks = import ./luks.nix { inherit device; fsModule = fsModule; };
in in
if fsType == "ext4" then basic if fsType == "btrfs" && encrypted then luks
else if fsType == "btrfs" && encrypted then luks else basic
else if fsType == "btrfs" then lvm
else null

View File

@ -1,5 +1,4 @@
{config, ...}: {config, ...}: let
let
openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path; openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
openVpnUser = config.sops.secrets."software/proton/openvpn_user".path; openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
in { in {
@ -8,6 +7,18 @@ in {
"software/proton/openvpn_user" = {}; "software/proton/openvpn_user" = {};
}; };
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
6887
];
allowedUDPPorts = [
6887
];
};
};
virtualisation.arion = { virtualisation.arion = {
backend = "podman-socket"; backend = "podman-socket";
projects.arrstack = { projects.arrstack = {
@ -19,7 +30,7 @@ in {
"6887:6887/udp" # qbittorrent torrenting port "6887:6887/udp" # qbittorrent torrenting port
]; ];
image = "qmcgaw/gluetun"; image = "qmcgaw/gluetun";
capabilities = { NET_ADMIN = true; }; capabilities = {NET_ADMIN = true;};
container_name = "glutun"; container_name = "glutun";
restart = "always"; restart = "always";
volumes = [ volumes = [
@ -31,6 +42,7 @@ in {
VPN_SERVICE_PROVIDER = "protonvpn"; VPN_SERVICE_PROVIDER = "protonvpn";
VPN_TYPE = "openvpn"; VPN_TYPE = "openvpn";
SERVER_COUNTRIES = "Switzerland"; SERVER_COUNTRIES = "Switzerland";
VPN_PORT_FORWARDING = "on";
}; };
devices = ["/dev/net/tun:/dev/net/tun"]; devices = ["/dev/net/tun:/dev/net/tun"];
}; };
@ -41,18 +53,17 @@ in {
restart = "always"; restart = "always";
volumes = [ volumes = [
"/srv/docker/media-server/arrstack/qbittorrent:/config" "/srv/docker/media-server/arrstack/qbittorrent:/config"
"/media/media:/media" "/media/media/downloads:/downloads"
]; ];
environment = { environment = {
TZ="Europe/London"; TZ = "Europe/London";
WEBUI_PORT=8076; WEBUI_PORT = 8076;
TORRENTING_PORT=6887; TORRENTING_PORT = 6887;
PUID=1000; PUID = 1000;
PGID=1000; PGID = 1000;
}; };
network_mode = "service:gluetun"; network_mode = "service:gluetun";
}; };
}; };
}; };
}; };

View File

@ -1,8 +1,7 @@
{ {config, ...}: {
sops.secrets = { sops.secrets = {
"software/photoprism" = { "software/photoprism" = {
path = "/run/secrets/photoprism/config.yaml"; path = "/etc/photoprism/options.yml";
mode = "0600";
}; };
}; };
virtualisation.arion = { virtualisation.arion = {
@ -11,7 +10,7 @@
settings = { settings = {
services.photoprism.service = { services.photoprism.service = {
ports = [ ports = [
"8096:8096" "2342:2342"
]; ];
container_name = "photoprism"; container_name = "photoprism";
image = "photoprism/photoprism:latest"; image = "photoprism/photoprism:latest";
@ -21,10 +20,10 @@
"/media/photos/sam/originals:/photoprism/originals" "/media/photos/sam/originals:/photoprism/originals"
"/media/photos/sam/imports:/photoprism/import" "/media/photos/sam/imports:/photoprism/import"
"/srv/docker/photoprism/storage:/photoprism/storage" "/srv/docker/photoprism/storage:/photoprism/storage"
"/run/secrets/photoprism/config.yaml:/etc/photoprism/config.yaml" "${config.sops.secrets."software/photoprism".path}:/etc/photoprism/options.yml"
]; ];
environment = { environment = {
PHOTOPRISM_CONFIG_PATH = "/etc/photoprism/config.yaml"; PHOTOPRISM_CONFIG_PATH = "/etc/photoprism";
PHOTOPRISM_INIT = "intel"; PHOTOPRISM_INIT = "intel";
PHOTOPRISM_ORIGINALS_LIMIT = 5000; PHOTOPRISM_ORIGINALS_LIMIT = 5000;
PHOTOPRISM_HTTP_COMPRESSION = "gzip"; PHOTOPRISM_HTTP_COMPRESSION = "gzip";

View File

@ -0,0 +1,29 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.syncthing = {
settings = {
services.syncthing.service = {
ports = [
"8384:8384"
"22000:22000/tcp"
"22000:22000/udp"
"21027:21027/udp"
];
container_name = "syncthing";
image = "lscr.io/linuxserver/syncthing:latest";
restart = "always";
environment = {
PUID = "1000";
GUID = "1000";
};
volumes = [
"/srv/docker/syncthing/appdata/config:/config"
"/srv/docker/syncthing/data:/data"
];
};
};
};
};
}

View File

@ -3,29 +3,28 @@ let
remoteMachineIp = configVars.networking.addresses.remote-builder.ip; remoteMachineIp = configVars.networking.addresses.remote-builder.ip;
in in
{ {
nix.distributedBuilds = true; # nix.distributedBuilds = true;
nix.settings.builders-use-substitutes = true; # nix.settings.builders-use-substitutes = true;
nix.settings.max-jobs = 0; # nix.settings.max-jobs = 0;
nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"]; # nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
nix.settings.substituters = ["ssh://${remoteMachineIp}"]; # nix.settings.substituters = ["ssh://${remoteMachineIp}"];
#
# nix.buildMachines = [
# {
# hostName = "remotebuild@${remoteMachineIp}";
# speedFactor = 1;
# maxJobs = 10;
# sshKey = "/root/.ssh/remotebuild";
# system = pkgs.stdenv.hostPlatform.system;
# supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
# }
# ];
nix.buildMachines = [ programs.ssh.knownHosts = {
{ "merlin" = {
hostName = "remotebuild@${remoteMachineIp}"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSGyrQvwa7gj0tG/EX3siWzGT9badUkD0yw0YGkcNeQ root@merlin";
speedFactor = 1; };
maxJobs = 10; };
sshKey = "/root/.ssh/remotebuild";
system = pkgs.stdenv.hostPlatform.system;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
# TODO: set known host here when have static ip on main server
# programs.ssh.knownHosts = {
# "merlin" = {
# publicKey = "server pubkey";
# };
# };
programs.ssh.extraConfig = '' programs.ssh.extraConfig = ''
Host ${remoteMachineIp} Host ${remoteMachineIp}

View File

@ -1,27 +0,0 @@
{...}:
{
fileSystems."/exports" = {
device = "/dev/vdb1";
fsType = "ext4";
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/exports *(rw,insecure,all_squash)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}

View File

@ -0,0 +1,10 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/media" = {
device = "${fileserverIp}:/srv/export/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

View File

@ -0,0 +1,10 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/personal" = {
device = "${fileserverIp}:/srv/export/personal";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

View File

@ -0,0 +1,10 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/photos" = {
device = "${fileserverIp}:/srv/export/photos";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

View File

@ -0,0 +1,42 @@
{configVars, ...}:
let
homeshareDataLocation = configVars.locations.homeshareDataLocation;
subnetIp = configVars.networking.addresses.subnet.ip;
in {
fileSystems."/srv/export/photos" = {
device = "${homeshareDataLocation}/photos";
options = [ "bind" ];
};
fileSystems."/srv/export/personal" = {
device = "${homeshareDataLocation}/personal";
options = [ "bind" ];
};
fileSystems."/srv/export/media" = {
device = "${homeshareDataLocation}/media";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/srv/export/photos ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/media ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/personal ${subnetIp}/24(rw,sync,no_subtree_check)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}

View File

@ -1,9 +0,0 @@
{
fileSystems."/media/homeshare" = {
device = "10.0.10.30:/mnt/homeshare";
fsType = "nfs";
options = [ "noatime" "_netdev" ];
};
}

View File

@ -1,9 +0,0 @@
{configVars, ...}: let
mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
in {
fileSystems.${mediaDataMountPoint} = {
device = "10.0.10.30:/mnt/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

View File

@ -1,9 +0,0 @@
{configVars, ...}: let
photosDataMountPoint = configVars.locations.photosDataMountPoint;
in {
fileSystems.${photosDataMountPoint} = {
device = "10.0.10.30:/mnt/photos";
fsType = "nfs";
options = ["noatime" "_netdev" "ro"];
};
}

View File

@ -65,6 +65,16 @@ in {
pkgs.apacheHttpd pkgs.apacheHttpd
]; ];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -17,6 +17,14 @@ in {
]; ];
}; };
services.restic.backups = {
daily = {
paths = [
baseddataData
];
};
};
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
@ -287,6 +295,16 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -3,14 +3,15 @@
lib, lib,
inputs, inputs,
configVars, configVars,
config,
outputs,
... ...
}: let }: let
containerName = "docker"; containerName = "docker";
containerIp = configVars.networking.addresses.docker.ip; containerIp = configVars.networking.addresses.docker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
dockerContainerData = configVars.locations.dockerContainerData; dockerContainerData = configVars.locations.dockerContainerData;
mediaDataMountPoint = configVars.locations.mediaDataMountPoint; homeshareDataLocation = configVars.locations.homeshareDataLocation;
photosDataMountPoint = configVars.locations.photosDataMountPoint;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion; arion = inputs.arion;
sops-nix = inputs.sops-nix; sops-nix = inputs.sops-nix;
@ -24,8 +25,6 @@ in {
paths = [ paths = [
dockerContainerData dockerContainerData
]; ];
exclude = [
];
}; };
}; };
@ -46,6 +45,14 @@ in {
]; ];
extraFlags = ["--private-users-ownership=chown"]; extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [ allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{ {
node = "/dev/fuse"; node = "/dev/fuse";
modifier = "rwm"; modifier = "rwm";
@ -79,7 +86,11 @@ in {
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
bindMounts = { bindMounts = {
"/media/photos" = { "/media/photos" = {
hostPath = photosDataMountPoint; hostPath = "${homeshareDataLocation}/photos";
isReadOnly = false;
};
"/run/opengl-driver/lib" = {
hostPath = "/run/opengl-driver/lib";
isReadOnly = false; isReadOnly = false;
}; };
"/dev/dri" = { "/dev/dri" = {
@ -87,7 +98,7 @@ in {
isReadOnly = false; isReadOnly = false;
}; };
"/media/media" = { "/media/media" = {
hostPath = mediaDataMountPoint; hostPath = "${homeshareDataLocation}/media";
isReadOnly = false; isReadOnly = false;
}; };
"/srv/docker" = { "/srv/docker" = {
@ -108,7 +119,13 @@ in {
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in { in {
nixpkgs.overlays = [
outputs.overlays.unstable-packages
];
networking = { networking = {
enableIPv6 = false;
defaultGateway = "${gatewayIp}"; defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [ interfaces.eth0.ipv4.addresses = [
{ {
@ -124,6 +141,26 @@ in {
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
hardware.graphics = {
enable = true;
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.resolved.enable = true; services.resolved.enable = true;
sops = { sops = {
@ -141,6 +178,7 @@ in {
../arion-containers/arrstack.nix ../arion-containers/arrstack.nix
../arion-containers/jellyfin.nix ../arion-containers/jellyfin.nix
../arion-containers/photoprism.nix ../arion-containers/photoprism.nix
../arion-containers/syncthing.nix
]; ];
environment.systemPackages = [ environment.systemPackages = [
@ -150,10 +188,13 @@ in {
pkgs.dive pkgs.dive
pkgs.podman-tui pkgs.podman-tui
pkgs.podman-compose pkgs.podman-compose
pkgs.unstable.nvidia-container-toolkit
]; ];
virtualisation = { virtualisation = {
containers.cdi.dynamic.nvidia.enable = true;
podman = { podman = {
enableNvidia = true;
enable = true; enable = true;
dockerSocket.enable = true; dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
@ -175,6 +216,16 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -0,0 +1,195 @@
{
pkgs,
lib,
configVars,
...
}: let
containerName = "metrics-server";
containerIp = configVars.networking.addresses.metrics-server.ip;
dockerContainerIp = configVars.networking.addresses.docker.ip;
smWorkerIp = configVars.networking.addresses.sm-worker.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
postres = configVars.networking.addresses.postgres.ip;
backupServer = configVars.networking.addresses.backup-server.ip;
http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
gatewayIp = configVars.networking.addresses.gateway.ip;
metricsServerContainerData = configVars.locations.metricsServerContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
metricsServerContainerData
];
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
enableTun = true;
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/var/lib/" = {
hostPath = metricsServerContainerData;
isReadOnly = false;
};
};
config = {
pkgs,
lib,
config,
...
}: {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
config.services.prometheus.port
config.services.grafana.port
config.services.prometheus.exporters.blackbox.port
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
imports = [
];
environment.systemPackages = [
pkgs.vim
pkgs.git
];
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "node_exporter";
static_configs = [
{
targets = [
"${dockerContainerIp}:9100"
"${smWorkerIp}:9100"
"${merlinIp}:9100"
"${bdWorker}:9100"
"${pihole}:9100"
"${bitcoinNode}:9100"
"${postres}:9100"
"${backupServer}:9100"
];
}
];
}
{
job_name = "blackbox";
scrape_interval = "30s";
scrape_timeout = "15s";
metrics_path = "/probe";
params.module = ["http_basic"];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
}
];
static_configs = [
{targets = http_endpoints;}
];
}
];
};
services.grafana = {
enable = true;
settings.server = {
http_port = 2342;
http_addr = "0.0.0.0";
};
};
services.prometheus = {
exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-conf.yaml" ''
modules:
http_basic:
prober: http
timeout: 5s
http:
preferred_ip_protocol: ip4
valid_http_versions: ["HTTP/1.1", "HTTP/2"]
method: GET
fail_if_ssl: false
fail_if_not_ssl: true
tls_config:
insecure_skip_verify: true
tcp_connect:
prober: tcp
tcp:
preferred_ip_protocol: ip4
'';
};
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}

View File

@ -10,6 +10,7 @@
containerIp = configVars.networking.addresses.bitcoin-node.ip; containerIp = configVars.networking.addresses.bitcoin-node.ip;
mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port; mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData; bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
bitcoindData = configVars.locations.bitcoindData;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip; allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -21,7 +22,7 @@ in {
bitcoinNodeContainerData bitcoinNodeContainerData
]; ];
exclude = [ exclude = [
"${bitcoinNodeContainerData}/bitcoind" "${bitcoindData}"
"${bitcoinNodeContainerData}/electrs" "${bitcoinNodeContainerData}/electrs"
]; ];
}; };
@ -48,6 +49,10 @@ in {
hostPath = bitcoinNodeContainerData; hostPath = bitcoinNodeContainerData;
isReadOnly = false; isReadOnly = false;
}; };
"/var/lib/bitcoind" = {
hostPath = bitcoindData;
isReadOnly = false;
};
}; };
config = { config = {
@ -181,6 +186,16 @@ in {
lnd.public = true; lnd.public = true;
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -8,7 +8,7 @@
containerName = "pihole"; containerName = "pihole";
containerIp = configVars.networking.addresses.pihole.ip; containerIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
piholeContainerData = configVars.locations.dockerContainerData; piholeContainerData = configVars.locations.piholeContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion; arion = inputs.arion;
in { in {
@ -16,16 +16,6 @@ in {
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
piholeContainerData
];
exclude = [
];
};
};
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
@ -78,7 +68,7 @@ in {
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
services.resolved.enable = true; services.resolved.enable = false;
imports = [ imports = [
arion.nixosModules.arion arion.nixosModules.arion
@ -89,6 +79,8 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.arion pkgs.arion
pkgs.lsof
pkgs.podman-compose
]; ];
virtualisation = { virtualisation = {
@ -102,6 +94,16 @@ in {
networking.firewall.interfaces."podman+".allowedUDPPorts = [53]; networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -123,6 +123,16 @@ in {
# EOF # EOF
# ''; # '';
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -24,6 +24,14 @@ in {
]; ];
}; };
services.restic.backups = {
daily = {
paths = [
semitamapsData
];
};
};
containers."${containerName}" = { containers."${containerName}" = {
enableTun = true; enableTun = true;
@ -100,6 +108,7 @@ in {
pkgs.vim pkgs.vim
pkgs.git pkgs.git
pkgs.arion pkgs.arion
pkgs.podman-compose
pkgs.jdk pkgs.jdk
]; ];
@ -128,6 +137,16 @@ in {
}; };
}; };
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;

View File

@ -4,13 +4,10 @@
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/etc/nixos" "/etc/nixos"
"/srv"
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"

View File

@ -0,0 +1,46 @@
{pkgs, ...}: {
networking.firewall = {
allowedTCPPorts = [631];
allowedUDPPorts = [631];
};
services = {
printing = {
enable = true;
drivers = [pkgs.hplip];
browsing = true;
defaultShared = true;
listenAddresses = ["*:631"];
allowFrom = ["all"];
extraConf = ''
DefaultPaperSize A4
'';
};
avahi = {
enable = true;
nssmdns = true;
openFirewall = true;
publish = {
enable = true;
userServices = true;
};
};
};
hardware.printers = {
ensurePrinters = [
{
name = "HP_Envy_6000";
location = "Home";
deviceUri = "usb://HP/ENVY%206000%20series?serial=TH0B93F08W&interface=1";
# deviceUri = "usb://Dell/1250c%20Color%20Printer?serial=YNP023240";
model = "HP/hp-deskjet_plus_6000_series.ppd.gz";
ppdOptions = {
PageSize = "A4";
};
}
];
ensureDefaultPrinter = "HP_Envy_6000";
};
}

View File

@ -29,7 +29,7 @@ in {
{ {
name = "HP_ENVY_6000"; name = "HP_ENVY_6000";
description = "Network printer hosted on bob"; description = "Network printer hosted on bob";
location = "bob"; location = "home";
deviceUri = "ipp://bob/printers/HP_ENVY_6000_series"; deviceUri = "ipp://bob/printers/HP_ENVY_6000_series";
model = "everywhere"; model = "everywhere";
ppdOptions = { ppdOptions = {

View File

@ -14,6 +14,11 @@ in {
sops.secrets = {}; sops.secrets = {};
services.restic.backups = { services.restic.backups = {
daily = { daily = {
timerConfig = {
OnCalendar = "*-*-* 20:00:00";
Persistent = true;
RandomizedDelaySec = "4h";
};
initialize = true; initialize = true;
passwordFile = passwordFile; passwordFile = passwordFile;
paths = [ paths = [

View File

@ -1,31 +1,31 @@
{ pkgs, inputs, config, lib, ... }: {
let pkgs,
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups; inputs,
config,
lib,
...
}: let
username = "admin"; username = "admin";
pubKeys = lib.filesystem.listFilesRecursive (../keys); pubKeys = lib.filesystem.listFilesRecursive ../keys;
hostname = config.networking.hostName; hostname = config.networking.hostName;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path; sopsHashedPasswordFile = config.sops.secrets."passwords/${username}".path;
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
in {
in
{
users.users.${username} = { users.users.${username} = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.zsh; # default shell shell = pkgs.zsh;
hashedPasswordFile = sopsHashedPasswordFile; hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ extraGroups = [
"wheel" "wheel"
] ++ ifTheyExist [
"docker"
"lxc"
"git"
"podman"
]; ];
};
packages = with pkgs; [ environment.persistence."/persist" = {
directories = [
"/home/${username}"
]; ];
}; };
@ -44,13 +44,16 @@ in
mode = "0644"; mode = "0644";
owner = "${username}"; owner = "${username}";
}; };
"github-access-token" = {
mode = "0655";
};
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
home-manager = { home-manager = {
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = {inherit inputs;};
users = { users = {
${username} = import ../../../../home/${hostname}.nix; ${username} = import ../../../../home/${hostname}.nix;
}; };

View File

@ -21,7 +21,6 @@ in {
extraGroups = [ extraGroups = [
"scanner" "scanner"
"lp" "lp"
"wheel"
]; ];
packages = with pkgs; [ packages = with pkgs; [
@ -31,22 +30,9 @@ in {
}; };
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; directories = [
users.${username} = { "/home/${username}"
directories = [ ];
"Sync"
"Keep"
".ssh"
".config"
".mozilla"
".local"
".zotero"
".var"
".steam"
];
files = [
];
};
}; };
sops.secrets = { sops.secrets = {

View File

@ -133,6 +133,7 @@ in {
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = [ directories = [
"/home/${username}" "/home/${username}"
"/var/lib/tailscale"
]; ];
}; };

View File

@ -1,32 +1,71 @@
{ inputs, ... }:
let
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005";
encrypted = false; # currrently only applies to btrfs
impermanence = false;
user = "admin";
in
{ {
imports = inputs,
[ configVars,
# Create users for this host lib,
../common/users/${user} config,
outputs,
...
}: let
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f";
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2";
impermanence = true;
# Root disk configuration homeshareDataLocation = configVars.locations.homeshareDataLocation;
inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
# Import core options piholeIp = configVars.networking.addresses.pihole.ip;
./hardware-configuration.nix gatewayIp = configVars.networking.addresses.gateway.ip;
../common/core merlinIp = configVars.networking.addresses.merlin.ip;
in {
imports = [
# Create users for this host
../common/users/admin
# Import optional options # Disk configuration
../common/optional/openssh.nix inputs.disko.nixosModules.disko
../common/optional/docker (import ../common/disks {
../common/optional/docker/postgres.nix device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
]; # Impermanence
../common/optional/persistence.nix
(import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
../common/optional/openssh.nix
../common/optional/restic-backup.nix
../common/optional/docker.nix
../common/optional/nix-ld.nix
../common/optional/fileserver/nfs-server/homeshare.nix
../common/optional/print-server.nix
# Nixos containers
../common/optional/nixos-containers/docker.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/metrics-server.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
outputs.nixosModules.nixosAutoUpgrade
];
boot = { boot = {
loader = { loader = {
@ -36,17 +75,102 @@ in
}; };
}; };
networking = { fileSystems."/mnt/main-ssd" = {
hostName = "merlin"; device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
networkmanager.enable = true; fsType = "ext4";
enableIPv6 = false;
}; };
boot.supportedFilesystems = [ "zfs" ]; fileSystems."/mnt/btcnode" = {
device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
fsType = "btrfs";
};
networking = {
hostName = "merlin";
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
defaultGateway = "${gatewayIp}";
useDHCP = false;
enableIPv6 = false;
bridges = {
br0 = {
interfaces = ["eth0"];
};
};
interfaces.br0 = {
ipv4.addresses = [
{
"address" = "${merlinIp}";
"prefixLength" = 24;
}
];
};
};
environment.persistence."/persist" = {
directories = [
"/etc/zpool"
"/var/lib/tailscale"
];
};
services.restic.backups = {
daily = {
paths = [
homeshareDataLocation
];
};
};
# Enable OpenGL
hardware.graphics = {
enable = true;
};
# enable tailscale
services.tailscale.useRoutingFeatures = "server";
services.tailscale.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
# Load nvidia driver
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = false;
reboot = true;
pushUpdates = true;
configDir = "/etc/nixos";
onCalendar = "*-*-* 03:00:00";
user = "admin";
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
boot.supportedFilesystems = ["zfs"];
boot.zfs.forceImportRoot = false; boot.zfs.forceImportRoot = false;
networking.hostId = "18aec5d7"; networking.hostId = "18aec5d7";
boot.zfs.extraPools = [ "zspeed" ]; boot.zfs.extraPools = ["deepzfs" "nvme-zpool"];
services.libinput.enable = true; services.libinput.enable = true;
} }

View File

@ -4,9 +4,6 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];

View File

@ -18,6 +18,7 @@
impermanence = true; impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
semitaIp = configVars.networking.addresses.semita.ip; semitaIp = configVars.networking.addresses.semita.ip;
in { in {
imports = [ imports = [
@ -54,30 +55,16 @@ in {
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/restic-backup.nix ../common/optional/restic-backup.nix
# nfs mounts ../common/optional/fileserver/nfs-client/media.nix
../common/optional/nfs-mounts/media.nix ../common/optional/fileserver/nfs-client/photos.nix
../common/optional/nfs-mounts/homeshare.nix ../common/optional/fileserver/nfs-client/personal.nix
../common/optional/nfs-mounts/photos.nix
# nixos-containers ../common/optional/distributed-builds/local-machine.nix
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/docker.nix
# ../common/optional/nixos-containers/pihole.nix
# # Build nix derivations on remote machine
# ../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade outputs.nixosModules.nixosAutoUpgrade
]; ];
fileSystems."/mnt/main-ssd" = { services.tailscale.useRoutingFeatures = "server";
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
boot = { boot = {
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
@ -94,7 +81,7 @@ in {
dpi = 144; dpi = 144;
upscaleDefaultCursor = true; upscaleDefaultCursor = true;
}; };
# enable oom killer when system ram drops below 5% free # enable oom killer when system ram drops below 5% free
earlyoom = { earlyoom = {
enable = true; enable = true;
freeMemThreshold = 5; # <%5 free freeMemThreshold = 5; # <%5 free
@ -104,10 +91,11 @@ in {
system.services.nixosAutoUpgrade = { system.services.nixosAutoUpgrade = {
enable = true; enable = true;
persistent = true; persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false; reboot = false;
pushUpdates = true; pushUpdates = false;
configDir = "/etc/nixos"; configDir = "/etc/nixos";
onCalendar = "daily"; onCalendar = "*-*-* 06:00:00";
user = "sam"; user = "sam";
}; };

View File

@ -1,34 +1,19 @@
{ {
inputs,
config,
lib, lib,
configVars, configVars,
outputs,
pkgs,
... ...
}: let }: let
# Disko setup btrfsMountDevice = "/dev/root_vg/root";
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence merlinIp = configVars.networking.addresses.merlin.ip;
dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip; piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip; gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
imports = [ imports = [
# Create users for this host # Create users for this host
../common/users/media ../common/users/media
./hardware-configuration.nix
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks {
device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Impermanence # Impermanence
(import ../common/disks/btrfs/impermanence.nix { (import ../common/disks/btrfs/impermanence.nix {
@ -43,20 +28,12 @@ in {
# Import optional options # Import optional options
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/persistence.nix ../common/optional/persistence.nix
../common/optional/nfs-mounts/media.nix ../common/optional/fileserver/nfs-client/media.nix
../common/optional/gaming.nix # ../common/optional/printing.nix
../common/optional/printing.nix ../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade
]; ];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
boot.kernelParams = ["i915.enable_psr=0"];
networking = { networking = {
hostName = "sparky"; hostName = "sparky";
networkmanager.enable = true; networkmanager.enable = true;
@ -64,20 +41,23 @@ in {
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"]; nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
}; };
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
# Add additional package names here
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.displayManager.defaultSession = "cinnamon"; services.displayManager.defaultSession = "cinnamon";
services.libinput.enable = true; services.libinput.enable = true;
system.services.nixosAutoUpgrade = {
enable = true;
persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false;
pushUpdates = false;
configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00";
user = "root";
};
services.xserver = { services.xserver = {
enable = true; enable = true;
videoDrivers = ["nvidia"]; videoDrivers = ["modesetting"];
displayManager.lightdm.enable = true; displayManager.lightdm.enable = true;
exportConfiguration = true; exportConfiguration = true;
deviceSection = '' deviceSection = ''
@ -87,20 +67,4 @@ in {
}; };
}; };
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
# Load nvidia driver
hardware.nvidia = {
# https://nixos.wiki/wiki/Nvidia
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
} }

View File

@ -1,24 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config { config, lib, pkgs, ... }:
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking fileSystems."/" =
# (the default) this is the recommended approach. When using systemd-networkd it's { device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
# still possible to use this option, but it's recommended to use it in conjunction fsType = "btrfs";
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. options = [ "subvol=root" ];
networking.useDHCP = lib.mkDefault true; };
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3DC4-7CCE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [
{
device = "/.swapvol/swapfile";
size = 2 * 1024;
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Add hardware support for intel gpus as specified here: https://nixos.wiki/wiki/Jellyfin
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
# only available on unstable
unstable.vpl-gpu-rt
intel-media-sdk
];
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
boot.kernelParams = ["i915.enable_psr=0"];
} }

View File

@ -25,6 +25,11 @@ in
description = "Automatically reboots the system if there is a kernel or systemd update."; description = "Automatically reboots the system if there is a kernel or systemd update.";
default = false; default = false;
}; };
remote = lib.mkOption {
type = lib.types.str;
description = "Attempts build on remote host <user@host>.";
default = "";
};
onCalendar = lib.mkOption { onCalendar = lib.mkOption {
default = "daily"; default = "daily";
type = lib.types.str; type = lib.types.str;
@ -72,11 +77,12 @@ in
unitConfig.RequiresMountsFor = cfg.configDir; unitConfig.RequiresMountsFor = cfg.configDir;
script = lib.strings.concatStrings [ script = lib.strings.concatStrings [
"${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} " "${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} "
(lib.mkIf (cfg.configDir != "") "--flake ${cfg.configDir} ").content (if cfg.configDir != "" then "--flake ${cfg.configDir} " else "")
(lib.mkIf (cfg.user != "") "--user ${cfg.user} ").content (if cfg.user != "" then "--user ${cfg.user} " else "")
(lib.mkIf (cfg.pushUpdates) "--update ").content (if cfg.pushUpdates then "--update " else "")
(lib.mkIf (cfg.reboot) "--reboot ").content (if cfg.reboot then "--reboot " else "")
(lib.mkIf (cfg.extraFlags != "") cfg.extraFlags).content (if cfg.remote != "" then "--build-host ${cfg.remote} " else "")
cfg.extraFlags
]; ];
}; };
timers."nixos-upgrade" = { timers."nixos-upgrade" = {

View File

@ -40,41 +40,48 @@ trap cleanup EXIT
# Create the directory for target host keys # Create the directory for target host keys
install -d -m755 "$temp$persist/etc/ssh" install -d -m755 "$temp$persist/etc/ssh"
# Create ssh keys # Extract ssh keys from secrets
echo "Creating '$hostname' ssh keys" echo "Extracting ssh keys"
ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key
ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
# Extract luks key from secrets # # Extract luks key from secrets
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") # luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key # echo "$luks_secret" > /tmp/luks_secret.key
# Generate age key from target host and user public ssh key # # Create ssh keys
echo "Generating age key from target host and user ssh key" # echo "Creating '$hostname' ssh keys"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") # ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # # Generate age key from target host and user public ssh key
SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" # echo "Generating age key from target host and user ssh key"
sed -i "{ # HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
# Remove any * and & entries for this host # echo -e "Host age key:\n$HOST_AGE_KEY\n"
/[*&]$hostname/ d;
# Inject a new age: entry
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
/age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# Inject a new hosts: entry
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
}" "$SOPS_FILE"
# Commit and push changes to sops file # # Update .sops.yaml with new age key:
just update-sops-secrets && just update-flake-secrets && just update-flake # SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
# sed -i "{
# # Remove any * and & entries for this host
# /[*&]$hostname/ d;
# # Inject a new age: entry
# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# # Inject a new hosts: entry
# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
# }" "$SOPS_FILE"
# # Commit and push changes to sops file
# just update-sops-secrets && just update-flake-secrets && just update-flake
# Copy current nix config over to target # Copy current nix config over to target
echo "copying current nix config to host" echo "copying current nix config to host"
cp -pr . "$temp$persist/etc/nixos" cp -pr . "$temp$persist/etc/nixos"
# Install Nixos to target # Install Nixos to target
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.6.0 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 echo $?
## Delete keys from local known_hosts ## Delete keys from local known_hosts
echo "Deleting host from known_hosts" echo "Deleting host from known_hosts"

View File

@ -3,18 +3,22 @@
inherit (inputs.nix-secrets) inherit (inputs.nix-secrets)
networking networking
email email
metrics-server
; ;
locations = { locations = {
mediaDataMountPoint = "/media/media"; mediaDataMountPoint = "/media/media";
photosDataMountPoint = "/media/photos"; photosDataMountPoint = "/media/photos";
personalDataMountPoint = "/media/personal";
homeshareDataLocation = "/mnt/main-ssd/homeshare";
metricsServerContainerData = "/mnt/main-ssd/metrics-server";
dockerContainerData = "/mnt/main-ssd/docker"; dockerContainerData = "/mnt/main-ssd/docker";
piholeContainerData = "/mnt/main-ssd/docker/pihole"; piholeContainerData = "/mnt/main-ssd/docker/pihole";
bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
backupContainerData = "/mnt/main-ssd/backup";
postgresContainerData = "/mnt/main-ssd/postgresql";
semitamapsData = "/mnt/main-ssd/semitamaps-data";
baseddataData = "/mnt/main-ssd/baseddata-data"; baseddataData = "/mnt/main-ssd/baseddata-data";
bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
bitcoindData = "/mnt/btcnode/bitcoind";
backupContainerData = "/mnt/deepzfs/backup";
postgresContainerData = "/mnt/nvme-zpool/postgresql";
semitamapsData = "/mnt/nvme-zpool/semitamaps-data";
}; };
} }