From 07b7f0cc1f080c7697b112d52b8cacc84226e439 Mon Sep 17 00:00:00 2001 
From: fred Date: Tue, 12 Aug 2025 11:53:58 -0700 Subject: [PATCH] update nix config --- dotfiles/bash_files/all_hosts/bashrc | 4 +- dotfiles/bash_files/all_hosts/git | 7 +++ dotfiles/bash_files/all_hosts/global | 23 ++++++++ dotfiles/bash_files/desk/methods | 4 +- dotfiles/bash_files/desk/shortcuts | 4 +- dotfiles/gtk-3.0/bookmarks | 8 +-- dotfiles/i3/config | 35 ++---------- dotfiles/nvim/lua/community.lua | 9 ++- flake.lock | 51 +++++++++++------ flake.nix | 83 ++++++++-------------------- hosts/desk/boot.nix | 18 +++--- hosts/desk/default.nix | 23 ++++---- hosts/desk/desk_apps.nix | 23 ++++++++ hosts/desk/hardware.nix | 4 +- hosts/desk/kvm.nix | 6 +- hosts/htpc/default.nix | 1 - hosts/lap/boot.nix | 12 ++++ hosts/lap/default.nix | 75 +++++++++++++++++++++++++ hosts/lap/hardware.nix | 45 +++++++++++++++ hosts/vm_ollama/ollama.nix | 2 +- hosts/vps/boot.nix | 6 ++ hosts/{vps_fz => vps}/default.nix | 15 +++-- hosts/{vps_fz => vps}/hardware.nix | 17 ++++-- hosts/vps_fz/boot.nix | 18 ------ hosts/vps_fz/server_config.nix | 40 -------------- modules/apps/00_tui_base.nix | 8 ++- modules/apps/55_firefox.nix | 8 ++- modules/apps/99_i3_config.nix | 6 +- modules/common/default.nix | 26 ++++----- modules/dev/docker.nix | 31 ++++++++++- modules/dev/utils.nix | 12 ++++ modules/misc/polkit.nix | 1 + modules/networking/ssh.nix | 2 +- modules/user/default.nix | 1 + 34 files changed, 388 insertions(+), 240 deletions(-) create mode 100644 dotfiles/bash_files/all_hosts/git create mode 100644 dotfiles/bash_files/all_hosts/global delete mode 100644 hosts/htpc/default.nix create mode 100644 hosts/lap/boot.nix create mode 100644 hosts/lap/default.nix create mode 100644 hosts/lap/hardware.nix create mode 100644 hosts/vps/boot.nix rename hosts/{vps_fz => vps}/default.nix (73%) rename hosts/{vps_fz => vps}/hardware.nix (72%) delete mode 100644 hosts/vps_fz/boot.nix delete mode 100644 hosts/vps_fz/server_config.nix create mode 100644 modules/dev/utils.nix 
diff --git a/dotfiles/bash_files/all_hosts/bashrc b/dotfiles/bash_files/all_hosts/bashrc index c8c36ca..9ab30e8 100644 --- a/dotfiles/bash_files/all_hosts/bashrc +++ b/dotfiles/bash_files/all_hosts/bashrc @@ -1,7 +1,7 @@ # If not running interactively, don't do anything [[ $- != *i* ]] && return -#dont put duplicate lines or lines starting with space in the history +# dont put duplicate lines or lines starting with space in the history # See bash(1) for more options HISTCONTROL=ignoreboth HISTFILESIZE=-1 @@ -12,6 +12,8 @@ if [ -f ~/.bash_local ]; then . ~/.bash_local fi +# show tldr on terminal start +# tldr --quiet $(tldr --quiet --list | shuf -n1) PS1="\[\e[32m\][\[\e[m\]\[\e[32m\]\u\[\e[m\]\[\e[32m\]@\[\e[m\]\[\e[32m\]\h\[\e[m\]\[\e[32m\]]\[\e[m\]\[\e[34m\]\W\[\e[m\]\[\e[36m\]\\$\[\e[m\] " if [ ! -z "$SSH_CLIENT" ] diff --git a/dotfiles/bash_files/all_hosts/git b/dotfiles/bash_files/all_hosts/git new file mode 100644 index 0000000..2ffae46 --- /dev/null +++ b/dotfiles/bash_files/all_hosts/git @@ -0,0 +1,7 @@ +alias g='git' +alias ga='git add' +alias gc='git commit' +alias gs='git status' +alias gd='git diff' +alias lg='lazygit' +alias gtop="cd \$(git rev-parse --show-toplevel)" # go to top level of git repo diff --git a/dotfiles/bash_files/all_hosts/global b/dotfiles/bash_files/all_hosts/global new file mode 100644 index 0000000..ee9dd06 --- /dev/null +++ b/dotfiles/bash_files/all_hosts/global 
@@ -0,0 +1,23 @@ +alias cp="cp -i" # confirm before overwriting something +alias df='df -h' # human-readable sizes +alias free='free -m' # show sizes in MB +alias du='du -h' +alias diff='diff --color=auto' +alias grep='grep --color=auto' +alias ip='ip -color=auto' +alias ls='ls --color=auto' +alias vm='mv' +alias cat='bat -pp' +alias man='batman' +alias ll="ls -lhA" +alias sl='ls' +alias -- -='cd -' + +alias caddy_reload="docker exec -it caddy sh -c 'cd /etc/caddy && caddy reload'" + +mkcd() { mkdir -p "$@" && cd "$@"; } +rnd() { echo $((RANDOM%10000+1000)); } + +### NIX ### +alias rebuild="sudo nixos-rebuild switch --flake ~/nixos#$NIXHOST" +alias search="nix search nixpkgs" diff --git a/dotfiles/bash_files/desk/methods b/dotfiles/bash_files/desk/methods index 705d939..498c636 100644 --- a/dotfiles/bash_files/desk/methods +++ b/dotfiles/bash_files/desk/methods @@ -4,9 +4,7 @@ mp(){ } cs(){ - # cp -l fullpath fullpath/Documents/cheatsheet - # path=~/Documents/cheatsheet - path=/solid/dir/reference/cheatsheet/ + path=~/Documents/cheatsheet if [[ -z "$1" ]]; then ls $path else diff --git a/dotfiles/bash_files/desk/shortcuts b/dotfiles/bash_files/desk/shortcuts index 114cf0d..58a7050 100644 --- a/dotfiles/bash_files/desk/shortcuts +++ b/dotfiles/bash_files/desk/shortcuts @@ -1,7 +1,5 @@ alias ctllist="systemctl --type=service" alias esc='setxkbmap -option "caps:swapescape"' -alias checkip="curl ipinfo.io" alias hold='hold=$(pwd)' -alias ollama_up="./scripts/VM/VMmanager.sh macvtap; sudo virsh start ollama_vm" - +alias ollama_up='sh ~/scripts/VM/VMmanager.sh macvtap; sudo virsh start ollama_vm; ssh remote "/bin/bash /scripts/remote_commands.sh init_ollama"' diff --git a/dotfiles/gtk-3.0/bookmarks b/dotfiles/gtk-3.0/bookmarks index b0435a0..db41410 100644 --- a/dotfiles/gtk-3.0/bookmarks +++ b/dotfiles/gtk-3.0/bookmarks 
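Review bot: `mkcd() { mkdir -p "$@" && cd "$@"; }` forwards every argument to `cd`, which accepts a single directory, so `mkcd a b` creates both directories and then fails to change into either; `mkcd() { mkdir -p "$1" && cd "$1"; }` matches the intent. The `rebuild` alias is double-quoted, so `$NIXHOST` is expanded once when this file is sourced rather than each time the alias runs; with single quotes, `alias rebuild='sudo nixos-rebuild switch --flake ~/nixos#$NIXHOST'`, a later `export NIXHOST=...` is honoured. Nothing on the page sets `NIXHOST`, so if it is unset at source time the alias currently ends in `--flake ~/nixos#` — presumably it comes from `~/.bash_local` or the system shell init, which a short comment next to the alias could say.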
@@ -1,10 +1,6 @@ file:///home/fred/Downloads file:///home/fred/Documents file:///home/fred/scripts -file:///nfs -file:///solid/dir/reference/cheatsheet -file:///solid -file:///solid/dir/reference/scratch -file:///docker/compose docker -file:///solid/job +file:///nfs/media/music file:///home/fred/nixos +file:///ssd diff --git a/dotfiles/i3/config b/dotfiles/i3/config index 393aab1..46c73a1 100644 --- a/dotfiles/i3/config +++ b/dotfiles/i3/config @@ -4,7 +4,7 @@ exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork # applets exec --no-startup-id nm-applet -exec volumeicon +exec --no-startup-id volumeicon # Use pactl to adjust volume in PulseAudio. set $refresh_i3status killall -SIGUSR1 i3status bindsym XF86AudioRaiseVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ +10% && $refresh_i3status @@ -126,16 +126,14 @@ bindsym Mod4+Button7 resize grow width 10 px or 10 ppt # finds out, if available) bar { status_command i3blocks - tray_output HDMI-A-0 + tray_output HDMI-1 } ####session management bindsym Mod4+grave exec screens 4 bindsym Control+Shift+q kill -#bindsym Control+Shift+c reload bindsym Control+Shift+r restart -#bindsym Control+Mod1+p exec i3-msg exit bindsym Control+Mod1+p exec xfce4-session-logout --logout bindsym Control+Mod1+bracketright exec i3lock -c 000000 bindsym Control+Mod1+Delete exec i3-sensible-terminal -e 'sh $scripts/setup.sh off' 
@@ -163,20 +161,6 @@ bindsym Mod4+b exec mousepad bindsym --release Mod4+u exec sh $scripts/shortcuts.sh searchbar -####Function keys -#bindsym F1 exec playerctl play-pause -#bindsym F2 exec playerctl stop -#bindsym F3 exec playerctl previous -#bindsym F4 exec playerctl next -#bindsym F5 exec --no-startup-id pactl set-sink-mute 0 toggle -#bindsym F6 exec --no-startup-id pactl set-sink-volume 0 -5% -#bindsym F7 exec --no-startup-id pactl set-sink-volume 0 +5% -#bindsym --release F8 exec xdotool key Shift+Alt+b -#bindsym --release F8 exec xdotool key s -#bindsym --release F3 exec xdotool key p -#bindsym --release F4 exec xdotool key n -#bindsym --release F1 exec xdotool key space - #########XP-pen #bindsym Mod1+Up exec sh $scripts/remote/xp.sh q_up #bindsym Mod1+Down exec sh $scripts/remote/xp.sh q_down @@ -194,24 +178,17 @@ bindsym --release Mod1+0 exec sh $scripts/remote/xp.sh k10 ####startup exec --no-startup-id sh $scripts/init.sh -#workspace 1 output HDMI-2 -#workspace 2 output DP-5 -#workspace 3 output DP-6 - -workspace 1 output HDMI-A-0 -workspace 2 output DisplayPort-1 -workspace 3 output DisplayPort-2 +workspace 1 output HDMI-1 +workspace 2 output DP-2 +workspace 3 output DP-3 exec_always --no-startup-id feh --bg-scale /home/fred/Pictures/wallpaper/800252.png +exec i3-sensible-terminal -e 'vpn' exec --no-startup-id /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 & exec --no-startup-id xset dpms 0 0 600 & exec --no-startup-id xss-lock -- i3lock -c 000000 & -#exec --no-startup-id numlockx o -exec_always --no-startup-id exec sh $scripts/setup.sh sync exec --no-startup-id xbindkeys exec --no-startup-id i3-msg 'workspace 3; exec firefox' exec --no-startup-id solaar --window=hide exec --no-startup-id input-remapper-control --command autoload -#exec --no-startup-id /usr/lib/pentablet/PenTablet -#for_window [class="PenTablet"] move scratchpad diff --git a/dotfiles/nvim/lua/community.lua b/dotfiles/nvim/lua/community.lua index c842899..843ffe3 100644 
--- a/dotfiles/nvim/lua/community.lua +++ b/dotfiles/nvim/lua/community.lua @@ -1,4 +1,4 @@ -if true then return {} end -- WARN: REMOVE THIS LINE TO ACTIVATE THIS FILE +-- if true then return {} end -- WARN: REMOVE THIS LINE TO ACTIVATE THIS FILE -- AstroCommunity: import any community modules here -- We import this file in `lazy_setup.lua` before the `plugins/` folder. @@ -8,5 +8,12 @@ if true then return {} end -- WARN: REMOVE THIS LINE TO ACTIVATE THIS FILE return { "AstroNvim/astrocommunity", { import = "astrocommunity.pack.lua" }, + { import = "astrocommunity.pack.html-css" }, + { import = "astrocommunity.pack.typescript" }, + { import = "astrocommunity.comment.ts-comments-nvim" }, + { import = "astrocommunity.pack.yaml" }, + { import = "astrocommunity.pack.tailwindcss" }, + -- { import = "astrocommunity.pack.nix" }, + -- { import = "astrocommunity.pack.ruby" }, -- import/override with your plugins folder } diff --git a/flake.lock b/flake.lock index 0236e25..5412ca8 100644 --- a/flake.lock +++ b/flake.lock @@ -3,16 +3,16 @@ "firefox-addons": { "inputs": { "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ] }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1747973023, - "narHash": "sha256-v2OgykASspKAyL+hYKlfa9PM4cwlFZ7/WQ1uvd256ko=", + "lastModified": 1753761817, + "narHash": "sha256-FE908x/ihUlr5yn1f+PTMyOjcwotGUodzn7Ej6zZf5U=", "owner": "rycee", "repo": "nur-expressions", - "rev": "c7ee05a5dc9b52ba7a6a660537fabaf711b7790a", + "rev": "b657cfddb78408e9b53b4a8aaeaac71fc7ea182e", "type": "gitlab" }, "original": { 
@@ -25,15 +25,15 @@
 "home-manager": {
 "inputs": {
 "nixpkgs": [
- "nixpkgs"
+ "nixpkgs-unstable"
 ]
 },
 "locked": {
- "lastModified": 1747978958,
- "narHash": "sha256-pQQnbxWpY3IiZqgelXHIe/OAE/Yv4NSQq7fch7M6nXQ=",
+ "lastModified": 1754060289,
+ "narHash": "sha256-rWc9WUHtDCnHhnKEbiyLwBmvsXxHgBf56jvmmHPMUCk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "7419250703fd5eb50e99bdfb07a86671939103ea",
+ "rev": "19f94a3e0e6c8573ea58dac685e96c36e2526cfa",
 "type": "github"
 },
 "original": {
@@ -42,13 +42,29 @@
 "type": "github"
 }
 },
- "nixpkgs": {
+ "nixpkgs-stable": {
 "locked": {
- "lastModified": 1747744144,
- "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
+ "lastModified": 1753749649,
+ "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
+ "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1753939845,
+ "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "94def634a20494ee057c76998843c015909d6311",
 "type": "github"
 },
 "original": {
@@ -62,22 +78,23 @@
 "inputs": {
 "firefox-addons": "firefox-addons",
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs",
+ "nixpkgs-stable": "nixpkgs-stable",
+ "nixpkgs-unstable": "nixpkgs-unstable",
 "sops-nix": "sops-nix"
 }
 },
 "sops-nix": {
 "inputs": {
 "nixpkgs": [
- "nixpkgs"
+ "nixpkgs-unstable"
 ]
 },
 "locked": {
- "lastModified": 1749592509,
- "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=",
+ "lastModified": 1752544651,
+ "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "50754dfaa0e24e313c626900d44ef431f3210138",
+ "rev": "2c8def626f54708a9c38a5861866660395bb3461",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 54d8504..03cb0fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,72 +1,37 @@ { description = "Nixos config flake"; - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05"; + home-manager.url = "github:nix-community/home-manager"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; + home-manager.inputs.nixpkgs.follows = "nixpkgs-unstable"; sops-nix.url = "github:Mic92/sops-nix"; - sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable"; firefox-addons.url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; - firefox-addons.inputs.nixpkgs.follows = "nixpkgs"; + firefox-addons.inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + outputs = { nixpkgs-stable, nixpkgs-unstable, ... }@inputs: + let + mkSystem = { host_name, system ? "x86_64-linux", pkgs ? nixpkgs-unstable }: + pkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ ./hosts/${host_name} ]; + }; - outputs = { self, nixpkgs, firefox-addons, home-manager, sops-nix, ... 
}@inputs: { - nixosConfigurations = { - desk = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - firefox-addons = firefox-addons.packages.x86_64-linux; - }; - modules = [ - ./hosts/desk - ]; - }; - vm_ollama = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - ./hosts/vm_ollama - ]; - }; - vps_fz = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - }; - modules = [ - ./hosts/vps_fz - ]; - }; - # wip - lap = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - firefox-addons = firefox-addons.packages.x86_64-linux; - }; - modules = [ - ./hosts/laptop - ]; - }; - # wip - htpc = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { - inherit inputs; - firefox-addons = firefox-addons.packages.x86_64-linux; - }; - modules = [ - ./hosts/htpc - ]; - }; + hosts = { + desk = {}; + lap = {}; + vm_ollama = {}; + vps_west = { pkgs = nixpkgs-stable; }; + vps_east = { pkgs = nixpkgs-stable; }; }; + in { + nixosConfigurations = builtins.mapAttrs (host_name: config: + mkSystem (config // { inherit host_name; }) + ) hosts; }; } - diff --git a/hosts/desk/boot.nix b/hosts/desk/boot.nix index 995e793..f6c37f0 100644 --- a/hosts/desk/boot.nix +++ b/hosts/desk/boot.nix 
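Review bot: `hosts` declares `vps_west` and `vps_east`, but `mkSystem` builds `modules = [ ./hosts/${host_name} ]` and this commit only provides `hosts/vps` (renamed from `hosts/vps_fz`), so evaluating `nixosConfigurations.vps_west` or `vps_east` fails on a missing path unless those directories exist outside the patch. If both are meant to share `hosts/vps`, give the host set a directory override: `mkSystem = { host_name, dir ? host_name, system ? "x86_64-linux", pkgs ? nixpkgs-unstable }:` with `modules = [ ./hosts/${dir} ];` and `vps_west = { pkgs = nixpkgs-stable; dir = "vps"; };`. Note that `hosts/vps/default.nix` hard-codes `host = "vps"` and `modules/user/default.nix` now derives `networking.hostName` from `config.host`, so the two machines would boot with the same hostname — confirm that is intended. The parameter named `pkgs` is a nixpkgs flake rather than a package set; `nixpkgs` would read more accurately.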
@@ -1,12 +1,10 @@ { - boot.initrd.luks.devices = { - "luks-c14a978c-5752-4d1b-beb9-57fb710cd409" = { - device = "/dev/disk/by-uuid/c14a978c-5752-4d1b-beb9-57fb710cd409"; - allowDiscards = true; - keyFileSize = 4096; - keyFile = "/dev//disk/by-id/usb-Generic_Flash_Disk_C94D5655-0:0"; - fallbackToPassword = true; - preLVM = false; - }; - }; + boot.initrd.luks.devices."luks-c185ba0a-181b-4521-adaf-530b93a383b9" = { + device = "/dev/disk/by-uuid/c185ba0a-181b-4521-adaf-530b93a383b9"; + allowDiscards = true; + keyFileSize = 4096; + keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_CE8AD7705"; + fallbackToPassword = true; + preLVM = false; + }; } diff --git a/hosts/desk/default.nix b/hosts/desk/default.nix index e0cae19..982bfbe 100644 --- a/hosts/desk/default.nix +++ b/hosts/desk/default.nix @@ -21,6 +21,7 @@ in ../../modules/apps/99_i3_config.nix ../../modules/dev/docker.nix ../../modules/dev/ruby.nix + ../../modules/dev/utils.nix ../../modules/misc/polkit.nix inputs.home-manager.nixosModules.default inputs.sops-nix.nixosModules.sops @@ -31,6 +32,7 @@ in user = "fred"; host = "desk"; sops_file = "home.yaml"; + rootless_docker = true; time.timeZone = "America/Los_Angeles"; i18n.defaultLocale = "en_US.UTF-8"; 
@@ -55,19 +57,16 @@ in }; ### HDD's ### - fileSystems."/run/media/fred/2tb" = - { device = "/dev/disk/by-uuid/2967e82b-a83c-4357-9939-1fbcc2618a9a"; - fsType = "ext4"; - options = hdd_opts; + environment.etc.crypttab = { + mode = "0600"; + text = '' + # [key-file] [options] + 8tb UUID=72edb411-1740-43e0-81ba-084374bb2b78 /dev/disk/by-id/usb-Generic_Flash_Disk_CE8AD7705 keyfile-size=4096,nofail + ''; }; - fileSystems."/run/media/fred/arch_home" = - { device = "/dev/disk/by-uuid/122e2d4f-3512-4077-a5ee-f80ac6e32300"; - fsType = "ext4"; - options = hdd_opts; - }; - fileSystems."/run/media/fred/arch_root" = - { device = "/dev/disk/by-uuid/56a64ba1-5ffa-426d-bca2-ede62c7b2498"; + fileSystems."/run/media/fred/8tb" = + { device = "/dev/mapper/8tb"; fsType = "ext4"; options = hdd_opts; }; @@ -81,7 +80,7 @@ in }; services.tcsd.enable = false; # prevent sysinit-reactiviation.target hang when rebuilding flake - services.xserver.displayManager.lightdm.extraSeatDefaults = "display-setup-script = ${pkgs.ddcutil}/bin/ddcutil --bus=7 setvcp 60 0x0f"; + services.xserver.displayManager.lightdm.extraSeatDefaults = "display-setup-script = ${pkgs.ddcutil}/bin/ddcutil --bus=8 setvcp 60 0x0f"; networking.firewall.allowedUDPPorts = [ 11357 ]; # ollama-docker networking.firewall.allowedTCPPorts = [ 11357 ]; # ollama-docker diff --git a/hosts/desk/desk_apps.nix b/hosts/desk/desk_apps.nix index 21ea2c4..a1eb3fa 100644 --- a/hosts/desk/desk_apps.nix +++ b/hosts/desk/desk_apps.nix @@ -1,11 +1,34 @@ { config, pkgs, ... }: { config = { + home-manager.users.${config.user} = { pkgs, ... }: { home.packages = with pkgs; [ yt-dlp freetube ]; + programs.zed-editor = { + enable = true; + userSettings = { + vim_mode = true; + telemetry = { + diagnostics = false; + metrics = false; + }; + language_models = { + ollama = { + api_url = "https://ollama.local"; + }; + }; + assistant = { + enabled = true; + default_model = { + provider = "ollama"; + model = "deepseek-coder-v2:16b"; + }; + }; + }; + }; }; }; } 
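Review bot: The crypttab entry for `8tb` takes its key from the USB stick but sets no `keyfile-timeout=`, so when the stick is absent systemd-cryptsetup waits for the key device (the default device timeout, as far as I can tell) and then fails the unit rather than falling back to a passphrase prompt, whereas the root volume in `boot.nix` gets `fallbackToPassword = true`; adding the option, `8tb UUID=72edb411-1740-43e0-81ba-084374bb2b78 /dev/disk/by-id/usb-Generic_Flash_Disk_CE8AD7705 keyfile-size=4096,keyfile-timeout=10s,nofail`, gives the data disk the same behaviour. `nofail` only keeps the missing disk from blocking boot; it does not shorten that wait. The `hdd_opts` used by the new `fileSystems."/run/media/fred/8tb"` entry are defined above the hunk.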
diff --git a/hosts/desk/hardware.nix b/hosts/desk/hardware.nix index dd8403e..bc9f5c6 100644 --- a/hosts/desk/hardware.nix +++ b/hosts/desk/hardware.nix @@ -15,12 +15,12 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/aa4561b3-a61d-4ed9-8847-b88c6fc06525"; + { device = "/dev/disk/by-uuid/59e32983-f2f6-4ea3-b295-e8886f159002"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/6FD4-7839"; + { device = "/dev/disk/by-uuid/2B41-6F12"; fsType = "vfat"; options = [ "fmask=0077" "dmask=0077" ]; }; diff --git a/hosts/desk/kvm.nix b/hosts/desk/kvm.nix index 69d49b9..d90e02c 100644 --- a/hosts/desk/kvm.nix +++ b/hosts/desk/kvm.nix @@ -4,7 +4,11 @@ virtualisation.libvirtd = { enable = true; - qemu.ovmf.enable = true; + qemu.ovmf = { + enable = true; + packages = [ pkgs.OVMFFull ]; + }; + qemu.swtpm.enable = true; qemu.runAsRoot = false; onBoot = "ignore"; onShutdown = "shutdown"; diff --git a/hosts/htpc/default.nix b/hosts/htpc/default.nix deleted file mode 100644 index 4640904..0000000 --- a/hosts/htpc/default.nix +++ /dev/null @@ -1 +0,0 @@ -# TODO diff --git a/hosts/lap/boot.nix b/hosts/lap/boot.nix new file mode 100644 index 0000000..c3c5a40 --- /dev/null +++ b/hosts/lap/boot.nix @@ -0,0 +1,12 @@ +{ + boot.initrd.luks.devices = { + "luks-847548dd-10b5-46d1-82f4-bf982a32c1b5" = { + device = "/dev/disk/by-uuid/847548dd-10b5-46d1-82f4-bf982a32c1b5"; + allowDiscards = true; + keyFileSize = 4096; + keyFile = "/dev/disk/by-id/usb-Generic-_SD_MMC_27B8RE273ED5E"; + fallbackToPassword = true; + preLVM = false; + }; + }; +} diff --git a/hosts/lap/default.nix b/hosts/lap/default.nix new file mode 100644 index 0000000..0b4c1df --- /dev/null +++ b/hosts/lap/default.nix 
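Review bot: `packages = [ pkgs.OVMFFull ];` passes the package's default output, whereas the `virtualisation.libvirtd.qemu.ovmf.packages` option documents that each entry must contain `/FV/OVMF_CODE.fd` and `/FV/OVMF_VARS.fd` and its own example is `pkgs.OVMFFull.fd`; if those files live only in the `fd` output, libvirt's firmware paths will dangle and UEFI guests will not start — confirm which output carries `FV/` and use `packages = [ pkgs.OVMFFull.fd ];` if so. The full variant is presumably chosen for its TPM and Secure Boot support to go with the new `qemu.swtpm.enable = true`; a one-line comment saying so would spare the next reader the lookup.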
@@ -0,0 +1,75 @@
+{ pkgs, inputs, config, lib, ... }:
+
+let
+ nfs_opts = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+ hdd_opts = [ "nosuid" "nodev" "nofail" ];
+in
+
+{
+
+ imports =
+ [
+ ./boot.nix
+ ./hardware.nix
+ # ./desk_apps.nix
+ ../../modules/common/default.nix
+ ../../modules/common/system-d_boot.nix
+ ../../modules/networking/ssh.nix
+ ../../modules/networking/hosts.nix
+ ../../modules/user
+ ../../modules/apps/99_i3_config.nix
+ ../../modules/dev/docker.nix
+ ../../modules/dev/ruby.nix
+ ../../modules/dev/utils.nix
+ ../../modules/misc/polkit.nix
+ inputs.home-manager.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+
+ config = {
+ user = "fred";
+ host = "lap";
+ sops_file = "home.yaml";
+
+ time.timeZone = "America/Los_Angeles";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ environment.systemPackages = with pkgs; [
+ nfs-utils
+ ddcutil
+ input-remapper
+ xorg.xinit # for vnc server
+ ];
+
+ networking.firewall.allowedUDPPorts = [ 5900 ]; # vnc-server
+ networking.firewall.allowedTCPPorts = [ 5900 ]; # vnc-server
+ #### NFS's ###
+ services.autofs = {
+ enable = true;
+ timeout = 60;
+ autoMaster = ''
+ /- /etc/autofs/auto.nfs_server --timeout=60
+ '';
+ };
+ environment.etc."autofs/auto.nfs_server" = {
+ text = ''
+ /nfs -rw,soft,rsize=8192,wsize=8192 nfs:/nfs
+ /solid -rw,soft,rsize=8192,wsize=8192 nfs:/solid
+ /docker -rw,soft,rsize=8192,wsize=8192 nfs:/docker
+ '';
+ mode = "0644";
+ };
+
+ services.tcsd.enable = false; # prevent sysinit-reactiviation.target hang when rebuilding flake
+
+ networking.enableIPv6 = false;
+ security.pki.certificates = [ (builtins.readFile ../../dotfiles/certs/mfCA.crt) ];
+
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.powerOnBoot = false;
+ services.blueman.enable = true;
+
+ system.stateVersion = "25.05";
+ };
+}
diff --git a/hosts/lap/hardware.nix b/hosts/lap/hardware.nix
new file mode 100644
index 0000000..80737ab
--- /dev/null
+++ b/hosts/lap/hardware.nix
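Review bot: `networking.firewall.allowedTCPPorts = [ 5900 ]` and its UDP twin open the VNC port on every interface of a laptop that will join untrusted networks; unless the VNC server binds to localhost and is reached over SSH, limit it to the trusted interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 5900 ];` or drop the rule and tunnel. The `let` bindings `nfs_opts` and `hdd_opts` are never referenced in this file (the NFS mounts come from the autofs map), so they can be removed. That map mounts `/nfs`, `/solid` and `/docker` read-write with `soft`, which turns a server timeout into an I/O error the writing program may not handle, leaving partial files; `hard` (the default) is the safer choice for anything written to. `security.pki.certificates` adds a private CA to the system trust store; a comment naming what `mfCA.crt` issues certificates for would document why every TLS client on the host should trust it.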
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+ # hardware.nvidia.open=false;
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/f7766025-9e57-4b52-b47c-b158b3a894f2";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-847548dd-10b5-46d1-82f4-bf982a32c1b5".device = "/dev/disk/by-uuid/847548dd-10b5-46d1-82f4-bf982a32c1b5";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/B177-CFE7";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [{
+ device = "/var/lib/swapfile";
+ size = 8*1024;
+ }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp61s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/vm_ollama/ollama.nix b/hosts/vm_ollama/ollama.nix
index 4a581d0..ee6619e 100644
--- a/hosts/vm_ollama/ollama.nix
+++ b/hosts/vm_ollama/ollama.nix
@@ -30,7 +30,7 @@ models = "/mnt/ollama_models/"; rocmOverrideGfx = "10.3.0"; environmentVariables = { - OLLAMA_KEEP_ALIVE="15m"; + OLLAMA_KEEP_ALIVE="60m"; }; }; diff --git a/hosts/vps/boot.nix b/hosts/vps/boot.nix new file mode 100644 index 0000000..09537ab --- /dev/null +++ b/hosts/vps/boot.nix @@ -0,0 +1,6 @@ +{ + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.useOSProber = false; + boot.loader.grub.enableCryptodisk = true; +} diff --git a/hosts/vps_fz/default.nix b/hosts/vps/default.nix similarity index 73% rename from hosts/vps_fz/default.nix rename to hosts/vps/default.nix index 69d23f7..f1c783a 100644 --- a/hosts/vps_fz/default.nix +++ b/hosts/vps/default.nix @@ -10,6 +10,7 @@ ../../modules/networking/ssh.nix ../../modules/user ../../modules/apps/00_tui_base.nix + ../../modules/dev/docker.nix inputs.home-manager.nixosModules.default inputs.sops-nix.nixosModules.sops ]; @@ -17,17 +18,15 @@ config = { ### USER ### - user = "vps_fz"; - host = "vps_fz"; - sops_file = "vps_fz.yaml"; + user = "vps"; + host = "vps"; + sops_file = "vps.yaml"; + + rootless_docker = true; - ### NETWORKING ### networking.enableIPv6 = false; - networking.firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; + # firewall config in server_config system.stateVersion = "25.05"; }; diff --git a/hosts/vps_fz/hardware.nix b/hosts/vps/hardware.nix similarity index 72% rename from hosts/vps_fz/hardware.nix rename to hosts/vps/hardware.nix index 1142f41..eab2012 100644 --- a/hosts/vps_fz/hardware.nix +++ b/hosts/vps/hardware.nix 
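Review bot: The replacement comment `# firewall config in server_config` points at `hosts/vps_fz/server_config.nix`, which this same commit deletes, and no other hunk on the page opens TCP 80/443 for the new `vps` host, so after a rebuild only the SSH port from `modules/networking/ssh.nix` is reachable unless a server module lives outside this patch. If the web services moved into Docker, note that `rootless_docker = true` leaves the new docker module's `privileged_ports` at its default `false`, so a containerised reverse proxy cannot bind 80/443 without adding `privileged_ports = true;` here. The allowed ports should be declared in whichever module now owns the services, with this comment updated to name it. `services.fail2ban` from the deleted file is gone too for an SSH-exposed VPS — confirm that is intentional.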
@@ -14,15 +14,24 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/0b1c3bc9-4332-4950-bc20-20e7eb8aa003"; + { device = "/dev/disk/by-uuid/f22c3def-a743-4861-a98d-569cab10b34c"; fsType = "ext4"; }; - boot.initrd.luks.devices."luks-938c9dc1-9c55-4152-bc69-4d8770518c90".device = "/dev/disk/by-uuid/938c9dc1-9c55-4152-bc69-4d8770518c90"; + # Setup keyfile + boot.initrd = { + secrets."/boot/crypto_keyfile.bin" = null; + luks.devices."luks-d05cd87b-ba29-4daf-ad6a-c58b857026a9" = { + keyFile = "/boot/crypto_keyfile.bin"; + device = "/dev/disk/by-uuid/d05cd87b-ba29-4daf-ad6a-c58b857026a9"; + }; + }; swapDevices = - [ { device = "/dev/disk/by-uuid/7961b651-0b10-4fbf-a429-8e53a2b67b34"; } - ]; + [{ + device = "/var/lib/swapfile"; + size = 4*1024; + }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/vps_fz/boot.nix b/hosts/vps_fz/boot.nix deleted file mode 100644 index 9f2c8fe..0000000 --- a/hosts/vps_fz/boot.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.useOSProber = false; - - boot.initrd.luks.devices."luks-c2ab1085-f8ec-49df-a26b-ece597abc3b7".device = "/dev/disk/by-uuid/c2ab1085-f8ec-49df-a26b-ece597abc3b7"; - # Setup keyfile - boot.initrd.secrets = { - "/boot/crypto_keyfile.bin" = null; - }; - - boot.loader.grub.enableCryptodisk = true; - - boot.initrd.luks.devices."luks-938c9dc1-9c55-4152-bc69-4d8770518c90".keyFile = "/boot/crypto_keyfile.bin"; - boot.initrd.luks.devices."luks-c2ab1085-f8ec-49df-a26b-ece597abc3b7".keyFile = "/boot/crypto_keyfile.bin"; -# boot.loader.systemd-boot.enable = true; -# boot.loader.efi.canTouchEfiVariables = true; -} diff --git a/hosts/vps_fz/server_config.nix b/hosts/vps_fz/server_config.nix deleted file mode 100644 index d6b20c0..0000000 
--- a/hosts/vps_fz/server_config.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ pkgs, inputs, config, lib, ... }: { - - config = { - - # fail2ban - services.fail2ban.enable = true; - services.openssh.settings.LogLevel = "VERBOSE"; - - - # caddy - services.caddy = { - enable = true; - configFile = ../../dotfiles/caddy/Caddyfile; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - # gitea - sops.secrets."gitea_dbpass" = { - owner = "gitea"; - group = "gitea"; - }; - - services.gitea = { - enable = true; - database = { - type = "postgres"; - passwordFile = config.sops.secrets."gitea_dbpass".path; - }; - settings = { - server = { - DOMAIN = "gitea.fredzernia.com"; - ROOT_URL = "https://gitea.fredzernia.com"; - HTTP_PORT = 7904; - }; - service.DISABLE_REGISTRATION = true; - }; - }; - }; -} - diff --git a/modules/apps/00_tui_base.nix b/modules/apps/00_tui_base.nix index c4a0a23..e81b80b 100644 --- a/modules/apps/00_tui_base.nix +++ b/modules/apps/00_tui_base.nix @@ -21,11 +21,15 @@ in home-manager.users.${config.user} = { pkgs, ... }: { home.packages = with pkgs; [ bat + bat-extras.batman git + lazygit htop + btop + openssl nixpkgs-fmt - nodejs # astronvim ls, formatters, etc - ripgrep # text search in nvim + nodejs + ripgrep jq file wget diff --git a/modules/apps/55_firefox.nix b/modules/apps/55_firefox.nix index b7997f6..6a8f8cf 100644 --- a/modules/apps/55_firefox.nix +++ b/modules/apps/55_firefox.nix @@ -1,6 +1,7 @@ -{ config, pkgs, firefox-addons, ... }: +{ inputs, config, pkgs, ... }: let + firefox-addons = inputs.firefox-addons.packages.${pkgs.system} or {}; autoconfigCfg = pkgs.writeText "autoconfig.cfg" '' var {classes:Cc,interfaces:Ci,utils:Cu} = Components; /* set new tab page */ 
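Review bot: `firefox-addons = inputs.firefox-addons.packages.${pkgs.system} or {};` turns a missing system attribute into an empty set, so a typo or an unsupported `pkgs.system` surfaces later as `undefined variable 'noscript'` inside the `with firefox-addons; [ ... ]` extension list rather than a clear attribute-missing error on this line; dropping the `or {}` gives the better failure. `pkgs.system` is also the legacy spelling — `pkgs.stdenv.hostPlatform.system` is what current nixpkgs recommends. The `let` block this binding belongs to continues past the hunk.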
@@ -8,7 +9,7 @@ let ChromeUtils.defineESModuleGetters(this, { AboutNewTab: "resource:///modules/AboutNewTab.sys.mjs", }); - var newTabURL = "https://mainframe.local/mainframe.html"; + var newTabURL = "https://server.local/index.html"; AboutNewTab.newTabURL = newTabURL; } catch(e){Cu.reportError(e);} // report errors in the Browser Console ''; @@ -35,7 +36,7 @@ in { package = firefoxWithAutoconfig; profiles.default = { settings = { - "browser.startup.homepage" = "https://mainframe.local/mainframe.html"; + "browser.startup.homepage" = "https://server.local/index.html"; "sidebar.verticalTabs" = true; "extensions.activeThemeID" = "firefox-compact-dark@mozilla.org"; "browser.contentblocking.category" = { Value = "strict"; Status = "locked"; }; @@ -64,6 +65,7 @@ in { noscript ublock-origin sponsorblock + clearurls ]; }; policies = { diff --git a/modules/apps/99_i3_config.nix b/modules/apps/99_i3_config.nix index 984fa3d..37eb9cf 100644 --- a/modules/apps/99_i3_config.nix +++ b/modules/apps/99_i3_config.nix @@ -10,7 +10,10 @@ }; security.pam.services.i3lock.enable = true; - networking.networkmanager.enable = true; + networking.networkmanager = { + enable = true; + plugins = [ pkgs.networkmanager-openvpn ]; + }; home-manager.users.${config.user} = { pkgs, config, ... }: { home.packages = with pkgs; [ xorg.setxkbmap @@ -81,7 +84,6 @@ xserver = { enable = true; - videoDrivers = [ "amdgpu" ]; xkb.layout = "us"; desktopManager = { diff --git a/modules/common/default.nix b/modules/common/default.nix index 7601069..1e142fc 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix 
@@ -1,21 +1,21 @@ { config, pkgs, lib, ... }: { - options = { - user = lib.mkOption { - default = "${config.user}"; - description = "user"; - }; + options = { + user = lib.mkOption { + default = "${config.user}"; + description = "user"; + }; - host = lib.mkOption { - type = lib.types.str; - description = "host"; - }; + host = lib.mkOption { + type = lib.types.str; + description = "host"; + }; - sops_file = lib.mkOption { - type = lib.types.str; - description = "SOPS filename"; + sops_file = lib.mkOption { + type = lib.types.str; + description = "SOPS filename"; + }; }; - }; config = { diff --git a/modules/dev/docker.nix b/modules/dev/docker.nix index f237550..f8ec0a5 100644 --- a/modules/dev/docker.nix +++ b/modules/dev/docker.nix @@ -1,5 +1,19 @@ -{ config, pkgs, ... }: { +{ config, pkgs, lib, ... }: { + options = { + rootless_docker = lib.mkOption { + type = lib.types.bool; + description = "rootless docker"; + default = true; + }; + + privileged_ports = lib.mkOption { + type = lib.types.bool; + description = "rootless docker allowed privileged ports"; + default = false; + }; + + }; config = { home-manager.users.${config.user} = { pkgs, ... }: { @@ -8,14 +22,25 @@ ctop ]; }; + users.extraUsers.${config.user}.extraGroups = [ "docker" ]; virtualisation.docker = { enable = true; - rootless = { - #enable = false; + rootless = lib.mkIf config.rootless_docker { enable = true; setSocketVariable = true; }; }; + + # https://im.salty.fish/index.php/archives/nixos-docker-rootless-privileged-ports.html + security.wrappers = lib.mkIf config.privileged_ports { + docker-rootlesskit = { + owner = "root"; + group = "root"; + capabilities = "cap_net_bind_service+ep"; + source = "${pkgs.rootlesskit}/bin/rootlesskit"; + }; + }; + }; } diff --git a/modules/dev/utils.nix b/modules/dev/utils.nix new file mode 100644 index 0000000..2b90ed0 --- /dev/null +++ b/modules/dev/utils.nix 
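Review bot: `users.extraUsers.${config.user}.extraGroups = [ "docker" ];` is added unconditionally while `virtualisation.docker.enable = true` keeps the rootful daemon and its socket enabled even when `rootless_docker` is true, so the user is root-equivalent through the rootful socket regardless of the rootless setting — which defeats the reason for running rootless. Gate both on the option: `users.users.${config.user}.extraGroups = lib.optionals (!config.rootless_docker) [ "docker" ];` and `enable = !config.rootless_docker;`, keeping `rootless = lib.mkIf config.rootless_docker { ... }` as written. `users.extraUsers` is a deprecated alias of `users.users`. The `privileged_ports` wrapper is correctly gated, but the bare URL comment above it would read better with a one-line summary, e.g. `# grants cap_net_bind_service to rootlesskit so rootless containers can publish ports below 1024`.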
@@ -0,0 +1,12 @@ +{ config, pkgs, ... }: { + + config = { + + home-manager.users.${config.user} = { pkgs, ... }: { + home.packages = with pkgs; [ + typescript + httpie + ]; + }; + }; +} diff --git a/modules/misc/polkit.nix b/modules/misc/polkit.nix index 627d106..e196632 100644 --- a/modules/misc/polkit.nix +++ b/modules/misc/polkit.nix @@ -6,6 +6,7 @@ if ((action.id == "org.xfce.thunar" || action.id == "org.freedesktop.policykit.exec" || action.id == "org.gnome.gparted" || + action.id == "org.freedesktop.udisks2.encrypted-unlock-system" || action.id == "org.freedesktop.udisks2.filesystem-mount-system") && subject.isInGroup("wheel")) { diff --git a/modules/networking/ssh.nix b/modules/networking/ssh.nix index cd3f10b..032d1a0 100644 --- a/modules/networking/ssh.nix +++ b/modules/networking/ssh.nix @@ -3,7 +3,7 @@ config = { services.openssh = { enable = true; - ports = [ 1876 ]; + ports = [ 1173 ]; settings = { PasswordAuthentication = false; PermitRootLogin = "no"; diff --git a/modules/user/default.nix b/modules/user/default.nix index ebebc5c..ee4d5cf 100644 --- a/modules/user/default.nix +++ b/modules/user/default.nix @@ -10,6 +10,7 @@ extraGroups = [ "wheel" ]; }; + networking.hostName = "${config.host}"; }; }
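Review bot: Adding `org.freedesktop.udisks2.encrypted-unlock-system` to this rule lets every `wheel` member unlock any system-wide LUKS volume through udisks with whatever the rule returns for its other action ids (the return value is outside the hunk, presumably `polkit.Result.YES`), which is broader than the single `8tb` data disk this commit adds to crypttab on the desk host. If that breadth is intended, a comment on the new line such as `// lets the file manager unlock the crypttab data disk without a prompt` would record why; otherwise the rule could be narrowed to that device if udisks2 exposes it in the action details — confirm before relying on it. The enclosing `polkit.addRule` callback starts and ends outside the hunk.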
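Review bot: `networking.hostName = "${config.host}";` interpolates a value that is already a string; `networking.hostName = config.host;` is equivalent and clearer, and the option is typed as a string so a non-string value would be caught either way. The same `"${config.user}"` pattern in `modules/common/default.nix` (only re-indented in this commit) is riskier: it is the `user` option's own default, so a host that never sets `user` recurses infinitely instead of failing with a missing-option message — giving that option `type = lib.types.str;` and no default would surface the mistake. The `config = { ... }` block here starts outside the hunk.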