From 9bacc4fb8078c3cda951c08848f8bfcc96dd596b Mon Sep 17 00:00:00 2001 From: Mira Date: Wed, 31 Jul 2024 13:40:07 -0400 Subject: [PATCH] (auxin) changes --- auxin/configuration.nix | 211 +++++++++++++++++++++-------- auxin/hardware-configuration.nix | 31 +++-- common.nix | 36 ++--- flake.lock | 48 +++---- flake.nix | 32 +++++ gastrin/hardware-configuration.nix | 40 +++--- vm.nix | 13 ++ 7 files changed, 279 insertions(+), 132 deletions(-) create mode 100644 vm.nix diff --git a/auxin/configuration.nix b/auxin/configuration.nix index 56ceb91..538ac11 100644 --- a/auxin/configuration.nix +++ b/auxin/configuration.nix 
@@ -3,24 +3,69 @@ lib, pkgs, ... -}: { +}: let + ports = [ + 22 # SSH + 22000 # syncthing + 2222 # Gitea SSH + 2377 + 25565 # Minecraft + 3001 # Gitea(->3000) + 443 # HTTPS + 445 + 7359 # jellyfin (dlna?) + 7946 + 80 # HTTP + 8080 # qbittorrent + 8089 # traefik (->8080) + 8096 # Jellyfin + 8191 # flaresolverr + 8420 # Website (->4321) + 8842 # Crowdsec (-> 8842) + 8888 # Kodi + 9000 # Portainer (-> 9443) + 2049 # NFS + 4001 # Lockd + 4002 # Mountd + ]; +in { imports = [ # Include the results of the hardware scan. - ./hardware-configuration.nix + # ./hardware-configuration.nix ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + nixpkgs = { + config = { + allowUnfree = true; + kodi.enableAdvancedLauncher = true; + pulseaudio = true; + }; + }; networking = { - hostName = "auxin"; # Define your hostname. - nameservers = ["192.168.1.208"]; - networkmanager.enable = true; # Easiest to use and most distros use this by default. + # hostName = "auxin"; # Define your hostname. + nameservers = ["192.168.1.207"]; firewall = { enable = true; - allowedUDPPorts = [22 80 443 2222 25565 8080 8842 8191 3001 8096 7359 8420 8888 9000 8089 445 2377 22000 7946]; - allowedTCPPorts = [22 80 443 2222 25565 8080 8842 8191 3001 8096 7359 8420 8888 9000 8089 445 2377 22000 7946]; + allowedUDPPorts = ports; + allowedTCPPorts = ports; + }; + bridges = { + "br0" = { + interfaces = [ + "enp9s0" + + "enp0s20f0u4" + ]; + }; + }; + interfaces.br0.ipv4.addresses = [ + { + address = "192.168.1.153"; + prefixLength = 24; + } + ]; + defaultGateway = { + address = "192.168.1.1"; }; }; 
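Review bot: `allowedUDPPorts = ports;` opens the same list on UDP as on TCP, yet most entries in `ports` (22, 443, 2222, 3001, 8096, 9000, …) are TCP-only services, so the UDP rules are exposure that serves nothing. Keep one list per protocol — `allowedTCPPorts = ports;` and a separate, shorter `allowedUDPPorts = udpPorts;` bound in the same `let` — and, since the host now has a single static address on `br0`, consider `networking.firewall.interfaces.br0.allowedTCPPorts` so the rules are scoped to that interface rather than to every interface. Three entries (2377, 445, 7946) have no trailing comment while every other entry names its service; 445 is presumably Samba (enabled later in this file) and 2377/7946 look like Docker Swarm given the swarm note on `liveRestore` elsewhere in this diff — confirm and label them.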
@@ -30,46 +75,15 @@ gcc go hyperfine + sof-firmware jellyfin-media-player - kodiPackages.jellyfin - kodiPackages.steam-controller lazydocker + gamescope lazygit nil nodePackages.nodejs nodePackages.pnpm - python3 ]; - services = { - k3s = { - enable = true; - role = "server"; - token = "uwubernetes"; # TODO: change this - extraFlags = toString [ - "--write-kubeconfig-mode \"0644\"" - "--cluster-init" - # "--disable localstorage" - ]; - }; - # Enable the X11 windowing system. - xserver = { - enable = true; - - desktopManager.xfce.enable = false; - - # Kodi - desktopManager.kodi.enable = true; - }; - displayManager.sddm = { - enable = true; - settings = { - Autologin = { - Session = "kodi.desktop"; - User = "mira"; - }; - }; - }; - }; # Define a user account. Don't forget to set a password with ‘passwd’. users = { users = { @@ -92,11 +106,15 @@ }; }; }; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; programs = { + steam = { + gamescopeSession.enable = true; + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + localNetworkGameTransfers.openFirewall = true; + }; + nh = { enable = true; clean.enable = true; 
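Review bot: The three `openFirewall = true` lines under `programs.steam` open ports that are not in the `ports` list at the top of the file, so that list no longer describes the host's full exposure (the same holds for `xrdp.openFirewall` and `samba-wsdd.openFirewall` in the services hunk). On a host that also exports NFS and Samba to the LAN, a comment stating which of Remote Play, dedicated-server and local-transfer exposure is actually needed would help, e.g. `# NOTE: each openFirewall below adds ports beyond the ports list above`. The `programs` attribute set continues past the end of this hunk.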
@@ -122,10 +140,72 @@ }; }; - # List services that you want to enable: - - # Enable the OpenSSH daemon. services = { + nfs.server = { + enable = true; + mountdPort = 4002; + lockdPort = 4001; + exports = '' + /raid/swarm 192.168.1.0/24(rw) + ''; + }; + gvfs.enable = true; + xrdp = { + enable = true; + openFirewall = true; + }; + x2goserver.enable = true; + + k3s = { + enable = false; + role = "server"; + token = "uwubernetes"; # TODO: change this + extraFlags = toString [ + "--write-kubeconfig-mode \"0644\"" + "--cluster-init" + # "--disable localstorage" + ]; + }; + # Enable the X11 windowing system. + xserver = { + enable = true; + + desktopManager.xfce.enable = false; + + # Kodi + desktopManager.kodi = { + enable = true; + package = pkgs.kodi.withPackages (pkgs: + with pkgs; [ + jellyfin + jellycon + sendtokodi + sponsorblock + steam-library + youtube + libretro + libretro-mgba + steam-controller + steam-launcher + visualization-matrix + visualization-spectrum + visualization-waveform + inputstream-adaptive + ]); + }; + }; + displayManager.sddm = { + enable = true; + settings = { + Autologin = { + Session = "kodi.desktop"; + User = "mira"; + }; + }; + }; + btrbk = {}; # TODO: + caddy = {}; # TODO: + ceph = {}; # TODO: fail2ban = { enable = true; ignoreIP = [ @@ -135,6 +215,10 @@ ]; bantime-increment.enable = true; }; + samba-wsdd = { + enable = true; + openFirewall = true; + }; # TODO: check security settings samba = { enable = true; @@ -146,6 +230,15 @@ }; }; }; + pipewire = { + enable = false; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + audio.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; }; virtualisation.docker = { storageDriver = "overlay2"; 
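Review bot: `token = "uwubernetes"; # TODO: change this` puts a cluster join secret into a committed file, and `enable = false` neither removes it from the repository history nor keeps it out of the world-readable Nix store once the module is re-enabled. Prefer `tokenFile = "/PATH/OUTSIDE/STORE/k3s-token";` (placeholder path) and drop the literal entirely. The NFS export `/raid/swarm 192.168.1.0/24(rw)` grants write access to every host on the /24 with no `sec=` option, so under the default AUTH_SYS any LAN host can act as any non-root uid — acceptable if that is the intended trust boundary, but worth a comment saying so — and `xrdp` with `openFirewall = true` plus `x2goserver.enable = true` add two remote-desktop listeners on the same LAN that the `ports` list does not document. The `services` attribute set this hunk edits continues past its last lines.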
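Review bot: In the `@@ -146,6 +230,15 @@` hunk the `pipewire` block sets `audio.enable = true` while `enable = false`, and the hardware-configuration hunk in this same commit turns on `hardware.pulseaudio.enable`; the pipewire module asserts that PipeWire audio and PulseAudio are not enabled together, so whether this evaluates depends on that assertion being gated on `enable` — confirm with a build. If the block is kept as a future alternative to PulseAudio, say so: `# NOTE: disabled in favour of hardware.pulseaudio (hardware-configuration.nix); re-enable only with pulseaudio off`. The `virtualisation.docker` block at the hunk's tail continues in the next hunk.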
@@ -153,15 +246,11 @@ enable = true; autoPrune.enable = true; extraOptions = "--userns-remap=default"; - liveRestore = false; + liveRestore = false; # NOTE: Incompatible with swarm }; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. # TODO: - powerManagement.enable = false; + powerManagement.enable = lib.mkForce false; systemd = { targets = { sleep.enable = false; @@ -177,7 +266,7 @@ services = { "qbittorrent-healthcheck" = { script = '' - ${pkgs.docker} exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker} restart qbittorrent + ${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent ''; serviceConfig = { Type = "oneshot"; @@ -208,7 +297,9 @@ # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). This is useful in case you # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; + system = { + # copySystemConfiguration = true; # NOTE: Doesn't work with flakes - system.stateVersion = "23.11"; # Don't fuck with this + stateVersion = "23.11"; # NOTE: Don't fuck with this + }; } diff --git a/auxin/hardware-configuration.nix b/auxin/hardware-configuration.nix index 31c8f0d..f424953 100644 --- a/auxin/hardware-configuration.nix +++ b/auxin/hardware-configuration.nix 
@@ -12,11 +12,17 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; - + # Use the systemd-boot EFI boot loader. + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"]; + initrd.kernelModules = []; + kernelModules = ["kvm-intel"]; + extraModulePackages = []; + }; fileSystems."/" = { device = "/dev/disk/by-uuid/b6931dc5-1ccb-4d81-abf6-38b6febc6176"; fsType = "btrfs"; @@ -58,13 +64,14 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true; - # networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true; - # networking.interfaces.enp9s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true; + networking.networkmanager.enable = lib.mkDefault true; # Easiest to use and most distros use this by default. + # BTRFS scrub + services.btrfs.autoScrub.enable = true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware = { + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + pulseaudio.enable = true; + pulseaudio.support32Bit = true; ## If compatibility with 32-bit applications is desired. + }; } diff --git a/common.nix b/common.nix index 2fc24a6..e84fbc6 100644 --- a/common.nix +++ b/common.nix 
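Review bot: `boot.loader`, `networking.networkmanager.enable`, `services.btrfs.autoScrub` and `hardware.pulseaudio` now live in hardware-configuration.nix, a file `nixos-generate-config` regenerates (the gastrin counterpart in this diff still carries the generated-file header), so the next regeneration would silently drop the bootloader and the rest; keeping them in configuration.nix, or adding `# NOTE: hand-edited beyond the generated scan — re-apply after nixos-generate-config`, avoids that. Separately, `networkmanager.enable = lib.mkDefault true` now sits beside the declarative `networking.bridges.br0` and static `interfaces.br0` address added in configuration.nix; unless NetworkManager already treats those interfaces as unmanaged, the two will compete for `enp9s0` — confirm on the host or add `networking.networkmanager.unmanaged = ["br0" "enp9s0" "enp0s20f0u4"];`.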
@@ -62,7 +62,7 @@ in { openssh = { enable = true; settings = { - PermitRootLogin = "prohibit-password"; + PermitRootLogin = lib.mkForce "prohibit-password"; PasswordAuthentication = false; }; allowSFTP = true; @@ -80,19 +80,8 @@ in { nssmdns4 = true; openFirewall = true; }; - pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; # smartd smartd.enable = true; - - # BTRFS scrub - btrfs.autoScrub.enable = true; } # Mac Services // lib.optionalAttrs ((builtins.match ".*-darwin" pkgs.stdenv.hostPlatform.system) @@ -107,7 +96,7 @@ in { mira = { isNormalUser = true; group = "mira"; - extraGroups = ["wheel" "docker" "dockremap"]; + extraGroups = ["wheel" "docker" "dockremap" "audio"]; packages = with pkgs; [ firefox tree @@ -139,24 +128,35 @@ in { file fzf gdu - git hyfetch killall - lazygit lsd mcfly neovim nushell + starship ripgrep sheldon - starship statix tealdeer - tmux viddy wget - yazi zoxide zsh ]; + programs = { + tmux.enable = true; + git = { + enable = true; + lfs.enable = true; + }; + lazygit.enable = true; + yazi.enable = true; + zsh.enable = true; + thefuck.enable = true; + direnv.enable = true; + neovim.enable = true; + starship.enable = true; + fzf.fuzzyCompletion = true; + }; } diff --git a/flake.lock b/flake.lock index 0172ec2..619f8a1 100644 --- a/flake.lock +++ b/flake.lock @@ -155,11 +155,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1721108565, - "narHash": "sha256-/ZkI/yQtg3wg6GkLynAfsi6dy8cHzcOZWVBUl1muNbA=", + "lastModified": 1722232823, + "narHash": "sha256-TyBoea7IzssGHS/hn2qjqgHfrpRGdBwBj5JrzTk+LmE=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "384c3d1c1e7ae21931b75c99a787d6af91cf7abb", + "rev": "a53756a2ea77e55b662c68c9a6cf6472a10ae911", "type": "github" }, "original": { 
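Review bot: `PermitRootLogin = lib.mkForce "prohibit-password"` now wins over whatever other module sets it (the installer-ISO profile pulled in by the new `auxin-iso` output is the likely reason), but `PasswordAuthentication = false` on the next line is not forced and does not cover `KbdInteractiveAuthentication`, through which OpenSSH can still prompt for a password via PAM. Consider `PasswordAuthentication = lib.mkForce false;` and `KbdInteractiveAuthentication = false;` beside it so the key-only policy also holds on the ISO and VM variants. The `openssh` block continues beyond this hunk.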
@@ -171,11 +171,11 @@ "neovim-src": { "flake": false, "locked": { - "lastModified": 1721082242, - "narHash": "sha256-qSsIx/IhwCBLxWJbOaHdOguz3UX05hBZViPfNLc0cmQ=", + "lastModified": 1722175991, + "narHash": "sha256-IlmC/5lLdIq+sLdTAPkSsVpnrMr6wOS79kXSXcowQII=", "owner": "neovim", "repo": "neovim", - "rev": "c2b51e6c41c5230af21dc4d978e896ef9e8b922a", + "rev": "5aa1a9532cbac835ad027ebdf04311c7e8fb7007", "type": "github" }, "original": { @@ -189,11 +189,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1721086468, - "narHash": "sha256-OF642LVDj5Icr0tXlY9P54vna4OP10IMhIhhiKwIRpw=", + "lastModified": 1722082646, + "narHash": "sha256-od8dBWVP/ngg0cuoyEl/w9D+TCNDj6Kh4tr151Aax7w=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "7522a30d328f885d20c2815bd05eb711bc69644c", + "rev": "0413754b3cdb879ba14f6e96915e5fdf06c6aab6", "type": "github" }, "original": { @@ -204,11 +204,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", + "lastModified": 1722062969, + "narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", + "rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3", "type": "github" }, "original": { @@ -220,11 +220,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1721016451, - "narHash": "sha256-Cypl9ORr5UjtBsbjXMTJRepTe362yNVrPrntUvHiTaw=", + "lastModified": 1722141560, + "narHash": "sha256-Ul3rIdesWaiW56PS/Ak3UlJdkwBrD4UcagCmXZR9Z7Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a14c5d651cee9ed70f9cd9e83f323f1e531002db", + "rev": "038fb464fcfa79b4f08131b07f2d8c9a6bcc4160", "type": "github" }, "original": { 
@@ -236,11 +236,11 @@ }, "nixpkgs-darwin": { "locked": { - "lastModified": 1721059467, - "narHash": "sha256-0Yx4eXowxw5TATf92DZu2qKbBYXPxYh849h9tL/TQR0=", + "lastModified": 1722153173, + "narHash": "sha256-S46RmS9WkBOTLORpnWsNth4Ae6TlfJS9TKXqB55YQy4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "be45415f0f321f030f8c76723fd15d4b0f3a02fb", + "rev": "7bba2df68503b68634e0070483ddaf6d59dc6530", "type": "github" }, "original": { @@ -252,11 +252,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1721080040, - "narHash": "sha256-USDsS90/88RJibP3gEcH1AaVt+JpnX4XCUD9bAJP5I4=", + "lastModified": 1722141560, + "narHash": "sha256-Ul3rIdesWaiW56PS/Ak3UlJdkwBrD4UcagCmXZR9Z7Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b2c1f10bfbb3f617ea8e8669ac13f3f56ceb2ea2", + "rev": "038fb464fcfa79b4f08131b07f2d8c9a6bcc4160", "type": "github" }, "original": { @@ -282,11 +282,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1720954236, - "narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=", + "lastModified": 1722087241, + "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27", + "rev": "8c50662509100d53229d4be607f1a3a31157fa12", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 162ebe1..bae2dcb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -31,6 +31,37 @@ overlays = [inputs.neovim-nightly-overlay.overlays.default]; in { nixosConfigurations = { + auxin-iso = nixos-unstable.lib.nixosSystem { + modules = [ + "${nixos-unstable}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" + "${nixos-unstable}/nixos/modules/installer/cd-dvd/channel.nix" + ./auxin/configuration.nix + ./vm.nix + ./common.nix + ]; + specialArgs = { + # inherit inputs; + meta = { + hostname = "auxin-iso"; + }; + }; + }; + auxin-vm = nixos-unstable.lib.nixosSystem { + modules = [ + # "${nixos-unstable}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" + # "${nixos-unstable}/nixos/modules/installer/cd-dvd/channel.nix" + "${nixos-unstable}/nixos/modules/virtualisation/virtualbox-image.nix" + ./auxin/configuration.nix + ./vm.nix + ./common.nix + ]; + specialArgs = { + # inherit inputs; + meta = { + hostname = "auxin-vm"; + }; + }; + }; auxin = nixos-unstable.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { @@ -38,6 +69,7 @@ }; modules = [ ./auxin/configuration.nix + ./auxin/hardware-configuration.nix ./common.nix ]; }; diff --git a/gastrin/hardware-configuration.nix b/gastrin/hardware-configuration.nix index f3a379b..09bbeaa 100644 --- a/gastrin/hardware-configuration.nix +++ b/gastrin/hardware-configuration.nix 
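Review bot: `auxin-iso` and `auxin-vm` both import `./auxin/configuration.nix`, so the installer ISO and the VirtualBox image inherit the server's full service set — NFS export, Samba, xrdp, the firewall port list — plus the fixed-password `nixosvmtest` account from `vm.nix`, if I read the other hunks correctly. If these outputs are test images, a comment on each saying the ISO is not a hardened installer medium and should not be booted on the production LAN as-is would prevent a surprise; otherwise split the server-only services out of configuration.nix into a module the images do not import. `auxin-iso` also omits the `system = "x86_64-linux";` that `auxin` has and presumably relies on `nixpkgs.hostPlatform` from vm.nix — a comment noting that dependency would help.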
@@ -1,29 +1,33 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["xhci_pci" "usb_storage" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/f7af4335-148b-4428-877e-9ab01095ac07"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/f7af4335-148b-4428-877e-9ab01095ac07"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/5C76-EFCE"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/5C76-EFCE"; + fsType = "vfat"; + }; - swapDevices = [ ]; + swapDevices = []; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/vm.nix b/vm.nix new file mode 100644 index 0000000..97971ca --- /dev/null +++ b/vm.nix @@ -0,0 +1,13 @@ +{ + config, + lib, + pkgs, + meta, + ... +}: { + nixpkgs.hostPlatform = "x86_64-linux"; + users.users.nixosvmtest.isSystemUser = true; + users.users.nixosvmtest.initialPassword = "test"; + users.users.nixosvmtest.group = "nixosvmtest"; + users.groups.nixosvmtest = {}; +}
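Review bot: In the new `vm.nix`, `users.users.nixosvmtest.initialPassword = "test"` is a fixed, committed credential for a login-capable account, and the file carries no comment limiting it to the throw-away VM/ISO outputs; only flake.nix importing it solely for `auxin-iso` and `auxin-vm` keeps it off `auxin`. Add a header such as `# Test-only module: creates a local account with a known password; never import into a real host`. `isSystemUser = true` is also an unusual choice for an account that exists to log in — if console login is the intent, `isNormalUser = true` may describe it more honestly — and the `meta` argument is bound but unused in this file.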