Switch to colmena + drop some options + introduce okeanos + reworks

This commit is contained in:
Victor Mignot 2024-07-30 20:42:59 +02:00
parent 6a435527fc
commit 3b37b97c76
Signed by: dala
GPG key ID: 5E7F2CE1BEAFED3D
24 changed files with 484 additions and 389 deletions


@ -3,6 +3,7 @@ keys:
- &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7 - &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7
- &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5 - &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
- &fuyuki_system age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm - &fuyuki_system age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm
- &okeanos_system age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32
- &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C - &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
creation_rules: creation_rules:
@ -36,3 +37,11 @@ creation_rules:
- *fuyuki_system - *fuyuki_system
pgp: pgp:
- *pgp_dala - *pgp_dala
# Okenaos
- path_regex: configurations/okeanos/secrets/secrets.yaml$
key_groups:
- age:
- *okeanos_system
pgp:
- *pgp_dala
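Review bot: The comment introducing the new creation rule, `# Okenaos`, misspells the host; `# Okeanos` matches the anchor `&okeanos_system` and the host directory named in `path_regex`. The key group itself follows the pattern of the other hosts (the machine's age recipient plus `*pgp_dala`), and the recipient string is the same one that appears in the `recipient:` field of the new secrets file in this commit, so the rule and the encrypted file agree.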


@ -5,40 +5,9 @@
... ...
}: }:
{ {
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.swraid.enable = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
filesystems = [
{
mountpoint = "/";
deviceUUID = "966d0ec0-7a7b-4987-91cf-6493e9f5126c";
fsType = "ext4";
}
{
mountpoint = "/srv";
deviceUUID = "329fe696-ad2f-4a86-b45f-8b143daf02d2";
fsType = "ext4";
}
{
mountpoint = "/boot";
deviceUUID = "901B-0D68";
fsType = "vfat";
}
];
imports = [ imports = [
./hardware.nix
./jellyfin.nix ./jellyfin.nix
./wireguard.nix ./wireguard.nix
./nextcloud.nix ./nextcloud.nix
@ -47,10 +16,6 @@
./forgejo.nix ./forgejo.nix
]; ];
swapDeviceUUID = "a7c628ab-c5cb-4094-89d0-19b153fbead4";
server.networking.enableSSH = true;
services.nginx = { services.nginx = {
enable = true; enable = true;
clientMaxBodySize = "40m"; clientMaxBodySize = "40m";
@ -67,8 +32,6 @@
git git
]; ];
hwAccelerationGPU = "intel";
# System secrets # System secrets
sops = { sops = {
gnupg.sshKeyPaths = [ ]; gnupg.sshKeyPaths = [ ];


@ -0,0 +1,38 @@
{ lib, config, ... }:
{
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.swraid.enable = true;
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/966d0ec0-7a7b-4987-91cf-6493e9f5126c";
fsType = "ext4";
};
"/srv" = {
device = "/dev/disk/by-uuid/329fe696-ad2f-4a86-b45f-8b143daf02d2";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/901B-0D68";
fsType = "vfat";
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/a7c628ab-c5cb-4094-89d0-19b153fbead4"; } ];
hwAccelerationGPU = "intel";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -6,65 +6,21 @@
... ...
}: }:
{ {
boot.initrd.availableKernelModules = [
"xhci_pci" imports = [
"nvme" ./hardware.nix
"usb_storage" ./wireguard.nix
"sd_mod"
]; ];
boot.initrd.kernelModules = [
"dm-snapshot" deployment.targetHost = null;
"i915" boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
services.tlp.enable = true;
useLatestKernel = true; useLatestKernel = true;
hwAccelerationGPU = "intel";
isProfessional = false; isProfessional = false;
allowUnfreePackages = true; allowUnfreePackages = true;
keymap = "us"; keymap = "us";
luksDevices = [
{
name = "crypted-nixos";
deviceUUID = "401036ff-8ad8-4738-a249-85391dac0430";
isPreLVM = true;
}
];
filesystems = [
{
mountpoint = "/";
deviceUUID = "663f1c4a-dce6-48b2-b8e2-a602e812c49b";
fsType = "ext4";
}
{
mountpoint = "/boot";
deviceUUID = "3F42-7C9B";
fsType = "vfat";
}
{
mountpoint = "/nix";
deviceUUID = "148a5295-396b-495b-b46e-1fa4e99cf9d0";
fsType = "ext4";
}
{
mountpoint = "/home";
deviceUUID = "16b6bd32-465c-4a42-a082-df42d912e5e5";
fsType = "ext4";
}
];
swapDeviceUUID = "0bc27219-00dd-4ae9-b946-ab65a68cbdf1";
sops = { sops = {
gnupg.sshKeyPaths = [ ]; gnupg.sshKeyPaths = [ ];
age = { age = {
@ -75,24 +31,6 @@
secrets.wg0_private = { }; secrets.wg0_private = { };
}; };
networking.wg-quick.interfaces.wg0 = {
address = [ "10.100.0.3/24" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
dns = [ "10.100.0.1" ];
peers = [
# RockPro 64
{
publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4=";
endpoint = "${extraInfo.wireguard.rockProEndpoint}:51820";
allowedIPs = [ "10.100.0.1/32" ];
persistentKeepalive = 25;
}
];
};
machineUsers = { machineUsers = {
dala = { dala = {
description = "Dala"; description = "Dala";
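Review bot: `deployment.targetHost = null;` and `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` are added verbatim here and again in the other workstation's default.nix in this commit, and both hosts carry `localDeployment = true` in machines.nix. The workstation module already receives `machineProps`, so the first line could be derived once there, e.g. `deployment.targetHost = lib.mkIf machineProps.localDeployment null;`, and the binfmt line kept next to it with a short comment stating the intent — presumably letting the x86 workstations build the new aarch64 host — so the duplication does not drift. The remainder of this hunk is a move of hardware and WireGuard settings into the new per-host files rather than a behavior change.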


@ -0,0 +1,52 @@
{ lib, config, ... }:
{
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [
"dm-snapshot"
"i915"
];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
hwAccelerationGPU = "intel";
boot.initrd.luks.devices = {
crypted-nixos = {
device = "401036ff-8ad8-4738-a249-85391dac0430";
preLVM = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/663f1c4a-dce6-48b2-b8e2-a602e812c49b";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/3F42-7C9B";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-uuid/148a5295-396b-495b-b46e-1fa4e99cf9d0";
fsType = "ext4";
};
"/home" = {
device = "/dev/disk/by-uuid/16b6bd32-465c-4a42-a082-df42d912e5e5";
fsType = "ext4";
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/0bc27219-00dd-4ae9-b946-ab65a68cbdf1"; } ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
services.tlp.enable = true;
}
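Review bot: `device = "401036ff-8ad8-4738-a249-85391dac0430";` under `boot.initrd.luks.devices.crypted-nixos` is a bare UUID rather than a device path, so the initrd has nothing to open and the host will not reach its root filesystem; the removed filesystem module built `/dev/disk/by-uuid/${fs.deviceUUID}` for this field, and the other new hardware.nix in this commit writes the prefixed form for its LUKS device. Change it to `device = "/dev/disk/by-uuid/401036ff-8ad8-4738-a249-85391dac0430";`, matching every other device path in this file. Worth a test boot of this host before the migration is relied on.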


@ -0,0 +1,20 @@
{ config, extraInfo, ... }:
{
networking.wg-quick.interfaces.wg0 = {
address = [ "10.100.0.3/24" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
dns = [ "10.100.0.1" ];
peers = [
# RockPro 64
{
publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4=";
endpoint = "${extraInfo.wireguard.rockProEndpoint}:51820";
allowedIPs = [ "10.100.0.1/32" ];
persistentKeepalive = 25;
}
];
};
}


@ -6,56 +6,14 @@
... ...
}: }:
{ {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.extraModulePackages = [ ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; imports = [ ./hardware.nix ];
# Meta # Meta
isProfessional = false; isProfessional = false;
# Volumes deployment.targetHost = null;
luksDevices = [ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
{
name = "crypted-nixos";
deviceUUID = "5a1ac4ae-d74f-4599-bc5a-fc0a3501a196";
isPreLVM = true;
}
];
filesystems = [
{
mountpoint = "/";
deviceUUID = "8dd700f8-7bf7-426c-8869-d31687e343df";
fsType = "ext4";
}
{
mountpoint = "/boot";
deviceUUID = "F2B6-C8CA";
fsType = "vfat";
}
{
mountpoint = "/nix";
deviceUUID = "b7a643f6-a78e-4e32-a1a3-22b321465bf6";
fsType = "ext4";
}
{
mountpoint = "/home";
deviceUUID = "e26f6727-3712-4830-b8e8-fdbce5e3584b";
fsType = "ext4";
}
];
swapDeviceUUID = "5fe5e76b-df3d-43ce-abf9-d2b63078df09";
# Linux kernel # Linux kernel
useLatestKernel = true; useLatestKernel = true;


@ -0,0 +1,45 @@
{ lib, config, ... }:
{
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.extraModulePackages = [ ];
# Volumes
boot.initrd.luks.devices = {
crypted-nixos = {
device = "/dev/disk/by-uuid/5a1ac4ae-d74f-4599-bc5a-fc0a3501a196";
preLVM = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/8dd700f8-7bf7-426c-8869-d31687e343df";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/F2B6-C8CA";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-uuid/b7a643f6-a78e-4e32-a1a3-22b321465bf6";
fsType = "ext4";
};
"/home" = {
device = "/dev/disk/by-uuid/e26f6727-3712-4830-b8e8-fdbce5e3584b";
fsType = "ext4";
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/5fe5e76b-df3d-43ce-abf9-d2b63078df09"; } ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,38 @@
{ pkgs, lib, ... }:
{
imports = [
./hardware.nix
./unbound.nix
./wireguard.nix
];
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
boot.loader.grub.enable = false;
enableSystemdBoot = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
machineUsers = {
dala = {
description = "Dala";
groups = [ "wheel" ];
uid = 1000;
shell = pkgs.bash;
};
};
sops = {
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ ];
keyFile = "/var/lib/sops-nix/key.txt";
};
defaultSopsFile = ./secrets/secrets.yaml;
secrets = {
wg0_private = { };
};
};
}
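Review bot: `lib` is bound in the module arguments `{ pkgs, lib, ... }:` but is not referenced anywhere in the file; `{ pkgs, ... }:` is sufficient. `enableSystemdBoot = false;` sits between `boot.loader.grub.enable = false;` and `boot.loader.generic-extlinux-compatible.enable = true;`, and only the last of the three has an explanatory comment — moving the "Use the extlinux boot loader" comment above all three would make the block read as one decision. The sops block appears to mirror the other hosts (`gnupg.sshKeyPaths = [ ]`, an age `keyFile`), leaving `wg0_private` as the only host-specific secret declared here.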


@ -0,0 +1,15 @@
{ lib, ... }:
{
boot.initrd.availableKernelModules = [ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/1544d801-dbc4-492b-ae30-892f4d4cc349";
fsType = "ext4";
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}


@ -0,0 +1,33 @@
wg0_private: ENC[AES256_GCM,data:f+W43KoNREeBSTbmVK1Z+G5KAGhsKFQZYXR7/rAViNgEjobAUbaq03RYfZE=,iv:FjuEkb4xhXq1UqG+8USKpG59DbbPbfbzfyu02mvFR9g=,tag:izOWkkeyhE7FizxVOEvabQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUjRrVkZpTjJLa2JCbnJy
MEpBaFRFRzdIWENEMmZDbWNIbWxZRHk2NmgwCnZtVFpLejYvaUhjcFJGU0tHUnhu
ZEo1UDZ0VythdDZkYVpMMUlyL2dINkkKLS0tIHFUMUpWUlBqUjltdVg2bFo1N2FS
VWN1UnlDajAxbE1ySStHQmhDajVReGcKr9nNx6jVFjU1xEC8dw2yZlx3xHusSzPY
5dOglp4QVfFm3WjLXrfiIa09dPnKCiRswy33tshfWCObwEvvuOFoTQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-30T11:25:30Z"
mac: ENC[AES256_GCM,data:aC/QmbhvtNepBYp2pstcxh1a458caCVBEV5dw04aZzqqflLOT4zzoyrDPBGd8PV2sqzoC0K23bpxz5LcvzwHmHAiLaewOfT++/+VZ7d+4G3oAkZsDW4S4Zat4IJDQE6Rf2SjbltMGMxALvKj4qZNzeFYZRMLd2vj7FsnXGSEhG0=,iv:DtyXx+bSzXMvXc/ucTn1VK/YBkXerj+s0RPimJPjMPs=,tag:Vu4mrMt3N1xMPDaBR1Lg4g==,type:str]
pgp:
- created_at: "2024-07-30T11:24:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D0ZiEKlLM+TsSAQdAGrKWvgORZik4MmMVAlf4LVC7RuWCoJpwZJsXgCLDkQEw
vq1SJTftj2mSLPgJh1b1UkWIoScJIxh3Dw87XYe2sFQ5AvwoNI9932KfbETt3MB3
1GgBCQIQbrhFZNgQQoTpzLilPprVqpBEIiz2mfQiTUyCvmKhHVkKIykaxTtwH8dt
mwG0/dRryUyHLUtoQ1P/9danDRZfllHGXwEqo7BetVGuItLtaUoc59C8dRYB+zDv
gyG5IlOUShUhNg==
=fM1u
-----END PGP MESSAGE-----
fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -0,0 +1,71 @@
{ extraInfo, ... }:
let
localIps = extraInfo.hostsLocalIps;
in
{
# Resolvconf
networking.nameservers = [
"127.0.0.1"
"::1"
];
# DNS resolver configuration
services.adguardhome.enable = true;
networking.firewall = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [
80
443
];
};
services.unbound = {
enable = true;
settings = {
server = {
interface = [ "127.0.0.1" ];
port = "5354";
access-control = [ "127.0.0.0/8 allow" ];
root-hints = "/var/lib/unbound/root.hints";
do-ip4 = true;
do-tcp = true;
do-udp = true;
do-ip6 = false;
prefer-ip6 = false;
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
edns-buffer-size = 1232;
prefetch = true;
so-rcvbuf = "1m";
private-address = [
"192.168.0.0/16"
"10.0.0.0/24"
];
# Do not check DNSSEC for ntp.org, as RockPro64 has no BIOS battery
domain-insecure = [ "ntp.org" ];
};
remote-control = {
control-enable = true;
};
local-data = [
"\"london A ${localIps.london}\""
"\"camelot A ${localIps.camelot}\""
"\"okeanos A ${localIps.okeanos}\""
"\"fuyuki A ${localIps.fuyuki}\""
];
};
};
}
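Review bot: The firewall opens UDP 53 but not TCP 53 (`allowedTCPPorts = [ 80 443 ];`), so clients that retry over TCP after a truncated UDP answer are refused; if AdGuard Home is the resolver exposed on 53 here, `allowedTCPPorts = [ 53 80 443 ];` is needed. `private-address` lists `10.0.0.0/24`, which looks like a slip for the RFC 1918 block `10.0.0.0/8` (and `172.16.0.0/12` is absent altogether) — please confirm the rebind-protection scope that was intended. Unbound itself is bound to `127.0.0.1` on port `5354` with loopback-only `access-control`, which is the right exposure, but nothing in this file points AdGuard Home at `127.0.0.1:5354` as its upstream, so that wiring presumably lives in its runtime state. A one-line comment on `services.adguardhome.enable` naming the intended chain (clients → AdGuard Home :53 → unbound :5354) would make the file self-explanatory.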


@ -0,0 +1,37 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.wg-quick.interfaces.wg0 = {
address = [ "10.100.0.1/8" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
peers = [
{
# PC Portable
publicKey = "maCF41/gOh5p0BBgOh0x9S/ourGSM7qrFfEgmB+XGHY=";
allowedIPs = [ "10.100.0.3" ];
}
{
# PC Fixe
publicKey = "AvW61c9iSO0NiMrXpPsdeWigTO3JTCadqY5Wq5xLPH8=";
allowedIPs = [ "10.100.0.4" ];
}
{
# Mate 20 Pro
publicKey = "JoW+Iwysip46WWKJINneXWWG2YszzKEKlI3dW4SIjg0=";
allowedIPs = [ "10.100.0.5" ];
}
# Camelot
{
publicKey = "lDGxdsruARpkOlZHCkdkNg4v+eEU9m+jt0VO0v747gk=";
allowedIPs = [ "10.100.0.6" ];
}
];
};
}
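Review bot: `address = [ "10.100.0.1/8" ];` gives the hub a /8 on wg0, routing the whole 10.0.0.0/8 into the tunnel on this host, while the peer side in this commit uses `10.100.0.3/24` and `allowedIPs = [ "10.100.0.1/32" ]`; `address = [ "10.100.0.1/24" ];` matches the peers and keeps any other 10.x network off the tunnel. The peer entries write `allowedIPs = [ "10.100.0.3" ]` without a prefix length whereas the workstation side writes `/32` explicitly; to my reading wg treats the bare address as a /32, but spelling it `"10.100.0.3/32"` keeps the two files consistent and the intent visible. Opening UDP `51820` and reading `privateKeyFile` from the sops secret are as expected for the hub.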


@ -23,11 +23,11 @@
}, },
"extra-config": { "extra-config": {
"locked": { "locked": {
"lastModified": 1712861099, "lastModified": 1722362784,
"narHash": "sha256-IRN1siAfi/JY5mVRrEepdNIA6Q6K/LSR4ifX34pRe04=", "narHash": "sha256-BREwW6SlaX5kshXXRCkDgJUVvgf+Wd1/icSx6jALPR0=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "98fe4b816f2b3d9f2cdb0765c08156bea9ab72de", "rev": "14fdbdd08db2759d733a6f349e1920c0c636c6d1",
"revCount": 4, "revCount": 5,
"type": "git", "type": "git",
"url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git" "url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git"
}, },
@ -204,11 +204,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722119539, "lastModified": 1722321190,
"narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", "narHash": "sha256-WeVWVRqkgrbLzmk6FfJoloJ7Xe7HWD27Pv950IUG2kI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", "rev": "4fcd54df7cbb1d79cbe81209909ee8514d6b17a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -346,11 +346,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1722087241, "lastModified": 1722221733,
"narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8c50662509100d53229d4be607f1a3a31157fa12", "rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -378,11 +378,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1722062969, "lastModified": 1722185531,
"narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=", "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3", "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -51,53 +51,75 @@
}: }:
let let
machines = import ./machines.nix; machines = import ./machines.nix;
in lixModules = {
{ stable = lix-module-stable;
nixosConfigurations = builtins.mapAttrs ( unstable = lix-module-unstable;
name: value: };
let nixpkgsVersions = {
nixpkgs = if value.nixpkgsUnstable then nixpkgs-unstable else nixpkgs-stable; stable = nixpkgs-stable;
lix-module = if value.nixpkgsUnstable then lix-module-unstable else lix-module-stable; unstable = nixpkgs-unstable;
in };
nixpkgs.lib.nixosSystem { machinesNodes = builtins.mapAttrs (
system = value.system; name: config:
{ ... }:
specialArgs = { {
machineInfos = { imports = [
hostname = name; lixModules.${config.nixpkgs}.nixosModules.default
} // value;
sopsHmModule = sops-nix.homeManagerModules.sops;
extraInfo = extra-config.extraSecrets;
};
modules = [
./configurations/${name} ./configurations/${name}
./modules/common (if (config.type == "workstation") then ./modules/workstation else ./modules/server)
(if (value.machineType == "workstation") then ./modules/workstation else ./modules/server)
( (
if (value.machineType == "workstation" && value.enableHomeManager) then if (config.type == "workstation" && config.enableHomeManager) then
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
else else
{ } { }
) )
sops-nix.nixosModules.sops (if (config.system == "x86_64-linux") then lanzaboote.nixosModules.lanzaboote else { })
lix-module.nixosModules.default
lanzaboote.nixosModules.lanzaboote
]; ];
deployment.allowLocalDeployment = config.localDeployment;
networking.hostName = name;
system.stateVersion = config.stateVersion;
} }
) machines; ) machines;
buildOptionnalSpecialArgsForMachine =
config:
{
machineProps = config;
}
// (if config.enableHomeManager then { sopsHmModule = sops-nix.homeManagerModules.sops; } else { });
in
{
colmena = {
meta = {
name = "dala's infrastructure";
# Here we have to set this value because colmena needs it, but it will be overriden on all hosts
# by the nodeNixpkgs attribute
nixpkgs = import nixpkgsVersions.stable { system = "x86_64-linux"; };
nodeNixpkgs = builtins.mapAttrs (
name: config: import nixpkgsVersions.${config.nixpkgs} { system = config.system; }
) machines;
nodeSpecialArgs = builtins.mapAttrs (
name: config:
{ extraInfo = extra-config.extraSecrets; } // (buildOptionnalSpecialArgsForMachine config)
) machines;
};
defaults =
{ ... }:
{
imports = [ sops-nix.nixosModules.sops ];
};
} // machinesNodes;
formatter = builtins.listToAttrs ( formatter = builtins.listToAttrs (
map (system: { map (system: {
name = system; name = system;
value = nixpkgs-unstable.legacyPackages.${system}.nixfmt-rfc-style; value = nixpkgsVersions.unstable.legacyPackages.${system}.nixfmt-rfc-style;
}) flake-utils.lib.defaultSystems }) flake-utils.lib.defaultSystems
); );
hydraJobs = {
nixos = builtins.mapAttrs (_: cfg: cfg.config.system.build.toplevel) self.nixosConfigurations;
};
}; };
} }
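Review bot: `buildOptionnalSpecialArgsForMachine` is misspelled (`buildOptionalSpecialArgsForMachine`), and the comment above `meta.nixpkgs` has `overriden` for `overridden`; both are on the new side. If the `hydraJobs` attribute at the end of the hunk survives on the new side, it still reads `self.nixosConfigurations`, an output this commit replaces with `colmena`, and would fail to evaluate — the rendered view does not make its side certain, so please check. The per-node module now sets `networking.hostName = name;` and `system.stateVersion = config.stateVersion;` directly and imports lanzaboote only for `x86_64-linux`, which is the right guard for the aarch64 host; a one-line comment on `machinesNodes` saying that every node is derived from `machines.nix` (type, nixpkgs channel, deployment mode) would orient readers coming from the old `nixosConfigurations` layout.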


@ -1,25 +1,37 @@
{ {
london = { london = {
machineType = "workstation"; type = "workstation";
nixpkgsUnstable = true; nixpkgs = "unstable";
system = "x86_64-linux"; system = "x86_64-linux";
enableHomeManager = true; enableHomeManager = true;
stateVersion = "23.11"; stateVersion = "23.11";
localDeployment = true;
}; };
camelot = { camelot = {
machineType = "server"; type = "server";
nixpkgsUnstable = false; nixpkgs = "stable";
system = "x86_64-linux"; system = "x86_64-linux";
enableHomeManager = false; enableHomeManager = false;
stateVersion = "23.11"; stateVersion = "23.11";
localDeployment = false;
}; };
fuyuki = { fuyuki = {
machineType = "workstation"; type = "workstation";
nixpkgsUnstable = true; nixpkgs = "unstable";
system = "x86_64-linux"; system = "x86_64-linux";
enableHomeManager = true; enableHomeManager = true;
stateVersion = "22.05"; stateVersion = "22.05";
localDeployment = true;
};
okeanos = {
type = "server";
nixpkgs = "stable";
system = "aarch64-linux";
enableHomeManager = false;
stateVersion = "23.05";
localDeployment = false;
}; };
} }


@ -2,35 +2,10 @@
lib, lib,
config, config,
pkgs, pkgs,
machineProps,
... ...
}: }:
with lib; with lib;
let
luksDevicesModule = types.submodule {
options.name = mkOption {
type = types.str;
description = ''
The partition name.
'';
};
options.deviceUUID = mkOption {
type = types.str;
description = ''
The partition device UUID.
'';
};
options.isPreLVM = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether the decrypted partition will be a LVM device.
'';
};
};
in
{ {
options.enableSystemdBoot = mkOption { options.enableSystemdBoot = mkOption {
type = types.bool; type = types.bool;
@ -42,31 +17,20 @@ in
''; '';
}; };
options.luksDevices = mkOption { config.environment.systemPackages = lib.mkIf config.enableSystemdBoot [ pkgs.sbctl ];
type = types.listOf luksDevicesModule; config.boot =
default = [ ]; {
description = '' loader.systemd-boot.enable = false;
List of LUKS devices. }
''; // (
}; if config.enableSystemdBoot then
{
config = { lanzaboote = {
boot.initrd.luks.devices = builtins.listToAttrs ( enable = true;
map (fs: { pkiBundle = "/etc/secureboot";
name = fs.name; };
value = { }
device = "/dev/disk/by-uuid/${fs.deviceUUID}"; else
preLVM = fs.isPreLVM; { }
};
}) config.luksDevices
); );
boot.loader.systemd-boot.enable = false;
boot.lanzaboote = lib.mkIf config.enableSystemdBoot {
enable = true;
pkiBundle = "/etc/secureboot";
};
environment.systemPackages = lib.mkIf config.enableSystemdBoot [ pkgs.sbctl ];
};
} }
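Review bot: `machineProps` is added to the module arguments but is not referenced in any visible line of this file; unless it is used in the lines between the two hunks, drop it. The switch from `lib.mkIf config.enableSystemdBoot { … }` to merging `lanzaboote = { … }` into `config.boot` with `//` has a non-obvious reason that deserves a comment — it appears to be that flake.nix now imports the lanzaboote module only on `x86_64-linux`, so `boot.lanzaboote` is not a defined option on the aarch64 host and even an `mkIf false` definition of it would fail evaluation; a line such as `# Merge rather than mkIf: boot.lanzaboote does not exist on hosts where the lanzaboote module is not imported` above `config.boot =` would capture that. `pkiBundle = "/etc/secureboot"` and the `sbctl` package line are unchanged in effect.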


@ -2,14 +2,12 @@
lib, lib,
config, config,
pkgs, pkgs,
machineInfos,
modulesPath, modulesPath,
... ...
}: }:
with lib; with lib;
{ {
imports = [ imports = [
./filesystem.nix
./boot.nix ./boot.nix
./linux.nix ./linux.nix
./nix.nix ./nix.nix
@ -19,18 +17,6 @@ with lib;
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
options.machineType = mkOption {
type = types.enum [
"workstation"
"server"
];
default = "workstation";
example = "server";
description = ''
What is the type of this machine.
'';
};
options.isProfessional = mkOption { options.isProfessional = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -50,9 +36,6 @@ with lib;
}; };
config = { config = {
machineType = machineInfos.machineType;
system.stateVersion = machineInfos.stateVersion;
networking.hostName = machineInfos.hostname;
virtualisation.docker.enable = config.enableDocker; virtualisation.docker.enable = config.enableDocker;
# Only enable fish shell if there is at least one user using it. # Only enable fish shell if there is at least one user using it.
@ -63,12 +46,5 @@ with lib;
# We always want to disable the X server as only workstation use windows manager # We always want to disable the X server as only workstation use windows manager
# and they always use wayland. # and they always use wayland.
services.xserver.enable = false; services.xserver.enable = false;
assertions = [
{
assertion = !(config.machineType == "server" && config.isProfessional);
message = "Only workstations can be professionnal hardware";
}
];
}; };
} }
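Review bot: The assertion `!(config.machineType == "server" && config.isProfessional)` is removed together with the `machineType` option, and nothing visible in this commit re-establishes the check; the server module hunks in this commit do not contain an assertion either. Since the server module now knows by construction that it is the server side, the equivalent is `assertions = [ { assertion = !config.isProfessional; message = "Only workstations can be professional hardware"; } ];` in modules/server, which also fixes the old message's `professionnal` spelling. The `isProfessional` option itself stays in this file, so the invariant still has somewhere to attach.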


@ -1,66 +0,0 @@
{ lib, config, ... }:
with lib;
let
fsModule = types.submodule {
options = {
mountpoint = mkOption {
type = types.str;
description = ''
The filesystem mountpoint.
'';
};
deviceUUID = mkOption {
type = types.str;
description = ''
The volume UUID.
'';
};
fsType = mkOption {
type = types.str;
description = ''
The volume filesystem.
'';
};
};
};
in
{
options.filesystems = mkOption {
type = types.listOf fsModule;
default = [ ];
example = [
{
mountpoint = "/";
deviceUUID = "XXXXX-YYYYYY-AJDKKSKSJ";
fsType = "ext4";
}
];
description = ''
The machine filesystem tree description.
'';
};
options.swapDeviceUUID = mkOption {
type = types.nullOr types.str;
default = null;
};
config = {
fileSystems = builtins.listToAttrs (
map (fs: {
name = fs.mountpoint;
value = {
device = "/dev/disk/by-uuid/${fs.deviceUUID}";
fsType = fs.fsType;
};
}) config.filesystems
);
swapDevices = mkIf (config.swapDeviceUUID != null) [
{ device = "/dev/disk/by-uuid/${config.swapDeviceUUID}"; }
];
};
}


@ -2,8 +2,12 @@
lib, lib,
config, config,
pkgs, pkgs,
machineProps,
... ...
}: }:
let
hwAccelerationOptionPath = if (machineProps == "unstable") then "graphics" else "opengl";
in
with lib; with lib;
{ {
options.hwAccelerationGPU = mkOption { options.hwAccelerationGPU = mkOption {
@ -24,10 +28,9 @@ with lib;
config = { config = {
boot.kernelParams = mkIf (config.hwAccelerationGPU == "intel") [ "i915.enable_guc=2" ]; boot.kernelParams = mkIf (config.hwAccelerationGPU == "intel") [ "i915.enable_guc=2" ];
hardware.opengl = { # Small hack as this option path changes between 24.05 and unstable
hardware.${hwAccelerationOptionPath} = {
enable = config.hwAccelerationGPU != null; enable = config.hwAccelerationGPU != null;
driSupport = true;
driSupport32Bit = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
(mkIf (config.hwAccelerationGPU == "intel") intel-media-driver) (mkIf (config.hwAccelerationGPU == "intel") intel-media-driver)
(mkIf (config.hwAccelerationGPU == "intel") intel-compute-runtime) (mkIf (config.hwAccelerationGPU == "intel") intel-compute-runtime)
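Review bot: `hwAccelerationOptionPath = if (machineProps == "unstable") then "graphics" else "opengl";` compares the whole `machineProps` attribute set to a string, so the condition is always false and every host takes the `opengl` path — including the unstable workstations the comment says the hack is for; it should read `if (machineProps.nixpkgs == "unstable") then "graphics" else "opengl"`, matching the `nixpkgs = "unstable"` field in machines.nix. The selector has to stay independent of `config`, since it is used as a dynamic attribute name in `hardware.${hwAccelerationOptionPath}`; keying on the channel name satisfies that, though a version test such as `lib.versionAtLeast lib.version "24.11"` would survive a later channel bump without edits. Removing `driSupport32Bit = true;` may also drop 32-bit DRI on the 24.05 path if that option's default does not cover it — please confirm that is intended.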


@ -1,38 +1,9 @@
{ lib, config, ... }: { lib, config, ... }:
with lib; with lib;
{ {
options.enableFirewall = mkOption {
type = types.bool;
default = true;
example = false;
description = ''
Whether or not to enable firewall.
'';
};
options.extraAllowedTCPPorts = mkOption {
type = types.listOf types.port;
default = [ ];
example = [ 53 ];
description = ''
List of custom TCP ports to open in the firewall.
'';
};
options.extraAllowedUDPPorts = mkOption {
type = types.listOf types.port;
default = [ ];
example = [ 53 ];
description = ''
List of custom UDP ports to open in the firewall.
'';
};
config = { config = {
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.useDHCP = mkDefault true; networking.useDHCP = mkDefault true;
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = config.extraAllowedTCPPorts;
networking.firewall.allowedUDPPorts = config.extraAllowedUDPPorts;
}; };
} }


@ -1,5 +1,6 @@
{ {
imports = [ imports = [
../common
./network.nix ./network.nix
./nginx.nix ./nginx.nix
]; ];


@ -1,14 +1,8 @@
{ lib, config, ... }: { lib, config, ... }:
with lib; with lib;
{ {
options.server.networking.enableSSH = mkOption {
type = types.bool;
default = true;
example = false;
};
config = { config = {
services.openssh = mkIf config.server.networking.enableSSH { services.openssh = {
enable = true; enable = true;
settings = { settings = {
StrictModes = true; StrictModes = true;
@ -21,7 +15,7 @@ with lib;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
(mkIf config.services.nginx.enable 80) (mkIf config.services.nginx.enable 80)
(mkIf config.services.nginx.enable 443) (mkIf config.services.nginx.enable 443)
(mkIf config.server.networking.enableSSH 22) (mkIf config.services.openssh.enable 22)
]; ];
}; };
} }
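Review bot: With the `server.networking.enableSSH` option gone, `services.openssh` is enabled unconditionally on every server, so the hardening in its `settings` block now applies to all of them; that block continues outside the hunk, and if `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` are not already there next to `StrictModes = true;`, this is the place to add them. The firewall entry `(mkIf config.services.openssh.enable 22)` duplicates what `services.openssh.openFirewall` (default true) already does, so either drop it or leave a one-line comment saying it is kept as explicit documentation. Removing the option also removes the per-host opt-out, which is fine as long as no server is ever meant to run without SSH.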


@ -2,7 +2,7 @@
lib, lib,
config, config,
pkgs, pkgs,
machineInfos, machineProps,
sopsHmModule, sopsHmModule,
... ...
}: }:
@ -10,6 +10,7 @@ with lib;
{ {
imports = [ imports = [
../common
./sound.nix ./sound.nix
./desktop.nix ./desktop.nix
./bluetooth.nix ./bluetooth.nix
@ -25,7 +26,7 @@ with lib;
}; };
config = { config = {
enableHomeManager = machineInfos.enableHomeManager; enableHomeManager = machineProps.enableHomeManager;
home-manager.useGlobalPkgs = mkIf config.enableHomeManager true; home-manager.useGlobalPkgs = mkIf config.enableHomeManager true;
home-manager.useUserPackages = mkIf config.enableHomeManager true; home-manager.useUserPackages = mkIf config.enableHomeManager true;
@ -43,7 +44,7 @@ with lib;
{ {
home.username = name; home.username = name;
home.homeDirectory = "/home/${name}"; home.homeDirectory = "/home/${name}";
home.stateVersion = machineInfos.stateVersion; home.stateVersion = machineProps.stateVersion;
programs.home-manager.enable = true; programs.home-manager.enable = true;
enableFishShell = value.shell == pkgs.fish; enableFishShell = value.shell == pkgs.fish;
isProfessional = config.isProfessional; isProfessional = config.isProfessional;