diff --git a/nixos/common/global/age.nix b/nixos/common/global/age.nix new file mode 100644 index 0000000..9020ce9 --- /dev/null +++ b/nixos/common/global/age.nix @@ -0,0 +1,24 @@ +{ config, pkgs, ... }: +let + hostname = config.networking.hostName; +in +{ + environment.systemPackages = with pkgs; [ + agenix-rekey + ]; + + age = { + # Master identity used for decryption + rekey.masterIdentities = [ ../users/sajenim/agenix-rekey.pub ]; + # Pubkey for rekeying + rekey.hostPubkey = ../../${hostname}/ssh_host_ed25519_key.pub; + # As user not a trusted-users in our nix.conf + # we must add age.rekey.cacheDir as a global extra sandbox path + rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\""; + }; + + # Required to persist `/var/tmp/agenix-rekey` + environment.persistence."/persist".directories = [ + { directory = "/var/tmp/agenix-rekey"; mode = "1777"; } + ]; +} diff --git a/nixos/common/global/default.nix b/nixos/common/global/default.nix index 39c36b5..f6382be 100644 --- a/nixos/common/global/default.nix +++ b/nixos/common/global/default.nix @@ -1,14 +1,21 @@ -{ outputs, ... }: +{ inputs, outputs, ... }: { imports = [ + inputs.home-manager.nixosModules.home-manager + inputs.agenix.nixosModules.default + inputs.agenix-rekey.nixosModules.default + ./age.nix + ./env.nix ./nix.nix ./ssh.nix - ./system-tools.nix ]; nixpkgs = { overlays = [ + # Overlays exported from other flakes + inputs.agenix-rekey.overlays.default + # Overlays our own flake exports outputs.overlays.additions outputs.overlays.modifications outputs.overlays.unstable-packages diff --git a/nixos/common/global/system-tools.nix b/nixos/common/global/env.nix similarity index 86% rename from nixos/common/global/system-tools.nix rename to nixos/common/global/env.nix index 9fd6107..ff33597 100644 --- a/nixos/common/global/system-tools.nix +++ b/nixos/common/global/env.nix 
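Review bot: `environment.persistence."/persist".directories` creates `/var/tmp/agenix-rekey` with `mode = "1777"`, while `rekey.cacheDir` (judging by the quoted `$UID`) places each user's cache in a per-UID subdirectory beneath it; the sticky bit stops other users deleting entries but not creating them, so on a multi-user host a `<uid>` subdirectory could already exist under someone else's ownership before the rekeying user first writes there — the familiar shared-`/tmp` problem. If the host is single-user this is harmless; otherwise prefer an owning group with a tighter mode, and in any case add a why-comment next to `mode = "1777"`. The comment above `rekey.cacheDir` says the path must be added as a global extra sandbox path, but no `nix.settings.extra-sandbox-paths` entry is in this hunk; if it lives in `nix.nix`, a pointer such as `# registered in nix.nix via extra-sandbox-paths` would make that dependency visible.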
@@ -2,6 +2,8 @@ { environment = { + binsh = "${pkgs.bash}/bin/bash"; + shells = with pkgs; [ zsh ]; systemPackages = with pkgs; [ # Ensure home-manager is on all systems home-manager @@ -25,5 +27,6 @@ unrar # extract roshal archive unzip # extract zip archive ]; + pathsToLink = [ "/share/zsh" ]; }; } diff --git a/nixos/common/global/ssh.nix b/nixos/common/global/ssh.nix index 01f59b2..eabf9f3 100644 --- a/nixos/common/global/ssh.nix +++ b/nixos/common/global/ssh.nix @@ -7,7 +7,6 @@ PermitRootLogin = "no"; PasswordAuthentication = false; }; - ports = [ 48654 ]; openFirewall = true; }; } diff --git a/nixos/common/optional/key.nix b/nixos/common/optional/key.nix new file mode 100644 index 0000000..0006b83 --- /dev/null +++ b/nixos/common/optional/key.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + # Configure your YubiKey via the command line + yubikey-manager + # Enables files to be encrypted to age identities stored on YubiKeys + age-plugin-yubikey + ]; + + # GPG and SSH support + services.udev.packages = [ pkgs.yubikey-personalization ]; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # Use our yubikey as a user login or for sudo access + security.pam.services = { + login.u2fAuth = true; + sudo.u2fAuth = true; + }; +} diff --git a/nixos/common/optional/persist.nix b/nixos/common/optional/persist.nix index 26d3b1b..8e18250 100644 --- a/nixos/common/optional/persist.nix +++ b/nixos/common/optional/persist.nix @@ -1,6 +1,10 @@ -{ ... }: +{ inputs, ... }: { + imports = [ + inputs.impermanence.nixosModules.impermanence + ]; + # Files and directories we with to keep between reboots environment.persistence."/persist" = { hideMounts = true; @@ -19,4 +23,5 @@ "/etc/ssh/ssh_host_ed25519_key.pub" ]; }; + programs.fuse.userAllowOther = true; } diff --git a/nixos/common/optional/wireguard/default.nix b/nixos/common/optional/wireguard/default.nix new file mode 100644 index 0000000..d124f52 --- /dev/null 
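Review bot: `login.u2fAuth = true` and `sudo.u2fAuth = true` in `key.nix` enable pam_u2f with the module's default control value, which (unless `security.pam.u2f.control` is set elsewhere) is `sufficient`: a touched YubiKey replaces the password rather than supplementing it, and a missing `~/.config/Yubico/u2f_keys` falls back to password-only without any error. If the intent is a second factor, add `security.pam.u2f.control = "required";` in this file and register the keys beforehand; either way a comment stating which of the two behaviours is intended would help the next reader. Note also that `age-plugin-yubikey` needs `services.pcscd` running, which this diff enables in `nixos/fuchsia/configuration.nix` rather than here, so another host importing `key.nix` would get the plugin without the daemon — `services.pcscd.enable = true;` belongs in this module.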
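Review bot: `programs.fuse.userAllowOther = true;` at the end of the second `persist.nix` hunk is a system-wide change (it lets any unprivileged user mount FUSE filesystems with `allow_other`) with no comment explaining why; presumably it is for home-manager's impermanence bind mounts, but that is not visible here. Add a why-comment such as `# Needed for home-manager impermanence bind mounts (allow_other); review if that module goes away` so the setting does not outlive its reason. Separately, the persistence list in the first hunk shows only `/etc/ssh/ssh_host_ed25519_key.pub`; make sure the private `/etc/ssh/ssh_host_ed25519_key` is in the same list (it may be just above the visible context), because agenix decrypts host secrets against it and a regenerated key after reboot would break every secret rekeyed for that host.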
+++ b/nixos/common/optional/wireguard/default.nix @@ -0,0 +1,44 @@ +{ pkgs, config, ... }: + +{ + age.secrets.wireguard = { + rekeyFile = ./private.age; + owner = "root"; + group = "root"; + }; + networking = { + nat = { + enable = true; + externalInterface = "wlp2s0"; + internalInterfaces = [ "wg0" ]; + }; + wireguard.interfaces = { + wg0 = { + # IP address and subnet of the server's end of the tunnel interface + ips = [ "10.100.0.1/24" ]; + listenPort = 51820; + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE + ''; + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE + ''; + # Path to the private key file. + privateKeyFile = config.age.secrets.wireguard.path; + peers = [ + { # Pixel 6 Pro + publicKey = "VaXMnFAXdbJCllNY5sIjPp9AcSM7ap2oA0tU9SIMK3E="; + allowedIPs = [ "10.100.0.2/32" ]; + } + { # Samsung S23 Ultra + publicKey = "dL91i7+VDWfeLCOr53JlzQ32WJ3lRJGqdecoqUpEnlQ="; + allowedIPs = [ "10.100.0.3/32" ]; + } + ]; + }; + }; + }; +} diff --git a/nixos/common/optional/wireguard/private.age b/nixos/common/optional/wireguard/private.age new file mode 100644 index 0000000..b4cdc1b --- /dev/null +++ b/nixos/common/optional/wireguard/private.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> piv-p256 hdSnGw A/NcMAzxWqwfIj8WgcgfTBJvEnL5WgdKHwUnYfXN68pi +P6/BFTnqTakpTcVNayWomuXrE8E8dSHftODD+3E8aps +-> ]@Y:GoO$-grease 6 +v+HE7AkcnlS/pBdhL19CdYHTJGL7EZrvPfRs8j54LnxzJ9hjaBtydX4N/sIo6mjI +444BncysktRop1LB7A +--- 0sHzYGeQ0FGC5gJFdFNs5PZfVuR5cleMoPz7ry29fXU +qZçöóQ3Â’DF;žõ±þCÊ6%Æ«âspïgSRmP¾4»Œ8]:ÌMZåPƒ»G>òd«Å—g?ß(¢Œ93öM¯7÷, \ No newline at end of file 
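Review bot: The module sets `listenPort = 51820` but does not open that port in the firewall, so it relies on each importing host doing so; the viridian configuration in this diff lists `51820 # Wireguard` inside what appears to be the `allowedTCPPorts` block (the lines between the two viridian hunks are not shown), and WireGuard listens on UDP. Adding `networking.firewall.allowedUDPPorts = [ 51820 ];` here makes the module self-contained and removes that ambiguity. The interface name `wlp2s0` and the subnet `10.100.0.0/24` are repeated as literals in `nat.externalInterface`, `postSetup` and `postShutdown`; referencing `config.networking.nat.externalInterface` in the two iptables strings keeps them from drifting apart. With `networking.nat.internalInterfaces = [ "wg0" ]` NixOS already installs a masquerade rule for that interface, so the manual `iptables` rules may be redundant — worth confirming before keeping both.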
diff --git a/nixos/common/users/sajenim/agenix-rekey.pub b/nixos/common/users/sajenim/agenix-rekey.pub new file mode 100644 index 0000000..8b9c719 --- /dev/null +++ b/nixos/common/users/sajenim/agenix-rekey.pub @@ -0,0 +1 @@ +AGE-PLUGIN-YUBIKEY-1S6XLYQYZSH22WXCHDCFRJ diff --git a/nixos/common/users/sajenim/default.nix b/nixos/common/users/sajenim/default.nix index 56df9bb..202557e 100644 --- a/nixos/common/users/sajenim/default.nix +++ b/nixos/common/users/sajenim/default.nix @@ -1,16 +1,12 @@ -{ inputs, outputs, pkgs, ... }: +{ inputs, outputs, pkgs, config, ... }: { - imports = [ - "${inputs.self}/nixos/common/optional/steam.nix" - ]; - users.users.sajenim = { isNormalUser = true; extraGroups = [ "audio" "docker" "networkmanager" "wheel" ]; shell = pkgs.zsh; openssh.authorizedKeys.keyFiles = [ - "${inputs.self}/home-manager/sabrina/id_ed25519.pub" + "${inputs.self}/home-manager/sajenim/sajenim_sk.pub" ]; hashedPassword = "$y$j9T$qIhW5qL9J9w.w6JWa.bGo/$oddG3HJyOZ1mwHzYnYPJ/MzN38oHEBEvPDc0sB3rAf9"; }; @@ -19,7 +15,7 @@ home-manager = { extraSpecialArgs = { inherit inputs outputs; }; users = { - sajenim = import "${inputs.self}/home-manager/sajenim/home.nix"; + sajenim = import "${inputs.self}/home-manager/sajenim/${config.networking.hostName}.nix"; }; }; } diff --git a/nixos/fuchsia/configuration.nix b/nixos/fuchsia/configuration.nix index 8681745..a1c92d8 100644 --- a/nixos/fuchsia/configuration.nix +++ b/nixos/fuchsia/configuration.nix @@ -1,12 +1,11 @@ -{ inputs, pkgs, ... }: +{ pkgs, ... }: { imports = [ - inputs.impermanence.nixosModules.impermanence - inputs.home-manager.nixosModules.home-manager - ../common/global ../common/users/sajenim + ../common/optional/key.nix + ../common/optional/steam.nix ./hardware-configuration.nix ]; 
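Review bot: The new `agenix-rekey.pub` holds an age-plugin-yubikey identity stub (the `AGE-PLUGIN-YUBIKEY-1…` form), which is what `age.rekey.masterIdentities` in `age.nix` expects, but the `.pub` suffix suggests an age recipient (`age1yubikey1…`) and invites the next reader to treat it as a public key or to try encrypting to it. The stub only names a serial/slot on the YubiKey and is safe to commit; say so in the file, since age identity files accept `#` comment lines: `# age-plugin-yubikey identity stub (serial/slot reference only, not a secret); master identity for agenix-rekey`. Renaming it to something like `agenix-rekey.identity`, with the path in `age.nix` updated to match, would remove the ambiguity entirely.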
@@ -48,55 +47,13 @@ networkmanager.enable = true; }; - fonts = { - packages = with pkgs; [ - fantasque-sans-mono - fira-code - ibm-plex - inconsolata - iosevka - jetbrains-mono - ]; - }; - - environment = { - # Symlink /bin/sh to POSIX-Complient shell - binsh = "${pkgs.bash}/bin/bash"; - shells = with pkgs; [ zsh ]; - # Install packages, prefix with 'unstable.' to use overlay - systemPackages = with pkgs; [ - # Audio - pulsemixer - # Code editors - emacs vscode - # Browsers - firefox - # Graphics - gimp inkscape krita - # Printing - blender freecad openscad prusa-slicer - # Misc - openrgb protonup-ng - # Hardware - libratbag piper - ]; - # Completions for system packages - pathsToLink = [ "/share/zsh" ]; - }; - programs = { zsh.enable = true; - gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - fuse.userAllowOther = true; direnv.enable = true; }; services = { udev.packages = with pkgs; [ - yubikey-personalization openrgb qmk-udev-rules ]; @@ -113,6 +70,7 @@ displayManager.startx.enable = true; }; ratbagd.enable = true; + pcscd.enable = true; }; virtualisation.docker = { @@ -120,11 +78,6 @@ liveRestore = false; }; - security.pam.services = { - login.u2fAuth = true; - sudo.u2fAuth = true; - }; - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "22.11"; } diff --git a/nixos/fuchsia/hardware-configuration.nix b/nixos/fuchsia/hardware-configuration.nix index 7363f73..b4742db 100644 --- a/nixos/fuchsia/hardware-configuration.nix +++ b/nixos/fuchsia/hardware-configuration.nix @@ -10,7 +10,7 @@ availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; kernelModules = [ "kvm-amd" ]; }; - loader= { + loader = { systemd-boot.enable = true; efi = { canTouchEfiVariables = true; @@ -31,7 +31,6 @@ ]; networking.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } 
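Review bot: `pcscd.enable = true` is added to this host's `services` block, but the things that need it — `age-plugin-yubikey` and the gnupg/SSH agent setup — were moved into `../common/optional/key.nix` in the same commit, so the daemon should travel with them; a host that imports `key.nix` without this line gets a plugin that cannot reach the token. Move the line into `key.nix` as `services.pcscd.enable = true;`. The `fonts.packages` list and the desktop `systemPackages` removed in the first hunk have no destination anywhere in this diff; presumably they moved to the per-host home-manager file now selected by `${config.networking.hostName}.nix`, but confirm nothing was dropped (for example `libratbag`/`piper`, which pair with the `ratbagd.enable` kept here).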
diff --git a/nixos/viridian/configuration.nix b/nixos/viridian/configuration.nix index a74383a..8f7d6fc 100644 --- a/nixos/viridian/configuration.nix +++ b/nixos/viridian/configuration.nix 
@@ -1,120 +1,20 @@ -# This is your system's configuration file. -# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix) +{ outputs, pkgs, ... }: + { - inputs, - outputs, - lib, - config, - pkgs, - ... -}: { - # You can import other NixOS modules here imports = [ - # If you want to use modules your own flake exports (from modules/nixos): - # outputs.nixosModules.example - outputs.nixosModules.qbittorrent + ../common/global + ../common/users/sajenim + ../common/optional/wireguard - # Or modules from other flakes (such as nixos-hardware): - - # You can also split up your configuration and import pieces of it here: - # ./users.nix - - # Import common configurations - ../common/system-tools.nix - - # Import containers - ./containers/dashboard - ./containers/microbin - ./containers/multimedia - - # Import services - ./services/adguardhome - ./services/borgbackup - ./services/home-assistant - ./services/minecraft-server - ./services/traefik - - # Import your generated (nixos-generate-config) hardware configuration + ./services + ./containers ./hardware-configuration.nix + + outputs.nixosModules.qbittorrent ]; - age.secrets.wireguard = { - # Private key for wireguard - file = inputs.self + /secrets/wireguard.age; - owner = "root"; - group = "root"; - }; - - nixpkgs = { - # You can add overlays here - overlays = [ - # Add overlays your own flake exports (from overlays and pkgs dir): - outputs.overlays.additions - outputs.overlays.modifications - outputs.overlays.unstable-packages - - # You can also add overlays exported from other flakes: - # neovim-nightly-overlay.overlays.default - - # Or define it inline, for example: - # (final: prev: { - # hi = final.hello.overrideAttrs (oldAttrs: { - # patches = [ ./change-hello-to-hi.patch ]; - # }); - # }) - ]; - # Configure your nixpkgs instance - config = { - # Disable if you don't want unfree packages - allowUnfree = true; - packageOverrides = pkgs: { - # enable vaapi on OS-level - vaapiIntel = 
pkgs.vaapiIntel.override { enableHybridCodec = true; }; - }; - }; - }; - - nix = { - gc = { - # Automatically run the garbage collector an a specified time. - automatic = true; - dates = "weekly"; - options = "--delete-older-than 30d"; - }; - - # This will add each flake input as a registry - # To make nix3 commands consistent with your flake - registry = lib.mapAttrs (_: value: {flake = value;}) inputs; - - # This will additionally add your inputs to the system's legacy channels - # Making legacy nix commands consistent as well, awesome! - nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry; - - settings = { - # Enable flakes and new 'nix' command - experimental-features = "nix-command flakes"; - # Deduplicate and optimize nix store - auto-optimise-store = true; - }; - }; - - # Select internationalisation properties - i18n.defaultLocale = "en_AU.UTF-8"; - # Set timezone - time.timeZone = "Australia/Perth"; - - boot = { - loader = { - systemd-boot.enable = true; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot/efi"; - }; - }; - kernel.sysctl = { - # Allow listening on TCP & UDP ports below 1024 - "net.ipv4.ip_unprivileged_port_start" = 0; - }; + boot.kernel.sysctl = { + "net.ipv4.ip_unprivileged_port_start" = 0; }; hardware.opengl = { @@ -124,21 +24,13 @@ vaapiIntel vaapiVdpau libvdpau-va-gl - intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) + intel-compute-runtime ]; }; networking = { hostName = "viridian"; - domain = "kanto.dev"; networkmanager.enable = true; - # Required for wireguard - nat = { - enable = true; - externalInterface = "wlp2s0"; - internalInterfaces = [ "wg0" ]; - }; - # Setup our firewall firewall = { enable = true; allowedTCPPorts = [ 
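Review bot: The retained `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;` lost its explanatory comment in the rewrite and still lowers the privileged-port boundary for every process on the host, not only the service that needs it. Restore a why-comment naming the consumer, e.g. `# Let <service> bind ports below 1024 without root — confirm which service still needs this`, and consider granting `CAP_NET_BIND_SERVICE` to that one unit via `systemd.services.<name>.serviceConfig.AmbientCapabilities` (or the equivalent container setting) instead of a global sysctl. The `nixpkgs.config` block removed here carried the `vaapiIntel` override with `enableHybridCodec = true`, while the new `hardware.opengl.extraPackages` still lists `vaapiIntel`; unless that override moved into `outputs.overlays.modifications`, hybrid codec support is silently lost. `allowUnfree = true` left this file too and is presumably now set in the global `nixpkgs` block of `common/global/default.nix`, whose tail is not in this diff.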
@@ -155,82 +47,15 @@ 51820 # Wireguard ]; }; - - # Setup our Home network VPN - wireguard.interfaces = { - wg0 = { - # IP address and subnet of the server's end of the tunnel interface - ips = [ "10.100.0.1/24" ]; - listenPort = 51820; - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE - ''; - # This undoes the above command - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlp2s0 -j MASQUERADE - ''; - # Path to the private key file. - privateKeyFile = config.age.secrets.wireguard.path; - peers = [ - { # Pixel 6 Pro - publicKey = "VaXMnFAXdbJCllNY5sIjPp9AcSM7ap2oA0tU9SIMK3E="; - # List of IPs assigned to this peer within the tunnel subnet. - allowedIPs = [ "10.100.0.2/32" ]; - } - { # Samsung S23 Ultra - publicKey = "dL91i7+VDWfeLCOr53JlzQ32WJ3lRJGqdecoqUpEnlQ="; - allowedIPs = [ "10.100.0.3/32" ]; - } - ]; - }; - }; }; - # Setup environment - environment = { - # Symlink /bin/sh to POSIX-Complient shell - binsh = "${pkgs.bash}/bin/bash"; - shells = with pkgs; [ zsh ]; - - # Install packages, prefix with 'unstable.' to use overlay - systemPackages = with pkgs; [ - agenix.packages."${system}".default - ]; - }; - programs = { + programs = { zsh.enable = true; }; - services = { - # This setups a SSH server. Very important if you're setting up a headless system. - # Feel free to remove if you don't need it. - openssh = { - enable = true; - # Forbid root login through SSH. - settings.PermitRootLogin = "no"; - # Use keys only. 
Remove if you want to SSH using password (not recommended) - settings.PasswordAuthentication = false; - }; - }; - - # Virtualisation - virtualisation.docker.enable = true; - - # Configure your system-wide user settings (groups, etc), add more users as needed. - users = { - users = { - # System administator - sabrina = { - isNormalUser = true; - extraGroups = [ "networkmanager" "wheel" "media" "docker" ]; - openssh.authorizedKeys.keyFiles = [ - ../../home-manager/sajenim/id_ed25519_sk.pub - ]; - shell = pkgs.zsh; - }; - }; + virtualisation.docker = { + enable = true; + liveRestore = false; }; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion diff --git a/nixos/viridian/hardware-configuration.nix b/nixos/viridian/hardware-configuration.nix index c56a0bd..8c8f7db 100644 --- a/nixos/viridian/hardware-configuration.nix +++ b/nixos/viridian/hardware-configuration.nix 
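Review bot: Replacing the inline `sabrina` user with the shared `../common/users/sajenim` module drops the `media` group from the admin user's `extraGroups` (the common module grants `audio docker networkmanager wheel`); if the qbittorrent module or the multimedia containers imported above use a `media` group for shared file ownership, the admin loses access to that data after the switch. Either add `media` to the common user where that group exists, or set `users.users.sajenim.extraGroups = [ "media" ];` in this host's configuration — NixOS merges list options, so the host-specific addition composes with the common module. The SSH daemon settings removed here (`PermitRootLogin = "no"`, `PasswordAuthentication = false`) are preserved by `common/global/ssh.nix`, but that module also drops the custom listen port, so this host now answers on the default port 22 — confirm that is intended before the next deploy. The attribute set continues past this hunk; `system.stateVersion` and the closing brace are not shown.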
@@ -1,49 +1,46 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, ... }: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + ../common/optional/ephemeral-btrfs.nix + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/d9639ca2-617b-4b9f-9b6f-cc103a666b7e"; - fsType = "ext4"; + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + kernelModules = [ "kvm-intel" ]; }; - - fileSystems."/boot/efi" = - { device = "/dev/disk/by-uuid/93DA-2CCC"; - fsType = "vfat"; + loader = { + systemd-boot.enable = true; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; }; + }; - fileSystems."/mnt/data" = - { device = "/dev/disk/by-uuid/3548fbc6-6efd-4ed1-acc1-bd3ffed9d7a7"; - fsType = "ext4"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; - fileSystems."/mnt/backup" = - { device = "/dev/disk/by-uuid/443fcb5a-b814-4d33-8cfb-93f6ff4aca11"; - fsType = "ext4"; - }; + fileSystems."/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + }; + fileSystems."/mnt/backup" = { + device = "/dev/disk/by-label/backup"; + fsType = "ext4"; + }; - swapDevices = [ ]; + swapDevices = [ + { device = "/swap/swapfile"; + size = 16*1024; + } + ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. 
When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;