Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/alpha/configuration.nix | 78 | ||||
-rw-r--r-- | nixos/alpha/hardware-configuration.nix | 1 | ||||
-rw-r--r-- | nixos/default.nix | 7 | ||||
-rw-r--r-- | nixos/haruka/configuration.nix | 77 | ||||
-rw-r--r-- | nixos/haruka/hardware-configuration.nix | 1 | ||||
-rw-r--r-- | nixos/kanata/configuration.nix | 83 | ||||
-rw-r--r-- | nixos/kanata/secrets/secrets.yaml | 6 |
7 files changed, 111 insertions, 142 deletions
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix index f0fbf27..033438f 100644 --- a/nixos/alpha/configuration.nix +++ b/nixos/alpha/configuration.nix @@ -33,24 +33,16 @@ boot.zfs.forceImportAll = false; boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS - # GRUB bootloader - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub = { - enable = true; - - efiSupport = true; - configurationLimit = 10; - device = "nodev"; - useOSProber = true; - copyKernels = true; - extraEntries = '' - menuentry "Reboot" { - reboot - } - menuentry "Shutdown" { - halt - } - ''; + boot.loader.systemd-boot = { + # Managed by lanzaboote + enable = false; + editor = false; + configurationLimit = 16; + # TODO: https://github.com/NixOS/nixpkgs/pull/334526 + # bootCounting.enable = true; + # bootCounting.tries = 3; + # bootCounting.enable = true; + # bootCounting.tries = 3; }; boot.initrd.postDeviceCommands = lib.mkAfter '' @@ -115,17 +107,25 @@ services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = false; - services.openssh.hostKeys = [ - { - path = "/persist/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "/persist/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; + + modules = { + secure-boot.enable = true; + + persistence = { + enable = true; + storagePath = "/persist"; + setupSshHostKeys = true; + + directories = [ + "/etc/NetworkManager/system-connections" + "/var/lib/nixos" + "/var/lib/bluetooth" + "/var/lib/tailscale" + "/var/lib/libvirt" + "/etc/cups" + ]; + }; + }; sops.secrets.borg-alpha-rolling-pass = { }; services.borgbackup.jobs.alpha-rolling = { @@ -175,8 +175,6 @@ services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH"; - sound.enable = true; - services.pipewire = { enable = true; 
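Review bot: The bootCounting TODO is pasted twice in the new `boot.loader.systemd-boot` attrset of alpha (`# bootCounting.enable = true;` / `# bootCounting.tries = 3;` appear as two identical pairs, and the 24→16 hunk counts confirm it), while the matching hunk in haruka's configuration.nix has the pair only once; drop the second pair so the two hosts stay in lockstep. Since `enable = false` is set here with the comment "Managed by lanzaboote", `editor = false` and `configurationLimit = 16` only take effect if the secure-boot module behind `modules.secure-boot.enable` reads them back from `boot.loader.systemd-boot` — presumably it does, but that is not visible in this diff and `editor = false` is the setting that keeps the boot menu from accepting kernel command-line edits on the signed boot chain, so it is worth confirming. A short comment such as `# editor/configurationLimit are inherited by lanzaboote` next to `enable = false` would record that dependency for the next reader.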
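Review bot: `setupSshHostKeys = true` replaces an explicit `services.openssh.hostKeys` list that pinned exactly two keys (ed25519 and 4096-bit RSA under `/persist/ssh`); what the persistence module generates is not visible here, so confirm it produces the same paths and key types, otherwise the host's SSH identity changes and every client's known_hosts entry for alpha breaks. The same replacement is made in haruka's `@@ -126,17 +113,25 @@` hunk. Adding `/var/lib/nixos` to the persisted directories is a good change, as it keeps the declarative uid/gid maps stable across the root wipe. The `fileSystems."/persist".neededForBoot = true` line removed further down (`@@ -367,8 +357,6 @@`) is presumably now set by `modules.persistence` — verify, because host keys and `/var/lib/nixos` must be mounted before activation and sshd start.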
@@ -208,14 +206,6 @@ services.avahi.enable = true; services.avahi.nssmdns4 = true; - environment.persistence."/persist".directories = [ - "/etc/NetworkManager/system-connections" - "/var/lib/bluetooth" - "/var/lib/tailscale" - "/var/lib/libvirt" - "/etc/cups" - ]; - services.pcscd.enable = true; programs.dconf.enable = true; @@ -344,14 +334,14 @@ }; nixpkgs.allowedUnfree = [ "steam" "steam-original" "steam-run" "brgenml1lpr" ]; + madness.enable = true; + environment.sessionVariables = { WLR_NO_HARDWARE_CURSORS = "1"; # Prevent cursors disappearing on nouveau }; - hardware.opengl.enable = true; - hardware.opengl.driSupport = true; - hardware.opengl.driSupport32Bit = true; - hardware.opengl.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ]; + hardware.graphics.enable = true; + hardware.graphics.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ]; xdg.portal = { enable = true; @@ -367,8 +357,6 @@ users.mutableUsers = false; - fileSystems."/persist".neededForBoot = true; - users.users = { root.hashedPasswordFile = config.sops.secrets.root-password.path; sefidel = { diff --git a/nixos/alpha/hardware-configuration.nix b/nixos/alpha/hardware-configuration.nix index 5ec5d86..8c40065 100644 --- a/nixos/alpha/hardware-configuration.nix +++ b/nixos/alpha/hardware-configuration.nix @@ -21,6 +21,7 @@ fileSystems."/boot" = { device = "/dev/disk/by-uuid/12CE-A600"; fsType = "vfat"; + options = [ "umask=0077" ]; }; fileSystems."/nix" = diff --git a/nixos/default.nix b/nixos/default.nix index 599ba75..22593b5 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -6,8 +6,7 @@ nixpkgs = unstable; extraModules = [ inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.attic.nixosModules.atticd + inputs.madness-ld.nixosModules.madness ]; }; @@ -16,8 +15,6 @@ nixpkgs = unstable; extraModules = [ inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.attic.nixosModules.atticd ]; }; 
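Review bot: The migration from `hardware.opengl` to `hardware.graphics` drops `driSupport32Bit = true` without adding its renamed equivalent `hardware.graphics.enable32Bit = true;`, so 32-bit GL/VA-API support is silently lost on alpha — and this same hunk lists `"steam"` in `nixpkgs.allowedUnfree`, which needs 32-bit graphics unless `programs.steam.enable` (not visible here) sets it. The same omission is in haruka's `@@ -349,10 +334,8 @@` hunk. `madness.enable = true;` is also added with no comment; a one-liner saying which unpatched binaries it is there for would help, since it changes how the dynamic loader treats non-Nix executables.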
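Review bot: The new `options = [ "umask=0077" ];` on the `/boot` ESP is a sensible hardening but carries no explanation; presumably it is there because systemd-boot/lanzaboote keep the boot random seed on the ESP and warn when the mount is world-readable. A comment such as `# ESP must not be world-readable (systemd-boot random seed lives here)` would make the intent clear, and the identical line in haruka's hardware-configuration.nix hunk should get the same comment.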
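Review bot: `inputs.attic.nixosModules.atticd` is removed from every host's `extraModules` in this file (this hunk plus `@@ -16` and `@@ -26`), yet the kanata secrets.yaml hunk later in this diff still carries an `attic-credentials` entry; if nothing references that sops secret any more it should be deleted from the file and the credential rotated rather than left encrypted in the repo. Dropping `inputs.impermanence.nixosModules.impermanence` here also means `modules.persistence` must now import impermanence itself (or no longer build on `environment.persistence`) — that module is not in the diff, so this is inferred from the hosts' configuration.nix hunks switching from `environment.persistence."/persist"` to `modules.persistence`.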
@@ -26,8 +23,6 @@ nixpkgs = unstable; extraModules = [ inputs.sops-nix.nixosModules.sops - inputs.impermanence.nixosModules.impermanence - inputs.attic.nixosModules.atticd ]; overlays = [ (final: prev: { diff --git a/nixos/haruka/configuration.nix b/nixos/haruka/configuration.nix index a36d8b3..89050f4 100644 --- a/nixos/haruka/configuration.nix +++ b/nixos/haruka/configuration.nix @@ -36,27 +36,14 @@ boot.zfs.forceImportAll = false; boot.zfs.allowHibernation = true; # NOTE: disable if using swap on ZFS - # GRUB bootloader - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub = { - enable = true; - - efiSupport = true; - configurationLimit = 10; - device = "nodev"; - useOSProber = true; - copyKernels = true; - gfxmodeEfi = "1920x1200"; - fontSize = 32; - - extraEntries = '' - menuentry "Reboot" { - reboot - } - menuentry "Shutdown" { - halt - } - ''; + boot.loader.systemd-boot = { + # Managed by lanzaboote + enable = false; + editor = false; + configurationLimit = 16; + # TODO: https://github.com/NixOS/nixpkgs/pull/334526 + # bootCounting.enable = true; + # bootCounting.tries = 3; }; # Erase your darlings. @@ -126,17 +113,25 @@ services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = false; - services.openssh.hostKeys = [ - { - path = "/persist/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "/persist/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; + + modules = { + secure-boot.enable = true; + + persistence = { + enable = true; + storagePath = "/persist"; + setupSshHostKeys = true; + + directories = [ + "/etc/NetworkManager/system-connections" + "/etc/cups" + "/var/lib/nixos" + "/var/lib/fprint" + "/var/lib/bluetooth" + "/var/lib/tailscale" + ]; + }; + }; sops.secrets.borg-haruka-rolling-pass = { }; services.borgbackup.jobs.haruka-rolling = { 
@@ -184,8 +179,6 @@ services.openssh.knownHosts."hk-s020.rsync.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcPl9x9JfRFwsn09NnDw/xBZbAN80ZQck+h6AqlVqPH"; - sound.enable = true; - services.pipewire = { enable = true; @@ -223,14 +216,6 @@ services.avahi.enable = true; services.avahi.nssmdns4 = true; - environment.persistence."/persist".directories = [ - "/etc/NetworkManager/system-connections" - "/etc/cups" - "/var/lib/fprint" - "/var/lib/bluetooth" - "/var/lib/tailscale" - ]; - services.pcscd.enable = true; programs.dconf.enable = true; @@ -349,10 +334,8 @@ zsh.enableCompletion = true; }; - hardware.opengl.enable = true; - hardware.opengl.driSupport = true; - hardware.opengl.driSupport32Bit = true; - hardware.opengl.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ]; + hardware.graphics.enable = true; + hardware.graphics.extraPackages = with pkgs; [ vaapiVdpau libvdpau-va-gl ]; xdg.portal = { enable = true; @@ -368,8 +351,6 @@ users.mutableUsers = false; - fileSystems."/persist".neededForBoot = true; - users.users = { root.hashedPasswordFile = config.sops.secrets.root-password.path; sefidel = { diff --git a/nixos/haruka/hardware-configuration.nix b/nixos/haruka/hardware-configuration.nix index 06a342f..6820226 100644 --- a/nixos/haruka/hardware-configuration.nix +++ b/nixos/haruka/hardware-configuration.nix @@ -24,6 +24,7 @@ { device = "/dev/disk/by-uuid/5382-69DE"; fsType = "vfat"; + options = [ "umask=0077" ]; }; fileSystems."/nix" = diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix index a5ed1be..32e4cee 100644 --- a/nixos/kanata/configuration.nix +++ b/nixos/kanata/configuration.nix @@ -62,7 +62,7 @@ in modules.tailscale-initrd = { enable = true; - # XXX: This has to be manually generatd during NixOS install. + # XXX: This has to be manually generated during NixOS install. # The files are then copied to initrd secrets during activation. tailscaleStatePath = "/persist/initrd/tailscale-initrd.state"; }; 
@@ -70,22 +70,6 @@ in services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = maintainerKeys; - # NOTE: managed by modules.persistence - # TODO: remove? - # fileSystems."/persist".neededForBoot = true; - # - # services.openssh.hostKeys = [ - # { - # path = "/persist/ssh/ssh_host_ed25519_key"; - # type = "ed25519"; - # } - # { - # path = "/persist/ssh/ssh_host_rsa_key"; - # type = "rsa"; - # bits = 4096; - # } - # ]; - sops.defaultSopsFile = ./secrets/secrets.yaml; powerManagement.cpuFreqGovernor = "ondemand"; @@ -118,6 +102,46 @@ in enableIPv6 = true; }; + services.nscd = { + enable = true; + config = '' + # We basically use nscd as a proxy for forwarding nss requests to appropriate + # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory + # containing all such modules + # Note that we can not use `enable-cache no` As this will actually cause nscd + # to just reject the nss requests it receives, which then causes glibc to + # fallback to trying to handle the request by itself. Which won't work as glibc + # is not aware of the path in which the nss modules live. As a workaround, we + # have `enable-cache yes` with an explicit ttl of 0 + server-user nscd + + enable-cache passwd yes + positive-time-to-live passwd 0 + negative-time-to-live passwd 0 + shared passwd yes + + enable-cache group yes + positive-time-to-live group 0 + negative-time-to-live group 0 + shared group yes + + enable-cache netgroup yes + positive-time-to-live netgroup 0 + negative-time-to-live netgroup 0 + shared netgroup yes + + enable-cache hosts yes + positive-time-to-live hosts 3600 # Invidious spams DNS queries to PubSubHubBub + negative-time-to-live hosts 0 + shared hosts yes + + enable-cache services yes + positive-time-to-live services 0 + negative-time-to-live services 0 + shared services yes + ''; + }; + services.tailscale = { enable = true; useRoutingFeatures = "both"; 
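Review bot: The added `services.nscd.config` looks like a copy of the NixOS default nscd.conf with one substantive change, `positive-time-to-live hosts 3600`; that is a fixed cache lifetime that ignores the DNS record TTLs, so a renumbered or failed-over upstream (including the PubSubHubBub endpoint the trailing comment mentions) keeps resolving to the stale address for up to an hour. Note also that on recent NixOS `services.nscd.enableNsncd` defaults to true and nsncd does no caching, in which case this whole block has no effect — presumably checked, but not visible here. If the intent is only to rate-limit Invidious' lookups, a TTL-honouring local resolver cache (for example `services.resolved`) would be safer, and either way a comment at the top of the block stating `# Copy of the NixOS default nscd.conf; only the hosts positive TTL differs` would tell the next reader what to diff against.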
@@ -136,6 +160,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; modules = { persistence.directories = [ + "/var/lib/nixos" "/var/lib/tailscale" "/var/lib/nixos-containers" ]; @@ -143,6 +168,7 @@ in persistence = { enable = true; storagePath = "/persist"; + setupSshHostKeys = true; }; # NOTE: This module only populates route entries, @@ -285,29 +311,6 @@ in }; }; - services.changedetection-io = { - enable = true; - - listenAddress = "localhost"; - port = 4901; - - baseURL = "https://change.labs.kusanari.network"; - behindProxy = true; - webDriverSupport = true; - }; - - services.nginx.virtualHosts."change.labs.kusanari.network".locations."/" = { - proxyWebsockets = true; - extraConfig = '' - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Referer "https://change.labs.kusanari.network"; - ''; - }; - containers.v-interlink = { autoStart = true; enableTun = true; diff --git a/nixos/kanata/secrets/secrets.yaml b/nixos/kanata/secrets/secrets.yaml index a32a80f..daaa60e 100644 --- a/nixos/kanata/secrets/secrets.yaml +++ b/nixos/kanata/secrets/secrets.yaml 
@@ -9,7 +9,7 @@ nitter-account-jsonl: ENC[AES256_GCM,data:a7nSbFcG+E5xXnY4moLAu1ULujjZ8czGGLQNqa acme-credentials: ENC[AES256_GCM,data:6SIuFH3sRcz/Z855br7VgFKEEA1crztKmhVd3chK7ERJpfG9pTxxX0mAxG3aK5OhXwZpDMp0YkxtEphdkb5m0ZU=,iv:bUMtK0SvtrNwlhuY1k0dNVIOcJgM1OLjmbl+X+Zj01E=,tag:x6kdGrSsImZlpHrPnEAmXA==,type:str] invidious-hmac: ENC[AES256_GCM,data:uIw4aQm6oYd5heSxrJnt6Nvc+fTPLMSEDtDyZ/ayogl6qx/gPg==,iv:8AVzwO9peE0UC70nLxBxHKzTcitrzvBvy120fdQD1+c=,tag:rr7MOqgOFFxXN8W+9MKvLg==,type:str] #ENC[AES256_GCM,data:c0B2RqGRFmyxyz93TCWL5wMTYiFmnvWU9aQwZszQ137fhL7bQdENPLWQkoiWyW6o3GXTyuL2bni1VnO4eD5idWzt7dw=,iv:147La8vNPRLMnK992cQD1NmQgbDrDBLwSPEX4haeIS4=,tag:hmGGslH4O9dlTSoDTWIdIg==,type:comment] -interlink-wg-config: ENC[AES256_GCM,data:zT0yr7O4JhpmnI5++cK7aJEKkLM9rxcWGyvwJ7Q4ZR6wWLe0LnNIzEpjjMAvh/If4NYOU8qpVOUgxaREij3hIhJ1QzyAb/nF80msZWDmmMvtVLZmC1wNw+p88UKrPwRBbLIwVbwCyWJtIdnZTHzscktfSY+mC/mB8fESh8XpRXH7YW/W1+nyrSQCmJ3LGopHBukqJstLunu7qW34xZ5k37/TKToyqW4JLUxamrPsBycR1ZnfTvIHluOvXhQLOleBEJN+GyduRqPV7tAajbMZAlyZa5Y6mGVA0kcba3GpuiV4uQjFJcSiYLa2JztWSbsWFJBl1YPXdsWzWOrQ,iv:iiye6Zb2OlctZFFuRbJ7RiXW0k400/DmWDlh5SXgp+Q=,tag:qa3BedClEOaSyst+xjPe4Q==,type:str] +interlink-wg-config: ENC[AES256_GCM,data:vao5c0rUCjjd+c2bqqpk7VQZ28yWmAEpBp9sXyh1IRE2MeoWNj0m+e4EbqmEFVKfRbOFgkj5Ek5dAKs7UEb2NMxNYh+s/3cDj8i0cls7fRyb02ctMEVQN2hgArOwG4MdFHPn8BDhyChnAo+FkSS7q8p3AOLehB2jrQg+tzY31l3d01Cfcqswh1wJ8p4eSevvmx5PwNeH7fh35HOh5qzcJFrHkr+eUnKWXyF3zKiKAf/KM5cfz/3WVg4omRjrQCWRHjXrCHh53a7QGlYy1V4KFjzJGriywicGsbvLrnR5Fr2AZCK781NWO/Vxf2PiFzsLHpJ4wTmfkUKNrWDu,iv:iJNc+HrCKs6fUtMkSZ8HZJQE0+GXzxZBIAWFO13DseY=,tag:wUww5nKO+h21HAor+UUIAg==,type:str] proton-private-key: ENC[AES256_GCM,data:OnZGYf/203XOLXyDRIqrRKwLe0cN2c0RF+CkwwNtttP+ACD3AJCY0rNgKoc=,iv:IWFF95Z3r+OuSu+GfJWJjwRv5b9KZSKGMuxSnkRGqlg=,tag:QvDBvSzzGxwawhaio47MEQ==,type:str] attic-credentials: 
ENC[AES256_GCM,data:S25D1E4kTp2Nre1uu1WWVV1jrEpQtPz5+5XQ/W0pr0CF5pFm0UEyGn2XdJKQzyM5CYSCo581JeJNMtTKIwEKm8lYY9X5e8Jgwe2o5f5YRwmHSfvK1UAJoUdM7Q0FaAcVTU3bNis1dClqDvB0QbNjF1xsYCKCgZRe8TSenmJgPjA=,iv:m+UzkoVsEfUtKIYaGZIej4efhVuWN4EKCqMamlQwWaI=,tag:vBPq0JkRDbKmyw9qLbh1gg==,type:str] transmission-extra-config: ENC[AES256_GCM,data:lyZ8Nkjp0Mjm4HFDqRN1G6iyBksHT6dKKQDSO8Br1DpXxKLDBclQ4L2F1FqQJ3OB/7o4EqWFX8J1ZjVYDCQkQnhr6v13glvFciICQ99hPsypUS349936vDCgEF/WP0RAHOsaRq81JnMDegZvEg==,iv:bfN2oEfQ3uk4i6hwHp2ZdYCf3l7Kb0EoXSEGyOSB8CM=,tag:fZkMayEJiXzifTCiVLJq6w==,type:str] @@ -38,8 +38,8 @@ sops: YkRGS2ZBbm1keWpUQUFOWDRtTWZVa0EKc+lKEP0L/yoFLx6p1zbWfifPWc7Y9Qqh qccODSyHqzwdriHLxXuw9SCnF+SeA721te6+pDVhJj8vqv2UqHiATw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T15:01:25Z" - mac: ENC[AES256_GCM,data:ndnsAuHSyQSGx0G2YzECaZhGDvVbbXDbSWLdh1r2Vy6beVeX/e6JP7AxnIRfhipKfJLlhOA1rtbCOiwpq4FubozXDJOviI0oLZWU4ZDSCgWHKsUVoMdC3gqw87Qhts77PfDqdYVgglAr2/n6AzhY8NVkjuMWu4iDiD9yfb+bJ5o=,iv:J32wZYk6yiEgJBWrs6QTjM/EY6XqRfu/BkhiP9PxAWQ=,tag:eL3mcerITq55qYlxF5JhEw==,type:str] + lastmodified: "2024-06-24T14:39:04Z" + mac: ENC[AES256_GCM,data:Gnx4wfiDqSvuYt2eOzAJhvL/t5lItsPajTykw1mONpCbdv03j/7bccyayvDajXQiD110fDN+gDDkux7IVWC1Zv/Gj2M3+qRq6OHCeDxtHwLW2KVdCoine2BxKN0RuIwkyJ9xNE6GQ1P7CaIjYrT2ilztjfZvIzydAZPsxCRV3Sg=,iv:w/XrddHvz1mi+SuyWavryk9duZMQay5ICd33ZTZynIg=,tag:TV7ekS5S01MoIpr8WGczrA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 |