diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix
index 3f5c1ff..71f3c20 100644
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@@ -64,6 +64,7 @@
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZigrRMF/HHMhjBIwiOnS2pqbOz8Az19tch680BGvmu nix2h001"
 ];
+ shell = pkgs.zsh;
 };
 luser = {
 openssh.authorizedKeys.keys = [
@@ -75,10 +76,6 @@
 "input"
 ];
 shell = pkgs.zsh;
- packages = with pkgs; [
- bitwarden
- vaultwarden
- ];
 };
 };
 };
diff --git a/hosts/h001/readme.md b/hosts/h001/readme.md
new file mode 100644
index 0000000..0758f91
--- /dev/null
+++ b/hosts/h001/readme.md
@@ -0,0 +1 @@
+Main media server and run things server, has a bunch of stuff on it I am self hosting
diff --git a/hosts/h002/readme.md b/hosts/h002/readme.md
new file mode 100644
index 0000000..2cb5320
--- /dev/null
+++ b/hosts/h002/readme.md
@@ -0,0 +1 @@
+NAS for my home network
diff --git a/hosts/h003/configuration.nix b/hosts/h003/configuration.nix
new file mode 100644
index 0000000..d00387c
--- /dev/null
+++ b/hosts/h003/configuration.nix
@@ -0,0 +1,8 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+{
+
+}
diff --git a/hosts/h003/flake.nix b/hosts/h003/flake.nix
new file mode 100644
index 0000000..5ed936f
--- /dev/null
+++ b/hosts/h003/flake.nix
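Review bot: hosts/h003/configuration.nix binds `pkgs` and `config` in its argument set and then leaves the module body empty, so both bindings are unused and a reader cannot tell whether the file is a deliberate placeholder or an unfinished module. Either reduce the header to `{ ... }:` until a setting actually needs those arguments, or keep them and put a comment such as `# Host-specific settings for h003; shared settings come from the common module imported in flake.nix` inside the empty attribute set so the intent is recorded.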
@@ -0,0 +1,101 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+
+ # Use relative to get current version for testing
+ # common.url = "path:../../common";
+ common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
+
+ ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
+ };
+
+ outputs =
+ {
+ nixpkgs,
+ common,
+ ros_neovim,
+ ...
+ }:
+ let
+ configuration_name = "h003";
+ lib = nixpkgs.lib;
+ in
+ {
+ nixosConfigurations = {
+ "${configuration_name}" = (
+ lib.nixosSystem {
+ modules = [
+ common.nixosModules.default
+ ros_neovim.nixosModules.default
+ ./configuration.nix
+ ./hardware-configuration.nix
+ (
+ { config, pkgs, ... }:
+ {
+ environment.systemPackages = with pkgs; [
+ lua
+ sqlite
+ ];
+
+ ringofstorms_common = {
+ systemName = configuration_name;
+ boot.systemd.enable = true;
+ secrets.enable = true;
+ general = {
+ reporting.enable = true;
+ };
+ programs = {
+ tailnet.enable = true;
+ ssh.enable = true;
+ podman.enable = true;
+ };
+ users = {
+ admins = [ "luser" ]; # First admin is also the primary user owning nix config
+ users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3riAQ8RP5JXj2eO87JpjbM/9SrfFHcN5pEJwQpRcOl nix2h003"
+ ];
+ shell = pkgs.zsh;
+ };
+ luser = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3riAQ8RP5JXj2eO87JpjbM/9SrfFHcN5pEJwQpRcOl nix2h003"
+ ];
+ extraGroups = [
+ "networkmanager"
+ "video"
+ "input"
+ ];
+ shell = pkgs.zsh;
+ };
+ };
+ };
+ homeManager = {
+ users = {
+ luser = {
+ imports = with common.homeManagerModules; [
+ kitty
+ tmux
+ atuin
+ direnv
+ git
+ nix_deprecations
+ postgres
+ ssh
+ starship
+ zoxide
+ zsh
+ ];
+ };
+ };
+ };
+ };
+ }
+ )
+ ];
+ }
+ );
+ };
+ };
+}
diff --git a/hosts/h003/hardware-configuration.nix b/hosts/h003/hardware-configuration.nix
new file mode 100644
index 0000000..ceaa644
--- /dev/null
+++ b/hosts/h003/hardware-configuration.nix
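Review bot: The `root` entry under `users.users` receives an `openssh.authorizedKeys.keys` list with the same `nix2h003` key as `luser`, which enables direct root login over SSH on the new host even though `luser` is already the listed admin; a compromise of that one key then yields an unattributed root session, which is exactly what a hardened `sshd` (`PermitRootLogin no` or `prohibit-password`) is meant to rule out. Unless the `ssh.enable` module in `common` is known to depend on a root key (not visible here), trimming the entry to `root = {` / `  shell = pkgs.zsh;` / `};` and reaching root through the admin account keeps the same operational access with a narrower attack surface; the h001 context lines in the first hunk on this page show the same root-key pattern. Separately, no `hosts/h003/flake.lock` appears in this commit, so `common`, `ros_neovim` and the `nixos-25.05` branch are unpinned until a first evaluation writes one; if the lock is not being committed separately, add it so the host builds reproducibly.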
@@ -0,0 +1,56 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "xhci_pci"
+ "firewire_ohci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/NIXROOT";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/NIXBOOT";
+ fsType = "vfat";
+ };
+
+ swapDevices = [
+ {
+ device = "/.swapfile";
+ size = 18 * 1024; # 18GB
+ }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/h003/readme.md b/hosts/h003/readme.md
new file mode 100644
index 0000000..038c6f6
--- /dev/null
+++ b/hosts/h003/readme.md
@@ -0,0 +1 @@
+WAN Local networking computer
diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock
index a22c94b..3a9f0e9 100644
--- a/hosts/lio/flake.lock
+++ b/hosts/lio/flake.lock
@@ -29,24 +29,19 @@
 "inputs": {
 "home-manager": "home-manager",
 "nix-flatpak": "nix-flatpak",
- "nixpkgs": "nixpkgs_2",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "opencode": "opencode",
 "ragenix": "ragenix"
 },
 "locked": {
- "lastModified": 1753903580,
- "narHash": "sha256-9jJqpH5vpYppWeA7BUYLxkhwHELi0sSwOJs17Nu2VWE=",
- "ref": "refs/heads/master",
- "rev": "05b93ea5f1228827d659b425f957c29a9abf9e7a",
- "revCount": 555,
- "type": "git",
- "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+ "path": "../../common",
+ "type": "path"
 },
 "original": {
- "type": "git",
- "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
- }
+ "path": "../../common",
+ "type": "path"
+ },
+ "parent": []
 },
 "crane": {
 "locked": {
@@ -196,22 +191,6 @@
 }
 },
 "nixpkgs_2": {
- "locked": {
- "lastModified": 1753694789,
- "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
 "locked": {
 "lastModified": 1741379970,
 "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@@ -227,7 +206,7 @@
 "type": "github"
 }
 },
- "nixpkgs_4": {
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1752866191,
 "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=",
@@ -243,7 +222,7 @@
 "type": "github"
 }
 },
- "nixpkgs_5": {
+ "nixpkgs_4": {
 "locked": {
 "lastModified": 1753848940,
 "narHash": "sha256-jH7fqN4HzsIlj2c/SAuVWmgUIjBwDdEKVnL97xlECHY=",
@@ -1141,16 +1120,16 @@
 "opencode": {
 "flake": false,
 "locked": {
- "lastModified": 1753893530,
- "narHash": "sha256-7L50P3+u4SHQtjSdFJviPaeLFnOIGP/l4BFLHKm4pNs=",
+ "lastModified": 1754364004,
+ "narHash": "sha256-/FWvHekyAM9U5WLptAr2YbcMOZa/twjucSUnlqfu1Y4=",
 "owner": "sst",
 "repo": "opencode",
- "rev": "304e86a8d4ebbaf55de27ac012aecc58028c898d",
+ "rev": "b8248096056d674f964d75e34b8200cf0ff1ac8b",
 "type": "github"
 },
 "original": {
 "owner": "sst",
- "ref": "v0.3.85",
+ "ref": "v0.3.130",
 "repo": "opencode",
 "type": "github"
 }
@@ -1160,7 +1139,7 @@
 "agenix": "agenix",
 "crane": "crane",
 "flake-utils": "flake-utils",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_2",
 "rust-overlay": "rust-overlay"
 },
 "locked": {
@@ -1180,13 +1159,13 @@
 "root": {
 "inputs": {
 "common": "common",
- "nixpkgs": "nixpkgs_4",
+ "nixpkgs": "nixpkgs_3",
 "ros_neovim": "ros_neovim"
 }
 },
 "ros_neovim": {
 "inputs": {
- "nixpkgs": "nixpkgs_5",
+ "nixpkgs": "nixpkgs_4",
 "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
 "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
 "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",
diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix
index f2dd116..5a77e90 100644
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@@ -3,8 +3,8 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
 
 # Use relative to get current version for testing
- # common.url = "path:../../common";
- common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
+ common.url = "path:../../common";
+ # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
 
 ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
 };
diff --git a/readme.md b/readme.md
index 804c598..acc0b73 100644
--- a/readme.md
+++ b/readme.md
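Review bot: The new side leaves lio's `common` input on `path:../../common`, which the comment directly above it reserves for testing, and the lio flake.lock hunks earlier on this page now record that input as `"type": "path"` with no `rev` or `narHash`, so lio no longer pins `common` to a reviewed revision and evaluates whatever happens to be in the working tree; a checkout that contains only this host, or a remote builder, has no `../../common` at all. If the path input is not meant to ship, restore `common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";`, re-comment the path line and regenerate the lock before merging; if it is intentional, say so in the commit description. The `inputs` attribute set edited here begins before the hunk.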
@@ -21,6 +21,42 @@
 
 ## NixOS install
 
+1. Install nix minimal: (new with btrfs backing)
+
+- Partitions
+ - `parted /dev/DEVICE -- mklabel gpt` - make GPT partition table
+ - `parted /dev/DEVICE -- mkpart NIXROOT 2GB 100%` - make root partition (2GB offset for boot)
+ - `parted /dev/DEVICE -- mkpart ESP fat32 1MB 2GB` - make boot partition (2GB)
+ - `parted /dev/DEVICE -- set 2 esp on` - make boot bootable
+- LUKS Encryption
+ - `cryptsetup luksFormat /dev/DEVICE_1`
+ - Create passphrase and save to bitwarden
+ - `cryptsetup luksOpen /dev/DEVUCE_1 cryptroot`
+ - Create keyfile for auto-unlock (optional)
+ - `dd if=/dev/random of=/tmp/keyfile bs=1024 count=4`
+ - `chmod 400 /tmp/keyfile`
+ - `cryptsetup luksAddKey /dev/DEVICE_1 /tmp/keyfile`
+- Formatting
+ - `mkfs.btrfs -L NIXROOT /dev/mapper/cryptroot`
+ - `mkfs.fat -F 32 -n NIXBOOT /dev/DEVICE_2`
+- Create btrfs subvolumes (for better snapshot performance) (this is optional and can technically be skipped and put everything in one but I like this setup for cleanliness)
+ - `mount /dev/mapper/cryptroot /mnt`
+ - `btrfs subvolume create /mnt/root`
+ - `btrfs subvolume create /mnt/nix`
+ - `btrfs subvolume create /mnt/snapshots`
+ - `umount /mnt`
+- Mount
+ - `mount -o subvol=root,compress=zstd,noatime /dev/mapper/cryptroot /mnt`
+ - `mkdir -p /mnt/{nix,boot,.snapshots}`
+ - `mount -o subvol=nix,compress=zstd,noatime /dev/mapper/cryptroot /mnt/nix`
+ - `mount -o subvol=snapshots,compress=zstd,noatime /dev/mapper/cryptroot /mnt/.snapshots`
+ - `mount -o umask=077 /dev/disk/by-label/NIXBOOT /mnt/boot`
+- Copy keyfile for auto-unlock (optional)
+ - `cp /tmp/keyfile /mnt/boot/keyfile`
+ - `chmod 400 /mnt/boot/keyfile`
+
+2. same as below...
+
 1. Install nix minimal:
 
 - Partitions
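Review bot: The optional "Copy keyfile for auto-unlock" step stores the LUKS keyfile on `/mnt/boot`, which the same procedure formats as an unencrypted FAT32 ESP (`mkfs.fat -F 32 -n NIXBOOT /dev/DEVICE_2`), so anyone who can read the disk offline also holds the key to `cryptroot` and the encryption no longer protects data at rest; the `chmod 400 /mnt/boot/keyfile` line also has no lasting effect on vfat, where permissions come from the `umask=077` mount option and only while mounted. Add a sentence to that step making the trade-off explicit, e.g. `Note: a keyfile on the unencrypted ESP gives up protection against offline reads of the disk; use it only where physical access is outside the threat model, otherwise keep the passphrase prompt.` Two smaller fixes in the same list: `/dev/DEVUCE_1` in the `luksOpen` line should be `/dev/DEVICE_1`, and `2. same as below...` should name which steps of the older procedure to continue with, since the old list restarts its numbering at `1.` immediately after.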