From 5855f350e401f31784811951818243688ecc8b56 Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Tue, 25 Jul 2023 19:46:10 +0100
Subject: [PATCH] Move systems.org contents
---
Systems.org | 341 +--------------------------------------------------
1 file changed, 1 insertion(+), 340 deletions(-)
diff --git a/Systems.org b/Systems.org
index 7520ab9..bd27a9f 100644
--- a/Systems.org
+++ b/Systems.org
@@ -1,340 +1 @@
-#+title: NixOS System Configurations
-#+PROPERTY: header-args :mkdirp yes
-
-* Systems
-
-I have opted to use NixOS for my systems moving forward. You can read a bit more
-about this move [[https://blog.gabrielsimmer.com/posts/from-guix-to-nixos][here]]. I haven't dabbled with custom configuration too much so
-this is pretty close to the default configuration.
-
-** London
-
- London is my primary desktop.
-
- Be sure to import the hardware configuration the Nix installer generates.
-
-#+begin_src nix :tangle nix/configuration.nix
-# Tangled in ../Systems.org
-{ config, pkgs, ... }:
-
-{
- imports =
- [
- ./hardware-configuration.nix
- ];
-#+end_src
-
-Bootloader is GRUB so I can dual boot Windows. =enableCryptodisk= is annoying but apparently neccesary.
-
-#+begin_src nix :tangle nix/configuration.nix
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "nodev";
- useOSProber = true;
- efiSupport = true;
- enableCryptodisk = true;
- canTouchEfiVariables = true;
- efiSysMountPoint = "/boot/efi";
- };
-#+end_src
-
-Basic system stuff that I won't really touch by hand. Importantly, enabled nix flakes.
-
-#+begin_src nix :tangle nix/configuration.nix
- boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
- boot.kernelPackages = pkgs.linuxPackages_6_0;
-
- # Setup keyfile
- boot.initrd.secrets = {
- "/crypto_keyfile.bin" = null;
- };
-
- # Enable swap on luks
- boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1".device = "/dev/disk/by-uuid/63100442-37df-4579-a787-cb2f2c67b3d1";
- boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1".keyFile = "/crypto_keyfile.bin";
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- time.timeZone = "Europe/London";
- i18n.defaultLocale = "en_GB.utf8";
-#+end_src
-
-Networking stuff. I use Tailscale as a mesh VPN, and Mullvad for "privacy".
-
-#+begin_src nix :tangle nix/configuration.nix
- networking.hostName = "LONDON"; # Define your hostname.
- # Enable networking - networking.networkmanager.enable = true; - systemd.services.NetworkManager-wait-online.enable = false; - networking.firewall.checkReversePath = "loose"; - - networking.firewall.allowedTCPPorts = [ 3389 ]; # for RDP - - services.mullvad-vpn.enable = true; - services.tailscale.enable = true; -#+end_src - -Next, X11! I haven't quite made the switch to Wayland. Theoretically Plasma supports it but it doesn't seem to want to work. Long term I want to run Sway on an ultrawide. I also enable RDP in case I need to remote back into my desktop (if I can't use SSH for whatever reason). Also enable the nvidia drivers here. - -#+begin_src nix :tangle nix/configuration.nix - - # Enable the X11 windowing system. - services.xserver.enable = true; - - # Enable the KDE Plasma Desktop Environment. - services.xserver.displayManager.sddm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; - - services.xrdp.enable = true; - services.xrdp.defaultWindowManager = "startplasma-x11"; - - # Configure keymap in X11 - services.xserver = { - layout = "us"; - xkbVariant = ""; - }; - - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - services.xserver.videoDrivers = [ "nvidia" ]; - hardware.opengl.enable = true; -#+end_src - -Basic user setup. I use home-manager for my profile applications so just give me vim and that's it (I actually use emacs, but it doesn't hurt to have a fallback). - -#+begin_src nix :tangle nix/configuration.nix - programs.zsh.enable = true; - environment.shells = with pkgs; [ zsh ]; - users.users.gsimmer = { - shell = pkgs.zsh; - isNormalUser = true; - description = "Gabriel Simmer"; - extraGroups = [ "networkmanager" "wheel" ]; - packages = with pkgs; [ vim ]; - }; -#+end_src - -Misc. utilities. Printing, sound, Docker, Steam, fonts. Why is Steam installed at a system level? I don't know. I think I got confused. This will be move to home-manager at some point. 
- -#+begin_src nix :tangle nix/configuration.nix - environment.systemPackages = with pkgs; [ - os-prober - tailscale - cifs-utils - pinentry-curses - ]; - - # Enable CUPS to print documents. - services.printing.enable = true; - - # Enable sound with pipewire. - sound.enable = true; - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - virtualisation = { - docker = { - enable = true; - rootless = { - enable = true; - setSocketVariable = true; - }; - }; - }; - - programs.dconf.enable = true; - - programs.steam = { - enable = true; - remotePlay.openFirewall = true; - dedicatedServer.openFirewall = false; - }; - - fonts.fonts = with pkgs; [ - ibm-plex - jetbrains-mono - ]; - - services.yubikey-agent.enable = true; - services.pcscd.enable = true; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - programs.gnupg.agent = { - enable = true; - pinentryFlavor = "curses"; - enableSSHSupport = true; - }; - - system.stateVersion = "22.05"; -} -#+end_src - -Hardware configuration generated by the NixOS installer. - -#+begin_src nix :tangle nix/hardware-configuration.nix -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... 
}: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/cd6f3e34-65ce-4be5-b4d4-6818e70dcff3"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."luks-0cd5d85e-e232-4f75-a8b3-087737657fef".device = "/dev/disk/by-uuid/0cd5d85e-e232-4f75-a8b3-087737657fef"; - - fileSystems."/boot/efi" = - { device = "/dev/disk/by-uuid/AB23-FA19"; - fsType = "vfat"; - }; - - fileSystems."/home/gsimmer/FHG" = { - device = "/dev/disk/by-label/FHG"; - fsType = "ext4"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/c50f2d93-2f31-4afc-ad26-4730a8f4b7f0"; } - ]; - - networking.useDHCP = lib.mkDefault true; - - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - hardware.video.hidpi.enable = lib.mkDefault true; -} -#+end_src - -** Raspberry Pis - -/This section is deprecated, as my Pis now run Raspbian with k3s./ - -I have two Raspberry Pis - a 3B+ ("watcher"), and a 4 ("panda"). Watcher -serves as a watchdog for my self hosted services, usually living on Panda. - -*** The Installer Image - -Very minimal changes required here, only really need to enabled the SSH daemon and add my key so I can push the actual configuration. - -I might investigate bundling the "real" configurations into the live installer image, so I have to run fewer commands. - - [[https://nixos.wiki/wiki/NixOS_on_ARM#Getting_the_installer][More info on the NixOS Wiki]] - -#+begin_src nix :tangle nix/image-configuration.nix -{ ... }: { - imports = [ - - ]; - - services.sshd.enable = true; - services.ntp.enable = true; - - users.users.gsimmer = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - password = "pass"; # This gets changed. Don't get any ideas. 
- openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"]; - }; -} -#+end_src - -*** Watcher - - Watcher is my Raspberry Pi 3B+ responsible for monitoring various - services and devices on my network (and generally the wider web). - It uses [[https://github.com/gmemstr/platypus][Platypus]] (my custom monitoring platform) for this, along - with some cron jobs to curl the services themselves. - - Actually declaractive install of Platypus is TODO, once I have the - next release tagged. - -#+begin_src nix :tangle nix/watcher-configuration.nix -{ config, pkgs, lib, ... }: { - - boot.loader.grub.enable = false; - boot.loader.generic-extlinux-compatible.enable = true; - boot.kernelPackages = pkgs.linuxPackages_latest; - - - services.sshd.enable = true; - services.ntp.enable = true; - - users.users.gsimmer = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - password = "pass"; # This gets changed. Don't get any ideas. - openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"]; - }; - - environment.systemPackages = [ pkgs.git pkgs.curl ]; - - systemd.user.services.ensure-curlscript = { - script = '' - # At some point this will pull down a more complete script. - echo "Done!" 
- ''; - wantedBy = [ "multi-user.target" ]; - }; - - # Enable cron services - services.cron = { - enable = true; - systemCronJobs = [ - "*/5 * * * * gsimmer curl -I -o /dev/null -w \"$(date)|\\%{http_code}\" https://pw.gmem.ca > /home/gsimmer/pw-status" - "*/5 * * * * gsimmer curl -I -o /dev/null -w \"$(date)|\\%{http_code}\" https://hue.gmem.ca > /home/gsimmer/hue-status" - ]; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - }; - }; - - networking.firewall.enable = false; - -} -#+end_src - -*** Panda - - Panda is a general-purpose Raspberry Pi 4, responsible for hosting - some network shares and my password manager (using [[https://github.com/dani-garcia/vaultwarden][Vaultwarden]]). - - Largely TODO, this currently runs Raspbian until I'm happy with my - testbed. - -#+begin_src nix :tangle nix/panda-configuration.nix -{ ... }: { - imports = [ - - ]; - # put your own configuration here, for example ssh keys: - users.extraUsers.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com" - ]; -} -#+end_src +Moved to [[https://vancouver.scorpion-ghost.ts.net/git/arch/infra][arch/infra]].