Move systems.org contents
This commit is contained in:
parent
61fe57871e
commit
5855f350e4
341
Systems.org
341
Systems.org
|
@ -1,340 +1 @@
|
||||||
#+title: NixOS System Configurations
|
Moved to [[https://vancouver.scorpion-ghost.ts.net/git/arch/infra][arch/infra]].
|
||||||
#+PROPERTY: header-args :mkdirp yes
|
|
||||||
|
|
||||||
* Systems
|
|
||||||
|
|
||||||
I have opted to use NixOS for my systems moving forward. You can read a bit more
|
|
||||||
about this move [[https://blog.gabrielsimmer.com/posts/from-guix-to-nixos][here]]. I haven't dabbled with custom configuration too much so
|
|
||||||
this is pretty close to the default configuration.
|
|
||||||
|
|
||||||
** London
|
|
||||||
|
|
||||||
London is my primary desktop.
|
|
||||||
|
|
||||||
Be sure to import the hardware configuration the Nix installer generates.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
# Tangled in ../Systems.org
|
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[
|
|
||||||
./hardware-configuration.nix
|
|
||||||
];
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Bootloader is GRUB so I can dual boot Windows. =enableCryptodisk= is annoying but apparently neccesary.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
boot.loader.grub = {
|
|
||||||
enable = true;
|
|
||||||
version = 2;
|
|
||||||
device = "nodev";
|
|
||||||
useOSProber = true;
|
|
||||||
efiSupport = true;
|
|
||||||
enableCryptodisk = true;
|
|
||||||
canTouchEfiVariables = true;
|
|
||||||
efiSysMountPoint = "/boot/efi";
|
|
||||||
};
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Basic system stuff that I won't really touch by hand. Importantly, enabled nix flakes.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
|
||||||
boot.kernelPackages = pkgs.linuxPackages_6_0;
|
|
||||||
|
|
||||||
# Setup keyfile
|
|
||||||
boot.initrd.secrets = {
|
|
||||||
"/crypto_keyfile.bin" = null;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Enable swap on luks
|
|
||||||
boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1".device = "/dev/disk/by-uuid/63100442-37df-4579-a787-cb2f2c67b3d1";
|
|
||||||
boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1".keyFile = "/crypto_keyfile.bin";
|
|
||||||
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
||||||
|
|
||||||
time.timeZone = "Europe/London";
|
|
||||||
i18n.defaultLocale = "en_GB.utf8";
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Networking stuff. I use Tailscale as a mesh VPN, and Mullvad for "privacy".
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
networking.hostName = "LONDON"; # Define your hostname.
|
|
||||||
# Enable networking
|
|
||||||
networking.networkmanager.enable = true;
|
|
||||||
systemd.services.NetworkManager-wait-online.enable = false;
|
|
||||||
networking.firewall.checkReversePath = "loose";
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 3389 ]; # for RDP
|
|
||||||
|
|
||||||
services.mullvad-vpn.enable = true;
|
|
||||||
services.tailscale.enable = true;
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Next, X11! I haven't quite made the switch to Wayland. Theoretically Plasma supports it but it doesn't seem to want to work. Long term I want to run Sway on an ultrawide. I also enable RDP in case I need to remote back into my desktop (if I can't use SSH for whatever reason). Also enable the nvidia drivers here.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
|
|
||||||
# Enable the X11 windowing system.
|
|
||||||
services.xserver.enable = true;
|
|
||||||
|
|
||||||
# Enable the KDE Plasma Desktop Environment.
|
|
||||||
services.xserver.displayManager.sddm.enable = true;
|
|
||||||
services.xserver.desktopManager.plasma5.enable = true;
|
|
||||||
|
|
||||||
services.xrdp.enable = true;
|
|
||||||
services.xrdp.defaultWindowManager = "startplasma-x11";
|
|
||||||
|
|
||||||
# Configure keymap in X11
|
|
||||||
services.xserver = {
|
|
||||||
layout = "us";
|
|
||||||
xkbVariant = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
# Allow unfree packages
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
|
||||||
services.xserver.videoDrivers = [ "nvidia" ];
|
|
||||||
hardware.opengl.enable = true;
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Basic user setup. I use home-manager for my profile applications so just give me vim and that's it (I actually use emacs, but it doesn't hurt to have a fallback).
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
programs.zsh.enable = true;
|
|
||||||
environment.shells = with pkgs; [ zsh ];
|
|
||||||
users.users.gsimmer = {
|
|
||||||
shell = pkgs.zsh;
|
|
||||||
isNormalUser = true;
|
|
||||||
description = "Gabriel Simmer";
|
|
||||||
extraGroups = [ "networkmanager" "wheel" ];
|
|
||||||
packages = with pkgs; [ vim ];
|
|
||||||
};
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Misc. utilities. Printing, sound, Docker, Steam, fonts. Why is Steam installed at a system level? I don't know. I think I got confused. This will be move to home-manager at some point.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/configuration.nix
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
os-prober
|
|
||||||
tailscale
|
|
||||||
cifs-utils
|
|
||||||
pinentry-curses
|
|
||||||
];
|
|
||||||
|
|
||||||
# Enable CUPS to print documents.
|
|
||||||
services.printing.enable = true;
|
|
||||||
|
|
||||||
# Enable sound with pipewire.
|
|
||||||
sound.enable = true;
|
|
||||||
hardware.pulseaudio.enable = false;
|
|
||||||
security.rtkit.enable = true;
|
|
||||||
services.pipewire = {
|
|
||||||
enable = true;
|
|
||||||
alsa.enable = true;
|
|
||||||
alsa.support32Bit = true;
|
|
||||||
pulse.enable = true;
|
|
||||||
# If you want to use JACK applications, uncomment this
|
|
||||||
#jack.enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation = {
|
|
||||||
docker = {
|
|
||||||
enable = true;
|
|
||||||
rootless = {
|
|
||||||
enable = true;
|
|
||||||
setSocketVariable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
programs.dconf.enable = true;
|
|
||||||
|
|
||||||
programs.steam = {
|
|
||||||
enable = true;
|
|
||||||
remotePlay.openFirewall = true;
|
|
||||||
dedicatedServer.openFirewall = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
fonts.fonts = with pkgs; [
|
|
||||||
ibm-plex
|
|
||||||
jetbrains-mono
|
|
||||||
];
|
|
||||||
|
|
||||||
services.yubikey-agent.enable = true;
|
|
||||||
services.pcscd.enable = true;
|
|
||||||
|
|
||||||
# Some programs need SUID wrappers, can be configured further or are
|
|
||||||
# started in user sessions.
|
|
||||||
# programs.mtr.enable = true;
|
|
||||||
programs.gnupg.agent = {
|
|
||||||
enable = true;
|
|
||||||
pinentryFlavor = "curses";
|
|
||||||
enableSSHSupport = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
system.stateVersion = "22.05";
|
|
||||||
}
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
Hardware configuration generated by the NixOS installer.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/hardware-configuration.nix
|
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, pkgs, modulesPath, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
|
|
||||||
boot.initrd.kernelModules = [ ];
|
|
||||||
boot.kernelModules = [ "kvm-amd" ];
|
|
||||||
boot.extraModulePackages = [ ];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
|
||||||
{ device = "/dev/disk/by-uuid/cd6f3e34-65ce-4be5-b4d4-6818e70dcff3";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.initrd.luks.devices."luks-0cd5d85e-e232-4f75-a8b3-087737657fef".device = "/dev/disk/by-uuid/0cd5d85e-e232-4f75-a8b3-087737657fef";
|
|
||||||
|
|
||||||
fileSystems."/boot/efi" =
|
|
||||||
{ device = "/dev/disk/by-uuid/AB23-FA19";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/home/gsimmer/FHG" = {
|
|
||||||
device = "/dev/disk/by-label/FHG";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices =
|
|
||||||
[ { device = "/dev/disk/by-uuid/c50f2d93-2f31-4afc-ad26-4730a8f4b7f0"; }
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
|
||||||
hardware.video.hidpi.enable = lib.mkDefault true;
|
|
||||||
}
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
** Raspberry Pis
|
|
||||||
|
|
||||||
/This section is deprecated, as my Pis now run Raspbian with k3s./
|
|
||||||
|
|
||||||
I have two Raspberry Pis - a 3B+ ("watcher"), and a 4 ("panda"). Watcher
|
|
||||||
serves as a watchdog for my self hosted services, usually living on Panda.
|
|
||||||
|
|
||||||
*** The Installer Image
|
|
||||||
|
|
||||||
Very minimal changes required here, only really need to enabled the SSH daemon and add my key so I can push the actual configuration.
|
|
||||||
|
|
||||||
I might investigate bundling the "real" configurations into the live installer image, so I have to run fewer commands.
|
|
||||||
|
|
||||||
[[https://nixos.wiki/wiki/NixOS_on_ARM#Getting_the_installer][More info on the NixOS Wiki]]
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/image-configuration.nix
|
|
||||||
{ ... }: {
|
|
||||||
imports = [
|
|
||||||
<nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64.nix>
|
|
||||||
];
|
|
||||||
|
|
||||||
services.sshd.enable = true;
|
|
||||||
services.ntp.enable = true;
|
|
||||||
|
|
||||||
users.users.gsimmer = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel" ];
|
|
||||||
password = "pass"; # This gets changed. Don't get any ideas.
|
|
||||||
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"];
|
|
||||||
};
|
|
||||||
}
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
*** Watcher
|
|
||||||
|
|
||||||
Watcher is my Raspberry Pi 3B+ responsible for monitoring various
|
|
||||||
services and devices on my network (and generally the wider web).
|
|
||||||
It uses [[https://github.com/gmemstr/platypus][Platypus]] (my custom monitoring platform) for this, along
|
|
||||||
with some cron jobs to curl the services themselves.
|
|
||||||
|
|
||||||
Actually declaractive install of Platypus is TODO, once I have the
|
|
||||||
next release tagged.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/watcher-configuration.nix
|
|
||||||
{ config, pkgs, lib, ... }: {
|
|
||||||
|
|
||||||
boot.loader.grub.enable = false;
|
|
||||||
boot.loader.generic-extlinux-compatible.enable = true;
|
|
||||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
|
||||||
|
|
||||||
|
|
||||||
services.sshd.enable = true;
|
|
||||||
services.ntp.enable = true;
|
|
||||||
|
|
||||||
users.users.gsimmer = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel" ];
|
|
||||||
password = "pass"; # This gets changed. Don't get any ideas.
|
|
||||||
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"];
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.git pkgs.curl ];
|
|
||||||
|
|
||||||
systemd.user.services.ensure-curlscript = {
|
|
||||||
script = ''
|
|
||||||
# At some point this will pull down a more complete script.
|
|
||||||
echo "Done!"
|
|
||||||
'';
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Enable cron services
|
|
||||||
services.cron = {
|
|
||||||
enable = true;
|
|
||||||
systemCronJobs = [
|
|
||||||
"*/5 * * * * gsimmer curl -I -o /dev/null -w \"$(date)|\\%{http_code}\" https://pw.gmem.ca > /home/gsimmer/pw-status"
|
|
||||||
"*/5 * * * * gsimmer curl -I -o /dev/null -w \"$(date)|\\%{http_code}\" https://hue.gmem.ca > /home/gsimmer/hue-status"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems = {
|
|
||||||
"/" = {
|
|
||||||
device = "/dev/disk/by-label/NIXOS_SD";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.enable = false;
|
|
||||||
|
|
||||||
}
|
|
||||||
#+end_src
|
|
||||||
|
|
||||||
*** Panda
|
|
||||||
|
|
||||||
Panda is a general-purpose Raspberry Pi 4, responsible for hosting
|
|
||||||
some network shares and my password manager (using [[https://github.com/dani-garcia/vaultwarden][Vaultwarden]]).
|
|
||||||
|
|
||||||
Largely TODO, this currently runs Raspbian until I'm happy with my
|
|
||||||
testbed.
|
|
||||||
|
|
||||||
#+begin_src nix :tangle nix/panda-configuration.nix
|
|
||||||
{ ... }: {
|
|
||||||
imports = [
|
|
||||||
<nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64.nix>
|
|
||||||
];
|
|
||||||
# put your own configuration here, for example ssh keys:
|
|
||||||
users.extraUsers.root.openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
|
|
||||||
];
|
|
||||||
}
|
|
||||||
#+end_src
|
|
||||||
|
|
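Review bot: The single surviving line points readers at a host under `.ts.net`, which is a Tailscale MagicDNS name that only resolves for devices joined to that tailnet, so anyone reading this repository from outside it gets a dead link with no hint why. The removed text (the rest of this hunk) described the setup in place, so the pointer is now the only navigation aid in the file. A one-clause qualifier would save readers a confused DNS lookup, e.g. `Moved to [[https://vancouver.scorpion-ghost.ts.net/git/arch/infra][arch/infra]] (reachable only from my tailnet).` If a publicly reachable mirror of arch/infra exists, linking that alongside would be better still.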