
#+title: NixOS System Configurations
#+PROPERTY: header-args :mkdirp yes
* Systems
I have opted to use NixOS for my systems moving forward. You can read a bit more
about this move [[https://blog.gabrielsimmer.com/posts/from-guix-to-nixos][here]]. I haven't dabbled with custom configuration too much so
this is pretty close to the default configuration.
** London
London is my primary desktop.
Be sure to import the hardware configuration the Nix installer generates.
#+begin_src nix :tangle nix/configuration.nix
# Tangled in ../Systems.org
{ config, pkgs, ... }:
{
# Hardware-specific bits (filesystems, LUKS containers, kernel modules) come
# from the file nixos-generate-config wrote; see nix/hardware-configuration.nix.
imports = [ ./hardware-configuration.nix ];
#+end_src
Bootloader is GRUB so I can dual boot Windows. =enableCryptodisk= is annoying but necessary here: the hardware configuration below only splits off =/boot/efi=, so =/boot= (kernel and initrd) lives on the LUKS-encrypted root and GRUB has to unlock that volume before it can load anything.
#+begin_src nix :tangle nix/configuration.nix
# GRUB on EFI rather than systemd-boot, because os-prober can add the Windows
# install to the menu for dual boot.
boot.loader.grub = {
  enable = true;
  version = 2;
  efiSupport = true;
  efiSysMountPoint = "/boot/efi";
  canTouchEfiVariables = true;
  # With efiSupport, "nodev" means GRUB is only installed as an EFI image
  # (no boot-sector write to a specific disk).
  device = "nodev";
  useOSProber = true;
  # /boot is not a separate unencrypted partition here (only /boot/efi is),
  # so GRUB has to open the LUKS root itself to reach the kernel and initrd.
  enableCryptodisk = true;
};
#+end_src
Basic system stuff that I won't really touch by hand. Importantly, this enables nix flakes. It also embeds =/crypto_keyfile.bin= into the initrd so the encrypted swap unlocks without a second passphrase; that is only safe while the initrd itself sits on the encrypted root rather than on the unencrypted EFI partition.
#+begin_src nix :tangle nix/configuration.nix
# Let aarch64 binaries run on this x86_64 host (QEMU user-mode via binfmt) -
# useful for building the Pi images locally.
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# Pinned kernel series. NOTE(review): linuxPackages_6_0 stops receiving
# updates once nixpkgs drops that series; linuxPackages_latest tracks upstream.
boot.kernelPackages = pkgs.linuxPackages_6_0;

# Copy the LUKS keyfile from the host into the initrd (null = same path on the
# host) so the swap volume below unlocks without a second passphrase prompt.
# The initrd is written under /boot, which is on the encrypted root (the
# hardware config only mounts /boot/efi separately). If /boot ever moves to
# the ESP, this keyfile becomes readable straight off the disk.
boot.initrd.secrets = {
  "/crypto_keyfile.bin" = null;
};
# Encrypted swap, opened with the keyfile above.
boot.initrd.luks.devices."luks-63100442-37df-4579-a787-cb2f2c67b3d1" = {
  device = "/dev/disk/by-uuid/63100442-37df-4579-a787-cb2f2c67b3d1";
  keyFile = "/crypto_keyfile.bin";
};

# Flakes and the new nix CLI.
nix.settings.experimental-features = [ "nix-command" "flakes" ];
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.utf8";
#+end_src
Networking stuff. I use Tailscale as a mesh VPN, and Mullvad for "privacy". Note that TCP 3389 is opened for xrdp on every interface; if RDP is only ever used over Tailscale, scoping it to =tailscale0= via =networking.firewall.interfaces= keeps it off the LAN.
#+begin_src nix :tangle nix/configuration.nix
networking.hostName = "LONDON";
networking.networkmanager.enable = true;
# Don't hold up boot until a link is online; NetworkManager brings it up itself.
systemd.services.NetworkManager-wait-online.enable = false;
networking.firewall = {
  # Presumably for Tailscale/Mullvad: tunnel traffic fails strict
  # reverse-path filtering.
  checkReversePath = "loose";
  # xrdp (enabled in the X11 section). NOTE(review): this opens 3389 on every
  # interface; if RDP is only reached over Tailscale,
  # networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 3389 ]
  # keeps it off the LAN.
  allowedTCPPorts = [ 3389 ];
};
services.mullvad-vpn.enable = true;
services.tailscale.enable = true;
#+end_src
Next, X11! I haven't quite made the switch to Wayland. Theoretically Plasma supports it but it doesn't seem to want to work. Long term I want to run Sway on an ultrawide. I also enable RDP in case I need to remote back into my desktop (if I can't use SSH for whatever reason). Also enable the nvidia drivers here.
#+begin_src nix :tangle nix/configuration.nix
# X11 with KDE Plasma (the Wayland session is not in use yet).
services.xserver = {
  enable = true;
  displayManager.sddm.enable = true;
  desktopManager.plasma5.enable = true;
  # Keymap.
  layout = "us";
  xkbVariant = "";
  # Proprietary nvidia driver; requires allowUnfree below.
  videoDrivers = [ "nvidia" ];
};
# Remote-desktop fallback for when SSH is not an option. xrdp listens on
# TCP 3389, which the networking section opens in the firewall.
services.xrdp = {
  enable = true;
  defaultWindowManager = "startplasma-x11";
};
nixpkgs.config.allowUnfree = true;
hardware.opengl.enable = true;
#+end_src
Basic user setup. I use home-manager for my profile applications so just give me vim and that's it (I actually use emacs, but it doesn't hurt to have a fallback).
#+begin_src nix :tangle nix/configuration.nix
programs.zsh.enable = true;
environment.shells = [ pkgs.zsh ];
users.users.gsimmer = {
  description = "Gabriel Simmer";
  isNormalUser = true;
  shell = pkgs.zsh;
  # wheel grants sudo; networkmanager lets the user manage connections.
  extraGroups = [ "networkmanager" "wheel" ];
  # Everything else comes from home-manager; vim is just the fallback editor.
  packages = [ pkgs.vim ];
};
#+end_src
Misc. utilities. Printing, sound, Docker, Steam, fonts. Why is Steam installed at a system level? I don't know. I think I got confused. This will be moved to home-manager at some point. Note that =remotePlay.openFirewall= opens the Steam Remote Play ports on every interface.
#+begin_src nix :tangle nix/configuration.nix
environment.systemPackages = [
  pkgs.os-prober       # needed by boot.loader.grub.useOSProber to find Windows
  pkgs.tailscale       # CLI for the tailscale service
  pkgs.cifs-utils      # mount.cifs for SMB shares
  pkgs.pinentry-curses # matches programs.gnupg.agent.pinentryFlavor
];
# CUPS printing.
services.printing.enable = true;
# Audio: pipewire with its pulse shim instead of pulseaudio.
sound.enable = true;
hardware.pulseaudio.enable = false;
# rtkit lets pipewire request realtime scheduling.
security.rtkit.enable = true;
services.pipewire = {
  enable = true;
  alsa = {
    enable = true;
    support32Bit = true;
  };
  pulse.enable = true;
  # JACK support is off; set jack.enable = true if JACK applications are needed.
};
# Docker with rootless mode: a per-user daemon, so gsimmer does not need the
# root-equivalent "docker" group (and is not in it). setSocketVariable points
# DOCKER_HOST at the per-user socket.
# NOTE(review): docker.enable = true also starts the system (root) daemon;
# if only the rootless one is used, enable = false would drop it.
virtualisation.docker.enable = true;
virtualisation.docker.rootless = {
  enable = true;
  setSocketVariable = true;
};
programs.dconf.enable = true;
# Steam at system level for now; should move to home-manager.
programs.steam = {
  enable = true;
  # Opens the Remote Play ports on every interface - reachable from the LAN.
  remotePlay.openFirewall = true;
  dedicatedServer.openFirewall = false;
};
fonts.fonts = [ pkgs.ibm-plex pkgs.jetbrains-mono ];
# YubiKey: yubikey-agent serves keys on the token as an SSH agent; pcscd is
# the smartcard daemon it talks through.
services.yubikey-agent.enable = true;
services.pcscd.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# gpg-agent with SSH support exposes a second SSH agent socket.
# NOTE(review): both agents presumably set SSH_AUTH_SOCK at login; which one
# the shell ends up with depends on session start-up order - check
# `echo $SSH_AUTH_SOCK` points where you expect.
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
  pinentryFlavor = "curses";
};
system.stateVersion = "22.05";
}
#+end_src
Hardware configuration generated by the NixOS installer.
#+begin_src nix :tangle nix/hardware-configuration.nix
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
# not-detected.nix presumably enables redistributable firmware, which the
# microcode line at the bottom keys off - confirm.
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
# Modules the initrd may load to find the disks (NVMe, USB, SATA).
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Root filesystem. Its UUID differs from the LUKS container below, so this is
# presumably the filesystem inside the opened luks-* mapping.
fileSystems."/" =
{ device = "/dev/disk/by-uuid/cd6f3e34-65ce-4be5-b4d4-6818e70dcff3";
fsType = "ext4";
};
# Root LUKS container. No keyFile is set here (unlike the swap container in
# configuration.nix), so it is unlocked by passphrase at boot.
boot.initrd.luks.devices."luks-0cd5d85e-e232-4f75-a8b3-087737657fef".device = "/dev/disk/by-uuid/0cd5d85e-e232-4f75-a8b3-087737657fef";
# EFI system partition: plain vfat, not encrypted. There is no separate /boot
# mount, so the kernel and initrd (with the embedded keyfile) stay on the root
# filesystem rather than on this partition.
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/AB23-FA19";
fsType = "vfat";
};
# Extra data disk, mounted by label.
fileSystems."/home/gsimmer/FHG" = {
device = "/dev/disk/by-label/FHG";
fsType = "ext4";
};
# Swap. The LUKS container it lives in is declared in configuration.nix
# (luks-63100442-...); this UUID is presumably the swap inside that mapping.
swapDevices =
[ { device = "/dev/disk/by-uuid/c50f2d93-2f31-4afc-ad26-4730a8f4b7f0"; }
];
networking.useDHCP = lib.mkDefault true;
# AMD microcode updates follow the redistributable-firmware setting.
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.video.hidpi.enable = lib.mkDefault true;
}
#+end_src
** Raspberry Pis
/This section is deprecated, as my Pis now run Raspbian with k3s./
I have two Raspberry Pis - a 3B+ ("watcher"), and a 4 ("panda"). Watcher
serves as a watchdog for my self hosted services, usually living on Panda.
*** The Installer Image
Very minimal changes required here: only enable the SSH daemon and add my key so I can push the actual configuration. The placeholder password is committed in this file and ends up in the world-readable Nix store, so SSH should be key-only until it has been changed.
I might investigate bundling the "real" configurations into the live installer image, so I have to run fewer commands.
[[https://nixos.wiki/wiki/NixOS_on_ARM#Getting_the_installer][More info on the NixOS Wiki]]
#+begin_src nix :tangle nix/image-configuration.nix
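# Installer SD image for the Pis: the stock aarch64 sd-image plus sshd and my
# user, so the real configuration can be pushed over SSH after first boot.
{ ... }: {
imports = [
<nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64.nix>
];
# services.sshd.enable is the legacy alias for this option.
services.openssh = {
  enable = true;
  # Key-only SSH. The bootstrap password below is public (it is in git and
  # lands in the world-readable nix store), so it must not be accepted over
  # the network; it is only for the console until it is changed.
  passwordAuthentication = false;
};
# Pis have no RTC; sync the clock after boot.
services.ntp.enable = true;
users.users.gsimmer = {
  isNormalUser = true;
  extraGroups = [ "wheel" ];
  # Console-only bootstrap password, changed after first login. `password`
  # is stored in plain text in the nix store; hashedPassword would avoid that.
  password = "pass"; # This gets changed. Don't get any ideas.
  openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"];
};
}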
#+end_src
*** Watcher
Watcher is my Raspberry Pi 3B+ responsible for monitoring various
services and devices on my network (and generally the wider web).
It uses [[https://github.com/gmemstr/platypus][Platypus]] (my custom monitoring platform) for this, along
with some cron jobs to curl the services themselves.
An actual declarative install of Platypus is TODO, once I have the
next release tagged.
#+begin_src nix :tangle nix/watcher-configuration.nix
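# Watcher (Pi 3B+): uptime checks for the self-hosted services. Platypus is
# not installed declaratively yet; for now cron + curl record each service's
# HTTP status every five minutes.
{ config, pkgs, lib, ... }: {
# The Pi boots through extlinux (U-Boot), not GRUB.
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# services.sshd.enable is the legacy alias for this option.
services.openssh = {
  enable = true;
  # Key-only SSH. The bootstrap password below is public (git + nix store),
  # so it must not be accepted over the network; change it on the console.
  passwordAuthentication = false;
};
services.ntp.enable = true;
users.users.gsimmer = {
  isNormalUser = true;
  extraGroups = [ "wheel" ];
  # Bootstrap password, changed after first login. `password` is kept in
  # plain text in the world-readable nix store; hashedPassword avoids that.
  password = "pass"; # This gets changed. Don't get any ideas.
  openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"];
};
environment.systemPackages = [ pkgs.git pkgs.curl ];
# Placeholder that will eventually fetch the real check script. User units
# hang off default.target: multi-user.target only exists in the system
# manager, so with the previous wantedBy this unit was never started.
systemd.user.services.ensure-curlscript = {
script = ''
# At some point this will pull down a more complete script.
echo "Done!"
'';
wantedBy = [ "default.target" ];
};
# Every 5 minutes HEAD each service and write "<date>|<http code>" into the
# user's home; the file is overwritten each run, so only the latest result is
# kept. In a crontab a bare % means newline, hence the \% (the Nix "\\%"
# becomes \% in the crontab). --max-time stops a hung service from stacking
# up curl processes run after run; on timeout the code is recorded as 000.
services.cron = {
enable = true;
systemCronJobs = [
"*/5 * * * * gsimmer curl -I --max-time 30 -o /dev/null -w \"$(date)|\\%{http_code}\" https://pw.gmem.ca > /home/gsimmer/pw-status"
"*/5 * * * * gsimmer curl -I --max-time 30 -o /dev/null -w \"$(date)|\\%{http_code}\" https://hue.gmem.ca > /home/gsimmer/hue-status"
];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
# NOTE(review): the firewall is off entirely, presumably for Platypus' future
# listener. openssh already opens its own port, so leaving the firewall on and
# listing Platypus' port in allowedTCPPorts would be the tighter option.
networking.firewall.enable = false;
}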
#+end_src
*** Panda
Panda is a general-purpose Raspberry Pi 4, responsible for hosting
some network shares and my password manager (using [[https://github.com/dani-garcia/vaultwarden][Vaultwarden]]).
Largely TODO, this currently runs Raspbian until I'm happy with my
testbed.
#+begin_src nix :tangle nix/panda-configuration.nix
# Panda (Pi 4): still the stock installer image plus my SSH key; the real
# configuration is TODO until the testbed is sorted out.
{ ... }: {
imports = [
<nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64.nix>
];
# Key-based root login for the initial push (users.extraUsers is the legacy
# alias of users.users). NOTE(review): whether sshd is running and root login
# is permitted here depends on the sd-image profile's openssh settings - verify.
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr gabriel@gitgalaxy.com"
];
}
#+end_src