diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b06cd3b --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &primary age16yxxp5lqg63zzh3s0f82lpslgc3phy6ugcqdnhh8y7fak65zrqkshjxt25 + - &ssh_key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary + - pgp: + - *ssh_key diff --git a/flake.lock b/flake.lock index 1bf5c4f..b680cbc 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,46 @@ { "nodes": { + "arion": { + "inputs": { + "flake-parts": "flake-parts", + "haskell-flake": "haskell-flake", + "hercules-ci-effects": "hercules-ci-effects", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722825873, + "narHash": "sha256-bFNXkD+s9NuidZePiJAjjFUnsMOwXb7hEZ4JEDdSALw=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "90bc85532767c785245f5c1e29ebfecb941cf8c9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "arion", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1729099656, + "narHash": "sha256-VftVIg7UXTy1bq+tzi1aVYOWl7PQ35IpjW88yMYjjpc=", + "owner": "nix-community", + "repo": "disko", + "rev": "d7d57edb72e54891fa67a6f058a46b2bb405663b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "dotfiles": { "flake": false, "locked": { 
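Review bot: The `ssh-ed25519 …` public key bound to `&ssh_key` is listed under `pgp:` in `creation_rules`, but sops resolves `pgp:` entries as GnuPG key fingerprints, so that recipient can never be used and any operation that needs it fails. Because `key_groups` has two entries, sops also defaults `shamir_threshold` to the number of groups and demands a share from each, so the unusable pgp group blocks the working age key as well. Collapse this to a single group, `- age:` followed by `- *primary`, and if the SSH key is also meant to decrypt, add its age form (from `ssh-to-age`, or the raw SSH public key only if the sops version in use accepts SSH recipients) to that same `age:` list rather than a second group.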
@@ -16,6 +57,86 @@ "url": "https://github.com/nomadics9/dotfiles.git" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "haskell-flake": { + "locked": { + "lastModified": 1675296942, + "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e", + "type": "github" + }, + "original": { + "owner": "srid", + "ref": "0.1.0", + "repo": "haskell-flake", + "type": "github" + } + }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719226092, + "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -23,11 +144,11 @@ ] }, "locked": { - "lastModified": 1728903686, - "narHash": "sha256-ZHFrGNWDDriZ4m8CA/5kDa250SG1LiiLPApv1p/JF0o=", + "lastModified": 1729165983, + "narHash": "sha256-gtcodl79t5ZbbX4TSx4RNyggasEvLdVnc/IM+RyxqJw=", "owner": "nix-community", "repo": "home-manager", - "rev": "e1aec543f5caf643ca0d94b6a633101942fd065f", + "rev": "78a7a070bbcc3b37cc36080c2a3514207d427b3b", "type": "github" }, "original": { @@ -38,16 +159,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1728492678, - "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", - "owner": "nixos", + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -68,12 +189,68 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1728156290, + "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "17ae88b569bb15590549ff478bab6494dde4a907", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728888510, + "narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "arion": "arion", + "disko": "disko", "dotfiles": "dotfiles", "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1728345710, + "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 5629808..a26bfb0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,6 +8,16 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; # Pin sops-nix to follow nixpkgs + }; + arion = { + url = "github:hercules-ci/arion"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko.url = "github:nix-community/disko"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11"; @@ -19,7 +29,7 @@ - outputs = { self, home-manager, nixpkgs, dotfiles, ... }@inputs: + outputs = { self, home-manager, nixpkgs, dotfiles, sops-nix, arion, disko, ... }@inputs: let inherit (self) outputs; systems = [ @@ -31,23 +41,51 @@ ]; forAllSystems = nixpkgs.lib.genAttrs systems; user = "nomad"; - hostname = "unkown"; + hostname = "vps"; in { packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); overlays = import ./overlays { inherit inputs; }; nixosConfigurations = { - ${hostname} = nixpkgs.lib.nixosSystem { + + unkown = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs outputs user hostname; }; - modules = [ ./hosts/${hostname} ]; + modules = [ + ./hosts/${hostname} + sops-nix.nixosModules.sops + arion.nixosModules.arion + ]; + }; + + homelab = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs user; }; + modules = [ + ./hosts/homelab + arion.nixosModules.arion + disko.nixosModules.disko + sops-nix.nixosModules.sops + ]; + }; + + vps = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs user; }; + modules = [ + ./hosts/vps + arion.nixosModules.arion + disko.nixosModules.disko + sops-nix.nixosModules.sops + ]; }; }; + homeConfigurations = { "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration { pkgs = nixpkgs.legacyPackages."x86_64-linux"; extraSpecialArgs = { inherit inputs outputs user; }; - modules = [ ./home/${user}/${hostname}.nix ]; + modules = [ + ./home/${user}/${hostname}.nix + ]; }; }; }; 
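Review bot: `disko.url = "github:nix-community/disko";` is the only new input without `inputs.nixpkgs.follows = "nixpkgs"`, so disko pulls its own nixpkgs; the accompanying flake.lock already shows the effect (the `disko` node locks a separate `nixpkgs` while `root` uses `nixpkgs_2`), which means a second nixpkgs evaluation and a second tree to keep updated. Write it like the neighbouring inputs: `disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; };`.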
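Review bot: After `hostname = "vps";` the `unkown` configuration still builds `./hosts/${hostname}` and passes `inherit … hostname`, so `nixosConfigurations.unkown` now evaluates `./hosts/vps` with `hostname = "vps"`, and `homeConfigurations."${user}@${hostname}"` becomes `nomad@vps` importing `./home/nomad/vps.nix` instead of the `unkown.nix` this commit also edits. If `unkown` is still its own host, give it `./hosts/unkown` in `modules` and `specialArgs = { inherit inputs outputs user; hostname = "unkown"; };`, or drop the shared `hostname` let-binding and set it per configuration. `homelab` and `vps` do not receive `hostname` in their `specialArgs`; if their configuration.nix takes `hostname` the way `hosts/unkown/configuration.nix` does, evaluation fails, though those modules are not visible in this diff.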
diff --git a/home/common/default.nix b/home/common/default.nix index 8b31055..96500fd 100644 --- a/home/common/default.nix +++ b/home/common/default.nix @@ -29,7 +29,11 @@ nix = { package = lib.mkDefault pkgs.nix; settings = { - experimental-features = [ "nix-command" "flakes" "repl-flake" ]; + experimental-features = [ + "nix-command" + "flakes" + #"repl-flake" + ]; warn-dirty = false; }; }; diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix index 888b23c..722ba6e 100644 --- a/home/features/cli/default.nix +++ b/home/features/cli/default.nix @@ -22,6 +22,5 @@ zip exiftool nvtopPackages.full - cava ]; } diff --git a/home/nomad/home.nix b/home/nomad/home.nix deleted file mode 100644 index 102636a..0000000 --- a/home/nomad/home.nix +++ /dev/null 
@@ -1,141 +0,0 @@ -# This is a default home.nix generated by the follwing hone-manager command -# -# home-manager init ./ - -{ config, lib, pkgs, user, ... }: - -{ - home.username = lib.mkDefault user; - home.homeDirectory = lib.mkDefault "/home/${config.home.username}"; - # This value determines the Home Manager release that your configuration is - # compatible with. This helps avoid breakage when a new Home Manager release - # introduces backwards incompatible changes. - # - # You should not change this value, even if you update Home Manager. If you do - # want to update the value, then make sure to first check the Home Manager - # release notes. - home.stateVersion = "24.05"; # Please read the comment before changing. - - # The home.packages option allows you to install Nix packages into your - # environment. - home.packages = with pkgs; [ - # Essentials - kitty - firefox - # Apps - vlc - amberol - webcord - bottles - cava - ryujinx - mullvad-vpn - transmission_4-gtk - obsidian - tailscale - syncthing - qsyncthingtray - htop - nvtopPackages.full - exiftool - moonlight-qt - kdePackages.kdeconnect-kde - # Dev - go - python3 - nim - bun - pocketbase - edgedb - bruno - ripgrep - zip - #zed-fhs - # android-studio - # android-tools - jre17_minimal - # Nvim-Lua - lua-language-server - cowsay - - - # # Adds the 'hello' command to your environment. It prints a friendly - # # "Hello, world!" when run. - # pkgs.hello - - # # It is sometimes useful to fine-tune packages, for example, by applying - # # overrides. You can do that directly here, just don't forget the - # # parentheses. Maybe you want to install Nerd Fonts with a limited number of - # # fonts? - # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; }) - - # # You can also create simple shell scripts directly inside your - # # configuration. For example, this adds a command 'my-hello' to your - # # environment: - # (pkgs.writeShellScriptBin "my-hello" '' - # echo "Hello, ${config.home.username}!" 
- # '') - ]; - - # Home Manager is pretty good at managing dotfiles. The primary way to manage - # plain files is through 'home.file'. - home.file = { - # # Building this configuration will create a copy of 'dotfiles/screenrc' in - # # the Nix store. Activating the configuration will then make '~/.screenrc' a - # # symlink to the Nix store copy. - # ".screenrc".source = dotfiles/screenrc; - - # # You can also set the file content immediately. - # ".gradle/gradle.properties".text = '' - # org.gradle.console=verbose - # org.gradle.daemon.idletimeout=3600000 - # ''; - }; - - # Home Manager can also manage your environment variables through - # 'home.sessionVariables'. If you don't want to manage your shell through Home - # Manager then you have to manually source 'hm-session-vars.sh' located at - # either - # - # ~/.nix-profile/etc/profile.d/hm-session-vars.sh - # - # or - # - # ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh - # - # or - # - # /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh - # - home.sessionVariables = { - BROWSER = "firefox"; - EDITOR = "nvim"; - TERMINAL = "kitty"; - NIXOS_OZONE_WL = "1"; - MOZ_ENABLE_WAYLAND = "1"; - SDL_VIDEODRIVER = "wayland"; - _JAVA_AWT_WM_NONREPARENTING = "1"; - MOZ_DRM_DEVICE = "/dev/dri/card0:/dev/dri/card1"; - WLR_DRM_DEVICES = "/dev/dri/card0:/dev/dri/card1"; - #WLR_NO_HARDWARE_CURSORS = "1"; # if no cursor,uncomment this line - GBM_BACKEND = "nvidia-drm"; - CLUTTER_BACKEND = "wayland"; - LIBVA_DRIVER_NAME = "iHD"; - WLR_RENDERER = "vulkan"; - VK_DRIVER_FILES = "/run/opengl-driver/share/vulkan/icd.d/nvidia_icd.x86_64.json"; - __GLX_VENDOR_LIBRARY_NAME = "nvidia"; - __NV_PRIME_RENDER_OFFLOAD = "1"; - XDG_CURRENT_DESKTOP = "Hyprland"; - XDG_SESSION_DESKTOP = "Hyprland"; - XDG_SESSION_TYPE = "wayland"; - GTK_USE_PORTAL = "1"; - GTK_THEME = "Nightfox-dark"; - XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache"; - XDG_CONFIG_HOME = "${config.home.homeDirectory}/.config"; - XDG_BIN_HOME 
= "${config.home.homeDirectory}/.nix-profile/bin"; - XDG_DATA_HOME = "${config.home.homeDirectory}/.local/share"; - }; - - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; -} diff --git a/home/nomad/unkown.nix b/home/nomad/unkown.nix index 64a7958..6f49912 100644 --- a/home/nomad/unkown.nix +++ b/home/nomad/unkown.nix @@ -5,7 +5,7 @@ ../features/cli ../features/desktop ../features/themes - ./home.nix + ./unkown/home.nix ]; features = { diff --git a/hosts/common/default.nix b/hosts/common/default.nix index 6130141..85e2793 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix @@ -4,6 +4,8 @@ imports = [ ./users ./services + ./homelab + ./vps inputs.home-manager.nixosModules.home-manager ]; diff --git a/hosts/common/services/default.nix b/hosts/common/services/default.nix index d21480d..19387f4 100644 --- a/hosts/common/services/default.nix +++ b/hosts/common/services/default.nix @@ -1,7 +1,6 @@ { imports = [ ./vm.nix - ./vfio.nix ./steam.nix ./polkit.nix ./appimage.nix diff --git a/hosts/common/users/nomad.nix b/hosts/common/users/nomad.nix index 2ea5812..f284a3f 100644 --- a/hosts/common/users/nomad.nix +++ b/hosts/common/users/nomad.nix 
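Review bot: `./unkown/home.nix` replaces an import of `./home.nix`, which this commit deletes, but no `home/nomad/unkown/home.nix` is added anywhere in the diff shown here; unless that file is created in the same commit, the home-manager module for the `unkown` host fails to import. If the file was moved, the deleted `home.nix` carried `home.stateVersion`, `programs.home-manager.enable` and the whole `home.sessionVariables` set, so check that they reach the new location.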
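Review bot: Importing `./homelab` and `./vps` from `hosts/common/default.nix` means every host, including `unkown`, evaluates both modules, while `flake.nix` already imports `./hosts/homelab` and `./hosts/vps` per configuration. If `hosts/common/homelab` and `hosts/common/vps` hold anything host-specific (disko layouts, networking, services), it now applies everywhere; if they are shared option definitions, a comment such as `# shared option definitions used by the homelab and vps hosts` above the two lines would make the intent clear. The contents of those directories are not part of this diff.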
@@ -4,26 +4,62 @@ , user , ... }: { - users.users.${user} = { - initialPassword = "4321"; - isNormalUser = true; - shell = pkgs.zsh; - description = "${user}"; - extraGroups = [ - "wheel" - "networkmanager" - "libvirtd" - "flatpak" - "audio" - "video" - "plugdev" - "input" - "kvm" - "qemu-libvirtd" - "docker" - ]; - packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; + users.users = { + ${user} = { + initialPassword = "4321"; + isNormalUser = true; + shell = pkgs.zsh; + description = "${user}"; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "flatpak" + "audio" + "video" + "plugdev" + "input" + "kvm" + "qemu-libvirtd" + "docker" + "key" + ]; + packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe" + ]; + }; + + root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe" + ]; + extraGroups = [ "key" ]; + }; }; + + # Decrypt the secrets file using sops-nix with age + + + sops.secrets = { + DUFS_USERNAME = { }; + DUFS_PASSWORD = { }; + NEXTCLOUD_DB_USERNAME = { }; + NEXTCLOUD_DB_PASSWORD = { }; + NEXTCLOUD_DB = { }; + }; + + + sops.templates."my-env.env".content = '' + DUFS_USERNAME = "${config.sops.placeholder.DUFS_USERNAME}" + DUFS_PASSWORD = "${config.sops.placeholder.DUFS_PASSWORD}" + NEXTCLOUD_DB_USERNAME = "${config.sops.placeholder.NEXTCLOUD_DB_USERNAME}" + NEXTCLOUD_DB_PASSWORD = "${config.sops.placeholder.NEXTCLOUD_DB_PASSWORD}" + NEXTCLOUD_DB = "${config.sops.placeholder.NEXTCLOUD_DB}" + ''; + + users.users = { }; + programs.zsh.enable = true; home-manager.users.${user} = import ../../../home/${user}/${config.networking.hostName}.nix; diff --git a/hosts/unkown/configuration.nix b/hosts/unkown/configuration.nix index 8d23d3d..35041ce 100644 --- a/hosts/unkown/configuration.nix +++ b/hosts/unkown/configuration.nix 
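Review bot: `root.openssh.authorizedKeys.keys` puts the same key on root, which makes direct root SSH possible whenever `services.openssh.settings.PermitRootLogin` permits key auth (not visible here); since `${user}` is already in `wheel`, dropping the root entry, or pinning `services.openssh.settings.PermitRootLogin = "prohibit-password";`, keeps the exposure smaller. The unchanged `initialPassword = "4321";` now sits next to these keys; with sops-nix wired in, `hashedPasswordFile = config.sops.secrets.<name>.path;` and `neededForUsers = true` on that secret would take the hard-coded password out of the repo. The trailing `users.users = { };` is merged into the earlier `users.users` literal by the parser and does nothing; remove it. The template lines use `KEY = "value"`, while many env-file consumers (systemd `EnvironmentFile`, compose `env_file`) expect `KEY=value` with no spaces around `=`, so check the format against whatever reads `my-env.env`.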
@@ -1,4 +1,4 @@ -{ pkgs, hostname, ... }: { +{ pkgs, hostname, inputs, user, ... }: { imports = [ # Include the results of the hardware scan. @@ -21,7 +21,7 @@ common.services.nautilus.enable = true; # Virtual Box (Virt-Manager) and GPU Passthru. you have to configure hosts/services/vfio.nix for passthrough to work! common.services.vm.enable = true; - common.services.vfio.enable = false; + #common.services.vfio.enable = false; # AppStores common.services.appimage.enable = true; common.services.steam.enable = true; @@ -37,6 +37,12 @@ # Ntfs support boot.supportedFilesystems = [ "ntfs" ]; + sops = { + age.keyFile = "/etc/nixos/sops/age/keys.txt"; + defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + }; + # Enable GDM Login Manager diff --git a/hosts/unkown/hardware-configuration.nix b/hosts/unkown/hardware-configuration.nix index 6739d23..6cf65e1 100644 --- a/hosts/unkown/hardware-configuration.nix +++ b/hosts/unkown/hardware-configuration.nix @@ -12,7 +12,6 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; fileSystems."/" = {
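Review bot: The comment two lines above the change, `# Virtual Box (Virt-Manager) and GPU Passthru. you have to configure hosts/services/vfio.nix for passthrough to work!`, still sends readers to `vfio.nix`, but this commit comments out `common.services.vfio.enable` here and drops `./vfio.nix` from `hosts/common/services/default.nix`, so the option no longer exists. Either delete the commented-out line together with the vfio part of the comment, or replace it with `# VFIO/GPU passthrough module removed; see hosts/common/services/default.nix`.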
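Review bot: `age.keyFile = "/etc/nixos/sops/age/keys.txt";` places the age private key under `/etc/nixos`, which on most NixOS hosts is the checkout of this very flake, so one careless `git add` publishes the identity that decrypts `secrets/secrets.yaml`; keep it outside the tree (`/var/lib/sops-nix/key.txt`, the path the sops-nix README examples use) or derive it from the host key with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, and in any case list the location in `.gitignore`. This `sops` block is set only for `unkown`, while the secrets are declared in `hosts/common/users/nomad.nix`, which every host imports; unless `homelab` and `vps` set `sops.defaultSopsFile` elsewhere (not visible in this diff), their evaluation will most likely fail on secrets with no sops file. Each host's age identity also has to be among the recipients in `.sops.yaml`, which currently lists a single `age1…` key.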