From b1b72c7ad10285b85aa6049700bedbbdbbe3594d Mon Sep 17 00:00:00 2001 From: Tasia Iso Date: Fri, 24 Jan 2025 11:31:28 +0100 Subject: [PATCH] yaseen is dead, long live cave johnson --- README.md | 2 +- common/programs/ssh.nix | 2 +- common/services/usbguard.nix | 7 ---- crypto/secrets.nix | 8 ++--- crypto/ssh-keys.nix | 4 +-- flake.nix | 4 +-- hosts/{yaseen => cave}/configuration.nix | 32 +++++++++---------- .../hardware-configuration.nix | 24 +++++++------- hosts/{yaseen => cave}/yubikey.nix | 0 hosts/enry/configuration.nix | 2 +- hosts/phoenix/configuration.nix | 2 +- hosts/stuff/configuration.nix | 2 +- hosts/theseus/configuration.nix | 2 +- hosts/vulpecula-vps/configuration.nix | 4 +-- hosts/vulpecula-vps/wallabag.nix | 4 ++- hosts/vulpecula/configuration.nix | 2 +- 16 files changed, 49 insertions(+), 52 deletions(-) rename hosts/{yaseen => cave}/configuration.nix (91%) rename hosts/{yaseen => cave}/hardware-configuration.nix (76%) rename hosts/{yaseen => cave}/yubikey.nix (100%) diff --git a/README.md b/README.md index 154e2ef..ed16627 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,6 @@ Another person's laptop. This is my Raspberry Pi 3B+ inside my electrical cabinet. -### yaseen +### cave New laptop. Main driver. diff --git a/common/programs/ssh.nix b/common/programs/ssh.nix index 0a95655..5f91d0a 100644 --- a/common/programs/ssh.nix +++ b/common/programs/ssh.nix @@ -5,7 +5,7 @@ in { knownHosts = { "enry".publicKey = sshKeys.host.enry; "phoenix".publicKey = sshKeys.host.phoenix; - "yaseen".publicKey = sshKeys.host.yaseen; + "cave".publicKey = sshKeys.host.cave; }; }; } diff --git a/common/services/usbguard.nix b/common/services/usbguard.nix index 3852b57..b12fc52 100644 --- a/common/services/usbguard.nix +++ b/common/services/usbguard.nix 
@@ -9,13 +9,6 @@ IPCAllowedGroups = ["wheel"]; rules = '' - # yaseen - allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" - allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" - allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW" - allow id 048d:ce00 serial "" name "ITE Device(8291)" - allow id 8087:0025 serial "" name "" - # USB Drives allow id 0951:1666 serial "D067E5161936F420A61181ED" name "DataTraveler 3.0" # ISO USB allow id 346d:5678 serial "FC081FF86A47A" name "Disk 20" # TAILS USB diff --git a/crypto/secrets.nix b/crypto/secrets.nix index 66fec31..89f854a 100644 --- a/crypto/secrets.nix +++ b/crypto/secrets.nix @@ -2,14 +2,14 @@ let sshKeys = import ./ssh-keys.nix; in { "wifi.age".publicKeys = [ - sshKeys.host.yaseen - sshKeys.tasia.yaseen + sshKeys.host.cave + sshKeys.tasia.cave ]; "nm-secrets.age".publicKeys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave sshKeys.host.enry sshKeys.host.phoenix sshKeys.host.stuff - sshKeys.host.yaseen + sshKeys.host.cave ]; } diff --git a/crypto/ssh-keys.nix b/crypto/ssh-keys.nix index 7b5f889..c16c581 100644 --- a/crypto/ssh-keys.nix +++ b/crypto/ssh-keys.nix @@ -10,7 +10,7 @@ rec { }; tasia = { - yaseen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen"; + cave = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@cave"; yubi-primary = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDZTEBwdL/Ey7++/Cq15+nSyeKmBHMuRu44fDJ7L2T51AAAABHNzaDo= Primary Key"; yubi-spare = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjHm14dQiyZz70knJjwCZ6yrgkl72LE2w2jCsBNlrlHAAAABHNzaDo= Spare Key"; }; 
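Review bot: The `# yaseen` allow block (host controllers, card reader, ITE and 8087:0025 devices) is removed but nothing is added for the new machine, even though the hardware-configuration hunk below shows a different chassis (`ehci_pci`, `sdhci_pci`, `kvm-amd`). If `cave` imports this module and `implicitPolicyTarget` keeps the NixOS default of `block` (not visible in this hunk), its internal hubs and any built-in keyboard/touchpad hanging off USB will be blocked at boot. Generate a `# cave` block with `usbguard generate-policy` on the new laptop and put it where the yaseen block was, keeping the serial-matched `# USB Drives` rules. Note that `IPCAllowedGroups = ["wheel"]` (context) lets every wheel member rewrite the policy at runtime, so the static rules are only as strong as that group. The `rules` string continues outside the hunk.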
@@ -19,6 +19,6 @@ rec { enry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # host or user ? phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4Guf38dhoseOjx30w/Tk4Snp2ltJuk/gvpoyRWKUtt"; stuff = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwMDyMq2eQ5IckD4sUIMN5+O73hkyajz61I3XYbp5vt"; - yaseen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE"; + cave = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE"; }; } diff --git a/flake.nix b/flake.nix index 0007c27..d60a701 100644 --- a/flake.nix +++ b/flake.nix @@ -124,11 +124,11 @@ ]; }; - yaseen = stable.lib.nixosSystem { + cave = stable.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; modules = [ - ./hosts/yaseen/configuration.nix + ./hosts/cave/configuration.nix ]; }; diff --git a/hosts/yaseen/configuration.nix b/hosts/cave/configuration.nix similarity index 91% rename from hosts/yaseen/configuration.nix rename to hosts/cave/configuration.nix index 702eda2..7a2792e 100644 --- a/hosts/yaseen/configuration.nix +++ b/hosts/cave/configuration.nix @@ -21,13 +21,13 @@ in { #../../common/hardware/intel-cpu.nix # ../../common/hardware/tpm2.nix ../../common/hardware/wireless.nix - # ../../common/hardware/nvidia-gpu.nix + # ../../common/hardware/nvidia-gpu.nix #../../common/hardware/nvidia-gpu-offload.nix ../../common/hardware/ssd.nix ../../common/hardware/btrfs.nix # Software components - ../../common/components/de/sddm.nix + # ../../common/components/de/sddm.nix ../../common/components/de/plasma6.nix # ../../common/components/de/hyprland.nix @@ -69,7 +69,7 @@ in { #}; networking = { - hostName = "yaseen"; + hostName = "cave"; firewall = { allowedTCPPorts = [ @@ -89,7 +89,7 @@ in { }; users.users.tasia.openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave ]; virtualisation.docker.enable = true; 
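Review bot: `host.cave` is byte-for-byte the old `host.yaseen` key, and `tasia.cave` in the previous hunk is likewise the old user key with only its comment field edited (the comment is not part of the key, so the change is purely cosmetic). Reusing the keys is fine if the encrypted drive simply moved chassis, which the unchanged LUKS and btrfs UUIDs in the hardware-configuration hunk suggest; but if any copy of the old private halves survives (old drive, backup, TPM-sealed blob), the host key should be rotated, because `knownHosts."cave"` in common/programs/ssh.nix pins it fleet-wide and `crypto/secrets.nix` encrypts `wifi.age` and `nm-secrets.age` to it. Either way, record the decision next to the entry, e.g. `cave = "ssh-ed25519 …"; # carried over from yaseen (same disk); rotate if the old chassis's keys are ever recovered`.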
@@ -141,7 +141,7 @@ in { mako # notification system developed by swaywm maintainer ]; - # Enable the gnome-keyring secrets vault. + # Enable the gnome-keyring secrets vault. # Will be exposed through DBus to programs willing to store secrets. services.gnome.gnome-keyring.enable = true; @@ -151,12 +151,12 @@ in { wrapperFeatures.gtk = true; }; -hardware.rtl-sdr.enable = true; -users.users.tasia.extraGroups = [ "plugdev" ]; + hardware.rtl-sdr.enable = true; + users.users.tasia.extraGroups = ["plugdev"]; - boot.kernelParams = [ "modprobe.blacklist=dvb_usb_rtl28xxu" ]; # blacklist this module + boot.kernelParams = ["modprobe.blacklist=dvb_usb_rtl28xxu"]; # blacklist this module -services.udev.packages = [ pkgs.rtl-sdr ]; + services.udev.packages = [pkgs.rtl-sdr]; fonts.packages = with pkgs; [ (nerdfonts.override {fonts = ["CascadiaCode"];}) @@ -215,11 +215,11 @@ services.udev.packages = [ pkgs.rtl-sdr ]; # config.adminpassFile = "/etc/nextcloud-admin-pass"; # }; -# services.rustdesk-server = { -# enable = true; -# openFirewall = true; - # relayIP = "100.91.88.2"; - # }; + # services.rustdesk-server = { + # enable = true; + # openFirewall = true; + # relayIP = "100.91.88.2"; + # }; # users.users.lol = { # isNormalUser = true; 
@@ -247,7 +247,7 @@ services.udev.packages = [ pkgs.rtl-sdr ]; # system-binfmt-x86_64-enable = false; # enables emulation of x86_64 binaries, default is false # repo-path = "/var/lib/thymis/repository"; # directory where the controller will store the repository holding the project # database-url = "sqlite:////var/lib/thymis/thymis.sqlite"; # URL of the database - # base-url = "https://yaseen/"; # base URL of the controller, how it will be accessed from the outside + # base-url = "https://cave/"; # base URL of the controller, how it will be accessed from the outside # auth-basic = true; # whether to enable authentication using a basic username/password # auth-basic-username = "admin"; # username for basic authentication # auth-basic-password-file = "/var/lib/thymis/auth-basic-password"; # file containing the password for basic authentication @@ -261,7 +261,7 @@ services.udev.packages = [ pkgs.rtl-sdr ]; # services.nginx = { # enable = true; # virtualHosts."thymis" = { - # serverName = "yaseen"; + # serverName = "cave"; # enableACME = true; # forceSSL = true; # }; diff --git a/hosts/yaseen/hardware-configuration.nix b/hosts/cave/hardware-configuration.nix similarity index 76% rename from hosts/yaseen/hardware-configuration.nix rename to hosts/cave/hardware-configuration.nix index 459503f..8bc7151 100644 --- a/hosts/yaseen/hardware-configuration.nix +++ b/hosts/cave/hardware-configuration.nix @@ -12,9 +12,9 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "rtsx_usb_sdmmc"]; + boot.initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "sdhci_pci"]; boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; + boot.kernelModules = ["kvm-amd"]; boot.extraModulePackages = []; fileSystems."/" = { 
@@ -25,18 +25,18 @@ boot.initrd.luks.devices."luks-ab9bf3d3-8c4f-415b-944e-a8e8d355d11c".device = "/dev/disk/by-uuid/ab9bf3d3-8c4f-415b-944e-a8e8d355d11c"; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/E290-4D47"; - fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; - }; - fileSystems."/home" = { device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb"; fsType = "btrfs"; options = ["subvol=@home"]; }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/E290-4D47"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + swapDevices = []; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking @@ -44,11 +44,13 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; + # networking.interfaces.br-818d880dda82.useDHCP = lib.mkDefault true; + # networking.interfaces.br-b968380dbba7.useDHCP = lib.mkDefault true; # networking.interfaces.docker0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/yaseen/yubikey.nix b/hosts/cave/yubikey.nix similarity index 100% rename from hosts/yaseen/yubikey.nix rename to hosts/cave/yubikey.nix diff --git a/hosts/enry/configuration.nix b/hosts/enry/configuration.nix index 44c835a..4deebf0 100644 --- a/hosts/enry/configuration.nix 
+++ b/hosts/enry/configuration.nix @@ -41,7 +41,7 @@ in { extraGroups = ["networkmanager" "wheel" "dialout"]; initialPassword = "correcthorsebatterystaple"; openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave ]; }; diff --git a/hosts/phoenix/configuration.nix b/hosts/phoenix/configuration.nix index 2f29171..1fb78f3 100644 --- a/hosts/phoenix/configuration.nix +++ b/hosts/phoenix/configuration.nix @@ -39,7 +39,7 @@ in { }; users.users.user.openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave ]; services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"]; diff --git a/hosts/stuff/configuration.nix b/hosts/stuff/configuration.nix index 757f26c..9ab5fd9 100644 --- a/hosts/stuff/configuration.nix +++ b/hosts/stuff/configuration.nix @@ -33,7 +33,7 @@ in { networking.hostName = "stuff"; users.users.user.openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave ]; nix.settings.trusted-users = ["root" "@wheel"]; # TODO diff --git a/hosts/theseus/configuration.nix b/hosts/theseus/configuration.nix index 296cf05..4d3b727 100644 --- a/hosts/theseus/configuration.nix +++ b/hosts/theseus/configuration.nix @@ -35,7 +35,7 @@ in { }; users.users.user.openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave ]; services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"]; diff --git a/hosts/vulpecula-vps/configuration.nix b/hosts/vulpecula-vps/configuration.nix index ffef16f..ab9c629 100644 --- a/hosts/vulpecula-vps/configuration.nix +++ b/hosts/vulpecula-vps/configuration.nix @@ -49,7 +49,7 @@ in { extraGroups = ["networkmanager" "wheel" "dialout"]; initialPassword = "correcthorsebatterystaple"; openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave ]; }; 
@@ -81,6 +81,6 @@ in { boot.tmp.cleanOnBoot = true; zramSwap.enable = true; networking.domain = ""; - # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen'' ]; + # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@cave'' ]; system.stateVersion = "24.05"; } diff --git a/hosts/vulpecula-vps/wallabag.nix b/hosts/vulpecula-vps/wallabag.nix index 91f1664..a3db55c 100644 --- a/hosts/vulpecula-vps/wallabag.nix +++ b/hosts/vulpecula-vps/wallabag.nix @@ -1,7 +1,9 @@ -{config,...}: { +{config, ...}: { services.nginx.virtualHosts."wallabag.vulpecula.zone" = { addSSL = true; enableACME = true; locations."/".proxyPass = "http://localhost:62106"; }; + + # wallabag is managed through docker. } diff --git a/hosts/vulpecula/configuration.nix b/hosts/vulpecula/configuration.nix index 4db0d41..e79772b 100644 --- a/hosts/vulpecula/configuration.nix +++ b/hosts/vulpecula/configuration.nix @@ -45,7 +45,7 @@ in { extraGroups = ["networkmanager" "wheel"]; initialPassword = "correcthorsebatterystaple"; openssh.authorizedKeys.keys = [ - sshKeys.tasia.yaseen + sshKeys.tasia.cave sshKeys.tasia.yubi-primary sshKeys.tasia.yubi-spare ];
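Review bot: The updated commented-out root `authorizedKeys` line still hard-codes the ed25519 key literal, so it now duplicates `sshKeys.tasia.cave` from crypto/ssh-keys.nix and will silently drift if that key is ever rotated. Either delete the line or rewrite it as `# users.users.root.openssh.authorizedKeys.keys = [sshKeys.tasia.cave];` so that uncommenting it later cannot enable root login with a stale key. Whether root key login is even permitted depends on `PermitRootLogin`, which is not visible here.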
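Review bot: The new `# wallabag is managed through docker.` comment should state where the container is defined and how its port is published, because Docker's `-p 62106:80` binds 0.0.0.0 and inserts its own iptables rules ahead of the NixOS firewall, exposing the backend without TLS or this nginx vhost; it must be published as `127.0.0.1:62106:80`. Suggested wording: `# wallabag runs in a docker container (not defined in this repo); publish its port as 127.0.0.1:62106 so only this nginx vhost can reach it.`. Separately, the unchanged `addSSL = true` keeps a plaintext http listener for a service that takes login credentials; `forceSSL = true` would redirect it, if that is the intent.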