yaseen is dead, long live cave johnson

Tasia Iso 2025-01-24 11:31:28 +01:00
parent 308ebe941e
commit b1b72c7ad1
16 changed files with 49 additions and 52 deletions


@ -70,6 +70,6 @@ Another person's laptop.
This is my Raspberry Pi 3B+ inside my electrical cabinet. This is my Raspberry Pi 3B+ inside my electrical cabinet.
### yaseen ### cave
New laptop. Main driver. New laptop. Main driver.


@ -5,7 +5,7 @@ in {
knownHosts = { knownHosts = {
"enry".publicKey = sshKeys.host.enry; "enry".publicKey = sshKeys.host.enry;
"phoenix".publicKey = sshKeys.host.phoenix; "phoenix".publicKey = sshKeys.host.phoenix;
"yaseen".publicKey = sshKeys.host.yaseen; "cave".publicKey = sshKeys.host.cave;
}; };
}; };
} }


@ -9,13 +9,6 @@
IPCAllowedGroups = ["wheel"]; IPCAllowedGroups = ["wheel"];
rules = '' rules = ''
# yaseen
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller"
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller"
allow id 0bda:0129 serial "20100201396000000" name "USB2.0-CRW"
allow id 048d:ce00 serial "" name "ITE Device(8291)"
allow id 8087:0025 serial "" name ""
# USB Drives # USB Drives
allow id 0951:1666 serial "D067E5161936F420A61181ED" name "DataTraveler 3.0" # ISO USB allow id 0951:1666 serial "D067E5161936F420A61181ED" name "DataTraveler 3.0" # ISO USB
allow id 346d:5678 serial "FC081FF86A47A" name "Disk 20" # TAILS USB allow id 346d:5678 serial "FC081FF86A47A" name "Disk 20" # TAILS USB


@ -2,14 +2,14 @@ let
sshKeys = import ./ssh-keys.nix; sshKeys = import ./ssh-keys.nix;
in { in {
"wifi.age".publicKeys = [ "wifi.age".publicKeys = [
sshKeys.host.yaseen sshKeys.host.cave
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
"nm-secrets.age".publicKeys = [ "nm-secrets.age".publicKeys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
sshKeys.host.enry sshKeys.host.enry
sshKeys.host.phoenix sshKeys.host.phoenix
sshKeys.host.stuff sshKeys.host.stuff
sshKeys.host.yaseen sshKeys.host.cave
]; ];
} }


@ -10,7 +10,7 @@ rec {
}; };
tasia = { tasia = {
yaseen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen"; cave = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@cave";
yubi-primary = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDZTEBwdL/Ey7++/Cq15+nSyeKmBHMuRu44fDJ7L2T51AAAABHNzaDo= Primary Key"; yubi-primary = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDZTEBwdL/Ey7++/Cq15+nSyeKmBHMuRu44fDJ7L2T51AAAABHNzaDo= Primary Key";
yubi-spare = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjHm14dQiyZz70knJjwCZ6yrgkl72LE2w2jCsBNlrlHAAAABHNzaDo= Spare Key"; yubi-spare = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGjHm14dQiyZz70knJjwCZ6yrgkl72LE2w2jCsBNlrlHAAAABHNzaDo= Spare Key";
}; };
@ -19,6 +19,6 @@ rec {
enry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # host or user ? enry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCPPE7U87PZ4+BQrdJtPuD/ibf9ubyPAqcRJe6Lpc2D"; # host or user ?
phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4Guf38dhoseOjx30w/Tk4Snp2ltJuk/gvpoyRWKUtt"; phoenix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4Guf38dhoseOjx30w/Tk4Snp2ltJuk/gvpoyRWKUtt";
stuff = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwMDyMq2eQ5IckD4sUIMN5+O73hkyajz61I3XYbp5vt"; stuff = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwMDyMq2eQ5IckD4sUIMN5+O73hkyajz61I3XYbp5vt";
yaseen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE"; cave = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXu/iFf6yhi6A0f6Lvp+wyltMHq1YgxZan5OdCKP9gE";
}; };
} }


@ -124,11 +124,11 @@
]; ];
}; };
yaseen = stable.lib.nixosSystem { cave = stable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./hosts/yaseen/configuration.nix ./hosts/cave/configuration.nix
]; ];
}; };


@ -27,7 +27,7 @@ in {
../../common/hardware/btrfs.nix ../../common/hardware/btrfs.nix
# Software components # Software components
../../common/components/de/sddm.nix # ../../common/components/de/sddm.nix
../../common/components/de/plasma6.nix ../../common/components/de/plasma6.nix
# ../../common/components/de/hyprland.nix # ../../common/components/de/hyprland.nix
@ -69,7 +69,7 @@ in {
#}; #};
networking = { networking = {
hostName = "yaseen"; hostName = "cave";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
@ -89,7 +89,7 @@ in {
}; };
users.users.tasia.openssh.authorizedKeys.keys = [ users.users.tasia.openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
@ -151,12 +151,12 @@ in {
wrapperFeatures.gtk = true; wrapperFeatures.gtk = true;
}; };
hardware.rtl-sdr.enable = true; hardware.rtl-sdr.enable = true;
users.users.tasia.extraGroups = [ "plugdev" ]; users.users.tasia.extraGroups = ["plugdev"];
boot.kernelParams = [ "modprobe.blacklist=dvb_usb_rtl28xxu" ]; # blacklist this module boot.kernelParams = ["modprobe.blacklist=dvb_usb_rtl28xxu"]; # blacklist this module
services.udev.packages = [ pkgs.rtl-sdr ]; services.udev.packages = [pkgs.rtl-sdr];
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
(nerdfonts.override {fonts = ["CascadiaCode"];}) (nerdfonts.override {fonts = ["CascadiaCode"];})
@ -215,9 +215,9 @@ services.udev.packages = [ pkgs.rtl-sdr ];
# config.adminpassFile = "/etc/nextcloud-admin-pass"; # config.adminpassFile = "/etc/nextcloud-admin-pass";
# }; # };
# services.rustdesk-server = { # services.rustdesk-server = {
# enable = true; # enable = true;
# openFirewall = true; # openFirewall = true;
# relayIP = "100.91.88.2"; # relayIP = "100.91.88.2";
# }; # };
@ -247,7 +247,7 @@ services.udev.packages = [ pkgs.rtl-sdr ];
# system-binfmt-x86_64-enable = false; # enables emulation of x86_64 binaries, default is false # system-binfmt-x86_64-enable = false; # enables emulation of x86_64 binaries, default is false
# repo-path = "/var/lib/thymis/repository"; # directory where the controller will store the repository holding the project # repo-path = "/var/lib/thymis/repository"; # directory where the controller will store the repository holding the project
# database-url = "sqlite:////var/lib/thymis/thymis.sqlite"; # URL of the database # database-url = "sqlite:////var/lib/thymis/thymis.sqlite"; # URL of the database
# base-url = "https://yaseen/"; # base URL of the controller, how it will be accessed from the outside # base-url = "https://cave/"; # base URL of the controller, how it will be accessed from the outside
# auth-basic = true; # whether to enable authentication using a basic username/password # auth-basic = true; # whether to enable authentication using a basic username/password
# auth-basic-username = "admin"; # username for basic authentication # auth-basic-username = "admin"; # username for basic authentication
# auth-basic-password-file = "/var/lib/thymis/auth-basic-password"; # file containing the password for basic authentication # auth-basic-password-file = "/var/lib/thymis/auth-basic-password"; # file containing the password for basic authentication
@ -261,7 +261,7 @@ services.udev.packages = [ pkgs.rtl-sdr ];
# services.nginx = { # services.nginx = {
# enable = true; # enable = true;
# virtualHosts."thymis" = { # virtualHosts."thymis" = {
# serverName = "yaseen"; # serverName = "cave";
# enableACME = true; # enableACME = true;
# forceSSL = true; # forceSSL = true;
# }; # };


@ -12,9 +12,9 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "rtsx_usb_sdmmc"]; boot.initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "sdhci_pci"];
boot.initrd.kernelModules = []; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = []; boot.extraModulePackages = [];
fileSystems."/" = { fileSystems."/" = {
@ -25,18 +25,18 @@
boot.initrd.luks.devices."luks-ab9bf3d3-8c4f-415b-944e-a8e8d355d11c".device = "/dev/disk/by-uuid/ab9bf3d3-8c4f-415b-944e-a8e8d355d11c"; boot.initrd.luks.devices."luks-ab9bf3d3-8c4f-415b-944e-a8e8d355d11c".device = "/dev/disk/by-uuid/ab9bf3d3-8c4f-415b-944e-a8e8d355d11c";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/E290-4D47";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
fileSystems."/home" = { fileSystems."/home" = {
device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb"; device = "/dev/disk/by-uuid/cee0ceca-3ea6-43d8-a483-00882f9ae6bb";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=@home"]; options = ["subvol=@home"];
}; };
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/E290-4D47";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = []; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -44,11 +44,13 @@
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.br-818d880dda82.useDHCP = lib.mkDefault true;
# networking.interfaces.br-b968380dbba7.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true; # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }
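Review bot: The relocated `fileSystems."/boot"` block keeps `options = ["fmask=0022" "dmask=0022"];`, which leaves every file on the ESP readable by all local users. If this host boots with systemd-boot (not visible in this section), that includes the boot loader's random seed file, which bootctl warns about. Since the block is being moved anyway, consider `options = ["fmask=0077" "dmask=0077"];`.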


@ -41,7 +41,7 @@ in {
extraGroups = ["networkmanager" "wheel" "dialout"]; extraGroups = ["networkmanager" "wheel" "dialout"];
initialPassword = "correcthorsebatterystaple"; initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
}; };
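Review bot: The account block touched here keeps `initialPassword = "correcthorsebatterystaple";` in its context lines for a user in `wheel`, so a widely known passphrase is stored in clear text in the repository. The same line appears in the two later sections that set `initialPassword`. NixOS applies this option only when the account is first created, so the exposure depends on whether the password was changed afterwards and whether password login is reachable, neither of which is visible here. As key-based login is already configured, the line could be dropped, or replaced with `hashedPasswordFile = config.age.secrets.<secret-name>.path;` if the age secrets seen elsewhere in this commit are available on the host. The user definition starts and ends outside the hunk.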


@ -39,7 +39,7 @@ in {
}; };
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"]; services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"];


@ -33,7 +33,7 @@ in {
networking.hostName = "stuff"; networking.hostName = "stuff";
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
nix.settings.trusted-users = ["root" "@wheel"]; # TODO nix.settings.trusted-users = ["root" "@wheel"]; # TODO


@ -35,7 +35,7 @@ in {
}; };
users.users.user.openssh.authorizedKeys.keys = [ users.users.user.openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"]; services.btrfs.autoScrub.fileSystems = lib.mkForce ["/" "/data"];


@ -49,7 +49,7 @@ in {
extraGroups = ["networkmanager" "wheel" "dialout"]; extraGroups = ["networkmanager" "wheel" "dialout"];
initialPassword = "correcthorsebatterystaple"; initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
]; ];
}; };
@ -81,6 +81,6 @@ in {
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.domain = ""; networking.domain = "";
# users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@yaseen'' ]; # users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLyDLtqUhEQwIsPx0XgQ9OJb2+XxL+2ra4goNJEgwf0 tasia@cave'' ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }


@ -1,7 +1,9 @@
{config,...}: { {config, ...}: {
services.nginx.virtualHosts."wallabag.vulpecula.zone" = { services.nginx.virtualHosts."wallabag.vulpecula.zone" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:62106"; locations."/".proxyPass = "http://localhost:62106";
}; };
# wallabag is managed through docker.
} }
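Review bot: The added comment records that wallabag runs in Docker, but nothing in this section shows how port 62106 is published, and ports published by Docker are opened through Docker's own iptables rules rather than `networking.firewall`. If the container is not bound to loopback, the backend would be reachable directly without TLS; the comment could state the requirement, e.g. `# wallabag is managed through docker; publish the port as 127.0.0.1:62106 only`. Separately, the vhost uses `addSSL = true;`, which keeps serving plain HTTP without a redirect, whereas `forceSSL = true;` would keep logins off HTTP.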


@ -45,7 +45,7 @@ in {
extraGroups = ["networkmanager" "wheel"]; extraGroups = ["networkmanager" "wheel"];
initialPassword = "correcthorsebatterystaple"; initialPassword = "correcthorsebatterystaple";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
sshKeys.tasia.yaseen sshKeys.tasia.cave
sshKeys.tasia.yubi-primary sshKeys.tasia.yubi-primary
sshKeys.tasia.yubi-spare sshKeys.tasia.yubi-spare
]; ];