From cbcf3a0e3db223d5f76d7dc06914012a4120ea4b Mon Sep 17 00:00:00 2001 From: Sebastian Moser Date: Tue, 21 Nov 2023 13:53:05 +0100 Subject: [PATCH] ... --- common/all.nix | 8 ++- common/nixos-headless.nix | 18 ++++++ common/nixos.nix | 4 +- flake.nix | 35 +++------- hosts/acern.nix | 26 ++++++++ hosts/{luna.nix => lush.nix} | 0 hosts/main.nix | 11 +++- hosts/rpi.md | 66 +++++++++++++++++++ hosts/rpi.nix | 122 +++++++++++++++++++++++++++++++++++ users/me/default.nix | 6 +- users/me/headless.nix | 17 +++++ users/me/home-headless.nix | 78 ++++++++++++++++++++++ users/me/home.nix | 100 ++++++---------------------- 13 files changed, 377 insertions(+), 114 deletions(-) create mode 100644 hosts/acern.nix rename hosts/{luna.nix => lush.nix} (100%) create mode 100644 hosts/rpi.md create mode 100644 hosts/rpi.nix create mode 100644 users/me/headless.nix create mode 100644 users/me/home-headless.nix diff --git a/common/all.nix b/common/all.nix index c39d277..c640758 100644 --- a/common/all.nix +++ b/common/all.nix @@ -1,4 +1,4 @@ -{ inputs, self, secretsDir, specialArgs, ... }: +{ lib, inputs, self, secretsDir, specialArgs, ... }: # config that i use on all my hosts @@ -25,8 +25,10 @@ export PATH=$PATH:${self}/mybin ''; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings = { + experimental-features = lib.mkDefault "nix-command flakes"; + trusted-users = [ "root" "@wheel" ]; + }; home-manager.backupFileExtension = "backup"; diff --git a/common/nixos-headless.nix b/common/nixos-headless.nix index e69de29..6fabcd8 100644 --- a/common/nixos-headless.nix +++ b/common/nixos-headless.nix 
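Review bot: `trusted-users = [ "root" "@wheel" ]` makes every wheel member equivalent to root as far as the Nix daemon is concerned (the Nix manual is explicit that trusted users can override substituters, import unsigned paths and disable the sandbox), and common/all.nix is imported by every host, including hosts/acern.nix where `me` is in wheel with the cleartext password `changeme` from users/me/headless.nix. If the intent is only to let `me` use flakes and remote builders, that consequence should at least be stated next to the line, e.g. `trusted-users = [ "root" "@wheel" ]; # NOTE: trusted users bypass signature checks and the sandbox, i.e. effectively root`. Switching experimental-features from a list to the string `"nix-command flakes"` appears to render to the same nix.conf line under the freeform settings type, so that part looks fine as far as I can tell.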
@@ -0,0 +1,18 @@ +{ lib, ... }: + +# config that i use on all my hosts, that run native nixos +# excluding for example my phone phone + +{ + system.stateVersion = lib.mkDefault "23.05"; # Did you read the comment? + + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + #keyMap = "at"; + useXkbConfig = true; # use xkbOptions in tty. + }; +} + diff --git a/common/nixos.nix b/common/nixos.nix index d011c5e..605f581 100644 --- a/common/nixos.nix +++ b/common/nixos.nix @@ -1,9 +1,11 @@ -{ ... }: +{ lib, ... }: # config that i use on all my hosts, that run native nixos # excluding for example my phone phone { + system.stateVersion = "23.05"; # Did you read the comment? + # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; diff --git a/flake.nix b/flake.nix index b04a1c5..885ace2 100644 --- a/flake.nix +++ b/flake.nix @@ -95,20 +95,23 @@ "rpi" = nixpkgs.lib.nixosSystem { inherit specialArgs; system = "x86_64-linux"; + modules = [ + ./hosts/rpi.nix + ]; }; # my raspberry to try out stuff with - "luna" = nixpkgs.lib.nixosSystem { + "lush" = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" inputs.nixos-hardware.nixosModules.raspberry-pi-4 - ./hosts/luna.nix + ./hosts/lush.nix { system.stateVersion = "23.05"; # Did you read the comment? nixpkgs.hostPlatform.system = "aarch64-linux"; - nixpkgs.buildPlatform.system = "x86_64-linux"; #If you build on x86 other wise changes this. + nixpkgs.buildPlatform.system = "x86_64-linux"; hardware.enableRedistributableFirmware = true; } 
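Review bot: `system.stateVersion = "23.05";` in common/nixos.nix is a plain assignment, whereas the new common/nixos-headless.nix in the same commit uses `lib.mkDefault "23.05"`; if any host that imports nixos.nix also sets its own stateVersion (the `lush` entry in flake.nix sets one inline, for example), evaluation fails with a conflicting-definitions error. Use `system.stateVersion = lib.mkDefault "23.05"; # Did you read the comment?` here as well so hosts can override it. The two files are otherwise near-identical; it may be simpler to have nixos.nix import nixos-headless.nix instead of duplicating the locale and console block.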
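Review bot: The `rpi` configuration is declared with `system = "x86_64-linux"` but now imports ./hosts/rpi.nix, which (per its hunk below) mounts `/dev/disk/by-label/NIXOS_SD`, enables `generic-extlinux-compatible` and sets `raspberryPi.firmwareConfig`, all of which suggest an aarch64 Raspberry Pi build like the `lush` entry next to it. If this host is meant to run on a Pi, the entry presumably needs `system = "aarch64-linux"` (or `nixpkgs.hostPlatform` as `lush` does) plus the sd-image and nixos-hardware modules; if it really is an x86 machine, the boot loader and root filesystem settings in rpi.nix look wrong. A one-line comment on the entry saying which hardware it targets would settle this.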
@@ -134,29 +137,11 @@ ]; }; - "wsl" = nixpkgs.lib.nixosSystem { + "acern" = nixpkgs.lib.nixosSystem { inherit specialArgs; system = "x86_64-linux"; modules = [ - inputs.nix-wsl.nixosModules.wsl - { - wsl.enable = true; - - services.openssh = { - enable = true; - ports = [ 2222 ]; - - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - }; - - users.users.nixos.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" - ]; - - programs.bash.loginShellInit = "nixos-wsl-welcome"; - } - ./common/all.nix + ./hosts/acern.nix ]; }; @@ -218,11 +203,11 @@ run-vm = specialArgs.pkgs.writeScriptBin "run-vm" '' ${self.nixosConfigurations.hpm.config.system.build.vm}/bin/run-hpm-vm -m 4G -cpu host -smp 4 ''; - #wsl = inputs.nix-wsl.nixosConfigurations.modern.config.system.build.tarballBuilder; + acern = inputs.nix-wsl.nixosConfigurations.modern.config.system.build.tarballBuilder; #luna = (self.nixosConfigurations.luna.extendModules { #modules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix" ]; #}).config.system.build.sdImage; - luna = self.nixosConfigurations.luna.config.system.build.sdImage; + lush = self.nixosConfigurations.lush.config.system.build.sdImage; test = nixpkgs.legacyPackages.x86_64-linux.pkgsCross.raspberryPi.raspberrypi-armstubs; }; diff --git a/hosts/acern.nix b/hosts/acern.nix new file mode 100644 index 0000000..fe00fd7 --- /dev/null +++ b/hosts/acern.nix 
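Review bot: The `acern` package is `inputs.nix-wsl.nixosConfigurations.modern.config.system.build.tarballBuilder`, i.e. it builds the tarball of nix-wsl's own sample `modern` configuration, not of the `acern` host this commit defines. If the package is meant to produce the WSL tarball for acern, it should read `acern = self.nixosConfigurations.acern.config.system.build.tarballBuilder;`, matching how `lush` refers to `self.nixosConfigurations.lush` two lines below. If the nix-wsl sample is really what is wanted, the package deserves a different name or a comment, since a reader will assume `acern` builds acern.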
@@ -0,0 +1,26 @@ +{ pkgs, inputs, ...}: +{ + imports = [ + inputs.nix-wsl.nixosModules.wsl + ./users/me/headless.nix + ./common/all.nix + ./common/nixos-headless.nix + ]; + + wsl.enable = true; + + services.openssh = { + enable = true; + ports = [ 2222 ]; + + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + }; + + users.users.me.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden" + ]; + + programs.bash.loginShellInit = "nixos-wsl-welcome"; +} diff --git a/hosts/luna.nix b/hosts/lush.nix similarity index 100% rename from hosts/luna.nix rename to hosts/lush.nix diff --git a/hosts/main.nix b/hosts/main.nix index 7e25606..3751de5 100644 --- a/hosts/main.nix +++ b/hosts/main.nix @@ -13,7 +13,7 @@ imports = [ ../common/all.nix - ../common/nixos.nix + ../common/nixos-headless.nix ../common/nixos-graphical.nix ../common/building.nix @@ -29,6 +29,7 @@ ]; virtualisation.podman.enable = true; + hardware.bluetooth.settings = { General = { MultiProfile = "multiple"; @@ -88,7 +89,9 @@ then rm /etc/host-youtube-block else + echo old: $timeout timeout=$((timeout - 1)) + echo new: $timeout echo -en $timeout > /etc/host-youtube-block fi else @@ -144,8 +147,9 @@ security.polkit.enable = true; - networking.firewall.enable = true; + networking.firewall.allowPing = true; + networking.firewall.enable = true; services.samba.openFirewall = true; @@ -153,9 +157,10 @@ services.samba-wsdd.enable = true; # make shares visible for windows 10 clients networking.firewall.allowedTCPPorts = [ - 5357 # wsdd + 5357 # wsdd 8888 # for general usage 9999 # for general usage + 8080 # for mitm proxy ]; networking.firewall.allowedUDPPorts = [ diff --git a/hosts/rpi.md b/hosts/rpi.md new file mode 100644 index 0000000..067d440 --- /dev/null +++ b/hosts/rpi.md 
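Review bot: The `imports` in hosts/acern.nix use `./users/me/headless.nix`, `./common/all.nix` and `./common/nixos-headless.nix`, which resolve relative to hosts/ (hosts/users/…, hosts/common/…) and do not exist there; hosts/main.nix and the new hosts/rpi.nix in this same commit use `../common/all.nix`, so these three should be `../users/me/headless.nix`, `../common/all.nix`, `../common/nixos-headless.nix`. Once that evaluates, note that the imported headless.nix gives `me` the cleartext password `changeme` together with wheel membership, and common/all.nix makes `@wheel` a trusted Nix user; key-only SSH limits the remote exposure, but that string is still the sudo password on this host. The second authorized key, labelled `me@bitwarden`, is new relative to the inline module removed from flake.nix; if intentional, a short comment on where that key is kept would help future review.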
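Review bot: `echo old: $timeout` and `echo new: $timeout` in the youtube-block script look like leftover debugging output; the script otherwise only persists the counter with `echo -en $timeout > /etc/host-youtube-block`, so these two lines should be dropped, or redirected to stderr or `logger` if the trace is wanted. The enclosing script starts and ends outside the hunk, so I cannot see where its stdout goes.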
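Review bot: Port 8080 is added to `networking.firewall.allowedTCPPorts` with the comment `# for mitm proxy`, which exposes the intercepting proxy on every network this machine joins. If other devices only need it on the home LAN, scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8080 ];` (placeholder interface name), and if only this machine uses it the port need not be opened at all. The `5357 # wsdd` change in the same hunk is whitespace only.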
@@ -0,0 +1,66 @@
+
+
+# get pi to boot from usb-source
+echo program_usb_boot_mode=1 | sudo tee -a /boot/config.txt
+https://www.elektronik-kompendium.de/sites/raspberry-pi/2404241.htm
+
+# setup
+## set static ip (192.168.1.2)
+used /etc/network/interfaces (seems to be debian only)
+
+
+## enable ssh (touch ssh file in the boot partition)
+
+## set root pwd (copy hash from local /etc/shadow)
+
+CMD: apt update
+CMD: apt install nodejs npm
+CMD: npm i -g @bitwarden/cli
+
+## set hostname
+
+## setup bcache
+- if "sudo make-bcache -C /dev/sda3 -B /dev/md0" then no need for registering (i think)
+PKG: bcache-tools git build-essential uuid-dev mdadm
+CMD: sudo make-bcache -C /dev/sda3
+CMD: sudo mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb /dev/sdc
+CMD: sudo make-bcache -B /dev/md0
+
+## other bcache things
+- you can echo 1 > /sys/fs/bcache//unregister
+- but there also is: echo 1 > /sys/block/bcache0/bcache/stop
+ - if seccond is not done, volumes used by this bcache device will show as " is apparently in use by the system; will not make a filesystem here!", when mkfs.ext5
+
+## mdadm things
+- do a check: https://www.thomas-krenn.com/de/wiki/Mdadm_checkarray
+
+## add swap file maybe
+CMD: sudo vim /etc/dphys-swapfile
+CMD: sudo dphys-swapfile setup
+CMD: sudo dphys-swapfile swapon
+
+# things
+- users
+ admin - sudo without password and access to bitwarden
+ files - for managing files (old: dateimanager)
+ server - for deployed servers (podman)
+ mamafiles - for the mamafiles share
+- swap
+- mdadm
+- bcache
+- mount /home/files/storage
+ - so that other users can't read it
+- smb shares
+- ssh acces
+ - ssh config: PermitRootAccess and PasswordAuthentication
+- me-net (wireguard)
+- podman containers
+- dyndns
+- wstunnel for wireguard
+- rclone mount onedrive backups
+- borgmatic
+
+
+
+
+
diff --git a/hosts/rpi.nix b/hosts/rpi.nix
new file mode 100644
index 0000000..2dba505
--- /dev/null
+++ b/hosts/rpi.nix
@@ -0,0 +1,122 @@
+{ lib, pkgs, ... }:
+{
+ imports = [
+ ../common/all.nix
+ ../common/nixos-headless.nix
+
+ ../users/me/default.nix
+ ../users/root/default.nix
+ ];
+
+ # This causes an overlay which causes a lot of rebuilding
+ environment.noXlibs = lib.mkForce false;
+ # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
+ # disk with this label on first boot. Therefore, we need to keep it. It is the
+ # only information from the installer image that we need to keep persistent
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ };
+
+ boot = {
+ kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+ loader = {
+ generic-extlinux-compatible.enable = lib.mkDefault true;
+ grub.enable = lib.mkDefault false;
+ raspberryPi.firmwareConfig = ''
+ program_usb_boot_mode=1
+ '';
+ };
+ };
+
+ virtualisation.podman.enable = true;
+
+ networking.firewall.allowPing = true;
+ networking.firewall.enable = true;
+ services.samba.openFirewall = true;
+
+ networking.hostName = "rpi";
+
+ networking = {
+ defaultGateway = {
+ address = "192.168.1.1";
+ interface = "eth0";
+ };
+
+ interface."eth0" = {
+ #name = "eth0";
+ ipv4.addresses = [
+ { address = "192.168.1.6"; prefixLength = 24;}
+ ];
+ };
+
+ interfaces."wlan0".useDHCP = true;
+
+ wireless = {
+ interfaces = [ "wlan0" ];
+ enable = true;
+ networks = {
+ seb-phone.psk = "hellogello";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 5357 # wsdd
+ 8888 # for general usage
+ 9999 # for general usage
+ 8080 # for mitm proxy
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 3702 # wsdd
+ ];
+
+
+ ################################## ssh ######################################
+ services.openssh.enable = true;
+ users.users.me.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
+ ];
+
+
+
+ ################################ samba ######################################
+
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients + + services.samba = { + enable = true; + securityType = "user"; + extraConfig = '' + security = user + map to guest = bad user + guest account = me + + server role = standalone server + workgroup = WORKGROUP + ''; + shares = { + rpi_schule = { + path = "${workDir}/rpi-schule/"; + "guest ok" = "yes"; + "read only" = "no"; + public = "yes"; + writable = "yes"; + printable = "no"; + comment = "share for rpi in school wlan"; + }; + + share = { + comment = "share for sharing stuff"; + path = "${workDir}/share"; + public = "yes"; + "guest ok" = "yes"; + "read only" = "no"; + writable = "yes"; + }; + }; + }; + + +} diff --git a/users/me/default.nix b/users/me/default.nix index 2ed6b1e..5329bb0 100644 --- a/users/me/default.nix +++ b/users/me/default.nix @@ -1,4 +1,4 @@ -{ pkgs, secretsDir, inputs, config, self, ... }: +{ pkgs, secretsDir, inputs, config, self, lib, ... }: { users.users.me = { isNormalUser = true; @@ -7,13 +7,13 @@ extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; # Enable ‘sudo’ for the user. }; - #home-manager._module.args = { inherit inputs; }; - home-manager.users.me = import ./home.nix; home-manager.extraSpecialArgs = { inherit self; hostname = config.networking.hostName; }; + home-manager.users.me = import ./home.nix; + fonts.fonts = with pkgs; [ hack-font ]; diff --git a/users/me/headless.nix b/users/me/headless.nix new file mode 100644 index 0000000..648385d --- /dev/null +++ b/users/me/headless.nix @@ -0,0 +1,17 @@ +{ self, config, ... }: +{ + users.users.me = { + isNormalUser = true; + #passwordFile = "${secretsDir}/me-pwd"; + password = "changeme"; + extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; # Enable ‘sudo’ for the user. + }; + + home-manager.extraSpecialArgs = { + inherit self; + hostname = config.networking.hostName; + }; + + home-manager.users.me = import ./home-headless.nix; + +} 
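Review bot: Two things in hosts/rpi.nix will not evaluate: `interface."eth0" = {` (the option is `networking.interfaces`, as the `interfaces."wlan0".useDHCP` line right below uses correctly) and the two samba `path = "${workDir}/..."` values, since `workDir` is neither in the module's `{ lib, pkgs, ... }` arguments nor defined anywhere in the file; the first should read `interfaces."eth0" = {` and `workDir` needs a binding (a `let` at the top or a module argument). Separately, `seb-phone.psk = "hellogello"` commits a Wi-Fi PSK to the repository and copies it into the world-readable Nix store; this repo already keeps rclone-conf and me-pwd under `secretsDir`, so the PSK belongs in a file referenced by `networking.wireless.environmentFile` with `seb-phone.psk = "@SEB_PHONE_PSK@";`. The ssh block enables sshd and installs a key but, unlike hosts/acern.nix in the same commit, does not set `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;`, so password logins stay at the NixOS default, which is enabled. That matters more here because the samba shares are `guest ok`/`writable` with `guest account = me`, i.e. the same account that owns the ssh key.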
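Review bot: `password = "changeme";` in users/me/headless.nix puts a well-known cleartext password on a user that is in `wheel` (sudo) and, via common/all.nix, a trusted Nix user; the commented-out `#passwordFile = "${secretsDir}/me-pwd";` above it is the right shape, but `secretsDir` is not in this module's `{ self, config, ... }` arguments, so uncommenting it as-is would fail. Add `secretsDir` to the argument set, as users/me/default.nix does, and use `passwordFile = "${secretsDir}/me-pwd";` (or `hashedPassword`) in place of `password`. `extraGroups` also carries `networkmanager` and `libvirtd` over from the desktop profile; nothing in this commit enables either service on the headless hosts, so those groups are presumably unused and could be trimmed.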
diff --git a/users/me/home-headless.nix b/users/me/home-headless.nix new file mode 100644 index 0000000..6ed95fe --- /dev/null +++ b/users/me/home-headless.nix @@ -0,0 +1,78 @@ +{ config, pkgs, self, secretsDir, inputs, persistentDir, ... }: +{ + # The home.stateVersion option does not have a default and must be set + home.stateVersion = "23.05"; + + imports = [ + inputs.nix-index-database.hmModules.nix-index + + # all my headless programms with their own config + ../../programs/git.nix + ../../programs/lf/default.nix + ../../programs/bash.nix + ../../programs/ssh.nix + ../../programs/neovim.nix + ]; + + programs.nix-index.enable = false; + programs.nix-index.enableBashIntegration = false; + programs.nix-index.enableZshIntegration = false; + + home.sessionVariables = { + EDITOR = "nvim"; + }; + + home.sessionPath = [ "${self}/mybin" ]; + home.file = { + ".rclone.conf".source = config.lib.file.mkOutOfStoreSymlink "${secretsDir}/rclone-conf"; + ".subversion/config".text = '' + [miscellany] + global-ignores = node_modules target + ''; # documentation for this config file: https://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html + }; + + home.packages = with pkgs; [ + vim + tree + htop + subversion + pv + nodejs + neofetch + file + lshw + zip + unzip + arp-scan + lolcat + comma + delta + jq + wget + tmux + # python.... + (python310.withPackages (p: with p; [ + pandas + click + click-aliases + ])) + (busybox.overrideAttrs (final: prev: { + # get only nslookup from busybox + # because the less would overwrite the actuall less and the busybox does not have -r + # it's a pfusch, but it works + postInstall = prev.postInstall + '' + echo ============ removing anything but nslookup ============ + mv $out/bin/nslookup $out/nslookup + mv $out/bin/busybox $out/busybox + + rm $out/bin/* + + mv $out/nslookup $out/bin/nslookup + mv $out/busybox $out/bin/busybox + ''; + })) + ]; + + + +} diff --git a/users/me/home.nix b/users/me/home.nix index c8aab32..6c24992 100644 
--- a/users/me/home.nix +++ b/users/me/home.nix @@ -2,28 +2,16 @@ { config, pkgs, self, secretsDir, inputs, persistentDir, ... }: { - # The home.stateVersion option does not have a default and must be set - home.stateVersion = "23.05"; - imports = [ - inputs.nix-index-database.hmModules.nix-index + ./home-headless.nix - # all my programms with their own config - ../../programs/git.nix - ../../programs/lf/default.nix + # my gui programs ../../programs/alacritty.nix - ../../programs/bash.nix ../../programs/emacs/default.nix ../../programs/rofi/default.nix ../../programs/zathura.nix - ../../programs/ssh.nix - ../../programs/neovim.nix ]; - programs.nix-index.enable = false; - programs.nix-index.enableBashIntegration = false; - programs.nix-index.enableZshIntegration = false; - gtk.cursorTheme = { name = "Yaru"; }; 
@@ -37,110 +25,64 @@ services.dunst.enable = true; - home.sessionVariables = { - EDITOR = "nvim"; - }; - - home.sessionPath = [ "${self}/mybin" ]; home.file = { - ".rclone.conf".source = config.lib.file.mkOutOfStoreSymlink "${secretsDir}/rclone-conf"; - ".subversion/config".text = '' - [miscellany] - global-ignores = node_modules target - ''; # documentation for this config file: https://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html ".mysecrets/root-pwd".text = "changeme"; ".mysecrets/me-pwd".text = "changeme"; ".mozilla/firefox".source = config.lib.file.mkOutOfStoreSymlink "${persistentDir}/firefox"; ".cache/rofi-3.runcache".source = config.lib.file.mkOutOfStoreSymlink "${persistentDir}/rofi-run-cache"; - }; + home.packages = with pkgs; [ - vim + + # packages that i might not need everywhere?? + wstunnel + rclone + playerctl + alsa-utils + usbutils + android-tools + android-studio + moonlight-qt + pciutils + jmtpfs + pmutils + cntr + nil + + + # gui packages obsidian - tree xorg.xkbcomp haskellPackages.xmonad-extras haskellPackages.xmonad-contrib xorg.xev - htop - subversion - pv blueman pavucontrol spotify flameshot - nodejs - neofetch networkmanagerapplet haskellPackages.xmobar dolphin mupdf xclip - rclone stalonetray killall - nil - file - wstunnel - playerctl - alsa-utils - usbutils - pciutils - lshw - jmtpfs - pmutils - cntr signal-desktop element-desktop discord wireshark - zip - unzip - arp-scan gparted - lolcat - android-tools - moonlight-qt - comma - delta - jq xorg.xkill - wget xorg.xmodmap - tmux - android-studio # my own packages supabase-cli inputs.firefox.packages.${pkgs.system}.firefox-nightly-bin - # python.... 
- (python310.withPackages (p: with p; [ - pandas - click - click-aliases - ])) - - (busybox.overrideAttrs (final: prev: { - # get only nslookup from busybox - # because the less would overwrite the actuall less and the busybox does not have -r - # it's a pfusch, but it works - postInstall = prev.postInstall + '' - echo ============ removing anything but nslookup ============ - mv $out/bin/nslookup $out/nslookup - mv $out/bin/busybox $out/busybox - - rm $out/bin/* - - mv $out/nslookup $out/bin/nslookup - mv $out/busybox $out/bin/busybox - ''; - })) - # base-devel gcc