This commit is contained in:
Sebastian Moser
2023-11-21 13:53:05 +01:00
parent 31a632d87b
commit cbcf3a0e3d
13 changed files with 377 additions and 114 deletions


@@ -1,4 +1,4 @@
{ inputs, self, secretsDir, specialArgs, ... }: { lib, inputs, self, secretsDir, specialArgs, ... }:
# config that i use on all my hosts # config that i use on all my hosts
@@ -25,8 +25,10 @@
export PATH=$PATH:${self}/mybin export PATH=$PATH:${self}/mybin
''; '';
nix.settings = {
nix.settings.experimental-features = [ "nix-command" "flakes" ]; experimental-features = lib.mkDefault "nix-command flakes";
trusted-users = [ "root" "@wheel" ];
};
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
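Review bot: `trusted-users = [ "root" "@wheel" ];` makes every member of wheel a trusted user of the Nix daemon, which lets them pass arbitrary substituters and unsigned store paths to it — root-equivalent regardless of whether sudo asks for a password. If the grant is only needed for remote builds or deploys from one account, listing that user instead of `@wheel` keeps it narrow. The `experimental-features` value also changed from a list to the string `"nix-command flakes"`; NixOS writes either form into nix.conf, but another module that still sets the option as a list may now hit a merge conflict, so `lib.mkDefault [ "nix-command" "flakes" ]` is the safer form. The enclosing attribute set starts outside the hunk.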


@@ -0,0 +1,18 @@
{ lib, ... }:
# config that i use on all my hosts, that run native nixos
# excluding for example my phone phone
{
system.stateVersion = lib.mkDefault "23.05"; # Did you read the comment?
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
#keyMap = "at";
useXkbConfig = true; # use xkbOptions in tty.
};
}
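Review bot: The header comment of this new module repeats a word, `# excluding for example my phone phone`, and the same duplicated line is kept in the existing module below; both should read `# excluding for example my phone`. Since `system.stateVersion` is now `lib.mkDefault "23.05"` here, a one-line comment saying that hosts are expected to override it (the flake's `lush` entry does) would explain why the value moved out of the per-host files.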


@@ -1,9 +1,11 @@
{ ... }: { lib, ... }:
# config that i use on all my hosts, that run native nixos # config that i use on all my hosts, that run native nixos
# excluding for example my phone phone # excluding for example my phone phone
{ {
system.stateVersion = "23.05"; # Did you read the comment?
# Select internationalisation properties. # Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";


@@ -95,20 +95,23 @@
"rpi" = nixpkgs.lib.nixosSystem { "rpi" = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [
./hosts/rpi.nix
];
}; };
# my raspberry to try out stuff with # my raspberry to try out stuff with
"luna" = nixpkgs.lib.nixosSystem { "lush" = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
inputs.nixos-hardware.nixosModules.raspberry-pi-4 inputs.nixos-hardware.nixosModules.raspberry-pi-4
./hosts/luna.nix ./hosts/lush.nix
{ {
system.stateVersion = "23.05"; # Did you read the comment? system.stateVersion = "23.05"; # Did you read the comment?
nixpkgs.hostPlatform.system = "aarch64-linux"; nixpkgs.hostPlatform.system = "aarch64-linux";
nixpkgs.buildPlatform.system = "x86_64-linux"; #If you build on x86 other wise changes this. nixpkgs.buildPlatform.system = "x86_64-linux";
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
} }
@@ -134,29 +137,11 @@
]; ];
}; };
"wsl" = nixpkgs.lib.nixosSystem { "acern" = nixpkgs.lib.nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
inputs.nix-wsl.nixosModules.wsl ./hosts/acern.nix
{
wsl.enable = true;
services.openssh = {
enable = true;
ports = [ 2222 ];
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
};
users.users.nixos.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
];
programs.bash.loginShellInit = "nixos-wsl-welcome";
}
./common/all.nix
]; ];
}; };
@@ -218,11 +203,11 @@
run-vm = specialArgs.pkgs.writeScriptBin "run-vm" '' run-vm = specialArgs.pkgs.writeScriptBin "run-vm" ''
${self.nixosConfigurations.hpm.config.system.build.vm}/bin/run-hpm-vm -m 4G -cpu host -smp 4 ${self.nixosConfigurations.hpm.config.system.build.vm}/bin/run-hpm-vm -m 4G -cpu host -smp 4
''; '';
#wsl = inputs.nix-wsl.nixosConfigurations.modern.config.system.build.tarballBuilder; acern = inputs.nix-wsl.nixosConfigurations.modern.config.system.build.tarballBuilder;
#luna = (self.nixosConfigurations.luna.extendModules { #luna = (self.nixosConfigurations.luna.extendModules {
#modules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix" ]; #modules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix" ];
#}).config.system.build.sdImage; #}).config.system.build.sdImage;
luna = self.nixosConfigurations.luna.config.system.build.sdImage; lush = self.nixosConfigurations.lush.config.system.build.sdImage;
test = nixpkgs.legacyPackages.x86_64-linux.pkgsCross.raspberryPi.raspberrypi-armstubs; test = nixpkgs.legacyPackages.x86_64-linux.pkgsCross.raspberryPi.raspberrypi-armstubs;
}; };
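Review bot: The new `acern` package output builds `inputs.nix-wsl.nixosConfigurations.modern`, nix-wsl's own sample configuration, rather than the `acern` host declared in this flake, so the tarball it produces will not contain hosts/acern.nix (its sshd settings, the `me` user and its authorized keys); it should read `acern = self.nixosConfigurations.acern.config.system.build.tarballBuilder;`. The new `rpi` configuration is also declared with `system = "x86_64-linux"` while hosts/rpi.nix sets Raspberry Pi firmware and extlinux options, which looks like it should be `aarch64-linux` unless the x86 value is intentional for cross-building — a comment either way would settle it.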

26
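--- a/hosts/acern.nix
+++ b/hosts/acern.nix
@@ -0,0 +1,26 @@
+{ pkgs, inputs, ...}:
+{
+imports = [
+inputs.nix-wsl.nixosModules.wsl
+./users/me/headless.nix
+./common/all.nix
+./common/nixos-headless.nix
+];
+wsl.enable = true;
+services.openssh = {
+enable = true;
+ports = [ 2222 ];
+settings.PasswordAuthentication = false;
+settings.KbdInteractiveAuthentication = false;
+};
+users.users.me.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
+];
+programs.bash.loginShellInit = "nixos-wsl-welcome";
+}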
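Review bot: The `imports` paths are relative to hosts/, so `./users/me/headless.nix`, `./common/all.nix` and `./common/nixos-headless.nix` resolve to hosts/users/… and hosts/common/…, which this tree does not have (hosts/hpm.nix and hosts/rpi.nix use `../common/all.nix`); they were copied from flake.nix, where `./` was the repo root, and need `../`. The authorized keys also moved from `users.users.nixos` to `users.users.me`, but nothing sets nix-wsl's default user, so unless that option is set elsewhere the WSL session will presumably still log in as `nixos` while sshd on 2222 only knows keys for `me`; if `me` is the intended account, add `wsl.defaultUser = "me";` next to `wsl.enable = true;`. The `me` user comes from users/me/headless.nix with a fixed plaintext `password = "changeme"` and wheel membership; with password and keyboard-interactive auth disabled that password is not reachable over ssh, but it is still the sudo password for anyone with a local shell, so it should come from a per-host secret rather than a literal.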


@@ -13,7 +13,7 @@
imports = [ imports = [
../common/all.nix ../common/all.nix
../common/nixos.nix ../common/nixos-headless.nix
../common/nixos-graphical.nix ../common/nixos-graphical.nix
../common/building.nix ../common/building.nix
@@ -29,6 +29,7 @@
]; ];
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
hardware.bluetooth.settings = { hardware.bluetooth.settings = {
General = { General = {
MultiProfile = "multiple"; MultiProfile = "multiple";
@@ -88,7 +89,9 @@
then then
rm /etc/host-youtube-block rm /etc/host-youtube-block
else else
echo old: $timeout
timeout=$((timeout - 1)) timeout=$((timeout - 1))
echo new: $timeout
echo -en $timeout > /etc/host-youtube-block echo -en $timeout > /etc/host-youtube-block
fi fi
else else
@@ -144,8 +147,9 @@
security.polkit.enable = true; security.polkit.enable = true;
networking.firewall.enable = true;
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
networking.firewall.enable = true;
services.samba.openFirewall = true; services.samba.openFirewall = true;
@@ -156,6 +160,7 @@
5357 # wsdd 5357 # wsdd
8888 # for general usage 8888 # for general usage
9999 # for general usage 9999 # for general usage
8080 # for mitm proxy
]; ];
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
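Review bot: `8080 # for mitm proxy` opens the firewall for a TLS-intercepting proxy to every peer on whatever network hpm is attached to; a proxy bound to 0.0.0.0:8080 would then accept any client on that network, while the devices meant to use it are presumably only a few. If it is only for phones on the home LAN, scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8080 ];` (placeholder interface name), or leave the port closed and reach the proxy over ssh port forwarding. The `echo old: $timeout` / `echo new: $timeout` lines added to the youtube-block script in the earlier hunk of this file look like leftover debugging output.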

66
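--- a/hosts/rpi.md
+++ b/hosts/rpi.md
@@ -0,0 +1,66 @@
+# get pi to boot from usb-source
+echo program_usb_boot_mode=1 | sudo tee -a /boot/config.txt
+https://www.elektronik-kompendium.de/sites/raspberry-pi/2404241.htm
+# setup
+## set static ip (192.168.1.2)
+used /etc/network/interfaces (seems to be debian only)
+## enable ssh (touch ssh file in the boot partition)
+## set root pwd (copy hash from local /etc/shadow)
+CMD: apt update
+CMD: apt install nodejs npm
+CMD: npm i -g @bitwarden/cli
+## set hostname
+## setup bcache
+- if "sudo make-bcache -C /dev/sda3 -B /dev/md0" then no need for registering (i think)
+PKG: bcache-tools git build-essential uuid-dev mdadm
+CMD: sudo make-bcache -C /dev/sda3
+CMD: sudo mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb /dev/sdc
+CMD: sudo make-bcache -B /dev/md0
+## other bcache things
+- you can echo 1 > /sys/fs/bcache/<UUID>/unregister
+- but there also is: echo 1 > /sys/block/bcache0/bcache/stop
+- if seccond is not done, volumes used by this bcache device will show as "<dev> is apparently in use by the system; will not make a filesystem here!", when mkfs.ext5 <dev>
+## mdadm things
+- do a check: https://www.thomas-krenn.com/de/wiki/Mdadm_checkarray
+## add swap file maybe
+CMD: sudo vim /etc/dphys-swapfile
+CMD: sudo dphys-swapfile setup
+CMD: sudo dphys-swapfile swapon
+# things
+- users
+admin - sudo without password and access to bitwarden
+files - for managing files (old: dateimanager)
+server - for deployed servers (podman)
+mamafiles - for the mamafiles share
+- swap
+- mdadm
+- bcache
+- mount /home/files/storage
+- so that other users can't read it
+- smb shares
+- ssh acces
+- ssh config: PermitRootAccess and PasswordAuthentication
+- me-net (wireguard)
+- podman containers
+- dyndns
+- wstunnel for wireguard
+- rclone mount onedrive backups
+- borgmatic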

122
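--- a/hosts/rpi.nix
+++ b/hosts/rpi.nix
@@ -0,0 +1,122 @@
+{ lib, pkgs, ... }:
+{
+imports = [
+../common/all.nix
+../common/nixos-headless.nix
+../users/me/default.nix
+../users/root/default.nix
+];
+# This causes an overlay which causes a lot of rebuilding
+environment.noXlibs = lib.mkForce false;
+# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
+# disk with this label on first boot. Therefore, we need to keep it. It is the
+# only information from the installer image that we need to keep persistent
+fileSystems."/" =
+{ device = "/dev/disk/by-label/NIXOS_SD";
+fsType = "ext4";
+};
+boot = {
+kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+loader = {
+generic-extlinux-compatible.enable = lib.mkDefault true;
+grub.enable = lib.mkDefault false;
+raspberryPi.firmwareConfig = ''
+program_usb_boot_mode=1
+'';
+};
+};
+virtualisation.podman.enable = true;
+networking.firewall.allowPing = true;
+networking.firewall.enable = true;
+services.samba.openFirewall = true;
+networking.hostName = "rpi";
+networking = {
+defaultGateway = {
+address = "192.168.1.1";
+interface = "eth0";
+};
+interface."eth0" = {
+#name = "eth0";
+ipv4.addresses = [
+{ address = "192.168.1.6"; prefixLength = 24;}
+];
+};
+interfaces."wlan0".useDHCP = true;
+wireless = {
+interfaces = [ "wlan0" ];
+enable = true;
+networks = {
+seb-phone.psk = "hellogello";
+};
+};
+};
+networking.firewall.allowedTCPPorts = [
+5357 # wsdd
+8888 # for general usage
+9999 # for general usage
+8080 # for mitm proxy
+];
+networking.firewall.allowedUDPPorts = [
+3702 # wsdd
+];
+################################## ssh ######################################
+services.openssh.enable = true;
+users.users.me.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
+];
+################################ samba ######################################
+services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
+services.samba = {
+enable = true;
+securityType = "user";
+extraConfig = ''
+security = user
+map to guest = bad user
+guest account = me
+server role = standalone server
+workgroup = WORKGROUP
+'';
+shares = {
+rpi_schule = {
+path = "${workDir}/rpi-schule/";
+"guest ok" = "yes";
+"read only" = "no";
+public = "yes";
+writable = "yes";
+printable = "no";
+comment = "share for rpi in school wlan";
+};
+share = {
+comment = "share for sharing stuff";
+path = "${workDir}/share";
+public = "yes";
+"guest ok" = "yes";
+"read only" = "no";
+writable = "yes";
+};
+};
+};
+}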
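Review bot: Two of the new options will not evaluate: `interface."eth0" = {` is not a NixOS option (the plural `interfaces."eth0" = {`, as already used for wlan0 a few lines below, is), and both samba share paths reference `${workDir}`, which is not among this module's arguments `{ lib, pkgs, ... }`. Beyond that, `seb-phone.psk = "hellogello";` commits a Wi-Fi passphrase in clear text and `networking.wireless` writes the generated wpa_supplicant config into the world-readable Nix store; NixOS supports `networking.wireless.environmentFile` with an `@NAME@` placeholder in the psk (e.g. `psk = "@PSK_SEBPHONE@";`, constructed name) so the secret can live under secretsDir instead. With `guest account = me` and both shares `"guest ok" = "yes"` / `"read only" = "no"`, anonymous SMB writes land on disk as the wheel user `me`; a dedicated unprivileged guest account would confine that. Port 8080 is opened here with the same `# for mitm proxy` comment as on hpm, which looks copied rather than needed on the Pi.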


@@ -1,4 +1,4 @@
{ pkgs, secretsDir, inputs, config, self, ... }: { pkgs, secretsDir, inputs, config, self, lib, ... }:
{ {
users.users.me = { users.users.me = {
isNormalUser = true; isNormalUser = true;
@@ -7,13 +7,13 @@
extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; # Enable sudo for the user. extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; # Enable sudo for the user.
}; };
#home-manager._module.args = { inherit inputs; };
home-manager.users.me = import ./home.nix;
home-manager.extraSpecialArgs = { home-manager.extraSpecialArgs = {
inherit self; inherit self;
hostname = config.networking.hostName; hostname = config.networking.hostName;
}; };
home-manager.users.me = import ./home.nix;
fonts.fonts = with pkgs; [ fonts.fonts = with pkgs; [
hack-font hack-font
]; ];

17
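--- a/users/me/headless.nix
+++ b/users/me/headless.nix
@@ -0,0 +1,17 @@
+{ self, config, ... }:
+{
+users.users.me = {
+isNormalUser = true;
+#passwordFile = "${secretsDir}/me-pwd";
+password = "changeme";
+extraGroups = [ "networkmanager" "wheel" "libvirtd" ]; # Enable sudo for the user.
+};
+home-manager.extraSpecialArgs = {
+inherit self;
+hostname = config.networking.hostName;
+};
+home-manager.users.me = import ./home-headless.nix;
+}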
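Review bot: `password = "changeme";` is a fixed plaintext password on a user in `wheel`, i.e. the credential sudo asks for on every host that imports this file, and the commented `passwordFile` line cannot simply be re-enabled because `secretsDir` is not in this module's arguments (`{ self, config, ... }`). The headless profile also keeps `"networkmanager"` and `"libvirtd"` from the graphical one; on a headless WSL host neither service is configured here, so `extraGroups = [ "wheel" ]; # Enable sudo for the user.` is the smaller grant. If the intent is to set the real password interactively after first boot, a comment on the `password` line saying so would keep the next reader from treating the literal as final.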


@@ -0,0 +1,78 @@
{ config, pkgs, self, secretsDir, inputs, persistentDir, ... }:
{
# The home.stateVersion option does not have a default and must be set
home.stateVersion = "23.05";
imports = [
inputs.nix-index-database.hmModules.nix-index
# all my headless programms with their own config
../../programs/git.nix
../../programs/lf/default.nix
../../programs/bash.nix
../../programs/ssh.nix
../../programs/neovim.nix
];
programs.nix-index.enable = false;
programs.nix-index.enableBashIntegration = false;
programs.nix-index.enableZshIntegration = false;
home.sessionVariables = {
EDITOR = "nvim";
};
home.sessionPath = [ "${self}/mybin" ];
home.file = {
".rclone.conf".source = config.lib.file.mkOutOfStoreSymlink "${secretsDir}/rclone-conf";
".subversion/config".text = ''
[miscellany]
global-ignores = node_modules target
''; # documentation for this config file: https://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html
};
home.packages = with pkgs; [
vim
tree
htop
subversion
pv
nodejs
neofetch
file
lshw
zip
unzip
arp-scan
lolcat
comma
delta
jq
wget
tmux
# python....
(python310.withPackages (p: with p; [
pandas
click
click-aliases
]))
(busybox.overrideAttrs (final: prev: {
# get only nslookup from busybox
# because the less would overwrite the actuall less and the busybox does not have -r
# it's a pfusch, but it works
postInstall = prev.postInstall + ''
echo ============ removing anything but nslookup ============
mv $out/bin/nslookup $out/nslookup
mv $out/bin/busybox $out/busybox
rm $out/bin/*
mv $out/nslookup $out/bin/nslookup
mv $out/busybox $out/bin/busybox
'';
}))
];
}


@@ -2,28 +2,16 @@
{ config, pkgs, self, secretsDir, inputs, persistentDir, ... }: { config, pkgs, self, secretsDir, inputs, persistentDir, ... }:
{ {
# The home.stateVersion option does not have a default and must be set
home.stateVersion = "23.05";
imports = [ imports = [
inputs.nix-index-database.hmModules.nix-index ./home-headless.nix
# all my programms with their own config # my gui programs
../../programs/git.nix
../../programs/lf/default.nix
../../programs/alacritty.nix ../../programs/alacritty.nix
../../programs/bash.nix
../../programs/emacs/default.nix ../../programs/emacs/default.nix
../../programs/rofi/default.nix ../../programs/rofi/default.nix
../../programs/zathura.nix ../../programs/zathura.nix
../../programs/ssh.nix
../../programs/neovim.nix
]; ];
programs.nix-index.enable = false;
programs.nix-index.enableBashIntegration = false;
programs.nix-index.enableZshIntegration = false;
gtk.cursorTheme = { gtk.cursorTheme = {
name = "Yaru"; name = "Yaru";
}; };
@@ -37,110 +25,64 @@
services.dunst.enable = true; services.dunst.enable = true;
home.sessionVariables = {
EDITOR = "nvim";
};
home.sessionPath = [ "${self}/mybin" ];
home.file = { home.file = {
".rclone.conf".source = config.lib.file.mkOutOfStoreSymlink "${secretsDir}/rclone-conf";
".subversion/config".text = ''
[miscellany]
global-ignores = node_modules target
''; # documentation for this config file: https://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html
".mysecrets/root-pwd".text = "changeme"; ".mysecrets/root-pwd".text = "changeme";
".mysecrets/me-pwd".text = "changeme"; ".mysecrets/me-pwd".text = "changeme";
".mozilla/firefox".source = config.lib.file.mkOutOfStoreSymlink "${persistentDir}/firefox"; ".mozilla/firefox".source = config.lib.file.mkOutOfStoreSymlink "${persistentDir}/firefox";
".cache/rofi-3.runcache".source = config.lib.file.mkOutOfStoreSymlink "${persistentDir}/rofi-run-cache"; ".cache/rofi-3.runcache".source = config.lib.file.mkOutOfStoreSymlink "${persistentDir}/rofi-run-cache";
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
vim
# packages that i might not need everywhere??
wstunnel
rclone
playerctl
alsa-utils
usbutils
android-tools
android-studio
moonlight-qt
pciutils
jmtpfs
pmutils
cntr
nil
# gui packages
obsidian obsidian
tree
xorg.xkbcomp xorg.xkbcomp
haskellPackages.xmonad-extras haskellPackages.xmonad-extras
haskellPackages.xmonad-contrib haskellPackages.xmonad-contrib
xorg.xev xorg.xev
htop
subversion
pv
blueman blueman
pavucontrol pavucontrol
spotify spotify
flameshot flameshot
nodejs
neofetch
networkmanagerapplet networkmanagerapplet
haskellPackages.xmobar haskellPackages.xmobar
dolphin dolphin
mupdf mupdf
xclip xclip
rclone
stalonetray stalonetray
killall killall
nil
file
wstunnel
playerctl
alsa-utils
usbutils
pciutils
lshw
jmtpfs
pmutils
cntr
signal-desktop signal-desktop
element-desktop element-desktop
discord discord
wireshark wireshark
zip
unzip
arp-scan
gparted gparted
lolcat
android-tools
moonlight-qt
comma
delta
jq
xorg.xkill xorg.xkill
wget
xorg.xmodmap xorg.xmodmap
tmux
android-studio
# my own packages # my own packages
supabase-cli supabase-cli
inputs.firefox.packages.${pkgs.system}.firefox-nightly-bin inputs.firefox.packages.${pkgs.system}.firefox-nightly-bin
# python....
(python310.withPackages (p: with p; [
pandas
click
click-aliases
]))
(busybox.overrideAttrs (final: prev: {
# get only nslookup from busybox
# because the less would overwrite the actuall less and the busybox does not have -r
# it's a pfusch, but it works
postInstall = prev.postInstall + ''
echo ============ removing anything but nslookup ============
mv $out/bin/nslookup $out/nslookup
mv $out/bin/busybox $out/busybox
rm $out/bin/*
mv $out/nslookup $out/bin/nslookup
mv $out/busybox $out/bin/busybox
'';
}))
# base-devel # base-devel
gcc gcc