nixcfg/hosts
Aly Raffauf 98bf8a2573
upgrade 24.05 -> unstable; add pacifidlog (#114)
* flake: update to nixos-unstable and master for hm,stylix

* common/base: remove deprecated sound.enable

* hwModules: remove deprecated driSupport

* samba: disable extraConfig pending move to services/samba.settings

* hwModules: migrate to new APIs

* flake: update lock

* aly: switch to new systemd.user.startServices syntax

* nemo: migrate to new toplevel

* tree-wide: move to new gnome/cinnamon app toplevels

* mauville/samba: migrate to settings syntax

* slateport/ddclient: migrate use -> usev4

* home/defaultApps: don't install webBrowser to temp fix build error

* lavaridge: set $FLAKE to upgrade-to-2411 branch

* lavaridge: don't force disable firefox media acceleration

* flake: bump lock

* flake: bump lock

* mauville,lavaridge,petalburg: set FLAKE to 24.11 branch

* flake: bump lock

* defaultApps: fuse finalpackage from firefox as default

* common/overlays: remove unnecessary unstable overlays

* flake.lock: Update (#115)

Flake lock file updates:

• Updated input 'nur':
    'github:nix-community/NUR/df48b722316f5a0eab0cd7d8403dd2c82848e3a2?narHash=sha256-TWYwZGe8WHQAnCb5exr23Ht9g3LDntj9qSi4Zk/8gCg%3D' (2024-10-05)
  → 'github:nix-community/NUR/7090c452983a90c066ce421bb75eaa0409f45910?narHash=sha256-OeJk7SbwTD7epbVxbxOQJrlAI4qPr518zjn/uD%2BaWFw%3D' (2024-10-05)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* mauville: enable immich

* flake.lock: Update

* flake.lock: update

* flake.lock: Update (#119)

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/d39ee334984fcdae6244f5a8e6ab857479cbaefe?narHash=sha256-CTKEKPzD/j8FK6H4DO3EjyixZd3HHvgAgfnCwpGFP5c%3D' (2024-10-07)
  → 'github:nix-community/disko/c7ef3964b6befa877e76316ae88f3ef251cae573?narHash=sha256-xipqQdXMZdSln1WChUWFqcrghOMYCmdRo7rgf/MtEkg%3D' (2024-10-11)
• Updated input 'home-manager':
    'github:nix-community/home-manager/038630363e7de57c36c417fd2f5d7c14773403e4?narHash=sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc%3D' (2024-10-07)
  → 'github:nix-community/home-manager/65ae9c147349829d3df0222151f53f79821c5134?narHash=sha256-mGKzqdsRyLnGNl6WjEr7%2BsghGgBtYHhJQ4mjpgRTCsU%3D' (2024-10-11)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c31898adf5a8ed202ce5bea9f347b1c6871f32d1?narHash=sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw%3D' (2024-10-06)
  → 'github:nixos/nixpkgs/5633bcff0c6162b9e4b5f1264264611e950c8ec7?narHash=sha256-9UTxR8eukdg%2BXZeHgxW5hQA9fIKHsKCdOIUycTryeVw%3D' (2024-10-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c31898adf5a8ed202ce5bea9f347b1c6871f32d1?narHash=sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw%3D' (2024-10-06)
  → 'github:nixos/nixpkgs/5633bcff0c6162b9e4b5f1264264611e950c8ec7?narHash=sha256-9UTxR8eukdg%2BXZeHgxW5hQA9fIKHsKCdOIUycTryeVw%3D' (2024-10-09)
• Updated input 'nur':
    'github:nix-community/NUR/ff3b3af88896deca3b69f519e6db8d2f725c82fa?narHash=sha256-bAUXaMfUU6ZxGT2GOmdy0A5FCgEpYMawPnBVN52kx6U%3D' (2024-10-08)
  → 'github:nix-community/NUR/80d65008a1f68533bdfb343fb53b543f4ce2305c?narHash=sha256-es6boz1HSERc5HwhSo0mWX7Bd7DMawYAH1LcBR9EvgE%3D' (2024-10-11)
• Updated input 'stylix':
    'github:danth/stylix/63426a59e714c4389c5a8e559dee05a0087a3043?narHash=sha256-z01cTK5VeLFOUekhAXrJHLDzE74uAxxMwE2p6%2BWp9Sg%3D' (2024-10-07)
  → 'github:danth/stylix/f95022bb6e74f726a87975aec982a5aa9fad8691?narHash=sha256-JH2%2BRXJNooFtZIN6ZhaGZWn2KChMrso4H7Fkp1Ujrdo%3D' (2024-10-11)
• Updated input 'stylix/tinted-kitty':
    'github:tinted-theming/tinted-kitty/06bb401fa9a0ffb84365905ffbb959ae5bf40805?narHash=sha256-aRaizTYPpuWEcvoYE9U%2BYRX%2BWsc8%2BiG0guQJbvxEdJY%3D' (2022-10-05)
  → 'github:tinted-theming/tinted-kitty/eb39e141db14baef052893285df9f266df041ff8?narHash=sha256-2xF3sH7UIwegn%2B2gKzMpFi3pk5DlIlM18%2Bvj17Uf82U%3D' (2024-05-23)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* lavaridge: added monitor description

* add pacifidlog (legion go) (#120)

* flake: add jovian input

* hosts/pacifidlog: add initial output and config

* pacifidlog: set jovian desktopSession to gamescope-wayland

* pacifidlog: use latest kernel

* github: add pacifidlog build

* pacifidlog: disable jovian

* pacifidlog: remove swapfile

* create pacifidlog hardware config

* pacifidlog: enable jovian

* secrets: add pacifidlog

* pacifidlog: add monitor settings

* pacifidlog/hyprland: map touch to screen transformation

* pacifidlog: set desktopSession to hyprland

* pacifidlog: fixup hyprland input settings

* secrets: add aly@pacifidlog and rekey

* pacifidlog: use lanzaboote

* pacifidlog: disable steam desktop due to conflicts with jovian

* pacifidlog: transform touch device in hyprland

* pacifidlog: enable tabletmode

* reformat

* pacifidlog: add legion module

* pacifidlog: set consoleMode to max

* pacifidlog: enable amdgpu in initrd

* lenovo/legion/go: disable legion module due to build failure

* accidentally changed petalburg :\

* pacifidlog: try consoleMode 1

* pacifidlog: add hhd-decky

* pacifidlog: disable missing plugins

* pacifidlog: run decky loader as root

* decky-loader: add python

* pacifidlog: clean up decky loader

* pacifidlog: set jovian has.amd.gpu = true

* legion go: add acpi_call

* add nix-gaming and jovian-nixos substituters

* pacifidlog: add hhd adjustor

* legion go: disable ppd

* pacifidlog: add hhd-ui

* pacifidlog: test systemd hhd-ui

* pacifidlog: add README

* cleanup before merge

* create pkgs/

* adjustor,hhd-ui: update to latest versions

* flake.lock: Update (#121)

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/c7ef3964b6befa877e76316ae88f3ef251cae573?narHash=sha256-xipqQdXMZdSln1WChUWFqcrghOMYCmdRo7rgf/MtEkg%3D' (2024-10-11)
  → 'github:nix-community/disko/b6215392ec3bd05e9ebfbb2f7945c414096fce8f?narHash=sha256-KOp33tls7jRAhcmu77aVxKpSMou8QgK0BC%2BY3sYLuGo%3D' (2024-10-12)
• Updated input 'home-manager':
    'github:nix-community/home-manager/65ae9c147349829d3df0222151f53f79821c5134?narHash=sha256-mGKzqdsRyLnGNl6WjEr7%2BsghGgBtYHhJQ4mjpgRTCsU%3D' (2024-10-11)
  → 'github:nix-community/home-manager/64c6325b28ebd708653dd41d88f306023f296184?narHash=sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH%2BOkqJQVmU%3D' (2024-10-13)
• Updated input 'nur':
    'github:nix-community/NUR/80d65008a1f68533bdfb343fb53b543f4ce2305c?narHash=sha256-es6boz1HSERc5HwhSo0mWX7Bd7DMawYAH1LcBR9EvgE%3D' (2024-10-11)
  → 'github:nix-community/NUR/8952169dd073e0cd2c482c346a088868f61cfb77?narHash=sha256-7zRl4QJD5iK1Y4jyyysUEHcsx%2Bv1jI1C3vP%2Bq3IKLps%3D' (2024-10-13)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* pkgs/hhd-ui: simplify depends

* pacifidlog: add mauville samba shares

* pacifidlog/README: update and fmt

* pacifidlog: disable laptopMode

* pacifidlog: add further steam optimizations; flake: add nix-gaming

* pacifidlog: set jovian steam environment for native color management and refresh limits

* pacifidlog: set zram to 100%

* pacifidlog: disable steam WSI

* pacifidlog: use steamOSConfig from jovian

* pacifidlog: kernel optimizations + qol improvements (#122)

* pacifidlog: use xanmod kernel

* pacifidlog: add heroic and lutris

* legion go: use zenpower

* legion go: fix boot params

* common/cpu/amd: remove redundant(?) amd_pstate=active param

* hwModules: simplify device specific imports

* pkgs: update hashes

* hosts: remove FLAKE overrides

* flake: remove nixpkgs-unstable

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-10-14 23:53:48 -04:00
fallarbor home: move gammastep settings to hosts 2024-09-28 19:58:05 -04:00
lavaridge upgrade 24.05 -> unstable; add pacifidlog (#114) 2024-10-14 23:53:48 -04:00
mauville upgrade 24.05 -> unstable; add pacifidlog (#114) 2024-10-14 23:53:48 -04:00
pacifidlog upgrade 24.05 -> unstable; add pacifidlog (#114) 2024-10-14 23:53:48 -04:00
petalburg petalburg: update wallpaper 2024-09-28 22:55:43 -04:00
rustboro rustboro: hyprland by default 2024-10-06 18:44:14 -04:00
slateport upgrade 24.05 -> unstable; add pacifidlog (#114) 2024-10-14 23:53:48 -04:00
README.md hosts: update README.md 2024-08-24 15:54:14 -04:00

Hosts

Overview

Host-specific configuration, plus common modules that are not better expressed as options or flake outputs. All hosts are configured with agenix, disko, and nixhw.

Automatic Updates

These hosts update themselves automatically, once a day, by rebuilding from one of two sources: this repository's master branch or FlakeHub. The source can be changed by overriding the value of config.environment.variables.FLAKE.

FlakeHub supports semantic versioning, which means that these hosts build from the latest tag published to FlakeHub with the format v0.0.0. I try to follow the Semantic Versioning 2.0 standard, though this may not always be the case.

You can fetch the latest tagged commit of this repository from this URL: https://flakehub.com/f/alyraffauf/nixcfg/*.tar.gz.

Declarative WiFi Connections

WiFi networks can be configured declaratively in wifi.nix using config.networking.networkmanager.ensureProfiles.profiles, provided by nixpkgs. I also provide helper functions for common WiFi security types.

nm2nix can generate Nix code for all WiFi networks currently configured in /etc/NetworkManager/system-connections/ and /run/NetworkManager/system-connections with the following command:

sudo su -c "cd /etc/NetworkManager/system-connections && nix --extra-experimental-features 'nix-command flakes' run github:Janik-Haag/nm2nix | nix --extra-experimental-features 'nix-command flakes' run nixpkgs#nixfmt-rfc-style"

Secrets (passwords, certificates, and identities) are supported, but must be declared and made available as variables through agenix. They are substituted into the profiles upon activation with envsubst.

In short,

  1. Manually configure the WiFi network on one device.
  2. Export configuration to nix with nm2nix.
  3. Add secrets to secrets/wifi.age as variables (e.g. MYPSK=1234567890).
  4. Edit the code generated by nm2nix to reference $MYPSK instead of declaring the WPA password directly.
  5. Commit and push the changes.
  6. Rebuild hosts as required to propagate the new WiFi configuration.
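As an added example of what steps 1 to 6 produce for a single WPA-PSK network (this is not the repository's wifi.nix, and it writes the profile directly against the nixpkgs ensureProfiles option rather than through the helper functions this page mentions but does not show): the profile name, the SSID, and the variable name MYPSK are illustrative, and the agenix secret is the secrets/wifi.age file from step 3, declared so that the PSK is only present on the running system, never in the Nix store or in git.

```nix
{ config, ... }:
{
  # The agenix-managed environment file that the nm2nix output is substituted
  # against. It contains lines such as MYPSK=1234567890 (constructed value,
  # see step 3). At runtime it is decrypted to config.age.secrets.wifi.path.
  age.secrets.wifi.file = ../../secrets/wifi.age;

  networking.networkmanager.ensureProfiles = {
    # envsubst reads variables from these files at activation time, so the
    # plaintext PSK never lands in the world-readable Nix store.
    environmentFiles = [ config.age.secrets.wifi.path ];

    # Attribute name becomes the .nmconnection file name; sections and keys
    # follow NetworkManager's keyfile format, which is what nm2nix emits.
    profiles."home-wifi" = {
      connection = {
        id = "home-wifi";
        type = "wifi";
      };
      wifi = {
        ssid = "ExampleNetwork"; # constructed SSID
        mode = "infrastructure";
      };
      wifi-security = {
        key-mgmt = "wpa-psk";
        psk = "$MYPSK"; # replaced by envsubst at activation, not a literal
      };
      ipv4.method = "auto";
      ipv6 = {
        method = "auto";
        addr-gen-mode = "stable-privacy";
      };
    };
  };
}
```

The only line that differs from raw nm2nix output is the psk value: step 4 is exactly the replacement of the generated literal with $MYPSK. A quick check after rebuilding is that the generated profile under /run/NetworkManager/system-connections contains the real key while the copy in the Nix store still contains the $MYPSK placeholder.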

Provisioning New Devices

  1. Create hosts/$HOSTNAME/default.nix and any other host-specific Nix modules (e.g. disko.nix, hardware.nix, and home.nix).
  2. Add host to nixosConfigurations in flake.nix.
  3. (OPTIONAL) Generate a cert.pem, key.pem, and device ID for Syncthing with syncthing -generate=$HOSTNAME. Find the device ID in the generated config.xml and add it to nixosModules/services/syncthing/default.nix, encrypt the cert and key with agenix, and set them as appropriate in the host configuration.
  4. Install NixOS from this flake. Secrets will not be available on first boot without a valid SSH private key.
  5. On a separate PC, copy the new system's public SSH key (/etc/ssh/ssh_host_ed25519_key.pub) to the host configuration (secrets/publicKeys/root_$HOSTNAME.pub).
  6. Add the new public key to secrets/secrets.nix, rekey all secrets with agenix --rekey, and push your changes to master.
  7. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in /run/agenix/ for NixOS and $XDG_RUNTIME_DIR/agenix/ for users.
  8. (OPTIONAL) Generate a new user SSH key and add it to nixosModules/users/default.nix in order to enable passwordless logins to other hosts.
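Steps 5 and 6 are where the trust decisions live: every public key listed for a secret can decrypt it, so a host should only be listed on the secrets it actually needs. The following secrets/secrets.nix is an added illustration, not the repository's file; the host names are taken from the directory listing above, while the admin key file aly.pub and the syncthing secret names are assumed. It follows the agenix convention that each attribute names a .age file and its publicKeys list says who may decrypt it.

```nix
let
  # builtins.readFile keeps the trailing newline; strip it so the key is a
  # clean single line for agenix/rage.
  readKey = path: builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile path);

  # Host keys copied in step 5, named secrets/publicKeys/root_$HOSTNAME.pub.
  root_pacifidlog = readKey ./publicKeys/root_pacifidlog.pub;
  root_mauville = readKey ./publicKeys/root_mauville.pub;
  root_lavaridge = readKey ./publicKeys/root_lavaridge.pub;

  # Workstation key used to edit and rekey secrets (assumed file name).
  aly = readKey ./publicKeys/aly.pub;

  allHosts = [ root_pacifidlog root_mauville root_lavaridge ];
in
{
  # Shared secret: every host that imports wifi.nix needs to decrypt it.
  "wifi.age".publicKeys = allHosts ++ [ aly ];

  # Per-host secrets (step 3): only the host they belong to, plus the admin
  # key, can decrypt them. A new host added to allHosts does not gain access
  # to another machine's Syncthing identity.
  "syncthing_pacifidlog_key.age".publicKeys = [ root_pacifidlog aly ];
  "syncthing_pacifidlog_cert.age".publicKeys = [ root_pacifidlog aly ];
}
```

After editing this file, agenix --rekey (step 6) re-encrypts every secret to its current recipient list; until that has run and been pushed, the new host's first rebuild from git will still fail to decrypt anything, which is the situation step 4 describes.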

Secure Boot

  1. Generate secure boot keys:

    sudo nix run nixpkgs#sbctl create-keys
    
  2. Enable lanzaboote in NixOS host configuration:

    boot = {
      initrd.systemd.enable = true; # For automatic decryption with TPM.
      loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
    
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };
    
  3. In UEFI, set secure boot to "setup mode" or erase platform keys.

  4. Enroll your secure boot keys:

    sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
    
  5. Reboot and make sure secure boot is enabled in UEFI.

  6. Check secure boot status with bootctl status:

    System:
          Firmware: UEFI 2.70 (American Megatrends 5.17)
    Firmware Arch: x64
      Secure Boot: enabled (user)
      TPM2 Support: yes
      Measured UKI: yes
      Boot into FW: supported
    
  7. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:

    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
    

    Replace /dev/nvme0n1p2 with your root partition. See the Linux TPM PCR Registry for details on what each PCR measures.

    NOTE: This requires a TPM 2.0 module; devices with earlier TPM versions will not work.
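As an added example tying steps 2 and 7 together in one host module (this is not a file from the repository; the LUKS device name cryptroot is assumed, and the partition path is the one used in step 7): declaring the encrypted root with tpm2-device=auto tells systemd-cryptsetup in the initrd to try the TPM2 token that systemd-cryptenroll wrote into the LUKS2 header, and to fall back to the passphrase prompt when unsealing fails. The PCR set chosen in step 7 determines what "fails" means: PCR 0 and 2 change on firmware and option ROM updates, PCR 7 on any change to the enrolled secure boot keys or policy, and PCR 12 on a change to the kernel command line, so keep the passphrase keyslot (--wipe-slot=tpm2 only removes earlier TPM2 slots, not the passphrase).

```nix
{ lib, ... }:
{
  boot = {
    # Step 2: systemd in stage 1 is what runs systemd-cryptsetup, and
    # systemd-boot must be force-disabled so it does not conflict with the
    # signed UKIs that lanzaboote installs.
    initrd.systemd.enable = true;
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
    };

    # Step 7: the LUKS root. "cryptroot" is an assumed device name.
    initrd.luks.devices.cryptroot = {
      device = "/dev/nvme0n1p2";
      # Extra crypttab options for the systemd initrd. With tpm2-device=auto
      # the TPM2 keyslot sealed to PCRs 0+2+7+12 is tried first; if the
      # measured boot state differs from the enrollment state (new firmware,
      # new secure boot keys, edited kernel command line) the unseal fails and
      # the passphrase is requested instead of the boot silently hanging.
      crypttabExtraOpts = [ "tpm2-device=auto" ];
    };
  };
}
```

A practical consequence of binding to PCR 0 and 2: after a firmware update, expect one boot that asks for the passphrase, then re-run the systemd-cryptenroll command from step 7 to reseal against the new measurements.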