From 62d9ad5fc98b7a72e4109cf31604b19ae553c3a9 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Sat, 19 Nov 2022 21:38:55 +0100
Subject: [PATCH] hosts: create first server prototype

---
 hosts/configuration_desktop.nix | 186 ++++++++++++++++++
 hosts/configuration_server.nix | 139 +++++++++++++
 hosts/default.nix | 30 ++-
 hosts/home_server.nix | 60 ++++++
 hosts/server/default.nix | 72 +++++++
 .../1 => server/hardware-configuration.nix} | 38 ++--
 hosts/server/home.nix | 56 ++++++
 7 files changed, 562 insertions(+), 19 deletions(-)
 create mode 100644 hosts/configuration_desktop.nix
 create mode 100644 hosts/configuration_server.nix
 create mode 100644 hosts/home_server.nix
 create mode 100644 hosts/server/default.nix
 rename hosts/{desktop/1 => server/hardware-configuration.nix} (72%)
 create mode 100644 hosts/server/home.nix

diff --git a/hosts/configuration_desktop.nix b/hosts/configuration_desktop.nix
new file mode 100644
index 0000000..829fbf4
--- /dev/null
+++ b/hosts/configuration_desktop.nix
@@ -0,0 +1,186 @@ +# +# Main system configuration. More information available in configuration.nix(5) man page. +# +# flake.nix +# ├─ ./hosts +# │ └─ configuration.nix * +# └─ ./modules +# └─ ./editors +# └─ ./nvim +# └─ default.nix +# + +{ config, lib, pkgs, inputs, user, location, ... }: + +{ + imports = # Import window or display manager. + [ + #../modules/editors/nvim # ! Comment this out on first install ! + ]; + + users.users.${user} = { # System User + isNormalUser = true; + extraGroups = [ "wheel" "video" "audio" "camera" "networkmanager" "lp" "kvm" "libvirtd" "adb" ]; + shell = pkgs.zsh; # Default shell + uid = 2000; +# initialPassword = "password95"; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de" + ]; + }; + #security.sudo.wheelNeedsPassword = true; # User does not need to give password when using sudo. 
+ + time.timeZone = "Europe/Berlin"; # Time zone and internationalisation + i18n = { + defaultLocale = "en_US.UTF-8"; + extraLocaleSettings = { # Extra locale settings that need to be overwritten + LC_TIME = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + }; + }; + + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; # or us/azerty/etc + }; + + security.rtkit.enable = true; + security.pki.certificateFiles = [ + ./rootCA.pem + ]; + + sound = { # ALSA sound enable + enable = true; + mediaKeys = { # Keyboard Media Keys (for minimal desktop) enable = true; + enable = true; + }; + }; + + fonts.fonts = with pkgs; [ # Fonts + carlito # NixOS + vegur # NixOS + source-code-pro + jetbrains-mono + font-awesome # Icons + hack-font + corefonts # MS + (nerdfonts.override { # Nerdfont Icons override + fonts = [ + "FiraCode" + ]; + }) + ]; + + environment = { + variables = { + TERMINAL = "alacritty"; + EDITOR = "nvim"; + VISUAL = "nvim"; + BROWSER = "firefox"; + }; + systemPackages = with pkgs; [ # Default packages install system-wide + vim + git + killall + pciutils + usbutils + wget + powertop + cpufrequtils + lm_sensors + libva-utils + at-spi2-core + ]; + }; + + services = { + pipewire = { # Sound + enable = true; + #alsa = { + # enable = true; + # support32Bit = true; + #}; + pulse.enable = true; + wireplumber.enable = true; + }; + openssh = { # SSH: secure shell (remote connection to shell of server) + enable = true; # local: $ ssh @ + # public: + # - port forward 22 TCP to server + # - in case you want to use the domain name insted of the ip: + # - for me, via cloudflare, create an A record with name "ssh" to the correct ip without proxy + # - connect via ssh @ + # generating a key: + # - $ ssh-keygen | ssh-copy-id | ssh-add + # - if ssh-add does not work: $ eval `ssh-agent -s` +# allowSFTP = true; # SFTP: secure file transfer protocol (send file to server) + # connect: $ sftp @ + # commands: + # - lpwd & pwd = print (local) parent working directory + # - put/get = 
send or receive file +# extraConfig = '' +# HostKeyAlgorithms +ssh-rsa +# ''; # Temporary extra config so ssh will work in guacamole + passwordAuthentication = false; + }; + pcscd.enable = true; + udev.packages = [ pkgs.yubikey-personalization ]; + #flatpak.enable = true; # download flatpak file from website - sudo flatpak install - reboot if not showing up + # sudo flatpak uninstall --delete-data (> flatpak list --app) - flatpak uninstall --unused + # List: + # com.obsproject.Studio + # com.parsecgaming.parsec + # com.usebottles.bottles + snapper.configs = { + home = { + subvolume = "/home"; + extraConfig = '' + TIMELINE_CREATE=yes + TIMELINE_CLEANUP=yes + ''; + }; + }; + }; + + #xdg.portal = { # Required for flatpak + # enable = true; + # extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; + #}; + + nix = { # Nix Package Manager settings + settings ={ + auto-optimise-store = true; # Optimise syslinks + substituters = ["https://hyprland.cachix.org"]; + trusted-public-keys = ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="]; + }; + gc = { # Automatic garbage collection + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + package = pkgs.nixVersions.stable; # Enable nixFlakes on system + registry.nixpkgs.flake = inputs.nixpkgs; + extraOptions = '' + experimental-features = nix-command flakes + keep-outputs = true + keep-derivations = true + ''; + }; + nixpkgs.config.allowUnfree = true; # Allow proprietary software. + nixpkgs.config.packageOverrides = pkgs: { + nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") { + inherit pkgs; + }; + }; + + system = { # NixOS settings +# autoUpgrade = { # Allow auto update +# enable = true; +# channel = "https://nixos.org/channels/nixos-unstable"; +# }; + stateVersion = "22.05"; + }; +} diff --git a/hosts/configuration_server.nix b/hosts/configuration_server.nix new file mode 100644 index 0000000..901d8ae --- /dev/null 
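Review bot: `nixpkgs.config.packageOverrides` pulls NUR with `builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz"` and no `sha256`, so every evaluation fetches whatever is on master at that moment with no integrity check — an unpinned, unverifiable supply-chain input for an overlay that can redefine any package; hosts/configuration_server.nix repeats the same block. The flake already carries a `nur` input that hosts/default.nix applies through `nur.nixosModules.nur` and `nur.overlay`, so the override can be removed outright, or at minimum pointed at a commit tarball with a `sha256 = "<pinned-hash>"` attribute. Separately, `passwordAuthentication = false` does not on its own stop password logins on NixOS, because `services.openssh.kbdInteractiveAuthentication` defaults to true and PAM still prompts over keyboard-interactive; add `kbdInteractiveAuthentication = false;` next to it in both files.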
+++ b/hosts/configuration_server.nix 
@@ -0,0 +1,139 @@ +# +# Main system configuration. More information available in configuration.nix(5) man page. +# +# flake.nix +# ├─ ./hosts +# │ └─ configuration.nix * +# └─ ./modules +# └─ ./editors +# └─ ./nvim +# └─ default.nix +# + +{ config, lib, pkgs, inputs, user, location, ... }: + +{ + imports = # Import window or display manager. + [ + #../modules/editors/nvim # ! Comment this out on first install ! + ]; + + users.users.${user} = { # System User + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ]; + shell = pkgs.zsh; # Default shell + uid = 3000; +# initialPassword = "password95"; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de" + ]; + }; + security.sudo.wheelNeedsPassword = true; # User does not need to give password when using sudo. 
+ + time.timeZone = "Europe/Berlin"; # Time zone and internationalisation + i18n = { + defaultLocale = "en_US.UTF-8"; + extraLocaleSettings = { # Extra locale settings that need to be overwritten + LC_TIME = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + }; + }; + + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; # or us/azerty/etc + }; + + security.rtkit.enable = true; + security.pki.certificateFiles = [ + ./rootCA.pem + ]; + + fonts.fonts = with pkgs; [ # Fonts + carlito # NixOS + vegur # NixOS + source-code-pro + jetbrains-mono + font-awesome # Icons + hack-font + corefonts # MS + (nerdfonts.override { # Nerdfont Icons override + fonts = [ + "FiraCode" + ]; + }) + ]; + + environment = { + variables = { + TERMINAL = "alacritty"; + EDITOR = "nvim"; + VISUAL = "nvim"; + }; + systemPackages = with pkgs; [ # Default packages install system-wide + vim + git + killall + pciutils + usbutils + wget + powertop + cpufrequtils + lm_sensors + ]; + }; + + services = { + openssh = { # SSH: secure shell (remote connection to shell of server) + enable = true; # local: $ ssh @ + passwordAuthentication = false; + }; + + #flatpak.enable = true; # download flatpak file from website - sudo flatpak install - reboot if not showing up + # sudo flatpak uninstall --delete-data (> flatpak list --app) - flatpak uninstall --unused + snapper.configs = { + home = { + subvolume = "/home"; + extraConfig = '' + TIMELINE_CREATE=yes + TIMELINE_CLEANUP=yes + ''; + }; + }; + }; + + nix = { # Nix Package Manager settings + settings ={ + auto-optimise-store = true; # Optimise syslinks + }; + gc = { # Automatic garbage collection + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + package = pkgs.nixVersions.stable; # Enable nixFlakes on system + registry.nixpkgs.flake = inputs.nixpkgs; + extraOptions = '' + experimental-features = nix-command flakes + keep-outputs = true + keep-derivations = true + ''; + }; + nixpkgs.config.allowUnfree = true; # Allow 
proprietary software. + nixpkgs.config.packageOverrides = pkgs: { + nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") { + inherit pkgs; + }; + }; + + system = { # NixOS settings +# autoUpgrade = { # Allow auto update +# enable = true; +# channel = "https://nixos.org/channels/nixos-unstable"; +# }; + stateVersion = "22.05"; + }; +} diff --git a/hosts/default.nix b/hosts/default.nix index 38ac38a..3ecb435 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -32,7 +32,7 @@ in nur.nixosModules.nur #hyprland.nixosModules.default ./desktop - ./configuration.nix + ./configuration_desktop.nix nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-gpu-amd nixos-hardware.nixosModules.common-pc-ssd @@ -59,7 +59,7 @@ in nur.nixosModules.nur #hyprland.nixosModules.default ./laptop - ./configuration.nix + ./configuration_desktop.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-gpu-intel nixos-hardware.nixosModules.common-pc-ssd @@ -78,6 +78,32 @@ in ]; }; + dmz-services = lib.nixosSystem { # Desktop profile + inherit system; + user = "dmz-user"; + specialArgs = { inherit inputs user location nixos-hardware nur; }; + modules = [ + nur.nixosModules.nur + ./server + ./configuration_server.nix + nixos-hardware.nixosModules.common-cpu-intel + nixos-hardware.nixosModules.common-pc-ssd + + home-manager.nixosModules.home-manager { + nixpkgs.overlays = [ + nur.overlay + ]; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = { inherit user; }; + home-manager.users.${user} = { + imports = [(import ./home_server.nix)] ++ [(import ./server/home.nix)]; + }; + } + ]; + }; + + q920 = lib.nixosSystem { # Laptop profile inherit system; specialArgs = { inherit inputs user location hyprland; }; diff --git a/hosts/home_server.nix b/hosts/home_server.nix new file mode 100644 index 0000000..fa5bab0 --- /dev/null 
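Review bot: The comment on `security.sudo.wheelNeedsPassword = true;` says the user does not need a password for sudo, which is the opposite of what `true` configures; the value is the right one for a DMZ host, so the comment should read `# Require the user's password for sudo.` (the desktop file carries the same inverted comment on its commented-out line). The rest of the file is a copy of the desktop profile, so a headless server ends up with `fonts.fonts` (including unfree `corefonts`), `TERMINAL = "alacritty"`, `security.rtkit.enable` and the `networkmanager`/`kvm`/`libvirtd` groups on its account; trimming these to what the server actually runs keeps the installed surface and the privileged-group membership to what is needed. Membership in `libvirtd` in particular is commonly treated as root-equivalent, so it should stay only if this account really manages VMs on the host.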
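Review bot: In the `dmz-services` profile `user = "dmz-user";` is an attribute of a non-recursive attrset, so the `inherit user` in `specialArgs` and `extraSpecialArgs` and the `home-manager.users.${user}` key still resolve to the `user` bound by the surrounding `let` (outside this hunk), and the DMZ account is created under the desktop user name rather than `dmz-user`. It also hands `lib.nixosSystem` an argument it does not declare, which I would expect to fail evaluation. Scope it instead: `dmz-services = let user = "dmz-user"; in lib.nixosSystem {` and drop the `user = "dmz-user";` line; the trailing `# Desktop profile` comment should also become `# DMZ server profile`.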
+++ b/hosts/home_server.nix @@ -0,0 +1,60 @@ +# +# General Home-manager configuration +# +# flake.nix +# ├─ ./hosts +# │ └─ home.nix * +# └─ ./modules +# ├─ ./editors +# │ └─ default.nix +# ├─ ./programs +# │ └─ default.nix +# ├─ ./services +# │ └─ default.nix +# └─ ./shell +# └─ default.nix +# + +{ config, lib, pkgs, user, ... }: + +{ + imports = # Home Manager Modules + (import ../modules/editors) ++ + #(import ../modules/programs) ++ + #(import ../modules/programs/configs) ++ + #(import ../modules/services) ++ + (import ../modules/shell); + + home = { + username = "${user}"; + homeDirectory = "/home/${user}"; + + packages = with pkgs; [ + # Terminal + btop # Resource Manager + pfetch # Minimal fetch + ranger # File Manager + gnupg # sign and authorize 2nd Fac + + #xdg-utils + + # Video/Audio + #libva-utils # vainfo + + # Apps + hdparm + python3Full + + # File Management + rsync # Syncer $ rsync -r dir1/ dir2/ + #unzip # Zip files + #unrar # Rar files + + ]; + stateVersion = "22.05"; + }; + + programs = { + home-manager.enable = true; + }; +} diff --git a/hosts/server/default.nix b/hosts/server/default.nix new file mode 100644 index 0000000..06d568b --- /dev/null +++ b/hosts/server/default.nix 
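Review bot: The header comment describes `home.nix` (`│ └─ home.nix *`) although the file is hosts/home_server.nix, and it advertises `./programs` and `./services` module directories that the `imports` list below leaves commented out. Update the tree to `│ └─ home_server.nix *` and mark the disabled module groups as such, otherwise a reader picking the server profile off this header expects the desktop program and service modules to be active.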
@@ -0,0 +1,72 @@ +# +# Specific system configuration settings for desktop +# +# flake.nix +# ├─ ./hosts +# │ └─ ./laptop +# │ ├─ default.nix * +# │ └─ hardware-configuration.nix +# └─ ./modules +# ├─ ./desktop +# │ └─ ./hyprland +# │ └─ hyprland.nix +# ├─ ./modules +# │ └─ ./programs +# │ └─ waybar.nix +# └─ ./hardware +# └─ default.nix +# + +{ config, pkgs, user, ... }: + +{ + imports = # For now, if applying to other system, swap files + [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix + [(import ../../modules/desktop/virtualisation/docker.nix)] ++ # Docker + (import ../../modules/hardware); # Hardware devices + + boot = { # Boot options + kernelPackages = pkgs.linuxPackages_latest; + + loader = { # EFI Boot + systemd-boot.enable = true; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + timeout = 1; # Grub auto select time + }; + }; + +# environment = { +# systemPackages = with pkgs; [ +## simple-scan +## intel-media-driver +## alacritty +# ]; +# }; + + programs = { # No xbacklight, this is the alterantive + ssh.startAgent = false; + gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryFlavor = "curses"; + }; + }; + + services = { + #auto-cpufreq.enable = true; + avahi = { # Needed to find wireless printer + enable = true; + nssmdns = true; + publish = { # Needed for detecting the scanner + enable = true; + addresses = true; + userServices = true; + }; + }; + + }; + +} diff --git a/hosts/desktop/1 b/hosts/server/hardware-configuration.nix similarity index 72% rename from hosts/desktop/1 rename to hosts/server/hardware-configuration.nix index 73990a7..c8ac54d 100644 --- a/hosts/desktop/1 +++ b/hosts/server/hardware-configuration.nix 
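Review bot: `services.avahi` is enabled with `nssmdns` and `publish.enable`/`addresses`/`userServices = true`, justified by comments about a wireless printer and scanner, on a host whose profile is named `dmz`; mDNS publishing announces the host and its user services to everything on that segment and, with NixOS's default `services.avahi.openFirewall = true`, also opens UDP 5353 in the firewall. Unless the DMZ machine really discovers peripherals, drop the block or at least set `publish.enable = false;`. The header comment is likewise copied from the laptop (`Specific system configuration settings for desktop`, tree rooted at `./laptop`) and should name `./server`, and `timeout = 1; # Grub auto select time` documents Grub while `systemd-boot.enable = true` is what is configured.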
@@ -17,37 +17,43 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" "vfio_virqfd" ]; - boot.kernelModules = [ "kvm" ]; + boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-label/ROOT"; + { device = "/dev/disk/by-label/NIXROOT"; fsType = "btrfs"; - options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@" ]; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; }; fileSystems."/home" = - { device = "/dev/disk/by-label/ROOT"; + { device = "/dev/disk/by-label/NIXROOT"; fsType = "btrfs"; - options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ]; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; }; - fileSystems."/opt" = - { device = "/dev/disk/by-label/ROOT"; + fileSystems."/home/.snapshots" = + { device = "/dev/disk/by-label/NIXROOT"; fsType = "btrfs"; - options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt" ]; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@snapshots,discard=async" ]; }; fileSystems."/srv" = - { device = "/dev/disk/by-label/ROOT"; + { device = "/dev/disk/by-label/NIXROOT"; fsType = "btrfs"; - options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv" ]; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; }; fileSystems."/boot" = - { device = "/dev/disk/by-label/BOOT"; + { device = "/dev/disk/by-label/NIXBOOT"; fsType = "vfat"; }; 
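Review bot: `boot.kernelModules = [ "kvm-amd" ]` sits in a profile that hosts/default.nix builds with `nixos-hardware.nixosModules.common-cpu-intel` and that the third hunk of this file configures with `hardware.cpu.intel.updateMicrocode`; one side is wrong about the CPU vendor. If the machine is Intel, KVM will be missing and `kvm-intel` is needed; if it is AMD, the Intel microcode option is a no-op and the host runs without the microcode updates that carry the CPU-level mitigations, so it should be `hardware.cpu.amd.updateMicrocode` together with `common-cpu-amd`. The `vfio_pci`/`vfio`/`vfio_iommu_type1`/`vfio_virqfd` initrd modules also look carried over from the desktop passthrough setup; unless this server passes PCI devices to guests, dropping them keeps the early-boot footprint smaller.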
@@ -68,12 +74,12 @@ networking = { useDHCP = false; # Deprecated - hostName = "hades"; + hostName = "dmz"; networkmanager = { enable = true; }; interfaces = { - eth0 = { + enp34s0 = { useDHCP = true; # For versatility sake, manually edit IP on nm-applet. #ipv4.addresses = [ { # address = "192.168.0.51"; @@ -90,7 +96,5 @@ #}; }; - #hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - # high-resolution display - hardware.video.hidpi.enable = lib.mkDefault true; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/server/home.nix b/hosts/server/home.nix new file mode 100644 index 0000000..db6f970 --- /dev/null +++ b/hosts/server/home.nix @@ -0,0 +1,56 @@ +# +# Home-manager configuration for laptop +# +# flake.nix +# ├─ ./hosts +# │ └─ ./laptop +# │ └─ home.nix * +# └─ ./modules +# └─ ./desktop +# └─ ./hyprland +# └─ hyprland.nix +# + +{ pkgs, ... }: + +{ + imports = + [ + ../../modules/home.nix # Window Manager + ]; + + home = { # Specific packages for laptop + packages = with pkgs; [ + # Applications + libreoffice # Office packages + #firefox + chromium + thunderbird + streamlink + streamlink-twitch-gui-bin + element-desktop + pulsemixer + yubioath-desktop + nitrokey-app + + # Display + #light # xorg.xbacklight not supported. Other option is just use xrandr. + + # Power Management + #auto-cpufreq # Power management + #tlp # Power management + ]; + }; + + programs = { + alacritty.settings.font.size = 11; + }; + + services = { # Applets + blueman-applet.enable = true; # Bluetooth + network-manager-applet.enable = true; # Network + }; + + xsession.preferStatusNotifierItems = true; + +}
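Review bot: hosts/server/home.nix is the laptop home profile with only its path changed: the header still reads `Home-manager configuration for laptop`, `home.packages` installs `libreoffice`, `chromium`, `thunderbird`, `streamlink-twitch-gui-bin`, `element-desktop` and similar desktop programs, and `services.blueman-applet`/`network-manager-applet` plus `xsession.preferStatusNotifierItems` assume a graphical session that hosts/server/default.nix never configures. On a DMZ host each of these is one more networked program to keep patched with no benefit, and the applet services will simply fail without a session bus and tray. I would prune the list to server tooling and fix the header to `Home-manager configuration for the dmz server` with the tree rooted at `./server`.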