From fdc031ea4d27370c7ced25fa18f3e8a4d5548e3c Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:24:21 +0200 Subject: [PATCH 01/21] feat: write cursed function so that secrets are host-based --- modules/core/sops.nix | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/modules/core/sops.nix b/modules/core/sops.nix index d57f4d9..ddb6ee7 100644 --- a/modules/core/sops.nix +++ b/modules/core/sops.nix @@ -2,18 +2,29 @@ pkgs, inputs, username, + host, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; sops = { - defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFile = ../../secrets/${host}/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/${username}/.config/sops/age/keys.txt"; - secrets = { - "systemMailerPassword" = { }; - }; + secrets = + if (host == "violet") then + { + "systemMailerPassword" = { }; + "forgejoWorkerSecret" = { }; + "matrixRegistrationSecret" = { }; + } + else if (host == "sakura") then + { + "systemMailerPassword" = { }; + } + else + { }; }; environment.systemPackages = with pkgs; [ From d1c0a81809285e9f750068e599d151d3763ee4d2 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:24:40 +0200 Subject: [PATCH 02/21] feat: adds key group for `violet` --- .sops.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index 69afeda..071f3c5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,10 @@ keys: - &violet age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3 creation_rules: - path_regex: secrets/secrets.yaml + key_groups: + - age: + - *sakura + - path_regex: secrets/violet/secrets.yaml key_groups: - age: - *sakura From 783b52e6812a874f697a0c406e27ebd266b39f8f Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 13:37:50 +0200 Subject: [PATCH 03/21] feat: enable some services for `violet` --- modules/services/violet.nix | 3 +++ 1 file changed, 3 insertions(+) 
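Review bot: The `if (host == "violet") … else if (host == "sakura") … else { }` dispatch in `secrets` silently declares nothing for any other hostname (the series later adds `hazel`), and any module that then reads `config.sops.secrets.<name>.path` fails at evaluation with an "attribute missing" error that points nowhere near this file; `lib.optionalAttrs (host == "violet") { … } // lib.optionalAttrs (host == "sakura") { … }` says the same thing without the dangling `else { }` and makes the duplicated `systemMailerPassword` declaration easy to hoist. A header comment would help the next reader, e.g. `# One encrypted file per host under secrets/<host>/secrets.yaml; recipients are listed in .sops.yaml`. Not new in this hunk, but now guarding every host's secrets: `age.keyFile` under `/home/${username}` means the unprivileged user account holds the key that decrypts all of the host's secrets — a root-only `/var/lib/sops-nix/key.txt` or `sops.age.sshKeyPaths` keeps that key out of user reach. The module's argument set and outer attrset start before this hunk.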
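Review bot: The new rule for `secrets/violet/secrets.yaml` still lists `*sakura` as a recipient (and the encrypted file added later in this series carries two age recipients), so if `sakura` is a host key rather than an operator key, the Forgejo runner token and Matrix registration secret stay decryptable from that other machine and the per-host split is organisational only. If that is intended, record it: `# *sakura is the editing key; every host file is also encrypted to it`; otherwise list the owning host key plus a dedicated admin key. `path_regex` is an unanchored regular expression with an unescaped dot, so `^secrets/violet/secrets\.yaml$` is the safer spelling as more host directories appear. The rule's age key list continues past the end of the hunk.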
diff --git a/modules/services/violet.nix b/modules/services/violet.nix
index d036137..dc09fbd 100644
--- a/modules/services/violet.nix
+++ b/modules/services/violet.nix
@@ -19,9 +19,12 @@
 ++ [ (import ./monitoring.nix) ]
 ++ [ (import ./ntfy.nix) ]
 ++ [ (import ./nginx.nix) ]
+ ++ [ (import ./nix-serve.nix) ]
 ++ [ (import ./radicale.nix) ]
+ ++ [ (import ./remote-build.nix) ]
 ++ [ (import ./readarr.nix) ]
 ++ [ (import ./sharkey-proxy.nix) ]
+ ++ [ (import ./smokeping.nix) ]
 # ++ [ (import ./komga.nix) ]
 # ++ [ (import ./xmpp.nix) ]
 ++ [ (import ./tailscale.nix) ]
From d8d6bc67d8e492c5c7f16d5466d19c35d9bbe8f1 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Wed, 30 Jul 2025 13:38:07 +0200
Subject: [PATCH 04/21] feat: adds `vaultwarden` configuration
---
modules/services/vaultwarden.nix | 34 ++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 modules/services/vaultwarden.nix
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..38a2192
--- /dev/null
+++ b/modules/services/vaultwarden.nix
@@ -0,0 +1,34 @@
+{ config, ... }:
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ config = {
+ SIGNUPS_ALLOWED = false;
+ ENABLE_WEBSOCKET = true;
+ SENDS_ALLOWED = true;
+ INVITATIONS_ENABLED = true;
+ EMERGENCY_ACCESS_ALLOWED = true;
+ EMAIL_ACCESS_ALLOWED = true;
+ DOMAIN = "https://passwords.liv.town";
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = 8003;
+ };
+ };
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "passwords.liv.town" = {
+ forceSSL = true;
+ sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+ sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
From b663614fa5448ac604fa16b5f82b655a2ce6621b Mon Sep 17 00:00:00 2001
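Review bot: `ROCKET_ADDRESS = "0.0.0.0";` makes Vaultwarden accept plain HTTP on port 8003 on every interface, while the nginx vhost only proxies to `127.0.0.1`, so TLS termination and any nginx-level controls can be bypassed by anyone who can reach the host on 8003 unless a firewall rule not shown here blocks it; bind to loopback instead: `ROCKET_ADDRESS = "127.0.0.1";`. Everything under `config` is rendered into the world-readable Nix store, which is fine for these flags but means a future `ADMIN_TOKEN` or SMTP password must go through `services.vaultwarden.environmentFile` — a comment saying so on the `config = {` line would prevent that mistake. Leaving `ADMIN_TOKEN` unset keeps Vaultwarden's admin panel disabled, which is the right default for an instance that already has `SIGNUPS_ALLOWED = false`.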
From: Ahwx Date: Wed, 30 Jul 2025 13:54:14 +0200 Subject: [PATCH 05/21] feat: update `forgejo` settings to include `mailer` and `gitea-actions-runner` configuration now that we have `sops-nix` --- modules/services/forgejo.nix | 97 +++++++++++++++++++----------------- 1 file changed, 52 insertions(+), 45 deletions(-) diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix index 52e94bc..8291bcc 100644 --- a/modules/services/forgejo.nix +++ b/modules/services/forgejo.nix 
@@ -9,57 +9,64 @@ let srv = cfg.settings.server; in { - services.forgejo = { - enable = true; - # database.type = "postgres"; - # Enable support for Git Large File Storage - lfs.enable = true; - settings = { - server = { - DOMAIN = "code.liv.town"; - # You need to specify this to remove the port from URLs in the web UI. - ROOT_URL = "https://${srv.DOMAIN}/"; - HTTP_PORT = 3050; - }; - # You can temporarily allow registration to create an admin user. - service.DISABLE_REGISTRATION = true; - # Add support for actions, based on act: https://github.com/nektos/act - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - # Sending emails is completely optional - # You can send a test email from the web UI at: - # Profile Picture > Site Administration > Configuration > Mailer Configuration - # mailer = { - # ENABLED = true; - # SMTP_ADDR = "mail.example.com"; - # FROM = "noreply@${srv.DOMAIN}"; - # USER = "noreply@${srv.DOMAIN}"; - # }; - }; - # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; - }; - # gitea-actions-runner = { - # package = pkgs.forgejo-runner; - # instances.my-forgejo-instance = { - # enable = true; - # name = "forgejo-01"; - # token = ""; # TODO: fill in tokens etc - # url = "https://code.liv.town"; - # labels = [ - # "node-22:docker://node:22-bookworm" - # "nixos-latest:docker://nixos/nix" - # ]; - # }; - # }; services = { + forgejo = { + enable = true; + # database.type = "postgres"; + # Enable support for Git Large File Storage + lfs.enable = true; + settings = { + server = { + DOMAIN = "code.liv.town"; + # You need to specify this to remove the port from URLs in the web UI. + ROOT_URL = "https://${srv.DOMAIN}/"; + HTTP_PORT = 3050; + }; + # You can temporarily allow registration to create an admin user. 
+ service.DISABLE_REGISTRATION = true; + # Add support for actions, based on act: https://github.com/nektos/act + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + # TODO: run own email server that sends users emails! + # You can send a test email from the web UI at: + # Profile Picture > Site Administration > Configuration > Mailer Configuration + mailer = { + ENABLED = true; + SMTP_ADDR = "smtp.migadu.com"; + FROM = config.liv.variables.senderEmail; + USER = config.liv.variables.senderEmail; + }; + }; + mailerPasswordFile = config.sops.secrets.systemMailerPassword.path; + }; + gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances.code-liv-town = { + enable = true; + name = "forgejo-01"; + tokenFile = "${config.sops.secrets.forgejoWorkerSecret.path}"; + url = "https://code.liv.town"; + labels = [ + "node-22:docker://node:22-bookworm" + "nixos-latest:docker://nixos/nix" + ]; + }; + }; + anubis.instances.forgejo = { + settings = { + TARGET = "http://localhost:3050"; + BIND = ":3051"; + BIND_NETWORK = "tcp"; + }; + }; nginx.virtualHosts."code.liv.town" = { forceSSL = true; sslCertificate = "/var/lib/acme/liv.town/cert.pem"; sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; locations."/" = { - proxyPass = "http://localhost:3050"; + proxyPass = "http://localhost${toString config.services.anubis.instances.forgejo.settings.BIND}"; proxyWebsockets = true; }; }; From 3aa990e2036c370931ea7ff9e7fc399e26168033 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:17:17 +0200 Subject: [PATCH 06/21] chore: remove `smokeping` from `violet` as it is now a `prometheus` module --- modules/services/violet.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/services/violet.nix b/modules/services/violet.nix index dc09fbd..122aa03 100644 --- a/modules/services/violet.nix +++ b/modules/services/violet.nix 
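Review bot: `anubis.instances.forgejo.settings.BIND = ":3051"` listens on all interfaces, and Forgejo's `HTTP_PORT = 3050` is left with the default `HTTP_ADDR` (all interfaces too), so both the bot-challenge layer and the TLS vhost can be bypassed by connecting to 3050 or 3051 directly if those ports are not firewalled; pin both to loopback with `BIND = "127.0.0.1:3051";` and `server.HTTP_ADDR = "127.0.0.1";` (the nginx `proxyPass` already targets localhost). On `tokenFile = "${config.sops.secrets.forgejoWorkerSecret.path}"`: as far as I recall, the NixOS `gitea-actions-runner` module hands this path to systemd as an `EnvironmentFile` and expects a `TOKEN=<value>` line, so a sops secret holding the bare token will not register — either store it as `TOKEN=…` or render it through `sops.templates`; the quotes and interpolation around a plain path are also redundant. The `docker://node:22-bookworm` and `docker://nixos/nix` labels pull mutable Docker Hub tags that will execute untrusted workflow code; pinning by digest deserves at least a comment. The `services` attrset closes after the end of the hunk.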
@@ -24,7 +24,6 @@ ++ [ (import ./remote-build.nix) ] ++ [ (import ./readarr.nix) ] ++ [ (import ./sharkey-proxy.nix) ] - ++ [ (import ./smokeping.nix) ] # ++ [ (import ./komga.nix) ] # ++ [ (import ./xmpp.nix) ] ++ [ (import ./tailscale.nix) ] From 550fa87fbc3dc3c88f9da9e9d3be927a1aa4c3ff Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:20:03 +0200 Subject: [PATCH 07/21] feat: adds `prometheus` exporter for `smokeping` to see latency --- modules/services/monitoring.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index 43b5319..b24e67b 100644 --- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, host, ... }: { services = { prometheus = { @@ -10,6 +10,15 @@ enabledCollectors = [ "systemd" ]; port = 9002; }; + smokeping = { + enable = true; + hosts = [ + "172.16.10.1" + "172.16.10.2" + "9.9.9.9" + "149.112.112.112" + ]; + }; }; scrapeConfigs = [ { @@ -20,6 +29,14 @@ } ]; } + { + job_name = "${host} - smokeping"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.smokeping.port}" ]; + } + ]; + } ]; }; }; From a042d3790d0cdfb3eee694c46400a1aaee95b213 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:23:14 +0200 Subject: [PATCH 08/21] sops: update --- secrets/violet/secrets.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 secrets/violet/secrets.yaml diff --git a/secrets/violet/secrets.yaml b/secrets/violet/secrets.yaml new file mode 100644 index 0000000..1cfdb0b --- /dev/null +++ b/secrets/violet/secrets.yaml 
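Review bot: The new `exporters.smokeping` block, like the existing `node` exporter above it, does not set `listenAddress`, and the NixOS Prometheus exporter modules default that to `0.0.0.0`, so the exporter's HTTP endpoint is reachable from every interface even though the scrape job added below targets `127.0.0.1`; add `listenAddress = "127.0.0.1";` to both unless a remote Prometheus is meant to scrape them. The `hosts` list mixes two RFC 1918 addresses with the Quad9 resolvers without saying why — a comment naming what `172.16.10.1` and `172.16.10.2` are (local gateway? peers?) would make the latency graph readable to someone else. The exporter needs raw-socket capability for ICMP, which the module is expected to grant; confirm after deploy rather than assuming.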
@@ -0,0 +1,27 @@ +systemMailerPassword: ENC[AES256_GCM,data:b1fvCLZMiA9xDu/9BKQGnCTbwj46uixlo37qer66DK09U7CEB8ZBqe+Y+DqjcOJUHHHSo8Qk1XGvGQWypkGICxmxNP8KWvmY42Woh3677APvotUdjW5fVKTgB+Y1m/6/cvXKicJFjbw5LOzZ2/JcXP01KPSkRxWb/X4xzvawSMY=,iv:vbchTqHaH2PB9Mll/s8q4zLhN6ThAsCVvhoggOhj7H4=,tag:6b+TiV1YYHWOn0P9qJZ/bQ==,type:str] +forgejoWorkerSecret: ENC[AES256_GCM,data:kmUjukTJ9SP6nJvfhIMFVTu5vAc9TIfZidUgejC7FSNBDJiP/lVlHw==,iv:jF9LpWLxtBi5i5NCC5nkLeLqJQzOAIY7H1z2NfHqUQI=,tag:3mtTcn+LQEbCESlt34nf9g==,type:str] +matrixRegistrationSecret: ENC[AES256_GCM,data:xDFYVpBJa+FHWjmLlZspJAzJcoav53nWPoctQ5+gAnDYMurtSCkmoQn8r5j6fOmiy56KQyk8AD2/kT1HeFFNKA==,iv:82eIoh1ePc0VxfTbBPxpwGhYrcdRMI6WjFhlUJhxuHk=,tag:FAYUXUy0lEQU56ni2dxvbg==,type:str] +sops: + age: + - recipient: age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeG8vNWltdmJGcHhpMFVv + L2loTVRWeUVQMjdFbXlLdDZ4NWd2czlMa1JVClErdlhXdlJKSDFrakhqVjRQMlBx + RStBKzI3bHkzWlZrdkFTZFZvRjN0eFUKLS0tIGJFaTRkVGhSbmZSbEdYZEFWV2Fz + bytGVUhvL1dKNk41cytPajJMUFdXQmMKbJZ7RDB5MXqotaLrWABIKFs2wEZtIAVm + +k+ykISzj/XhhCt2J4IWbhPqRDlivsOLvQF1srNgk02/laE+0Nz5Pg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMWV2NkVGSWR3UzBPWmFQ + S2lQRm9zZENGc29mN1VxT3hsb2c5d3k3ZGw4Ck5JWlpXQUU0WnhXT2ZocFZFSlkr + WjhZM214YVBDR3UzcU9SQ09ucWJDSUUKLS0tIE00aXVkeTQ5eG1TTTA2UnBuVnVB + S3pjSjlhZjZiSDBNakhLVzNKMjd3bWsKC2geLVXFp190lkjxtmZKq8aLN0XMNeAI + VqbwIY3a30iuWAaxqf8h1ZuCGJvbAZZBevFZraj9yktRHc54JV3Aww== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-30T11:20:39Z" + mac: 
ENC[AES256_GCM,data:BLP2Op9c2N9KuP6wAWT6TZZeHfUKF+J0FOtnoxfmG9yTViM21Jf39xxMvV4ZOtmp0pVFnV3NxT4So/dBpTObDe6Qv+X8Jsyt6voIQEXmah1FSol9ybUobYero1+5YmDwyGjQ6xTny+MRuG5hC7OAshVAtlFm+LH7/3hDgl6S6W8=,iv:D7FRlxPpy59jQYd5/sBT/DaFZo997GjlBKhJQldN6VY=,tag:dYsKOSjh14ZMbAOq6Vx6nQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 From 525b24ac25668834048a61347d4fa12245b28083 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:37:35 +0200 Subject: [PATCH 09/21] feat: set correct owner for `matrix-synapse` key --- modules/core/sops.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/core/sops.nix b/modules/core/sops.nix index ddb6ee7..1e4847a 100644 --- a/modules/core/sops.nix +++ b/modules/core/sops.nix @@ -3,6 +3,7 @@ inputs, username, host, + config, ... }: { @@ -17,7 +18,9 @@ { "systemMailerPassword" = { }; "forgejoWorkerSecret" = { }; - "matrixRegistrationSecret" = { }; + "matrixRegistrationSecret" = { + owner = "matrix-synapse"; + }; } else if (host == "sakura") then { From 11992d9506d3781a4f6bda61a4588fd9fb982111 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:37:59 +0200 Subject: [PATCH 10/21] sops: update --- secrets/violet/secrets.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secrets/violet/secrets.yaml b/secrets/violet/secrets.yaml index 1cfdb0b..2d64eda 100644 --- a/secrets/violet/secrets.yaml +++ b/secrets/violet/secrets.yaml 
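Review bot: Only `matrixRegistrationSecret` receives an `owner`; `systemMailerPassword` and `forgejoWorkerSecret` keep sops-nix's default root:root mode 0400. That is fine for the runner token if systemd reads it as an `EnvironmentFile`, but the Forgejo module's `mailerPasswordFile` is, as far as I recall, read in the unit's pre-start as the `forgejo` user, so the mailer would fail with permission denied on violet; set `"systemMailerPassword" = { owner = config.services.forgejo.user; };` in the violet branch (which also gives the newly added `config` argument a use). A short comment per secret naming the consuming unit, e.g. `# read by forgejo.service pre-start as user forgejo`, would make these ownership choices reviewable. The `secrets =` expression starts before this hunk and the `sakura` branch continues after it.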
@@ -21,7 +21,7 @@ sops: S3pjSjlhZjZiSDBNakhLVzNKMjd3bWsKC2geLVXFp190lkjxtmZKq8aLN0XMNeAI VqbwIY3a30iuWAaxqf8h1ZuCGJvbAZZBevFZraj9yktRHc54JV3Aww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-30T11:20:39Z" - mac: ENC[AES256_GCM,data:BLP2Op9c2N9KuP6wAWT6TZZeHfUKF+J0FOtnoxfmG9yTViM21Jf39xxMvV4ZOtmp0pVFnV3NxT4So/dBpTObDe6Qv+X8Jsyt6voIQEXmah1FSol9ybUobYero1+5YmDwyGjQ6xTny+MRuG5hC7OAshVAtlFm+LH7/3hDgl6S6W8=,iv:D7FRlxPpy59jQYd5/sBT/DaFZo997GjlBKhJQldN6VY=,tag:dYsKOSjh14ZMbAOq6Vx6nQ==,type:str] + lastmodified: "2025-07-30T12:37:11Z" + mac: ENC[AES256_GCM,data:pGnJaFRqa3sjouALSjy8+ClhqE+RNR4b5SMLKB356WtnHtALrGnd/RzPTMyLLTOht1td1Fk5jY8WoUy225qqfI1yy0Mne+qtnFqd9++XTmiY1b7ARBeNvvM/mMuZyp34Mz8WLx+imrLcX6TAlpRZ/SWtv5BE9nleHCwpNvFpqfc=,iv:q8bKIFQd6dRSDBk3qhipOK0E/4NZgIcVCo4Mwu9Ddf8=,tag:JjL3sFxSMx4dp1Swt2lbvg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 From 146176af45b3eadc8c2d6baedc581ee00f483798 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:49:19 +0200 Subject: [PATCH 11/21] chore: remove unused files --- modules/services/matrix/secrets.yaml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 modules/services/matrix/secrets.yaml diff --git a/modules/services/matrix/secrets.yaml b/modules/services/matrix/secrets.yaml deleted file mode 100644 index 357c281..0000000 --- a/modules/services/matrix/secrets.yaml +++ /dev/null @@ -1,3 +0,0 @@ -registration_shared_secret: "" - -report_stats: false From 4358dd95b9c5d1c42f7520a8acf1f6804c4cedfa Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 14:49:53 +0200 Subject: [PATCH 12/21] chore: remove things from gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 7ab9c97..b2be92b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -modules/services/matrix/default.nix result From 3e1692f454f35f3959eeca330cb4b2181283215e Mon Sep 17 00:00:00 2001 
From: Ahwx
Date: Wed, 30 Jul 2025 16:24:31 +0200
Subject: [PATCH 13/21] feat: adds `hazel` host
---
hosts/hazel/default.nix | 48 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 hosts/hazel/default.nix
diff --git a/hosts/hazel/default.nix b/hosts/hazel/default.nix
new file mode 100644
index 0000000..03a0fad
--- /dev/null
+++ b/hosts/hazel/default.nix
@@ -0,0 +1,48 @@
+{
+ pkgs,
+ config,
+ lib,
+ inputs,
+ ...
+}:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disko.nix
+ ./../../modules/core/default.server.nix
+ # ./../../modules/services/hazel.nix
+ ];
+
+ networking.hostName = "hazel";
+
+ nixpkgs.config.permittedInsecurePackages = [
+ "jitsi-meet-1.0.8043"
+ "olm-3.2.16"
+ ];
+
+ time.timeZone = lib.mkForce "Europe/Paris";
+
+ environment.systemPackages = with pkgs; [
+ kitty.terminfo
+ ];
+
+ services = {
+ smartd = {
+ enable = true;
+ autodetect = true;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 9123
+ ];
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+ };
+}
From 13228786c89724e8b3c1bd3593ccd42ddbfbec56 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Wed, 30 Jul 2025 16:25:01 +0200
Subject: [PATCH 14/21] feat: adds `hardware-configuration.nix` for `hazel`
---
hosts/hazel/hardware-configuration.nix | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 hosts/hazel/hardware-configuration.nix
diff --git a/hosts/hazel/hardware-configuration.nix b/hosts/hazel/hardware-configuration.nix
new file mode 100644
index 0000000..bfac344
--- /dev/null
+++ b/hosts/hazel/hardware-configuration.nix
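Review bot: `nixpkgs.config.permittedInsecurePackages` re-allows two packages that nixpkgs has marked insecure (`jitsi-meet-1.0.8043`, `olm-3.2.16`) on a host whose only services-module import is commented out, so nothing in this file appears to need them; drop the list, or keep each entry with a justification such as `# olm-3.2.16: pulled in by <service>; remove when it drops olm`. `allowedTCPPorts = [ 9123 ]` opens a port with no service configured here to listen on it — annotate it (`# 9123: <service>`) or add it together with the service that needs it. `boot.loader.grub.device = "/dev/sda"` relies on enumeration order; a `/dev/disk/by-id/…` path stays correct when controllers or disks are reordered.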
@@ -0,0 +1,26 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.eno2.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} From 45be0c928d7f2320bc905fbdbb03383688bff40b Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 16:25:24 +0200 Subject: [PATCH 15/21] feat: adds disk layout for `hazel` --- hosts/hazel/disko.nix | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 hosts/hazel/disko.nix diff --git a/hosts/hazel/disko.nix b/hosts/hazel/disko.nix new file mode 100644 index 0000000..d308f8b --- /dev/null +++ b/hosts/hazel/disko.nix 
@@ -0,0 +1,37 @@ +{ inputs, ... }: +{ + imports = [ + inputs.disko.nixosModules.disko + ]; + disko.devices = { + disk = { + my-disk = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "500M"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} From efb7abb67e7845288441ebdda6cabdb71368295e Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 16:33:15 +0200 Subject: [PATCH 16/21] chore: adds `disko` and `hazel` host --- flake.lock | 106 +++++++++++++++++++++++++++++++++++------------------ flake.nix | 12 ++++++ 2 files changed, 83 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index c6d5cbf..3be4fca 100644 --- a/flake.lock +++ b/flake.lock @@ -54,6 +54,25 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1746728054, + "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", + "owner": "nix-community", + "repo": "disko", + "rev": "ff442f5d1425feb86344c028298548024f21256d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "latest", + "repo": "disko", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -231,7 +250,7 @@ }, "hypr-contrib": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1753252360, @@ -518,7 +537,7 @@ "inputs": { "hyprutils": "hyprutils_2", "hyprwayland-scanner": "hyprwayland-scanner_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "systems": "systems_2" }, "locked": { @@ -541,7 +560,7 @@ "hyprlang": "hyprlang_2", "hyprutils": "hyprutils_3", "hyprwayland-scanner": "hyprwayland-scanner_3", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "systems": "systems_3" }, "locked": { 
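Review bot: The layout has an EFI System Partition (`type = "EF00"`, mounted at `/boot`) but no `EF02` BIOS-boot partition, while `hosts/hazel/default.nix` installs GRUB in BIOS mode to `/dev/sda` without `efiSupport`; as far as I know grub-install in BIOS mode on a GPT disk needs a BIOS-boot partition to embed into, so one side should change — `boot.loader.grub = { efiSupport = true; efiInstallAsRemovable = true; device = "nodev"; }` for UEFI, or a 1M `EF02` partition here for legacy boot. `device = "/dev/sda"` in a module that wipes and repartitions is risky; a `/dev/disk/by-id/…` path cannot land on the wrong disk after a reordering. A warning comment at the top would help, e.g. `# DESTRUCTIVE: disko formats this disk; keep the import disabled after the initial install`.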
@@ -784,29 +803,45 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_10": { "locked": { - "lastModified": 1712163089, - "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", + "lastModified": 1753432016, + "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", + "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1746576598, + "narHash": "sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3582c75c7f21ce0b429898980eddbbf05c68e55", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_3": { "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "lastModified": 1712163089, + "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", "type": "github" }, "original": { @@ -833,6 +868,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1748929857, + "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1753429684, "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", 
@@ -848,7 +899,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1743315132, "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=", @@ -864,7 +915,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1742800061, "narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=", @@ -880,7 +931,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1753429684, "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", @@ -896,26 +947,10 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1753432016, - "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixvim": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nixvim": "nixvim_2" }, "locked": { @@ -935,7 +970,7 @@ "nixvim_2": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nuschtosSearch": "nuschtosSearch" }, "locked": { @@ -955,7 +990,7 @@ "nur": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1753530457, @@ -1021,13 +1056,14 @@ "root": { "inputs": { "alejandra": "alejandra", + "disko": "disko", "home-manager": "home-manager", "hypr-contrib": "hypr-contrib", "hyprland": "hyprland", "hyprpicker": "hyprpicker", "hyprsunset": "hyprsunset", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "nixvim": "nixvim", "nur": "nur", "sops-nix": "sops-nix" @@ -1052,7 +1088,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1752544651, 
diff --git a/flake.nix b/flake.nix index 1256397..ddd5625 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,7 @@ nixos-hardware.url = "github:nixos/nixos-hardware"; nixvim.url = "github:ahwxorg/nixvim-config"; sops-nix.url = "github:Mic92/sops-nix"; + disko.url = "github:nix-community/disko/latest"; }; outputs = @@ -22,6 +23,7 @@ self, nixpkgs, sops-nix, + disko, ... }@inputs: let @@ -116,6 +118,16 @@ inherit self inputs username; }; }; + hazel = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + (import ./hosts/hazel) + ]; + specialArgs = { + host = "hazel"; + inherit self inputs username; + }; + }; }; }; } From 962f39659683e4f16fa07d6e7b0b38b3115e37ef Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 16:33:52 +0200 Subject: [PATCH 17/21] feat: write cursed package function --- modules/home/packages.nix | 219 +++++++++++++++++++++----------------- 1 file changed, 119 insertions(+), 100 deletions(-) diff --git a/modules/home/packages.nix b/modules/home/packages.nix index 53f5652..aa7f77d 100644 --- a/modules/home/packages.nix +++ b/modules/home/packages.nix 
@@ -1,107 +1,126 @@ -{ inputs, pkgs, ... }: { - home.packages = with pkgs; [ - # Environment shit - tesseract - yubikey-touch-detector - wireguard-tools - openresolv - xdg-utils - killall - libnotify - openssl - pamixer - playerctl - wl-clipboard - cliphist - poweralertd - ffmpeg - zip - unzip - wget - xxd - gcc - gnumake - python3 + inputs, + lib, + pkgs, + ... +}: +with lib; +let + guiPkgs = + if (config.liv.gui == true) then + [ + element-desktop + gajim + signal-desktop + anki-bin + obs-studio + wdisplays + librewolf # main + ungoogled-chromium # for things that don't work with librewolf + nsxiv + imv + libreoffice + xfce.thunar + spotify + spotify-player + thunderbird + lxqt.pavucontrol-qt + mpv + plasma5Packages.kdeconnect-kde + # onthespot-overlay - # CLI shit - termpdfpy - vimv - iamb - pass - lm_sensors - neofetch - hyfetch - glow - eva - exiftool - translate-shell - progress - pwgen - jq - tmux - htop - eza - file - fzf - lazygit - gitleaks - ripgrep - yt-dlp - spotify-player - nodejs_22 - yarn - cargo - rustc - wikit - reader - nmap - speedtest-go - delta - powertop - android-tools - sshpass + # Gaming + lunar-client + ] + else + [ + killall + ]; +in +{ + home.packages = + with pkgs; + [ + # Environment shit + tesseract + yubikey-touch-detector + wireguard-tools + openresolv + xdg-utils + killall + libnotify + openssl + pamixer + playerctl + wl-clipboard + cliphist + poweralertd + ffmpeg + zip + unzip + wget + xxd + gcc + gnumake + python3 - # Install pip packages - # python3 - # python3Packages.pip - # (writeShellScriptBin "install-pip-packages" '' # This script does not run, yet. 
- # pip install --user --break-system-packages - # '') + # CLI shit + termpdfpy + vimv + iamb + pass + lm_sensors + neofetch + hyfetch + glow + eva + exiftool + translate-shell + progress + pwgen + jq + tmux + htop + eza + file + fzf + lazygit + gitleaks + ripgrep + yt-dlp + nodejs_22 + yarn + cargo + rustc + wikit + reader + nmap + speedtest-go + delta + powertop + android-tools + sshpass + net-tools + nmap - # GUI shit - element-desktop - gajim - signal-desktop - anki-bin - obs-studio - wdisplays - librewolf # main - ungoogled-chromium # for things that don't work with librewolf - nsxiv - imv - libreoffice - xfce.thunar - spotify - thunderbird - lxqt.pavucontrol-qt - mpv - plasma5Packages.kdeconnect-kde - # onthespot-overlay + # Install pip packages + # python3 + # python3Packages.pip + # (writeShellScriptBin "install-pip-packages" '' # This script does not run, yet. + # pip install --user --break-system-packages + # '') - # Gaming - lunar-client + inputs.alejandra.defaultPackage.${system} + inputs.nixvim.packages.${pkgs.system}.default + mermaid-cli + gnuplot - inputs.alejandra.defaultPackage.${system} - inputs.nixvim.packages.${pkgs.system}.default - mermaid-cli - gnuplot - - # Email/calendar/etc - neomutt - w3m - khard - khal - vdirsyncer - ]; + # Email/calendar/etc + neomutt + w3m + khard + khal + vdirsyncer + ] + ++ guiPkgs; } From 5813c632bf9fd3191596e5db00c1ddcc90c9c180 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 16:36:26 +0200 Subject: [PATCH 18/21] fix: make `config` input available so it can find `config.liv.gui` --- modules/home/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/packages.nix b/modules/home/packages.nix index aa7f77d..ec02ef3 100644 --- a/modules/home/packages.nix +++ b/modules/home/packages.nix @@ -2,6 +2,7 @@ inputs, lib, pkgs, + config, ... }: with lib; From 81344ed4028429790cc79b8833f3bb083f7a29d4 Mon Sep 17 00:00:00 2001 
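Review bot: The `guiPkgs` list in the `let` block sits outside the `with pkgs;` that only covers the `home.packages` literal, so `element-desktop`, `gajim` and the rest are looked up in `lib` (the only `with` in scope there) and evaluation fails with an undefined-variable error as soon as `config.liv.gui` is true; write `guiPkgs = with pkgs; if config.liv.gui then [ … ] else [ killall ];`. `killall` is already in the base list, so the `else` branch is redundant, and `nmap` is listed twice (once after `reader`, again after `net-tools`) — deduplicate. `with lib;` has no other use in the file and can go together with the `== true` comparison. The follow-up patch adds the missing `config` argument but leaves the `with pkgs;` scoping problem in place.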
From: Ahwx Date: Wed, 30 Jul 2025 16:46:08 +0200 Subject: [PATCH 19/21] chore: update `hazel`'s configuration --- hosts/hazel/default.nix | 2 +- hosts/hazel/hardware-configuration.nix | 43 +++++++++++++++++++------- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/hosts/hazel/default.nix b/hosts/hazel/default.nix index 03a0fad..fe687f7 100644 --- a/hosts/hazel/default.nix +++ b/hosts/hazel/default.nix @@ -42,7 +42,7 @@ boot = { loader.grub = { enable = true; - device = "/dev/sda"; + # device = "/dev/sda"; }; }; } diff --git a/hosts/hazel/hardware-configuration.nix b/hosts/hazel/hardware-configuration.nix index bfac344..37b1ec9 100644 --- a/hosts/hazel/hardware-configuration.nix +++ b/hosts/hazel/hardware-configuration.nix 
@@ -1,25 +1,44 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "ehci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.eno2.useDHCP = lib.mkDefault true; + fileSystems."/" = { + device = "/dev/disk/by-uuid/864dfbec-81f0-460f-b970-27693a0ad0e6"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/E141-F5CE"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + swapDevices = [ ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; From cb3b12b8794113f67a728b95c3a2ea12ad2735c1 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 16:47:32 +0200 Subject: [PATCH 20/21] chore: disable `disko` as initial config is done --- hosts/hazel/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hosts/hazel/default.nix b/hosts/hazel/default.nix index fe687f7..c350c3a 100644 --- a/hosts/hazel/default.nix +++ b/hosts/hazel/default.nix @@ -8,7 +8,7 @@ { imports = [ ./hardware-configuration.nix - ./disko.nix + # ./disko.nix ./../../modules/core/default.server.nix # ./../../modules/services/hazel.nix ]; From 274232c66b7cf3ed3205edc0e2b26cde2fb7edd6 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Wed, 30 Jul 2025 16:48:18 +0200 Subject: [PATCH 21/21] chore: adds device to `grub` on `hazel` --- hosts/hazel/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/hazel/default.nix b/hosts/hazel/default.nix index c350c3a..8bf4405 100644 --- a/hosts/hazel/default.nix +++ b/hosts/hazel/default.nix @@ -42,7 +42,7 @@ boot = { loader.grub = { enable = true; - # device = "/dev/sda"; + device = "/dev/sda"; }; }; }