diff --git a/flake.nix b/flake.nix
index 430ed36..e9040f5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -98,6 +98,7 @@
 # Systems
 nixos/installer.nix
 nixos/boxes/colony
+ nixos/boxes/tower
 # Homes
 home-manager/configs/castle.nix
diff --git a/nixos/boxes/tower/default.nix b/nixos/boxes/tower/default.nix
new file mode 100644
index 0000000..2020711
--- /dev/null
+++ b/nixos/boxes/tower/default.nix
@@ -0,0 +1,130 @@
+{ lib, ... }: {
+ nixos.systems.tower = {
+ system = "x86_64-linux";
+ nixpkgs = "mine";
+ home-manager = "mine";
+
+ configuration = { lib, pkgs, modulesPath, config, systems, assignments, allAssignments, ... }:
+ let
+ inherit (lib) mkIf mkMerge mkForce;
+ in
+ {
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu = {
+ intel.updateMicrocode = true;
+ };
+ };
+
+ boot = {
+ loader.efi.canTouchEfiVariables = true;
+ kernelPackages = pkgs.linuxKernel.packages.linux_5_19;
+ kernelModules = [ "kvm-intel" ];
+ kernelParams = [ "intel_iommu=on" ];
+ initrd = {
+ availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "thunderbolt" ];
+ luks = {
+ reusePassphrases = true;
+ devices = {
+ persist = {
+ device = "/dev/disk/by-uuid/27840c6f-445c-4b95-8c39-e69d07219f33";
+ allowDiscards = true;
+ preLVM = false;
+ };
+ home = {
+ device = "/dev/disk/by-uuid/c16c5038-7883-42c3-960a-a085a99364eb";
+ allowDiscards = true;
+ preLVM = false;
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-partuuid/66bc15d3-83dd-ea47-9753-3fb88eab903f";
+ fsType = "vfat";
+ };
+ "/nix" = {
+ device = "/dev/disk/by-uuid/cd597ff0-ca72-4a13-84c8-91b9c09e0a29";
+ fsType = "ext4";
+ };
+
+ "/persist" = {
+ device = "/dev/disk/by-uuid/1e9b6a54-bd8d-4ff3-8c06-7b214a35db57";
+ fsType = "ext4";
+ neededForBoot = true;
+ };
+ "/home" = {
+ device = "/dev/disk/by-uuid/5dc99dd6-0d05-45b3-acb6-03c29a9b9388";
+ fsType = "ext4";
+ };
+ };
+
+ console.keyMap = "uk";
+
+ services = {
+ lvm = {
+ boot.thin.enable = true;
+ dmeventd.enable = true;
+ };
+ fstrim.enable = true;
+
+ resolved = {
+ enable = true;
+ extraConfig = mkForce "";
+ };
+ };
+
+ networking = {
+ networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ wifi = {
+ backend = "wpa_supplicant";
+ };
+ extraConfig = ''
+ [main]
+ no-auto-default=*
+ '';
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ dhcpcd
+ pciutils
+ usbutils
+ lm_sensors
+ linuxPackages.cpupower
+ brightnessctl
+ ];
+
+ systemd = {
+ network = {
+ links = {
+ "10-wifi" = {
+ matchConfig.MACAddress = "8c:f8:c5:55:96:1e";
+ linkConfig.Name = "wifi";
+ };
+ };
+ };
+ };
+
+ my = {
+ user = {
+ tmphome = false;
+ };
+
+ #deploy.generate.system.mode = "boot";
+ secrets = {
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOU+UxJh8PZoiXV+0CRumv9Xsk6Fks4YMYRZcThmaJkB";
+ };
+
+ firewall = {
+ enable = true;
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix
index 386ead8..7231311 100644
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -86,6 +86,7 @@ in
 };
 time.timeZone = mkDefault "Europe/Dublin";
+ i18n.defaultLocale = "en_IE.UTF-8";
 boot = {
 # Use latest LTS release by default
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index ee133c4..dcbff08 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -337,6 +337,9 @@ in
 "/var/lib/cni"
 ];
 })
+ (mkIf config.networking.networkmanager.enable {
+ my.tmproot.persistence.config.directories = [ "/var/lib/NetworkManager" ];
+ })
 (mkIf config.my.build.isDevVM {
 fileSystems = mkVMOverride {
 # Hijack the "root" device for persistence in the VM
diff --git a/nixos/modules/user.nix b/nixos/modules/user.nix
index ed78856..64dcfef 100644
--- a/nixos/modules/user.nix
+++ b/nixos/modules/user.nix
@@ -11,6 +11,7 @@ in
 options.my.user = with lib.types; {
 enable = mkBoolOpt' true "Whether to create a primary user.";
 passwordSecret = mkOpt' (nullOr str) "user-passwd.txt" "Name of user password secret.";
+ tmphome = mkBoolOpt' true "Whether to persist home directory files under tmproot";
 config = mkOption {
 type = options.users.users.type.nestedTypes.elemType;
 default = { };
@@ -46,7 +47,7 @@ in
 _module.args.name = lib.mkForce user'.name;
 };
 };
- tmproot = {
+ tmproot = mkIf cfg.tmphome {
 unsaved.ignore = [
 # Auto-generated (on activation?)
 "/home/${user'.name}/.nix-profile"
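Review bot: `kernelPackages = pkgs.linuxKernel.packages.linux_5_19;` pins this laptop to a short-lived stable series while the shared module defaults to the latest LTS (the common.nix hunk's `# Use latest LTS release by default` context line), so security fixes stop arriving as soon as upstream ends 5.19 and the attribute will eventually vanish from nixpkgs; a comment such as `# non-LTS kernel (presumably for newer hardware support); move back to the LTS default once 5.19 is EOL upstream` would record why the override exists and when to drop it. `allowDiscards = true` on both LUKS devices is the documented trade-off that TRIM exposes which blocks are unused to anyone with the raw disk, acceptable for a laptop but worth one line acknowledging it, e.g. `# TRIM passthrough leaks free-space layout; accepted for SSD health`. `services.resolved.extraConfig = mkForce "";` discards whatever resolved settings the shared modules provide, which cannot be seen here — if that included DNSSEC or DNS-over-TLS hardening this box now runs without it, so a comment stating what is being cleared and why would help the next reader.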
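Review bot: `i18n.defaultLocale = "en_IE.UTF-8";` is set unconditionally while the neighbouring `time.timeZone = mkDefault "Europe/Dublin";` uses `mkDefault`, so a per-host module that wants a different locale will hit a definition conflict instead of simply overriding it. `i18n.defaultLocale = mkDefault "en_IE.UTF-8";` keeps the two lines consistent. The enclosing attribute set starts and ends outside the hunk.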
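Review bot: Persisting `/var/lib/NetworkManager` keeps NetworkManager's runtime state (seen BSSIDs, leases, the secret_key used for stable MAC generation) across the ephemeral root, but the connection profiles themselves — including Wi-Fi PSKs — are written by NetworkManager to `/etc/NetworkManager/system-connections`, which this hunk does not add, so unless the tmproot or NetworkManager module persists `/etc` elsewhere every saved network is lost on reboot. Adding `"/etc/NetworkManager/system-connections"` to the same directories list would cover it; on tower the persistence target is presumably the LUKS-backed `/persist` declared in the new box file, which is the right place for PSKs. A comment such as `# NM state; saved connections (with Wi-Fi secrets) live under /etc/NetworkManager/system-connections` would make the split explicit. The enclosing mkMerge list continues outside the hunk.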
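Review bot: The new option's description `"Whether to persist home directory files under tmproot"` reads as if `true` means home data is saved, but the second hunk shows it gates the whole `tmproot = mkIf cfg.tmphome { … }` block, and tower sets it to `false` presumably because `/home` is mounted there as its own LUKS-backed filesystem. Rewording it to `"Whether the user's home lives on the ephemeral root and is managed by tmproot. Set to false when /home is its own persistent filesystem."` states the actual semantics. The sibling descriptions on the lines above end with a full stop while this one does not.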
diff --git a/secrets/chatterbox/nul.ie.signing.key.age b/secrets/chatterbox/nul.ie.signing.key.age index 7ee8a48..51b24b7 100644 --- a/secrets/chatterbox/nul.ie.signing.key.age +++ b/secrets/chatterbox/nul.ie.signing.key.age @@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 ZB3e6Q iCLxItNihRG7KUDgcUm4vrtWQblN5hdYwvAegw0m5DQ -nQSrxGdOaWjtjYssejOg1DoNRnIYNznRzDJUEcWCUgA --> X25519 eE1k40fJ67VXFqUJ8pB2Ll8/s1K0kD3YkfMQnOqKiTw -nH9+nHG8pAVLn5krLSNGc18FEMcp6o5NKkf/ciuFPY8 --> U|8z(Y7-grease n 6 -DNyQQUnKJ9kGTrZY0pj67eeuEMpyn69awH4v0+RZiS9GaVRNPz9dv6VfzI178NDv -wb2gQLYc/5QFlvKo1pYx12AxxF3LvrwhNm8w9nvVjXUzFqn7SvoFxszxtw ---- bQBm6Njo6zu9+Xwao1BlMfBUXYL8TbytByW27Hde/Tg -v\'_H(=aJf+R,(+W{?ZnQ~a>)gFXrM4y \ No newline at end of file +-> ssh-ed25519 ZB3e6Q LYlElJVGV47nZ5AxrU6C8AfCrK3Br1DqMnozUVbzXAY +DthCj922i2ud9PJrBtVpkF6Mvs0tG/xQViIZxNewI9Q +-> X25519 D3YiBnszJ0a/e5VOVEonqGB7T0OWC7p7w3cNU7G3skc +/IQOnNqHGu/nY1g6QijCr5mpfmGEs6SAGK9/jiOqtd4 +-> $Yg5VBMZ-grease XSfpS" k} ( +EPfUi7eQKyf8bB6C9PIvVieDte6X7IR54zhP+CcmAw +--- KflE5p2fLkFzlQbOCpF/lZWO6Nq2m273tgE0/UqMeS4 + &t~Pg~kͦ_`Une{u/'i9ڪSкj;c~R^F{,/+$!-2H \ No newline at end of file diff --git a/secrets/chatterbox/synapse.yaml.age b/secrets/chatterbox/synapse.yaml.age index 647123e..d5ce637 100644 Binary files a/secrets/chatterbox/synapse.yaml.age and b/secrets/chatterbox/synapse.yaml.age differ diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age index 2aee7aa..db8f587 100644 Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ diff --git a/secrets/estuary/netdata/powerdns.conf.age b/secrets/estuary/netdata/powerdns.conf.age index dd1fb02..0e87cb2 100644 Binary files a/secrets/estuary/netdata/powerdns.conf.age and b/secrets/estuary/netdata/powerdns.conf.age differ 
diff --git a/secrets/estuary/netdata/powerdns_recursor.conf.age b/secrets/estuary/netdata/powerdns_recursor.conf.age index 26a371a..80619f1 100644 Binary files a/secrets/estuary/netdata/powerdns_recursor.conf.age and b/secrets/estuary/netdata/powerdns_recursor.conf.age differ diff --git a/secrets/estuary/pdns/auth.conf.age b/secrets/estuary/pdns/auth.conf.age index acda45b..7dd41b2 100644 --- a/secrets/estuary/pdns/auth.conf.age +++ b/secrets/estuary/pdns/auth.conf.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 n8CpUw gSOLNKBwaCiP9TqcaIBrRF7HnQrXziYl13GzjVS1ryk -kgXnpg8IMVfNnb9meGPbAYGbgkeiWF5USDd7KlJGJmA --> X25519 oL6s/UbRmFIcZ62H7766Q0Bu4KoFwzICgGPB/ogTvj0 -FTWqAvm3Eq2AzhC+5xAUGMuZYbVtrPt+c1QBtXMdv/A --> 54{PX{A-grease CyetKe> >}$Pn iQ)-0sK r -68Ze/tRYRoVy0x619dD1ibTGYaAGoljMxE2Ll5Sx+V9jRzi/DHtq/xyQTgvJfv3z -JM7E+KJZetXLLlvpOGKw3GBm ---- TWJdBHQyXz0rCxKloRqmXut0GODBw32Lwjnj9gFJAFI -!= I0rJv#(2R8 [-VI}p,}vjH#qJ?!v~P \ No newline at end of file +-> ssh-ed25519 n8CpUw +WNV+VmndEK6SO6/M0Mh7XdMSquucY7JCiP1vzoOpzo +JnOXYQ14pYWebHAmdkBz916L1CtE6vzQuIq3wi1cQT4 +-> X25519 drGGpRjQ3kFmp61N+iY00xmoBzcXwZm0FQsc6DYp/C0 +bEHnwq7dkfrFOHGiGWZC4CT9PIndHoaj4Od4U9xpcKs +-> a3$-grease +jvREqtF9g1ba8FTAJ6d6z6AjWLn8+U5dbQ5awJr5VHjIxAKeyP6W1TxtCkOXAXqE +d8Yk0M+aZi4 +--- KXJZwwgadyYXvRvO2iL3Kz9UtXhVFvJj/GphM24WH94 +ԨWW5q=b~MJ~LdB?INm=P0_Y,^Gi3 \ No newline at end of file diff --git a/secrets/estuary/pdns/recursor.conf.age b/secrets/estuary/pdns/recursor.conf.age index 2cade17..d7467c3 100644 Binary files a/secrets/estuary/pdns/recursor.conf.age and b/secrets/estuary/pdns/recursor.conf.age differ diff --git a/secrets/hercules/aws-credentials.ini.age b/secrets/hercules/aws-credentials.ini.age index 0db4f4f..5ec95cb 100644 Binary files a/secrets/hercules/aws-credentials.ini.age and b/secrets/hercules/aws-credentials.ini.age differ 
diff --git a/secrets/hercules/binary-caches.json.age b/secrets/hercules/binary-caches.json.age index 3a5ca76..980af15 100644 Binary files a/secrets/hercules/binary-caches.json.age and b/secrets/hercules/binary-caches.json.age differ diff --git a/secrets/hercules/cluster-join-token.key.age b/secrets/hercules/cluster-join-token.key.age index b5a571b..1eef06f 100644 Binary files a/secrets/hercules/cluster-join-token.key.age and b/secrets/hercules/cluster-join-token.key.age differ diff --git a/secrets/jackflix/mullvad-privkey.age b/secrets/jackflix/mullvad-privkey.age index 6d0ab1e..7073420 100644 Binary files a/secrets/jackflix/mullvad-privkey.age and b/secrets/jackflix/mullvad-privkey.age differ diff --git a/secrets/middleman/cloudflare-credentials.conf.age b/secrets/middleman/cloudflare-credentials.conf.age index 733d147..100e18b 100644 Binary files a/secrets/middleman/cloudflare-credentials.conf.age and b/secrets/middleman/cloudflare-credentials.conf.age differ diff --git a/secrets/middleman/nginx-sso.yaml.age b/secrets/middleman/nginx-sso.yaml.age index 986c643..7a13f3e 100644 Binary files a/secrets/middleman/nginx-sso.yaml.age and b/secrets/middleman/nginx-sso.yaml.age differ diff --git a/secrets/minio.env.age b/secrets/minio.env.age index 0b819fc..5fcf233 100644 Binary files a/secrets/minio.env.age and b/secrets/minio.env.age differ diff --git a/secrets/nix-cache-gc.ini.age b/secrets/nix-cache-gc.ini.age index 0b60d07..ef3c985 100644 Binary files a/secrets/nix-cache-gc.ini.age and b/secrets/nix-cache-gc.ini.age differ diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age index 215e75c..ff7cdfc 100644 Binary files a/secrets/pdns-file-records.key.age and b/secrets/pdns-file-records.key.age differ diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age index b59ddf6..b712c6b 100644 Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ 
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age index 8189b1d..7391acd 100644 --- a/secrets/vaultwarden.env.age +++ b/secrets/vaultwarden.env.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 HJ/J7A A4ybdNG0bDSIBDnjktzi1DpmGrkvNt0SE+YqCHNokEg -gwL+6yhXPM3oFkq3S/4PlWzi1h43yBRW1atvYbg2Ax4 --> X25519 R8AIKLRKCLCUmJB3A/z+9iQOfwbqNRm7GgZQX1PgHXM -nP+UagGakkcI4c59CHSldzGvJLzDXJE16u+LggSLUcM --> iS[]-grease -NLqKdqlhdrhVyfNihGFsQC+jvA9wu60 ---- KDffMrsRX2L2uqdu0ReWQnIcqkYjWfNh4s7KgXTYpDA --)hi@X"ĀeƩq}Ja&rJ !I:7;~v-*=eNKbWp#BmuxqXn+BGaLȂDerO1^t]c"dIRRG|Q \ No newline at end of file +-> ssh-ed25519 HJ/J7A NqWZhc47n2idkqNF0eDDxRnSxqVUDjbcO1o0y5BP1zs +XxVv9/92wbfmVjLkcaPa2a3tG3Sum1BMah76TlwkWDo +-> X25519 PQawUoZR/P8odnakuANiD412yhi9KUrMUNJqAajHsWU +4WfDINFhcVwpUNrauwPHKcj12WUHIsBoDcfwUtfGMDs +-> u-grease s] +jQtjx5qzgSmYzBa1eg +--- I1w442aozyjdXob2uZTFHsPllJZvTUOVSYQlAf52Mt8 +fԌΓjJ1U` 4K2GUD7T*Uˋ@ 1b.^yN ssh-ed25519 /EJXvg b3pIwQhBXVof+e+HdCC16M5tc0VuUvvKF+Fj2pytlEE -NwnBuKXpj9eP1k7D+U2J7Ms7q5kbB4E2zpH34Sx7MzY --> X25519 w3Wk4YORf+FrC94zpv8TqrwEWDJpuC8IE2YWn6TWRns -xWF9B4SfS2Gun3xMJodwU0WRtd1GmC3NpyW0xb/K2Sw --> IuQD#-grease gEpQSQM` -fjTI1cPFEs0gIqaF5NDOQcqNmfLDStGXaBUjEYa/JjAV7MCTRjpdUU/5DtkH33av -Ji1k8hfgxQ ---- UTwjr4FXUeSfijgp5VAZIIGmV/lsfxGwHFUHkC9jHrg -=!b&W\0Op([[ϟ]_4J8Ai93@~I‰5 \ No newline at end of file +-> ssh-ed25519 /EJXvg zqgNJtsJoogjGP75yueFFWd3oe0H64W5CQcujNCWZ0M +cVeKmN0jo/y7n5QS2Dp4U0uxK+jGwlQnwXNxR87z020 +-> X25519 J2MeXbL+kGLV3MePB1RMphd7XUfAiL7BTfRWut5lkTE +PlaRjS9QfL0R1wTx5XJNhjOn2PCG/6QIT3x8I5QG9wo +-> |#-grease t|Z9XXy p:XF +LPPVfms2cH4f51GHS7rSwzBOBQulDAANNYGwl22AkZfSNHotvpHdguuJ0S1D+aEj +d7jlo/xce10TcNJwKYNeTn775g +--- l2P0/sNogMDU0AmwSuK8BPJnXTj3a7jwwQ0P7ho8Etw +52F4bC涹&iK/AYx&ԭ/gQ&zIg$dmd \ No newline at end of file