diff --git a/flake.lock b/flake.lock index c5b6d3d..d99f75a 100755 --- a/flake.lock +++ b/flake.lock @@ -139,7 +139,7 @@ "gen-luarc", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1723803910, @@ -301,15 +301,15 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", + "lastModified": 1729181673, + "narHash": "sha256-LDiPhQ3l+fBjRATNtnuDZsBS7hqoBtPkKBkhpoBHv3I=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" @@ -332,6 +332,22 @@ } }, "nixpkgs-stable_3": { + "locked": { + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_4": { "locked": { "lastModified": 1728156290, "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", @@ -377,7 +393,7 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { "lastModified": 1728651332, @@ -400,6 +416,7 @@ "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable", "nvim": "nvim", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix", @@ -412,7 +429,7 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_3" + "nixpkgs-stable": "nixpkgs-stable_4" }, "locked": { "lastModified": 1728345710, diff --git a/flake.nix b/flake.nix index e69c54f..2a1bd11 100755 --- a/flake.nix 
+++ b/flake.nix
@@ -3,6 +3,7 @@
 inputs = {
 nixos-hardware.url = "github:NixOS/nixos-hardware";
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
 pre-commit-hooks = {
 url = "github:cachix/pre-commit-hooks.nix";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -35,6 +36,7 @@
 outputs = {
 self,
 nixpkgs,
+ nixpkgs-stable,
 systems,
 ...
 } @ inputs: let
@@ -48,16 +50,20 @@
 overlays = [
 (_final: _prev: {
 steam = pkgs.writeShellScriptBin "steam" ''
- flatpak run com.valvesoftware.Steam -pipewire "$@"
+ ${_prev.steam.outPath}/bin/steam -pipewire "$@"
 '';
 })
 inputs.nvim.overlays.default
 ];
 };
+ pkgs-stable = import nixpkgs-stable {
+ inherit system;
+ config.allowUnfree = true;
+ };
 eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system});
 treefmtEval = eachSystem (pkgs: inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix);
 in {
- nixosConfigurations = import ./nixos {inherit inputs pkgs attrs system;};
+ nixosConfigurations = import ./nixos {inherit inputs pkgs pkgs-stable attrs system;};
 homeConfigurations = import ./home-manager {inherit inputs pkgs attrs;};
 checks = {
 pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
@@ -78,6 +84,15 @@
 path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus;
 };
 };
+ nc = {
+ hostname = "nc.10110110.xyz";
+ sshUser = "root";
+ remoteBuild = true;
+ profiles.system = {
+ user = "root";
+ path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.nc;
+ };
+ };
 };
 formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper);
 devShells.${system}.default = pkgs.mkShell {
diff --git a/home-manager/shared/programs/shell/default.nix b/home-manager/shared/programs/shell/default.nix
index 4666c5a..c1d2880 100755
--- a/home-manager/shared/programs/shell/default.nix
+++ b/home-manager/shared/programs/shell/default.nix
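Review bot: `pkgs-stable` is built without the `overlays` list that `pkgs` receives (the `import nixpkgs { ... }` expression it belongs to starts above this hunk), so the `nc` system, which `./nixos` now builds from `pkgs-stable`, sees neither the steam override nor `inputs.nvim.overlays.default`, while `./configuration.nix` and `defaultModules` are shared with `consensus`; any overlay-provided attribute referenced in those shared modules will fail to evaluate for `nc`. If that is intended, record it: `# no overlays here: nc is a headless 24.05 server, keep the shared modules overlay-free`; otherwise bind the list once in the `let` and pass it to both imports. `config.allowUnfree = true` repeated in both calls is a smaller instance of the same duplication.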
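Review bot: The `nc` deploy node is the `consensus` node copied line for line with only the name and hostname swapped; a small `mkNode = name: hostname: {...}` helper taking those two values, with `self.nixosConfigurations.${name}` inside, would keep the two definitions from drifting. Deployment logs in as root over the public name `nc.10110110.xyz`, which `nixos/nc/configuration.nix` in this commit permits via `PermitRootLogin = "prohibit-password"` and root's authorized key; since the same commit gives the host the tailnet name `nc.tailc353f.ts.net` (the k3s `--tls-san`), pointing `hostname` there would keep the deploy path off the public SSH port, provided the deploying machine is on the tailnet.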
@@ -56,7 +56,7 @@
 rbs = "sudo nixos-rebuild switch --flake $NIX_FLAKE#${host.hostName}";
 nvim-dev = "nix run ~/dev/nvim.nix";
 mpv = "mpv --no-keepaspect-window";
- cat = "bat -P";
+ cat = "bat -pp";
 tcd = "cd $(mktemp -d)";
 };
 };
diff --git a/nixos/consensus/configuration.nix b/nixos/consensus/configuration.nix
index 97bb5fd..e7a4c00 100644
--- a/nixos/consensus/configuration.nix
+++ b/nixos/consensus/configuration.nix
@@ -4,7 +4,8 @@
 ];
 environment.systemPackages = with pkgs; [
 git
- vim
+ nvim-pkg
+ docker-compose
 ];
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = false;
@@ -14,6 +15,7 @@
 size = 4 * 1024;
 }
 ];
+ virtualisation.docker.enable = true;
 networking = {
 hostName = "consensus";
 firewall = {
@@ -21,19 +23,25 @@
 allowedTCPPorts = [
 22
 2022
+ 3610
 6443
 25565
+ 9002
 30001
 30303
+ 30304
 ];
 allowedUDPPorts = [
+ 9002
 30001
 30303
+ 30304
 ];
 logRefusedConnections = true;
 };
 };
 services = {
+ tailscale.enable = true;
 k3s = {
 enable = true;
 role = "server";
@@ -58,7 +66,10 @@
 isNormalUser = true;
 extraGroups = ["wheel"];
 home = "/home/e";
- openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''];
+ openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdo4PS8myKaKAdyIqSFj2VJ+oZ9DNRIp7PBz8IWKjjy''
+ ];
 };
 };
 security.sudo.wheelNeedsPassword = false;
diff --git a/nixos/default.nix b/nixos/default.nix
index aa548f0..5584c33 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -1,6 +1,7 @@
 {
 inputs,
 pkgs,
+ pkgs-stable,
 attrs,
 system,
 ...
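Review bot: The newly opened ports 3610, 9002 (TCP and UDP) and 30304 carry no comment naming the service behind them; with `logRefusedConnections = true` already on, a reader triaging refused-connection logs cannot tell an intended listener from a stray one. Annotate each entry, e.g. `9002 # <service> (TODO: name it)`. Note also that `virtualisation.docker.enable = true`, added in the previous hunk, lets the Docker daemon install its own iptables chains, so ports published by containers are, as far as I know, reachable whether or not they appear in `allowedTCPPorts`; if this list is meant to be the host's single allow-list, document that exception next to the `enable`. The enclosing `networking = {` attribute set opens in the previous hunk.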
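Review bot: The second key added to `e`'s `authorizedKeys` has no trailing comment, unlike the first (`e@t14`), so later nobody can tell which device it belongs to or which entry to revoke on rotation; since `e` is in `wheel` and `security.sudo.wheelNeedsPassword = false` is set just below, this key is effectively a second root credential for the host. Keep the ssh-keygen comment or add one so the entry reads `''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdo4PS8myKaKAdyIqSFj2VJ+oZ9DNRIp7PBz8IWKjjy <device-name>''` (placeholder label).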
@@ -38,7 +39,23 @@ in {
 defaultModules
 ++ [
 ./configuration.nix
- ./consensus/./configuration.nix
+ ./consensus/configuration.nix
+ ];
+ };
+ nc = inputs.nixpkgs-stable.lib.nixosSystem {
+ specialArgs = {
+ pkgs = pkgs-stable;
+ inherit inputs system attrs;
+ host = {
+ hostName = "consensus";
+ inherit (attrs) username;
+ };
+ };
+ modules =
+ defaultModules
+ ++ [
+ ./configuration.nix
+ ./nc/configuration.nix
 ];
 };
 }
diff --git a/nixos/nc/configuration.nix b/nixos/nc/configuration.nix
new file mode 100644
index 0000000..7de0fde
--- /dev/null
+++ b/nixos/nc/configuration.nix
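Review bot: `hostName = "consensus"` inside the new `nc` system looks copy-pasted: it tags the `nc` machine with the other server's name. The `rbs` alias in `home-manager/shared/programs/shell/default.nix` (earlier in this diff) expands to `nixos-rebuild switch --flake $NIX_FLAKE#${host.hostName}`, so run on `nc` it would build and activate the `consensus` configuration with that host's hardware-configuration, firewall and users. Change it to `hostName = "nc";`, and since `nixos/nc/configuration.nix` in this commit never sets `networking.hostName`, either set it there or have the shared `./configuration.nix` derive `networking.hostName` from `host.hostName` so the two cannot disagree (`consensus/configuration.nix` currently hard-codes its own). The `modules =` binding this hunk's first context lines belong to starts above the hunk.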
@@ -0,0 +1,87 @@
+{
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./k3s.nix
+ ];
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ docker-compose
+ ];
+ programs.nix-index.enableBashIntegration = false;
+ programs.nix-index.enableZshIntegration = false;
+ programs.nix-index-database.comma.enable = true;
+ time.timeZone = "America/Chicago";
+
+ virtualisation.docker = {
+ enable = true;
+ daemon.settings = {
+ data-root = "/eth2/docker";
+ };
+ };
+ # Enable flakes and unfree packages
+ nix.settings = {
+ auto-optimise-store = true;
+ substituters = ["https://cache.nixos.org"];
+ experimental-features = ["nix-command" "flakes"];
+ };
+ nix.gc = {
+ automatic = true;
+ dates = "00:00";
+ options = "--delete-older-than 14d";
+ };
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22
+ 9000
+ 30001
+ 30303
+ 30304
+ ];
+ logRefusedConnections = true;
+ };
+ };
+ services = {
+ tailscale.enable = true;
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+ fail2ban.enable = true;
+ };
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''];
+ };
+ e = {
+ isNormalUser = true;
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''];
+ };
+ hd = {
+ isNormalUser = true;
+ extraGroups = [
+ "docker"
+ ];
+ };
+ charon = {
+ isNormalUser = true;
+ extraGroups = [
+ "docker"
+ ];
+ };
+ };
+ security.sudo.wheelNeedsPassword = false;
+ system.stateVersion = "23.11";
+}
diff --git a/nixos/nc/hardware-configuration.nix b/nixos/nc/hardware-configuration.nix
new file mode 100755
index 0000000..5eea1d7
--- /dev/null
+++ b/nixos/nc/hardware-configuration.nix
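Review bot: `hd` and `charon` exist only to be members of `docker`, and membership of that group is equivalent to root on the host (a member can start a container that mounts the host filesystem as root), so together with `e`'s `wheel` plus `security.sudo.wheelNeedsPassword = false` this file defines root and three further unconstrained admin accounts. Neither `hd` nor `charon` has a key or password here, so nothing reaches them today as far as the diff shows, but the reason for the accounts and for the `docker` membership should be stated next to them, e.g. `# hd/charon: run the <service> containers; note docker group == root`, or they should become `isSystemUser` accounts owned by the service that needs them. Two smaller points: the comment `# Enable flakes and unfree packages` does not describe the block below it (unfree is set in `flake.nix`; this block sets `auto-optimise-store`, `substituters` and `experimental-features`), so `# Nix daemon settings: flakes, store optimisation, binary cache` would be accurate; and the file never sets `networking.hostName`, so the machine boots with the NixOS default name `nixos` unless something outside the diff sets it.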
@@ -0,0 +1,20 @@
+{
+ modulesPath,
+ lib,
+ config,
+ ...
+}: {
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/vda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/vda3"; fsType = "ext4"; };
+ boot = {
+ kernelModules = ["kvm-intel"];
+ tmp.cleanOnBoot = true;
+ };
+
+ zramSwap.enable = false;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/nc/k3s.nix b/nixos/nc/k3s.nix
new file mode 100644
index 0000000..e587fbd
--- /dev/null
+++ b/nixos/nc/k3s.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ k3s
+ ];
+ services.k3s = {
+ enable = true;
+ role = "server";
+ extraFlags = toString [
+ "--disable traefik"
+ "--tls-san nc.tailc353f.ts.net"
+ "--node-ip 100.67.112.98"
+ "--advertise-address 100.67.112.98"
+ "--node-external-ip 94.16.113.7"
+ ];
+ };
+}
diff --git a/nixos/t14/configuration.nix b/nixos/t14/configuration.nix
index 47152d9..01b85cc 100755
--- a/nixos/t14/configuration.nix
+++ b/nixos/t14/configuration.nix
@@ -1,5 +1,4 @@
 {
- config,
 pkgs,
 attrs,
 ...
@@ -9,7 +8,6 @@ in {
 imports = [
 ./hardware-configuration.nix
- ./nano.nix
 ./backups.nix
 ];
 environment.systemPackages = with pkgs; [
@@ -21,14 +19,12 @@ in {
 boot = {
 loader.systemd-boot.enable = true;
 loader.efi.canTouchEfiVariables = true;
- supportedFilesystems = ["zfs"];
- kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
- zfs.forceImportRoot = false;
+ kernelPackages = pkgs.linuxPackages_latest;
 };
 # Networking
 networking = {
 hostId = "1185c58e";
- nameservers = ["1.1.1.1#one.one.one.one"];
+ nameservers = ["100.114.91.10"];
 networkmanager = {
 enable = true;
 dns = "systemd-resolved";
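Review bot: `fileSystems."/".device = "/dev/vda3"` and `boot.loader.grub.device = "/dev/vda"` pin kernel enumeration names rather than a filesystem identifier; if the VM gains a disk or the bus order changes, the root mount and the bootloader target move with it. `nixos-generate-config` emits `/dev/disk/by-uuid/<uuid>` for the root filesystem, so use that here: `device = "/dev/disk/by-uuid/<UUID_OF_VDA3>";` (placeholder). The hand-added `boot = { kernelModules = ["kvm-intel"]; tmp.cleanOnBoot = true; }` and `zramSwap.enable = false` would survive a regeneration better in `configuration.nix`, since this file is conventionally overwritten by the generator.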
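Review bot: The API server is advertised on the tailnet address `100.67.112.98` (`--node-ip`, `--advertise-address`), but `nixos/nc/configuration.nix` in this commit opens only 22, 9000, 30001, 30303 and 30304 and does not put `tailscale0` in `networking.firewall.trustedInterfaces`, so as far as the diff shows port 6443 is refused on every interface including Tailscale, and `kubectl` or an agent joining over the tailnet will time out unless something outside the diff allows it. Keeping 6443 off the public interface is the right choice; rather than adding it to the public list as `consensus` does, prefer `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [6443];` (or `trustedInterfaces = ["tailscale0"]`). The hard-coded tailnet and public addresses would also benefit from a comment per flag, e.g. `# --node-external-ip: public address, only for NodePort reachability` if that is the intent.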
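Review bot: Together with the `@@ -67,11 +63,8 @@` hunk further down, this replaces the strict DoT setup (`1.1.1.1#one.one.one.one` plus `DNSOverTLS=yes`) with a plain nameserver `100.114.91.10` (a tailnet address, presumably a resolver reachable only while Tailscale is up) and a plain `1.1.1.1` fallback, so whenever the primary is unreachable queries go to Cloudflare in cleartext — a downgrade from the previous configuration. If `100.114.91.10` cannot speak DoT, `extraConfig = "DNSOverTLS=opportunistic";` keeps encryption on the fallback path without breaking the primary, and the fallback entry can stay `"1.1.1.1#one.one.one.one"` so the certificate is still validated there. `hostId = "1185c58e"` is now kept without the ZFS support this hunk removes; harmless, but a comment saying why it stays would prevent a later "cleanup". The enclosing `networking = {` set closes outside the hunk.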
@@ -67,11 +63,8 @@ in {
 resolved = {
 enable = true;
 fallbackDns = [
- "1.1.1.1#one.one.one.one"
+ "1.1.1.1"
 ];
- extraConfig = ''
- DNSOverTLS=yes
- '';
 };
 tailscale.enable = true;
 avahi.enable = true; # chromecast
@@ -80,7 +73,6 @@ in {
 alsa.enable = true;
 pulse.enable = true;
 };
- flatpak.enable = true;
 dbus.enable = true;
 tlp = {
@@ -106,6 +98,10 @@ in {
 };
 };
 };
+ udev.packages = [
+ pkgs.ledger-udev-rules
+ pkgs.trezor-udev-rules
+ ];
 };
 # workaround for wait-online killing nixos build
@@ -122,6 +118,8 @@ in {
 pkgs.libGL
 ];
 };
+ hardware.ledger.enable = true;
+ services.trezord.enable = true;
 # Set a sane system-wide default font
 fonts.packages = with pkgs; [
diff --git a/nixos/t14/nano.nix b/nixos/t14/nano.nix
deleted file mode 100644
index c1d26cd..0000000
--- a/nixos/t14/nano.nix
+++ /dev/null
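Review bot: `udev.packages = [ pkgs.ledger-udev-rules pkgs.trezor-udev-rules ]` duplicates what the two options added in the `@@ -122,6 +118,8 @@` hunk already do: `hardware.ledger.enable` adds `ledger-udev-rules` to `services.udev.packages` and `services.trezord.enable` adds `trezor-udev-rules`, so the explicit list can go and the intent reads from the two `enable`s alone. Replacing the deleted `nano.nix` with the packaged rules is an improvement in itself: they are maintained upstream and use `uaccess` tagging instead of the broad `GROUP="plugdev"` entries. If the list is kept on purpose, say why in a comment, e.g. `# explicit rules packages kept because: <reason>`. The `services = {` set these lines belong to opens above the hunk.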
@@ -1,15 +0,0 @@
-_: {
- services.udev.extraRules = ''
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="2b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="3b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="4b7c", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1807", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1808", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0004", MODE="0660", TAG+="uaccess", TAG+="udev-acl"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="1011", MODE="0660", GROUP="plugdev"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="1015", MODE="0660", GROUP="plugdev"
- '';
-}