diff --git a/home-manager/shared/programs/dev.nix b/home-manager/shared/programs/dev.nix
index 019f57e..558cf46 100644
--- a/home-manager/shared/programs/dev.nix
+++ b/home-manager/shared/programs/dev.nix
@@ -6,13 +6,14 @@
     gnumake
     jq
     tree
-    jjui
+    unzip
     #devops
     k9s
     kubectl
     nerdctl
     gh
+    opentofu
     #golang
     go
diff --git a/home-manager/shared/wayland/hyprland/default.nix b/home-manager/shared/wayland/hyprland/default.nix
index 6b8339b..bf87fad 100644
--- a/home-manager/shared/wayland/hyprland/default.nix
+++ b/home-manager/shared/wayland/hyprland/default.nix
@@ -14,6 +14,19 @@
       gaps_out = 0;
       layout = "master";
     };
+    group = {
+      groupbar = {
+        priority = 99;
+        enabled = true;
+        "col.active" = "rgb(4d7d90)";
+        "col.inactive" = "rgb(101d20)";
+        gaps_in = 0;
+        gaps_out = 0;
+        gradients = true;
+        text_color = "rgb(101d20)";
+        text_color_inactive = "rgb(ffffff)";
+      };
+    };
     misc = {
       disable_hyprland_logo = true;
       on_focus_under_fullscreen = 1;
diff --git a/home-manager/t14/home.nix b/home-manager/t14/home.nix
index 7e0d939..8df1503 100755
--- a/home-manager/t14/home.nix
+++ b/home-manager/t14/home.nix
@@ -33,6 +33,7 @@
       appimage-run
       wireguard-tools
       android-tools
+      incus
     ];
     sessionVariables = {
       MOZ_ENABLE_WAYLAND = 1;
diff --git a/nixos/base/configuration.nix b/nixos/base/configuration.nix
new file mode 100644
index 0000000..d5cce31
--- /dev/null
+++ b/nixos/base/configuration.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+with pkgs;
+{
+  security.sudo.enable = lib.mkForce false;
+  networking = {
+    useHostResolvConf = lib.mkForce false;
+  };
+}
diff --git a/nixos/default.nix b/nixos/default.nix
index 887d293..f098d03 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -73,4 +73,17 @@ in
       ./oracle/configuration.nix
     ];
   };
+  base = inputs.nixpkgs-stable.lib.nixosSystem {
+    pkgs = pkgs.nixos-stable;
+    specialArgs = {
+      inherit inputs system attrs;
+      host = {
+        hostName = "nixos";
+        inherit (attrs) username;
+      };
+    };
+    modules = defaultModules ++ [
+      ./base/configuration.nix
+    ];
+  };
 }
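Review bot: In nixos/base/configuration.nix, `lib` is only reachable because of `with pkgs;` at file scope; the module's own `lib` argument is the conventional source and avoids a file-wide `with`, so the header should read `{ lib, ... }:` with the `with pkgs;` line dropped (nothing else in the file uses `pkgs`). Forcing `security.sudo.enable = false` is a sensible hardening for a container base image, but it presumably leaves the `attrs.username` account that `defaultModules` sets up with no privilege-escalation path, so administration has to go through `incus exec` as root; say so next to the line, e.g. `# No sudo in the base image: administer the container via incus exec as root.`, so a later reader doesn't re-enable it.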
diff --git a/nixos/modules/net.nix b/nixos/modules/net.nix
index 2c68e8d..d2de8dc 100644
--- a/nixos/modules/net.nix
+++ b/nixos/modules/net.nix
@@ -94,25 +94,25 @@ in
       };
     };
     systemd = {
-      mounts = [
-        {
-          type = "nfs";
-          mountConfig = {
-            Options = "noatime";
-          };
-          what = "zen:/tank/home";
-          where = "/mnt/home";
-        }
-      ];
-      automounts = [
-        {
-          wantedBy = [ "multi-user.target" ];
-          automountConfig = {
-            TimeoutIdleSec = "600";
-          };
-          where = "/mnt/home";
-        }
-      ];
+      # mounts = [
+      #   {
+      #     type = "nfs";
+      #     mountConfig = {
+      #       Options = "noatime";
+      #     };
+      #     what = "zen:/tank/home";
+      #     where = "/mnt/home";
+      #   }
+      # ];
+      # automounts = [
+      #   {
+      #     wantedBy = [ "multi-user.target" ];
+      #     automountConfig = {
+      #       TimeoutIdleSec = "600";
+      #     };
+      #     where = "/mnt/home";
+      #   }
+      # ];
     };
   };
 }
diff --git a/nixos/zen/configuration.nix b/nixos/zen/configuration.nix
index 8a9a491..efc255c 100644
--- a/nixos/zen/configuration.nix
+++ b/nixos/zen/configuration.nix
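Review bot: The NFS mount and automount of `zen:/tank/home` are commented out rather than removed, which leaves an empty `systemd = { };` attrset and nineteen lines of dead configuration that git history already preserves. If the mount is gone for good, delete the block and the now-empty `systemd` attrset; if it is meant to return once the new `zen` container exports `/tank`, keep it out of the tree but leave a one-line comment such as `# /mnt/home NFS automount disabled while zen migrates into an Incus container` so the reason is recorded. The enclosing `let … in` and the option set that owns `systemd` start before this hunk.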
@@ -9,152 +9,12 @@
   imports = [
     ./hardware-configuration.nix
   ];
-  boot = {
-    kernel.sysctl = {
-      "vm.swappiness" = 6;
-    };
-  };
-  sops = {
-    secrets = {
-      "password".sopsFile = ../../secrets/k8s.yaml;
-      forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
-      "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
-      "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
-      "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
-      "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
-    };
-  };
-  services.restic.backups = {
-    b2-immich = {
-      initialize = true;
-      environmentFile = config.sops.secrets."b2-immich/env".path;
-      repositoryFile = config.sops.secrets."b2-immich/repo".path;
-      passwordFile = config.sops.secrets."b2-immich/password".path;
-
-      paths = [
-        "/tank/immich"
-      ];
-      timerConfig = {
-        OnCalendar = "06:00";
-      };
-      pruneOpts = [
-        "--keep-daily 31"
-        "--keep-monthly 6"
-        "--keep-yearly 1"
-      ];
-    };
-  };
-  networking = {
-    hostId = "44238132";
-    firewall = {
-      allowedTCPPorts = [
-        22
-        80
-        443
-        2049 # nfs
-      ];
-      interfaces."podman+" = {
-        allowedTCPPorts = [ 33393 ];
-      };
-    };
-  };
+  machine.sys.zram = false;
+  machine.sys.swap = false;
   services = {
     zfs.autoScrub.enable = true;
     zfs.autoSnapshot.enable = true;
     fstrim.enable = true;
     nfs.server.enable = true;
-    immich = {
-      enable = true;
-      package = pkgs-unstable.immich;
-      port = 2283;
-      host = "localhost";
-      openFirewall = true;
-      machine-learning.enable = true;
-      mediaLocation = "/tank/immich";
-      accelerationDevices = null;
-    };
-    nginx = {
-      enable = true;
-      virtualHosts."img.10110110.xyz" = {
-        forceSSL = true;
-        useACMEHost = "10110110.xyz";
-        locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.immich.port}";
-          proxyWebsockets = true;
-          recommendedProxySettings = true;
-          extraConfig = ''
-            client_max_body_size 50000M;
-            proxy_read_timeout 600s;
-            proxy_send_timeout 600s;
-            send_timeout 600s;
-          '';
-        };
-      };
-    };
-  };
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-runner;
-    instances.default = {
-      enable = true;
-      name = host.hostName;
-      settings = {
-        runner.capacity = 3;
-        container = {
-          force_pull = true;
-          valid_volumes = [
-            "/nix/store"
-            "/nix/var/nix/daemon-socket"
-          ];
-        };
-      };
-      url = "https://git.10110110.xyz";
-      tokenFile = config.sops.secrets.forgejo-runner.path;
-      labels = [
-        "ubuntu-latest:docker://node:24-bullseye"
-        "nix-upstream-latest:docker://nixos/nix:latest"
-        "nix-latest:docker://git.10110110.xyz/ci/nix"
-      ];
-    };
-  };
-  # services.k3s = {
-  #   enable = true;
-  #   role = "agent";
-  #   extraFlags = toString [
-  #     "--flannel-iface=tailscale0"
-  #   ];
-  #   tokenFile = config.sops.secrets."password".path;
-  #   serverAddr = "https://consensus:6443";
-  # };
-  # systemd.services.k3s = {
-  #   preStart = ''
-  #     until ${pkgs.tailscale}/bin/tailscale status; do
-  #       sleep 1
-  #     done
-  #   '';
-  # };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "acme@10110110.xyz";
-    certs = {
-      "10110110.xyz" = {
-        domain = "*.10110110.xyz";
-        group = config.services.nginx.group;
-        dnsProvider = "cloudflare";
-        environmentFile = config.sops.secrets."cf-dns-key".path;
-      };
-    };
-  };
-  virtualisation.podman.enable = true;
-  hardware = {
-    graphics.enable = true;
-    nvidia = {
-      modesetting.enable = true;
-      nvidiaSettings = true;
-      open = false;
-      package = config.boot.kernelPackages.nvidiaPackages.stable;
-    };
-    enableRedistributableFirmware = true;
-    firmware = [ pkgs.linux-firmware ];
   };
 }
diff --git a/nixos/zen/hardware-configuration.nix b/nixos/zen/hardware-configuration.nix
index 8475e91..949fc1d 100644
--- a/nixos/zen/hardware-configuration.nix
+++ b/nixos/zen/hardware-configuration.nix
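Review bot: `networking.hostId = "44238132"` is removed along with the firewall block, yet the root filesystem in hardware-configuration.nix is still `fsType = "zfs"`, and NixOS's ZFS module asserts that `networking.hostId` is set whenever ZFS is enabled, so this host will fail to evaluate unless one of `defaultModules` supplies a hostId; keep `networking.hostId = "44238132";` here or move it into the hardware file. The port list is gone too while `services.nfs.server.enable = true` stays, so with NixOS's firewall enabled by default port 2049 is now closed to clients — either drop the NFS server or keep `networking.firewall.allowedTCPPorts = [ 2049 ];`. The restic backup of `/tank/immich` is deleted with no replacement visible in this diff; if the pool now lives inside the container, record where its backups run. The closing of the `services` attrset and the end of the file are both inside this hunk.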
@@ -1,69 +1,37 @@
 {
   config,
   lib,
+  pkgs,
   modulesPath,
   ...
 }:
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
   ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
 
-  boot = {
-    extraModulePackages = [ ];
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "ahci"
-        "usbhid"
-        "usb_storage"
-        "sd_mod"
-      ];
-      kernelModules = [
-        "dm-snapshot"
-        "nvme"
-      ];
-    };
-    kernelModules = [ "kvm-amd" ];
-    loader = {
-      efi = {
-        canTouchEfiVariables = true;
-      };
-      systemd-boot = {
-        enable = true;
-      };
-    };
-    supportedFilesystems = [
-      "zfs"
-      "nfs"
-    ];
-    zfs = {
-      # extraPools = [ "rice" ];
-      forceImportRoot = false;
+  fileSystems."/" = {
+    device = "local/incus/containers/zen";
+    fsType = "zfs";
   };
-  fileSystems = {
-    "/" = {
-      device = "/dev/mapper/nixos-root";
-      fsType = "btrfs";
-    };
-    "/boot" = {
-      device = "/dev/disk/by-uuid/7A75-7368";
-      fsType = "vfat";
-      options = [
-        "fmask=0022"
-        "dmask=0022"
-      ];
-    };
-    "/nix/store" = {
-      device = "/dev/mapper/nixos-store";
-      fsType = "btrfs";
-    };
+  supportedFilesystems = [
+    "zfs"
+    "nfs"
+  ];
+  zfs = {
+    extraPools = [ "tank" ];
+    forceImportRoot = false;
   };
+
   swapDevices = [ ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
   system.stateVersion = "25.11";
 }
diff --git a/nixos/zen/old-configuration.nix b/nixos/zen/old-configuration.nix
new file mode 100644
index 0000000..902cddf
--- /dev/null
+++ b/nixos/zen/old-configuration.nix
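Review bot: `supportedFilesystems` and `zfs` are now top-level attributes of the module; they used to sit inside `boot = { … }`, and NixOS defines no top-level options by those names, so evaluation will stop with an undefined-option error before `tank` is ever imported. Prefix them, as the lines above them already do: `boot.supportedFilesystems = [ "zfs" "nfs" ];` and `boot.zfs = { extraPools = [ "tank" ]; forceImportRoot = false; };`. `pkgs` is added to the argument set but never used, and `boot.kernelModules = [ "kvm-amd" ]` plus the initrd module lists have no effect inside an Incus container that runs on the host kernel — presumably leftovers from the bare-metal generation that can go, with a comment such as `# Container image: no initrd, kernel or bootloader; the host provides them.` explaining why the file is so short.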
@@ -0,0 +1,168 @@
+{
+  host,
+  config,
+  pkgs,
+  pkgs-unstable,
+  ...
+}:
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+  # boot = {
+  #   kernel.sysctl = {
+  #     "vm.swappiness" = 6;
+  #   };
+  # };
+  # sops = {
+  #   secrets = {
+  #     "password".sopsFile = ../../secrets/k8s.yaml;
+  #     # "tailscale-auth".sopsFile = ../../secrets/tailscale.yaml;
+  #     forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
+  #     "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
+  #     "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
+  #     "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
+  #     "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
+  #   };
+  # };
+  # services.restic.backups = {
+  #   b2-immich = {
+  #     initialize = true;
+  #     environmentFile = config.sops.secrets."b2-immich/env".path;
+  #     repositoryFile = config.sops.secrets."b2-immich/repo".path;
+  #     passwordFile = config.sops.secrets."b2-immich/password".path;
+  #
+  #     paths = [
+  #       "/tank/immich"
+  #     ];
+  #     timerConfig = {
+  #       OnCalendar = "06:00";
+  #     };
+  #     pruneOpts = [
+  #       "--keep-daily 31"
+  #       "--keep-monthly 6"
+  #       "--keep-yearly 1"
+  #     ];
+  #   };
+  # };
+  # networking = {
+  #   nftables.enable = true;
+  #   hostId = "44238132";
+  #   firewall = {
+  #     allowedTCPPorts = [
+  #       22
+  #       80
+  #       443
+  #       2049 # nfs
+  #     ];
+  #     trustedInterfaces = [
+  #       "tailscale0"
+  #       "incusbr0"
+  #     ];
+  #   };
+  # };
+  services = {
+    zfs.autoScrub.enable = true;
+    zfs.autoSnapshot.enable = true;
+    fstrim.enable = true;
+    nfs.server.enable = true;
+    # immich = {
+    #   enable = true;
+    #   package = pkgs-unstable.immich;
+    #   port = 2283;
+    #   host = "localhost";
+    #   openFirewall = true;
+    #   machine-learning.enable = true;
+    #   mediaLocation = "/tank/immich";
+    #   accelerationDevices = null;
+    # };
+    # nginx = {
+    #   enable = true;
+    #   virtualHosts."img.10110110.xyz" = {
+    #     forceSSL = true;
+    #     useACMEHost = "10110110.xyz";
+    #     locations."/" = {
+    #       proxyPass = "http://localhost:${toString config.services.immich.port}";
+    #       proxyWebsockets = true;
+    #       recommendedProxySettings = true;
+    #       extraConfig = ''
+    #         client_max_body_size 50000M;
+    #         proxy_read_timeout 600s;
+    #         proxy_send_timeout 600s;
+    #         send_timeout 600s;
+    #       '';
+    #     };
+    #   };
+    # };
+  };
+  # services.gitea-actions-runner = {
+  #   package = pkgs.forgejo-runner;
+  #   instances.default = {
+  #     enable = true;
+  #     name = host.hostName;
+  #     settings = {
+  #       runner.capacity = 3;
+  #       container = {
+  #         force_pull = true;
+  #         valid_volumes = [
+  #           "/nix/store"
+  #           "/nix/var/nix/daemon-socket"
+  #         ];
+  #       };
+  #     };
+  #     url = "https://git.10110110.xyz";
+  #     tokenFile = config.sops.secrets.forgejo-runner.path;
+  #     labels = [
+  #       "ubuntu-latest:docker://node:24-bullseye"
+  #       "nix-upstream-latest:docker://nixos/nix:latest"
+  #       "nix-latest:docker://git.10110110.xyz/ci/nix"
+  #     ];
+  #   };
+  # };
+  # services.k3s = {
+  #   enable = true;
+  #   role = "server";
+  #   extraFlags = toString [
+  #     "--disable=traefik"
+  #     "--vpn-auth=file=${config.sops.secrets."tailscale-auth".path}"
+  #     "--node-external-ip=100.64.246.41"
+  #   ];
+  #   tokenFile = config.sops.secrets."password".path;
+  #   serverAddr = "https://zen:6443";
+  # };
+  # systemd.services.k3s = {
+  #   preStart = ''
+  #     until ${pkgs.tailscale}/bin/tailscale status; do
+  #       sleep 1
+  #     done
+  #   '';
+  # };
+
+  # security.acme = {
+  #   acceptTerms = true;
+  #   defaults.email = "acme@10110110.xyz";
+  #   certs = {
+  #     "10110110.xyz" = {
+  #       domain = "*.10110110.xyz";
+  #       group = config.services.nginx.group;
+  #       dnsProvider = "cloudflare";
+  #       environmentFile = config.sops.secrets."cf-dns-key".path;
+  #     };
+  #   };
+  # };
+  # virtualisation = {
+  #   podman.enable = false;
+  #   incus.enable = true;
+  # };
+  # hardware = {
+  #   graphics.enable = true;
+  #   nvidia = {
+  #     modesetting.enable = true;
+  #     nvidiaSettings = true;
+  #     open = false;
+  #     package = config.boot.kernelPackages.nvidiaPackages.stable;
+  #   };
+  #   enableRedistributableFirmware = true;
+  #   firmware = [ pkgs.linux-firmware ];
+  # };
+}
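Review bot: This new file is 168 lines of almost entirely commented-out configuration and nothing in the diff imports it (nixos/default.nix only adds `./base/configuration.nix`), so it is dead code duplicating what git history already holds for zen/configuration.nix, while still declaring `host`, `config`, `pkgs` and `pkgs-unstable` it never uses. Its only live lines are the `imports` and the four `services` entries, which zen/configuration.nix already has, and its comments carry operational detail — the Tailscale node address and the `--vpn-auth=file=…tailscale-auth…` wiring for the new `secrets/tailscale.yaml` — that is easy to mistake for current state. Delete it, or if it is intended as a migration reference, open it with a header such as `# Reference only: the bare-metal zen config before the move into an Incus container. Not imported.` so nobody wires it back in by accident.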
diff --git a/secrets/tailscale.yaml b/secrets/tailscale.yaml
new file mode 100644
index 0000000..c44dea7
--- /dev/null
+++ b/secrets/tailscale.yaml
@@ -0,0 +1,43 @@ +tailscale-auth: ENC[AES256_GCM,data:6dagpkltnpNpS74SDfv8gyyz7HPhZLLAapzf0e3bo//6n5CDeoGABg/cDVrros5GJUaV3BDvVPWrivZyGRR6PE3YnshnzUEsrjc2znxdPgQJqFL2,iv:CQabdCJf9sWFVOqGaOF2Bg8SKyI1x2NFjWmpSynXHtM=,tag:6CabVRg/dypUl/cHIBphTQ==,type:str] +sops: + age: + - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaanhuSnNwNnphTmtDRkFy + MEtmdEhrKzNlc01yZE5Eb08weWZLdHc0dUNzClcydUl0a1BabEJYK01mcmQwZDhw + c3I2SW1zMzZGUDdGQ3BjNUM1NitqY3MKLS0tIGQ3NFlRQW1MSld3eUVPUXoxVFdX + QnR0bittRkpYWnl5U0U3N0pzSVJnUHcKhNgibP853I6RbeXoXSSsRE61Eskw6muN + aUJHR84sV6TlLS1Z3K6H1mO/VrfeECVaqogt4d/al6KwKWtAZRRGzQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXl0bmMxbEUrMWt1UDZJ + QkJBR1BUd29QZ0JYaC8xbFY5UVp5aVRFelRnCk9XakhJWitkSEZxYmpWM1o1WElZ + MUJod2ZYSjVwNE5GMFFNZmdEMVY1S3MKLS0tIGsxaDh2Nm5LN3dUOEEvOVpIS1M1 + aThvcm5YbXUzampaVlhDWGdGL29FcEEKOw51czIS/5pgLNtMehhKvfKBf5/KemtP + qiGAQHkzgM3wD7B5nyI7shS0FgyyoedEgu8h+plSjV3s/Va6HyIIAQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ODdQOFl1Zm5sTHB0by9E + K0k3SFdEVnZtQVAwZnJEd2E3Z20xYU9HYmdJCllPZVZjSktPVHpBRXM3ZmpMVjZp + T1RhaElJL2VxUmoxN2tpYjEyVm5POGsKLS0tIGhkTkEzV3FtWTVTYU5rdmYwdGtV + VmNXdGU0OGZjR2tMQmxPR0VpSnBTSGMK6NGw/2x6Y6YaFxXoiIMYjcSm9YbTKUjS + 5GjUG21P3MJ3nAFZYCq6vWve1pRLteKvSdSpwLnoUo8lFjIvTvhAqA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cqgjdpyf5n9nyusvcyl83l0gmn8sx3tju45kmp5yrfgmtfy5gvusessj83 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUytSdG1ZZFA3OTVCUmQ2 + RWpQTnZXWXNMWWZuT2xMSmJobzAxbUladndvClV5SnpOQUNaTm42VW9reWd3ckVG + 
+        MUFad2VhS1liZXk1c3ZuaDFLbk4zc1kKLS0tIEMvd0tvYWowQW5SZkZWRVRuQVdl
+        d2J1ZWtpSDVMRVhKcTVKWnVZOGZqdk0K74ftYUft0Rc8nrmDIgHWarY8FFZXvkqu
+        +SPB7iZcKY/G/M0d3PvieKq5FSl5KkFNTFntk2ZulPNyj3iX9FaG6w==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-03-21T18:25:50Z"
+  mac: ENC[AES256_GCM,data:SpkdH4sBGUXlohQHpjGcRJq8Y1fMf7FSlbZ0xBbQoMT3QDEyWFSyewUoZZ/MNoTFZKPPZ5B+AXYYD/YQN/0EuavfqWZtp1MTM/OrFQ9Ofn9Lx0iAmPssvaWWHGjzzZcb39HeI7NfF7XrfdRBDACKI4xX7zVcV4k+hdcHOA1FG9s=,iv:cy6uY5MtqeYgu3WEXPErxvLkbcNlWaWKzpFLSgM68gY=,tag:M9LA4m3y164074VyJgeBMQ==,type:str]
+  unencrypted_suffix: _unencrypted
+  version: 3.12.1
diff --git a/terraform/incus/.gitignore b/terraform/incus/.gitignore
new file mode 100644
index 0000000..d047aa2
--- /dev/null
+++ b/terraform/incus/.gitignore
@@ -0,0 +1,2 @@
+*.tar.xz
+result
diff --git a/terraform/incus/images.tf b/terraform/incus/images.tf
new file mode 100644
index 0000000..971af4e
--- /dev/null
+++ b/terraform/incus/images.tf
@@ -0,0 +1,10 @@
+resource "incus_image" "nixos-lxc-base" {
+  source_file = {
+    data_path     = "lxc.tar.xz"
+    metadata_path = "lxc-metadata.tar.xz"
+  }
+  alias {
+    name        = "nixos-lxc-base"
+    description = "Nixos Base"
+  }
+}
diff --git a/terraform/incus/instances.tf b/terraform/incus/instances.tf
new file mode 100644
index 0000000..aa39453
--- /dev/null
+++ b/terraform/incus/instances.tf
@@ -0,0 +1,17 @@
+resource "incus_instance" "zen" {
+  name  = "zen"
+  image = incus_image.nixos-lxc-base.fingerprint
+
+  config = {
+    "boot.autostart" = true
+    "limits.cpu"     = 2
+  }
+
+  device {
+    name = "zfs"
+    type = "unix-block"
+    properties = {
+      source = "/dev/disk/by-id/wwn-0x50014ee2671b7f30"
+    }
+  }
+}
diff --git a/terraform/incus/main.tf b/terraform/incus/main.tf
new file mode 100644
index 0000000..85d50fb
--- /dev/null
+++ b/terraform/incus/main.tf
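Review bot: The `zfs` device hands the container the entire disk `/dev/disk/by-id/wwn-0x50014ee2671b7f30` as a raw `unix-block` node, and the guest's hardware-configuration.nix then expects to `zpool import` `tank` from it. Inside an unprivileged Incus container a pool import also needs `/dev/zfs` passed through (a `unix-char` device) and the ZFS userland talking to the host's module, and the kernel NFS server the guest enables generally cannot run unprivileged either — confirm this was exercised, or import `tank` on the host and expose its datasets with a `disk` device, which keeps raw write access to the disk out of the container. Since the instance autostarts and fronts a data pool, `"security.protection.delete" = true` in `config` is a cheap guard against a stray `tofu destroy`; a comment naming what the `wwn-…` id is (the `tank` member disk) would also help the next reader.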
@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    incus = {
+      source = "lxc/incus"
+    }
+  }
+}
+
+provider "incus" {
+  generate_client_certificates = true
+  accept_remote_certificate    = true
+  default_remote               = "incus"
+
+  remote {
+    name    = "incus"
+    address = "https://incus:8443"
+  }
+}
+
+resource "incus_network" "enp4s0" {
+  name = "enp4s0"
+  type = "physical"
+  config = {
+    parent = "enp4s0"
+  }
+}
diff --git a/terraform/incus/make-images.fish b/terraform/incus/make-images.fish
new file mode 100755
index 0000000..8f946e0
--- /dev/null
+++ b/terraform/incus/make-images.fish
@@ -0,0 +1,9 @@
+#!/usr/bin/env fish
+
+function make-image -a variant
+    nixos-rebuild build-image --flake .#base --image-variant $variant
+    and cp ./result/tarball/*.tar.xz $variant.tar.xz
+end
+
+make-image lxc
+make-image lxc-metadata
diff --git a/terraform/compartment.tf b/terraform/ocf/compartment.tf
similarity index 100%
rename from terraform/compartment.tf
rename to terraform/ocf/compartment.tf
diff --git a/terraform/compute.tf b/terraform/ocf/compute.tf
similarity index 100%
rename from terraform/compute.tf
rename to terraform/ocf/compute.tf
diff --git a/terraform/main.tf b/terraform/ocf/main.tf
similarity index 100%
rename from terraform/main.tf
rename to terraform/ocf/main.tf
diff --git a/terraform/networking.tf b/terraform/ocf/networking.tf
similarity index 100%
rename from terraform/networking.tf
rename to terraform/ocf/networking.tf
diff --git a/terraform/outputs.tf b/terraform/ocf/outputs.tf
similarity index 100%
rename from terraform/outputs.tf
rename to terraform/ocf/outputs.tf
diff --git a/terraform/terraform.tfvars.example b/terraform/ocf/terraform.tfvars.example
similarity index 100%
rename from terraform/terraform.tfvars.example
rename to terraform/ocf/terraform.tfvars.example
diff --git a/terraform/variables.tf b/terraform/ocf/variables.tf
similarity index 100%
rename from terraform/variables.tf
rename to terraform/ocf/variables.tf
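Review bot: `accept_remote_certificate = true` makes the provider trust whatever certificate `https://incus:8443` presents on first contact, so anything that answers to the `incus` name on the network is accepted and handed the freshly generated client certificate; set `accept_remote_certificate = false` and trust the server once, out of band, with `incus remote add incus https://incus:8443` after checking the fingerprint it prints, so the provider reuses the pinned remote from its config dir. The `remote` block carries no `token`, so the run depends on the generated client certificate already being trusted by the server — a comment stating how that trust is established would save the next operator a failed plan. `required_providers.incus` should also carry a `version` constraint so provider upgrades are deliberate.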
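Review bot: In make-images.fish a failed `nixos-rebuild build-image` only skips the `and cp`; nothing checks `make-image`'s status, so the script moves on to the second variant and exits 0 whenever the last command succeeds, leaving a stale or missing `lxc.tar.xz` for `images.tf` to upload as the new base image. Chain the calls as `make-image lxc` / `or exit 1` / `make-image lxc-metadata` (three lines, each on its own) so a broken build stops the run. `cp ./result/tarball/*.tar.xz` also fails if the glob matches more than one file, and both variants write through the same `./result` link, so the copy in the first call is the only thing keeping the two outputs apart — worth a comment on the function, e.g. `# builds one nixos-rebuild image variant of .#base and copies its tarball to $variant.tar.xz`.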