pluh 🗣

This commit is contained in:
Lukas Wurzinger 2025-03-01 22:21:00 +01:00
parent 3ad9944baa
commit 668140531b
No known key found for this signature in database
59 changed files with 985 additions and 219 deletions


@ -1,3 +1,11 @@
# :snowflake: puter
This is my cobbled together NixOS configuration. There are many like it, but this one is mine. Copy at your own risk.
## TODO
- [ ] lanzaboote
- [ ] monitoring (prometheus)
- [ ] logging (loki)
- [ ] kiosk
- [ ] tailscale and headscale


@ -0,0 +1,15 @@
{inputs, ...}: {
imports = [
inputs.nixos-cosmic.nixosModules.default
];
nix.settings = {
substituters = ["https://cosmic.cachix.org/"];
trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
};
services = {
desktopManager.cosmic.enable = true;
displayManager.cosmic-greeter.enable = true;
};
}
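Review bot: `nix.settings.substituters` and `trusted-public-keys` (L30-L31) are assigned as plain lists; if no other module in the configuration lists `https://cache.nixos.org/` and its key, this replaces Nix's built-in defaults rather than extending them, leaving the cosmic cache as the only substituter and trust root — I cannot see the rest of `nix.settings` from here, so confirm against the generated nix.conf. If that is not intended, either add the default cache and key explicitly or use the `extra-substituters` / `extra-trusted-public-keys` settings, which append. The same four lines are duplicated verbatim in classes/kiosk/cosmic.nix (L325-L328); a shared module would keep the two pins from drifting apart.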


@ -1,15 +0,0 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems = {
"/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
"/boot" = {
label = "BOOT";
fsType = "vfat";
};
};
}

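--- a/classes/headful/gtk.nix
+++ b/classes/headful/gtk.nix
@@ -0,0 +1,5 @@
+{
+xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+programs.dconf.enable = true;
+}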
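Review bot: `pkgs.xdg-desktop-portal-gtk` is referenced on L63, but the module is a bare attribute set (L62 is `{`, no `{pkgs, ...}:` function header), so unless something outside this file binds `pkgs` into scope the evaluation fails with an undefined-variable error. Sibling modules such as classes/kiosk/hardware.nix (L404) use `{pkgs, ...}: {`; the same header is needed here and in classes/kiosk/gtk.nix (L396-L399), which is a byte-for-byte copy of this file. Two identical modules also invite drift; importing one from the other, or moving it to a shared class, avoids fixing the same bug twice.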


@ -7,15 +7,10 @@
opentabletdriver.enable = true;
graphics = {
enable = true;
enable32Bit = true;
extraPackages = [
pkgs.libvdpau-va-gl
pkgs.vaapiVdpau
];
extraPackages32 = [
pkgs.pkgsi686Linux.libvdpau-va-gl
pkgs.pkgsi686Linux.vaapiVdpau
];
};
};
}


@ -1,27 +0,0 @@
{pkgs, ...}: {
services = {
desktopManager.plasma6.enable = true;
displayManager.sddm = {
enable = true;
wayland.enable = true;
};
};
environment.systemPackages = [
pkgs.kdePackages.sddm-kcm
pkgs.kdePackages.discover
pkgs.kdePackages.kate
];
programs = {
kdeconnect.enable = true;
partition-manager.enable = true;
};
xdg.portal = {
xdgOpenUsePortal = true;
extraPortals = [pkgs.xdg-desktop-portal-gtk];
};
programs.dconf.enable = true;
}


@ -0,0 +1,43 @@
{
services.grafana = {
enable = true;
domain = "grafana.pele";
port = 9010;
addr = "127.0.0.1";
# WARNING: this should match nginx setup!
# prevents "Request origin is not authorized"
rootUrl = "http://192.168.1.10:8010"; # helps with nginx / ws / live
protocol = "http";
analytics.reporting.enable = false;
provision = {
enable = true;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
};
services.nginx.virtualHosts.${config.services.grafana.domain} = {
locations."/" = {
proxyPass = "http://${lib.formatHostPort {
host = config.services.grafana.addr;
inherit (config.services.grafana) port;
}}";
proxyWebsockets = true;
};
};
}
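Review bot: `config` and `lib` are used on L134, L140 and L145-L149, but the module header on L116 is a bare `{`, so this file will not evaluate unless those names are bound elsewhere; the sibling classes/headless/prometheus.nix (L236-L240) shows the `{config, lib, ...}:` form to use. The comment on L122-L124 says `rootUrl` must match the nginx setup, yet the vhost defined on L145-L153 serves `grafana.pele` and nothing in this file listens on 192.168.1.10:8010, so the root URL and the proxy no longer describe the same endpoint; deriving it as `rootUrl = "http://${config.services.grafana.domain}";` keeps the two in step. Depending on the nixpkgs pin, `port`/`addr`/`domain`/`rootUrl`/`protocol` and `analytics.reporting.enable` may only be compatibility aliases for `services.grafana.settings.server.*` and `settings.analytics.*` — worth checking the rebuild output for rename warnings. Note also that the proxied session, including the Grafana login, is plain HTTP end to end as written (`protocol = "http"`, no TLS on the vhost).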

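--- a/classes/headless/loki.nix
+++ b/classes/headless/loki.nix
@@ -0,0 +1,79 @@
+{
+services.loki = {
+enable = true;
+configuration = {
+server.http_listen_port = 3030;
+auth_enabled = false;
+ingester = {
+lifecycler = {
+address = "127.0.0.1";
+ring = {
+kvstore = {
+store = "inmemory";
+};
+replication_factor = 1;
+};
+};
+chunk_idle_period = "1h";
+max_chunk_age = "1h";
+chunk_target_size = 999999;
+chunk_retain_period = "30s";
+max_transfer_retries = 0;
+};
+schema_config = {
+configs = [
+{
+from = "2022-06-06";
+store = "boltdb-shipper";
+object_store = "filesystem";
+schema = "v12";
+index = {
+prefix = "index_";
+period = "24h";
+};
+}
+];
+};
+storage_config = {
+boltdb_shipper = {
+active_index_directory = "/var/lib/loki/boltdb-shipper-active";
+cache_location = "/var/lib/loki/boltdb-shipper-cache";
+cache_ttl = "24h";
+shared_store = "filesystem";
+};
+filesystem = {
+directory = "/var/lib/loki/chunks";
+};
+};
+limits_config = {
+reject_old_samples = true;
+reject_old_samples_max_age = "168h";
+};
+chunk_store_config = {
+max_look_back_period = "0s";
+};
+table_manager = {
+retention_deletes_enabled = false;
+retention_period = "0s";
+};
+compactor = {
+working_directory = "/var/lib/loki";
+shared_store = "filesystem";
+compactor_ring = {
+kvstore = {
+store = "inmemory";
+};
+};
+};
+};
+# user, group, dataDir, extraFlags, (configFile)
+};
+}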
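Review bot: `auth_enabled = false` (L166) together with `server.http_listen_port = 3030` (L165) and no `server.http_listen_address` leaves Loki's push and query API reachable without any authentication on every interface of the host, while its only intended clients (promtail L285, grafana L140) connect over 127.0.0.1; the gRPC listener, left at Loki's default here, is exposed the same way. Adding `server.http_listen_address = "127.0.0.1";` and `server.grpc_listen_address = "127.0.0.1";` next to L165 confines both to loopback. Separately, several keys in this block — `max_transfer_retries` (L181), `boltdb_shipper.shared_store` (L202), `compactor.shared_store` (L221) and `table_manager` (L215) — were removed or deprecated in recent Loki majors, so if the nixpkgs pin ships a 3.x Loki the daemon may refuse the config at startup; a `nixos-rebuild` on a headless host would confirm. The trailing comment on L229 reads like a personal reminder and should either say what is still to be configured or be dropped.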


@ -0,0 +1,34 @@
{
config,
lib,
...
}: {
services.prometheus = {
enable = true;
port = 3020;
exporters = {
node = {
enable = true;
port = 3021;
enabledCollectors = ["systemd"];
};
};
scrapeConfigs = [
{
job_name = "nodes";
static_configs = [
{
targets = let
target = lib.formatHostPort {
host = config.services.prometheus.exporters.node.listenAddr;
inherit (config.services.prometheus.exporters.node) port;
};
in [target];
}
];
}
];
};
}
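Review bot: Neither `services.prometheus` (L241-L243) nor the node exporter (L245-L249) sets `listenAddress`, and both default to 0.0.0.0, so the Prometheus UI/API and the node metrics (including the `systemd` collector's unit inventory) are reachable from the network unauthenticated even though the only consumers are local (grafana L134 and the scrape target built on L256-L261). Setting `listenAddress = "127.0.0.1";` on both keeps them loopback-only. On L258 the scrape target reads `exporters.node.listenAddr`; as far as I know the exporter option is spelled `listenAddress`, which would make this an attribute-missing error at evaluation time — please confirm against the pinned nixpkgs, and if so the target follows the bind address automatically once corrected.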


@ -0,0 +1,42 @@
{config, ...}: {
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "pihole";
};
};
relabel_configs = [
{
source_labels = ["__journal__systemd_unit"];
target_label = "unit";
}
];
}
];
};
# extraFlags
};
}
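Review bot: `labels.host = "pihole"` on L295 is a literal inside a class module that every host importing it will share, so all journals arrive in Loki tagged as pihole; `host = config.networking.hostName;` gives each host its own label (`config` is already bound on L272). `positions.filename = "/tmp/positions.yaml"` (L281) keeps promtail's read cursor in a shared, world-writable, non-persistent directory, so after every reboot up to `max_age` (L292) of journal is shipped again and the cursor file is not protected from other local users; a path under the service's state directory (placeholder `/var/lib/promtail/positions.yaml`, subject to how the NixOS unit sandboxes the service) is the usual choice. As with Loki, `server.http_listen_port = 3031` without a `server.http_listen_address` publishes promtail's HTTP endpoint on all interfaces.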

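--- a/classes/kiosk/cosmic.nix
+++ b/classes/kiosk/cosmic.nix
@@ -0,0 +1,31 @@
+{
+config,
+inputs,
+pkgs,
+...
+}: {
+imports = [
+inputs.nixos-cosmic.nixosModules.default
+];
+nix.settings = {
+substituters = ["https://cosmic.cachix.org/"];
+trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
+};
+services = {
+desktopManager.cosmic.enable = true;
+displayManager.cosmic-greeter.enable = true;
+greetd.settings.initial_session = {
+user = config.users.mainUser;
+command = ''
+${lib.getExe' pkgs.coreutils "env"} XCURSOR_THEME="''${XCURSOR_THEME:-Pop}" systemd-cat --identifier start-cosmic ${lib.getExe' pkgs.cosmic-session "start-cosmic"}
+'';
+};
+};
+environment.cosmic.excludePackages = [
+pkgs.cosmic-store
+];
+}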
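Review bot: `lib.getExe'` is called twice on L335, but the module header (L317-L321) binds only `config`, `inputs` and `pkgs`, so this file fails to evaluate with an undefined variable unless `lib` is bound from somewhere outside it; add `lib,` to the header. The `initial_session` on L332-L337 logs `config.users.mainUser` straight into a full cosmic session with no authentication, which is the expected kiosk behaviour, but it is also the reason that user should receive no extra privileges elsewhere (see the `trusted-users` note on classes/nix.nix). The substituter/trusted-key pair on L325-L328 is a copy of classes/headful/cosmic.nix L29-L32; see the note there about replacing versus extending the default caches.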

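--- a/classes/kiosk/flatpak.nix
+++ b/classes/kiosk/flatpak.nix
@@ -0,0 +1,14 @@
+{inputs, ...}: {
+imports = [
+inputs.flatpak.nixosModules.nix-flatpak
+];
+services.flatpak = {
+enable = true;
+update.auto = {
+enable = true;
+onCalendar = "weekly";
+};
+};
+}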

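--- a/classes/kiosk/fonts.nix
+++ b/classes/kiosk/fonts.nix
@@ -0,0 +1,26 @@
+{pkgs, ...}: {
+fonts = {
+enableDefaultPackages = true;
+packages = [
+pkgs.noto-fonts
+pkgs.noto-fonts-extra
+pkgs.noto-fonts-cjk-sans
+pkgs.noto-fonts-cjk-serif
+pkgs.noto-fonts-monochrome-emoji
+pkgs.noto-fonts-color-emoji
+];
+fontconfig = {
+enable = true;
+defaultFonts = {
+monospace = ["Noto Sans Mono"];
+sansSerif = ["Noto Sans"];
+serif = ["Noto Serif"];
+emoji = ["Noto Color Emoji" "Noto Emoji"];
+};
+};
+fontDir.enable = true;
+};
+}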

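--- a/classes/kiosk/gtk.nix
+++ b/classes/kiosk/gtk.nix
@@ -0,0 +1,5 @@
+{
+xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+programs.dconf.enable = true;
+}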


@ -0,0 +1,16 @@
{pkgs, ...}: {
hardware = {
bluetooth.enable = true;
steam-hardware.enable = true;
xone.enable = true;
xpadneo.enable = true;
opentabletdriver.enable = true;
graphics = {
enable = true;
extraPackages = [
pkgs.libvdpau-va-gl
pkgs.vaapiVdpau
];
};
};
}


@ -0,0 +1,3 @@
{
location.provider = "geoclue2";
}


@ -0,0 +1,6 @@
{pkgs, ...}: {
services.mullvad-vpn = {
enable = true;
package = pkgs.mullvad-vpn;
};
}


@ -0,0 +1,10 @@
{config, ...}: {
services.resolved.enable = true;
networking.networkmanager = {
enable = true;
dns = "systemd-resolved";
};
users.groups.networkmanager.members = config.users.normalUsers;
}


@ -0,0 +1,11 @@
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;
wireplumber.enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
}


@ -0,0 +1,6 @@
{
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SDL_VIDEODRIVER = "wayland";
};
}

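--- a/classes/kiosk/xdg.nix
+++ b/classes/kiosk/xdg.nix
@@ -0,0 +1,3 @@
+{
+xdg.portal.xdgOpenUsePortal = true;
+}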


@ -1,4 +1,9 @@
{
fileSystems."/boot" = {
label = "BOOT";
fsType = "vfat";
};
boot = {
loader = {
systemd-boot = {


@ -9,9 +9,14 @@
nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
optimise.automatic = true;
settings = {
trusted-users = config.users.normalUsers;
experimental-features = "nix-command flakes";
trusted-users = ["root"] ++ config.users.normalUsers;
experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true;
};
};
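Review bot: `trusted-users = ["root"] ++ config.users.normalUsers` (L503) keeps every normal user a trusted user of the Nix daemon, which the Nix manual describes as essentially equivalent to root access (trusted users may add arbitrary substituters and trusted keys and override daemon settings per build); adding `"root"` changes nothing in practice, since the daemon already trusts root. What is new since this class is shared is that the kiosk profile now falls under it as well: its mainUser is forced to `user` (hosts/…/users.nix L1210) and auto-logged-in without a password (classes/kiosk/cosmic.nix L332-L337), so anyone standing at the kiosk is a trusted Nix user. Consider restricting this to the admin account, or overriding it in the kiosk class with `trusted-users = lib.mkForce ["root"];`.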


@ -3,7 +3,10 @@
self,
...
}: {
environment.systemPackages = [
self.packages.${pkgs.system}.puter
];
environment = {
systemPackages = [
self.packages.${pkgs.system}.puter
];
sessionVariables.PUTER_FLAKEREF = "git+https://forgejo@tea.wrz.one/lukas/puter.git";
};
}


@ -15,7 +15,8 @@ in {
users = {
root = {
hashedPassword = "!";
openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.hosts;
# TODO define this more granularly
openssh.authorizedKeys.keys = [];
};
${mainUser} = {
description = "Lukas Wurzinger";


@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1728672398,
"narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
"lastModified": 1737621947,
"narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=",
"owner": "cachix",
"repo": "cachix",
"rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
"rev": "f65a3cd5e339c223471e64c051434616e18cc4f5",
"type": "github"
},
"original": {
@ -49,6 +49,21 @@
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -80,11 +95,11 @@
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1737973553,
"narHash": "sha256-mHi+KLwCPEgGg2x4WVvvNU4BvBSq6HJUkilzrQUShsg=",
"lastModified": 1740678151,
"narHash": "sha256-q0tKL+Yny0wkLCHRBHQ97YhjorNLnbnyjc+FnQZyKkM=",
"owner": "cachix",
"repo": "devenv",
"rev": "252cfc8ca213dd3627100339d3fcc829fb2d960a",
"rev": "af151da5e3d7391fe778050da00d8e7cefa2d087",
"type": "github"
},
"original": {
@ -106,6 +121,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -121,7 +152,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1733328505,
@ -164,11 +195,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github"
},
"original": {
@ -177,6 +208,43 @@
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flatpak": {
"locked": {
"lastModified": 1739444422,
"narHash": "sha256-iAVVHi7X3kWORftY+LVbRiStRnQEob2TULWyjMS6dWg=",
"owner": "gmodena",
"repo": "nix-flatpak",
"rev": "5e54c3ca05a7c7d968ae1ddeabe01d2a9bc1e177",
"type": "github"
},
"original": {
"owner": "gmodena",
"ref": "latest",
"repo": "nix-flatpak",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
@ -189,11 +257,11 @@
]
},
"locked": {
"lastModified": 1737301351,
"narHash": "sha256-2UNmLCKORvdBRhPGI8Vx0b6l7M8/QBey/nHLIxOl4jE=",
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "15a87cedeb67e3dbc8d2f7b9831990dffcf4e69f",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"type": "github"
},
"original": {
@ -224,13 +292,35 @@
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"hardware": {
"locked": {
"lastModified": 1737751639,
"narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=",
"lastModified": 1740646007,
"narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4",
"rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github"
},
"original": {
@ -260,6 +350,30 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_5",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"libgit2": {
"flake": false,
"locked": {
@ -295,11 +409,11 @@
]
},
"locked": {
"lastModified": 1727438425,
"narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
"lastModified": 1734114420,
"narHash": "sha256-n52PUzub5jZWc8nI/sR7UICOheU8rNA+YZ73YaHeCBg=",
"owner": "domenkozar",
"repo": "nix",
"rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
"rev": "bde6a1a0d1f2af86caa4d20d23eca019f3d57eee",
"type": "github"
},
"original": {
@ -327,23 +441,39 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"lastModified": 1738452942,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1733212471,
"narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
"type": "github"
},
"original": {
@ -371,11 +501,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1716977621,
"narHash": "sha256-Q1UQzYcMJH4RscmpTkjlgqQDX5yi1tZL0O345Ri6vXQ=",
"lastModified": 1733477122,
"narHash": "sha256-qamMCz5mNpQmgBwc8SB5tVMlD5sbwVIToVZtSxMph9s=",
"owner": "cachix",
"repo": "devenv-nixpkgs",
"rev": "4267e705586473d3e5c8d50299e71503f16a6fb6",
"rev": "7bd9e84d0452f6d2e63b6e6da29fe73fac951857",
"type": "github"
},
"original": {
@ -387,11 +517,27 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1737885589,
"narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=",
"lastModified": 1731919951,
"narHash": "sha256-vOM6ETpl1yu9KLi/icTmLJIPbbdJCdAVYUXZceO/Ce4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8",
"rev": "04386ac325a813047fc314d4b4d838a5b1e3c7fe",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1740695751,
"narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
"type": "github"
},
"original": {
@ -401,13 +547,13 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1737525964,
"narHash": "sha256-3wFonKmNRWKq1himW9N3TllbeGIHFACI5vmLpk6moF8=",
"lastModified": 1740019556,
"narHash": "sha256-vn285HxnnlHLWnv59Og7muqECNMS33mWLM14soFIv2g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5757bbb8bd7c0630a0cc4bb19c47e588db30b97c",
"rev": "dad564433178067be1fbdfcce23b546254b6d641",
"type": "github"
},
"original": {
@ -419,16 +565,16 @@
},
"phps": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_6",
"flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs_7",
"utils": "utils"
},
"locked": {
"lastModified": 1737949449,
"narHash": "sha256-7yVWKcXYlpvuj1roseMDRSSMMWw+m3PDnwPSwu5BO3A=",
"lastModified": 1740296995,
"narHash": "sha256-M0bsnyYP5DqO7EKL9ujwXCWKwwlg9F2xUklpMvbd/0s=",
"owner": "fossar",
"repo": "nix-phps",
"rev": "f2c3381b4ee144cb650f47e56548490c805decbe",
"rev": "6a6be7dd7f86f305deab7799a17af50aff0e3218",
"type": "github"
},
"original": {
@ -437,17 +583,67 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"devenv": "devenv",
"devenv-root": "devenv-root",
"flake-parts": "flake-parts_2",
"flatpak": "flatpak",
"hardware": "hardware",
"nixpkgs": "nixpkgs_5",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs_6",
"phps": "phps"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,


@ -12,6 +12,8 @@
};
devenv.url = "github:cachix/devenv";
phps.url = "github:fossar/nix-phps";
lanzaboote.url = "github:nix-community/lanzaboote/v0.4.2";
flatpak.url = "github:gmodena/nix-flatpak?ref=latest";
};
outputs = {
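Review bot: `flatpak.url` on L997 follows the moving `latest` ref, whereas `lanzaboote` on L996 is pinned to a release tag. The lock file fixes the commit for now (flake.lock L668-L682 records the rev), but every `nix flake update` will silently advance to whatever `latest` points at, and nix-flatpak runs as root and decides what gets installed on the kiosk. Pin it to a release tag or an explicit rev the same way lanzaboote is, so that input changes show up as a reviewable lock diff.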


@ -0,0 +1,9 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems."/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
}


@ -0,0 +1,9 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems."/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
}


@ -0,0 +1,3 @@
{
setups.secureBoot.enable = true;
}


@ -0,0 +1,9 @@
{
boot.initrd.luks.devices.main.device = "/dev/disk/by-label/cryptmain";
fileSystems."/" = {
fsType = "ext4";
device = "/dev/mapper/main";
options = ["noatime"];
};
}


@ -0,0 +1,5 @@
{config, ...}: {
users.users.root.openssh.authorizedKeys.keys = [
config.pubkeys.hosts.vessel
];
}


@ -0,0 +1,14 @@
{config, ...}: {
fileSystems = {
"/" = {
fsType = "ext4";
label = "main";
options = ["noatime"];
};
${config.services.navidrome.settings.MusicFolder} = {
label = "music";
fsType = "ext4";
options = ["noatime"];
};
};
}


@ -1,7 +0,0 @@
{config, ...}: {
fileSystems.${config.services.navidrome.settings.MusicFolder} = {
label = "music";
fsType = "ext4";
options = ["noatime"];
};
}


@ -1,5 +1,7 @@
{modulesPath, ...}: {
imports = ["${modulesPath}/profiles/qemu-guest.nix"];
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
];
nixpkgs.hostPlatform = "aarch64-linux";


@ -5,9 +5,10 @@
label = "main";
options = ["noatime"];
};
"/boot" = {
label = "BOOT";
fsType = "vfat";
"/srv/backup" = {
label = "backup";
fsType = "ext4";
options = ["noatime"];
};
};
}


@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"org.DolphinEmu.dolphin-emu"
];
}


@ -1,7 +1,7 @@
{
fileSystems."/srv/backup" = {
label = "backup";
fileSystems."/" = {
fsType = "ext4";
label = "main";
options = ["noatime"];
};
}


@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"org.mozilla.firefox"
];
}


@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"io.freetubeapp.FreeTube"
];
}


@ -0,0 +1,25 @@
{
inputs,
modulesPath,
...
}: {
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
inputs.hardware.nixosModules.common-cpu-amd
inputs.hardware.nixosModules.common-gpu-amd
inputs.hardware.nixosModules.common-pc-ssd
];
nixpkgs.hostPlatform = "x86_64-linux";
boot = {
initrd = {
availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod"];
kernelModules = ["amdgpu"];
};
kernelModules = ["kvm-amd"];
};
powerManagement.cpuFreqGovernor = "performance";
}


@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"com.github.Rosalie241.RMG"
];
}


@ -0,0 +1,5 @@
{
services.flatpak.packages = [
"com.valvesoftware.Steam"
];
}


@ -0,0 +1,3 @@
{
system.stateVersion = "24.11";
}


@ -0,0 +1,12 @@
{
config,
lib,
...
}: let
inherit (config.users) mainUser;
in {
users = {
mainUser = lib.mkForce "user";
users.${mainUser}.description = lib.mkForce "User";
};
}


@ -9,6 +9,12 @@ lib: _: {
])
paths;
mkIfElse = condition: trueContent: falseContent:
lib.mkMerge [
(lib.mkIf condition trueContent)
(lib.mkIf (!condition) falseContent)
];
formatHostPort = {
host,
port,

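--- a/modules/secure-boot.nix
+++ b/modules/secure-boot.nix
@@ -0,0 +1,28 @@
+{
+config,
+lib,
+inputs,
+pkgs,
+...
+}: let
+cfg = config.setups.secureBoot;
+in {
+imports = [
+inputs.lanzaboote.nixosModules.lanzaboote
+];
+options.setups.secureBoot.enable = lib.mkEnableOption "Secure Boot";
+config = lib.mkIf cfg.enable {
+environment.systemPackages = [
+pkgs.sbctl
+];
+boot.loader.systemd-boot.enable = lib.mkForce false;
+boot.lanzaboote = {
+enable = lib.mkForce true;
+pkiBundle = lib.mkDefault "/var/lib/sbctl";
+};
+};
+}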
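Review bot: The option description on L1246 does not say what enabling it presupposes: an sbctl key bundle must already exist at `pkiBundle` (L1254) on the target before the first rebuild, otherwise the lanzaboote install step fails, and the firmware must have those keys enrolled and Secure Boot switched on, otherwise the signed images are produced but nothing verifies them. A description such as `lib.mkEnableOption "Secure Boot via lanzaboote (needs an sbctl key bundle at boot.lanzaboote.pkiBundle and the keys enrolled in firmware)"` captures both prerequisites where an operator will see them. The `lib.mkForce false` on L1251 is the form the lanzaboote documentation prescribes, so that is fine; `lib.mkForce true` on L1253 is stronger than needed inside an `mkIf cfg.enable` block and a plain `enable = true;` would leave room for a host to override it.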


@ -19,50 +19,98 @@ error() {
exit 1
}
args=$(getopt --options r:m:b:l:c: --longoptions=root:,mapping:,boot-label:,main-label:,cryptmain-label: --name "$progname" -- "$@")
skip() {
if (($# < 1)); then
error 'name of value to be skipped is required'
fi
if (($# > 1)); then
error 'too many arguments'
fi
local skip=$1
for s in "${skips[@]}"; do
if [[ $s == "$skip" ]]; then
return 1
fi
done
return 0
}
args=$(
getopt \
--options r:b:l:c:m:B:M:v \
--longoptions root:,boot-label:,main-label:,cryptmain-label:,mapping:,boot-options:,main-options:,verbose \
--name "$progname" \
-- "$@"
)
eval set -- "$args"
root=/mnt
mapping=main
bootlbl=BOOT
mainlbl=main
cryptmainlbl=cryptmain
mapping=main
bootflags=
mainflags=
fatflags=()
ext4flags=()
skips=()
while true; do
case "$1" in
(-r | --root)
root=$2
shift 2
;;
(-m | --mapping)
mapping=$2
shift 2
;;
(-b | --boot-label)
bootlbl=${2^^}
shift 2
;;
(-l | --main-label)
mainlbl=$2
shift 2
;;
(-c | --cryptmain-label)
cryptmainlbl=$2
shift 2
;;
(--)
shift
break
;;
esac
case "$1" in
-r | --root)
root=$2
shift 2
;;
-b | --boot-label)
skips+=(bootlbl)
bootlbl=${2^^}
shift 2
;;
-l | --main-label)
skips+=(mainlbl)
mainlbl=$2
shift 2
;;
-c | --cryptmain-label)
skips+=(cryptmainlbl)
cryptmainlbl=$2
shift 2
;;
-m | --mapping)
skips+=(mapping)
mapping=$2
shift 2
;;
-B | --boot-options)
bootflags+=(--options "$2")
shift 2
;;
-M | --main-options)
mainflags+=(--options "$2")
shift 2
;;
-v | --verbose)
fatflags+=(-v)
ext4flags+=(-v)
shift
;;
--)
shift
break
;;
esac
done
if (( $# < 1 )); then
error 'an argument specifying the block device is required'
if (($# < 1)); then
error 'an argument specifying the block device is required'
fi
if (( $# > 1 )); then
error 'too many arguments'
if (($# > 1)); then
error 'too many arguments'
fi
blkdev=$1
@ -75,45 +123,74 @@ EOF
parts=()
json=$(sfdisk --json -- "$blkdev")
while IFS= read -r k; do
parts+=("$(jq --argjson k "$k" --raw-output '.partitiontable.partitions[$k].node' <<<"$json")")
parts+=("$(jq --argjson k "$k" --raw-output '.partitiontable.partitions[$k].node' <<<"$json")")
done < <(jq '.partitiontable.partitions | keys[]' <<<"$json")
bootfs="${parts[0]}"
mainblkdev="${parts[1]}"
mkfs.vfat -F 32 -n "$bootlbl" -- "$bootfs" >/dev/null
if ! skip bootlbl; then
read -rep "Which label should the boot file system have? [$bootlbl] " input
if [[ -n $input ]]; then
bootlbl=$input
fi
fi
mkfs.fat -F 32 -n "$bootlbl" "${fatflags[@]}" -- "$bootfs" >/dev/null
while true; do
read -r -p 'Do you want your main partition to be encrypted [y/N]? ' luks
case "$luks" in
([Yy]*)
while true; do
read -r -s -p 'Enter password: ' password
warn ''
read -r -s -p 'Re-enter password: ' repassword
warn ''
if [[ $password == "$repassword" ]]; then
read -rep 'Do you want your main partition to be encrypted? [y/N] ' input
case "$input" in
[Yy]*)
while true; do
read -rsp 'Enter password: ' password
warn ''
read -rsp 'Re-enter password: ' repassword
warn ''
if [[ $password == "$repassword" ]]; then
break
fi
done
if ! skip cryptmainlbl; then
read -rep "Which label should the main LUKS partition have? [$cryptmainlbl] " input
if [[ -n $input ]]; then
cryptmainlbl=$input
fi
fi
cryptsetup luksFormat --batch-mode --label "$cryptmainlbl" -- "$mainblkdev" <<<"$password"
if ! skip mapping; then
read -rep "Which name should the main LUKS mapping have? [$mapping] " input
if [[ -n $input ]]; then
mapping=$input
fi
fi
cryptsetup open -- "$mainblkdev" "$mapping" <<<"$password"
mainfs=/dev/mapper/$mapping
break
fi
done
cryptsetup luksFormat --batch-mode --label "$cryptmainlbl" "$mainblkdev" <<<"$password"
cryptsetup open "$mainblkdev" "$mapping" <<<"$password"
mainfs=/dev/mapper/$mapping
break
;;
('' | [Nn]*)
mainfs=$mainblkdev
break
;;
(*) warn 'Please answer with yes or no' ;;
esac
;;
'' | [Nn]*)
mainfs=$mainblkdev
break
;;
*) warn 'Please answer with yes or no' ;;
esac
done
mkfs.ext4 -q -F -L "$mainlbl" -- "$mainfs"
if ! skip mainlbl; then
read -rep "Which label should the main file system have? [$mainlbl] " input
if [[ -n $input ]]; then
mainlbl=$input
fi
fi
mkfs.ext4 -qFL "$mainlbl" "${ext4flags[@]}" -- "$mainfs"
mkdir --parents -- "$root"
mount --options noatime -- "$mainfs" "$root"
mount "${mainflags[@]}" -- "$mainfs" "$root"
mkdir -- "$root/boot"
mount -- "$bootfs" "$root/boot"
mount "${bootflags[@]}" -- "$bootfs" "$root/boot"
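Review bot: The return codes of `skip()` (L1265-L1279) are inverted relative to its callers: it returns 1 when the name is in `skips` and 0 otherwise, so `if ! skip bootlbl` (L1391, likewise L1420, L1427 and L1458) prompts exactly when the user already supplied the value with `-b`/`-c`/`-m`/`-l` and silently takes the default when they did not — swap them to `return 0` inside the loop and `return 1` after it. Independently, `bootflags=` and `mainflags=` (L1294-L1295) initialise empty scalars rather than arrays like `fatflags=()` on L1296, and bash expands `"${var[@]}"` of an empty scalar to one empty-string argument, so with neither `-B` nor `-M` given the mounts on L1467 and L1470 receive an empty positional that mount is likely to reject; use `bootflags=()` and `mainflags=()`. Note also that the old `--options noatime` default for the main mount (removed at L1466) is gone, so `noatime` is now applied only when passed via `-M`. The `error()` function at the top of the first hunk begins outside it.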


@ -19,10 +19,19 @@ error() {
exit 1
}
args=$(getopt --options f:o:t:v --longoptions=flake:,on:,to:,verbose --name "$progname" -- "$@")
args=$(
getopt \
--options F:f:o:t:v \
--longoptions flakeref:,flake:,on:,to:,verbose \
--name "$progname" \
-- "$@"
)
eval set -- "$args"
if [[ -n $PUTER_FLAKEREF ]]; then
flakeref=$PUTER_FLAKEREF
fi
flags=(
--refresh
--use-remote-sudo
@ -31,25 +40,29 @@ flags=(
verbose=false
while true; do
case $1 in
(-f | --flake)
-F | --flakeref)
flakeref=$2
shift 2
;;
-f | --flake)
flake=$2
shift 2
;;
(-o | --on)
-o | --on)
flags+=(--build-host "$2")
shift 2
;;
(-t | --to)
-t | --to)
host=$2
flags+=(--target-host "$host")
shift 2
;;
(-v | --verbose)
-v | --verbose)
flags+=(--verbose)
verbose=true
shift
;;
(--)
--)
shift
break
;;
@ -57,17 +70,26 @@ while true; do
done
if [[ ! -v flake ]]; then
if [[ -v host ]]; then
hostname=$(ssh -- "$host" hostname)
if [[ -v flakeref ]]; then
warn "using flake reference $flakeref"
if [[ -v host ]]; then
hostname=$(ssh -- "$host" hostname)
else
hostname=$(hostname)
fi
if [[ -z $hostname ]]; then
error 'hostname could not be resolved and no flake specified'
fi
flake=$flakeref#$hostname
warn "resolved to $flake"
else
hostname=$(hostname)
error 'no flake or flake reference specified'
fi
flake=git+https://forgejo@tea.wrz.one/lukas/puter.git#$hostname
fi
flags+=(--flake "$flake")
if (( $# == 0 )); then
if (($# == 0)); then
error 'a subcommand is required'
fi
@ -84,25 +106,25 @@ run() {
sub=$1
case $sub in
(s | switch)
shift
s | switch)
shift
if (( $# > 0 )); then
error 'too many arguments'
fi
if (($# > 0)); then
error 'too many arguments'
fi
run switch
;;
(b | boot)
shift
run switch
;;
b | boot)
shift
if (( $# > 0 )); then
error 'too many arguments'
fi
if (($# > 0)); then
error 'too many arguments'
fi
run boot
;;
(*)
error 'invalid subcommand'
;;
run boot
;;
*)
error 'invalid subcommand'
;;
esac
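Review bot: `[[ -n $PUTER_FLAKEREF ]]` on L1486 tests an environment variable that is often unset, while the rest of the script checks definedness with `-v` (L1529, L1530, L1532); if the script runs under `set -u` (not visible in these hunks) an unset `PUTER_FLAKEREF` aborts it before option parsing, and even if it does not, `if [[ -v PUTER_FLAKEREF && -n $PUTER_FLAKEREF ]]; then` keeps the style consistent and is safe either way. With a flake reference resolved from the environment, the attribute to deploy is still taken from the `hostname` the target reports over ssh (L1535), so a misnamed or misidentified target selects a different configuration; the `warn "resolved to $flake"` on L1543 makes that visible, but the message could also name the source of the reference (`-F` versus `PUTER_FLAKEREF`) so operators know which one won. The `while` loop of the second hunk and the `case` on L1557 continue outside the shown hunks.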

View file

@ -11,5 +11,6 @@
glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
work = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHw8sMeiUSUDQu/yyIuZ2Oc6lmYace47HEYdo3nmUWSR";
insomniac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHw8sMeiUSUDQu/yyIuZ2Oc6lmYace47HEYdo3nmUWSR";
};
}
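Review bot: The `insomniac` entry added on L1600 carries exactly the same ssh-ed25519 public key as `work` on L1599, so whichever machine holds that private key is both hosts as far as agenix is concerned. That defeats the split made in secrets/secrets.nix (L1667-L1668): `user-lukas.age` removes `insomniac` from its recipients, but `work`'s identical key stays in the list, so a holder of the kiosk's key can still decrypt it, and `user-user.age` is equally readable by `work`. If the kiosk is meant to be isolated it needs its own host key (the public half of `/etc/ssh/ssh_host_ed25519_key.pub` on that machine), after which both secrets must be re-keyed; if the duplicate is a deliberate placeholder, a comment saying so on L1600 would stop the next reader from relying on a separation that does not exist.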

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,12 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 SFHVrw U+aZt7fWa449Gl55hXRDD38PUijyhzp28XAMPmRPYm0
CNCHCTxDX1OCedqbmT93DertJVC6X2eBQHSti9UpD3U
-> ssh-ed25519 S+dwQQ tga1gW8cAcAe2nmUpKGZDfPBMNWYCz8F9t6y5Z3nSUs
RNjnzz1D8IyIs5Yy1anjvPNUMU73WXNx/xN52tBsiCw
-> ssh-ed25519 bPbvlw S6OGsxSDtWeGnDkS/Pg/aM8xU3Z9ZMrLcC9QkmxsKzU
1Z0Gx7pq0q01WhSg3+20Dap7ekkzXKSGGdrXRvbmv7I
-> ssh-ed25519 ffmsLw daLmGw0eJTSfFZMBw9aPqooDYXGFP0l7k1PrMQk2iEM
BRZE2oQXWytOVU5+R0buTov74Acj1DKogJPt7TbGY44
--- 3ArhjIM9AlDiJjmn2BFe1ql/TUiveu+COhFVqN+5jsY
:0U=Ô5@<40>V½€0Ëe_í·ö"¶r ^™½“âꞘ{<7B> =»‡÷ULoUÇ %
-> ssh-ed25519 SFHVrw /OTVcIQd3fJVTG7aEwQCY/x6lfTd+EZpn7Jc4MeEcE4
31r1WrTF9ZnrL5za6p57fafVJfQAj5iyY6lLQriIwaY
-> ssh-ed25519 S+dwQQ TmWs92CYRNXJVaJCCsfQc7wWek38gofuVzaZiTchcRA
+zEDzASCzZbWn6weWXoBrCfDRLsOzKncFLLuXOTD/bc
-> ssh-ed25519 bPbvlw UuI6fU6RpT5aZBUZjgypR/q7N24usjkTxdu+hemcH2Q
AaqzU+V02ezyLuBLFpjiobv0qL87JaAI+CVur0nyuZ4
-> ssh-ed25519 ffmsLw 41XX4wfkbdkgcOGV/QobtwxXjfyYEkpYrUSGjhg1wBw
YZFSenGSwenFCuVxlmFQSLUACP1XUewZlKtRGYTuzRE
--- FwFDJ/HQQyHH1Ik5HdCF4ZHihlNCvD9BYGxgM4KOims
F=Δ\*—%]8³×l»Tp•$Ó–š4mõ>;y¿Ï9ð½µâÀ<C3A2>gvÍ!


@ -1,11 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 SFHVrw ijulBUOGDExmjRrr0Pyf7QpMELMNAY5gh77yM9VpnQ4
JCSSURYLwaOs/ga3dcQUcfMaWWxJugDZP5fbQhyPQ6s
-> ssh-ed25519 S+dwQQ 6Jkn/HoEbeXAcIZ5BQrpJFjBlH4VqpDFmTlWAk98SQg
fOF3+MH/4IzHQ44SKQaLo7VrILZdu+hDHIIXGv4asLs
-> ssh-ed25519 bPbvlw yvH9ggLK9QSrNoCIGkNQlpOS3UCegRz86f8LmZFUTEg
bOvwgPx3EAC4kXEV7Io6NHoPtuYLwqffjqx/cSWXeU0
-> ssh-ed25519 Sm0lOA T+w+u5UZlTnilbbTQy/Z6IFjp7/KaKg0MY2zhuSnOBI
pbqYRhd83jjTHqfQbY3Xpz5p3Znt9yr1lBc+UEa2ESo
--- xqFypHpvC9f/EaloV7W0PCvicGa/g/Igi69Rt5E9Pi4
ËæýDÜOˆÿÏ=Œ‚î$ÎÆÚÍÓ“¸ô$ÖôùÿTö;ÆHi³Ôò
-> ssh-ed25519 SFHVrw fMNDH0URM0/+vDXt7G1XjLmdD3YkQMHJjfcF3g6Tty4
k+Gc9ZrRrSkqor8Mm6k+bE18H+Tx6fDNiKaTNA+f5qA
-> ssh-ed25519 S+dwQQ jt/dEEBISxmpaUx6rjdamirV2MNzsIK9t9Eh79yA5UE
Nq4Bw8eH1vWHqCiQvfRsuYtw6fETWHR865gM5IDHPng
-> ssh-ed25519 bPbvlw pEfHE2mBNPsUCs2AFl3xBrhH935Ik6EJLpACTXmOwU8
ctFSiMorm+7by4tzDEySBfAjvjuskEQjpWIyC5BK9cg
-> ssh-ed25519 Sm0lOA /pofcFqGH/aJo7JsrmaYBD7+/Eo0WyO7L1RCbU+LfAU
ZjILSFZeV68fSTDUuXlTFfdTqda7fe6k2FdXjcK1wb8
--- SgzDlMCI5YwR8NLsV7DpKR48NAmTMGFS8vzyxMI/DF0
IÃð~Ã1Ü­\3„7<17>:;V M~kë Š|<š»¨o'9óžj‡0t\M


@ -1,5 +1,6 @@
with import ../pubkeys.nix; {
"user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
"user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues (builtins.removeAttrs hosts ["insomniac"]));
"user-user.age".publicKeys = (builtins.attrValues users) ++ [hosts.insomniac];
"microbin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];

Binary file not shown.

Binary file not shown.