All the updates after this mess, should be good now

2024-05-06 15:55:51 +02:00 · 2024-05-06 15:55:51 +02:00 · a4f8f48f4b
commit a4f8f48f4b
parent 28c916d0ef
18 changed files with 532 additions and 32 deletions
--- a/nixos/hosts/iso_server/configuration.nix
+++ b/nixos/hosts/iso_server/configuration.nix
@ -0,0 +1,127 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  nixpkgs-stable,
+  ...
+}: {
+  imports = [
+    # If you want to use modules your own flake exports (from modules/home-manager):
+    # outputs.homeManagerModules.example
+    # outputs.nixosModules.contabo.wan
+    inputs.home-manager.nixosModules.home-manager
+    # Or modules exported from other flakes (such as nix-colors):
+    # inputs.nix-colors.homeManagerModules.defaults
+
+    # Import shared settings
+    ../../shared
+  ];
+
+  programs.command-not-found.enable = lib.mkForce false;
+  programs.nix-index.enable = true;
+  programs.nix-index-database.comma.enable = true;
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = false;
+  networking.domain = "";
+  services.openssh = {
+    enable = true;
+    # require public key authentication for better security
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+  };
+
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+    ];
+    # Configure your nixpkgs instance
+    config = {
+      # Disable if you don't want unfree packages
+      allowUnfree = true;
+    };
+  };
+
+  #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
+  sops.defaultSopsFile = ./secrets/sops.yaml;
+
+  environment.systemPackages = with pkgs; [
+    # Custom tools
+    dvd
+    dvt
+    servo
+    restart
+    install-nix
+
+    # System tools
+    aha
+    direnv
+    efitools
+    git-filter-repo
+    gnupg
+    pciutils
+    sbctl
+    tpm2-tools
+    tpm2-tss
+    zsh
+  ];
+
+  # Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53"
+
+  networking.firewall.enable = true;
+
+  networking.firewall.allowedTCPPorts = [22];
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+    options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
+  };
+
+  security.tpm2.enable = true;
+  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  programs.git = {
+    enable = true;
+  };
+
+  programs.direnv = {
+    enable = true;
+  };
+
+  # Enable completion of system packages by zsh
+  environment.pathsToLink = ["/share/zsh"];
+
+  # kde power settings do not turn off screen
+  systemd = {
+    services.sshd.wantedBy = pkgs.lib.mkForce ["multi-user.target"];
+    targets = {
+      sleep.enable = false;
+      suspend.enable = false;
+      hibernate.enable = false;
+      hybrid-sleep.enable = false;
+    };
+  };
+
+  home-manager = {
+    extraSpecialArgs = {inherit inputs outputs;};
+    users = {
+      # Import your home-manager configuration
+      lillian = import ../../../home-manager/hosts/iso_server;
+    };
+  };
+
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+  boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
+
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  system.stateVersion = "unstable";
+}
--- a/nixos/hosts/iso_server/secrets/sops.yaml
+++ b/nixos/hosts/iso_server/secrets/sops.yaml
@ -0,0 +1,21 @@
+lillian-password: ENC[AES256_GCM,data:kDP9LpmtLR2UEjCY0kgcdHmYAYLipOd/9I3NuiRHzLDhCX44M5QGfbQrle7bi9EOVD4eNB3uNtk+oBClr7cc21E9YtMIp5vg2g==,iv:EWB/hMRtWZfEn48Qmjo/V30BtSLrOsmo/cuEKnfW6Wk=,tag:vjiOkVga18BLKjf3GnZM2Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTFI5MDRiUkp1TGF2eHlG
+            VmwyVEdXQVR4dFJaZTNxeTRXQXZNbkN6T1dRClZyMU1LbFFmY0RwK1pmNDNWY0hW
+            bUJGYXI5ZEFIdDhUak1kMzF1WTE2SGsKLS0tIHpUQUVEWml1a251RmhQSGt1dm5E
+            a1hsN3NaVzNvRXlwcEpPd0RVQndiZk0KJ7/cnWzw1zSmgn+bOJn4Y1xRHqlk+zRM
+            Om0p+V9tUCCS5yGzacp8pFCa2DQNj0OVdyB2ZpjAiOzK7vWY8EU5XA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-03T14:29:41Z"
+    mac: ENC[AES256_GCM,data:ezq0K/lFSNSog0UzvsVNNpCewzBKmKJdsXlkWzZ8nhXN7/1lHeoONQnoEooNhNhpmFF1yCvcArZ6Suy7+R4UuybKBky+6r62fyz0BKrAO9y0Xb/HFiAJPAYwP7/5sRFq/jDdtMAbjLxJhoH128md5LoHXhUUc3sws/SIQvdan4I=,iv:/IxAO3rw4lc8ZzDWUtfJb3siGCtzCxid5NfhEnad01Q=,tag:IRg7LV7hnFmWl5WhWD2ZSg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/nixos/hosts/queen/configuration.nix
+++ b/nixos/hosts/queen/configuration.nix
@ -24,6 +24,9 @@

    # Import server settings
    ../../server
+
+    # Import disko
+    # ../../../disko/queen
  ];

  boot.tmp.cleanOnBoot = true;
@ -87,34 +90,34 @@
  ];

  # Create an auto-update systemd service that runs every day
-  system.autoUpgrade = {
-    flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git";
-    dates = "daily";
-    enable = true;
-  };
+  # system.autoUpgrade = {
+  # flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git";
+  # dates = "daily";
+  # enable = true;
+  # };

-  systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
+  # systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
  # Enable networking
-  networking.networkmanager.enable = true;
-  networking.nat.enable = true;
-  networking.nat.internalInterfaces = ["ve-+"];
-  networking.nat.externalInterface = "ens18";
-  networking.enableIPv6 = lib.mkForce true;
-  networking.nameservers = ["79.143.183.251" "79.143.183.252" "2a02:c207::1:53" "2a02:c207::2:53"];
+  # networking.networkmanager.enable = true;
+  # networking.nat.enable = true;
+  # networking.nat.internalInterfaces = ["ve-+"];
+  # networking.nat.externalInterface = "ens18";
+  # networking.enableIPv6 = lib.mkForce true;
+  # networking.nameservers = ["79.143.183.251" "79.143.183.252" "2a02:c207::1:53" "2a02:c207::2:53"];

-  networking.interfaces.ens18.ipv4.addresses = [
-    {
-      address = "62.171.160.195";
-      prefixLength = 32;
-    }
-  ];
+  # networking.interfaces.ens18.ipv4.addresses = [
+  #   {
+  #     address = "62.171.160.195";
+  #     prefixLength = 32;
+  #   }
+  # ];

-  networking.interfaces.ens18.ipv6.addresses = [
-    {
-      address = "2a02:c207:2063:2448::1";
-      prefixLength = 64;
-    }
-  ];
+  # networking.interfaces.ens18.ipv6.addresses = [
+  #   {
+  #     address = "2a02:c207:2063:2448::1";
+  #     prefixLength = 64;
+  #   }
+  # ];

  # Open ports in the firewall.
  networking.firewall = {
--- a/nixos/hosts/queen/hardware-configuration.nix
+++ b/nixos/hosts/queen/hardware-configuration.nix
@ -7,12 +7,21 @@
 }: {
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
  boot.loader.grub.device = "/dev/sda";
-  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
  boot.initrd.kernelModules = ["nvme"];
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  networking.useDHCP = lib.mkDefault true;
+
  fileSystems."/" = {
-    device = "/dev/sda3";
+    device = "/dev/disk/by-uuid/dc10d09c-9394-4854-acd5-93ceccd2f448";
    fsType = "ext4";
  };
-  swapDevices = [{device = "/dev/sda2";}];
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  fileSystems."/nix/store" = {
+    device = "/nix/store";
+    fsType = "none";
+    options = ["bind"];
+  };
+
+  swapDevices = [];
 }