🔥 deprecate silicium

Laureηt 2024-10-05 13:46:35 +02:00
parent 4a31208f50
commit 85a271e547
Signed by: Laurent
SSH key fingerprint: SHA256:pb5NrYg80So5z9hmqQFPmp//sgr+DFeJkKhmGyU2NLk
29 changed files with 3 additions and 454 deletions


@ -1,8 +0,0 @@
{
"recommendations": [
"editorconfig.editorconfig",
"kamadorueda.alejandra",
"jnoortheen.nix-ide",
"mkhl.direnv",
]
}

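--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,13 +0,0 @@
-{
-"files.exclude": {
-// defaults
-"**/.git": true,
-"**/.svn": true,
-"**/.hg": true,
-"**/CVS": true,
-"**/.DS_Store": true,
-"**/Thumbs.db": true,
-// extras
-"**/.direnv": true,
-}
-}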

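--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -1,11 +0,0 @@
-{
-"version": "2.0.0",
-"tasks": [
-{
-"label": "flake upgrade",
-"type": "shell",
-"command": "tmux new -s flake-update .vscode/upgrade.sh",
-"problemMatcher": []
-}
-]
-}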

26
.vscode/upgrade.sh vendored

@ -1,26 +0,0 @@
# error handler
handle_error() {
echo "Upgrade failed."
read -p "Press Enter to exit..."
exit 1
}
# stop on error
set -euxo pipefail
# trap any errors and call handle_error
trap 'handle_error "$BASH_COMMAND"' ERR
# update lock file
nix flake update
# update systems
sudo nixos-rebuild switch -L --flake .#silicium
nixos-rebuild switch -L --flake .#cesium --target-host cesium
# commit and push lock file
git add flake.lock
git commit -m "⬆️ nix flake update"
git push
echo "Upgrade successful"


@ -1,9 +1,6 @@
{ {
description = "Laureηt's infrastructure"; description = "Laureηt's infrastructure";
# TODO: luks encrypt cesium (dropbear ?)
# TODO: setup disko sur silicium
inputs = { inputs = {
# core stuff # core stuff
nixpkgs = { nixpkgs = {
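Review bot: The dropped `# TODO: luks encrypt cesium (dropbear ?)` comment tracks disk encryption for cesium, a host this commit keeps, so removing it together with the silicium TODO loses the only visible reminder that cesium may still be unencrypted at rest. Unless cesium has already been moved to LUKS elsewhere, keep that line above `inputs = {`, or replace it with a pointer to wherever the work is tracked. The attribute set continues outside the hunk.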


@ -2,7 +2,6 @@
sign_key = sign_key =
{ {
"aurum" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum"; "aurum" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum";
"silicium" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium";
} }
."${osConfig.networking.hostName}"; ."${osConfig.networking.hostName}";
in { in {


@ -12,7 +12,7 @@
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
]; ];
# TODO: move this into home config, when silicium has impermanence too # TODO: move this into home config
users.laurent = { users.laurent = {
directories = [ directories = [
"Documents" "Documents"


@ -1,7 +1,7 @@
{...}: { {...}: {
users.mutableUsers = false; users.mutableUsers = false;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium" # TODO: remove this
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSJTtS7tO0Wz/WgHAFb3xuNFZpm8SOvr/o8uR83zzy laurent@aurum"
]; ];
} }
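Review bot: The silicium public key stays in `users.users.root.openssh.authorizedKeys.keys` with only `# TODO: remove this` added, so the machine this commit retires can still open a root SSH session on whichever hosts import this module. Retiring a host should revoke its credentials in the same change: delete the `laurent@silicium` entry and leave only the `laurent@aurum` key, after confirming that aurum can reach the host. If the key has to stay for a transition period, the comment should say why and until when, for example `# silicium retired: drop once aurum access is verified`. The same TODO is left on the silicium key in the last file section of this commit.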


@ -14,25 +14,6 @@ in {
# desktop would be neon # desktop would be neon
# smartphone would be lithium # smartphone would be lithium
# personal laptop
silicium = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./silicium
inputs.home-manager.nixosModules.home-manager
inputs.agenix.nixosModules.default
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nixos-hardware.nixosModules.common-cpu-amd
inputs.nixos-hardware.nixosModules.common-gpu-nvidia-disable
inputs.nixos-hardware.nixosModules.common-pc-laptop
inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
{inherit home-manager;}
];
};
# work laptop # work laptop
aurum = nixpkgs.lib.nixosSystem { aurum = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";


@ -1,30 +0,0 @@
{pkgs, ...}: {
imports = [
./system
./services
];
# shorter timeout for systemd services
systemd.extraConfig = ''
DefaultTimeoutStopSec=10s
'';
services.dbus.enable = true;
xdg.portal = {
enable = true;
wlr.enable = true;
config = {
common.default = ["wlr" "gtk"];
hyprland.default = ["hyprland"];
};
extraPortals = [
pkgs.xdg-desktop-portal-gtk
pkgs.xdg-desktop-portal-wlr
pkgs.xdg-desktop-portal-hyprland
];
};
# enable gnome virtual file system
services.gvfs.enable = true;
}


@ -1,46 +0,0 @@
{config, ...}: {
services.borgbackup.jobs.home = {
paths = "/home/laurent/";
repo = "/mnt/home_backup";
exclude = [
# Largest cache dirs
".cache"
".compose-cache"
"*/cache"
"*/cache2" # firefox
"*/Cache"
"*/Code Cache"
"*/blob_storage"
".config/Slack/logs"
".config/Code/CachedData"
".container-diff"
".npm/_cacache"
# Work related dirs
"*/node_modules"
"*/bower_components"
"*/build"
"*/_build"
"*/.tox"
"*/venv"
"*/.venv"
"*/.direnv"
];
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgbackup.path}";
};
compression = "auto,zstd";
startAt = [];
};
services.borgbackup.jobs.keepass = {
paths = "/home/laurent/Documents/db_mdp.kdbx";
repo = "ssh://root@fainsin.bzh:624/srv/backup/keepass";
user = "laurent";
encryption = {
mode = "repokey";
passCommand = "cat ${config.age.secrets.borgbackup.path}";
};
compression = "auto,zstd";
startAt = "12:00";
};
}


@ -1,6 +0,0 @@
{...}: {
imports = [
./borgbackup
./greetd
];
}


@ -1,12 +0,0 @@
{pkgs, ...}: {
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd ${pkgs.hyprland}/bin/Hyprland";
user = "greeter";
};
};
};
}


@ -1,7 +0,0 @@
{pkgs, ...}: {
# udev rules
services.udev.packages = [pkgs.android-udev-rules];
# adb users
users.users.laurent.extraGroups = ["adbusers"];
}


@ -1,8 +0,0 @@
{...}: {
age.secrets.borgbackup = {
file = ../../../../secrets/borgbackup.age;
owner = "laurent";
group = "users";
};
age.identityPaths = ["/home/laurent/.ssh/id_ed25519"];
}


@ -1,7 +0,0 @@
{...}: {
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
}


@ -1,24 +0,0 @@
{
pkgs,
config,
...
}: {
# support for mounting windaube partitions
boot.supportedFilesystems = ["ntfs"];
boot.loader.efi.canTouchEfiVariables = true;
# clean /tmp at each boot
boot.tmp.cleanOnBoot = true;
# use latest kernel
boot.kernelPackages = pkgs.linuxPackages_latest;
imports = [
./lanzaboot.nix
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd" "v4l2loopback"];
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
}


@ -1,16 +0,0 @@
{lib, ...}: {
# This should already be here from switching to bootspec earlier.
# It's not required anymore, but also doesn't do any harm.
boot.bootspec.enable = true;
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
}


@ -1,24 +0,0 @@
{...}: {
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
imports = [
./adb
./age
./audio
./boot
./docker
./fonts
./hardware
./i18n
./networking
./nix
./security
./users
];
}


@ -1,12 +0,0 @@
{...}: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableOnBoot = false;
autoPrune.enable = true;
};
# docker users
users.users.laurent.extraGroups = ["docker"];
}


@ -1,16 +0,0 @@
{pkgs, ...}: {
fonts.packages = with pkgs; [
# https://notofonts.github.io/
noto-fonts # standard characters
noto-fonts-lgc-plus # latin, greek, and cyrillic
noto-fonts-cjk # chinese, japanese, and korean
noto-fonts-emoji # emojis 🐢
# https://github.com/tonsky/FiraCode
fira-code # standard characters
fira-code-symbols # unicode ligature glyphs
# https://github.com/ryanoasis/nerd-fonts
(nerdfonts.override {fonts = ["FiraCode"];})
];
}


@ -1,33 +0,0 @@
{...}: {
# hardware
hardware = {
enableRedistributableFirmware = true;
graphics.enable = true;
};
# logind configuration
services.logind = {
lidSwitch = "ignore";
extraConfig = ''
HandlePowerKey=suspend
'';
};
# tlp, power management
services.tlp.enable = true;
# thermald, controls temperature
services.thermald.enable = true;
# bluetooth
hardware.bluetooth.enable = true;
services.blueman.enable = true;
# backlight intensity
programs.light.enable = true;
# partitions and filesystems
imports = [
./partitions.nix
];
}


@ -1,24 +0,0 @@
{
config,
lib,
...
}: {
fileSystems."/" = {
device = "/dev/disk/by-uuid/b0ea5f1f-104f-4026-840a-4d46f3e827d1";
fsType = "btrfs";
options = ["subvol=nixos"];
};
boot.initrd.luks.devices."nixenc".device = "/dev/disk/by-uuid/93d0b0d8-b586-48cf-acc2-025fba1eaadb";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6D10-BBAF";
fsType = "vfat";
};
swapDevices = [];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,10 +0,0 @@
{...}: {
# FRANCE 🇫🇷 🥖 🥐
time.timeZone = "Europe/Paris";
# azerty keyboard
console.keyMap = "fr";
# english ISO metric system
i18n.defaultLocale = "en_DK.UTF-8";
}


@ -1,18 +0,0 @@
{...}: {
networking = {
# the name of the machine
hostName = "silicium";
# domain name servers, use clouflare family
nameservers = ["1.1.1.2" "1.0.0.2"];
# use networkManager, see nmcli
networkmanager.enable = true;
# firewall
firewall.enable = true;
# https://github.com/StevenBlack/hosts
stevenblack.enable = true;
};
}


@ -1,47 +0,0 @@
{
lib,
pkgs,
inputs,
...
}: {
# restrict nix command to sudoers
nix.settings.allowed-users = ["root" "@wheel"];
nix.settings.trusted-users = ["root" "@wheel"];
# experimental features
nix.settings.experimental-features = ["nix-command" "flakes"];
# limit number of cores when building
nix.settings.max-jobs = 6;
# optimizations
nix.settings.auto-optimise-store = true;
nix.optimise = {
automatic = true;
dates = ["12:00"];
};
# garbage collection
nix.gc = {
automatic = true;
dates = "12:00";
options = "--delete-older-than 30d";
};
# pin nixpkgs registry
nix.registry.nixpkgs.flake = inputs.nixpkgs;
# list of allowed unfree packages
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"vscode"
"vscode-extension-github-copilot"
"vscode-extension-github-copilot-chat"
];
# print diff between two generations
system.activationScripts.nvd-report-changes = ''
PATH=$PATH:${lib.makeBinPath [pkgs.nvd pkgs.nix]}
nvd diff $(ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
'';
}


@ -1,17 +0,0 @@
{pkgs, ...}: {
# enable polkit
security.polkit.enable = true;
# enable gpg agent
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-gnome3;
};
# secrets keyring
services.gnome.gnome-keyring.enable = true;
# allow swaylock to use pam
security.pam.services.swaylock = {};
}


@ -1,13 +0,0 @@
{...}: {
# disable user creation/deletion
users.mutableUsers = false;
# configure users
users = {
users.laurent = {
isNormalUser = true;
initialPassword = "laurent";
extraGroups = ["wheel" "video"];
};
};
}


@ -1,5 +1,5 @@
let let
silicium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium"; silicium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTvwXCT99s1EwOCeGQ28jyCAH/RBoLZza9k5I7wWdEu laurent@silicium"; # TODO: remove this
cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVxpWbNJl+OXe6YImMpsJprfuTd+9UJVTiteiuyx6oP root@cesium"; cesium = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVxpWbNJl+OXe6YImMpsJprfuTd+9UJVTiteiuyx6oP root@cesium";
in { in {
"borgbackup.age".publicKeys = [silicium]; "borgbackup.age".publicKeys = [silicium];
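Review bot: `"borgbackup.age".publicKeys = [silicium];` still names the retired machine's key as the only recipient, so after this commit the secret can be decrypted with silicium's key and by no host that remains in the flake. The module that consumed this secret is deleted in this same commit, so it looks unused; if that is the case, remove the `borgbackup.age` entry and the `silicium` binding together instead of leaving `# TODO: remove this`. If the backups are still needed, re-encrypt the secret to a current key and rotate the Borg passphrase, because the identity at `/home/laurent/.ssh/id_ed25519` (per the removed age module) can still decrypt older copies of the file kept in history. The attribute set continues outside the hunk.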