From 0b4b3f70017c786a45148a76be4c7bf8e7a2eac9 Mon Sep 17 00:00:00 2001 From: Chris Dombroski Date: Fri, 5 Apr 2024 22:04:41 -0400 Subject: [PATCH] initial config --- .gitignore | 1 + flake.lock | 187 ++++++++++++ flake.nix | 38 +++ systems/orangepihole/configuration.nix | 94 ++++++ .../orangepihole/hardware-configuration.nix | 17 ++ systems/smolboi/default.nix | 273 ++++++++++++++++++ 6 files changed, 610 insertions(+) create mode 100644 .gitignore create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 systems/orangepihole/configuration.nix create mode 100644 systems/orangepihole/hardware-configuration.nix create mode 100644 systems/smolboi/default.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +result diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..d4bff94 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,187 @@ +{ + "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1711973905, + "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710888565, + "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", 
+ "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1712168706, + "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.11", + "type": "indirect" + } + }, + "root": { + "inputs": { + "deploy-rs": "deploy-rs", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs_2", + "utils": "utils_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { + "inputs": { + "flake-utils": "flake-utils" + }, + "locked": { + "lastModified": 1696281284, + "narHash": "sha256-xcmtTmoiiAOSk4abifbtqVZk0iwBcqJfg47iUbkwhcE=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "6cf1e312fb259693c4930d07ca3cbe1d07ef4a48", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "ref": "v1.4.0", + "repo": "flake-utils-plus", + 
"type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..128ca8f --- /dev/null +++ b/flake.nix @@ -0,0 +1,38 @@ +{ + description = "Chris's system configuration"; + inputs = { + nixpkgs.url = "nixpkgs/nixos-23.11"; + utils.url = github:gytis-ivaskevicius/flake-utils-plus/v1.4.0; + deploy-rs.url = github:serokell/deploy-rs; + home-manager = { + url = github:nix-community/home-manager/release-23.11; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.utils.follows = "utils"; + }; + }; + outputs = inputs@{ self, nixpkgs, utils, home-manager, deploy-rs, ... }: + let + in + utils.lib.mkFlake { + inherit self inputs; + channelsConfig = { allowUnfree = true; }; + hosts = { + #smolboi.modules = [ ./systems/smolboi/configuration.nix ]; + orangepihole = { + system = "aarch64-linux"; + modules = [ ./systems/orangepihole/configuration.nix ]; + }; + }; + deploy = { + sshUser = "root"; + nodes = { + orangepihole = { + hostname = "orangepihole"; + profiles.system.user = "root"; + profiles.system.path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.orangepihole; + }; + }; + }; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + }; +} diff --git a/systems/orangepihole/configuration.nix b/systems/orangepihole/configuration.nix new file mode 100644 index 0000000..02e9bab --- /dev/null +++ b/systems/orangepihole/configuration.nix 
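Review bot: The commented-out `smolboi.modules = [ ./systems/smolboi/configuration.nix ]` names a file this commit does not add — the host's module lands at `systems/smolboi/default.nix` — so the line will not evaluate when uncommented; `#smolboi.modules = [ ./systems/smolboi ];` matches what was committed. `home-manager` is declared as an input and taken as an `outputs` argument but never used, and per flake.lock its only input is `nixpkgs`, so `inputs.utils.follows = "utils"` presumably overrides an input that does not exist; drop it until it is wired in, or leave a comment saying it is reserved. Deployment runs with `sshUser = "root"` against a host whose only authorized key sits on the root account; deploy-rs can instead connect as an unprivileged `sshUser` and escalate to `profiles.system.user = "root"` through its sudo setting, which keeps direct root SSH off the box if a deploy user is acceptable there. The three unquoted `github:` URLs would read consistently with `nixpkgs.url` if quoted, and the empty `let in` can go.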
@@ -0,0 +1,94 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + boot.loader.timeout = 1; + + networking = { + hostName = "orangepihole"; # Define your hostname. + useNetworkd = true; + }; + systemd.network.enable = true; + systemd.network.networks."40-end0" = { + matchConfig.Name = "end0"; + address = [ "10.42.69.2/24" "fd72:3dd5:21ae:3c97::2/64" ]; + dns = [ "10.42.69.2" "fd72:3dd5:21ae:3c97::2" ]; + domains = [ "icanttype.org" ]; + gateway = [ "10.42.69.1" ]; + networkConfig.DHCPServer = true; + dhcpServerConfig = { + PoolOffset = 150; + EmitDNS = true; + DNS = "10.42.69.2"; + EmitRouter = true; + Router = "10.42.69.1"; + }; + networkConfig.IPv6SendRA = true; + ipv6SendRAConfig.RouterLifetimeSec = 0; + ipv6SendRAConfig.EmitDNS = false; + ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ]; + }; + time.timeZone = "America/New_York"; + + zramSwap.enable = true; + swapDevices = [ {device="/swapfile"; size=1024;}]; + services.resolved.enable = true; + services.unbound = { + enable = true; + settings = { + server = { + qname-minimisation = "yes"; + interface = [ "end0" ]; + access-control = [ "10.0.0.0/8 allow" "fc::/7 allow" ]; + }; + include = [ "/etc/unbound/ads.conf" "/etc/unbound/local.conf" ]; + }; + }; + + systemd = { + services.adblock = { + startAt = "daily"; + postStop = "systemctl reload unbound"; + path = with pkgs; [ gawk wget ]; + script = '' + wget -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/pro.blacklist.conf > /etc/unbound/new.conf + wget -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/tif.blacklist.conf >> /etc/unbound/new.conf + wget -O - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/doh-vpn-proxy-bypass.blacklist.conf >> /etc/unbound/new.conf + echo 'local-zone: 
"iogames.space." always_nxdomain' >> /etc/unbound/new.conf + echo 'local-zone: "taming.io." always_nxdomain' >> /etc/unbound/new.conf + awk '!seen[$0]++' /etc/unbound/new.conf > /etc/unbound/ads.conf + rm /etc/unbound/new.conf + ''; + }; + }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + + + environment.systemPackages = with pkgs; [ + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + wget + ]; + + services.openssh.enable = true; + + networking.firewall.enable = false; + + system.stateVersion = "23.11"; # Did you read the comment? + system.autoUpgrade.enable = true; + system.autoUpgrade.allowReboot = false; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.gc.automatic = true; + nix.gc.options = "--delete-older-than 7d"; + nix.optimise.automatic = true; + +} + diff --git a/systems/orangepihole/hardware-configuration.nix b/systems/orangepihole/hardware-configuration.nix new file mode 100644 index 0000000..43183dc --- /dev/null +++ b/systems/orangepihole/hardware-configuration.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; + fsType = "ext4"; + }; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} + diff --git a/systems/smolboi/default.nix b/systems/smolboi/default.nix new file mode 100644 index 0000000..e4d807f --- /dev/null +++ b/systems/smolboi/default.nix 
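Review bot: `networking.firewall.enable = false` leaves every listener on this host reachable from the LAN while it serves DNS, DHCP and SSH; unbound's `access-control` only scopes who gets answers, so the firewall should stay on with just the needed ports, `networking.firewall.allowedTCPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 67 ];` (sshd opens its own port through the `services.openssh.openFirewall` default). The adblock script concatenates three fetched files straight into an unbound `include`, so any line in those downloads becomes a live resolver directive and a redirect off HTTPS would be followed; keeping only `local-zone:`/`local-data:` lines, passing `--https-only`, and replacing `ads.conf` atomically keep a bad fetch from changing the resolver, as sketched below (NixOS runs `script` with `-e`, so with `pipefail` an empty result aborts before `ads.conf` is touched). Nothing in this file creates `/etc/unbound/local.conf`, or `ads.conf` before the first timer run, and an `include:` of a missing file makes unbound refuse to start, so their first-boot creation is presumably handled outside this commit — worth a comment or an `environment.etc` entry. `system.autoUpgrade.enable = true` is set without `system.autoUpgrade.flake`, unlike smolboi, so the upgrade timer will presumably run the channel-based `nixos-rebuild switch --upgrade` rather than rebuild this flake; `system.autoUpgrade.flake = "<repo-url-placeholder>"` would align the two hosts.
```nix
    services.adblock = {
      startAt = "daily";
      postStop = "systemctl reload unbound";
      path = with pkgs; [ gawk gnugrep wget ];
      script = ''
        set -o pipefail
        new=/etc/unbound/new.conf
        : > "$new"
        for list in pro.blacklist.conf tif.blacklist.conf doh-vpn-proxy-bypass.blacklist.conf; do
          wget --https-only -O - "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/$list" >> "$new"
        done
        echo 'local-zone: "iogames.space." always_nxdomain' >> "$new"
        echo 'local-zone: "taming.io." always_nxdomain' >> "$new"
        # Keep only block-list directives: anything else in a fetched file would
        # otherwise be loaded as resolver configuration. With pipefail an empty
        # result aborts here and leaves the previous ads.conf in place.
        grep -E '^local-(zone|data): ' "$new" | awk '!seen[$0]++' > "$new.dedup"
        mv "$new.dedup" /etc/unbound/ads.conf
        rm "$new"
      '';
    };
```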
@@ -0,0 +1,273 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot = { + blacklistedKernelModules = [ "k10temp" ]; + extraModulePackages = with config.boot.kernelPackages; [ zenpower ]; + kernelParams = [ "amd_pstate=passive" ]; + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + plymouth = { + enable = false; + theme = "breeze"; + }; + binfmt.emulatedSystems = [ "aarch64-linux" ]; + binfmt.registrations.appimage = { + wrapInterpreterInShell = false; + interpreter = "${pkgs.appimage-run}/bin/appimage-run"; + recognitionType = "magic"; + offset = 0; + mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff''; + magicOrExtension = ''\x7fELF....AI\x02''; + }; + }; + powerManagement.cpuFreqGovernor = "schedutil"; + + + networking = { + hostName = "smolboi"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networkmanager.enable = true; # Easiest to use and most distros use this by default. 
+ firewall.allowedTCPPorts = [ 22000 ]; + }; + nix = { + settings = { + experimental-features = [ "nix-command" "flakes" ]; + sandbox = true; + }; + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + nixpkgs.config = { + allowUnfree = true; + permittedInsecurePackages = [ + "electron-25.9.0" + "nix-2.16.2" + ]; + packageOverrides = pkgs: { + steam = pkgs.steam.override { + extraPkgs = pkgs: with pkgs; [ + xorg.libXcursor + xorg.libXi + xorg.libXinerama + xorg.libXScrnSaver + libpng + libpulseaudio + libvorbis + stdenv.cc.cc.lib + libkrb5 + keyutils + winetricks + ]; + }; + }; + }; + + # Set your time zone. + time.timeZone = "America/New_York"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; + + # Enable the X11 windowing system. + services = { + xserver = { + enable = true; + displayManager.sddm = { + enable = true; + autoNumlock = true; + }; + desktopManager.plasma5.enable = true; + }; + + # Configure keymap in X11 + # services.xserver.xkb.layout = "us"; + # services.xserver.xkb.options = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + printing = { + enable = true; + drivers = [ pkgs.gutenprint ]; + }; + avahi = { + enable = true; + nssmdns = true; + openFirewall = true; + }; + printing.cups-pdf.enable = true; + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + hardware.openrgb.enable = true; + resolved.enable = true; + btrfs.autoScrub.enable = true; + }; + hardware = { + sane = { + enable = true; + extraBackends = [ pkgs.sane-airscan ]; + }; + bluetooth.enable = true; + }; + + # Enable sound. 
+ security = { + rtkit.enable = true; + wrappers.sunshine = { + owner = "root"; + group = "root"; + capabilities = "cap_sys_admin+p"; + source = "${pkgs.sunshine}/bin/sunshine"; + }; + }; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.alice = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # packages = with pkgs; [ + # firefox + # tree + # ]; + # }; + users.users.cdombroski = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + uid = 1000; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment = { + systemPackages = with pkgs; [ + vim-full # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + libreoffice-qt + firefox + syncthing + chromium + skanlite + htop + git + kate + cifs-utils + sunshine + ]; + pathsToLink = [ "/share/bash-completion" ]; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ # programs.mtr.enable = true; + programs = { + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + steam = { + enable = true; + remotePlay.openFirewall = true; + gamescopeSession.enable = true; + }; + firefox.nativeMessagingHosts.packages = with pkgs; [keepassxc libsForQt5.plasma-browser-integration ]; + gamemode = { + enable = true; + settings = { + general = { + reaper_freq = 5; + desiredgov = "performance"; + softrealtime = "auto"; + }; + gpu = { + apply_gpu_optimisations = "accept-responsibility"; + gpu_device = 0; + amd_performance_level = "high"; + }; + }; + }; + gamescope.enable = true; + }; + # List services that you want to enable: + zramSwap = { + enable = true; + writebackDevice = "/dev/disk/by-partuuid/e8f5eaf8-46ca-40de-854a-f6dfe964b92d"; + }; + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + + fileSystems = { + "/".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ]; + "/nix".options = [ "compress=lzo" "autodefrag" "discard=async" "noatime" "defaults" ]; + "/steam-library".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ]; + "/home".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ]; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. 
+ # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? + system.autoUpgrade = { + enable = true; + flake = "/home/cdombroski/.dotfiles"; + flags = [ + "--update-input" + "nixpkgs" + ]; + }; + +} +
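Review bot: `networking.firewall.enable = false` near the end of the file silently defeats the firewall openings made earlier in the same hunk — `firewall.allowedTCPPorts = [ 22000 ]`, `avahi.openFirewall = true`, `programs.steam.remotePlay.openFirewall = true` — since none of them matter with the firewall off; either remove the `enable = false` line so those openings do the work, or drop the now-dead `openFirewall` settings so the file says what it does. `permittedInsecurePackages = [ "electron-25.9.0" "nix-2.16.2" ]` re-admits packages nixpkgs has marked insecure without recording which installed package pulls each in; a comment per entry, e.g. `"electron-25.9.0" # needed by <package-placeholder>; remove once it moves off electron 25`, makes it possible to drop them later. `system.autoUpgrade.flake = "/home/cdombroski/.dotfiles"` has the root-run upgrade timer build and switch from a checkout under an unprivileged user's home, so that account's integrity is the system's integrity (the user is in `wheel` here, so this is presumably intended, but it deserves a comment), and `--update-input` will presumably leave a root-modified `flake.lock` in that checkout. The `./hardware-configuration.nix` import has no matching file under `systems/smolboi/` in this commit, so it is presumably kept out of the repo or still to be added.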