diff --git a/flake.nix b/flake.nix index bdb77a1..22f1926 100644 --- a/flake.nix +++ b/flake.nix @@ -20,6 +20,7 @@ nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"; nixpkgs-lib.follows = "nixpkgs"; nixvim.url = "github:nix-community/nixvim"; + agenix.url = "github:ryantm/agenix"; dms = { url = "github:AvengeMedia/DankMaterialShell/stable"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/base/default.nix b/modules/base/default.nix index ace3a9a..1887adf 100644 --- a/modules/base/default.nix +++ b/modules/base/default.nix @@ -108,6 +108,11 @@ in "networkmanager" "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnmuxDkpDIku5t1Tykz21u78xoQ7LJR8JEcfth32LGu dennis@dnsc-work" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8LXdDU3C4PcCHb/BEm1xQIZyo2KTR5Dcuw6ni+SxmH dennis@dnsc-machine" + ]; }; }; } diff --git a/modules/cli-tools/default.nix b/modules/cli-tools/default.nix index 8898ef3..f98e22b 100644 --- a/modules/cli-tools/default.nix +++ b/modules/cli-tools/default.nix @@ -17,6 +17,8 @@ let usbutils opencode lazygit + wget + btop ]; in { diff --git a/modules/hosts/dnsc-server/_hardware-configuration.nix b/modules/hosts/dnsc-server/_hardware-configuration.nix new file mode 100644 index 0000000..22b0247 --- /dev/null +++ b/modules/hosts/dnsc-server/_hardware-configuration.nix 
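Review bot: The new `agenix` input does not pin its `nixpkgs` to this flake's `nixpkgs`, unlike the `dms` input declared right below it, so the lock file will carry a second nixpkgs (plus agenix's own `home-manager`/`darwin` inputs) and the agenix module may be evaluated against a different package set than the hosts that import it. Declare it the same way as `dms`: `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`. If home-manager integration from agenix is not used, its `home-manager` input can be followed to the flake's own as well to keep the lock to one copy.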
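Review bot: These three authorized keys are attached to the user inside the shared `base` module, so every host that imports `base` — not only `dnsc-server` — will accept them over SSH, and the same user is in `wheel` two lines above. If fleet-wide access from all three personal machines is the intent, a one-line comment such as `# SSH keys accepted on every host; remove a key here to revoke it everywhere` would make that explicit; otherwise move the list into the `ssh` module or the individual host definitions and keep `base` key-free. The user block this hunk extends starts before the hunk, so I cannot see whether the account has a password or whether `users.mutableUsers` is off, which decides whether these keys are the only thing guarding a wheel account.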
@@ -0,0 +1,52 @@ +{ + config, + lib, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "vmd" + "xhci_pci" + "ahci" + "usb_storage" + "usbhid" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/89318ceb-c0c6-47f2-9cad-99612498bd75"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/EE6C-978E"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/9c843b67-418a-4d11-8700-6a0eb866c02c"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/modules/hosts/dnsc-server/default.nix b/modules/hosts/dnsc-server/default.nix new file mode 100644 index 0000000..7d7e199 --- /dev/null +++ b/modules/hosts/dnsc-server/default.nix 
@@ -0,0 +1,41 @@ +{ inputs, config, ... }: +let + hostname = "dnsc-server"; +in +{ + flake.nixosConfigurations.${hostname} = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = with config.flake.modules.nixos; [ + agenix.nixosModules.default + home-manager + base + git + ssh + zfs + ups + cli-tools + nix + jellyfin + restic + samba-share + + { + imports = [ ./_hardware-configuration.nix ]; + samba-share.path = "/main/share"; + samba-share.allowedHosts = "192.168.178. 127.0.0.1 localhost"; + networking.hostName = hostname; + system.stateVersion = "24.11"; + + # Secrets for this machine + age = { + identityPaths = [ + "${config.users.users.dennis.home}/.ssh/id_ed25519" + ]; + secrets."restic/password" = { + file = ../../secrets/restic/password.age; + }; + }; + } + ]; + }; +} diff --git a/modules/jellyfin/default.nix b/modules/jellyfin/default.nix new file mode 100644 index 0000000..ed35cca --- /dev/null +++ b/modules/jellyfin/default.nix @@ -0,0 +1,32 @@ +{ ... }: +{ + flake.modules.nixos.jellyfin = + { pkgs, ... }: + { + services.jellyfin = { + enable = true; + openFirewall = true; + }; + + nixpkgs.config.packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver + intel-vaapi-driver + libva-vdpau-driver + intel-compute-runtime + vpl-gpu-rt + ]; + }; + + environment.systemPackages = with pkgs; [ + jellyfin + jellyfin-web + jellyfin-ffmpeg + ]; + }; +} diff --git a/modules/restic/default.nix b/modules/restic/default.nix new file mode 100644 index 0000000..eb0fbf8 --- /dev/null +++ b/modules/restic/default.nix 
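Review bot: `"${config.users.users.dennis.home}/.ssh/id_ed25519"` in `age.identityPaths` resolves `config` against this file's outer argument (`{ inputs, config, ... }:`, the flake-level config that also provides `config.flake.modules.nixos`), not the NixOS configuration being built, so as far as I can see the reference fails at evaluation; the inline module would have to be a function with its own `{ config, ... }:` argument to read NixOS options. Beyond that, decrypting host secrets with a personal user key means the key must already exist in that home directory when activation runs as root and ties root's secrets to one user's keypair; agenix's default identity `/etc/ssh/ssh_host_ed25519_key` avoids both, so I would drop `identityPaths` entirely and add the server's host public key as the `dnsc-server` recipient in `secrets.nix` (the current entry there is the `dennis@dnsc-server` user key, so the secrets would need re-keying). `agenix.nixosModules.default` is also looked up through `with config.flake.modules.nixos;`; unless a module of that name exists elsewhere in the repo it should be `inputs.agenix.nixosModules.default`.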
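Review bot: `openFirewall = true` exposes Jellyfin on every interface, whereas the Samba share on the same host is fenced to `192.168.178.` by `hosts allow`; Jellyfin's first-run wizard hands the admin account to whoever reaches the web port first, so the port should not be reachable from untrusted networks before that wizard has been completed. If the server only has the LAN interface this is a documentation point (a comment recording that the initial setup is done); otherwise set `openFirewall = false;` and open the port per interface, e.g. `networking.firewall.interfaces."<lan interface>".allowedTCPPorts = [ 8096 ];`. The `packageOverrides` of `vaapiIntel` with `enableHybridCodec` deserves a comment naming the GPU generation it is for, since it is otherwise an opaque override carried on a server host.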
@@ -0,0 +1,40 @@ +{ inputs, ... }: +{ + flake.modules.nixos.restic = + { pkgs, config, ... }: + { + # Root SSH for storage box + programs.ssh = { + extraConfig = '' + Host dnsc-storage + AddKeysToAgent yes + Hostname u295965.your-storagebox.de + User u295965 + IdentityFile /root/.ssh/id_ed25519 + IdentitiesOnly yes + Port 23 + ''; + }; + + services.restic.backups = { + "dnsc-storage" = { + initialize = true; + passwordFile = config.age.secrets."restic/password".path; + repository = "sftp:dnsc-storage:restic/dnsc-server"; + createWrapper = true; + paths = [ + "/main/share" + "/data/actual-server" + ]; + pruneOpts = [ + "--keep-last 3" + ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + RandomizedDelaySec = "5h"; + }; + }; + }; + }; +} diff --git a/modules/samba-share/default.nix b/modules/samba-share/default.nix new file mode 100644 index 0000000..3293633 --- /dev/null +++ b/modules/samba-share/default.nix 
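Review bot: The sftp repository is reached through root's ssh with no `knownHosts` entry for `u295965.your-storagebox.de` on port 23, so the storage box's host key is either accepted on first use or the non-interactive timer run fails, and a later MITM on that path would go unnoticed; pin it with `programs.ssh.knownHosts."dnsc-storage" = { hostNames = [ "[u295965.your-storagebox.de]:23" ]; publicKey = "<storage box ed25519 host key>"; };`. `IdentityFile /root/.ssh/id_ed25519` is created outside this configuration, so a comment saying where that key comes from and that its public half must be installed on the storage box would save the next deploy from a silent failure. Note also that `--keep-last 3` with a daily schedule gives roughly a three-day restore window, and the same key that uploads can prune and delete the repository, so anything that corrupts `/main/share` is backed up over the good snapshots within days; if that is accepted, record it next to `pruneOpts`.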
@@ -0,0 +1,56 @@ +{ lib, ... }: +{ + flake.modules.nixos.samba-share = + { pkgs, config, lib, ... }: + { + options.samba-share = { + path = lib.mkOption { + type = lib.types.str; + description = "Path to the directory to share via Samba."; + }; + allowedHosts = lib.mkOption { + type = lib.types.str; + description = "Space-separated list of allowed hosts/subnets (e.g. \"192.168.1. 127.0.0.1\")."; + }; + }; + + config = { + services.samba = { + enable = true; + openFirewall = true; + settings = { + global = { + "workgroup" = "WORKGROUP"; + "security" = "user"; + "hosts allow" = config.samba-share.allowedHosts; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "share" = { + "path" = config.samba-share.path; + "browseable" = "yes"; + "writeable" = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "force user" = "dennis"; + "force group" = "users"; + }; + }; + }; + + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; + + services.avahi = { + publish.enable = true; + publish.userServices = true; + nssmdns4 = true; + enable = true; + openFirewall = true; + }; + }; + }; +} diff --git a/modules/scrolling-desktop/niri/dms/colors.kdl b/modules/scrolling-desktop/niri/dms/colors.kdl index 705b90e..149182f 100644 --- a/modules/scrolling-desktop/niri/dms/colors.kdl +++ b/modules/scrolling-desktop/niri/dms/colors.kdl @@ -5,14 +5,14 @@ layout { background-color "transparent" focus-ring { - active-color "#c3c0ff" - inactive-color "#928f9a" + active-color "#d2bcfd" + inactive-color "#948f99" urgent-color "#ffb4ab" } border { - active-color "#c3c0ff" - inactive-color "#928f9a" + active-color "#d2bcfd" + inactive-color "#948f99" urgent-color "#ffb4ab" } 
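Review bot: The `share` section combines `"guest ok" = "yes"`, `"writeable" = "yes"` and `"force user" = "dennis"`, so any host matching `allowedHosts` (the whole `192.168.178.` subnet on `dnsc-server`) can read and write the directory as `dennis` without any credentials; the same path is the restic backup source, so an unauthenticated LAN client can also shape what gets backed up. If the share is meant to be authenticated, set `"guest ok" = "no";` and provision a Samba password for the user (that step is not declared in this module and needs a comment); if anonymous LAN write is the intent, say so in the option description or a comment so the `hosts allow` list is understood as the only control. `"hosts deny" = "0.0.0.0/0"` is correct as a default-deny only because `hosts allow` takes precedence in Samba; a short comment to that effect would stop a future reader from "fixing" it.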
@@ -21,19 +21,19 @@ layout { } tab-indicator { - active-color "#c3c0ff" - inactive-color "#928f9a" + active-color "#d2bcfd" + inactive-color "#948f99" urgent-color "#ffb4ab" } insert-hint { - color "#c3c0ff80" + color "#d2bcfd80" } } recent-windows { highlight { - active-color "#424078" + active-color "#4f3d74" urgent-color "#ffb4ab" } } diff --git a/modules/ssh/default.nix b/modules/ssh/default.nix index 432b27d..dafaa63 100644 --- a/modules/ssh/default.nix +++ b/modules/ssh/default.nix @@ -3,7 +3,15 @@ flake.modules.nixos.ssh = { pkgs, ... }: { - services.openssh.enable = true; + services.openssh = { + enable = true; + settings = { + X11Forwarding = false; + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + openFirewall = true; + }; home-manager.sharedModules = [ inputs.self.modules.homeManager.ssh diff --git a/modules/ups/default.nix b/modules/ups/default.nix new file mode 100644 index 0000000..241a268 --- /dev/null +++ b/modules/ups/default.nix @@ -0,0 +1,22 @@ +{ ... }: +{ + flake.modules.nixos.ups = + { pkgs, ... }: + { + power.ups = { + enable = true; + + ups."eaton-ups" = { + driver = "usbhid-ups"; + port = "auto"; + }; + + users.upsmon = { + passwordFile = "/etc/upsmon.passwd"; + upsmon = "primary"; + }; + + upsmon.monitor."eaton-ups".user = "upsmon"; + }; + }; +} diff --git a/modules/zfs/default.nix b/modules/zfs/default.nix new file mode 100644 index 0000000..4fc5f04 --- /dev/null +++ b/modules/zfs/default.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + flake.modules.nixos.zfs = + { pkgs, ... }: + { + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.forceImportRoot = false; + boot.zfs.extraPools = [ "main" ]; + + services.zfs = { + autoSnapshot.enable = true; + trim.enable = true; + }; + }; +} diff --git a/secrets/restic/password.age b/secrets/restic/password.age new file mode 100644 index 0000000..fff06c2 --- /dev/null +++ b/secrets/restic/password.age 
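Review bot: `PasswordAuthentication = false` on its own does not rule out password logins, because `KbdInteractiveAuthentication` is left at the NixOS default (true, as far as I recall) and PAM turns keyboard-interactive into a password prompt; add `KbdInteractiveAuthentication = false;` beside it, and optionally `AuthenticationMethods = "publickey";` to make the policy explicit. `X11Forwarding = false` is already the NixOS default, so it is harmless but worth a comment if it is meant as documentation of intent. Since this module is imported by every host, a one-line comment such as `# Key-only SSH on all hosts; see base for the accepted keys` would tell the next reader that this is fleet policy rather than a server tweak.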
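Review bot: `passwordFile = "/etc/upsmon.passwd"` points at a file that nothing in this change creates, so a fresh deployment ships upsd without a credential for the `upsmon` user until someone provisions it by hand, and it is the one secret on this host that bypasses the agenix setup introduced in the same change. Manage it like the restic password: add an `upsmon/password.age` under `secrets/`, declare `age.secrets."upsmon/password"` in the host, and use `passwordFile = config.age.secrets."upsmon/password".path;` (the module would then take `config` in its argument list). The `pkgs` argument is unused and can be dropped.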
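Review bot: Importing the `main` pool requires `networking.hostId`, which neither this module nor the `dnsc-server` host sets as far as this diff shows; the NixOS ZFS module asserts on a missing hostId, so unless `base` provides one it belongs next to `boot.zfs.extraPools`. `autoSnapshot.enable` only snapshots datasets carrying the `com.sun:auto-snapshot=true` property, which is not set anywhere here, so the share under `/main/share` gets no local snapshots until that property is applied on the pool; a comment such as `# Requires: zfs set com.sun:auto-snapshot=true main` would keep the module from looking safer than it is. `pkgs` is unused in this module.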
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 JIw3cQ u0VpHg/TVASeIVR7/mfbllXrlM71vNpqQhgnfya6vQY +HKopl3RT1S2+W1Sb95eFUhdH4Fh35KS5l6KLYyfdw/Y +-> ssh-ed25519 HufN+g Vfe9hzCZm69hjyk9S0/ZFbVkuvTe3nGbNw9BZfuiiAM +4H1Nfgd8usdv34RuCf3R3J+jyqHj4rnbNHmgkav7VDs +-> ssh-ed25519 cTYF0w H4NeFzgk/mTkEe6uPXutoh6r6wfpNS0SNJYUi1VNRgg +AAjgzAkbXLXBVLtMZAPfXOfgGnpgsF6DvH1BK/vW6E0 +--- rEeM9TuloOX1HuwGmtdxk+Mi+NnWYsHndCStBbCqSh4 +aǓ][&[|er'EZB?Hv4MrM E1fJrƫ% \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..cedfc8a --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,26 @@ +let + dnsc-air = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac"; + dnsc-vps-sm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/sUA38t7TI1LYADLBn898Hh0MTR4maiHVwEtDoN9W5 dnsc-vps-sm"; + dnsc-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3mkEgvHrwjsEReHQHpLbMP71JLvp6XxMPyW7PTaLCd dennis@dnsc-server"; + systems = [ + dnsc-air + dnsc-vps-sm + dnsc-server + ]; +in +{ + # Add like this: "secret1.age".publicKeys = systems; + "vaultwarden/env.age".publicKeys = systems; + "restic/password.age".publicKeys = systems; +} + +# 1. Create a file with secret +# nix run github:ryantm/agenix -- -e $FILE_PATH +# +# 2. Reference the file in NixOS config: +# { +# age.secrets.secret1.file = ../secrets/secret1.age; +# } +# +# 3. And use it like this: +# passwordFile = config.age.secrets.secret1.path; diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age new file mode 100644 index 0000000..0f82068 Binary files /dev/null and b/secrets/vaultwarden/env.age differ
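Review bot: Every secret is encrypted to `systems`, i.e. to all three keys, so the laptop key and the `dnsc-vps-sm` key can decrypt `restic/password.age` although only `dnsc-server` consumes it, and a compromise of any one machine exposes every secret in the repo. Scope recipients per secret, e.g. `"restic/password.age".publicKeys = [ dnsc-air dnsc-server ];` (the editing key plus the consuming host), and re-key with `agenix -r`. The `dnsc-server` entry is a user key (`dennis@dnsc-server`) rather than the host's `/etc/ssh/ssh_host_ed25519_key.pub`, which is the identity agenix decrypts with by default; whichever identity the host ends up using must be the one listed here. The usage comment should also note that `agenix -e` has to be run from this `secrets/` directory, where it looks for `secrets.nix`.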