Compare commits


33 commits

Author SHA1 Message Date
Antoine Martin 3e3d7153f9 services: nginx: fix acme option warning 2022-02-07 17:24:33 +01:00
Antoine Martin 565b33dd3e poseidon: setup agenix secrets 2022-02-07 17:16:52 +01:00
Antoine Martin 81193b919b poseidon: include personal modules in config 2022-02-07 17:11:56 +01:00
Antoine Martin 66006be931 home: tridactylrc: use tridactylrc-mode in emacs 2022-02-07 17:11:01 +01:00
Antoine Martin 8739ada74c ci: don't be so verbose 2022-02-07 16:06:11 +01:00
Antoine Martin d82c403da5 home: i3bar: i3status-rs no longer needs binaries 2022-02-07 15:00:11 +01:00
Antoine Martin c07edc8fd2 overlays: i3status-rust needs lm_sensors now 2022-02-07 14:59:57 +01:00
Antoine Martin 47c0008169 Revert "flake: add temp fix for broken PAM in unstable"
This reverts commit d5813bfdb6.

No longer necessary!
2022-02-07 14:28:11 +01:00
Antoine Martin 6fd28159a7 flake.lock: Update
Flake lock file changes:

• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/261aed7731d92414fcb29f09a9bb7d4ed41d9455' (2022-01-30)
  → 'github:nix-community/emacs-overlay/02d47fdf48e54598f9838f01a9d172bfa206b63e' (2022-02-07)
• Updated input 'home-manager':
    'github:nix-community/home-manager/acf824c9ed70f623b424c2ca41d0f6821014c67c' (2022-01-28)
  → 'github:nix-community/home-manager/63dccc4e60422c1db2c3929b2fd1541f36b7e664' (2022-02-04)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5bb20f9dc70e9ee16e21cc404b6508654931ce41' (2022-01-28)
  → 'github:NixOS/nixpkgs/9f697d60e4d9f08eacf549502528bfaed859d33b' (2022-02-05)
• Updated input 'nixpkgs-unstable-small':
    'github:NixOS/nixpkgs/709f7b3c61dfa01db3ddc7356620a9c319a429d1' (2022-01-30)
  → 'github:NixOS/nixpkgs/64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8' (2022-02-07)
2022-02-07 14:27:38 +01:00
Antoine Martin 994343705f add .gitignore 2022-02-02 17:49:59 +01:00
Antoine Martin 6afc0eb13a pkgs: spot: bump to 2.10.4 2022-02-02 11:15:28 +01:00
Antoine Martin d5813bfdb6 flake: add temp fix for broken PAM in unstable
See NixOS/nixpkgs#157112
2022-01-31 16:21:13 +01:00
Antoine Martin 5f8454285e base: nix: adapt renamed settings 2022-01-30 15:59:08 +01:00
Antoine Martin 9e511da8d7 flake.lock: Update
Flake lock file changes:

• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/dcdd04c92e9175c82087536fcde3daae21837a75' (2022-01-24)
  → 'github:nix-community/emacs-overlay/261aed7731d92414fcb29f09a9bb7d4ed41d9455' (2022-01-30)
• Updated input 'home-manager':
    'github:nix-community/home-manager/c47c350f6518ed39c2a16e4fadf9137b6c559ddc' (2022-01-22)
  → 'github:nix-community/home-manager/acf824c9ed70f623b424c2ca41d0f6821014c67c' (2022-01-28)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/689b76bcf36055afdeb2e9852f5ecdd2bf483f87' (2022-01-23)
  → 'github:NixOS/nixpkgs/5bb20f9dc70e9ee16e21cc404b6508654931ce41' (2022-01-28)
• Updated input 'nixpkgs-unstable-small':
    'github:NixOS/nixpkgs/4ad9f4e242df6a8babd3f3787a2cf8bbdc60a0fb' (2022-01-24)
  → 'github:NixOS/nixpkgs/709f7b3c61dfa01db3ddc7356620a9c319a429d1' (2022-01-30)
2022-01-30 13:30:25 +01:00
Antoine Martin 791d55253b flake.lock: Update
Flake lock file changes:

• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/4075922d23e44a2b4c73e8c08f8b008ec6391ef2' (2022-01-20)
  → 'github:nix-community/emacs-overlay/dcdd04c92e9175c82087536fcde3daae21837a75' (2022-01-24)
• Updated input 'home-manager':
    'github:nix-community/home-manager/7eb5106548eaab99ebeb21c87f93092de54fe931' (2022-01-20)
  → 'github:nix-community/home-manager/c47c350f6518ed39c2a16e4fadf9137b6c559ddc' (2022-01-22)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/6d8215281b2f87a5af9ed7425a26ac575da0438f' (2022-01-19)
  → 'github:NixOS/nixpkgs/689b76bcf36055afdeb2e9852f5ecdd2bf483f87' (2022-01-23)
• Updated input 'nixpkgs-unstable-small':
    'github:NixOS/nixpkgs/1c0f3cd8dfb451fcde1e164426ef9211f7c595c1' (2022-01-20)
  → 'github:NixOS/nixpkgs/4ad9f4e242df6a8babd3f3787a2cf8bbdc60a0fb' (2022-01-24)
2022-01-24 13:24:59 +01:00
Antoine Martin 096c2abb02 secrets: list secrets used on host explicitly 2022-01-21 01:40:53 +01:00
Antoine Martin 8881850730 home: fix home-manager setting double definition 2022-01-21 01:05:42 +01:00
Antoine Martin 3958162fe0 flake.lock: Update
Flake lock file changes:

• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/cdd347f1b966415c5473b3e3f4640c0d0fd13b55' (2022-01-16)
  → 'github:nix-community/emacs-overlay/4075922d23e44a2b4c73e8c08f8b008ec6391ef2' (2022-01-20)
• Updated input 'home-manager':
    'github:nix-community/home-manager/46bba772f26f89b62811f487d2b0d5357c91bc32' (2022-01-16)
  → 'github:nix-community/home-manager/7eb5106548eaab99ebeb21c87f93092de54fe931' (2022-01-20)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5aaed40d22f0d9376330b6fa413223435ad6fee5' (2022-01-13)
  → 'github:NixOS/nixpkgs/6d8215281b2f87a5af9ed7425a26ac575da0438f' (2022-01-19)
• Updated input 'nixpkgs-unstable-small':
    'github:NixOS/nixpkgs/0a223c8d509cea6b4be3906f9c39820ff195fad2' (2022-01-15)
  → 'github:NixOS/nixpkgs/1c0f3cd8dfb451fcde1e164426ef9211f7c595c1' (2022-01-20)
2022-01-21 00:47:21 +01:00
Antoine Martin 1d2de38dd2 ci: shorten workflow titles to fit in UI 2022-01-21 00:41:24 +01:00
Antoine Martin ceac41132e boreal: get rid of git crypt secrets for this host
Also move to restic-backup
2022-01-21 00:31:41 +01:00
Antoine Martin 38fb614309 base: disable wifi when on ethernet 2022-01-18 15:09:23 +01:00
Antoine Martin 94a1f76ad6 zephyrus: ensure home is mounted for agenix 2022-01-18 14:40:33 +01:00
Antoine Martin 562701109f home: i3bar: remove bluetooth mouse item 2022-01-18 12:03:55 +01:00
Antoine Martin c712d25398 ci: build nixos configurations 2022-01-18 11:59:00 +01:00
Antoine Martin a83c9a4644 secrets: move hashed passwords to agenix 2022-01-18 11:41:37 +01:00
Antoine Martin e5d6210912 zephyrus: don't depend on git-crypt secrets at all 2022-01-18 11:20:25 +01:00
Antoine Martin 0589894ec6 zephyrus: configure timer for backup service 2022-01-18 09:05:36 +01:00
Antoine Martin 1d0fd8d461 services: restic: allow configuring timer 2022-01-18 09:05:22 +01:00
Antoine Martin 56f84fcb36 hosts: fix backup exclude wildcard 2022-01-17 23:39:45 +01:00
Antoine Martin b0c90137dd base: ignore lid switch on laptop 2022-01-17 22:02:26 +01:00
Antoine Martin c3fcb0154f zephyrus: setup restic backup with agenix secrets 2022-01-17 22:01:35 +01:00
Antoine Martin a0ead30194 services: restic: support custom secret filepaths 2022-01-17 21:57:00 +01:00
Antoine Martin c4fe135612 secrets: setup agenix 2022-01-17 21:56:41 +01:00
38 changed files with 340 additions and 96 deletions


@ -1,13 +1,16 @@
name: "Build packages for cachix" name: "Populate Cachix binary cache"
on: on:
push: push:
paths: paths:
- '**.nix'
- '**.age'
- 'pkgs/**' - 'pkgs/**'
- 'flake.nix' - 'flake.nix'
- 'flake.lock' - 'flake.lock'
- '.github/workflows/*' - '.github/workflows/*'
jobs: jobs:
build: build-pkgs:
name: Nix packages
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
@ -32,4 +35,29 @@ jobs:
extraPullNames: "nix-community" extraPullNames: "nix-community"
- name: Build package - name: Build package
run: nix build --verbose -L .#"${{ matrix.name }}" run: nix build -L .#"${{ matrix.name }}"
build-configs:
name: NixOS configs
runs-on: ubuntu-latest
needs: [ build-pkgs ]
strategy:
matrix:
name:
- boreal
- zephyrus
steps:
- uses: actions/checkout@v2
- uses: cachix/install-nix-action@v16
- uses: cachix/cachix-action@v10
with:
name: alarsyo
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: "nix-community"
- name: Build package
run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel
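Review bot: The new build-configs job references its actions by mutable tags (`actions/checkout@v2`, `cachix/install-nix-action@v16`, `cachix/cachix-action@v10`) while holding `secrets.CACHIX_AUTH_TOKEN`, so whoever can move one of those tags can run code with push access to the alarsyo cache that the hosts trust through `trusted-public-keys` elsewhere in this compare. Pinning each `uses:` to a full commit SHA (with the tag kept in a trailing comment) removes that dependency; the build-pkgs job's steps sit outside the hunk but presumably need the same treatment. The step name `Build package` was also carried over from build-pkgs; `- name: Build NixOS configuration` says what this job actually does.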

.gitignore vendored

@ -0,0 +1 @@
/result


@ -26,6 +26,8 @@ in
xkbVariant = "us"; xkbVariant = "us";
libinput.enable = true; libinput.enable = true;
}; };
logind.lidSwitch = "ignore";
}; };
environment.systemPackages = builtins.attrValues { environment.systemPackages = builtins.attrValues {
@ -53,7 +55,40 @@ in
inherit (pkgs.unstable) discord; inherit (pkgs.unstable) discord;
}; };
networking.networkmanager.enable = true; networking.networkmanager = {
enable = true;
dispatcherScripts = [
{
source =
let
grep = "${pkgs.gnugrep}/bin/grep";
nmcli = "${pkgs.networkmanager}/bin/nmcli";
in pkgs.writeShellScript "disable_wifi_on_ethernet" ''
export LC_ALL=C
enable_disable_wifi ()
{
result=$(${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected")
if [ -n "$result" ]; then
${nmcli} radio wifi off
else
${nmcli} radio wifi on
fi
}
if [ "$2" = "up" ]; then
enable_disable_wifi
fi
if [ "$2" = "down" ]; then
enable_disable_wifi
fi
'';
type = "basic";
}
];
};
programs.nm-applet.enable = true; programs.nm-applet.enable = true;
programs.steam.enable = true; programs.steam.enable = true;
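Review bot: The two `if [ "$2" = ... ]` blocks at the end of the dispatcher script call the same function and collapse into one test, `if [ "$2" = "up" ] || [ "$2" = "down" ]; then enable_disable_wifi; fi`. The detection greps the whole `nmcli dev` table for `ethernet` and then `connected`, so a device or connection name that happens to contain either word would also satisfy it; querying only the type and state columns would make the match exact. The script runs as root for every interface event, including the wifi interface's own up/down, which appears to be the intended feedback loop — a one-line comment above `enable_disable_wifi` saying so would spare the next reader the analysis.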


@ -8,15 +8,16 @@
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
trustedUsers = [ "@wheel" ]; settings = {
trusted-users = [ "@wheel" ];
binaryCaches = [ substituters = [
"https://alarsyo.cachix.org" "https://alarsyo.cachix.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
]; ];
binaryCachePublicKeys = [ trusted-public-keys = [
"alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
]; ];
}; };
};
} }
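Review bot: `trusted-users = [ "@wheel" ]` deserves a comment, because a trusted user can hand the daemon arbitrary `substituters` and `trusted-public-keys` per build and thereby bypass the list pinned just below it; on a shared host that is equivalent to root. A line such as `# trusted-users may override substituters/keys per build — effectively root; acceptable on a single-user workstation` next to it records that this is deliberate rather than an oversight.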


@ -53,6 +53,8 @@
# nix pkgs lookup # nix pkgs lookup
nix-index nix-index
agenix
; ;
inherit (pkgs.llvmPackages_11) inherit (pkgs.llvmPackages_11)


@ -5,10 +5,10 @@ in
{ {
users.mutableUsers = false; users.mutableUsers = false;
users.users.root = { users.users.root = {
hashedPassword = secrets.shadow-hashed-password-root; passwordFile = config.age.secrets."users/root-hashed-password".path;
}; };
users.users.alarsyo = { users.users.alarsyo = {
hashedPassword = secrets.shadow-hashed-password-alarsyo; passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
"media" "media"


@ -1,12 +1,30 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1641576265,
"narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "08b9c96878b2f9974fc8bde048273265ad632357",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"emacs-overlay": { "emacs-overlay": {
"locked": { "locked": {
"lastModified": 1642358862, "lastModified": 1644230579,
"narHash": "sha256-tttyyXdpOQYxFG3HkOOcK0dFxBpdaeWHRrIWWnQRZYA=", "narHash": "sha256-/3v0jBKY1QJPK6cdO0fZl+xK5E+GZhHcbgWb7RoFEN4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "cdd347f1b966415c5473b3e3f4640c0d0fd13b55", "rev": "02d47fdf48e54598f9838f01a9d172bfa206b63e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,11 +57,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1642372264, "lastModified": 1643933104,
"narHash": "sha256-SRnw7qcHmvUBxby925Vm+nhPqq7YVs1qquNqv7TRyVY=", "narHash": "sha256-NZPuFxRsZKN8pjRuHPpzlMyt6JQhcjiduBG8bMghSjE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "46bba772f26f89b62811f487d2b0d5357c91bc32", "rev": "63dccc4e60422c1db2c3929b2fd1541f36b7e664",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -71,27 +89,24 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1642104392, "lastModified": 1618628710,
"narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
"owner": "NixOS", "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
"repo": "nixpkgs", "rev": "7919518f0235106d050c77837df5e338fb94de5d",
"rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", "type": "path"
"type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "id": "nixpkgs",
"ref": "nixos-unstable", "type": "indirect"
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-unstable-small": { "nixpkgs-unstable-small": {
"locked": { "locked": {
"lastModified": 1642285376, "lastModified": 1644225686,
"narHash": "sha256-LfZBVKCrPOx5k9pUoJlRsBvdz7yn1qYHenCKuqwwFGo=", "narHash": "sha256-XDslFfn44H93WjGytIhrPSduGIug1p4cPN/cEuHdIBI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0a223c8d509cea6b4be3906f9c39820ff195fad2", "rev": "64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -101,13 +116,30 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1644033087,
"narHash": "sha256-beskas17YPhrcnanzywake9/z+k+xOWmavW24YUN8ng=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9f697d60e4d9f08eacf549502528bfaed859d33b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"emacs-overlay": "emacs-overlay", "emacs-overlay": "emacs-overlay",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable-small": "nixpkgs-unstable-small" "nixpkgs-unstable-small": "nixpkgs-unstable-small"
} }
} }


@ -15,6 +15,12 @@
ref = "nixos-unstable-small"; ref = "nixos-unstable-small";
}; };
agenix = {
type = "github";
owner = "ryantm";
repo = "agenix";
};
emacs-overlay = { emacs-overlay = {
type = "github"; type = "github";
owner = "nix-community"; owner = "nix-community";
@ -45,7 +51,7 @@
}; };
}; };
outputs = { self, nixpkgs, home-manager, ... } @inputs: { outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: {
nixosModules = { nixosModules = {
home = { home = {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
@ -74,9 +80,13 @@
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
}; };
}) })
agenix.overlay
] ++ builtins.attrValues self.overlays; ] ++ builtins.attrValues self.overlays;
sharedModules = [ sharedModules = [
agenix.nixosModules.age
home-manager.nixosModule home-manager.nixosModule
{ nixpkgs.overlays = shared_overlays; } { nixpkgs.overlays = shared_overlays; }
] ++ (nixpkgs.lib.attrValues self.nixosModules); ] ++ (nixpkgs.lib.attrValues self.nixosModules);
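Review bot: The new `agenix` input does not set `inputs.nixpkgs.follows = "nixpkgs";`, so agenix brings its own nixpkgs — the flake.lock section of this same compare shows it as a separate `nixpkgs` node locked to a `/nix/store/...-source` path while the root's nixpkgs moved to `nixpkgs_2`. Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix = { ... }` block keeps a single nixpkgs and avoids a lock entry that may only resolve on the machine that produced it. The `outputs` function continues outside the hunk.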


@ -12,7 +12,6 @@
./laptop.nix ./laptop.nix
./lorri.nix ./lorri.nix
./rofi.nix ./rofi.nix
./secrets
./ssh.nix ./ssh.nix
./themes ./themes
./tmux.nix ./tmux.nix


@ -16,7 +16,6 @@ in
services.lorri.enable = true; services.lorri.enable = true;
programs.direnv = { programs.direnv = {
enable = true; enable = true;
enableFishIntegration = true;
# FIXME: proper file, not lorri.nix # FIXME: proper file, not lorri.nix
nix-direnv = { nix-direnv = {
enable = true; enable = true;


@ -1,19 +0,0 @@
{ lib, ... }:
let
inherit (lib)
fileContents
mkOption
types
;
in
{
options.my.secrets = mkOption {
type = types.attrs;
};
config.my.secrets = {
# I'm not sure hiding this is very important, but it *seems* like a bad idea
# to expose this
bluetooth-mouse-mac-address = fileContents ./bluetooth-mouse-mac-address.secret;
};
}


@ -1,3 +1,5 @@
" -*- tridactylrc -*-
" This wipes all existing settings. This means that if a setting in this file is " This wipes all existing settings. This means that if a setting in this file is
" removed, then it will return to default. In other words, this file serves as " removed, then it will return to default. In other words, this file serves as
" as an enforced single point of truth for Tridactyl's configuration. " as an enforced single point of truth for Tridactyl's configuration.


@ -35,8 +35,7 @@ in
config = mkIf isEnabled { config = mkIf isEnabled {
home.packages = builtins.attrValues { home.packages = builtins.attrValues {
inherit (pkgs) inherit (pkgs)
iw # Used by `net` block # FIXME: is this useful?
lm_sensors # Used by `temperature` block
font-awesome font-awesome
; ;
}; };
@ -105,12 +104,6 @@ in
block = "networkmanager"; block = "networkmanager";
primary_only = true; primary_only = true;
} }
{
block = "bluetooth";
mac = config.my.secrets.bluetooth-mouse-mac-address;
hide_disconnected = true;
format = "{percentage}";
}
{ {
block = "sound"; block = "sound";
driver = "pulseaudio"; driver = "pulseaudio";


@ -3,15 +3,14 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let
secrets = config.my.secrets;
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./home.nix ./home.nix
./secrets.nix
]; ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
@ -46,17 +45,12 @@ in
# List services that you want to enable: # List services that you want to enable:
my.services = { my.services = {
borg-backup = { restic-backup = {
enable = true; enable = true;
repo = secrets.borg-backup.boreal-repo; repo = "b2:boreal-backup";
# for a workstation, having backups spanning the last month should be passwordFile = config.age.secrets."restic-backup/boreal-password".path;
# enough environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
prune = {
keep = {
daily = 7;
weekly = 4;
};
};
paths = [ paths = [
"/home/alarsyo" "/home/alarsyo"
]; ];
@ -64,7 +58,7 @@ in
"/home/alarsyo/Downloads" "/home/alarsyo/Downloads"
# Rust builds using half my storage capacity # Rust builds using half my storage capacity
"/home/alarsyo/*/target" "/home/alarsyo/**/target"
"/home/alarsyo/work/rust/build" "/home/alarsyo/work/rust/build"
# don't backup nixpkgs # don't backup nixpkgs
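Review bot: Switching boreal from `borg-backup` to `restic-backup` drops the explicit `prune` block (daily = 7, weekly = 4) that the removed comment justified for a workstation, so retention silently falls back to the restic module's defaults (a `monthly = 6;` default is visible in the module hunk further down this compare). If the month-long window is still the intent, restore `prune.keep = { daily = 7; weekly = 4; };` under `restic-backup`, or state the new policy in a comment where the old one was. The `my.services` attribute set continues past the hunk.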

hosts/boreal/secrets.nix Normal file

@ -0,0 +1,19 @@
{ config, lib, options, ... }:
{
config.age = {
secrets =
let
toSecret = name: { ... }@attrs: {
file = ./../../modules/secrets + "/${name}.age";
} // attrs;
in
lib.mapAttrs toSecret {
"restic-backup/boreal-credentials" = {};
"restic-backup/boreal-password" = {};
"users/alarsyo-hashed-password" = {};
"users/root-hashed-password" = {};
};
};
}
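Review bot: This `toSecret` helper and the `config.age.secrets = lib.mapAttrs ...` wrapper are repeated verbatim in hosts/poseidon/secrets.nix and hosts/zephyrus/secrets.nix with only the name list differing; a shared function in modules/secrets taking the list of names would remove the three copies. `config` and `options` in the module arguments are unused here, and `./../../modules/secrets` can be written `../../modules/secrets`. Since no `owner` or `mode` is given, the decrypted files presumably keep agenix's root-only defaults, which is what the root-run activation and the restic service need — a one-line comment stating that would save the next reader from checking.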


@ -12,6 +12,7 @@ in
./hardware-configuration.nix ./hardware-configuration.nix
./home.nix ./home.nix
./secrets.nix
]; ];
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.


@ -0,0 +1,16 @@
{ config, lib, options, ... }:
{
config.age = {
secrets =
let
toSecret = name: { ... }@attrs: {
file = ./../../modules/secrets + "/${name}.age";
} // attrs;
in
lib.mapAttrs toSecret {
"users/alarsyo-hashed-password" = {};
"users/root-hashed-password" = {};
};
};
}


@ -3,14 +3,12 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let
secrets = config.my.secrets;
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./home.nix ./home.nix
./secrets.nix
]; ];
boot.kernelPackages = pkgs.linuxPackages; boot.kernelPackages = pkgs.linuxPackages;
@ -43,6 +41,39 @@ in
tailscale.enable = true; tailscale.enable = true;
pipewire.enable = true; pipewire.enable = true;
restic-backup = {
enable = true;
repo = "b2:zephyrus-backup";
passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
timerConfig = {
OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
};
paths = [
"/home/alarsyo"
];
exclude = [
"/home/alarsyo/Downloads"
# Rust builds using half my storage capacity
"/home/alarsyo/**/target"
"/home/alarsyo/work/rust/build"
# don't backup nixpkgs
"/home/alarsyo/work/nixpkgs"
# C build crap
"*.a"
"*.o"
"*.so"
# ignore all dotfiles as .config and .cache can become quite big
"/home/alarsyo/.*"
];
};
}; };
services = { services = {
@ -53,6 +84,11 @@ in
}; };
}; };
fwupd.enable = true; fwupd.enable = true;
openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
}; };
my.gui.enable = true; my.gui.enable = true;
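Review bot: The new `openssh` block turns off `passwordAuthentication` but leaves keyboard-interactive (PAM) authentication at the module default, which can still accept a password through PAM; set the matching option (`challengeResponseAuthentication = false;` on this nixpkgs generation) next to it. Separately, the backup's `exclude` entry `"/home/alarsyo/.*"` drops `~/.ssh`, which holds the `id_ed25519` key added to `age.identityPaths` in this same compare; if that key is not backed up elsewhere, a restore would lose the ability to decrypt the user-keyed secrets, so either exclude more narrowly or note where the key is kept. The `services` block opens in the previous hunk.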


@ -29,6 +29,7 @@ in
{ device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642"; { device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@home" "compress=zstd" "noatime" ]; options = [ "subvol=@home" "compress=zstd" "noatime" ];
neededForBoot = true; # agenix needs my key for some root secrets
}; };
fileSystems."/nix" = fileSystems."/nix" =


@ -0,0 +1,19 @@
{ config, lib, options, ... }:
{
config.age = {
secrets =
let
toSecret = name: { ... }@attrs: {
file = ./../../modules/secrets + "/${name}.age";
} // attrs;
in
lib.mapAttrs toSecret {
"restic-backup/zephyrus-credentials" = {};
"restic-backup/zephyrus-password" = {};
"users/alarsyo-hashed-password" = {};
"users/root-hashed-password" = {};
};
};
}


@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./sddm.nix ./sddm.nix
./secrets
./wakeonwlan.nix ./wakeonwlan.nix
]; ];
} }


@ -0,0 +1,9 @@
{ config, lib, options, ... }:
{
config.age = {
identityPaths = options.age.identityPaths.default ++ [
"/home/alarsyo/.ssh/id_ed25519"
];
};
}
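Review bot: Adding `/home/alarsyo/.ssh/id_ed25519` to `age.identityPaths` makes root's activation read a user-owned private key, yet every entry in modules/secrets/secrets.nix in this compare already lists the host's own key (`boreal`, `poseidon`, `zephyrus`), so the host key alone should decrypt everything. If some host does need it, a comment naming that secret would justify both this line and the `neededForBoot = true` now placed on zephyrus's /home; if not, dropping it keeps root secrets decryptable only by the host key and removes the boot-time dependency on the user's home directory.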


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro
21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks
-> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM
ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg
-> u5-grease
MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm
fg
--- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw
ŒÙúDíï° ´&…<QØ+¨úþéJoTÇ;US9.©âu'v¸œ,‘Ä@“úÿQKcëÛzÑ>v¢€ÃN1±tòÚ8w<˜Îò“w­°d<C2B0><64>>sG_øæÆšyø„u,þÅ%@J hñ"†Ev‡ÙX

Binary file not shown.


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k
+U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U
-> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4
YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc
-> (aAM-grease j{6WJ 3C&
Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA
8ODR4G4ax6ZY13O+qjc
--- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0
]#z…ƒãp¢¶X7Ó™ ¼1mê%wýFÒ 4õÒسÄcp+Q2¹ú“<C3BA>×ì¢pmxx>ňœ)Eô;~äî<>¢ÔsÆx[S$z¥¨&øžùrBSVÄz­ÿ÷þ\SXøærdö×\ÜóŠ5Tªfÿ|¿ô


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE
CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY
-> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc
polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c
-> Jt-grease rX6~
RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8
--- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4
ƒ*@ò-úñæÀ£’¬…9ÂÜpMDŸ¸™I{ázüke°K);‰ü+úU¥îñOZâ{ÙB Sx/ÑLI¡”G «9—‰ ”þ1É:Yݽ°4x:K—f¹Žqö9ï˜a¥Oº[jNåÇXq¡,âÏæZü=*˜'€'tׄƒÍ ²ˆö¿!vWòÛ6nÅéG&QwõÚG


@ -0,0 +1,21 @@
let
alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
users = [ alarsyo ];
boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
machines = [ boreal poseidon zephyrus ];
all = users ++ machines;
in
{
"restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
"restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
"restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
"restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
"users/root-hashed-password.age".publicKeys = machines;
"users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
}
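Review bot: `all = users ++ machines;` is bound but never used in the attribute set below; either drop it or use it for the secrets that should be readable everywhere. The `users/root-hashed-password.age` entry lists `machines` only, which means the workstation key cannot open or re-key it and editing must happen on one of the hosts — a reasonable choice, but worth a comment such as `# root hash is host-only on purpose: re-key it from one of the machines`.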

Binary file not shown.

Binary file not shown.


@ -10,6 +10,7 @@ final: prev:
buildInputs = builtins.attrValues { buildInputs = builtins.attrValues {
inherit (final) inherit (final)
dbus dbus
lm_sensors
openssl openssl
pulseaudio pulseaudio
; ;


@ -3,7 +3,7 @@
, python3 , python3
}: }:
let let
version = "2.10.3"; version = "2.10.4";
in in
stdenv.mkDerivation { stdenv.mkDerivation {
inherit version; inherit version;
@ -15,6 +15,6 @@ stdenv.mkDerivation {
src = fetchurl { src = fetchurl {
url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz"; url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz";
sha256 = "sha256-iX6VSGFzdI8rZe7L2ZojS39od/IYboaNp6zlZxgEAZ8="; sha256 = "sha256-6GKc22zOgwd4JpYM0B7OUhPar5ooPW9iqvaa+gYjR4o=";
}; };
} }


@ -5,6 +5,9 @@
# Default configuration # Default configuration
./base ./base
# Module definitions
./modules
# Service definitions # Service definitions
./services ./services


@ -5,6 +5,5 @@ let
; ;
in in
{ {
boreal-repo = fileContents ./boreal-repo.secret;
poseidon-repo = fileContents ./poseidon-repo.secret; poseidon-repo = fileContents ./poseidon-repo.secret;
} }


@ -44,7 +44,7 @@ in
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
email = "antoine97.martin@gmail.com"; defaults.email = "antoine97.martin@gmail.com";
certs = certs =
let let


@ -11,7 +11,6 @@ let
; ;
cfg = config.my.services.restic-backup; cfg = config.my.services.restic-backup;
secrets = config.my.secrets;
excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude)); excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
makePruneOpts = pruneOpts: makePruneOpts = pruneOpts:
attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts; attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
@ -62,6 +61,23 @@ in {
monthly = 6; monthly = 6;
}; };
}; };
passwordFile = mkOption {
type = types.str;
default = "/root/restic/password";
};
environmentFile = mkOption {
type = types.str;
default = "/root/restic/creds";
};
timerConfig = mkOption {
type = types.attrsOf types.str;
default = {
OnCalendar = "daily";
};
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -73,15 +89,13 @@ in {
paths = cfg.paths; paths = cfg.paths;
repository = cfg.repo; repository = cfg.repo;
passwordFile = "/root/restic/password"; passwordFile = cfg.passwordFile;
environmentFile = "/root/restic/creds"; environmentFile = cfg.environmentFile;
extraBackupArgs = [ "--verbose=2" ] extraBackupArgs = [ "--verbose=2" ]
++ optional (builtins.length cfg.exclude != 0) excludeArg; ++ optional (builtins.length cfg.exclude != 0) excludeArg;
timerConfig = { timerConfig = cfg.timerConfig;
OnCalendar = "daily";
};
pruneOpts = makePruneOpts cfg.prune; pruneOpts = makePruneOpts cfg.prune;
}; };
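Review bot: The three new options `passwordFile`, `environmentFile` and `timerConfig` carry no `description`; add for example `description = "Path to a file holding the restic repository password; read at runtime, never copied to the store.";`, `description = "Path to an environment file with the repository credentials (e.g. the b2 keys).";` and `description = "systemd timer settings for the backup unit, forwarded to the restic backup definition below.";`. Keeping `types.str` rather than `types.path` for the two file options is the right call for secrets, since a path literal would be copied into the world-readable store — a short comment saying so stops someone from "fixing" it later. The options set and the config block both continue outside these hunks.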


@ -10,9 +10,6 @@
# Service definitions # Service definitions
./services ./services
# Configuration secrets
./secrets
# Host-specific config # Host-specific config
./hosts/zephyrus ./hosts/zephyrus
]; ];