From d5d7aa7105aa7b595ba7878d0ee33d3096788f96 Mon Sep 17 00:00:00 2001 From: albert <albert@sysctl.io> Date: Tue, 14 Jan 2025 14:58:35 -0800 Subject: [PATCH] Testing btrfs and other fixes --- lib/default.nix | 4 +- nixos/common/packages/default.nix | 2 - nixos/common/services/ollama.nix | 6 +-- nixos/containers/bfl-rdesktop/default.nix | 22 ---------- nixos/containers/bfl-rdesktop/mounts.nix | 15 ------- nixos/default.nix | 22 ++-------- nixos/hosts/framework13/default.nix | 8 ---- nixos/hosts/framework16/default.nix | 9 ++++- nixos/hosts/framework16/disks.nix | 3 +- nixos/hosts/nuc-server/containers.nix | 28 ------------- nixos/hosts/nuc-server/default.nix | 1 - nixos/minimal.nix | 23 ----------- nixos/small.nix | 49 +++++++++++++++++++++++ nixos/users/jared/desktop.nix | 11 ----- secrets/secrets.yaml | 10 ++++- 15 files changed, 76 insertions(+), 137 deletions(-) delete mode 100644 nixos/containers/bfl-rdesktop/default.nix delete mode 100644 nixos/containers/bfl-rdesktop/mounts.nix delete mode 100644 nixos/hosts/nuc-server/containers.nix delete mode 100644 nixos/minimal.nix delete mode 100644 nixos/users/jared/desktop.nix diff --git a/lib/default.nix b/lib/default.nix index 2e76e557..b2a3e156 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -4,13 +4,15 @@ system ? "x86_64-linux", username ? "albert" }: { + # user = "deploy"; user = "root"; + # sshUser = "deploy"; sshUser = "${username}"; hostname = "${hostname}"; sshOpts = [ "-A" "-q"]; profiles = { - system.path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostname}; + system.path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostname}; home-manager.path = inputs.deploy-rs.lib.${system}.activate.home-manager self.homeConfigurations."${username}@${hostname}"; home-manager.user = "${username}"; }; diff --git a/nixos/common/packages/default.nix b/nixos/common/packages/default.nix index 1c552d56..49c229b0 100644 --- a/nixos/common/packages/default.nix 
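Review bot: The two new commented-out lines `# user = "deploy";` and `# sshUser = "deploy";` leave the intended switch to a deploy account as dead config with no note on why it is disabled. As far as I recall deploy-rs distinguishes `sshUser` (the SSH login) from `user` (the account the profile is activated as), and the `system` profile can only be activated as root, so `user = "deploy"` would not be a workable variant anyway; the form that could work is `sshUser = "deploy"` with `user = "root"` kept and passwordless sudo on the target. Either drop the two lines or replace them with a note that says so, e.g. `# TODO: sshUser = "deploy" once every host grants the deploy account non-interactive sudo`.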
+++ b/nixos/common/packages/default.nix @@ -1,6 +1,4 @@ { pkgs, ... }: { - imports = [ ./small.nix ]; - # List packages installed in system profile environment.systemPackages = with pkgs; [ dig # DNS utilities diff --git a/nixos/common/services/ollama.nix b/nixos/common/services/ollama.nix index aaf8ee07..a5e0c96a 100644 --- a/nixos/common/services/ollama.nix +++ b/nixos/common/services/ollama.nix @@ -1,14 +1,14 @@ { pkgs, ... }: { environment.systemPackages = [ - pkgs.oterm + pkgs.oterm # A text based client for Ollama ]; services.ollama = { enable = true; - openFirewall = true; + openFirewall = false; loadModels = [ - "vanilj/Phi-4" + "Phi4" "qwen2.5-coder:3b" "qwen2.5-coder:0.5b" ]; diff --git a/nixos/containers/bfl-rdesktop/default.nix b/nixos/containers/bfl-rdesktop/default.nix deleted file mode 100644 index 8e2d4aa9..00000000 --- a/nixos/containers/bfl-rdesktop/default.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ pkgs, desktop, username, ... }: { - imports = [ - ../../users/${username} - ../../users/jared - ../../common/desktops/${desktop} - ../../common/packages - ../../common/modules/fonts.nix - ../../common/software/cli/scripts.nix - ]; - - hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-module-xrdp ]; - - services.xrdp = { - enable = true; - openFirewall = true; - audio = { - enable = true; - package = pkgs.pulseaudio-module-xrdp; - }; - }; - -} diff --git a/nixos/containers/bfl-rdesktop/mounts.nix b/nixos/containers/bfl-rdesktop/mounts.nix deleted file mode 100644 index 5cd1c7af..00000000 --- a/nixos/containers/bfl-rdesktop/mounts.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - "/etc/nixos/git" = { - hostPath = "/etc/nixos/git"; - mountPoint = "/etc/nixos/git"; - isReadOnly = false; - }; - "/home/albert/.ssh/id_ed25519" = { - mountPoint = "/home/albert/.ssh/id_ed25519"; - isReadOnly = true; - }; - "/home/albert/.ssh/id_ed25519.pub" = { - mountPoint = "/home/albert/.ssh/id_ed25519.pub"; - isReadOnly = true; - }; -} 
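Review bot: The renamed entry `"Phi4"` in `loadModels` does not match the Ollama library's lowercase tag `phi4`; if the Ollama version in use normalizes case this is cosmetic, otherwise the pull fails at service start, so the lowercase spelling is the safer one. All three entries are mutable registry tags that are fetched at service start without any pinning, which is the supply-chain caveat worth a comment here, e.g. `# models are pulled by tag from the public registry on start; pin by digest (name@sha256:...) if reproducibility matters`. Closing the firewall is the right default; keep in mind it does nothing for listeners on other interfaces configured elsewhere.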
diff --git a/nixos/default.nix b/nixos/default.nix index 7c9aa819..803ea39f 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -1,30 +1,16 @@ { inputs, lib, hostname, username, desktop, ... }: { imports = [ # Modules - inputs.disko.nixosModules.disko - + ./small.nix + # Services - ./common/services/openssh.nix - ./common/services/promtail.nix - ./common/services/fail2ban.nix - ./common/services/telegraf.nix - ./common/services/tailscale.nix ./common/services/gnupg-agent.nix ./common/services/opensnitch.nix # Software - ./common/software/cli/scripts.nix ./common/packages # NixOS Modules - ./common/modules/fonts.nix # Font Configs - ./common/modules/networking.nix # Initial Networking configs - ./common/modules/nixos.nix # NixOS related items - ./common/modules/remote-builders.nix # Add remote builders - - ./users/${username} - ./hosts/${hostname} - ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop}; - - programs.fish.enable = true; + ./common/modules/fonts.nix + ]; } diff --git a/nixos/hosts/framework13/default.nix b/nixos/hosts/framework13/default.nix index 34db0439..4b1f97bc 100644 --- a/nixos/hosts/framework13/default.nix +++ b/nixos/hosts/framework13/default.nix @@ -12,15 +12,7 @@ # ../../common/services/podman.nix ../../common/services/geoclue.nix ../../common/services/syncthing.nix - # ../../common/services/ollama.nix ]; - # TODO: Fix this - environment.variables = { - MOZ_ENABLE_WAYLAND = 1; - NIXOS_OZONE_WL = "1"; - }; - services.ollama.acceleration = "rocm"; - services.ollama.package = pkgs.ollama-rocm; hardware.bluetooth.enable = true; # enables support for Bluetooth hardware.bluetooth.powerOnBoot = true; # powers up the default Bluetooth controller on boot diff --git a/nixos/hosts/framework16/default.nix b/nixos/hosts/framework16/default.nix index 042359f1..e4c65347 100644 --- a/nixos/hosts/framework16/default.nix +++ b/nixos/hosts/framework16/default.nix 
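Review bot: The import list drops `openssh.nix`, `fail2ban.nix`, `promtail.nix`, `telegraf.nix`, `tailscale.nix`, `networking.nix`, `nixos.nix`, `remote-builders.nix`, the disko module and the `./users/${username}` / `./hosts/${hostname}` entries in favour of `./small.nix`, but only the tail of small.nix is in this patch, so I cannot confirm it re-imports all of them. The ones with no obvious "small" counterpart, fail2ban, promtail, telegraf and remote-builders, deserve an explicit check, because losing SSH brute-force protection and log shipping on a full host would be silent. A one-line comment on the new import naming what small.nix covers, e.g. `./small.nix # openssh, fail2ban, tailscale, networking, users, hosts`, would make the split auditable from this file.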
@@ -13,10 +13,15 @@ ../../common/services/geoclue.nix ../../common/services/syncthing.nix ../../common/services/ollama.nix + ../../common/services/btrbk.nix ]; - services.ollama.acceleration = "rocm"; - services.ollama.package = pkgs.ollama-rocm; + services.ollama = { + acceleration = "rocm"; + package = pkgs.ollama-rocm; + rocmOverrideGfx = "10.3.1"; + }; + hardware.bluetooth.enable = true; # enables support for Bluetooth hardware.bluetooth.powerOnBoot = true; # powers up the default Bluetooth controller on boot diff --git a/nixos/hosts/framework16/disks.nix b/nixos/hosts/framework16/disks.nix index 004e1ecd..4c4a5f5c 100644 --- a/nixos/hosts/framework16/disks.nix +++ b/nixos/hosts/framework16/disks.nix @@ -13,7 +13,8 @@ services.btrfs.autoScrub.interval = "weekly"; boot.resumeDevice = "/dev/mapper/ROOT"; - # https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/ + # https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/ + # Also in Logseq "BTRFS Offset on NixOS for Swap" boot.kernelParams = [ "resume_offset=533760" ]; disko.devices.disk.nvme0n1 = { diff --git a/nixos/hosts/nuc-server/containers.nix b/nixos/hosts/nuc-server/containers.nix deleted file mode 100644 index 7d634803..00000000 --- a/nixos/hosts/nuc-server/containers.nix +++ /dev/null 
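Review bot: `rocmOverrideGfx = "10.3.1"` makes ROCm treat the GPU as a different ISA (the option sets `HSA_OVERRIDE_GFX_VERSION`), which is a silent workaround that needs a why-comment naming the actual GPU and the reason, e.g. `rocmOverrideGfx = "10.3.1"; # <GPU model> is not an officially supported ROCm target`. The new `../../common/services/btrbk.nix` import is not part of this patch while the commit does add a `btrbk/ssh_key` secret, so confirm that module installs the key with `owner`/`mode` the way the deploy key is installed, and that the receiving side restricts the key to btrbk operations (btrbk ships `ssh_filter_btrbk.sh` for that).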
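Review bot: The added comment points at a private Logseq page, whereas what a future maintainer needs next to `resume_offset=533760` is how to recompute it, since the value is only valid for the current swapfile's physical placement and goes stale if the file is recreated. Suggest `# Physical offset of the swapfile; recompute with \`btrfs inspect-internal map-swapfile -r <swapfile>\` (btrfs-progs >= 6.1) after recreating or moving it` alongside the existing link.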
@@ -1,28 +0,0 @@ -{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }: -let - libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; }; -in { - - containers = { - rdesktop = libx.mkContainer { hostname = "bfl-rdesktop"; ip = "2"; unfree = true; desktop = "gnome"; }; - }; - - # Networking config - networking.bridges.nix-br0.interfaces = []; - - # Add an IP address to the bridge interface. - networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0''; - - # Firewall commands allowing traffic to go in and out of the bridge interface - # (and to the guest LXD instance). Also sets up the actual NAT masquerade rule. - networking.firewall.extraCommands = '' - iptables -A INPUT -i nix-br0 -j ACCEPT - - # These three technically aren't needed, since by default the FORWARD and - # OUTPUT firewalls accept everything everything, but lets keep them in just - # in case. - iptables -A FORWARD -o nix-br0 -j ACCEPT - iptables -A FORWARD -i nix-br0 -j ACCEPT - iptables -A OUTPUT -o nix-br0 -j ACCEPT - ''; -} diff --git a/nixos/hosts/nuc-server/default.nix b/nixos/hosts/nuc-server/default.nix index b940132b..59b44c1c 100644 --- a/nixos/hosts/nuc-server/default.nix +++ b/nixos/hosts/nuc-server/default.nix @@ -10,7 +10,6 @@ ./mounts.nix ./cron.nix ./firewall.nix - ./containers.nix ]; environment.systemPackages = [ diff --git a/nixos/minimal.nix b/nixos/minimal.nix deleted file mode 100644 index 67e75116..00000000 --- a/nixos/minimal.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ inputs, lib, hostname, username, desktop, ... }: { - imports = [ - # Modules - inputs.disko.nixosModules.disko - - # Services - ./common/services/openssh.nix - ./common/services/fail2ban.nix - - # Software - ./common/packages/small.nix - - # NixOS Modules - ./common/modules/networking.nix # Initial Networking configs - ./common/services/tailscale.nix # Generlc tailscale installation - ./common/modules/nixos.nix # Common NixOS Configurations - - ./users/${username} - ./hosts/${hostname} - ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop}; - - programs.fish.enable = true; -} diff --git a/nixos/small.nix b/nixos/small.nix index 47ea7beb..5f7cf59d 100644 --- a/nixos/small.nix +++ b/nixos/small.nix 
@@ -24,4 +24,53 @@
 ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};
 programs.fish.enable = true;
+
+ # NOTE: This user is used to remotely build NixOS using deploy-rs
+
+ # Configure sops
+ sops = {
+ secrets."deploy/ssh_key" = {
+ sopsFile = ../secrets/secrets.yaml;
+ owner = "deploy";
+ path = "/home/deploy/.ssh/id_ed25519";
+ mode = "0600"; # Correct SSH key permissions
+ };
+ };
+
+ # Configure the user
+ users.users.deploy = {
+ isNormalUser = true;
+ createHome = true;
+ home = "/home/deploy";
+ # Only add the minimum required groups
+ extraGroups = [ "deploy" ]; # Create a dedicated group
+ # Disable interactive login
+ shell = "/run/current-system/sw/bin/nologin";
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyjI22cErvcrjDGkdqnnDDh/L6+5GemXL0l/sGXPuIJ deploy" ];
+ };
+
+ # Create a dedicated group
+ users.groups.deploy = {};
+
+ security.sudo = {
+ enable = true;
+ extraRules = [{
+ users = [ "deploy" ];
+ commands = [{
+ command = "/run/current-system/sw/bin/nixos-rebuild";
+ options = [ "NOPASSWD" ];
+ }];
+ }];
+ };
+
+ # Updated tmpfiles rules with Git repository access
+ systemd.tmpfiles.rules = [
+ # Give access to the Git repository directory
+ "Z /etc/nixos/git 0750 root nixos-rebuild"
+ "z /etc/nixos/git/** 0640 root nixos-rebuild"
+
+ # Ensure Git can still operate on the repository
+ "z /etc/nixos/git/.git/** 0640 root nixos-rebuild"
+ ];
+
 }
diff --git a/nixos/users/jared/desktop.nix b/nixos/users/jared/desktop.nix
deleted file mode 100644
index 95f7d878..00000000
--- a/nixos/users/jared/desktop.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ pkgs, ... }: {
- # Steam, Vintage Story areu nfree.
- environment.systemPackages = [
- pkgs.signal-desktop
-
- ];
-
- imports = [
- ../../common/software/gui/firefox.nix
- ];
-}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 5a82ec61..67298859 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
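Review bot: The secret installed at `/home/deploy/.ssh/id_ed25519` is a private key that lands on every host importing small.nix, and the same hunk authorizes a `deploy` public key for SSH login on those hosts; if that key is the counterpart of `deploy/ssh_key` (the `deploy/ssh_pub_key` secret added in this commit suggests it is), any one compromised host can log in as `deploy` on all the others, and the NOPASSWD rule turns that into root everywhere. The sudo rule is root-equivalent regardless, because `nixos-rebuild` will switch to an arbitrary flake or expression, so the "minimum required" comments overstate the boundary, and as far as I recall deploy-rs activates through its own `activate-rs` under `sudo` rather than via `nixos-rebuild`, so the rule would not even cover the documented use. `shell = nologin` also refuses non-interactive `ssh deploy@host <cmd>`, since sshd runs remote commands through the login shell, so either drop the `shell` line or restrict the key with `command=` in `authorizedKeys` instead. In the tmpfiles rules the group `nixos-rebuild` is never declared (the hunk creates `deploy`), so those lines cannot be applied, and the bare `0640` that `z` applies to `.git/**` also lands on the subdirectories that glob matches; a single `"Z /etc/nixos/git ~0750 root deploy"` (the `~` prefix masks the mode by file type) replaces all three lines. The module's opening, including its argument list, is outside the hunk.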
@@ -4,14 +4,20 @@ services: forgejo_token: ENC[AES256_GCM,data:vAH8v82+WI/P0HhtLDfrK66B3u2H49XA1AglfL1LthM6Dm+znBlx4QaFmNk3ag==,iv:/jqtUejqNC9f9kXdUqxl1+LaxKsjXSZdU+I0u+ssmdQ=,tag:+2oWh6sgc7R1PXYxIz3oVQ==,type:str] btrfs-backups: gotify_token: ENC[AES256_GCM,data:PP8UTJWrDKhonLxN8vEj,iv:hTGWyktK+Ce7hAd0bARztLAQDSvhWgLcKRyGqyfgVKU=,tag:2xboM6Uv8NWld89EUl2jEg==,type:str] +btrbk: + ssh_key: ENC[AES256_GCM,data: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,iv:SvcLu1ffduCYj6tEfj6cSZM9CSB9TbGXWz4CixXYnsA=,tag:enn3+zPZbDl7IfivWv82Fg==,type:str] + ssh_pub_key: ENC[AES256_GCM,data:Ml1yjWnnsOCe0d/iqtgDXshKn3cIrWiqhV9Vz07JKjH7kiGUB1JFMZSGu/U7iYA72DTfqJvGtT+cHzjhYVx5HcPnqTW+6e7o1tdZtpascuDr9qU65o2p,iv:KWos4jYOEWZgZAaPohbLFMg6ecytU9v9quMOrGMaeMk=,tag:jlk6JUuWOnrVJyg52tbMGQ==,type:str] +deploy: + ssh_key: ENC[AES256_GCM,data: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,iv:utbR484ecLQ2Stm9aOPLr+0kHspMTmius5otq9D5fCY=,tag:vNWHrBapEMF7D8CvJDdOYA==,type:str] + ssh_pub_key: ENC[AES256_GCM,data:Ila55CvLNYnxxNVcLS/uzWQa707j7QjMSMGFadYbHpg4hUUXzRODhBWtusSIztrLD1euHFl8Na6M+bx84DSxcsaF0X6mexYVbtxJHF9HTdnZPZM0u+in,iv:yTDPy++YcxcVZjboh4vgAOvh+APKoBeAqtJS0ro2sWQ=,tag:SVtffDUvmyog3uQ4SaoBfA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-12-18T22:38:53Z" - mac: ENC[AES256_GCM,data:Z7n4jrtHc2b8zh1Gr57QX9tdLN83x6ZwopwL8cXTmZtyTC7/e/P09QcCrxpksOYbZjsu8UPsyIYigi4M5k/jDTvTBYizI2wREa6F/L734wjpyV/mV/aQuCdkck+b1uYiORrURKPl9cN3CiDX2RKzbit5Z1NSS7MHuOL7YWGOosQ=,iv:wttgCslLasVrh18lPq73l3LmXGF94Hy5LptIxFWt/Uw=,tag:yCI/qa9ulovqJkLKpccbsw==,type:str] + lastmodified: "2025-01-14T20:45:34Z" + mac: ENC[AES256_GCM,data:KjuiBTPuq0j3FXy5qZRINYsqDoNWXOn8+MDh+QVLIDZqH3qe5iXg9r/hTlGiTOiWfnoMd4nbItcWMqGqZIFeUfBGKYWPUlMM4vxydDaXyZDbtQMGQZ6aSCqKbcO7hazFf4XAyGqKv6YA+tBRPeCXsxeFq1QLRpGoAPsY7wFeQgk=,iv:bgzBJCGcdzQvVGPW5gEha5kEksPEYcXKafyMN797i64=,tag:vnMDLJ/cX0G9TWGTdFkaXA==,type:str] pgp: - created_at: "2025-01-10T20:21:25Z" enc: |-
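Review bot: Two SSH private keys are now committed under `btrbk/ssh_key` and `deploy/ssh_key`, encrypted to the PGP recipients in the `sops` block; being opaque in review, there is no way to check that `deploy/ssh_key` is the counterpart of the public key small.nix embeds in `authorizedKeys`, and the encrypted `*_pub_key` entries do not help with that since a public key needs no protection. Keeping the public halves as plaintext files in the repo, or deriving them in the module with `ssh-keygen -y -f`, would make a mismatch visible and avoid drift between this file and the Nix code. Note also that the recipient list still contains only the `pgp` entry (`age: []`), so every host that needs these keys at build or activation time has to hold that PGP key.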