Repo for nix configuration files
Latest commit: 31e94eca6d ("test") by iFargle, 2023-12-11 15:09:03 +09:00. CI: ssh-test (push) failing after 25s.
.forgejo/workflows Update 2023-12-09 21:39:52 +09:00
docs Update setup script to use ed25519 keys instead of rsa 2023-12-10 12:00:41 +09:00
home-manager Update bash aliases 2023-12-10 13:54:39 +09:00
keys Add forgejo-runner key 2023-12-08 19:59:34 +09:00
lib Typo 2023-12-11 14:56:38 +09:00
nixos test 2023-12-11 13:40:51 +09:00
secrets Add Forgejo token 2023-12-06 14:47:24 +09:00
wallpapers@dc1085957c add tree command 2023-11-20 18:43:26 +09:00
.gitmodules Test 2023-10-10 22:15:42 +09:00
.sops.yaml Remove osaka-vultr-01 2023-12-06 09:09:18 +09:00
flake.lock [ACTIONS] Flake Update (2023-12-09) 2023-12-09 12:35:25 +00:00
flake.nix test 2023-12-11 13:16:55 +09:00
README.md Update README 2023-12-11 12:38:20 +09:00
shell.nix test 2023-12-11 15:09:03 +09:00

NixOS Configuration Repository

NOTE: These configs expect this repo to be cloned to /etc/nixos/git/

  • Installing a system from the ISO:
nixos-install <Hostname> [<Username>]

or

./docs/install.sh <Hostname> [<Username>]
  • Post install:
nix develop -c /etc/nixos/git/docs/setup.sh

Gruv'd Hyprland

framework-server ToDo List

  • minio is broken
  • No updates on Lemmy
  • cannot send email on port 25 - Link
  • traccar not seeing phone
  • duplicati needs database repairs
  • osaka-linode-01 unable to connect to Headscale
  • Matrix is unable to send/receive pictures
  • Go through old sysctl.io cronjob and import what's necessary
  • Back up pass.sysctl.io to memory stick (gpg encrypted csv file)
  • Get Gnome Remote Desktop / XRDP working
  • Migrate to Protonmail, use the PM mail bridge docker container (Nix pkg?)
  • https://github.com/shenxn/protonmail-bridge-docker#initialization
  • Set up ssh keys for nix builders on forgejo
  • Set up nixos-rebuild switch --target-host $host on forgejo actions
  • Potentially need to set up a new PGP key for use with ProtonMail
  • Try this https://www.ntop.org/products/traffic-analysis/ntop/

Raspberry Pi ToDo List

  • nixos-rpi4-01 - Replace japan-rpi4
    • crontab entry for rsyncing storage to /mnt/sda,b,c
  • nixos-rpi4-02 - Replace piaware-rpi4
    • Container running piaware software

To Do List

  • Try Attic - A self-hosted Nix Binary Cache server - Link
  • Try compose2nix - Docker Compose to Nix converter
  • Make a dashboard for all Nixified devices (online status)
  • Try deploy-rs - Link
  • Set up actions/forgejo-release - Link
  • Try lazy.vim - Link
  • Look into hosting a binary cache locally - Link
  • vscode / emacs
    • Add the nix lsp - Link
  • Find a way to remove all default search engines in Firefox (Google, Amazon, etc)
  • Figure out what the home-manager account options are for.
  • Security hardening
  • Edit the hosts file
  • cronjobs
    • Change wallpaper at a certain time of day
    • Automatic git pull of this repo
  • emacs
    • Add bracket auto-completion
    • Find a way to have magit save login credentials
  • btrfs snapshots?
  • vscodium and user-config.js file?
  • rofi - bitwarden-cli / bitwarden-menu (Link)
  • Server migration
    • Do federated things need to be available externally?
      • Pixelfed
      • Mastodon
      • Lemmy
        • Separate backend/frontend
      • Matrix
        • Separate backend/frontend
    • Externally exposed (inbound) ports
      • traefik (80, 443)
      • traccar (5055 tcp/udp)
        • Can probably bring back internally, both devices will be internal to Headscale
      • jitsi-jvb (10000 udp, 4443 tcp)
      • minecraft (25565)
      • vintage-story (42420)
      • mailserver
        • "25:25" # SMTP (explicit TLS => STARTTLS)
        • "465:465" # ESMTP (implicit TLS)
        • "587:587" # ESMTP (explicit TLS => STARTTLS)
        • "143:143" # IMAP4 (explicit TLS => STARTTLS)
        • "993:993" # IMAP4 (implicit TLS)
        • "4190:4190" # Sieve support
      • tor-relay (9001, 9030) - Probably not hosting for legal reasons
      • headscale-derp (3478/udp, 1443/tcp) - Most likely can't host due to limitations of DERP/xinetd
      • Headscale needs to be available externally

Completed ToDo List here


Information

Home Manager

  • Home Manager Documentation - Link
  • Home Manager Options Search - Link

NixOS

  • NixOS Documentation - Stable - Link
  • NixOS Packages / Options Search - Link
  • Nix User Repository (NUR) Search - Link
  • ARM NixOS Building - Link
  • NixOS Manual - Link
  • FlakeHub - Link
  • Track a Nixpkgs PR - Link
  • Awesome-Hyprland - Link

Examples

  • Tons of good examples here - Link
  • NixOS Flakes Intro Guide - Link

Theming

  • Neofetch Themes - Link
  • gruvbox-factory - Link
  • Hyprland Gruvboxy - Link

Lanzaboote / SecureBoot

  • Instructions here - Link
  1. Create your keys: sbctl create-keys
  2. Check what is currently signed: sbctl verify - everything except the *-bzImage.efi kernel images should already be signed (lanzaboote signs the stub that embeds the kernel, not the bare kernel image)
  3. Enter SecureBoot setup mode in the EFI settings on the motherboard (F10 on this board)
    • Security -> SecureBoot -> set to Enabled, choose "Reset to Setup Mode" and exit
  4. Enroll the keys: sbctl enroll-keys --microsoft (--microsoft also enrolls Microsoft's vendor certificates, which the option ROMs of GPUs and other add-in cards are signed with; without them such hardware may fail to initialise under SecureBoot)
    • --tpm-eventlog additionally enrolls the option ROM checksums recorded in the TPM event log; those checksums change after a firmware update, so enrollment has to be repeated then
  5. Reboot and verify it is active: bootctl status should report "Secure Boot: enabled (user)"
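A check for step 2, as an added example that is not part of this repo: it reads the output of sbctl verify on stdin and fails unless the only unsigned files are *-bzImage.efi kernel images. The line format of sbctl verify (a check or cross glyph, the path, then "is signed" / "is not signed") is assumed, and the sample outputs below are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the repo): verifies the "everything except
# *-bzImage.efi is signed" condition before running sbctl enroll-keys.
#
# Usage: sbctl verify | check_sbctl_verify
# Exit status 0 = only bzImage files are unsigned, 1 = something else is unsigned.
check_sbctl_verify() {
  csv_bad=0
  while IFS= read -r csv_line; do
    case "$csv_line" in
      *" is not signed")
        # drop the trailing status text, then the status glyph before the path
        csv_path=${csv_line% is not signed}
        csv_path=/${csv_path#*/}
        case "$csv_path" in
          *-bzImage.efi) ;;   # expected: lanzaboote signs the stub, not the bare kernel
          *) printf 'unexpected unsigned file: %s\n' "$csv_path" >&2; csv_bad=1 ;;
        esac
        ;;
    esac
  done
  return "$csv_bad"
}

# Constructed sample in the assumed shape of `sbctl verify` output: a healthy
# lanzaboote install, where only the kernel image is unsigned.
SBCTL_SAMPLE_OK='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-42.efi is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✗ /boot/EFI/nixos/abcdef-linux-6.1.69-bzImage.efi is not signed'

# Constructed sample where a lanzaboote stub was left unsigned: must be rejected.
SBCTL_SAMPLE_BAD='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✗ /boot/EFI/Linux/nixos-generation-41.efi is not signed
✗ /boot/EFI/nixos/abcdef-linux-6.1.69-bzImage.efi is not signed'

if printf '%s\n' "$SBCTL_SAMPLE_OK" | check_sbctl_verify; then
  echo "sample: ready for enroll-keys"
fi
```

Run it as `sbctl verify | check_sbctl_verify` on the machine; a non-zero exit means a stub or bootloader is unsigned and enrolling keys now would leave the machine unbootable under SecureBoot.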

Manual: GPG Keys

  1. Import the user private key: gpg --import gpg/users/albert/privkey.asc
  2. Mark it as trusted: gpg --edit-key albert@sysctl.io, then type trust, choose 5 (ultimate), and quit so the trust database is saved
  3. On each new machine, run sudo nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc"
    • ssh-to-pgp only supports RSA keys, hence ssh_host_rsa_key
    • It writes the host's PGP public key to keys/hosts/<hostname>.asc and prints the key fingerprint; that fingerprint is the identifier you add to .sops.yaml
    • Commit keys/hosts/<hostname>.asc to git

Secrets

  1. Run nix develop in /etc/nixos/git to import new keys into gpg
  2. To edit a file: sops secrets/<file>.yaml
  3. When you add a new machine (and its key to .sops.yaml), the secrets files must be re-encrypted for the new recipient set:
    • Run sops updatekeys secrets/<file>.yaml for each file and commit the change
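The two procedures above (step 3 of "Manual: GPG Keys" and step 3 of "Secrets") as one script, added here as an example; it is not the repo's docs/setup.sh. It is meant to run on the new machine from the checkout at /etc/nixos/git. Assumptions not stated on the page: ssh-to-pgp prints the fingerprint on stdout, the secrets files are secrets/*.yaml, and .sops.yaml names host keys with a "&host_<name>" anchor.

```shell
#!/usr/bin/env sh
# Added example, not the repo's own setup script: derive a host PGP key from
# the RSA SSH host key, store it under keys/hosts/, and re-encrypt the secrets.
set -eu

REPO=${REPO:-/etc/nixos/git}

# ssh-to-pgp emits a 40-hex-character fingerprint (assumed: on stdout); refuse
# anything else so a stray warning line never gets pasted into .sops.yaml.
fingerprint_ok() {
  case "$1" in
    '' | *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# The `keys:` entry for .sops.yaml; the &host_<name> anchor is our convention.
sops_key_line() {
  printf '  - &host_%s %s\n' "$1" "$2"
}

# Step 3 of "Manual: GPG Keys": ssh-to-pgp only supports RSA, hence the
# ssh_host_rsa_key input. The public key lands in keys/hosts/<host>.asc.
add_host() {
  ah_host=$1
  ah_out="$REPO/keys/hosts/$ah_host.asc"
  ah_fp=$(sudo nix-shell -p ssh-to-pgp --run \
    "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o '$ah_out'")
  fingerprint_ok "$ah_fp" || { echo "unexpected ssh-to-pgp output: $ah_fp" >&2; return 1; }
  # sops needs the recipient's public key in the gpg keyring to encrypt to it
  # (the README's nix develop shell imports keys/ as well)
  gpg --import "$ah_out"
  echo "add this under keys: in .sops.yaml and reference it from the creation rules:"
  sops_key_line "$ah_host" "$ah_fp"
  echo "then commit $ah_out and run: $0 update-secrets"
}

# Step 3 of "Secrets": once .sops.yaml lists the new key, re-wrap the data key
# of every secrets file for the new recipient set (assumed glob: secrets/*.yaml).
update_secrets() {
  for us_f in "$REPO"/secrets/*.yaml; do
    sops updatekeys --yes "$us_f"
  done
}

case "${1:-}" in
  add-host)       add_host "${2:?hostname required}" ;;
  update-secrets) update_secrets ;;
  *)              echo "usage: $0 add-host <hostname> | update-secrets" ;;
esac
```

The split into two subcommands is deliberate: sops updatekeys reads the recipient list from .sops.yaml, so the fingerprint has to be added there (and the change reviewed) before any secrets file is re-encrypted for the new host.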

Troubleshooting

  1. To troubleshoot disko/device issues, this command can come in handy:
    nix eval .#nixosConfigurations.[CONFIG_NAME].config.disko.devices._config

Directory Structure

├── docs
├── home-manager
│   ├── common
│   │   ├── desktops
│   │   │   ├── gnome
│   │   │   │   ├── common
│   │   │   │   └── themes
│   │   │   │       ├── default
│   │   │   │       └── gruvbox
│   │   │   └── hyprland
│   │   │       ├── common
│   │   │       └── themes
│   │   │           ├── default
│   │   │           └── gruvbox
│   │   └── software
│   │       ├── cli
│   │       │   └── themes
│   │       │       ├── default
│   │       │       └── gruvbox
│   │       └── gui
│   │           └── themes
│   │               ├── default
│   │               └── gruvbox
│   ├── hosts
│   └── users
├── keys
│   ├── hosts
│   ├── ssh
│   └── users
├── lib
├── nixos
│   ├── common
│   │   ├── desktops
│   │   │   ├── gnome
│   │   │   └── hyprland
│   │   ├── modules
│   │   ├── services
│   │   └── software
│   │       ├── cli
│   │       └── gui
│   ├── hosts
│   └── users
├── secrets
└── wallpapers
    ├── default
    └── gruvbox

Other

Example of passwordless SSH for deploy-rs (sudo on the target authenticates the deploying user through the forwarded ssh agent via pam_ssh_agent_auth):

nixosConfigurations.target = {
  # enable passwordless elevation: pam_ssh_agent_auth checks the forwarded agent
  # against the same authorized_keys files sshd uses, so the deploying user's
  # key must be in users.users.me.openssh.authorizedKeys.keys
  # (option renamed to security.pam.sshAgentAuth.enable in NixOS 24.05)
  security.pam.enableSSHAgentAuth = true;
};
deploy.nodes.target = {
  # ssh as normal user but elevate to root after
  sshUser = "me";
  user = "root";
  # forward the agent so sudo on the target can see it; root on the target can
  # use every key in the forwarded agent for the life of the session, so run
  # the deploy from an agent that holds only the deploy key
  sshOpts = [ "-A" ];
};