Repo for nix configuration files
NixOS Configuration Repository
NOTE: These configs expect this repo to be cloned to /etc/nixos/git/
- Installing a system from the ISO:
nixos-install <Hostname> [<Username>]
or
./docs/install.sh <Hostname> [<Username>]
- Post install:
nix develop -c /etc/nixos/git/docs/setup.sh
framework-server ToDo List
- minio is broken
- No updates on Lemmy
- cannot send email on port 25 - Link
- traccar not seeing phone
- duplicati needs database repairs
- osaka-linode-01 unable to connect to Headscale
- Matrix is unable to send/receive pictures
- Go through old sysctl.io cronjob and import what's necessary
- Back up pass.sysctl.io to memory stick (gpg encrypted csv file)
- Get Gnome Remote Desktop / XRDP working
- Migrate to Protonmail, use the PM mail bridge docker container (Nix pkg?)
- https://github.com/shenxn/protonmail-bridge-docker#initialization
- Potentially need to set up a new PGP key for use with ProtonMail
- Try this https://www.ntop.org/products/traffic-analysis/ntop/
Raspberry Pi ToDo List
- nixos-rpi4-01 - Replace japan-rpi4
- crontab entry for rsyncing storage to /mnt/sda,b,c
- nixos-rpi4-02 - Replace piaware-rpi4
- Container running piaware software
To Do List
- Try Attic - A self-hosted Nix Binary Cache server - Link
- Try compose2nix - Docker Compose to Nix converter
- Make a dashboard for all Nixified devices (online status)
- Try deploy-rs - Link
- Set up actions/forgejo-release - Link
- Try lazy.vim - Link
- Look into hosting a binary cache locally - Link
- vscode / emacs
- Add the nix lsp - Link
- Find a way to remove all default search engines in Firefox (Google, Amazon, etc)
- Figure out what the home-manager account options are for.
- Security hardening
- Edit the hosts file
- home-manager/common/software/cli/bash.nix - Break this out for theming -- Currently statically set to 'gruvbox'
- cronjobs
- Change wallpaper at a certain time of day
- Automatic git pull of this repo
- emacs
- Add bracket auto-completion
- Find a way to have magit save login credentials
- btrfs snapshots?
- vscodium and user-config.js file?
- rofi - bitwarden-cli / bitwarden-menu (Link)
- Server migration
- Do federated things need to be available externally?
- Pixelfed
- Mastodon
- Lemmy
- Separate backend/frontend
- Matrix
- Separate backend/frontend
- Outbound ports
- traefik (80, 443)
- traccar (5055 tcp/udp)
- Can probably bring back internally, both devices will be internal to Headscale
- jitsi-jvb (10000 udp, 4443 tcp)
- minecraft (25565)
- vintage-story (42420)
- mailserver
- "25:25" # SMTP (explicit TLS => STARTTLS)
- "465:465" # ESMTP (implicit TLS)
- "587:587" # ESMTP (explicit TLS => STARTTLS)
- "143:143" # IMAP4 (explicit TLS => STARTTLS)
- "993:993" # IMAP4 (implicit TLS)
- "4190:4190" # Sieve support
- tor-relay (9001, 9030) - Probably not hosting for legal reasons
- headscale-derp (3478/udp, 1443/tcp) - Most likely can't host due to limitations of DERP/xinetd
- Headscale needs to be available externally
- Do federated things need to be available externally?
Completed ToDo List here
Information
Home Manager
NixOS
- NixOS Documentation - Stable - Link
- NixOS Packages / Options Search - Link
- Nix User Repository (NUR) Search - Link
- ARM NixOS Building - Link
- NixOS Manual - Link
Useful Links
Examples
Theming
- To change system-wide themes, see theming.md
Lanzaboote / SecureBoot
- Instructions here - Link
- Create your keys:
sbctl create-keys
- Verify your machine is ready for SecureBoot:
sbctl verify
- Everything except *-bzImage.efi should be reported as signed. The unsigned kernels are expected: Lanzaboote signs its boot stub, and the stub checks the hashes of the kernel and initrd it loads, so sbctl never signs the bzImage itself.
- Enter SecureBoot Setup mode in your EFI Settings on the motherboard (F10)
- Security -> SecureBoot -> Set to Enabled and "Reset to Setup Mode" and exit
- Enroll the keys:
sbctl enroll-keys --microsoft
- --microsoft also enrolls Microsoft's vendor certificates into db. Keep it unless you are sure no option ROM (discrete GPUs in particular) or other OS on the machine relies on a Microsoft signature; without those certificates such firmware can refuse to boot.
- If you wish, you can add --tpm-eventlog, but the checksums it enrolls will change later (ie, at a kernel rebuild) and will have to be re-enrolled.
- Reboot and verify you are activated:
bootctl status
Manual: GPG Keys
- Import the user private key:
gpg --import gpg/users/albert/privkey.asc
- Mark it as trusted:
gpg --edit-key albert@sysctl.io
, then type trust, then 5, then quit
- On each new machine, convert the host's SSH RSA key into a PGP key:
sudo nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc"
- This writes the host's public PGP key to keys/hosts/HOSTNAME.asc and prints its fingerprint, which is the identifier you add to .sops.yaml. Only the public half leaves the machine; the private key stays in /etc/ssh/ssh_host_rsa_key and is what sops uses on that host to decrypt.
- Commit keys/hosts/HOSTNAME.asc to git, renaming it if the file name does not match the host's name in this repo.
Secrets
- Run
nix develop
in /etc/nixos/git to import the new keys.
- To edit a file:
sops secrets/file.yaml
- When you add a new machine, you must update the encryption of the secrets files. Run
sops updatekeys secrets/file.yaml
and commit the change.
- updatekeys only re-wraps the existing data key for the recipients currently listed in .sops.yaml; it does not generate a new one. A host key that you remove can therefore still decrypt every earlier commit of the file. When a host is retired or its key is suspected compromised, also rotate the data key with
sops -r -i secrets/file.yaml
and treat the values it previously protected as exposed.
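The GPG Keys and Secrets steps above both revolve around .sops.yaml, so here is what a file for this layout looks like. This is an added example, not the repo's own .sops.yaml: the fingerprints are placeholders standing in for the gpg user key and the ssh-to-pgp output for each host, and the secrets/ subdirectories in the path_regex rules are assumed. Each host only ever holds its own private key, so scoping a rule to one host limits what that machine can decrypt if it is compromised.

```yaml
# .sops.yaml (added example; fingerprints and paths are placeholders)
keys:
  # user key, imported from gpg/users/albert/privkey.asc
  - &albert 0000000000000000000000000000000000000000
  # host keys, the fingerprints printed by ssh-to-pgp for each
  # /etc/ssh/ssh_host_rsa_key (public halves live in keys/hosts/)
  - &host_framework_server 1111111111111111111111111111111111111111
  - &host_nixos_rpi4_01    2222222222222222222222222222222222222222

creation_rules:
  # secrets only the server needs: encrypted to the user key and that one host
  - path_regex: secrets/framework-server/.*\.yaml$
    key_groups:
      - pgp:
          - *albert
          - *host_framework_server

  # secrets every machine needs: every host key is a recipient,
  # so adding a host means editing this list and running updatekeys
  - path_regex: secrets/common/.*\.yaml$
    key_groups:
      - pgp:
          - *albert
          - *host_framework_server
          - *host_nixos_rpi4_01

  # catch-all for anything else: user key only, so no host can read it
  - path_regex: .*
    key_groups:
      - pgp:
          - *albert
```

Rules are matched top to bottom by path_regex, so the catch-all must stay last. With a single key group, any one listed key decrypts the file; after changing a rule, run sops updatekeys on every file the rule matches and check the sops.pgp section of the encrypted file to confirm the recipient set is what you expect.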
Troubleshooting
- To troubleshoot issues, this command can come in handy:
nix eval .#nixosConfigurations.[CONFIG_NAME].config.disko.devices._config
Directory Structure
├── docs
├── home-manager
│   ├── common
│   │   ├── desktops
│   │   │   ├── gnome
│   │   │   │   ├── common
│   │   │   │   └── themes
│   │   │   │       ├── default
│   │   │   │       └── gruvbox
│   │   │   └── hyprland
│   │   │       ├── common
│   │   │       └── themes
│   │   │           ├── default
│   │   │           └── gruvbox
│   │   └── software
│   │       ├── cli
│   │       │   └── themes
│   │       │       ├── default
│   │       │       └── gruvbox
│   │       └── gui
│   │           └── themes
│   │               ├── default
│   │               └── gruvbox
│   ├── hosts
│   └── users
├── keys
│   ├── hosts
│   ├── ssh
│   └── users
├── lib
├── nixos
│   ├── common
│   │   ├── desktops
│   │   │   ├── gnome
│   │   │   └── hyprland
│   │   ├── modules
│   │   ├── services
│   │   └── software
│   │       ├── cli
│   │       └── gui
│   ├── hosts
│   └── users
├── secrets
└── wallpapers
    ├── default
    └── gruvbox
Other
- Waybar inspirations
Example of passwordless SSH for deploy-rs:
nixosConfigurations.target = {
  # let sudo on the target accept a key from the forwarded SSH agent
  # (pam_ssh_agent_auth) instead of asking for a password; newer NixOS
  # releases renamed this option to security.pam.sshAgentAuth.enable
  security.pam.enableSSHAgentAuth = true;
};
deploy.nodes.target = {
  # ssh as a normal user but elevate to root after
  sshUser = "me";
  user = "root";
  # -A forwards the local agent so sudo on the target can see the key;
  # only forward to hosts you trust, since root there can use the agent
  sshOpts = [ "-A" ];
};