From 11048faa79cbbb15b110dc557c3efe84efb4282b Mon Sep 17 00:00:00 2001 From: Nathan Date: Thu, 9 Apr 2026 14:25:40 -0500 Subject: [PATCH] test --- flake.nix | 3 - profiles/homebox/.sops.yaml | 7 + profiles/homebox/config.nix | 131 +++++++++++++++++ profiles/homebox/disko.nix | 148 ++++++++++++++++++++ profiles/homebox/hardware-configuration.nix | 24 ++++ profiles/homebox/secrets.yaml | 44 ++++++ profiles/laptop/.sops.yaml | 7 + profiles/laptop/config.nix | 126 +++++++++++++++++ profiles/laptop/hardware-configuration.nix | 39 ++++++ profiles/laptop/secrets.yaml | 18 +++ 10 files changed, 544 insertions(+), 3 deletions(-) create mode 100644 profiles/homebox/.sops.yaml create mode 100644 profiles/homebox/config.nix create mode 100644 profiles/homebox/disko.nix create mode 100644 profiles/homebox/hardware-configuration.nix create mode 100644 profiles/homebox/secrets.yaml create mode 100644 profiles/laptop/.sops.yaml create mode 100644 profiles/laptop/config.nix create mode 100644 profiles/laptop/hardware-configuration.nix create mode 100644 profiles/laptop/secrets.yaml diff --git a/flake.nix b/flake.nix index 305c0ee..87b853c 100644 --- a/flake.nix +++ b/flake.nix @@ -37,8 +37,6 @@ #aurora.url = "git+https://gitea.esotericbytes.com/Blunkall-Technologies/Aurora"; aurora.url = "git+file:///home/nathan/Projects/Aurora"; - - self.submodules = true; }; outputs = { ... } @ inputs: @@ -46,7 +44,6 @@ (inputs.import-tree [ ./profiles ./homes - ./machines ./system ./templates/default.nix ./flake-parts.nix diff --git a/profiles/homebox/.sops.yaml b/profiles/homebox/.sops.yaml new file mode 100644 index 0000000..ede3428 --- /dev/null +++ b/profiles/homebox/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &homebox age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd +creation_rules: + - path_regex: ^secrets.yaml$ + key_groups: + - age: + - *homebox diff --git a/profiles/homebox/config.nix b/profiles/homebox/config.nix new file mode 100644 index 0000000..dc11909 --- /dev/null 
+++ b/profiles/homebox/config.nix 
@@ -0,0 +1,131 @@
+{ self, inputs, ... }: {
+
+ flake.nixosConfigurations."homebox" = inputs.nixpkgs.lib.nixosSystem {
+
+ modules = [
+ self.nixosModules.homebox
+ self.nixosModules.default
+ ];
+ };
+
+ flake.nixosModules.homebox = { config, lib, pkgs, ... }:
+
+ {
+
+ imports = [ # Include the results of the hardware scan.
+
+ (import ./disko.nix { device1 = "/dev/nvme0n1"; device2 = "/dev/nvme1n1"; device3 = "/dev/sda"; })
+ ];
+
+ config = {
+
+ services = {
+ xserver = {
+ enable = false;
+ videoDrivers = ["nvidia"];
+ };
+ displayManager = {
+ enable = false;
+ defaultSession = "hyprland";
+ autoLogin = {
+ enable = true;
+ user = "nathan";
+ };
+ };
+ pulseaudio.enable = false;
+
+ hardware.openrgb = {
+ enable = true;
+ motherboard = "amd";
+ };
+ };
+
+ hardware = {
+ nvidia = {
+ open = true;
+ modesetting.enable = true;
+ nvidiaPersistenced = true;
+ };
+
+ bluetooth = {
+ enable = true;
+ powerOnBoot = false;
+ };
+ };
+
+ sops = {
+ age.keyFile = "/var/lib/sops/age/keys.txt";
+ defaultSopsFile = ./secrets.yaml;
+ defaultSopsFormat = "yaml";
+
+ secrets = {
+ "nathan/pass" = {
+ neededForUsers = true;
+ };
+ };
+ };
+
+ sysconfig = {
+
+ host = "homebox";
+
+ docker.nvidia = true;
+
+ remoteBuildClient = false;
+
+ users = {
+ nathan = {
+ isSuperuser = true;
+ extraGroups = [ "networkmanager" "docker" ];
+ ssh.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost"
+ "ssh-rsa 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 nathan@rpi-3dp"
+ ];
+ shell = pkgs.zsh;
+ hashedPasswordFile = config.sops.secrets."nathan/pass".path;
+ home-manager = {
+ enable = true;
+ standalone = false;
+ extraModules = [
+ {
+ homeconfig = {
+ minimal = false;
+ virtual-machines = true;
+ hyprland.enable = false;
+ hypridle.enable = false;
+ wal.enable = true;
+ mpd.enable = true;
+ calcurse.enable = true;
+ rofi.enable = false;
+ firefox.enable = false;
+ git.enable = true;
+ nh.enable = true;
+ };
+
+ services.hypridle.enable = lib.mkForce false;
+
+ home.packages = with pkgs; [
+ wayvnc
+ openrgb
+ ];
+ }
+ ];
+ };
+ };
+ };
+ };
+
+
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+ };
+
+ };
+}
diff --git a/profiles/homebox/disko.nix b/profiles/homebox/disko.nix
new file mode 100644
index 0000000..2f8d5ba
--- /dev/null
+++ b/profiles/homebox/disko.nix
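Review bot: `sysconfig.users.nathan` is `isSuperuser = true`, sits in the `docker` group (root-equivalent through the Docker socket) and lists three `ssh.keys`, one labelled `nathan@rpi-3dp`, so the private key on each of those hosts is effectively an administrative login to homebox. If that third host only needs limited access, give it a separate unprivileged user and keep the superuser's key list to the machines that administer this box. `displayManager.autoLogin.enable = true` looks inert while `displayManager.enable = false`, but it would log the same account in without a password once the display manager is turned on; `autoLogin.enable = false;` is the safer value to commit. Separately, `(import ./disko.nix { device1 = …; })` no longer fits the disko.nix added in this commit, which is a flake-parts module exposing `flake.diskoConfigurations.homebox`; the import probably has to become `(self.diskoConfigurations.homebox { device1 = "/dev/nvme0n1"; device2 = "/dev/nvme1n1"; device3 = "/dev/sda"; })`.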
@@ -0,0 +1,148 @@
+{ ... }: {
+
+ flake.diskoConfigurations.homebox = {
+ device1 ? throw "Set this to your disk device, e.g. /dev/sda",
+ device2,
+ device3,
+ ...
+ }: {
+ disko.devices = {
+ disk = {
+ main = {
+ device = device1;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ swap = {
+ size = "4G";
+ content = {
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "root_vg";
+ };
+ };
+ };
+ };
+ };
+ ssd1 = {
+ device = device2;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ssd1 = {
+ name = "ssd1";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "ssd1_vg";
+ };
+ };
+ };
+ };
+ };
+ hdd1 = {
+ device = device3;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ hdd1 = {
+ name = "hdd1";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "hdd1_vg";
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ root_vg = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ };
+
+ "/nix" = {
+ mountOptions = ["subvol=nix" "noatime"];
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+ };
+ ssd1_vg = {
+ type = "lvm_vg";
+ lvs = {
+ ssd1 = {
+ size = "100%FREE";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/ssd1" = {
+ mountOptions = [ "subvol=ssd1" "noatime" ];
+ mountpoint = "/ssd1";
+ };
+ };
+ };
+ };
+ };
+ };
+ hdd1_vg = {
+ type = "lvm_vg";
+ lvs = {
+ hdd1 = {
+ size = "100%FREE";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/hdd1" = {
+ mountOptions = [ "subvol=hdd1" "noatime" ];
+ mountpoint = "/hdd1";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/profiles/homebox/hardware-configuration.nix b/profiles/homebox/hardware-configuration.nix
new file mode 100644
index 0000000..7861c1c
--- /dev/null
+++ b/profiles/homebox/hardware-configuration.nix
@@ -0,0 +1,24 @@
+{ ... }: {
+
+ flake.nixosModules.homebox = { config, lib, pkgs, modulesPath, ... }:
+
+ {
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/profiles/homebox/secrets.yaml b/profiles/homebox/secrets.yaml
new file mode 100644
index 0000000..b42abac
--- /dev/null
+++ b/profiles/homebox/secrets.yaml
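Review bot: No partition in the disko.nix layout has an encryption layer: every `lvm_pv` sits directly on its GPT partition and the 4G swap is plain with `resumeDevice = true`. config.nix points sops at `/var/lib/sops/age/keys.txt`, which lands on the btrfs root, so anyone holding the disk can read the age identity and decrypt `secrets.yaml`; a hibernation image would keep memory contents in the clear as well. Consider a LUKS container under the root PV, e.g. `content = { type = "luks"; name = "cryptroot"; content = { type = "lvm_pv"; vg = "root_vg"; }; };` (the name is a placeholder), and either put swap inside the same container or drop `resumeDevice`. Only `device1` has a `throw` default, so `device2` and `device3` fail with a less helpful missing-argument error, and because `extraArgs = [ "-f" ]` forces the filesystem creation a comment naming the expected disks would help.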
@@ -0,0 +1,44 @@ +nathan: + pass: ENC[AES256_GCM,data:HP/kF665VvIUybXmqaluJikeHWR0lvTXjA8Ry/dpbjDd3VUfiDuWFKlBkUzIZ1brAc86PV1xl4JWu2CNEz7uc3TmPuJ+GsFFOA==,iv:uPQZE7s3PvfShOaVCNRnnhXlcvA5aIiXRxi7UPbXfdU=,tag:Wg0IuCm4ljSPBmB/H2OSFA==,type:str] +traefik: + cf_email: ENC[AES256_GCM,data:ujvdfobp/aTcyC+kUYeYYeaiXQnQhoHYhg==,iv:LBzvuMMt76jX70a68rzaMgkmzHtVE2TlbrJlWE7I6o8=,tag:cTO1ApZQ214zjJyumunvPg==,type:str] + cf_api_key: ENC[AES256_GCM,data:CrtkBlhUZT3rlZAqiEHz7/OhPaoQ5nAz+deWmrh2zmwJfAp95lGZCA==,iv:qPXTm5zjTVYupot/hUkI/pSe0QNs17rapDrvdweRDTQ=,tag:VL2Cnig8Ih0iSL7myqlTgA==,type:str] +authentik: + pass: ENC[AES256_GCM,data:pTjpwRgdUVU5543T199P7Zoy,iv:93WpIK6qq+A1LhaQdBvMQ4jzuAOmMUt575y/p8m8Ugk=,tag:jTg/JED3vpdOVHF8LdIyLg==,type:str] + secret_key: ENC[AES256_GCM,data:tIWDGtB/z7Ysizz9FPQJe2EeSTAxDPkeHJnaDfytDvbqvRaiCgg7qGpEF6hAQFdZ,iv:gloup5aI0qY+SYJt8V6lvUdE+18IWH09BXtz8dRi6JE=,tag:vFwF9h1Rsa/X1bjvdSRSfQ==,type:str] +pihole: + pass: ENC[AES256_GCM,data:hintZA==,iv:HA5K8mHYlLtf5s8iaLI/QRolYgcKwG8DWCH+LXnWI4k=,tag:DlnXxG0n9dBVpk2kILlPKg==,type:str] +gitea: + dbpass: ENC[AES256_GCM,data:hVRLXACRECNSnXRn8BEP0ZFT,iv:zuIvzStek6OEu+P4Nh8Wsq9eRVt/zP8KGVXYZWjSvW0=,tag:m4t8vKNGhz8NqkDWbCRgnA==,type:str] +keycloak: + dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str] +netbird: + secret_key: ENC[AES256_GCM,data:isJHGh/InvgJUSqISqxpWhZH0OMN/QG7WBbSS7WqHaWTdfZDBOh//PBP8g==,iv:j0D6feM3qnDjXijXRHgZPboFLHzPwWIhT5bYz3M+QMU=,tag:pOHRxOEdOUrL3n6DgqGDsA==,type:str] +gitlab: + db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str] + root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str] + secrets: + secret: 
ENC[AES256_GCM,data:3/26giCD58RErtEDxQ90KxRl3aa8oH4co2Urw21r7hHCKaoSti1VpYoBtlvHdr5j,iv:SwliwLWSFfTZoc31JSm9YKBDGKiPQE7ujkiGaZmCQUc=,tag:2KT5BpJukixvhb6tnZb6lw==,type:str] + otp: ENC[AES256_GCM,data:RWOkQVPRsrJgPVtx49hiWRMAxVOszKxaDl40XQDL+QoDuoZi03wSxHiu4Ix9X2BR,iv:uO+CTR5S4r1q7n1ycQw0hYdu8JflSrvkgLiBbCmT8mk=,tag:gqCwNOqD78lFtgxUPyUw3A==,type:str] + db: ENC[AES256_GCM,data:rF4IIp1uFSGa67LVm8fy4/qFOmZLInRcG2IAfnuZG3+xtS9Z2RXpNcTZNFBDdOaD,iv:/KYwf3ZH6w48L49rY/FmaGQOt3jGdOUTZ9vFhmLZG60=,tag:f38iYIgpgdjWF34qD1fz2w==,type:str] + jws: ENC[AES256_GCM,data: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,iv:cxdargXx2a7pET7BjCSZ/yXL7AnxNqncyDQ7CR3E3AA=,tag:2xKXfhBjynDqlvH377lpSA==,type:str] + oidc: + id: ENC[AES256_GCM,data:b6o2cCCSXJ5bIhA47InfhqwjO5Tjr0Mls+7VT5cunFfEHkdOInxplw==,iv:txren/8jnAUvCI/k9cxN29ZkSgCuPEAo0IpyREf2E9A=,tag:BFOZrM18zUJMEACpLz7KRw==,type:str] + secret: ENC[AES256_GCM,data:4HPPbVBOeDjdL81d402Rz6Luk1DZbk8InHfO+Sx/OJIvUf/shkCRyp3hStIDC03bA8HV66GeejvWFte+vQ2b5X3Fl2GXfHQi7brMFVEYfYdR2XRdra0aOeSrHtW5uUn0MpVCRwYDb1JahIWhLyqcYyOpV91xjNiIVg8S3MHr+mo=,iv:c3Q4qPMxZJuoO5XRzUDZh5XJOtff9eiMTlOx+MDMSaE=,tag:07fIkN9YXXJMEV59QEFIag==,type:str] +nextcloud: + pass: ENC[AES256_GCM,data:U/VI/uHDT1a5O4iAHUVwsz/h,iv:W0hAXBddFKhXmDWHpCB2JhjPPTEGer7721WtIRxg4Zo=,tag:OE4wzibNaaXsbfFuk0dwTA==,type:str] +sops: + age: + - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVFhtcWkreVV6UmJkcW1P + WUluUTlOcjYzME1yVVNpVWJldXVsWG1vN3dNCmlvYURNV285anlIa3FrbXRVTERB + dXZDWHhEbFp3YWw5d2w4Y09vbUVCNHcKLS0tIEF4ZU5ZdWI5MVBtN0FOUUZDQUR4 + S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M + 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-01T12:56:37Z" + mac: 
ENC[AES256_GCM,data:clu/WnwHAQaowQ99Z8tNlIKKcVnLHYeYsgQK0meftXgiQKnLyLzqNipwfaU3qjITdm6fB7wY+TcySygpwFbY2f2TKrqAk7RxdnTFa61vQDqMF7rYPG90Ub79P+R5URZI8yjv69Hmrav0Y6z92vH8ItbPSRBLtgrbYZx36IFq0LU=,iv:qzBVA0xATM979tzu6cTvMrX77firvA5K0WU2hoUggoA=,tag:Fm3IqH0GUHBq9Din6ZW6ng==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/profiles/laptop/.sops.yaml b/profiles/laptop/.sops.yaml new file mode 100644 index 0000000..19a8b0a --- /dev/null +++ b/profiles/laptop/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q +creation_rules: + - path_regex: ^secrets.yaml$ + key_groups: + - age: + - *laptop diff --git a/profiles/laptop/config.nix b/profiles/laptop/config.nix new file mode 100644 index 0000000..392295d --- /dev/null +++ b/profiles/laptop/config.nix 
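Review bot: sops encrypts each value without padding, so the length of every `data:` field still shows how long its plaintext is, and the key names are stored in clear; `pihole.pass` in homebox/secrets.yaml has a four-byte ciphertext (`data:hintZA==`). Since this commit adds the file to the flake repository, that value should be rotated to a long random one before the file is shared further. The file also has a single age recipient (the `&homebox` key), so losing `/var/lib/sops/age/keys.txt` loses every secret; adding an offline recovery recipient to `.sops.yaml` and running `sops updatekeys` avoids that, and the same applies to `profiles/laptop/secrets.yaml`. Only `nathan/pass` is declared in homebox/config.nix, so the remaining service secrets may belong next to the profile that actually consumes them.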
@@ -0,0 +1,126 @@
+{ self, inputs, ... }: {
+
+ flake.nixosConfigurations."laptop" = inputs.nixpkgs.lib.nixosSystem {
+
+ modules = [
+ self.nixosModules.laptop
+ self.nixosModules.default
+ ];
+ };
+
+ flake.nixosModules.laptop = { config, pkgs, ... }:
+
+ {
+
+ config = {
+
+ boot.kernelParams = [ "snd-intel-dspcfg.dsp_driver=1" ];
+
+ hardware = {
+ nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = true;
+ powerManagement.finegrained = true;
+ open = false;
+ nvidiaSettings = true;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+
+ prime = {
+# Make sure to use the correct Bus ID values for your system!
+ intelBusId = "PCI:0:2:0";
+ nvidiaBusId = "PCI:1:0:0";
+# WARNING: sync and offload are mutually exclusive.
+# You can only pick one!!
+#sync.enable = true;
+ offload = {
+ enable = true;
+ enableOffloadCmd = true;
+ };
+ };
+ };
+ };
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ "nathan/pass" = {
+ neededForUsers = true;
+ };
+
+ remoteBuildKey = {};
+ };
+ };
+
+ services.wyoming.satellite.user = "nathan";
+
+ sysconfig = {
+
+ host = "laptop";
+
+ services = {
+ wyoming = {
+ enable = true;
+ satellite = true;
+ };
+ };
+
+ remoteBuildClient = true;
+
+ users = {
+ nathan = {
+ isSuperuser = true;
+ extraGroups = [ "networkmanager" ];
+ hashedPasswordFile = config.sops.secrets."nathan/pass".path;
+ shell = pkgs.zsh;
+ home-manager = {
+ enable = true;
+ standalone = false;
+ extraModules = [
+ {
+ homeconfig = {
+ minimal = false;
+ graphical = true;
+
+ virtual-machines = true;
+ hyprland.enable = true;
+ hypridle.enable = true;
+ wal.enable = true;
+ mpd.enable = true;
+ calcurse.enable = true;
+ rofi.enable = true;
+ firefox.enable = true;
+ git.enable = true;
+ nh.enable = true;
+
+ aurora.enable = true;
+ };
+
+#monitor=eDP-1, addreserved, 40,0,0,0
+ wayland.windowManager.hyprland.extraConfig = ''
+ monitor=eDP-1,1920x1080@60,0x0,1
+ bind = CTRL SHIFT, XF86Launch2, exec, bash -c 'if [[ $(hyprctl monitors | grep 0x0 | sed -n -e "s/\t*1920x1080@//" -e "s/.[1234567890]* at 0x0//p") == 300 ]]; then pkexec --user root /nix/var/nix/profiles/system/bin/switch-to-configuration switch; else pkexec --user root /nix/var/nix/profiles/system/specialisation/docked/bin/switch-to-configuration switch; fi'
+ bind = ALT, Escape, exec, if [[ $(hyprctl monitors | grep 0x0 | sed -n -e "s/\t*1920x1080@//" -e "s/.[1234567890]* at 0x0//p") == 300 ]]; then hyprctl keyword monitor eDP-1,1920x1080@60,0x0,1; else hyprctl keyword monitor eDP-1,1920x1080@300,0x0,1; fi
+ '';
+
+ }
+ ];
+ };
+ };
+ };
+ };
+
+
+ services.xserver.videoDrivers = [ "nvidia" ];
+
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+ };
+
+ };
+}
diff --git a/profiles/laptop/hardware-configuration.nix b/profiles/laptop/hardware-configuration.nix
new file mode 100644
index 0000000..3892a07
--- /dev/null
+++ b/profiles/laptop/hardware-configuration.nix
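Review bot: `services.wyoming.satellite.user = "nathan"` runs the voice satellite under the account that also has `isSuperuser = true`, so a flaw in that service would run with that user's files and, presumably, its sudo rights. A dedicated system user with only the audio access it needs would contain that; if it has to be `nathan` to reach the user's audio session, a comment saying so would help. The `sops` block in laptop/config.nix also sets no `age.keyFile`, unlike the homebox profile, so decryption depends on whatever `self.nixosModules.default` or the sops-nix defaults supply. It is worth confirming that this resolves to the `&laptop` recipient, because `nathan/pass` is `neededForUsers` and a failed decrypt may leave the account without its password hash.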
@@ -0,0 +1,39 @@
+{ ... }: {
+
+ flake.nixosModules.laptop = { config, lib, pkgs, modulesPath, ... }:
+
+ {
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/78c0964d-c09e-4e31-8a73-eb719d79917a";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/AE5E-AC86";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/profiles/laptop/secrets.yaml b/profiles/laptop/secrets.yaml
new file mode 100644
index 0000000..fa2e25d
--- /dev/null
+++ b/profiles/laptop/secrets.yaml
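Review bot: `/boot` is mounted with `fmask=0022` and `dmask=0022`, which leaves every file on the ESP readable by all local users; if the bootloader keeps a random seed there, or the initrd ever embeds secrets, they are exposed. `options = [ "fmask=0077" "dmask=0077" ];` restricts the partition to root. The root filesystem is plain ext4 by UUID with no encryption layer visible in this hunk, so on a portable machine whatever key decrypts `secrets.yaml` is protected only by physical custody of the disk. If that is deliberate, a comment recording the decision would be useful.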
@@ -0,0 +1,18 @@ +nathan: + pass: ENC[AES256_GCM,data:H/duNPyclGoCF/Z90TQcqaUymowHOLRDmcfDxSubNGdmijknsCq+UH5PaWUmXGZ7uZqcpYWBcsVbYfQO/98OHH/kbwAFD/Hgkw==,iv:74M2PQqVzAgMXA8Z4RVLJKawt0Lzh94IKbn8YCTx3tY=,tag:B/xgA4mrhWEccaXQ+qvjCA==,type:str] +remoteBuildKey: ENC[AES256_GCM,data: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,iv:4i0bGQe7wiDSvmygY2VNSEhuYfYIi9YY1g7qLgDTcMo=,tag:MJqOovOcZ97COsVjxZus8w==,type:str] +sops: + age: + - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MEIyRjR0a25UU3hnR2Zw + WXFaaXJYNWFSMmZsR1FsYVB1WlBkZWptSHhzCkRGRitnNkc3MEtjV05KRXlXT3RR + TVhnVlpUdzFiSEwxbHNOT3dyQ0dzbG8KLS0tIElMc3g4SHRxZTVnOCtVcktRb25D + Y2ZpR25VNGVoMi9ibW8wbW5rYTQ3R00Ka6/KLXSSRP9WJDV0RBHHS5nALfd/3xDu + y+QS+Ueh56kQT2zbYpYBRIPDgI3LZgwlTifQCDJ9ZPq0LGgu4XbEqQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-23T03:46:50Z" + mac: ENC[AES256_GCM,data:QJLMqnmkrgtTqqmLN9NCfV8PPm5N/F0gtGw/XlX+nnfbesGVeYubSjtHmYWmY7ha41jEvLYu8rmIXaxDepfogyOf4wzuRPLkJxO7Wu0UVdr5uZlHNrcxZh4Ex6YGgg8Lbcjs0iVCev66lWfuhuxuvPOKsGLZvoNTq0V1hLpo/Fw=,iv:VFrL0L6tC1JvWM3BOJP4Dh+q1xSMBecCtPnNcY/loAU=,tag:p5VmBaGPTxyTmm1Ha9Le3Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2