diff --git a/.sops.yaml b/.sops.yaml index c2b0eeb..8121c36 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,12 +9,6 @@ creation_rules: - *laptop - *homebox - *android - - path_regex: iso/secrets.yaml$ - key_groups: - - age: - - *laptop - - *homebox - - *android - path_regex: live/secrets.yaml$ key_groups: - age: diff --git a/modules/features/netbird/netbird.nix b/modules/features/netbird/netbird.nix index bbb6d82..e9e46ce 100644 --- a/modules/features/netbird/netbird.nix +++ b/modules/features/netbird/netbird.nix @@ -31,6 +31,37 @@ }; }; + flake.nixosModules.netbird-sbc = { config, lib, pkgs, ... }: { + + config = let + pkgs-us = import inputs.nixpkgs-us { + system = "x86_64-linux"; + }; + in { + + sops.secrets."netbirdKey".sopsFile = ./../secrets.yaml; + + services.netbird = { + enable = lib.mkDefault true; + + clients.default = { + port = 51820; + name = "netbird"; + interface = "wt0"; + hardened = false; + + login = { + enable = true; + setupKeyFile = config.sops.secrets."netbirdKey".path; + }; + }; + + package = pkgs-us.netbird; + #package = pkgs.netbird; + }; + }; + }; + flake.nixosModules.netbird-docker = { config, lib, pkgs, ... }: { imports = [ diff --git a/modules/hosts/homebox/configuration.nix b/modules/hosts/homebox/configuration.nix index d327d02..9033631 100644 --- a/modules/hosts/homebox/configuration.nix +++ b/modules/hosts/homebox/configuration.nix @@ -11,7 +11,7 @@ self.nixosModules.default pipewire avahi - netbird + netbird-sbc openssh sops @@ -81,6 +81,8 @@ }; }; + sops.secrets."netbirdKey".sopsFile = lib.mkForce ./secrets.yaml; + services.netbird.clients.default.environment = { NB_EXTRA_DNS_LABELS = "server"; }; diff --git a/modules/hosts/iso/default.nix b/modules/hosts/iso/default.nix index 3c59086..fdedc86 100644 --- a/modules/hosts/iso/default.nix +++ b/modules/hosts/iso/default.nix 
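Review bot: `pkgs-us` is instantiated with a hard-coded `system = "x86_64-linux"`, yet the new `netbird-sbc` module is imported by the aarch64-linux `pi4` configuration in modules/hosts/pi4/configuration.nix, so `package = pkgs-us.netbird` would select an x86_64 build on that host; `system = pkgs.stdenv.hostPlatform.system;` follows whichever host evaluates the module. `hardened = false;` is left unexplained — it appears to opt out of the NixOS netbird module's hardened service configuration, which deserves a line such as `# hardened = false: <reason> — TODO confirm what the hardened variant breaks here`. `sops.secrets."netbirdKey".sopsFile = ./../secrets.yaml;` is a plain assignment, which is why the modules/hosts/homebox/configuration.nix hunk has to reach for `lib.mkForce`; `sopsFile = lib.mkDefault ./../secrets.yaml;` would let hosts override it without forcing. The flake-parts function wrapping this module (`{ self, inputs, ... }`, which supplies `inputs.nixpkgs-us`) begins outside the hunk.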
@@ -1,6 +1,6 @@ { self, inputs, ...}: { - perSystem = { config, system, pkgs, self', inputs', ... }: { + perSystem = { ... }: { packages.iso = self.nixosConfigurations.iso.config.system.build.isoImage; }; diff --git a/modules/hosts/pi4/configuration.nix b/modules/hosts/pi4/configuration.nix index 08818ca..ae4d528 100644 --- a/modules/hosts/pi4/configuration.nix +++ b/modules/hosts/pi4/configuration.nix 
@@ -1,93 +1,37 @@ { self, inputs, ... }: { - flake.nixosModules.pi4 = { config, pkgs, ... }: { + flake.nixosModules.pi4-install-disko = { config, pkgs, ... }: { imports = with self.nixosModules; [ inputs.disko.nixosModules.default - inputs.home-manager.nixosModules.default + pi4-core - self.nixosModules.default - user-nathan - netbird - avahi - openssh + self.diskoConfigurations.pi4 + ]; + + config = { + + }; + }; + + + flake.nixosModules.pi4 = { config, pkgs, ... }: { + + imports = with self.nixosModules; [ + + pi4-core-disko + + netbird-sbc remoteBuilds sops ]; config = { - boot = { - loader = { - grub.enable = false; - generic-extlinux-compatible.enable = true; - }; - }; - - networking = { - hostName = "pi4"; - nameservers = [ "1.1.1.1" "1.0.0.1" ]; - networkmanager.enable = true; - }; - - time.timeZone = "America/Chicago"; - - i18n.defaultLocale = "en_US.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "en_US.UTF-8"; - LC_IDENTIFICATION = "en_US.UTF-8"; - LC_MEASUREMENT = "en_US.UTF-8"; - LC_MONETARY = "en_US.UTF-8"; - LC_NAME = "en_US.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "en_US.UTF-8"; - LC_TELEPHONE = "en_US.UTF-8"; - LC_TIME = "en_US.UTF-8"; - }; - - hardware = { - bluetooth.enable = true; - - }; - - programs.zsh.enable = true; - - environment.shells = with pkgs; [ zsh ]; - - users = { - groups.gpio = {}; - }; - - services = { - udev.extraRules = '' - SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660" - SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'" - SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'" - ''; - - pulseaudio = { - enable = true; - extraConfig = '' - load-module 
module-native-protocol-tcp auth-ip-acl=127.0.0.1 - ''; - }; - - }; - sops = { - age.keyFile = "/var/lib/sops/age/keys.txt"; defaultSopsFile = ./secrets.yaml; - defaultSopsFormat = "yaml"; }; - - - fonts.packages = with pkgs; [ nerd-fonts.fira-code ]; - - security.rtkit.enable = true; - - system.stateVersion = "25.11"; }; }; } diff --git a/modules/hosts/pi4/core.nix b/modules/hosts/pi4/core.nix new file mode 100644 index 0000000..2768298 --- /dev/null +++ b/modules/hosts/pi4/core.nix 
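Review bot: `flake.nixosModules.pi4` now imports `pi4-core-disko` from `self.nixosModules`, but nothing in this commit defines that name — the module added here is `pi4-install-disko` and modules/hosts/pi4/core.nix defines `pi4-core` — so unless `pi4-core-disko` exists in a file outside the diff, evaluation fails on an undefined attribute; modules/hosts/pi4/default.nix references the same undefined name in the `pi4-install-disko` configuration while the `pi4-install-disko` module defined here is referenced by neither. If the install module is the intended import, the line is `pi4-install-disko`. The `sops` block also drops `age.keyFile = "/var/lib/sops/age/keys.txt";` and `defaultSopsFormat` in the same restructuring, which (if no other module sets them) changes where sops-nix looks for the decryption key on pi4; a comment on the surviving `defaultSopsFile = ./secrets.yaml;` line naming the intended key source would make that deliberate. The empty `config = { };` in `pi4-install-disko` reads as a placeholder and can be removed.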
@@ -0,0 +1,75 @@ +{ self, inputs, ... }: { + + flake.nixosModules.pi4-core = { config, pkgs, ... }: { + + imports = with self.nixosModules; [ + + inputs.home-manager.nixosModules.default + + self.nixosModules.default + user-nathan + avahi + openssh + ]; + + config = { + + boot = { + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + kernelParams = [ "snd_bcm2835.enable_hdmi=1" "snd_bcm2835.enable_headphones=1" ]; + }; + + networking = { + hostName = "pi4"; + nameservers = [ "1.1.1.1" "1.0.0.1" ]; + networkmanager = { + enable = true; + powersave = false; + }; + }; + + hardware = { + bluetooth.enable = true; + + }; + + programs.zsh.enable = true; + + environment.shells = with pkgs; [ zsh ]; + + environment.systemPackages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + ]; + + users = { + groups.gpio = {}; + }; + + services = { + udev.extraRules = '' + SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660" + SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'" + SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'" + ''; + + pulseaudio = { + enable = true; + extraConfig = '' + load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 + ''; + }; + + }; + + fonts.packages = with pkgs; [ nerd-fonts.fira-code ]; + + security.rtkit.enable = true; + + system.stateVersion = "25.11"; + }; + }; +} diff --git a/modules/hosts/pi4/default.nix b/modules/hosts/pi4/default.nix index 90c104a..93aeab1 100644 --- a/modules/hosts/pi4/default.nix +++ b/modules/hosts/pi4/default.nix 
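Review bot: `networking.networkmanager.powersave = false;` does not correspond to a NixOS option as far as I know — NetworkManager's power saving is exposed as `networking.networkmanager.wifi.powersave` — so unless a local module declares `powersave`, evaluating `pi4-core` fails with an undefined-option error; `wifi.powersave = false;` looks like the intent. The rest of the file is moved verbatim from modules/hosts/pi4/configuration.nix, with `boot.kernelParams` and `environment.systemPackages` newly added. A one-line header comment above `flake.nixosModules.pi4-core` stating that it is the hardware-independent base shared by the `pi4`, `pi4-install` and `pi4-install-disko` configurations would help, since all three consumers live in other files.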
@@ -1,6 +1,12 @@ { self, inputs, ... }: { - - flake.nixosConfigurations."pi4" = inputs.nixpkgs.lib.nixosSystem { + + perSystem = { ... }: { + packages.pi4-sd = self.nixosConfigurations.pi4-install.config.system.build.sdImage; + }; + + flake.nixosConfigurations.pi4 = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; modules = [ self.nixosModules.pi4 @@ -9,4 +15,24 @@ ]; }; + flake.nixosConfigurations.pi4-install = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = [ + self.nixosModules.pi4-core + self.nixosModules.pi4-hardware + ]; + }; + + flake.nixosConfigurations.pi4-install-disko = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = [ + self.nixosModules.pi4-core-disko + self.nixosModules.pi4-hardware + self.diskoConfigurations.pi4 + ]; + }; } diff --git a/modules/users/nathan/nathan.nix b/modules/users/nathan/nathan.nix index 7ac93e1..bc1b9be 100644 --- a/modules/users/nathan/nathan.nix +++ b/modules/users/nathan/nathan.nix 
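Review bot: `packages.pi4-sd` is declared for every `perSystem` system but always resolves to the aarch64-linux `pi4-install` configuration's `sdImage`, so `nix build .#pi4-sd` on an x86_64-linux host will try to realise aarch64 derivations and only succeeds with binfmt emulation or a remote builder; a comment on that line saying so would spare the next person a confusing failure. This also assumes `pi4-hardware`, which the diff does not show, imports the sd-image installer module that provides `system.build.sdImage`. The `pi4-install-disko` configuration lists `self.nixosModules.pi4-core-disko`, a name this commit never defines (see the note on modules/hosts/pi4/configuration.nix), and it does not import the `pi4-install-disko` module that file adds.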
@@ -4,28 +4,38 @@ laptop = [ "laptop" ]; homebox = [ "homebox" ]; iso = [ "iso" ]; - #pi4 = [ "pi4" ]; - #z2w = [ "red-black" "blue-white" ]; + pi4 = [ "pi4" ]; + z2w = [ "red-black" "blue-white" ]; useWith = x: y: (lib.mkIf (builtins.any (z: z == config.networking.hostName) x) y); in { config = { users.users.nathan = { + enable = true; shell = pkgs.zsh; name = lib.mkDefault "nathan"; isNormalUser = lib.mkDefault true; hashedPassword = lib.mkIf (config.users.users.nathan.hashedPasswordFile == null) "$y$j9T$F0pn6l4C45lz4a0FTZLqE0$Fc48Ptbmz/3MJCk/Jsaqop4ff.bY3J3GcjhmJx5R7k6"; - extraGroups = [ "networkmanager" "docker" "libvirtd" "wheel" ]; + extraGroups = lib.mkMerge [ + [ "networkmanager" "wheel" ] + (useWith (homebox) [ "docker" "libvirtd" ]) + (useWith (pi4) [ "gpio" ]) + ]; openssh.authorizedKeys.keys = lib.mkMerge [ - (useWith (homebox ++ iso) [ + (useWith (homebox) [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCM7ZgIu4+ntHZbzo9iQPq5pUt7AhpOnfvvI0lWDgO4CgtkPGvyFrDnW87wjAKGKYkgKeHWHIkwq2hkEDqlPD+7xxtPpwzfyo7ZS23xlP31rL14HcG21jGHgx9SO7RmGDHHylu4PwJzz/KX59hcVmpSSV4hgB/mYA9UKe6VHv39X4y3HsjmiHwNBOKXltG4V+VkxOZD6HcZ62sgkyDTaqDpE7p+q8vHPbm6dVTKC9cMjtJmjB5EesMGKcEAy3VN2tA9M0EndtaLcBKM39vDXGpBsjURYZTu7NbQnncnO7L8kVL0nT4vA/d4mCjB51dPoXIcxn1ise0TOb9G7TxMbBQQO5YMOpiB2iuZRRvB3sYoKwbO8YfSxZi0EhvLcxkF9GBFw+pWPl0p0D2fPBbW88YQfEpoAt2EWvEu/pgaMJsTHpgaIuDwPLVQmDciX4MRoi324oElGSK8yN0P8IaCHhFchuehLBWvTi34Qot0GpnxeTzmlLzImICO9Yq0I7dk2rk= nathan@rpi-3dp" ]) + (useWith (iso ++ pi4 ++ z2w) [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost" + ]) + (useWith laptop [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW 
nathan@localhost" ]) @@ -57,16 +67,19 @@ ''; }) - (useWith iso { - - olympus = { - packageSet = "minimal"; - }; + (useWith (iso) { wayland.windowManager.hyprland.extraConfig = '' monitor=,preferred,auto,1 ''; }) + + (useWith (iso ++ pi4 ++ z2w) { + + olympus = { + packageSet = "minimal"; + }; + }) ]; }; }; diff --git a/modules/users/nathan/sops.nix b/modules/users/nathan/sops.nix index 90af126..fe93618 100644 --- a/modules/users/nathan/sops.nix +++ b/modules/users/nathan/sops.nix @@ -13,7 +13,10 @@ sopsFile = ./secrets.yaml; }; - users.users.nathan.hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path; + users.users.nathan = { + enable = lib.mkDefault false; + hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path; + }; }; }; }
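Review bot: The `nathan@laptop` and `nathan@localhost` public keys are now pasted three times across the `authorizedKeys.keys` merge (the `homebox` list, the `iso ++ pi4 ++ z2w` list and the `laptop` list), so rotating either key means editing three places and risks leaving a stale key authorised on one host class; binding each once in the `let` block (e.g. `laptopKey = "ssh-ed25519 …";`) and referencing the names keeps rotation a single edit. `extraGroups` now grants `wheel` unconditionally, including on `iso` and `z2w` where no host-specific groups are added — likely intended, but a short comment would confirm it. The `(homebox)`, `(pi4)` and `(iso)` arguments carry redundant parentheses (`useWith homebox [ "docker" "libvirtd" ]` reads the same) both here and in the `@@ -57,16 +67,19 @@` hunk. The `let` block that defines `useWith` begins before this hunk.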
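Review bot: `enable = lib.mkDefault false;` on `users.users.nathan` is introduced without explanation, and the reason is only visible by cross-reading modules/users/nathan/nathan.nix, where the plain `enable = true;` outranks this default; a reader of sops.nix alone cannot tell whether a host that imports only this file is meant to have no account. Suggest `# Declaring the password secret must not create the account by itself; nathan.nix enables it on hosts that want the user — TODO confirm`. The enclosing `config` attribute set begins before the hunk.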