diff --git a/.sops.yaml b/.sops.yaml index 9593357..8121c36 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,7 +3,25 @@ keys: - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q - &android age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74 creation_rules: - - path_regex: system/secrets.yaml$ + - path_regex: features/secrets.yaml$ + key_groups: + - age: + - *laptop + - *homebox + - *android + - path_regex: live/secrets.yaml$ + key_groups: + - age: + - *laptop + - *homebox + - *android + - path_regex: container/secrets.yaml$ + key_groups: + - age: + - *laptop + - *homebox + - *android + - path_regex: users/.*/secrets.yaml$ key_groups: - age: - *laptop diff --git a/flake.lock b/flake.lock index c3f31fc..81d810b 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ ] }, "locked": { - "lastModified": 1775558810, - "narHash": "sha256-fy95EdPnqQlpbP8+rk0yWKclWShCUS5VKs6P7/1MF2c=", + "lastModified": 1776702787, + "narHash": "sha256-qc5uwEWbuubzYthmZcfCapooZGXhoYZWfTQ24TozbCQ=", "owner": "hyprwm", "repo": "aquamarine", - "rev": "7371b669b22aa2af980f913fc312a786d2f1abb2", + "rev": "9a1ca6b8cb4d86a599787a55b78f2ddf809bf945", "type": "github" }, "original": { @@ -61,11 +61,11 @@ ] }, "locked": { - "lastModified": 1773889306, - "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", + "lastModified": 1776613567, + "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=", "owner": "nix-community", "repo": "disko", - "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", + "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d", "type": "github" }, "original": { 
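Review bot: The three new creation_rules for features/, live/ and container/ secrets.yaml carry an identical key group (laptop, homebox, android), so a key rotation has to be repeated in three places and the rules can drift apart; one rule with an alternation expresses the same policy once, `- path_regex: (features|live|container)/secrets.yaml$`. The `*homebox` anchor the new rules reference is not among the keys in the hunk's context, so it is presumably defined above line 3 of the file — worth confirming, since sops fails on an undefined alias. The `users/.*/secrets.yaml$` rule's key group continues past the end of the hunk.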
@@ -82,11 +82,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1775880170, - "narHash": "sha256-63PLZ7lspPAqpV/+d0oNtDHLCWQf1MVFRG2DOeDK+nU=", + "lastModified": 1777003388, + "narHash": "sha256-IS8oeyaqYS/MPpDp0Z7i86PwcdTqJ2dritgdRtWzkew=", "owner": "rycee", "repo": "nur-expressions", - "rev": "28b164d30b5ab6820ef7e17281ae55c539ae9ff5", + "rev": "03d4270c1f75494910b7b8039b1a050bc7055c97", "type": "gitlab" }, "original": { @@ -254,11 +254,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1776885253, - "narHash": "sha256-vslJ5ezhyD+HBMEqzsPLOBfalILmPrAABR68yxrhEuM=", + "lastModified": 1777004352, + "narHash": "sha256-SV+9PgNwZ8jHVCjK6YaCBzaheLSW7cDnm5DpOYrD8Vw=", "owner": "nix-community", "repo": "home-manager", - "rev": "d79c987e654347083e903ab6d2a89ed3d0752177", + "rev": "6012cf1fed3eba66115f3fd117b9be6bd2a15b2f", "type": "github" }, "original": { @@ -283,11 +283,11 @@ ] }, "locked": { - "lastModified": 1772461003, - "narHash": "sha256-pVICsV7FtcEeVwg5y/LFh3XFUkVJninm/P1j/JHzEbM=", + "lastModified": 1776511930, + "narHash": "sha256-fCpwFiTW0rT7oKJqr3cqHMnkwypSwQKpbtUEtxdkgrM=", "owner": "hyprwm", "repo": "hyprcursor", - "rev": "b62396457b9cfe2ebf24fe05404b09d2a40f8ed7", + "rev": "39435900785d0c560c6ae8777d29f28617d031ef", "type": "github" }, "original": { @@ -312,11 +312,11 @@ ] }, "locked": { - "lastModified": 1775496928, - "narHash": "sha256-Ds759WU03mGWtu3I43J+5GF5Ni8TvF+GYQUFD+fVeMo=", + "lastModified": 1776426399, + "narHash": "sha256-RUESLKNikIeEq9ymGJ6nmcDXiSFQpUW1IhJ245nL3xM=", "owner": "hyprwm", "repo": "hyprgraphics", - "rev": "cf95d93d17baa18f1d9b016b3afe27f820521a6e", + "rev": "68d064434787cf1ed4a2fe257c03c5f52f33cf84", "type": "github" }, "original": { 
@@ -342,11 +342,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1775828308, - "narHash": "sha256-mKW54+ilZNBVsU3GnzHhZUb041H7L/R8aPA0GD+1oKQ=", + "lastModified": 1776947531, + "narHash": "sha256-BnUJwexEDpt10Csws8UNq/34r5zaUl8oXNrDHd6oJVA=", "ref": "refs/heads/main", - "rev": "f7755322fc515108cc9eed8113c09492d4a352c1", - "revCount": 7141, + "rev": "b65714e3b8e123fb2febd507905d25fa6abd0400", + "revCount": 7171, "submodules": true, "type": "git", "url": "https://github.com/hyprwm/Hyprland" @@ -390,11 +390,11 @@ ] }, "locked": { - "lastModified": 1774710575, - "narHash": "sha256-p7Rcw13+gA4Z9EI3oGYe3neQ3FqyOOfZCleBTfhJ95Q=", + "lastModified": 1776426575, + "narHash": "sha256-KI6nIfVihn/DPaeB5Et46Xg3dkNHrrEtUd5LBBVomB0=", "owner": "hyprwm", "repo": "hyprland-guiutils", - "rev": "0703df899520001209646246bef63358c9881e36", + "rev": "a968d211048e3ed538e47b84cb3649299578f19d", "type": "github" }, "original": { @@ -444,11 +444,11 @@ ] }, "locked": { - "lastModified": 1772459629, - "narHash": "sha256-/iwvNUYShmmnwmz/czEUh6+0eF5vCMv0xtDW0STPIuM=", + "lastModified": 1776426736, + "narHash": "sha256-rl7i4aY+9p8LysJp7o8uRWahCkpFznCgGHXszlTw7b0=", "owner": "hyprwm", "repo": "hyprlang", - "rev": "7615ee388de18239a4ab1400946f3d0e498a8186", + "rev": "7833ff33b2e82d3406337b5dcf0d1cec595d83e9", "type": "github" }, "original": { @@ -521,11 +521,11 @@ ] }, "locked": { - "lastModified": 1774911391, - "narHash": "sha256-c4YVwO33Mmw+FIV8E0u3atJZagHvGTJ9Jai6RtiB8rE=", + "lastModified": 1776428866, + "narHash": "sha256-XfRlBolGtjvalTHJp3XvvpYLBjkMhaZLLU0WqZ91Fcg=", "owner": "hyprwm", "repo": "hyprutils", - "rev": "e6caa3d4d1427eedbdf556cf4ceb70f2d9c0b56d", + "rev": "eedd60805cd96d4442586f2ba5fe51d549b12674", "type": "github" }, "original": { 
@@ -546,11 +546,11 @@ ] }, "locked": { - "lastModified": 1772459835, - "narHash": "sha256-978jRz/y/9TKmZb/qD4lEYHCQGHpEXGqy+8X2lFZsak=", + "lastModified": 1776430932, + "narHash": "sha256-Yv3RPiUvl7CAsJgwIVsqcj7akn1gLyJP1F/mocof5hA=", "owner": "hyprwm", "repo": "hyprwayland-scanner", - "rev": "0a692d4a645165eebd65f109146b8861e3a925e7", + "rev": "4c2fcc06dc9722c97dbb54ba649c69b18ce83d2e", "type": "github" }, "original": { @@ -575,11 +575,11 @@ ] }, "locked": { - "lastModified": 1775414057, - "narHash": "sha256-mDpHnf+MkdOxEqIM1TnckYYh9p1SXR8B3KQfNZ12M8s=", + "lastModified": 1776728575, + "narHash": "sha256-z9eGphrArEBpl1O/GCH0wlY6z4K9vA6yWh2gAS6qytU=", "owner": "hyprwm", "repo": "hyprwire", - "rev": "86012ee01b0fdd8bf3101ef38816f2efbee42490", + "rev": "f3a80888783702a39691b684d099e16b83ed4702", "type": "github" }, "original": { @@ -618,6 +618,22 @@ "type": "github" } }, + "nixos-hardware": { + "locked": { + "lastModified": 1776983936, + "narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1775423009, @@ -713,11 +729,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1775423009, - "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=", + "lastModified": 1776548001, + "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9", + "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc", "type": "github" }, "original": { 
@@ -729,11 +745,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1775811116, - "narHash": "sha256-t+HZK42pB6N+i5RGbuy7Xluez/VvWbembBdvzsc23Ss=", + "lastModified": 1776734388, + "narHash": "sha256-vl3dkhlE5gzsItuHoEMVe+DlonsK+0836LIRDnm6MXQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "54170c54449ea4d6725efd30d719c5e505f1c10e", + "rev": "10e7ad5bbcb421fe07e3a4ad53a634b0cd57ffac", "type": "github" }, "original": { @@ -791,6 +807,22 @@ "type": "github" } }, + "nixpkgs_8": { + "locked": { + "lastModified": 1772047000, + "narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { "flake-parts": "flake-parts_3", @@ -832,6 +864,24 @@ "type": "github" } }, + "opi-zero2w": { + "inputs": { + "nixpkgs": "nixpkgs_8" + }, + "locked": { + "lastModified": 1772415536, + "narHash": "sha256-dS4XyDDVCjGEFDX4zgaalQqMlfWL7JfeLGJpLwcAAFE=", + "owner": "virusdave", + "repo": "nixos-opi-zero2w", + "rev": "1337ecfb2443f059f8971eb89eae487fbc6b0dcc", + "type": "github" + }, + "original": { + "owner": "virusdave", + "repo": "nixos-opi-zero2w", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -842,11 +892,11 @@ ] }, "locked": { - "lastModified": 1775036584, - "narHash": "sha256-zW0lyy7ZNNT/x8JhzFHBsP2IPx7ATZIPai4FJj12BgU=", + "lastModified": 1776796298, + "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "4e0eb042b67d863b1b34b3f64d52ceb9cd926735", + "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad", "type": "github" }, "original": { 
@@ -864,9 +914,11 @@ "home-manager": "home-manager_2", "hyprland": "hyprland", "import-tree": "import-tree_2", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_4", "nixpkgs-us": "nixpkgs-us", "nixvim": "nixvim", + "opi-zero2w": "opi-zero2w", "sops-nix": "sops-nix" } }, @@ -877,11 +929,11 @@ ] }, "locked": { - "lastModified": 1775682595, - "narHash": "sha256-0E9PohY/VuESLq0LR4doaH7hTag513sDDW5n5qmHd1Q=", + "lastModified": 1776771786, + "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d2e8438d5886e92bc5e7c40c035ab6cae0c41f76", + "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598", "type": "github" }, "original": { @@ -948,11 +1000,11 @@ ] }, "locked": { - "lastModified": 1773601989, - "narHash": "sha256-2tJf/CQoHApoIudxHeJye+0Ii7scR0Yyi7pNiWk0Hn8=", + "lastModified": 1776608502, + "narHash": "sha256-UH8YoQxx4hFOm6qjMdjRQNRvSejFIR/wBZ8fW1p9sME=", "owner": "hyprwm", "repo": "xdg-desktop-portal-hyprland", - "rev": "a9b862d1aa000a676d310cc62d249f7ad726233d", + "rev": "4a293523d36dfa367e67ec304cc718ea66a8fec2", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 1616680..a52e34a 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + nixos-hardware.url = "github:nixos/nixos-hardware/master"; + + opi-zero2w.url = "github:virusdave/nixos-opi-zero2w"; + #opi-zero2w.url = "git+file:///home/nathan/Projects/tests/nixos-opi-zero2w"; + sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/features/default.nix b/modules/features/default.nix deleted file mode 100644 index 7ca891e..0000000 --- a/modules/features/default.nix +++ /dev/null 
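Review bot: The new `opi-zero2w` input sets no `inputs.nixpkgs.follows = "nixpkgs"`, so it pins its own nixpkgs — visible in the flake.lock hunk as the added `nixpkgs_8` entry tracking `nixos-25.11` — which means a second full nixpkgs tree to fetch, evaluate and keep patched alongside the main one. If the board repo genuinely needs its own nixpkgs that deserves a comment; otherwise `opi-zero2w = { url = "github:virusdave/nixos-opi-zero2w"; inputs.nixpkgs.follows = "nixpkgs"; };` mirrors the sops-nix input just below it. The commented-out `git+file:///home/nathan/...` line is a leftover local-development path and should be dropped rather than committed.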
@@ -1,96 +0,0 @@ -{ inputs, ... }: { - - flake.nixosModules.default = { config, lib, pkgs, ... }: { - - imports = [ - inputs.sops-nix.nixosModules.sops - ]; - - config = { - - nix = { - nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; - channel.enable = false; - settings = { - experimental-features = [ "nix-command" "flakes" ]; - builders-use-substitutes = (config.sops.secrets ? "remoteBuildKey"); - - substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"]; - trusted-substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"]; - trusted-public-keys = lib.mkIf config.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="]; - }; - - distributedBuilds = lib.mkDefault (config.sops.secrets ? "remoteBuildKey"); - buildMachines = lib.mkIf (config.sops.secrets ? "remoteBuildKey") [ - { - hostName = "esotericbytes.com"; - sshUser = "remote-builder"; - sshKey = config.sops.secrets."remoteBuildKey".path; - supportedFeatures = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - ]; - systems = [ "x86_64-linux" "aarch64-linux" ]; - } - ]; - }; - - users.users."remote-builder" = lib.mkIf (builtins.any - (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) - (builtins.attrNames config.sops.secrets) - ) { - isNormalUser = true; - createHome = false; - }; - - sops.templates."remote-builder" = lib.mkIf (builtins.any - (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) - (builtins.attrNames config.sops.secrets) - ) { - content = builtins.concatStringsSep ''''\n'' (builtins.map - (y: config.sops.placeholder.${y}) - (builtins.filter - (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null) - (builtins.attrNames config.sops.secrets) - ) - ); - path = "/etc/ssh/authorized_keys.d/remote-builder"; - owner = "remote-builder"; - }; - - sops = { - age.keyFile = "/var/lib/sops/age/keys.txt"; - defaultSopsFormat = "yaml"; - }; - - programs.fuse.userAllowOther = true; - - 
home-manager = { - backupFileExtension = "backup"; - useUserPackages = true; - sharedModules = []; - }; - - time.timeZone = lib.mkDefault "America/Chicago"; - - i18n = lib.mkDefault { - defaultLocale = "en_US.UTF-8"; - - extraLocaleSettings = { - LC_ADDRESS = "en_US.UTF-8"; - LC_IDENTIFICATION = "en_US.UTF-8"; - LC_MEASUREMENT = "en_US.UTF-8"; - LC_MONETARY = "en_US.UTF-8"; - LC_NAME = "en_US.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "en_US.UTF-8"; - LC_TELEPHONE = "en_US.UTF-8"; - LC_TIME = "en_US.UTF-8"; - }; - }; - }; - }; -} - diff --git a/modules/features/ethdhcp.nix b/modules/features/ethdhcp.nix new file mode 100644 index 0000000..3197dcd --- /dev/null +++ b/modules/features/ethdhcp.nix @@ -0,0 +1,32 @@ +{ ... }: { + + flake.nixosModules.ethdhcp = { config, lib, ... }: { + + networking.firewall.interfaces."eno1" = { + allowedUDPPorts = [ 53 67 68 ]; + allowedTCPPorts = [ 53 67 68 ]; + }; + + networking = { + interfaces."eno1" = { + ipv4.addresses = [{ address = "192.168.121.1"; prefixLength = 24; }]; + }; + + nat = { + enable = true; + internalInterfaces = [ "eno1" ]; + externalInterface = "wlo1"; + }; + }; + + services.dnsmasq = { + enable = true; + settings = { + interface = "eno1"; + dhcp-range = [ "192.168.121.2,192.168.121.2,1h" ]; + }; + }; + + networking.networkmanager.unmanaged = [ "eno1" ]; + }; +} diff --git a/modules/features/gitea.nix b/modules/features/gitea.nix index a32c4c1..ea0d27c 100644 --- a/modules/features/gitea.nix +++ b/modules/features/gitea.nix @@ -80,6 +80,13 @@ repository = { DEFAULT_BRANCH = "master"; }; + + migrations = { + ALLOWED_DOMAINS = "*"; + ALLOW_LOCALNETWORKS = true; + SKIP_TLS_VERIFY = true; + BLOCKED_DOMAINS = ""; + }; }; database = { 
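Review bot: `allowedTCPPorts = [ 53 67 68 ];` opens TCP 67/68 on eno1 although DHCP runs over UDP only, so those two TCP ports are exposure with no listener behind them; `allowedTCPPorts = [ 53 ];` is all DNS needs. The same pair appears in the hotspot.nix hunk for wlo1. With `interface = "eno1"` alone dnsmasq still binds the wildcard address and filters by interface; adding `bind-interfaces = true;` to `settings` makes it listen on eno1 only, which is worth confirming against the running service. The `dhcp-range` start and end are the same address, which hands out exactly one lease — fine if a single device is intended, but a comment saying so would help.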
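Review bot: The new `migrations` block turns off every guard Gitea has around repository migration: `ALLOWED_DOMAINS = "*"` combined with `ALLOW_LOCALNETWORKS = true` lets a migration request be pointed at any host on the internal docker and LAN networks, and `SKIP_TLS_VERIFY = true` disables certificate checks on whatever it fetches from. If the goal is to migrate from one known host, limit it to that host and keep TLS verification, e.g. `ALLOWED_DOMAINS = "<migration-source-host>";` (placeholder) with `SKIP_TLS_VERIFY = false;`, or document why the wide-open setting is needed and treat it as temporary. The enclosing `settings` attribute set begins and ends outside this hunk.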
@@ -119,6 +126,26 @@ config = { networking.firewall.allowedTCPPorts = [ 2222 ]; + sops.secrets = { + "gitea/dbpass" = {}; + }; + + sops.templates."gitea.env".content = '' + USER_UID=1000 + USER_GID=1000 + GITEA__database__DB_TYPE=postgres + GITEA__database__HOST=${name}-db:5432 + GITEA__database__NAME=gitea + GITEA__database__USER=gitea + GITEA__database__PASSWD=${config.sops.placeholder."gitea/dbpass"} + ''; + + sops.templates."gitea-db.env".content = '' + POSTGRES_USER=gitea + POSTGRES_DB=gitea + POSTGRES_PASSWORD=${config.sops.placeholder."gitea/dbpass"} + ''; +>>>>>>> dev virtualisation.oci-containers.containers."${name}" = { image = "docker.gitea.com/gitea:1.25.4"; @@ -134,7 +161,7 @@ labels = { "traefik.enable" = "true"; - "traefik.http.routers.${name}.entrypoints" = "localsecure"; + "traefik.http.routers.${name}.entrypoints" = "websecure"; "traefik.http.routers.${name}.rule" = "Host(`${subdomain}.esotericbytes.com`)"; "traefik.http.routers.${name}.service" = "${name}"; "traefik.http.routers.${name}.tls.certResolver" = "cloudflare"; @@ -153,15 +180,20 @@ ]; extraOptions = [ - "--ip=192.168.101.20" + "--ip=192.168.101.25" ]; volumes = [ - "vol_gitea:/data" + "/etc/gitea/data:/data" ]; - environment = { - }; + environmentFiles = [ + config.sops.templates."gitea.env".path + ]; + + dependsOn = [ + "${name}-db" + ]; }; virtualisation.oci-containers.containers."${name}-db" = { @@ -183,15 +215,16 @@ ]; extraOptions = [ - "--ip=192.168.101.21" + "--ip=192.168.101.26" ]; volumes = [ "/etc/gitea/db:/var/lib/postgresql/data" ]; - environment = { - }; + environmentFiles = [ + config.sops.templates."gitea-db.env".path + ]; }; systemd.services."docker-gitea" = { @@ -203,12 +236,10 @@ }; after = [ "docker-network-setup.service" - "docker-volume-gitea.service" "docker-gitea-db.service" ]; requires = [ "docker-network-setup.service" - "docker-volume-gitea.service" "docker-gitea-db.service" ]; partOf = [ 
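Review bot: `+>>>>>>> dev` is a leftover merge-conflict marker committed as a source line right after the `gitea-db.env` template, and it will make gitea.nix fail to parse; delete that line. `"gitea/dbpass" = {};` is declared without a `sopsFile`, so it relies on `sops.defaultSopsFile` being set by whichever host imports this module — presumably the per-host secrets.yaml, worth confirming. With `dependsOn = [ "${name}-db" ];` now present, the hand-written `after`/`requires` entries for `docker-gitea-db.service` in the later hunk should duplicate what oci-containers generates, which is harmless but could be trimmed.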
@@ -239,21 +270,6 @@ "docker-compose-gitea-root.target" ]; }; - - systemd.services."docker-volume-gitea" = { - path = [ pkgs.docker ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - docker volume inspect vol_gitea || docker volume create vol_gitea --driver=local - ''; - partOf = [ "docker-compose-gitea-root.target" ]; - wantedBy = [ "docker-compose-gitea-root.target" ]; - }; - }; }; - } diff --git a/modules/features/home-manager.nix b/modules/features/home-manager.nix new file mode 100644 index 0000000..ac24bcd --- /dev/null +++ b/modules/features/home-manager.nix @@ -0,0 +1,21 @@ +{ inputs, ... }: { + + flake.nixosModules.default = { config, lib, pkgs, ... }: { + + imports = [ + inputs.home-manager.nixosModules.default + ]; + + config = { + + programs.fuse.userAllowOther = true; + + home-manager = { + backupFileExtension = "backup"; + useUserPackages = true; + sharedModules = []; + }; + }; + }; +} + diff --git a/modules/features/hotspot.nix b/modules/features/hotspot.nix new file mode 100644 index 0000000..cfd1931 --- /dev/null +++ b/modules/features/hotspot.nix 
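Review bot: This file, locale.nix and nix.nix each define `flake.nixosModules.default`, so the `default` module is now assembled from three files and only works because the flake-parts option type presumably merges repeated definitions as module imports; the split is reasonable, but a reader opening any one file sees what looks like a complete definition. A one-line comment above each, such as `# Part of nixosModules.default; merged with the other modules/features/*.nix that define it`, makes the intent explicit. The inner module takes `config, lib, pkgs` but uses none of them; `{ ... }: {` would do.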
@@ -0,0 +1,55 @@ +{ ... }: { + + flake.nixosModules.hotspot = { config, lib, ... }: { + + networking.firewall.interfaces."wlo1" = { + allowedUDPPorts = [ 53 67 68 ]; + allowedTCPPorts = [ 53 67 68 ]; + }; + + networking = { + interfaces."wlo1" = { + ipv4.addresses = [{ address = "192.168.121.1"; prefixLength = 24; }]; + }; + + nat = { + enable = true; + internalInterfaces = [ "wlo1" ]; + externalInterface = "eno1"; + }; + }; + + services.dnsmasq = { + enable = true; + settings = { + interface = "wlo1"; + dhcp-range = [ "192.168.121.2,192.168.121.10,1h" ]; + }; + }; + + sops.secrets."hotspotPass".sopsFile = ./secrets.yaml; + + services.hostapd = { + enable = true; + + radios.wlo1 = { + networks.wlo1 = { + ssid = "laptopHotspot"; + authentication.saePasswords = [{ passwordFile = "${config.sops.secrets."hotspotPass".path}"; }]; + }; + + countryCode = "US"; + + band = "2g"; + + channel = 7; + + wifi4 = { + enable = true; + }; + }; + }; + + networking.networkmanager.unmanaged = [ "wlo1" ]; + }; +} diff --git a/modules/features/hyprland.nix b/modules/features/hyprland.nix index ab2d231..fdcc035 100644 --- a/modules/features/hyprland.nix +++ b/modules/features/hyprland.nix @@ -22,6 +22,8 @@ portalPackage = inputs.hyprland.packages.${system}.xdg-desktop-portal-hyprland; }; + + programs.partition-manager.enable = true; }; }; } diff --git a/modules/features/locale.nix b/modules/features/locale.nix new file mode 100644 index 0000000..394527e --- /dev/null +++ b/modules/features/locale.nix 
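Review bot: `passwordFile = "${config.sops.secrets."hotspotPass".path}";` wraps an already-string path in an interpolation; `passwordFile = config.sops.secrets."hotspotPass".path;` is the direct form. The network configures only `saePasswords`, so with the hostapd module's default authentication mode this is a WPA3-SAE-only network and WPA2-only clients will not be able to join — if that is deliberate, a short comment saves the next person a debugging session; if not, `authentication.mode = "wpa3-sae-transition";` is the module's mixed-mode setting, as I read it. Keeping the passphrase in sops rather than inline is the right pattern and worth keeping as the hotspot grows.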
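Review bot: `programs.partition-manager.enable = true;` installs a disk-partitioning GUI backed by a root helper, and placing it in the hyprland module means every host that imports hyprland — including the ISO per the iso/configuration.nix hunk — now gets it; the laptop hunk removes the same line from the host config, so this is a move rather than a new dependency, but the compositor module is an odd home for it. A separate feature module, or leaving it in the laptop host config, keeps hyprland to display-stack concerns and the ISO to what an installer needs.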
@@ -0,0 +1,27 @@ +{ ... }: { + + flake.nixosModules.default = { config, lib, pkgs, ... }: { + + config = { + + time.timeZone = lib.mkDefault "America/Chicago"; + + i18n = lib.mkDefault { + defaultLocale = "en_US.UTF-8"; + + extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + }; + }; + }; +} + diff --git a/modules/features/n8n.nix b/modules/features/n8n.nix index 25e358a..88a9747 100644 --- a/modules/features/n8n.nix +++ b/modules/features/n8n.nix @@ -42,7 +42,7 @@ ]; extraOptions = [ - "--ip=192.168.101.2" + "--ip=192.168.101.14" ]; volumes = [ diff --git a/modules/features/netbird/netbird.nix b/modules/features/netbird/netbird.nix index 95a0dc1..c8ffedc 100644 --- a/modules/features/netbird/netbird.nix +++ b/modules/features/netbird/netbird.nix @@ -31,6 +31,32 @@ }; }; + flake.nixosModules.netbird-sbc = { config, lib, pkgs, ... }: { + + config = let + pkgs-us = import inputs.nixpkgs-us { + system = "x86_64-linux"; + }; + in { + + sops.secrets."netbirdKey".sopsFile = ./../secrets.yaml; + + services.netbird = { + enable = lib.mkDefault true; + + clients.default = { + port = 51820; + name = "netbird"; + interface = "wt0"; + hardened = false; + }; + + package = pkgs-us.netbird; + #package = pkgs.netbird; + }; + }; + }; + flake.nixosModules.netbird-docker = { config, lib, pkgs, ... }: { imports = [ @@ -218,6 +244,7 @@ extraOptions = [ "--network-alias=signal" "--network=docker-main" + "--ip=192.168.101.2" ]; }; systemd.services."docker-netbird-signal" = { diff --git a/modules/features/nix.nix b/modules/features/nix.nix new file mode 100644 index 0000000..0e9cd2c --- /dev/null +++ b/modules/features/nix.nix 
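Review bot: `netbird-sbc` hard-codes `system = "x86_64-linux"` when importing `inputs.nixpkgs-us`, yet the pi4 hunk imports this module and the laptop hunk adds `binfmt.emulatedSystems = [ "aarch64-linux" ]`, which points at an aarch64 target where an x86_64 netbird package would not run. Use the host's platform instead, `pkgs-us = import inputs.nixpkgs-us { system = pkgs.stdenv.hostPlatform.system; };`, or pass `localSystem`/`crossSystem` explicitly if cross-building is intended. `hardened = false;` switches off the netbird client's systemd sandboxing as I read the module, so the reason belongs in a comment since the default is the safer setting. The commented-out `#package = pkgs.netbird;` line is dead code.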
@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+
+ flake.nixosModules.default = { config, lib, pkgs, ... }: {
+
+ config = {
+
+ nix = {
+ nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+ channel.enable = false;
+ settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+
+ substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
+ trusted-substituters = lib.mkIf config.programs.hyprland.enable ["https://hyprland.cachix.org"];
+ trusted-public-keys = lib.mkIf config.programs.hyprland.enable ["hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="];
+ };
+ };
+ };
+ };
+}
+
diff --git a/modules/features/remoteBuilds.nix b/modules/features/remoteBuilds.nix
new file mode 100644
index 0000000..429c8bc
--- /dev/null
+++ b/modules/features/remoteBuilds.nix
@@ -0,0 +1,61 @@
+{ inputs, ... }: {
+
+ flake.nixosModules.sops = { config, lib, ... }: {
+
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ config = {
+
+ nix = {
+ settings = {
+ builders-use-substitutes = (config.sops.secrets ? "remoteBuildKey");
+
+ };
+
+ distributedBuilds = lib.mkDefault (config.sops.secrets ? "remoteBuildKey");
+
+ buildMachines = lib.mkIf (config.sops.secrets ? "remoteBuildKey") [
+ {
+ hostName = "esotericbytes.com";
+ sshUser = "remote-builder";
+ sshKey = config.sops.secrets."remoteBuildKey".path;
+ supportedFeatures = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ ];
+ systems = [ "x86_64-linux" "aarch64-linux" ];
+ }
+ ];
+
+ };
+
+ users.users."remote-builder" = lib.mkIf (builtins.any
+ (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
+ (builtins.attrNames config.sops.secrets)
+ ) {
+ isNormalUser = true;
+ createHome = true;
+ home = "/tmp/remote-builder";
+ };
+
+ sops.templates."remote-builder" = lib.mkIf (builtins.any
+ (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
+ (builtins.attrNames config.sops.secrets)
+ ) {
+ content = builtins.concatStringsSep ''''\n'' (builtins.map
+ (y: config.sops.placeholder.${y})
+ (builtins.filter
+ (x: (builtins.match "^remoteBuildClientKeys/.+" x) != null)
+ (builtins.attrNames config.sops.secrets)
+ )
+ );
+ path = "/etc/ssh/authorized_keys.d/remote-builder";
+ owner = "remote-builder";
+ };
+ };
+ };
+}
diff --git a/modules/features/secrets.yaml b/modules/features/secrets.yaml
index 561990b..e26a760 100644
--- a/modules/features/secrets.yaml
+++ b/modules/features/secrets.yaml
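Review bot: This file defines `flake.nixosModules.sops`, the same attribute the new sops.nix defines, while the pi4 hunk imports a module named `remoteBuilds` that no hunk in this diff defines; the attribute name here looks like a copy-paste slip and should be `flake.nixosModules.remoteBuilds = { config, lib, ... }: {`, with the `inputs.sops-nix.nixosModules.sops` import left to sops.nix. `home = "/tmp/remote-builder"` with `createHome = true` puts the remote-builder account's home — the account whose `authorized_keys.d` file grants remote-build SSH access — under a world-writable, tmpfiles-cleaned directory; a dedicated path such as `/var/lib/remote-builder`, or `createHome = false` with `home = "/var/empty"`, avoids that. The deleted default.nix had `createHome = false`, so this is a behavioural change worth noting in the commit message.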
@@ -2,6 +2,7 @@ remoteBuildClientKeys: laptop: ENC[AES256_GCM,data:SZRAZ36nSueWVLcdvpgZpltp/aORqAObFWhgqtIrTYccoK/3F7l0J+VJzF51FASa6spbGJL2BSbzOygyal609pvJc9Hb9bIN85GMzV1P4lha62iC8dkuVLXezPU=,iv:veQJxL4QTxFg2UKm2+I3RQXyuwW2rXEV/gXIQ7nBtlY=,tag:9C9Ltzwz823yY029p9K41A==,type:str] pi4: ENC[AES256_GCM,data:zT7V70DbBj5OIl5dTkUjvdqrxSiPcc+oFvL7R2ZAuytSQWdo9MR+WuuhN1Zeo0Ho9eGcbS+Qwr/Vs+yIYU+XaUlgawHM6aiUXoQmQE/yJFOPYUcmi0R4mxD0nkPZ0w==,iv:HQ+bxpeHZq9cezF6omZ1OMecfOw74pXzBujndhXnLPM=,tag:AM5O21nYzb4xzybOPvBwRg==,type:str] android: ENC[AES256_GCM,data:srkEb7oAxcN5++sTWQo43C8M4JNpfeeJlcGLGUA6gp74kcES1HnIs87ZtCik121oMSYD15LZ8p/x/AV2QdGMobQFxoMQ2NEehhP66n2EoXcEos3BXqUlbphiBGMRfVK9+w==,iv:bmDbVfVSZLU+EsZh/GBBY9QVcfHZJB9gLZYeI3NYoGY=,tag:biE4/DN7z2wRyFBjK7vEnQ==,type:str] +hotspotPass: ENC[AES256_GCM,data:str2NCiO3mkWQiNWC1fouqHl,iv:gtwKki5hs9PHMzrK516QxZ4iLx8raIV7vCdJ7RpPd/E=,tag:j+Yw431Mghqt//bFUQnSSA==,type:str] sops: age: - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q @@ -31,7 +32,7 @@ sops: NXNhczV5Y3o3dmJ2RVk3eDBRd1FDdEkK4ELlB6suN3R3GJ6XRQCvE9mgiXUOMFs3 Yi+VfJTi3pkUQEi8MZP64Nl6IR5dXjUoPXFhBNcplmLf09JDjH4LJQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-26T22:28:31Z" - mac: ENC[AES256_GCM,data:hTEenm/UO84leu7alRdWlicKKrwNlaRR7ZQzhDtOCUcXemvwe30WkSq2mdzOnSo0uMSg1HZIlna8oRUd31ENe1aWfl69PlYPxEicmN5UHykVboXydw6m0yPoAqHj+nqG/vkWsVp0JN8HvTc59mzD+1DfydhJA3m0juaa81w5GsY=,iv:HBkE78QhX1wZANpvDW7nOIOTKBdCv0/dUc1Xv5+OQmQ=,tag:6I2z8MgZxnXjqd4iikA9nQ==,type:str] + lastmodified: "2026-04-24T23:13:22Z" + mac: ENC[AES256_GCM,data:m/4/y5r+BTeq5AtR6u3+vKxgTopGu+kIOGjaKMtNp/SSY1x086hzBfnB8p3BtLFijxYVrEqM/4JxvKU3m41jOtx4/1oSM/BXjHRUl+7diDSOcBaBtJMH2xam2b7Jlg4J0bW4ai3QnEQVF1A00dcmmEUqa/LZInFYSOXjB+FICCo=,iv:RcqpkSk8BSkcreVG1cY5f2OukCgcT36vqCyOfqoNXIs=,tag:aIDe4Tv5BygBYbyQ8GGr5Q==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.12.1 
diff --git a/modules/features/sops.nix b/modules/features/sops.nix new file mode 100644 index 0000000..dfaee86 --- /dev/null +++ b/modules/features/sops.nix @@ -0,0 +1,21 @@ +{ inputs, ... }: { + + flake.nixosModules.sops = { config, lib, ... }: { + + imports = [ + inputs.sops-nix.nixosModules.sops + ]; + + config = { + + sops = { + age = { + keyFile = "/var/lib/sops/age/keys.txt"; + #generateKey = true; + }; + + defaultSopsFormat = "yaml"; + }; + }; + }; +} diff --git a/modules/features/traefik/config/routing.yml b/modules/features/traefik/config/routing.yml index 60acba4..a555b40 100644 --- a/modules/features/traefik/config/routing.yml +++ b/modules/features/traefik/config/routing.yml @@ -8,7 +8,7 @@ http: rule: "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)" service: "homepage" middlewares: - - authentik + - authentik@docker tls: certResolver: "cloudflare" @@ -20,15 +20,6 @@ http: tls: certResolver: "cloudflare" - gitea: - entryPoints: - - "localsecure" - - "websecure" - rule: "Host(`gitea.esotericbytes.com`)" - service: "gitea" - tls: - certResolver: "cloudflare" - octoprint: entryPoints: - "localsecure" @@ -49,27 +40,9 @@ http: servers: - url: "http://192.168.100.31:4444" - gitea: - loadBalancer: - servers: - - url: "http://192.168.100.20:3000" - octoprint: loadBalancer: servers: - url: "http://rpi-3dp.local" passHostHeader: true -tcp: - routers: - gitea-ssh: - entryPoints: - - "gitea-ssh" - rule: "HostSNI(`*`)" - service: "gitea-ssh" - - services: - gitea-ssh: - loadBalancer: - servers: - - address: "192.168.100.20:2222" diff --git a/modules/hosts/homebox/secrets.yaml b/modules/hosts/homebox/secrets.yaml index b42abac..64f0c47 100644 --- a/modules/hosts/homebox/secrets.yaml +++ b/modules/hosts/homebox/secrets.yaml 
@@ -14,6 +14,7 @@ keycloak: dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str] netbird: secret_key: ENC[AES256_GCM,data:isJHGh/InvgJUSqISqxpWhZH0OMN/QG7WBbSS7WqHaWTdfZDBOh//PBP8g==,iv:j0D6feM3qnDjXijXRHgZPboFLHzPwWIhT5bYz3M+QMU=,tag:pOHRxOEdOUrL3n6DgqGDsA==,type:str] +netbirdKey: ENC[AES256_GCM,data:NSOx62QO2/BMgsV6B+Bi20XN1s8PUYDogRVj4XXYeqhF2QZE,iv:FiJzCpy+4Et58KJlG25A/GqeYscFQ9yzLj5i1ZEVDos=,tag:nlviBvsFJBGsAmwVt3agTg==,type:str] gitlab: db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str] root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str] @@ -38,7 +39,7 @@ sops: S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-01T12:56:37Z" - mac: ENC[AES256_GCM,data:clu/WnwHAQaowQ99Z8tNlIKKcVnLHYeYsgQK0meftXgiQKnLyLzqNipwfaU3qjITdm6fB7wY+TcySygpwFbY2f2TKrqAk7RxdnTFa61vQDqMF7rYPG90Ub79P+R5URZI8yjv69Hmrav0Y6z92vH8ItbPSRBLtgrbYZx36IFq0LU=,iv:qzBVA0xATM979tzu6cTvMrX77firvA5K0WU2hoUggoA=,tag:Fm3IqH0GUHBq9Din6ZW6ng==,type:str] + lastmodified: "2026-04-26T03:37:06Z" + mac: ENC[AES256_GCM,data:gFZhelYC2ToiyRQmX2XiEmmMy3XeSFiF9EARogNcEIv+V/3Z4jKIDGwIvnP94s9ylgb+VZ2IoJLYb6zYSgYx/muOCoeoLifNwZOO+zA2hEgUf0kAhsM08HkuuwvifPwBZXO0P3VXTfP21QymetYVstX9ifYT3K5BIB2m9Unudu0=,iv:+Pr8idIxArX7eQEQaxigjhAGEOQRl7pz3p182yh6+Tg=,tag:qlpBKB4vg3BRFd/s+vDaDw==,type:str] unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.12.1 diff --git a/modules/hosts/iso/configuration.nix b/modules/hosts/iso/configuration.nix index ed81d84..bf42fb5 100644 --- a/modules/hosts/iso/configuration.nix +++ b/modules/hosts/iso/configuration.nix 
@@ -2,14 +2,19 @@ flake.nixosModules.iso = { lib, pkgs, modulesPath, ... }: { - imports = with inputs; [ + imports = with self.nixosModules; [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") + inputs.home-manager.nixosModules.default + self.nixosModules.default - self.nixosModules.aurora-greeter - - home-manager.nixosModules.default + aurora-greeter + hyprland + pipewire + avahi + netbird + openssh ]; @@ -32,9 +37,21 @@ ]; }; + environment.etc."wallpaper.jpg".source = ./../../users/nathan/home-manager/dotfiles/Wallpaper/bluescape.jpg; + + system.activationScripts."wallpaperInit" = { + text = '' + mkdir -p /tmp/aurora/wallpaper + cp /etc/wallpaper.jpg /tmp/aurora/wallpaper/wallpaper.jpg + ''; + }; + users.users.nixos.enable = lib.mkForce false; networking = { + + hostName = "iso"; + nameservers = [ "1.1.1.1" "1.0.0.1" ]; networkmanager.enable = true; }; diff --git a/modules/hosts/iso/default.nix b/modules/hosts/iso/default.nix index bc619bd..fdedc86 100644 --- a/modules/hosts/iso/default.nix +++ b/modules/hosts/iso/default.nix @@ -1,13 +1,14 @@ { self, inputs, ...}: { - perSystem = { config, system, pkgs, self', inputs', ... }: { + perSystem = { ... }: { packages.iso = self.nixosConfigurations.iso.config.system.build.isoImage; }; flake.nixosConfigurations.iso = inputs.nixpkgs.lib.nixosSystem { - modules = [ - self.nixosModules.iso + modules = with self.nixosModules; [ + iso + user-nathan ]; }; diff --git a/modules/hosts/laptop/configuration.nix b/modules/hosts/laptop/configuration.nix index 2ba04d0..ee91382 100644 --- a/modules/hosts/laptop/configuration.nix +++ b/modules/hosts/laptop/configuration.nix @@ -15,6 +15,7 @@ avahi netbird openssh + sops ]; config = { @@ -31,6 +32,7 @@ efi.canTouchEfiVariables = true; timeout = null; }; + binfmt.emulatedSystems = [ "aarch64-linux" ]; }; systemd.settings.Manager.DefaultLimitNOFILE = 2048; 
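Review bot: The new import list pulls in `inputs.home-manager.nixosModules.default` directly and also `self.nixosModules.default`, which per the new modules/features/home-manager.nix already imports the home-manager module, so the first of those lines is redundant; dropping it leaves a single place that decides how home-manager is wired in. Inside `with self.nixosModules;` the explicit `self.nixosModules.default` can simply be `default`, matching the other entries. The `imports` list closes inside the hunk, but the enclosing module continues past it.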
@@ -47,7 +49,6 @@ }; - programs.partition-manager.enable = true; services.pulseaudio.enable = false; environment.systemPackages = with pkgs; [ @@ -81,7 +82,7 @@ ]; networkmanager = { enable = true; - dns = "none"; + #dns = "none"; }; useDHCP = false; dhcpcd.enable = false; @@ -89,6 +90,14 @@ services.openssh.openFirewall = false; + specialisation = { + ethdhcp = { + configuration = with self.nixosModules; lib.mkMerge [ + ethdhcp + ]; + }; + }; + fonts.packages = with pkgs; [ nerd-fonts.fira-code ]; diff --git a/modules/hosts/pi4/configuration.nix b/modules/hosts/pi4/configuration.nix index 4a22b06..ea24734 100644 --- a/modules/hosts/pi4/configuration.nix +++ b/modules/hosts/pi4/configuration.nix 
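Review bot: `configuration = with self.nixosModules; lib.mkMerge [ ethdhcp ];` wraps a single module in `mkMerge`, which is meant for merging option values rather than listing modules, and works only because the module system flattens the merge into a plain definition; `configuration = { imports = [ self.nixosModules.ethdhcp ]; };` is the conventional form and is also where further modules would go. The `#dns = "none";` line in the earlier hunk is a commented-out setting with no note on why it was disabled — either remove it or explain it, since whether NetworkManager manages resolv.conf matters for the ethdhcp and hotspot dnsmasq setups.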
@@ -1,87 +1,50 @@ -{ inputs, ... }: { +{ self, inputs, ... }: { - flake.nixosModules.pi4 = { config, pkgs, ... }: { + flake.nixosModules.pi4-install-sd = { config, pkgs, modulesPath, ... }: { - imports = [ - inputs.disko.nixosModules.default + imports = with self.nixosModules; [ + + (modulesPath + "/installer/sd-card/sd-image-aarch64.nix") + pi4-core - inputs.home-manager.nixosModules.default ]; config = { - boot = { - loader = { - grub.enable = false; - generic-extlinux-compatible.enable = true; - }; - }; + }; + }; - networking = { - hostName = "pi4"; - nameservers = [ "1.1.1.1" "1.0.0.1" ]; - networkmanager.enable = true; - }; + flake.nixosModules.pi4-install-disko = { config, pkgs, ... }: { - time.timeZone = "America/Chicago"; + imports = with self.nixosModules; [ + inputs.disko.nixosModules.default - i18n.defaultLocale = "en_US.UTF-8"; + pi4-core - i18n.extraLocaleSettings = { - LC_ADDRESS = "en_US.UTF-8"; - LC_IDENTIFICATION = "en_US.UTF-8"; - LC_MEASUREMENT = "en_US.UTF-8"; - LC_MONETARY = "en_US.UTF-8"; - LC_NAME = "en_US.UTF-8"; - LC_NUMERIC = "en_US.UTF-8"; - LC_PAPER = "en_US.UTF-8"; - LC_TELEPHONE = "en_US.UTF-8"; - LC_TIME = "en_US.UTF-8"; - }; + self.diskoConfigurations.pi4 + ]; - hardware = { - bluetooth.enable = true; + config = { - }; + }; + }; - programs.zsh.enable = true; + flake.nixosModules.pi4 = { config, pkgs, ... 
}: { - environment.shells = with pkgs; [ zsh ]; + imports = with self.nixosModules; [ - users = { - groups.gpio = {}; - }; + pi4-core - services = { - udev.extraRules = '' - SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660" - SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'" - SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'" - ''; + netbird-sbc + remoteBuilds + sops + ]; - pulseaudio = { - enable = true; - extraConfig = '' - load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 - ''; - }; - - }; + config = { sops = { - age.keyFile = "/var/lib/sops/age/keys.txt"; defaultSopsFile = ./secrets.yaml; - defaultSopsFormat = "yaml"; }; - - - fonts.packages = with pkgs; [ nerd-fonts.fira-code ]; - - sound.enable = true; - - security.rtkit.enable = true; - - system.stateVersion = "25.05"; }; }; } diff --git a/modules/hosts/pi4/core.nix b/modules/hosts/pi4/core.nix new file mode 100644 index 0000000..eaf1256 --- /dev/null +++ b/modules/hosts/pi4/core.nix 
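Review bot: The removed `age.keyFile = "/var/lib/sops/age/keys.txt"` is not carried into the new `sops` module (`modules/users/nathan/sops.nix`, later in this diff), so on `pi4` and `z2w` sops-nix falls back to its default key source, the host's SSH key. Unless that host key is one of the three age recipients listed in the new `secrets.yaml`, the `neededForUsers` secret fails to decrypt during activation, and because `hashedPasswordFile` is then already non-null the literal-hash fallback in `user-nathan` does not apply either. If the age key file is still the intended identity on these boards, restore it in `sops.nix` with `sops.age.keyFile = lib.mkDefault "/var/lib/sops/age/keys.txt";`, otherwise add the boards' host keys as recipients and re-encrypt. The dropped `defaultSopsFormat = "yaml"` is harmless, as yaml is sops-nix's default.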
@@ -0,0 +1,72 @@ +{ self, inputs, ... }: { + + flake.nixosModules.pi4-core = { config, pkgs, ... }: { + + imports = with self.nixosModules; [ + + inputs.home-manager.nixosModules.default + + self.nixosModules.default + user-nathan + avahi + openssh + ]; + + config = { + + boot = { + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + kernelParams = [ "snd_bcm2835.enable_hdmi=1" "snd_bcm2835.enable_headphones=1" ]; + }; + + networking = { + hostName = "pi4"; + nameservers = [ "1.1.1.1" "1.0.0.1" ]; + networkmanager.enable = true; + }; + + hardware = { + bluetooth.enable = true; + + }; + + programs.zsh.enable = true; + + environment.shells = with pkgs; [ zsh ]; + + environment.systemPackages = with pkgs; [ + libraspberrypi + raspberrypi-eeprom + ]; + + users = { + groups.gpio = {}; + }; + + services = { + udev.extraRules = '' + SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660" + SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'" + SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'" + ''; + + pulseaudio = { + enable = true; + extraConfig = '' + load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 + ''; + }; + + }; + + fonts.packages = with pkgs; [ nerd-fonts.fira-code ]; + + security.rtkit.enable = true; + + system.stateVersion = "25.11"; + }; + }; +} diff --git a/modules/hosts/pi4/default.nix b/modules/hosts/pi4/default.nix index 90c104a..2128487 100644 --- a/modules/hosts/pi4/default.nix +++ b/modules/hosts/pi4/default.nix 
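Review bot: `system.stateVersion = "25.11"` in `pi4-core` changes the value for the existing `pi4` host, whose removed configuration in the previous hunk carried `"25.05"`; stateVersion pins defaults for stateful services and is meant to stay at the release the system was first installed with. Keep `system.stateVersion = "25.05";` for the deployed board — if `pi4-core` is also meant to be the base of the fresh install images, set stateVersion in the `pi4` module instead so the images can use the current release. The GPIO udev rules and the loopback-only `module-native-protocol-tcp auth-ip-acl=127.0.0.1` line are moved over unchanged, so they add no new exposure.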
@@ -1,12 +1,48 @@ { self, inputs, ... }: { - - flake.nixosConfigurations."pi4" = inputs.nixpkgs.lib.nixosSystem { + + perSystem = { ... }: { + packages.pi4-sd = self.nixosConfigurations.pi4-install-sd.config.system.build.sdImage; + }; + + flake.nixosConfigurations.pi4 = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; modules = [ self.nixosModules.pi4 self.nixosModules.pi4-hardware - self.diskoConfigurations.pi4 + #self.diskoConfigurations.pi4 ]; }; + flake.nixosConfigurations.pi4-install = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = [ + self.nixosModules.pi4-core + self.nixosModules.pi4-hardware + ]; + }; + + flake.nixosConfigurations.pi4-install-sd = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = [ + self.nixosModules.pi4-install-sd + self.nixosModules.pi4-hardware + ]; + }; + + flake.nixosConfigurations.pi4-install-disko = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = [ + self.nixosModules.pi4-install-disko + self.nixosModules.pi4-hardware + self.diskoConfigurations.pi4 + ]; + }; } diff --git a/modules/hosts/z2w/configuration.nix b/modules/hosts/z2w/configuration.nix new file mode 100644 index 0000000..d8d80c9 --- /dev/null +++ b/modules/hosts/z2w/configuration.nix @@ -0,0 +1,35 @@ +{ self, ... }: { + + flake.nixosModules.z2w-install-sd = { config, pkgs, modulesPath, ... }: { + + imports = with self.nixosModules; [ + + (modulesPath + "/installer/sd-card/sd-image-aarch64.nix") + z2w-core + + ]; + + config = { + + }; + }; + + flake.nixosModules.z2w = { config, pkgs, ... }: { + + imports = with self.nixosModules; [ + + z2w-install-sd + + netbird-sbc + remoteBuilds + sops + ]; + + config = { + + sops = { + defaultSopsFile = ./secrets.yaml; + }; + }; + }; +} diff --git a/modules/hosts/z2w/core.nix b/modules/hosts/z2w/core.nix new file mode 100644 index 0000000..fd6b4ac --- /dev/null +++ b/modules/hosts/z2w/core.nix 
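Review bot: `flake.nixosModules.z2w` imports `z2w-install-sd`, so the deployed z2w system inherits the SD installer image module (`sd-image-aarch64.nix`) along with it, whereas the parallel `pi4` module imports `pi4-core` and leaves the installer module to `pi4-install-sd`. If the intent matches pi4, the import should be `z2w-core`; if the board is meant to keep the SD image layout at runtime, a one-line comment saying so will stop the next reader from "fixing" it. The empty `config = { };` in `z2w-install-sd` can be dropped.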
@@ -0,0 +1,66 @@ +{ self, inputs, ... }: { + + flake.nixosModules.z2w-core = { config, lib, pkgs, ... }: { + + imports = with self.nixosModules; [ + + inputs.home-manager.nixosModules.default + + self.nixosModules.default + user-nathan + avahi + openssh + ]; + + config = { + + /*boot = { + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + };*/ + + networking = { + hostName = lib.mkDefault "z2w"; + nameservers = [ "1.1.1.1" "1.0.0.1" ]; + #networkmanager.enable = true; + #wireless.enable = lib.mkForce false; + }; + + + /*hardware = { + bluetooth.enable = true; + + };*/ + + programs.zsh.enable = true; + + environment.shells = with pkgs; [ zsh ]; +/* + users = { + groups.gpio = {}; + }; + + services = { + udev.extraRules = '' + SUBSYSTEM=="bcm2835-gpiomem", KERNEL=="gpiomem", GROUP="gpio",MODE="0660" + SUBSYSTEM=="gpio", KERNEL=="gpiochip*", ACTION=="add", RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys/class/gpio/export /sys/class/gpio/unexport ; chmod 220 /sys/class/gpio/export /sys/class/gpio/unexport'" + SUBSYSTEM=="gpio", KERNEL=="gpio*", ACTION=="add",RUN+="${pkgs.bash}/bin/bash -c 'chown root:gpio /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value ; chmod 660 /sys%p/active_low /sys%p/direction /sys%p/edge /sys%p/value'" + ''; + + pulseaudio = { + enable = true; + extraConfig = '' + load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 + ''; + }; + + }; +*/ + fonts.packages = with pkgs; [ nerd-fonts.fira-code ]; + + system.stateVersion = "25.11"; + }; + }; +} diff --git a/modules/hosts/z2w/default.nix b/modules/hosts/z2w/default.nix new file mode 100644 index 0000000..82e7b05 --- /dev/null +++ b/modules/hosts/z2w/default.nix 
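Review bot: Roughly half of `z2w-core` is a commented-out copy of `pi4-core` (the boot loader, hardware, gpio and pulseaudio blocks); kept in `/* */` it will drift from the pi4 version, and the `bcm2835` udev rules it carries are specific to that board anyway. Either delete the dead blocks or move the genuinely shared pieces into a common module both cores import. The `#networkmanager.enable` / `#wireless.enable` lines under `networking` are the one place a comment earns its keep — a sentence on why NetworkManager is left off for this board would help.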
@@ -0,0 +1,26 @@ +{ self, inputs, ... }: { + + perSystem = { ... }: { + packages.z2w-sd = self.nixosConfigurations.z2w-install-sd.config.system.build.sdImage; + }; + + flake.nixosConfigurations.z2w = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = inputs.opi-zero2w.lib.withOpiZero2wEssentials [ + self.nixosModules.z2w + #self.nixosModules.z2w-hardware + ]; + }; + + flake.nixosConfigurations.z2w-install-sd = inputs.nixpkgs.lib.nixosSystem { + + system = "aarch64-linux"; + + modules = inputs.opi-zero2w.lib.withOpiZero2wInstallerEssentials [ + self.nixosModules.z2w-install-sd + #self.nixosModules.z2w-hardware + ]; + }; +} diff --git a/modules/users/nathan/home-manager/.sops.yaml b/modules/users/nathan/home-manager/.sops.yaml deleted file mode 100644 index 45c4006..0000000 --- a/modules/users/nathan/home-manager/.sops.yaml +++ /dev/null @@ -1,11 +0,0 @@ -keys: - - &homebox age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd - - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q - - &android age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74 -creation_rules: - - path_regex: ^secrets.yaml$ - key_groups: - - age: - - *laptop - - *homebox - - *android diff --git a/modules/users/nathan/home-manager/default.nix b/modules/users/nathan/home-manager/default.nix index 86f2b61..c0686c1 100644 --- a/modules/users/nathan/home-manager/default.nix +++ b/modules/users/nathan/home-manager/default.nix @@ -1,11 +1,8 @@ -{ self, inputs, ... }: { +{ self, ... }: { flake.homeModules.nathan = { config, lib, pkgs, ... }: { imports = with self.homeModules; [ - inputs.sops-nix.homeManagerModules.sops - - nathan-terminal nathan-mpd nathan-nh 
@@ -41,35 +38,8 @@ iconTheme.name = "rose-pine-moon"; }; - sops = { - age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; - defaultSopsFile = ./secrets.yaml; - defaultSopsFormat = "yaml"; - -#secrets."remoteBuildKey" = {}; - }; - services.mpris-proxy.enable = true; - programs.ssh = { - enable = true; - - matchBlocks = { - "builder" = { - hostname = "esotericbytes.com"; - user = "remote-builder"; - identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; - port = 22; - }; - - "remote" = { - hostname = "esotericbytes.com"; - user = "nathan"; - identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; - port = 22; - }; - }; - }; }; }; } diff --git a/modules/users/nathan/home-manager/features/git.nix b/modules/users/nathan/home-manager/features/git.nix index d3f2ff8..6393647 100644 --- a/modules/users/nathan/home-manager/features/git.nix +++ b/modules/users/nathan/home-manager/features/git.nix @@ -4,26 +4,9 @@ config = { - sops = { - secrets = { - "git/username" = {}; - "git/email" = {}; - }; - - templates.gitconfig.content = '' - [user] - name = "${config.sops.placeholder."git/username"}" - email = "${config.sops.placeholder."git/email"}" - ''; - }; - programs.git = { enable = true; - includes = [ - { path = "${config.sops.templates.gitconfig.path}"; } - ]; - settings = { init = { defaultBranch = "master"; @@ -38,6 +21,11 @@ ]; }; }; + + user = { + name = "Nathan"; + email = "nathanblunkall5@gmail.com"; + }; }; }; }; diff --git a/modules/users/nathan/home-manager/features/packages.nix b/modules/users/nathan/home-manager/features/packages.nix index dcd9c7e..08416cf 100644 --- a/modules/users/nathan/home-manager/features/packages.nix +++ b/modules/users/nathan/home-manager/features/packages.nix @@ -2,6 +2,11 @@ flake.homeModules.nathan = { config, lib, pkgs, ... }: { + options.olympus.packageSet = lib.mkOption { + type = lib.types.str; + default = "full"; + }; + config = with lib; mkMerge [ { 
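Review bot: The git identity that was previously kept encrypted through `sops.templates.gitconfig` is now committed in cleartext (`email = "nathanblunkall5@gmail.com"`); if the earlier encryption was deliberate, keep the template path, otherwise this is fine but is now permanently in history. The collapsed diff does not show whether the new `user = { ... }` attrset lands inside `programs.git.settings` or directly under `programs.git`; as far as I know Home Manager only reads it under `settings` (`settings.user.name`), so please confirm the nesting.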
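Review bot: `options.olympus.packageSet` is typed `lib.types.str` although the only values the commit uses are `"full"` (the default) and `"minimal"` (set in nathan.nix later in this diff); a typo in a host module would silently fall through to the full set. Tighten and document it: `type = lib.types.enum [ "full" "minimal" ];` plus `description = "Which nathan package set to install: full on workstations, minimal on the SBCs and the ISO.";`.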
@@ -17,17 +22,6 @@ unzip rsync curl - - (python314.withPackages (ps: with ps; [ - gpustat - numpy - matplotlib - scipy - pandas - pyaudio - pyusb - requests - ])) cava android-tools @@ -44,11 +38,6 @@ (mkIf config.wayland.windowManager.hyprland.enable { - nixpkgs.config = { - allowUnfree = true; - }; - - home.packages = with pkgs; [ grim @@ -56,13 +45,42 @@ wl-clipboard xfce.thunar blueberry + brightnessctl + libdbusmenu-gtk3 + ]; + }) + + (mkIf (pkgs.stdenv.hostPlatform.system == "x86_64-linux") { + + home.packages = with pkgs; [ + + (python314.withPackages (ps: with ps; [ + gpustat + numpy + matplotlib + scipy + pandas + pyaudio + pyusb + requests + ])) + + ]; + }) + + (mkIf (config.olympus.packageSet == "full") { + + nixpkgs.config = { + allowUnfree = true; + }; + + + home.packages = with pkgs; [ handbrake quickemu bottles - brightnessctl - libdbusmenu-gtk3 lmms #unfree { diff --git a/modules/users/nathan/home-manager/features/sops.nix b/modules/users/nathan/home-manager/features/sops.nix new file mode 100644 index 0000000..9530c68 --- /dev/null +++ b/modules/users/nathan/home-manager/features/sops.nix @@ -0,0 +1,23 @@ +{ inputs, ... }: { + + flake.homeModules.nathan-sops = { config, lib, pkgs, ... }: { + + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + + config = { + + sops = { + age = { + keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; + generateKey = true; + }; + + defaultSopsFormat = "yaml"; + +#secrets."remoteBuildKey" = {}; + }; + }; + }; +} diff --git a/modules/users/nathan/home-manager/features/ssh.nix b/modules/users/nathan/home-manager/features/ssh.nix index e149ded..d5ff552 100644 --- a/modules/users/nathan/home-manager/features/ssh.nix +++ b/modules/users/nathan/home-manager/features/ssh.nix 
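Review bot: `sops.age.generateKey = true` creates a fresh age key at `~/.config/sops/age/keys.txt` on any machine where the file is missing, and a freshly generated key is by construction not among the recipients of the existing secrets, so on such a machine decryption still fails — only now with a stray private key left behind that would have to be added to the recipient list and re-encrypted for. If the point is to bootstrap new machines, say so in a comment next to the line (`# new key: add its public half to .sops.yaml and re-encrypt`); otherwise drop it. The carried-over `#secrets."remoteBuildKey" = {};` comment is dead and can go.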
@@ -1,27 +1,41 @@ { ... }: { - flake.homeModules.nathan-terminal = { ... }: { + flake.homeModules.nathan-terminal = { config, ... }: { programs.ssh = { - enable = true; -# defaults as of 25.11 - matchBlocks."*" = { - forwardAgent = false; - addKeysToAgent = "no"; - compression = false; - serverAliveInterval = 0; - serverAliveCountMax = 3; - hashKnownHosts = false; - userKnownHostsFile = "~/.ssh/known_hosts"; - controlMaster = "no"; - controlPath = "~/.ssh/master-%r@%n:%p"; - controlPersist = "no"; - }; enableDefaultConfig = false; + matchBlocks = { + "*" = { + forwardAgent = false; + addKeysToAgent = "no"; + compression = false; + serverAliveInterval = 0; + serverAliveCountMax = 3; + hashKnownHosts = false; + userKnownHostsFile = "~/.ssh/known_hosts"; + controlMaster = "no"; + controlPath = "~/.ssh/master-%r@%n:%p"; + controlPersist = "no"; + }; + + "builder" = { + hostname = "esotericbytes.com"; + user = "remote-builder"; + identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; + port = 22; + }; + + "remote" = { + hostname = "esotericbytes.com"; + user = "nathan"; + identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; + port = 22; + }; + }; }; }; } diff --git a/modules/users/nathan/home-manager/secrets.yaml b/modules/users/nathan/home-manager/secrets.yaml deleted file mode 100644 index c521a86..0000000 --- a/modules/users/nathan/home-manager/secrets.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -git: - username: ENC[AES256_GCM,data:418z4cCK,iv:tgPmynsW8fEJs6n+OGfm6IypOjNNhVdVaqFImeKXpC4=,tag:V5zI47vb9FnSO/OWurbJ+A==,type:str] - email: ENC[AES256_GCM,data:xp6HlIO1pTgvrXpGAOQwl0UvcnY4zrLrmw==,iv:LzGkluWeSe8MQqPXQMnNOv062UY+BkQE1fGjGqd/nCg=,tag:Y9nwo+Hjcg4ea2GxGKWApA==,type:str] -sops: - age: - - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMktJdFhxRjhaT0MyZ0N3 - YVBMYlNkRnl1eU8zajZLWXRPajZzWDBGQWxVCkhMcEdsNlVKQ1VHR2hjZWdsR1gx - MkhCeVZGUDJwdkdDTiswRW40QjRRYWMKLS0tIENIN2pheisyR21YZkIzblVZZ1cw - bHpLWEdPdUc4d2ZSS1FjUDM0QWRQUWsKqvlH0oWHH/PhMDTYT5KhCTzaEffsf1jM - r0o60YUCe6pUFs0qPvOxEPM3bq+7MkUpH4eXVAw3tCov3nUkmwlVZg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5K3ovcmpPck1reGVPQ0lm - YTYvNGtaSk4vLzlYSW0rSkpHcjZWUnBMS2dBCmt3RU1PMkJ1VU5wNUc1NC9lbGFk - cjl6cXp6M292enFHckkyamwwaDRia2MKLS0tIGRUTzFGdDZFaS9LdkRjMW56U25B - emRDTncvNnlycHF3V2VJN3NlZTNVSjgK8RUx9qImdqjHBHisnwY+qRZ9vuafl3MN - jnJsIsKSdF51dWYskEMVnPYwn9HdOKkAh6amwSITcw3ZCcK7ftfT+g== - -----END AGE ENCRYPTED FILE----- - - recipient: age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWXVTSVQvNEhsMkQ2QkRl - SlZLTWN2eUdMa3MwdTBHZE8vdENKTTRKYVF3Ck01N2VNQUJPeHBwVHZTNWYzbXR5 - ZS9hUDQydy9nQnR0SVpiUHV6ejhPb0EKLS0tIEZKeXV5QnpZYzBCVDR3WjVSV2Vv - TmJkL3VUbTRLNGNISGhFaGpmaXJ1cDAKpiZ8Nfml0KFq46JRg+394BCyZmnpE4XC - zqxRrNlGH/EDp00q5/jN84vQA+bOhGHcScQpvRCDKMXehQn3H4jksw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-16T16:08:48Z" - mac: 
ENC[AES256_GCM,data:3/ztJNXhOIPqgQ47QxjM5KTeAJwXPpUuVtvI5/xJsMOOZhXYRt+uhL584F98rJiMHhnbsuGIZi+jGlYRiE6c+GJ9X7TKLj9yRqKvCMSCdWHGzY721GH5kMPcjD2YDYZ4tt+olIMePNJBPjC1XJgfhfOvs43o2HyDTCS95cEQzB4=,iv:qofZBAwxbTrc/hPyuSi8nxibJ0bGhoytZpUTZwwzbuI=,tag:z1SJXutJmlJ+j6RnV4u29Q==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/modules/users/nathan/nathan.nix b/modules/users/nathan/nathan.nix index 66ee9bb..86c2bcc 100644 --- a/modules/users/nathan/nathan.nix +++ b/modules/users/nathan/nathan.nix 
@@ -1,29 +1,41 @@ { self, inputs, ... }: { flake.nixosModules.user-nathan = { config, lib, pkgs, ... }: let - laptop = [ "laptop" ]; - homebox = [ "homebox" ]; - #both = laptop ++ homebox; - useWith = x: y: (lib.mkIf (builtins.any (z: z == config.networking.hostName) x) y); - in { - + laptop = [ "laptop" ]; + homebox = [ "homebox" ]; + iso = [ "iso" ]; + pi4 = [ "pi4" ]; + z2w = [ "red-black" "blue-white" "z2w" ]; + useWith = x: y: (lib.mkIf (builtins.any (z: z == config.networking.hostName) x) y); + in { + config = { - sops.secrets."nathan/pass".neededForUsers = true; - users.users.nathan = { + enable = true; shell = pkgs.zsh; name = lib.mkDefault "nathan"; isNormalUser = lib.mkDefault true; -#hashedPasswordFile = lib.mkIf (cfg.hashedPasswordFile != null) cfg.hashedPasswordFile; - extraGroups = [ "networkmanager" "docker" "libvirtd" "wheel" ]; + hashedPassword = lib.mkIf + (config.users.users.nathan.hashedPasswordFile == null) + "$y$j9T$F0pn6l4C45lz4a0FTZLqE0$Fc48Ptbmz/3MJCk/Jsaqop4ff.bY3J3GcjhmJx5R7k6"; + extraGroups = lib.mkMerge [ + [ "networkmanager" "wheel" ] + (useWith (homebox) [ "docker" "libvirtd" ]) + (useWith (pi4) [ "gpio" ]) + ]; openssh.authorizedKeys.keys = lib.mkMerge [ - (useWith homebox [ + (useWith (homebox) [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost" "ssh-rsa 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 nathan@rpi-3dp" ]) + (useWith (iso ++ pi4 ++ z2w) [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsU69CxfQk58CvItPN426h5Alnpb60SH37wet97Vb57 nathan@laptop" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost" + ]) + (useWith laptop [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEnUhN2uHwAJF/SLRX3wlGRmfhV3zpP88JQAYB+gh8jW nathan@localhost" ]) 
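Review bot: The `hashedPassword` fallback commits a yescrypt hash of nathan's login password to the repository, and it is in effect on every configuration that does not import the `sops` module — per this diff the `iso` and the `pi4-install*` / `z2w-install-sd` images, all of which also import `openssh` and put nathan in `wheel`. A password hash in git history is an offline-cracking target, so the password behind it should be rotated once this lands regardless of what happens to the line. For the installer images prefer a throwaway credential that differs from the real account's, set via `initialHashedPassword`, or read the hash from a file kept outside the repo; on deployed hosts keep `hashedPasswordFile` from `sops.nix` as the only source. `enable = true` here is at normal priority and so always wins over the `lib.mkDefault false` in `sops.nix` when `user-nathan` is imported — fine if intended, but worth a comment.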
@@ -37,14 +49,15 @@ home-manager.users.nathan = with self.homeModules; lib.mkMerge [ self.homeModules.nathan - (useWith laptop nathan-aurora) - (useWith laptop nathan-firefox) - (useWith laptop nathan-rofi) - (useWith laptop nathan-hypridle) - (useWith laptop nathan-hyprland) - (useWith laptop nathan-kitty) - (useWith laptop nathan-scripts) - (useWith laptop nathan-pywal) + (useWith (laptop ++ iso) nathan-aurora) + (useWith (laptop ++ iso) nathan-firefox) + (useWith (laptop ++ iso) nathan-rofi) + (useWith (laptop ++ iso) nathan-hypridle) + (useWith (laptop ++ iso) nathan-hyprland) + (useWith (laptop ++ iso) nathan-kitty) + (useWith (laptop ++ iso) nathan-scripts) + (useWith (laptop ++ iso) nathan-pywal) + (useWith (laptop ++ homebox) nathan-sops) (useWith laptop { wayland.windowManager.hyprland.extraConfig = '' @@ -53,13 +66,35 @@ bind = ALT, Escape, exec, if [[ $(hyprctl monitors | grep 0x0 | sed -n -e "s/\t*1920x1080@//" -e "s/.[1234567890]* at 0x0//p") == 300 ]]; then hyprctl keyword monitor eDP-1,1920x1080@60,0x0,1; else hyprctl keyword monitor eDP-1,1920x1080@300,0x0,1; fi ''; }) + + (useWith (iso) { + + wayland.windowManager.hyprland.extraConfig = '' + monitor=,preferred,auto,1 + ''; + }) + + (useWith (iso ++ pi4 ++ z2w ++ homebox) { + + olympus = { + packageSet = "minimal"; + }; + }) ]; }; }; - flake.homeModules.nathan-standalone = { lib, ... }: + flake.homeModules.nathan-sops = { ... }: { + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + + config = { + sops.defaultSopsFile = ./secrets.yaml; + }; + }; - { + flake.homeModules.nathan-standalone = { ... }: { config = { @@ -83,6 +118,7 @@ modules = [ self.homeModules.nathan + self.homeModules.nathan-standalone ]; }; } diff --git a/modules/users/nathan/secrets.yaml b/modules/users/nathan/secrets.yaml new file mode 100644 index 0000000..7c405b4 --- /dev/null +++ b/modules/users/nathan/secrets.yaml 
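Review bot: `flake.homeModules.nathan-sops` is defined twice in this commit — here (importing sops-nix and setting `sops.defaultSopsFile = ./secrets.yaml`) and in `modules/users/nathan/home-manager/features/sops.nix` (importing sops-nix again and setting `age.keyFile`, `generateKey` and `defaultSopsFormat`). Whether the two merge or fail with a conflicting-definition error depends on how `flake.homeModules` is typed in this flake, which is not visible here; either way one file should own the module and the other should import it or be removed. Note also that `./secrets.yaml` here is `modules/users/nathan/secrets.yaml`, the same file the NixOS `sops` module decrypts for `nathan/pass`, so any Home Manager secret declared against this default would be decrypted with the user's age key rather than the host's.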
@@ -0,0 +1,35 @@ +nathan: + pass: ENC[AES256_GCM,data:QCpcdtN8Bzn4UnrIdwcEv5jkpW1Xfsmhy7iMyOmBUuMFqqmKrJcFbIUJCuNUSqtRgRl4KO7gzUuXfZbaDX0tm+B/YDEt8vAWxQ==,iv:3GYAq0I2uqJ91YewyTVoTQNR6cnwJROQr2ipgHvbmSo=,tag:oHnAjSNqIIp39LLI8kSONQ==,type:str] +sops: + age: + - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNOWVVVVpVdGFMMmNaTmU2 + ZStjR0liZVVKSHcyQUhiVkdCeWhCZUVGMzFRCkFRc0xpdUJ5R0lMUHZzcVN3TTd3 + OXVuNHhqSVBoYnFveFljbHlBbGRoZVkKLS0tIHgvOFA2cGxMaTFBUGFrQVBmRVJ1 + N3ZvV3VKbmhNUGx1ckhhdWZVemRCMGcKLwZZ+wlV8EOCk7F5eaBFR4HPPCjvPI/+ + UyQFJSzc9gGCNrhGicFtrDLx0m/JCzU/jILFUXav9IUTZ8ZRi01BOA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1hRVHIrWHp0ZnlFVmJR + ODk4VzZPWnBLaTMxK3pLR2VxQk9LY0tMWWhVCjFqUzMxb01JNXZuaWVIdEE2NkxL + UWp2UytEYVl0SnZHQm4veGNva1p1a2MKLS0tIEphZVU4VjJJblpDRzdNZ3hJbTAx + c3lUMjBXMjVUY2VlSm9SRTNHUEdJd1kK/hotdiVc5La4c6k4U73URA/26y6EMzDL + iHqVcXZmgkipQtFB5Fvfs/6Zuc0E2f4zQmZSaGw2hQheVl1snm5xiw== + -----END AGE ENCRYPTED FILE----- + - recipient: age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMDl4bWVPNnpxYXZmWG1h + N2krT2lqN09IOHlvS1FaL1hTNFpsZS9XUmdrCkRFc3YyaWNjejJobVlrdEFReW9N + RlRHdVc1RHNxUE0vV0VvTzdlMm11R3MKLS0tIEpDMUVVME9PdFVNVnVEeG5Oay9l + UU50YWtqSG5SYjc2YUhFWmNZc3NpNTAKPaL3XXAUMD0wjI3PkXEWN4epQPSURN+J + b7di0rMlc6JtJrtzU3HdfmXneMfd4Da9Xk1SeFIxKHS0AsD4cJyt2w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-04-24T01:30:18Z" + mac: 
ENC[AES256_GCM,data:1tuKI1VMDSiCNWZ2fXp4G3Z0OmhxdyF8IlTaoEFCq324qNgaIfUX7TLfzzEF7ogctf1VBwdu2klGNRKAwjaVIZ8/9U7RgjtkbP5KGJMtXiVkDh1gNV31mlE9ogddxixkQiM9j3wI3RbgsAJaBwo3WGNwEeRrqO21unlE28BrMo0=,iv:Asdx7jYvylRDxWRu7XALP9FpPxWvban8pldJ5b/O9to=,tag:cECR7vjAR05RyLhEWIIrcA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/modules/users/nathan/sops.nix b/modules/users/nathan/sops.nix
new file mode 100644
index 0000000..fe93618
--- /dev/null
+++ b/modules/users/nathan/sops.nix
@@ -0,0 +1,22 @@
+{ inputs, ... }: {
+
+ flake.nixosModules.sops = { config, lib, ... }: {
+
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ config = {
+
+ sops.secrets."nathan/pass" = {
+ neededForUsers = true;
+ sopsFile = ./secrets.yaml;
+ };
+
+ users.users.nathan = {
+ enable = lib.mkDefault false;
+ hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path;
+ };
+ };
+ };
+}