diff --git a/hosts/display/default.nix b/hosts/display/default.nix
index d35fbbf..5e0fd18 100644
--- a/hosts/display/default.nix
+++ b/hosts/display/default.nix
@@ -2,7 +2,7 @@
 imports = [
 inputs.nixos-hardware.nixosModules.raspberry-pi-4
 ./hardware-configuration.nix
- ../server
+ ../pi-server
 ./kiosk.nix
 ];
 networking.hostName = "display";
diff --git a/hosts/pi-server/default.nix b/hosts/pi-server/default.nix
new file mode 100644
index 0000000..fc201c4
--- /dev/null
+++ b/hosts/pi-server/default.nix
@@ -0,0 +1,252 @@ +{ inputs, outputs, lib, config, pkgs, ... }: +let + my-python-packages = python-packages: + with python-packages; [ + pip + pipx + python-dateutil + setuptools + requests + ]; + python-with-my-packages = pkgs.python3Full.withPackages my-python-packages; +in { + nix = { + settings = { + experimental-features = [ "nix-command" "flakes" ]; + warn-dirty = false; + auto-optimise-store = true; + trusted-users = [ "root" "don" ]; + }; + gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 7d"; + }; + }; + imports = [ + ../../home + ./systemd.nix + ./tailscale.nix + ./upgrade-diff.nix + ../../modules/beszel-agent.nix + ]; + + # Enable networking + networking.networkmanager.enable = true; + networking.enableIPv6 = true; + networking.useDHCP = false; + + # Set your time zone. + time = { + timeZone = "America/Chicago"; + hardwareClockInLocalTime = false; + }; + + # Select internationalisation properties. + i18n = { + defaultLocale = "en_US.utf8"; + inputMethod = { + enable = true; + type = "fcitx5"; + fcitx5.addons = with pkgs; [ fcitx5-mozc fcitx5-gtk ]; + }; + }; + + # Bootloader. 
+ boot = { + kernelPackages = pkgs.linuxPackages_rpi4; + kernelParams = [ "consoleblank=60" ]; + #loader = { + #systemd-boot = { + #enable = true; + #}; + #efi = { + #canTouchEfiVariables = true; + #efiSysMountPoint = "/boot"; + #}; + #}; + plymouth = { enable = true; }; + kernel = { sysctl = { "vm.swappiness" = 10; }; }; + }; + + security = { + polkit = { enable = true; }; + sudo.enable = false; + doas = { + enable = true; + extraRules = [{ + users = [ "don" ]; + keepEnv = true; + noPass = true; + }]; + }; + }; + + services = { + pcscd = { enable = true; }; + beszel-agent = { enable = true; }; + avahi = { + enable = true; + nssmdns4 = true; + }; + printing = { enable = true; }; + udisks2 = { enable = true; }; + nscd = { enableNsncd = true; }; + tailscale = { enable = true; }; + locate = { + enable = true; + package = pkgs.mlocate; + }; + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "yes"; + }; + }; + }; + + security.rtkit.enable = true; + + users.users = { + root = { + initialPassword = "changeme"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki" + ]; + }; + don = { + isNormalUser = true; + initialPassword = "changeme"; + description = "Don Harper"; + extraGroups = [ + "disk" + "docker" + "lp" + "cdrom" + "mlocate" + "networkmanager" + "scanner" + "video" + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki" + ]; + }; + }; + + zramSwap = { + enable = true; + memoryPercent = 25; + memoryMax = 2147483648; + }; + #nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + # python-with-my-packages + python3Full + aspell + aspellDicts.en + base16-schemes + bash-completion + btop + colmena + dmidecode + docker-compose + git-crypt + gitFull + home-manager + hunspell + hunspellDicts.en_US + 
isync + just + lazydocker + lsb-release + lsof + nix-bash-completions + nixfmt + pkg-config + podman + poppler_utils + ruby + sops + udiskie + ]; + + programs = { + dconf = { enable = true; }; + mtr = { enable = true; }; + gnupg = { + agent = { + enable = true; + pinentryPackage = pkgs.pinentry-curses; + enableSSHSupport = true; + }; + }; + }; + + nixpkgs.overlays = [ + (final: super: { + khal = super.khal.overridePythonAttrs (_: { doCheck = false; }); + }) + ]; + + # Open ports in the firewall. + networking.firewall = { + enable = true; + # always allow traffic from your Tailscale network + trustedInterfaces = [ "tailscale0" ]; + checkReversePath = "loose"; + + # allow the Tailscale UDP port through the firewall + allowedUDPPorts = [ config.services.tailscale.port ]; + allowedTCPPortRanges = [{ + from = 1714; + to = 1764; + }]; + allowedUDPPortRanges = [{ + from = 1714; + to = 1764; + }]; + + # allow you to SSH in over the public internet + allowedTCPPorts = [ 22 ]; + interfaces = { + "tailscale0" = { + allowedTCPPorts = [ 22 8080 8443 ]; + allowedTCPPortRanges = [{ + from = 1714; + to = 1764; + }]; + allowedUDPPortRanges = [{ + from = 1714; + to = 1764; + }]; + }; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev) + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.11"; # Did you read the comment? 
+ programs.msmtp = { + enable = true; + accounts = { + default = { + auth = true; + tls = true; + port = 587; + from = "duck@duckland.org"; + host = "smtp.gmail.com"; + user = "duckunix@gmail.com"; + passwordeval = "cat /home/don/.smtp_password.txt"; + }; + }; + }; +} diff --git a/hosts/pi-server/systemd.nix b/hosts/pi-server/systemd.nix new file mode 100644 index 0000000..c28077e --- /dev/null +++ b/hosts/pi-server/systemd.nix @@ -0,0 +1,45 @@ +{ pkgs, ... }: +let + readlink = "${pkgs.coreutils}/bin/readlink"; + notify-send = "${pkgs.libnotify}/bin/notify-send"; +in { + systemd = { + services = { + clean-keychain = { + description = "Clean up .keychain on boot"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.coreutils-full}/bin/rm -rf /home/don/.keychain"; + }; + }; + }; + user = { + services = { + detect-reboot-for-upgrade = { + script = '' + set -eu -o pipefail + booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})" + built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" + if [[ "''${booted}" != "''${built}" ]]; + then + echo "Looks like we need a reboot!" + ${notify-send} --urgency=low --icon=system-reboot "Reboot is needed for a NixOS upgrade." + fi + ''; + serviceConfig = { Type = "oneshot"; }; + }; + }; + timers = { + detect-reboot-for-upgrade = { + wantedBy = [ "timers.target" ]; + partOf = [ "detect-reboot-for-upgrade.service" ]; + timerConfig = { + OnCalendar = "hourly"; + Unit = "detect-reboot-for-upgrade.service"; + }; + }; + }; + }; + }; +} diff --git a/hosts/pi-server/tailscale.nix b/hosts/pi-server/tailscale.nix new file mode 100644 index 0000000..fb0c4c1 Binary files /dev/null and b/hosts/pi-server/tailscale.nix differ diff --git a/hosts/pi1/default.nix b/hosts/pi1/default.nix index b1f5300..b791108 100644 --- a/hosts/pi1/default.nix +++ b/hosts/pi1/default.nix 
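Review bot: `PermitRootLogin = "yes"` in services.openssh.settings, together with an authorized key installed on root and the global `allowedTCPPorts = [ 22 ]` (the comment says this is meant for SSH over the public internet), exposes direct root login on every interface; since PasswordAuthentication is already disabled, `PermitRootLogin = "prohibit-password";` keeps the key-based root access while guaranteeing that a later re-enable of password authentication can never reach root's `initialPassword = "changeme"`. Dropping 22 from the global list would also remove the public exposure entirely, because 22 is already listed under `interfaces."tailscale0"` and tailscale0 is a trusted interface anyway. The msmtp `passwordeval = "cat /home/don/.smtp_password.txt"` keeps a credential as a plain file in a home directory even though `sops` is installed on this host; sourcing it from a sops-managed secret path would keep the password out of the user's home. The stateVersion comment has also picked up stray text, `leavecatenate(variables, "bootdev", bootdev)`, which should be restored to the original `leave`.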
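Review bot: The `clean-keychain` system service runs `rm -rf /home/don/.keychain` as root on every boot (no `User=` in its serviceConfig), which is more privilege than removing a directory inside one user's home needs; adding `User = "don";` beside `Type = "oneshot";` confines the job to the owner of that path. If that home directory lives on a separately mounted filesystem the unit may also need an ordering dependency on the mount, but that cannot be confirmed from this hunk. A one-line comment on the service, e.g. `# Removes stale keychain agent state so a fresh agent is started after reboot`, would record why the directory is deleted at boot at all.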
@@ -1,4 +1,4 @@
 { inputs, outputs, lib, config, pkgs, ... }: {
- imports = [ ./hardware-configuration.nix ../server ./kiosk.nix ];
+ imports = [ ./hardware-configuration.nix ../pi-server ./kiosk.nix ];
 networking.hostName = "pi1";
 }