diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..0b573f8 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &host_loki age16a4ywf6pycs9l8rn7y34c6y8pqfz9utmwwkr70d0hapknkzdaafsesn0ff +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - age: + - *host_loki diff --git a/TODO.md b/TODO.md index eda7e72..2ea53bc 100644 --- a/TODO.md +++ b/TODO.md @@ -1,4 +1,8 @@ # TODO +- [ ] Refactor {workstation,server,pi-server}/default.nix to share as much as + possible - [ ] do not do mail sync on servers - [ ] Get vim reset up +- [ ] evaluation warning: 'system' has been renamed to/replaced by + 'stdenv.hostPlatform.system' diff --git a/flake.lock b/flake.lock index fba7c86..a1f1cd0 100644 --- a/flake.lock +++ b/flake.lock @@ -25,11 +25,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1762198582, - "narHash": "sha256-P9giW/1Crn7ekQt4YIbONJ/hKFaHkTwyhz82FCjh+OM=", + "lastModified": 1762510976, + "narHash": "sha256-KGoSj8qMOOPaNE48RTtuNBbqOvKLTeklnRHWWvE/TXo=", "owner": "catppuccin", "repo": "nix", - "rev": "08716214674ca27914daa52e6fa809cc022b581e", + "rev": "728cb0a667ce37bb0c68557dba819c7fb54ff1c8", "type": "github" }, "original": { @@ -241,11 +241,11 @@ ] }, "locked": { - "lastModified": 1762296971, - "narHash": "sha256-Jyv3L5rrUYpecON+9zyFz2VqgTSTsIG35fXuCyuCQv0=", + "lastModified": 1762787259, + "narHash": "sha256-t2U/GLLXHa2+kJkwnFNRVc2fEJ/lUfyZXBE5iKzJdcs=", "owner": "nix-community", "repo": "home-manager", - "rev": "34fe48801d2a5301b814eaa1efb496499d06cebc", + "rev": "37a3d97f2873e0f68711117c34d04b7c7ead8f4e", "type": "github" }, "original": { 
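Review bot: A single recipient (`&host_loki`) is the only key able to decrypt anything matched by `secrets.yaml$`, so every host that has to decrypt at activation must hold that same private key, and loss or compromise of it affects all hosts at once. Consider listing one age recipient per host in `key_groups` (sops-nix can derive them from each host's `/etc/ssh/ssh_host_ed25519_key` via ssh-to-age) alongside the admin key, so a host only ever decrypts with its own key and a single host can be dropped and re-keyed with `sops updatekeys`. A comment saying which machine or role the `host_loki` anchor refers to would also help, since the name alone does not say whether it is an admin key or loki's host key.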
@@ -298,11 +298,11 @@ "nixpkgs-regression": "nixpkgs-regression" }, "locked": { - "lastModified": 1762286227, - "narHash": "sha256-foAa58OTMJVFpH2dGuV8zL85EVDc8zcSLyAuUTDhTf8=", + "lastModified": 1762882195, + "narHash": "sha256-IwsSz/Kb6aV4qS00JlBUf3PiFiOiXgrxXiBjJlI+0Ao=", "owner": "NixOS", "repo": "nix", - "rev": "3ed42cd3543b2bf1bdd0bafa06052906c2749d87", + "rev": "af0ac14021a1de2302f89bcbb7aa3e0eb63631e0", "type": "github" }, "original": { @@ -333,11 +333,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1762267440, - "narHash": "sha256-WHjEJ80oYbWyNu0dxysBs5oMlBc5w7YYzL1/UPj4iGo=", + "lastModified": 1762847253, + "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2e85ae1b7030df39269d29118b1f74944d0c8f15", + "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9", "type": "github" }, "original": { @@ -397,11 +397,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1761999846, - "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", + "lastModified": 1762756533, + "narHash": "sha256-HiRDeUOD1VLklHeOmaKDzf+8Hb7vSWPVFcWwaTrpm+U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", + "rev": "c2448301fb856e351aab33e64c33a3fc8bcf637d", "type": "github" }, "original": { @@ -429,11 +429,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1761672384, - "narHash": "sha256-o9KF3DJL7g7iYMZq9SWgfS1BFlNbsm6xplRjVlOCkXI=", + "lastModified": 1762111121, + "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "08dacfca559e1d7da38f3cf05f1f45ee9bfd213c", + "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", "type": "github" }, "original": { 
@@ -477,11 +477,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1762111121, - "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", + "lastModified": 1762596750, + "narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e", "type": "github" }, "original": { @@ -491,6 +491,22 @@ "type": "github" } }, + "nixpkgs_7": { + "locked": { + "lastModified": 1762361079, + "narHash": "sha256-lz718rr1BDpZBYk7+G8cE6wee3PiBUpn8aomG/vLLiY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ffcdcf99d65c61956d882df249a9be53e5902ea5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nvf": { "inputs": { "flake-compat": "flake-compat_3", @@ -502,11 +518,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1762093557, - "narHash": "sha256-esmyNNa8TvduITLfqYPSMroyZ9vxJr2nsvjYmHmO+Ag=", + "lastModified": 1762622004, + "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=", "owner": "notashelf", "repo": "nvf", - "rev": "20d8fca94dceaf943686598da7fba31b37100e50", + "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909", "type": "github" }, "original": { @@ -526,7 +542,8 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_6", "nixpkgs-stable": "nixpkgs-stable", - "nvf": "nvf" + "nvf": "nvf", + "sops-nix": "sops-nix" } }, "rust-overlay": { @@ -547,6 +564,24 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_7" + }, + "locked": { + "lastModified": 1762812535, + "narHash": "sha256-A91a+K0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb+s=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "d75e4f89e58fdda39e4809f8c52013caa22483b7", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1750133334, 
diff --git a/flake.nix b/flake.nix index d0d007a..d625685 100644 --- a/flake.nix +++ b/flake.nix @@ -6,6 +6,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + sops-nix.url = "github:Mic92/sops-nix"; # nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05"; # disko.inputs.nixpkgs.follows = "nixpkgs"; @@ -26,13 +27,14 @@ outputs = inputs @ { self, - nixpkgs, - nix, - nixpkgs-stable, - nixos-hardware, - home-manager, catppuccin, colmena, + home-manager, + nix, + nixos-hardware, + nixpkgs, + nixpkgs-stable, + sops-nix, ... }: let inherit (self) outputs; diff --git a/home/common/git.nix b/home/common/git.nix index 43f6dc4..3617ea1 100644 --- a/home/common/git.nix +++ b/home/common/git.nix @@ -4,17 +4,20 @@ ... }: { programs.lazygit = {settings = {os.editPreset = "nvim";};}; + programs.diff-so-fancy = { + enable = true; + enableGitIntegration = true; + }; programs.git = { enable = true; - aliases = { - co = "checkout"; - br = "branch"; - ci = "commit"; - st = "status"; - last = "cat-file commit HEAD"; - }; - diff-so-fancy = {enable = true;}; - extraConfig = { + settings = { + alias = { + co = "checkout"; + br = "branch"; + ci = "commit"; + st = "status"; + last = "cat-file commit HEAD"; + }; core = { user = "Don Harper"; email = "duck@duckland.org"; diff --git a/home/default.nix b/home/default.nix index 63ef93a..16e99d1 100644 --- a/home/default.nix +++ b/home/default.nix 
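Review bot: The new `sops-nix.url` input does not pin its nixpkgs to the flake's own, which is why the lock file in this commit gains a separate `nixpkgs_7` entry; add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to it, matching the commented `disko.inputs.nixpkgs.follows` pattern already in the file, to avoid evaluating and fetching a second nixpkgs. The alphabetical reordering of the `outputs` arguments is fine but makes the hunk noisier than the one-line addition it carries; keeping cosmetic reorders in a separate commit would make the sops change easier to audit.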
@@ -1,13 +1,20 @@ -{ inputs, outputs, pkgs, pkgs-stable, ... }: { - imports = [ inputs.home-manager.nixosModules.home-manager ]; +{ + inputs, + outputs, + pkgs, + pkgs-stable, + ... +}: { + imports = [inputs.home-manager.nixosModules.home-manager]; home-manager.extraSpecialArgs = { - pkgs-stable = import pkgs-stable { config.allowUnfree = true; }; + pkgs-stable = import pkgs-stable {config.allowUnfree = true;}; inherit inputs outputs; }; home-manager = { # useGlobalPkgs = true; useUserPackages = true; backupFileExtension = "home-manager-backup"; + sharedModules = [inputs.sops-nix.homeManagerModules.sops]; users = { don = { imports = [ @@ -22,8 +29,8 @@ stateVersion = "23.05"; }; programs = { - home-manager = { enable = true; }; - go = { enable = true; }; + home-manager = {enable = true;}; + go = {enable = true;}; }; }; }; diff --git a/home/gui/files/local-qutebrowser/userscripts/save-url b/home/gui/files/local-qutebrowser/userscripts/save-url new file mode 100755 index 0000000..bd75f87 --- /dev/null +++ b/home/gui/files/local-qutebrowser/userscripts/save-url @@ -0,0 +1,4 @@ +#!/usr/bin/env bash + +VAULT="/home/don/src/nixos/RepoUrls.md" +echo "* [${QUTE_TITLE}](${QUTE_URL})" >>"${VAULT}" diff --git a/home/gui/qutebrowser.nix b/home/gui/qutebrowser.nix index 483095c..86ed3f1 100644 --- a/home/gui/qutebrowser.nix +++ b/home/gui/qutebrowser.nix @@ -9,8 +9,8 @@ loadAutoconfig = true; keyBindings = { normal = { - ",J" = "spawn /home/don/bin/vdi"; ",L" = "spawn --userscript qute-bitwarden --password-only"; + ",N" = "spawn --userscript saveurl"; ",O" = "spawn --userscript obsidian-import-lite"; ",R" = "spawn --userscript obsidian-import -r"; ",U" = "spawn --userscript sendurl"; 
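Review bot: `${QUTE_TITLE}` is page-controlled text written verbatim into a markdown file, so a title containing `]`, `)` or a newline breaks the link or lets a page inject extra lines into `RepoUrls.md`; normalise it first, e.g. `TITLE=$(printf '%s' "${QUTE_TITLE}" | tr -d '\r\n' | sed 's/[][()]//g')` and then `echo "* [${TITLE}](${QUTE_URL})" >>"${VAULT}"`. Adding `set -euo pipefail` after the shebang would also stop a silent append of an empty entry when the variables are unset, and `"${HOME}/src/nixos/RepoUrls.md"` would avoid hard-coding the user's home.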
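Review bot: The new binding `",N" = "spawn --userscript saveurl";` names a script `saveurl`, while the file this commit adds is `local-qutebrowser/userscripts/save-url`; unless a separate `saveurl` is installed elsewhere, the binding will fail with a userscript-not-found error. Make the two agree, e.g. `",N" = "spawn --userscript save-url";`. The existing `sendurl` binding on the next line suggests the no-hyphen form may be the house convention, in which case rename the new file instead.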
@@ -18,8 +18,7 @@ ",d" = "spawn --userscript open_download"; ",l" = "spawn --userscript qute-bitwarden"; ",m" = "spawn --userscript mymail"; - ",n" = '' - config-cycle content.user_stylesheets /home/don/src/solarized-everything-css/css/mine.css ""''; + ",n" = ''config-cycle content.user_stylesheets /home/don/src/solarized-everything-css/css/mine.css ""''; ",o" = "spawn --userscript obsidian-import"; ",r" = "spawn --userscript recipe"; ",t" = "spawn --userscript qute-bitwarden --totp-only"; @@ -57,12 +56,8 @@ crhs = "https://www.katyisd.org/CRHS"; crhs-absence = "https://www.katyisd.org/domain/5809"; cups = "http://localhost:631/printers/printer"; - darkroom = "https://thedarkroom.com/photodashboard/"; disk = "https://smart.trex-halfbeak.ts.net/web/dashboard"; - driversed = "https://driving.aceable.com/teacher/log?studentId=I89fno2YEZo4hQ40"; - droplet = "https://cloud.digitalocean.com/droplets?i=a8b99f"; ercot = "https://www.ercot.com/gridmktinfo/dashboards"; - fiesta = "https://www.fiestamart.com/weekly-ads/?store_code=66"; flood = "https://www.harriscountyfws.org/"; gatus = "https://gatus.trex-halfbeak.ts.net/"; gcal = "https://calendar.google.com/calendar/r"; diff --git a/home/gui/sway.nix b/home/gui/sway.nix index ae69258..5680dc8 100644 --- a/home/gui/sway.nix +++ b/home/gui/sway.nix @@ -317,6 +317,7 @@ exec ~/bin/configure-gtk exec ~/bin/dovideo.sh exec ~/bin/auto-start + exec ${pkgs.sway-audio-idle-inhibit}/bin/sway-audio-idle-inhibit exec ${pkgs.swaynotificationcenter}/bin/swaync exec ${pkgs.networkmanagerapplet}/bin/nm-applet exec ${pkgs.kdePackages.kdeconnect-kde}/bin/kdeconnect-indicator diff --git a/home/gui/terminals.nix b/home/gui/terminals.nix index 9448435..b85b1d6 100644 --- a/home/gui/terminals.nix +++ b/home/gui/terminals.nix @@ -1,4 +1,8 @@ -{ config, pkgs, ... }: { +{ + config, + pkgs, + ... +}: { programs = { kitty = { enable = true; 
@@ -7,26 +11,28 @@ size = 16; }; settings = { - mouse_hide_wait = "3.0"; + mouse_hide_wait = "-3.0"; url_style = "double"; copy_on_select = "no"; background_opacity = "0.75"; scrollback_lines = 4000; scrollback_pager_history_size = 2048; + notify_on_cmd_finish = "unfocused 10"; }; }; foot = { enable = true; - server = { enable = true; }; + server = {enable = true;}; settings = { - main = { term = "tmux-256color"; }; - mouse = { hide-when-typing = "yes"; }; - bell = { urgent = "yes"; }; + main = {term = "tmux-256color";}; + mouse = {hide-when-typing = "yes";}; + bell = {urgent = "yes";}; }; }; - yazi = { # terminal fm ala ranger/vifm + yazi = { + # terminal fm ala ranger/vifm enable = true; - flavors = { dark = pkgs.yaziPlugins.yatline-catppuccin; }; + flavors = {dark = pkgs.yaziPlugins.yatline-catppuccin;}; }; }; } diff --git a/hosts/ace/default.nix b/hosts/ace/default.nix index ae079e8..090c9e1 100644 --- a/hosts/ace/default.nix +++ b/hosts/ace/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation @@ -11,5 +19,5 @@ gui.enable = true; kmscon.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/book/default.nix b/hosts/book/default.nix index 3d24dd2..268cdbc 100644 --- a/hosts/book/default.nix +++ b/hosts/book/default.nix @@ -8,6 +8,7 @@ }: { imports = [ inputs.nixos-hardware.nixosModules.google-pixelbook + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation diff --git a/hosts/display/default.nix b/hosts/display/default.nix index 05218d3..af4eaf5 100644 --- a/hosts/display/default.nix +++ b/hosts/display/default.nix 
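Review bot: `mouse_hide_wait = "-3.0"` reads like an accidental sign flip next to the previous `"3.0"`; kitty treats a negative value as "hide the pointer immediately when typing" rather than after a delay, so if that is intended a comment would stop the next reader from "fixing" it, e.g. `# negative: hide the pointer as soon as typing starts, not after a delay`. If the three-second delay was meant, restore `"3.0"`.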
@@ -1,6 +1,14 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../pi-server ./kiosk.nix @@ -10,7 +18,7 @@ nixpkgs.overlays = [ (final: super: { makeModulesClosure = x: - super.makeModulesClosure (x // { allowMissing = true; }); + super.makeModulesClosure (x // {allowMissing = true;}); }) ]; } diff --git a/hosts/dragon/default.nix b/hosts/dragon/default.nix index c90f6f0..03b7149 100644 --- a/hosts/dragon/default.nix +++ b/hosts/dragon/default.nix @@ -1,5 +1,11 @@ -{ inputs, config, pkgs, ... }: { +{ + inputs, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-gpu-intel @@ -15,5 +21,5 @@ kmscon.enable = true; auto-cpufreq.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/eve/default.nix b/hosts/eve/default.nix index d399499..54bc6a9 100644 --- a/hosts/eve/default.nix +++ b/hosts/eve/default.nix @@ -1,6 +1,14 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ inputs.nixos-hardware.nixosModules.google-pixelbook + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation @@ -14,5 +22,5 @@ kmscon.enable = true; auto-cpufreq.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/fred/default.nix b/hosts/fred/default.nix index c593b19..29e24ea 100644 --- a/hosts/fred/default.nix +++ b/hosts/fred/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../server ./docker.nix 
@@ -9,13 +17,15 @@ networking.hostName = "fred"; variables.address = "100.72.236.170"; boot = { - binfmt.emulatedSystems = [ "aarch64-linux" ]; + binfmt.emulatedSystems = ["aarch64-linux"]; loader = { - systemd-boot = { enable = true; }; + systemd-boot = {enable = true;}; efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot"; }; }; }; + + primary.enable = true; } diff --git a/hosts/harper/default.nix b/hosts/harper/default.nix index ff0dc57..d115583 100644 --- a/hosts/harper/default.nix +++ b/hosts/harper/default.nix @@ -1,5 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "harper"; variables.address = "100.72.0.3"; } diff --git a/hosts/harper2/default.nix b/hosts/harper2/default.nix index eaea630..cdce096 100644 --- a/hosts/harper2/default.nix +++ b/hosts/harper2/default.nix @@ -1,5 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "harper2"; variables.address = "100.72.0.4"; } diff --git a/hosts/loki/default.nix b/hosts/loki/default.nix index ad0a609..ec8cc08 100644 --- a/hosts/loki/default.nix +++ b/hosts/loki/default.nix @@ -8,6 +8,7 @@ }: { imports = [ inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/nvme.nix ../workstation @@ -25,6 +26,7 @@ auto-cpufreq.enable = true; gnome-calendar.enable = true; }; - primary.enable = true; + primary.enable = false; + ollama.enable = true; wm = {sway.enable = true;}; } 
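Review bot: `primary.enable = true;` on a server turns on the `systemd.user` timers defined in the new `hosts/server/systemd-primary.nix`, which only run inside a user manager instance for `don`; on a headless host with no interactive login they never fire unless lingering is enabled for that user (`users.users.don.linger = true;`) or the units are moved to system scope with `User = "don";`. Whether fred has such a session is not visible here, so please confirm. The loki hunk further along this line flips `primary.enable` to `false`, so the agenda and gosleep jobs change hosts in this commit, which is worth stating explicitly.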
diff --git a/hosts/nuwww/default.nix b/hosts/nuwww/default.nix index f5e6844..9a72ac6 100644 --- a/hosts/nuwww/default.nix +++ b/hosts/nuwww/default.nix @@ -1,5 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "nuwww"; variables.address = "100.72.2.1"; } diff --git a/hosts/pi-server/default.nix b/hosts/pi-server/default.nix index 6486158..88e1f69 100644 --- a/hosts/pi-server/default.nix +++ b/hosts/pi-server/default.nix @@ -126,6 +126,7 @@ environment.systemPackages = with pkgs; [ python313 + age base16-schemes bash-completion btop diff --git a/hosts/pi1/default.nix b/hosts/pi1/default.nix index b791108..f6dc824 100644 --- a/hosts/pi1/default.nix +++ b/hosts/pi1/default.nix @@ -1,4 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../pi-server ./kiosk.nix ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../pi-server + ./kiosk.nix + ]; networking.hostName = "pi1"; } diff --git a/hosts/pihole/default.nix b/hosts/pihole/default.nix index e595ddf..6134b3b 100644 --- a/hosts/pihole/default.nix +++ b/hosts/pihole/default.nix @@ -1,4 +1,15 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../../server + ]; networking.hostName = "pihole"; } diff --git a/hosts/pocket2/default.nix b/hosts/pocket2/default.nix index 03c06c9..fef4063 100644 --- a/hosts/pocket2/default.nix +++ b/hosts/pocket2/default.nix 
@@ -7,6 +7,7 @@ ... }: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-gpu-intel diff --git a/hosts/server/default.nix b/hosts/server/default.nix index 6e3f469..41563c7 100644 --- a/hosts/server/default.nix +++ b/hosts/server/default.nix @@ -35,6 +35,7 @@ in { ../vars.nix # ./tailscale.nix ./upgrade-diff.nix + ./systemd-primary.nix ../../modules/beszel-agent.nix ]; @@ -156,6 +157,7 @@ in { environment.systemPackages = with pkgs; [ python-with-my-packages + age aspell aspellDicts.en base16-schemes diff --git a/hosts/server/systemd-primary.nix b/hosts/server/systemd-primary.nix new file mode 100644 index 0000000..f7ec3f8 --- /dev/null +++ b/hosts/server/systemd-primary.nix 
@@ -0,0 +1,70 @@
+{ pkgs, lib, config, ... }:
+with lib;
+let cfg = config.primary;
+in {
+ options.primary = { enable = mkEnableOption "is primary host"; };
+ config = mkIf cfg.enable {
+ systemd = {
+ user = {
+ services = {
+ do_agenda = {
+ description = "Send today's agenda";
+ unitConfig = { Type = "simple"; };
+ serviceConfig = {
+ Type = "oneshot";
+ Environment =
+ "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/don/bin:/home/don/bin";
+ ExecStart = "/home/don/bin/do_agenda";
+ };
+ };
+ do_agenda_tomorrow = {
+ description = "Send tomorrow's agenda";
+ unitConfig = { Type = "simple"; };
+ serviceConfig = {
+ Type = "oneshot";
+ Environment =
+ "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/don/bin:/home/don/bin";
+ ExecStart = "/home/don/bin/do_agenda_tomorrow";
+ };
+ };
+ gosleep = {
+ description = "Adjust tailscale MTU based on location";
+ unitConfig = { Type = "simple"; };
+ serviceConfig = {
+ Type = "oneshot";
+ Environment =
+ "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/don/bin:/home/don/bin";
+ ExecStart = "/home/don/bin/gosleep";
+ };
+ };
+ };
+ timers = {
+ do_agenda = {
+ wantedBy = [ "timers.target" ];
+ partOf = [ "do_agenda.service" ];
+ timerConfig = {
+ OnCalendar = "05:00";
+ Unit = "do_agenda.service";
+ };
+ };
+ do_agenda_tomorrow = {
+ wantedBy = [ "timers.target" ];
+ partOf = [ "do_agenda_tomorrow.service" ];
+ timerConfig = {
+ OnCalendar = "20:00";
+ Unit = "do_agenda_tomorrow.service";
+ };
+ };
+ gosleep = {
+ wantedBy = [ "timers.target" ];
+ partOf = [ "gosleep.service" ];
+ timerConfig = {
+ OnCalendar = "1m";
+ Unit = "gosleep.service";
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/smaug/default.nix b/hosts/smaug/default.nix
index 717356c..0ea7c3f 100644
--- a/hosts/smaug/default.nix
+++ b/hosts/smaug/default.nix
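Review bot: `unitConfig = { Type = "simple"; }` on each of the three services puts a `[Service]` key into the `[Unit]` section, where systemd rejects it as unknown, and it contradicts the `Type = "oneshot"` set in `serviceConfig` right below; drop those three `unitConfig` lines. `OnCalendar = "1m"` on the `gosleep` timer is not a calendar expression and will make that timer fail to load — use `OnCalendar = "minutely";` or, for an interval, `OnUnitActiveSec = "1m";` together with `OnBootSec`. The file also duplicates `hosts/workstation/systemd-primary.nix` and is written in the un-formatted style the rest of this commit moves away from; the TODO entry already records the refactor, but running the formatter before merging would keep the tree consistent.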
@@ -1,8 +1,16 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x260 inputs.nixos-hardware.nixosModules.common-pc-laptop inputs.nixos-hardware.nixosModules.common-pc-ssd + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/sda.nix ../workstation @@ -17,5 +25,5 @@ auto-cpufreq.enable = true; gnome-calendar.enable = true; }; - wm = { sway.enable = true; }; + wm = {sway.enable = true;}; } diff --git a/hosts/template/default.nix b/hosts/template/default.nix index 3ae972a..7fcc8ce 100644 --- a/hosts/template/default.nix +++ b/hosts/template/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix # ../disko/mmcblk.nix ../workstation diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix index c7a922b..fcfc608 100644 --- a/hosts/vm/default.nix +++ b/hosts/vm/default.nix @@ -1,4 +1,15 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ../server + ]; networking.hostName = "vm"; } diff --git a/hosts/vm1/default.nix b/hosts/vm1/default.nix index 2e22e73..07d54a4 100644 --- a/hosts/vm1/default.nix +++ b/hosts/vm1/default.nix @@ -1,4 +1,14 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [ + inputs.sops-nix.nixosModules.sops + ./hardware-configuration.nix + ]; networking.hostName = "vm1"; } diff --git a/hosts/w1/default.nix b/hosts/w1/default.nix index 96fef6a..2347dfb 100644 --- a/hosts/w1/default.nix +++ b/hosts/w1/default.nix 
@@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./network.nix ../server @@ -10,9 +18,8 @@ variables.address = "100.72.16.240"; boot = { initrd = { - availableKernelModules = - [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - kernelModules = [ "nvme" ]; + availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + kernelModules = ["nvme"]; }; loader = { grub = { diff --git a/hosts/w2/default.nix b/hosts/w2/default.nix index eebffb6..56b798d 100644 --- a/hosts/w2/default.nix +++ b/hosts/w2/default.nix @@ -1,5 +1,13 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./network.nix ../server @@ -8,9 +16,8 @@ networking.hostName = "w1"; boot = { initrd = { - availableKernelModules = - [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - kernelModules = [ "nvme" ]; + availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; + kernelModules = ["nvme"]; }; loader = { grub = { diff --git a/hosts/workstation/default.nix b/hosts/workstation/default.nix index d9518f9..65ac42c 100644 --- a/hosts/workstation/default.nix +++ b/hosts/workstation/default.nix @@ -34,7 +34,7 @@ in { }; imports = [ inputs.catppuccin.nixosModules.catppuccin - # ./tailscale.nix + ./tailscale.nix ../../home ../../home/gui ../../home/gui/gnome-calenar.nix @@ -47,6 +47,7 @@ in { ../themes.nix ./detect-reboot-needed.nix ./kmscon.nix + ./ollama.nix ./systemd.nix ./systemd-primary.nix ./auto-cpufreq.nix 
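Review bot: The hunk header context for `hosts/w2/default.nix` shows `networking.hostName = "w1";`, so w2 appears to boot with w1's name; this is not introduced by the commit, but since the file is being touched it is worth correcting to `networking.hostName = "w2";`. The rest of this hunk is a pure reformat.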
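Review bot: `./tailscale.nix` is re-enabled here and a `tailscale/ts_api` secret is declared in the same file, yet the diff for `hosts/workstation/tailscale.nix` appears as `Binary files ... differ`, so the code that consumes an API token cannot be reviewed in this commit. Check that the file is committed as text (a stray non-UTF-8 byte or a `.gitattributes` rule would cause this) and that the token is read from `config.sops.secrets."tailscale/ts_api".path` at runtime rather than interpolated into a store path.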
@@ -55,6 +56,52 @@ in { ./wine.nix ]; + sops = { + age.keyFile = "/home/don/.config/sops/age/keys.txt"; + + defaultSopsFile = ../../secrets.yaml; + # defaultSymlinkPath = "/run/user/1000/secrets"; + # defaultSecretsMountPoint = "/run/user/1000/secrets.d"; + + secrets = { + "users/root_password" = { + owner = "root"; + mode = "0400"; + }; + "users/root_sshauth" = { + owner = "root"; + mode = "0400"; + path = "/etc/ssh/authorized_keys.d/root"; + }; + "users/don_password" = { + owner = "don"; + mode = "0400"; + }; + "users/don_sshauth" = { + owner = "don"; + mode = "0400"; + path = "/etc/ssh/authorized_keys.d/don"; + }; + "users/vicky_password" = { + owner = "don"; + mode = "0400"; + }; + "users/vicky_sshauth" = { + owner = "don"; + mode = "0400"; + path = "/etc/ssh/authorized_keys.d/vicky"; + }; + "smtp/smtp_password" = { + owner = "root"; + mode = "0444"; + }; + "tailscale/ts_api" = { + owner = "root"; + mode = "0400"; + }; + }; + }; + networking = { networkmanager.enable = true; enableIPv6 = true; @@ -222,28 +269,18 @@ in { users = { root = { initialPassword = "changeme"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki" - ]; + openssh.authorizedKeys.keys = [config.sops.secrets."users/root_sshauth".path]; }; don = { isNormalUser = true; initialPassword = "changeme"; description = "Don Harper"; extraGroups = ["networkmanager" "wheel" "scanner" "lp" "video" "mlocate" "disk"]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINd8AdVbQQ/Fmw+b9mI8EMYqIoRkwmSwAOtmlte3incL don@loki" - ]; + openssh.authorizedKeys.keys = [config.sops.secrets."users/don_sshauth".path]; }; }; }; - zramSwap = { - enable = true; - memoryPercent = 25; - memoryMax = 2147483648; - }; - # Allow unfree packages nixpkgs = { config = { @@ -274,6 +311,7 @@ in { environment.systemPackages = with pkgs; [ python-with-my-packages acpi + age aspell aspellDicts.en base16-schemes 
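Review bot: `"smtp/smtp_password"` is installed with `mode = "0444"`, which makes the SMTP credential readable by every local account and process; since the msmtp `passwordeval` runs as the sending user, `owner = "don"; mode = "0400";` (or a group plus `0440`) is enough. `age.keyFile = "/home/don/.config/sops/age/keys.txt"` ties activation-time decryption, which runs as root, to a file in a user's home, so a missing or not-yet-mounted home leaves every secret empty; sops-nix's default `/var/lib/sops-nix/key.txt` or `sshKeyPaths` pointing at the host SSH key avoids that. The `*_password` secrets are declared but nothing visible consumes them while `initialPassword = "changeme"` remains on root and don below; if they are meant for `hashedPasswordFile`, they also need `neededForUsers = true;` so they are decrypted before user creation.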
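Review bot: `openssh.authorizedKeys.keys` takes public-key strings, so `[config.sops.secrets."users/root_sshauth".path]` turns the runtime path `/run/secrets/...` into a bogus key line that sshd ignores; the `don` entry below has the same problem. NixOS generates `/etc/ssh/authorized_keys.d/<user>` from that option, which is exactly where the `path` of these secrets tells sops-nix to write, so two mechanisms would own the same file — check the sshd module if in doubt. Drop the `keys` entries and rely on the sops `path` alone (sshd's default `authorizedKeysFiles` already includes `/etc/ssh/authorized_keys.d/%u`), and keep in mind that a public key is not secret: the real cost of moving it into sops is that SSH access now depends on decryption succeeding at activation.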
@@ -364,7 +402,7 @@ in { from = "don@donharper.org"; host = "smtp.smtp2go.com"; user = "donharper.org"; - passwordeval = "cat /home/don/.smtp_password.txt"; + passwordeval = "cat ${config.sops.secrets."smtp/smtp_password".path}"; }; }; }; diff --git a/hosts/workstation/ollama.nix b/hosts/workstation/ollama.nix new file mode 100644 index 0000000..2afe3af --- /dev/null +++ b/hosts/workstation/ollama.nix @@ -0,0 +1,19 @@ +{ + pkgs, + lib, + config, + ... +}: +with lib; let + cfg = config.ollama; +in { + options.ollama = {enable = mkEnableOption "is ollama host";}; + config = mkIf cfg.enable { + services.ollama = { + enable = true; + package = pkgs.ollama-rocm; + # Optional: preload models, see https://ollama.com/library + loadModels = ["qwen2.5-coder:1.5b"]; + }; + }; +} diff --git a/hosts/workstation/tailscale.nix b/hosts/workstation/tailscale.nix index 517ad8d..d43a5f1 100644 Binary files a/hosts/workstation/tailscale.nix and b/hosts/workstation/tailscale.nix differ diff --git a/hosts/www2/default.nix b/hosts/www2/default.nix index d7cd327..2748d3c 100644 --- a/hosts/www2/default.nix +++ b/hosts/www2/default.nix @@ -1,4 +1,11 @@ -{ inputs, outputs, lib, config, pkgs, ... }: { - imports = [ ./hardware-configuration.nix ../../server ]; +{ + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { + imports = [inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ../../server]; networking.hostName = "www2"; } diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..8ef827e --- /dev/null +++ b/secrets.yaml 
@@ -0,0 +1,29 @@ +#ENC[AES256_GCM,data:ZNxS2TSn,iv:29wdug8DNsqXK9gi3+HNSW1eeJGTcMtvccH2nFLk1DY=,tag:S3qAU5HB8Y5595dA6ItCmQ==,type:comment] +users: + root_password: ENC[AES256_GCM,data:c38DypOUaA==,iv:wwpjTEgTBMy3J7PzKnLO9IbLnq9HOMgQG/EQD+07U38=,tag:J/U8ddG2gqtRLUADWiJ8Bw==,type:str] + root_sshauth: ENC[AES256_GCM,data:1z7lTmMn2QB177S2re4+BIoiQ7XAmx9zKscUlUQKywQLqLDQJdvWJ0PvcKNfi0dyCJf5lWG3V3aZhGvIKMUizrZ0JMIZfRStbbLZKSnh0xsSvBdxo4NSd/k=,iv:iXnrcRN7l0uBboJsx/N1uCPkyqPWwbiR3Cp1RJVCVBU=,tag:h1rKlReNxKJ8uBTWVRAPgA==,type:str] + don_password: ENC[AES256_GCM,data:m9Jf4fvpSg==,iv:Z40H6ZSqjRFwvBdak22ijX0s4NVIjqbT1qfRkFnmp6c=,tag:K41k1JQUavKSZ47MkqF6PQ==,type:str] + don_sshauth: ENC[AES256_GCM,data:a7m3lzi9cRMfjSTZAUV6BUmSjcJcTTAex5vFmfC/narajIpmeo2So52cJKV9YYOgKaOCXEmMuokH8kXXZ9QL0zx5HhaCWSxCbsqh+wHEFiRdQFxBn1YLzM4=,iv:x2n+KQjbpReHIZDRnlNUd5HIHfowrnMD0dD4FxdDos8=,tag:PwzOCm3YjF/EiEStFpBGtg==,type:str] + vicky_password: ENC[AES256_GCM,data:KrTs/5d2,iv:ykzA5NMzD6EZJKLpFdgYm0E8/l+K8C96qsUJVm9qovY=,tag:xFzOmny25ytR/64SX0TPyA==,type:str] + vicky_sshauth: ENC[AES256_GCM,data:jFedFDYzaHtHOjKTc3iei3+dw3gpm9mZLncye9henZfx/fK1cbaH6SugnvsEZTtOEt7cjWkBhAKzRxCemhp0WENa2w9cQXrMtnzniIz4k7NsPkKWdBy+n34=,iv:cRPy89hstypZ5RhTlI2dQ28DIsCv9qjGglRdau5A53M=,tag:QosA7AeYaX8Su6wOX7XTVg==,type:str] +#ENC[AES256_GCM,data:wPhrf7k=,iv:2HQ4jzpjasLF1gZCfVCGv30xajhBUzhAXsi9s5Cy9JM=,tag:aCM86v27N+TAGVrxbuO5tg==,type:comment] +smtp: + smtp_password: ENC[AES256_GCM,data:YP3NqVQjuWPyCuTgmxBwSw==,iv:1eyDvHplyh9pKfdY795ndJzzl1LLFudYZB2eqkjYmlw=,tag:Jvb9escI5pNorDmIiXuFrw==,type:str] +#ENC[AES256_GCM,data:SFZglQQ16U0jDBTmBuxHH2TGFRt9rOxZTzc=,iv:MnzSRM4bte5WACvlTDSVTqFTBJMFFv8l8e7p1lu/bZE=,tag:v6JKaBu6dl+1jrK0VmpPBg==,type:comment] +tailscale: + ts_api: ENC[AES256_GCM,data:mchei6FdVpcn7A2m/1D/e7RbZ8YLdte2lZ1b8M1e6C5NqzzDzRSNS7Wne2bm7szPe6nzeDGVZZ/jp5WR26M=,iv:/DZsAk+W+Ev+ZS7XNvLbNXCARL9YjUgvrae5bUppWBY=,tag:Uj8FT/gCpO4XmMRDykz8ZA==,type:str] +sops: + age: + - recipient: 
age16a4ywf6pycs9l8rn7y34c6y8pqfz9utmwwkr70d0hapknkzdaafsesn0ff + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvWkF2Q21TTW9NTE9EVXFI + NlI4Y1pZdWZaUkNDQUZxR0lzS1k5ZTZSb2xvCk9jVE9KQytFQXlZdWZXWGgrM3ZV + dnd2TlZlMDV6RlF6RitTeE9BWnJERzgKLS0tIEdKT0xHaDFpMlR1YmJCRkdnaDBp + em9ZMDljK2tXVnVDN1Q2UnYrZWVwblEKE/z1PQsld/r4AEWFyUgt6zNf7QfcLNYh + Btn5qGBPYizmYzAwleNOq5PDINUAlfT9fTfU6QBdRYkarbVjqDV6Pg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-13T20:50:08Z" + mac: ENC[AES256_GCM,data:+pKY3n9B2nJCYuaGKD9abxQPS2sWALStnQLmbR1UVsIbimDmTaqh6bVbyAaY08MGi7s8oEejaixbeR3fyRUO1Unx23Xu89vHg7x+XQMfty3/AnGCROjFmMv2/1WAONi8U9cNKwTVnLfABse0nO8y7X2Bk/KXfaxG+Wcd2y5K8Nw=,iv:E2bY/lV23VEM72DTLAwD9qVACWRk01nbUc6KHda9Sn8=,tag:KdI2sS4EPbp85LoY1lcygQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0