Graduate eirene

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-29 19:05:37 +01:00
parent 9273514e2a
commit fba4691ae0
33 changed files with 189 additions and 842 deletions


@@ -40,8 +40,7 @@ Below is a table of all hosts, with links to their respective README files, whic
| Host | README |
| ------------- | ------------------------------------------------------------ |
| `installer` | [hosts/installer/README.md](./hosts/installer/README.md) |
| `eirene` | [hosts/eirene/README.md](./hosts/eirene/README.md) |
| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) |
| `himalia` | [hosts/himalia/README.md](./hosts/himalia/README.md) |
| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) |
| `jupiter` | [hosts/jupiter/README.md](./hosts/jupiter/README.md) |
| `jupiter-vps` | [hosts/jupiter-vps/README.md](./hosts/jupiter-vps/README.md) |


@@ -137,9 +137,9 @@
specialArgs = { inherit inputs system; };
};
eirene = nixpkgs.lib.nixosSystem rec {
himalia = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/eirene ];
modules = [ ./hosts/himalia ];
specialArgs = { inherit inputs system; };
};
@@ -149,12 +149,6 @@
specialArgs = { inherit inputs system; };
};
himalia = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/himalia ];
specialArgs = { inherit inputs system; };
};
jupiter = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/jupiter ];


@@ -1,4 +1,9 @@
{ config, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
imports = [ ./options.nix ];
@@ -8,22 +13,11 @@
# https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix
sops.secrets.machineId.mode = "0444";
fileSystems."/persist".neededForBoot = true;
environment = {
impermanence.enable = true;
etc.machine-id.source = pkgs.runCommandLocal "machine-id-link" { } ''
ln -s ${config.sops.secrets.machineId.path} $out
'';
persistence = {
"/persist/user"."/etc/nixos" = { };
"/persist/state" = {
"/var/lib/nixos" = { };
"/var/lib/systemd" = { };
"/var/log" = { };
};
};
};
}
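Review bot: `lib` is added to the module's argument set in the first hunk, but neither hunk uses it; if the unseen lines between the two hunks do not use it either, drop it, since an unused module argument reads as a hint that something was meant to be `lib.mkIf`-guarded. The `fileSystems."/persist".neededForBoot` line and the `environment.persistence` entries that the second hunk deletes appear to be relocated into the shared impermanence module elsewhere in this commit, so no host should lose them, but that is worth one line in the commit message. The closing `}` at the end of the second hunk closes the module, while the file's lines between the two hunks are not shown here.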


@@ -210,8 +210,6 @@ in
};
};
fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg;
systemd = {
mounts = builtins.map (c: {
description = c.path;
@@ -274,11 +272,17 @@ in
);
};
environment.persistence."/persist" = {
"/etc/nixos" = { };
"/var/lib/nixos" = { };
"/var/lib/systemd" = { };
"/var/log" = { };
fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg // {
"/persist".neededForBoot = true;
};
environment.persistence = {
"/persist/user"."/etc/nixos" = { };
"/persist/state" = {
"/var/lib/nixos" = { };
"/var/lib/systemd" = { };
"/var/log" = { };
};
};
assertions =
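Review bot: The `// { "/persist".neededForBoot = true; }` merge hard-codes the parent of the persistence roots that `cfg` enumerates (`/persist/user` and `/persist/state` just below it), so if a root is ever placed outside `/persist` the initrd mount list becomes silently incomplete and a comment should say why the parent is listed separately: `# /persist is the parent subvolume of every persistence root below; it must be mounted in the initrd as well`. The `/persist/cache` subvolume that the disko layouts in this commit create has no persistence root here and so is not marked `neededForBoot`, which looks intentional but deserves a word in the same comment. The enclosing attrset continues past the hunk (`assertions =` is its last visible line).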


@@ -26,7 +26,7 @@
sshKeyPaths =
if config.environment.impermanence.enable then
[ config.environment.persistence."/persist"."/etc/ssh/ssh_host_ed25519_key".source ]
[ config.environment.persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key".source ]
else
[ "/etc/ssh/ssh_host_ed25519_key" ];
};
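Review bot: The `/persist/state` root is hard-coded in the `sshKeyPaths` branch, and the same literal is written again in the impermanence module's `environment.persistence` in this commit; the `if` only checks `impermanence.enable`, so if the root is renamed in one place and not the other, evaluation fails here with a bare missing-attribute error rather than a useful message. A comment ties the two together: `# must match the persistence root that carries /etc/ssh in the impermanence module; sops needs the host key before /persist/state is otherwise used, which is why that root is neededForBoot`. The attrset this line belongs to closes at the end of the hunk, but its opening is not shown.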


@@ -2,7 +2,6 @@
{
programs.ssh.knownHosts = {
installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub;
eirene.publicKeyFile = ../../../../eirene/secrets/ssh_host_ed25519_key.pub;
elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub;
himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub;


@@ -1 +0,0 @@
# eirene


@@ -1,67 +0,0 @@
{ inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
./format.nix
./hardware
../common/configs/system/backup
../common/configs/system/bluetooth
../common/configs/system/boot
../common/configs/system/brightnessctl
../common/configs/system/btrfs
../common/configs/system/cpu
../common/configs/system/documentation
../common/configs/system/getty
../common/configs/system/git
../common/configs/system/gpg-agent
../common/configs/system/impermanence
../common/configs/system/libvirt
../common/configs/system/neovim
../common/configs/system/networkmanager
../common/configs/system/nix
../common/configs/system/nix-cleanup
../common/configs/system/nix-install
../common/configs/system/nix-ld
../common/configs/system/nix-update
../common/configs/system/nixpkgs
../common/configs/system/ntp
../common/configs/system/pipewire
../common/configs/system/podman
../common/configs/system/powertop
../common/configs/system/printing
../common/configs/system/smartmontools
../common/configs/system/sops
../common/configs/system/ssh
../common/configs/system/ssh-agent
../common/configs/system/sshd
../common/configs/system/sudo
../common/configs/system/system
../common/configs/system/timezone
../common/configs/system/tlp
../common/configs/system/tmux
../common/configs/system/tree
../common/configs/system/upower
../common/configs/system/users
../common/configs/system/zsh
./users/nick
];
networking.hostName = "eirene";
boot.supportedFilesystems = [ "ntfs" ];
fileSystems."/mnt/windows" = {
device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_2TB_S69ENF0R841140X-part3";
fsType = "ntfs3";
noCheck = true;
options = [
"users"
"nofail"
"sys_immutable"
"windows_names"
];
};
}


@@ -1,87 +0,0 @@
{
disko.devices = {
disk.main = {
device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00BL2_S64RNE0R602762";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "esp";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
swap = {
name = "swap";
size = "32G";
content = {
type = "swap";
resumeDevice = true;
};
};
root = {
name = "root";
size = "100%";
content = {
name = "main";
type = "luks";
passwordFile = "/tmp/keyfile";
settings = {
allowDiscards = true;
};
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes =
let
mountOptions = [
"compress=zstd:1"
"noatime"
"user_subvol_rm_allowed"
];
in
{
"@" = {
mountpoint = "/";
inherit mountOptions;
};
"@persist" = {
mountpoint = "/persist";
inherit mountOptions;
};
"@persist/user" = {
mountpoint = "/persist/user";
inherit mountOptions;
};
"@persist/state" = {
mountpoint = "/persist/state";
inherit mountOptions;
};
"@persist/cache" = {
mountpoint = "/persist/cache";
inherit mountOptions;
};
"@nix" = {
mountpoint = "/nix";
inherit mountOptions;
};
};
};
};
};
};
};
};
};
}


@@ -1,12 +0,0 @@
# shellcheck shell=bash
AMD=/dev/dri/by-path/pci-0000:06:00.0-card
NVIDIA=/dev/dri/by-path/pci-0000:01:00.0-card
if [[ -e "$AMD" ]]; then
card=$AMD
else
card=$NVIDIA
fi
ln -sf "$card" "$HOME"/.config/hypr/card


@@ -1,100 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [ ./display.nix ];
# https://github.com/NixOS/nixos-hardware/tree/master/lenovo/legion/16achg6
hardware = {
enableAllFirmware = true;
cpu = {
cores = 8;
threads = 16;
amd.updateMicrocode = true;
};
nvidia = {
open = true;
powerManagement.enable = true;
dynamicBoost.enable = true;
prime = {
offload = {
enable = true;
enableOffloadCmd = true;
};
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:6:0:0";
};
};
graphics = {
enable32Bit = true;
extraPackages = with pkgs; [
amdvlk
driversi686Linux.amdvlk
rocmPackages.clr
rocmPackages.clr.icd
];
};
nvidia-container-toolkit.enable = (
config.virtualisation.containerd.enable
|| config.virtualisation.docker.enable
|| config.virtualisation.podman.enable
);
};
boot = {
kernelParams = [ "amd_pstate=active" ];
kernelModules = [ "kvm-amd" ];
initrd.kernelModules = [
"nvme"
"ahci"
"usbhid"
"amdgpu"
];
};
nixpkgs.config = {
cudaSupport = true;
rocmSupport = true;
};
powerManagement.enable = true;
services = {
xserver.videoDrivers = [ "nvidia" ];
fstrim.enable = true;
tlp.settings.DISK_DEVICES = lib.mkDefault "nvme0n1 nvme1n1";
};
programs.gamescope.env = {
__NV_PRIME_RENDER_OFFLOAD = "1";
__VK_LAYER_NV_optimus = "NVIDIA_only";
__GLX_VENDOR_LIBRARY_NAME = "nvidia";
};
home-manager.sharedModules = [
{
wayland.windowManager.hyprland.settings = {
env = [ "AQ_DRM_DEVICES,$HOME/.config/hypr/card" ];
device = [
{
name = "syna2ba6:00-06cb:ce44-touchpad";
sensitivity = 0.5;
}
];
gestures.workspace_swipe_distance = 600;
};
programs.zsh.loginExtra = lib.mkBefore (builtins.readFile ./card.sh);
}
];
}


@@ -1,32 +0,0 @@
{ pkgs, ... }:
{
boot.kernelParams = [ "video=eDP-1:2560x1600@165" ];
programs.steam.package = pkgs.steam.override { extraEnv.STEAM_FORCE_DESKTOPUI_SCALING = 1.25; };
home-manager.sharedModules = [
{
wayland.windowManager.hyprland.settings = {
monitor = [
"eDP-1, preferred, 0x0, 1.25"
", maxwidth, auto-center-up, 1"
];
workspace = [
"1, monitor:eDP-1, layoutopt:orientation:left"
"2, monitor:eDP-1, layoutopt:orientation:left"
"3, monitor:eDP-1, layoutopt:orientation:left"
"4, monitor:eDP-1, layoutopt:orientation:left"
"5, monitor:eDP-1, layoutopt:orientation:left"
"6, monitor:eDP-1, layoutopt:orientation:left"
"7, monitor:eDP-1, layoutopt:orientation:left"
"8, monitor:eDP-1, layoutopt:orientation:left"
"9, monitor:eDP-1, layoutopt:orientation:left"
"10, monitor:eDP-1, layoutopt:orientation:left"
];
};
programs.vscode.profiles.default.userSettings."window.zoomLevel" = (1.25 - 1) / 0.2;
}
];
}


@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/ImO80n4+M8AIkS75leQiju6/zu09qV0keROjE6VC root@eirene


@@ -1,48 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
lib,
system,
...
}:
let
hmConfig = config.home-manager.users.${user};
selfPkgs = inputs.self.packages.${system};
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"git/credentials/git.karaolidis.com/admin/username".sopsFile =
../../../../../../../secrets/personal/secrets.yaml;
"git/credentials/git.karaolidis.com/admin/password".sopsFile =
../../../../../../../secrets/personal/secrets.yaml;
};
templates."git/credentials" = {
content = ''
https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
}@git.karaolidis.com
'';
path = "${home}/.config/git/credentials";
};
};
programs.ssh = {
matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
};
};
userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-github ];
};
};
}


@@ -1,18 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ config, ... }:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user} = {
sops.secrets = {
"gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
"gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
};
programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;
};
}


@@ -1,32 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ config, pkgs, ... }:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user}.sops = {
secrets = {
"registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
"registry/registry.karaolidis.com".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
};
templates.containers-auth = {
content = builtins.readFile (
(pkgs.formats.json { }).generate "auth.json" {
auths = {
"docker.io" = {
auth = hmConfig.sops.placeholder."registry/docker.io";
};
"registry.karaolidis.com" = {
auth = hmConfig.sops.placeholder."registry/registry.karaolidis.com";
};
};
}
);
path = "${home}/.config/containers/auth.json";
};
};
}


@@ -1,32 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ config, ... }:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user} = {
sops.secrets = {
"ssh/key" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
path = "${home}/.ssh/ssh_personal_ed25519_key";
};
"ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
};
programs = {
ssh.matchBlocks = {
"karaolidis.com" = {
hostname = "karaolidis.com";
user = "nick";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
};
};
clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
};
};
}


@@ -1,17 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user}.services.syncthing.settings.folders = {
official = {
label = "Official";
path = "${home}/Documents/Official";
devices = [
"amalthea"
"ganymede"
];
};
};
}


@@ -1,23 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user} = {
programs.obsidian.vaults."Documents/Obsidian/master".enable = true;
services.syncthing.settings.folders.obsidian = {
label = "Obsidian";
path = "${home}/Documents/Obsidian";
devices = [
"amalthea"
"ganymede"
];
maxConflicts = 0;
};
home.file."Documents/Obsidian/.stignore".source =
../../../../../../common/configs/user/gui/obsidian/.stignore;
};
}


@@ -1,21 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user}.programs.vscode.languages = {
c.enable = true;
go.enable = true;
java.enable = true;
lua.enable = true;
markdown.enable = true;
nix.enable = true;
python.enable = true;
rest.enable = true;
rust.enable = true;
sops.enable = true;
typescript.enable = true;
yaml.enable = true;
};
}


@@ -1,119 +0,0 @@
{ config, lib, ... }:
let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643
user = "nick";
home = "/home/nick";
in
{
imports = [
../../../common/configs/user/options.nix
(import ../../../common/configs/user/console/android { inherit user home; })
(import ../../../common/configs/user/console/bashmount { inherit user home; })
(import ../../../common/configs/user/console/brightnessctl { inherit user home; })
(import ../../../common/configs/user/console/btop { inherit user home; })
(import ../../../common/configs/user/console/dive { inherit user home; })
(import ../../../common/configs/user/console/fastfetch { inherit user home; })
(import ../../../common/configs/user/console/ffmpeg { inherit user home; })
(import ../../../common/configs/user/console/git { inherit user home; })
(import ../../../common/configs/user/console/gpg-agent { inherit user home; })
(import ../../../common/configs/user/console/home-manager { inherit user home; })
(import ../../../common/configs/user/console/imagemagick { inherit user home; })
(import ../../../common/configs/user/console/ip { inherit user home; })
(import ../../../common/configs/user/console/jq { inherit user home; })
(import ../../../common/configs/user/console/libvirt { inherit user home; })
(import ../../../common/configs/user/console/lsof { inherit user home; })
(import ../../../common/configs/user/console/ncdu { inherit user home; })
(import ../../../common/configs/user/console/neovim { inherit user home; })
(import ../../../common/configs/user/console/nix { inherit user home; })
(import ../../../common/configs/user/console/nix-cleanup { inherit user home; })
(import ../../../common/configs/user/console/nix-develop { inherit user home; })
(import ../../../common/configs/user/console/nix-direnv { inherit user home; })
(import ../../../common/configs/user/console/pipewire { inherit user home; })
(import ../../../common/configs/user/console/podman { inherit user home; })
(import ../../../common/configs/user/console/ranger { inherit user home; })
(import ../../../common/configs/user/console/sops { inherit user home; })
(import ../../../common/configs/user/console/ssh { inherit user home; })
(import ../../../common/configs/user/console/ssh-agent { inherit user home; })
(import ../../../common/configs/user/console/syncthing { inherit user home; })
(import ../../../common/configs/user/console/tmux { inherit user home; })
(import ../../../common/configs/user/console/tree { inherit user home; })
(import ../../../common/configs/user/console/unzip { inherit user home; })
(import ../../../common/configs/user/console/wget { inherit user home; })
(import ../../../common/configs/user/console/xdg { inherit user home; })
(import ../../../common/configs/user/console/yt-dlp { inherit user home; })
(import ../../../common/configs/user/console/zsh { inherit user home; })
(import ../../../common/configs/user/gui/astal { inherit user home; })
(import ../../../common/configs/user/gui/bluetooth { inherit user home; })
(import ../../../common/configs/user/gui/brightnessctl { inherit user home; })
(import ../../../common/configs/user/gui/btop { inherit user home; })
(import ../../../common/configs/user/gui/chromium { inherit user home; })
(import ../../../common/configs/user/gui/clipbook { inherit user home; })
(import ../../../common/configs/user/gui/cliphist { inherit user home; })
(import ../../../common/configs/user/gui/darktable { inherit user home; })
(import ../../../common/configs/user/gui/discord { inherit user home; })
(import ../../../common/configs/user/gui/emoji { inherit user home; })
(import ../../../common/configs/user/gui/firefox { inherit user home; })
(import ../../../common/configs/user/gui/gtk { inherit user home; })
(import ../../../common/configs/user/gui/hyprland { inherit user home; })
(import ../../../common/configs/user/gui/hyprshot { inherit user home; })
(import ../../../common/configs/user/gui/kitty { inherit user home; })
(import ../../../common/configs/user/gui/libreoffice { inherit user home; })
(import ../../../common/configs/user/gui/networkmanager { inherit user home; })
(import ../../../common/configs/user/gui/obs { inherit user home; })
(import ../../../common/configs/user/gui/obsidian { inherit user home; })
(import ../../../common/configs/user/gui/pipewire { inherit user home; })
(import ../../../common/configs/user/gui/qalculate { inherit user home; })
(import ../../../common/configs/user/gui/qt { inherit user home; })
(import ../../../common/configs/user/gui/rofi { inherit user home; })
(import ../../../common/configs/user/gui/rquickshare { inherit user home; })
(import ../../../common/configs/user/gui/spicetify { inherit user home; })
(import ../../../common/configs/user/gui/steam { inherit user home; })
(import ../../../common/configs/user/gui/swww { inherit user home; })
(import ../../../common/configs/user/gui/theme { inherit user home; })
(import ../../../common/configs/user/gui/transmission { inherit user home; })
(import ../../../common/configs/user/gui/vscode { inherit user home; })
(import ../../../common/configs/user/gui/wev { inherit user home; })
(import ../../../common/configs/user/gui/wl-clipboard { inherit user home; })
(import ../../../common/configs/user/gui/x11 { inherit user home; })
(import ../../../common/configs/user/gui/xdg { inherit user home; })
(import ./configs/console/git { inherit user home; })
(import ./configs/console/gpg { inherit user home; })
(import ./configs/console/podman { inherit user home; })
(import ./configs/console/ssh { inherit user home; })
(import ./configs/console/syncthing { inherit user home; })
(import ./configs/gui/obsidian { inherit user home; })
(import ./configs/gui/vscode { inherit user home; })
];
# echo "password" | mkpasswd -s
sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/personal/secrets.yaml;
key = "password";
neededForUsers = true;
};
users.users.${user} = {
inherit home;
isNormalUser = true;
email = "nick@karaolidis.com";
fullName = "Nikolaos Karaolidis";
description = "Nikolaos Karaolidis";
hashedPasswordFile = config.sops.secrets."${user}-password".path;
extraGroups = [ "wheel" ];
linger = true;
uid = lib.strings.toInt (builtins.readFile ./uid);
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
];
};
home-manager.users.${user}.home = {
username = user;
homeDirectory = home;
};
}


@@ -1 +0,0 @@
1000


@@ -22,7 +22,7 @@
nvidia = {
open = true;
powerManagement.enable = true;
# TODO
# TODO: Enable
# dynamicBoost.enable = true;
prime = {


@@ -8,22 +8,8 @@ I have automated myself out of a job. How to use:
3. Connect to the internet with `nmcli`
- Scan for available networks:
```bash
nmcli device wifi list
```
- For an open network:
```bash
nmcli device wifi connect "<SSID>"
```
- For a secured network:
```bash
nmcli device wifi connect "<SSID>" password "<password>"
sudo nmcli device wifi connect "<SSID>" [--ask]
```
4. Run `sudo nix-install /etc/nixos -m install|repair -h host [-k key] [-c] [-r]"`


@@ -7,6 +7,7 @@
./hardware
../common/configs/system/boot
../common/configs/system/brightnessctl
../common/configs/system/btrfs
../common/configs/system/documentation
../common/configs/system/getty


@@ -7,7 +7,9 @@
./hardware
../common/configs/system/boot
../common/configs/system/brightnessctl
../common/configs/system/btrfs
../common/configs/system/cpu
../common/configs/system/documentation
../common/configs/system/git
../common/configs/system/impermanence
@@ -36,17 +38,18 @@
# TODO: DNS for .local
networking.hostName = "jupiter";
fileSystems."/mnt/storage" = {
label = "storage";
fsType = "btrfs";
options = [
"x-initrd.mount"
"defaults"
"subvol=@"
"compress=zstd:5"
"noatime"
];
};
# TODO: Enable
# fileSystems."/mnt/storage" = {
# label = "storage";
# fsType = "btrfs";
# options = [
# "x-initrd.mount"
# "defaults"
# "subvol=@"
# "compress=zstd:5"
# "noatime"
# ];
# };
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
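Review bot: The `/mnt/storage` mount is disabled by commenting out the whole `fileSystems` attrset under `# TODO: Enable`, and the same is done for the `storage0`/`storage1` disks in the disko layout later in this commit; commented-out Nix is neither evaluated nor formatted, so it rots while the hardware is absent. A switch keeps it live, e.g. `storageAttached = false;` in the file's `let` and `fileSystems."/mnt/storage" = lib.mkIf storageAttached { … };` (assuming `lib` is among the module's arguments), with the same flag gating the disko disks. When it is re-enabled, the `x-initrd.mount` option means the array, which the disko layout defines as LUKS on both disks, must be unlockable in the initrd; a note next to the TODO, `# x-initrd.mount: storage0/storage1 LUKS must open in initrd, not just root`, would save a failed boot. The enclosing attrset continues past the hunk.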


@@ -2,8 +2,7 @@
disko.devices = {
disk = {
main = {
# TODO: Set to correct device
device = "/dev/vda";
device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00BL2_S64RNE0R602762";
type = "disk";
content = {
type = "gpt";
@@ -24,15 +23,14 @@
mountOptions = [ "umask=0077" ];
};
};
# TODO: Set correct swap size and enable
# swap = {
# name = "swap";
# size = "64G";
# content = {
# type = "swap";
# resumeDevice = true;
# };
# };
swap = {
name = "swap";
size = "64G";
content = {
type = "swap";
resumeDevice = true;
};
};
root = {
name = "root";
size = "100%";
@@ -63,12 +61,20 @@
mountpoint = "/persist";
inherit mountOptions;
};
"@nix" = {
mountpoint = "/nix";
"@persist/user" = {
mountpoint = "/persist/user";
inherit mountOptions;
};
"@cache" = {
mountpoint = "/cache";
"@persist/state" = {
mountpoint = "/persist/state";
inherit mountOptions;
};
"@persist/cache" = {
mountpoint = "/persist/cache";
inherit mountOptions;
};
"@nix" = {
mountpoint = "/nix";
inherit mountOptions;
};
};
@@ -79,60 +85,60 @@
};
};
storage0 = {
# TODO: Set to correct device
device = "/dev/vdb";
type = "disk";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
size = "100%";
content = {
name = "storage0";
type = "luks";
passwordFile = "/tmp/keyfile";
settings = {
allowDiscards = true;
};
};
};
};
};
};
# TODO: Set to correct device
# storage0 = {
# device = "/dev/vdb";
# type = "disk";
# content = {
# type = "gpt";
# partitions = {
# root = {
# name = "root";
# size = "100%";
# content = {
# name = "storage0";
# type = "luks";
# passwordFile = "/tmp/keyfile";
# settings = {
# allowDiscards = true;
# };
# };
# };
# };
# };
# };
storage1 = {
# TODO: Set to correct device
device = "/dev/vdc";
type = "disk";
content = {
type = "gpt";
partitions = {
root = {
name = "root";
size = "100%";
content = {
name = "storage1";
type = "luks";
passwordFile = "/tmp/keyfile";
settings = {
allowDiscards = true;
};
# TODO: Set to correct device
# storage1 = {
# device = "/dev/vdc";
# type = "disk";
# content = {
# type = "gpt";
# partitions = {
# root = {
# name = "root";
# size = "100%";
# content = {
# name = "storage1";
# type = "luks";
# passwordFile = "/tmp/keyfile";
# settings = {
# allowDiscards = true;
# };
# storageN content must be placed on last alphabetical drive
content = {
type = "btrfs";
extraArgs = [ "-f -L storage -m raid1 -d raid1 /dev/mapper/storage0" ];
subvolumes = {
"@" = { };
};
};
};
};
};
};
};
# # storageN content must be placed on last alphabetical drive
# content = {
# type = "btrfs";
# extraArgs = [ "-f -L storage -m raid1 -d raid1 /dev/mapper/storage0" ];
# subvolumes = {
# "@" = { };
# };
# };
# };
# };
# };
# };
# };
};
};
}
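Review bot: The swap partition re-enabled in the second hunk with `resumeDevice = true;` is a plain GPT partition that sits next to `root`, not inside the LUKS container, so a hibernation image, which is the full contents of RAM including the unlocked key material of the root volume, would be written to unencrypted disk. Either move swap inside the encrypted container (a swap file or volume on the encrypted side, with `boot.resumeDevice` pointed at it), or, if this host never hibernates, set `randomEncryption = true;` on the swap content and drop `resumeDevice`. The root partition's LUKS `content` is not inside this hunk, but the subvolume hunk that follows and the deleted eirene layout in this commit both show the same encrypted-root / plain-swap arrangement, so the point applies to both layouts. The `storage0`/`storage1` disks are left as commented-out text, and the `passwordFile = "/tmp/keyfile"` they carry will need the same initrd treatment as root when they return.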


@@ -1,18 +1,75 @@
{ ... }:
{
# TODO Remove
hardware.enableAllHardware = true;
config,
pkgs,
lib,
...
}:
{
imports = [ ./display.nix ];
# TODO Update
boot.initrd.kernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"virtio_blk"
"virtio_console"
"sd_mod"
];
hardware = {
enableAllFirmware = true;
services.fstrim.enable = true;
cpu = {
cores = 8;
threads = 16;
amd.updateMicrocode = true;
};
nvidia = {
open = true;
powerManagement.enable = true;
dynamicBoost.enable = true;
prime = {
offload = {
enable = true;
enableOffloadCmd = true;
};
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:6:0:0";
};
};
graphics = {
enable32Bit = true;
extraPackages = with pkgs; [
amdvlk
driversi686Linux.amdvlk
rocmPackages.clr
rocmPackages.clr.icd
];
};
nvidia-container-toolkit.enable = (
config.virtualisation.containerd.enable
|| config.virtualisation.docker.enable
|| config.virtualisation.podman.enable
);
};
boot = {
kernelParams = [ "amd_pstate=active" ];
kernelModules = [ "kvm-amd" ];
initrd.kernelModules = [
"nvme"
"ahci"
"usbhid"
"amdgpu"
];
};
nixpkgs.config = {
cudaSupport = true;
rocmSupport = true;
};
powerManagement.enable = true;
services = {
xserver.videoDrivers = [ "nvidia" ];
fstrim.enable = true;
tlp.settings.DISK_DEVICES = lib.mkDefault "nvme0n1 nvme1n1";
logind.lidSwitch = "ignore";
};
}
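Review bot: `services.tlp.settings.DISK_DEVICES` is set near the end of the block, but the host's visible import list elsewhere in this commit has no `tlp` module, unlike the deleted eirene host this block was copied from; if TLP is not enabled on jupiter the setting is inert and should go, and if it is enabled, `lib.mkDefault` on a per-host value is odd because nothing more specific overrides it. The block carries no hardware provenance even though the bus IDs `PCI:1:0:0`/`PCI:6:0:0`, the `amd_pstate`/`kvm-amd` settings and the NVMe device id in the disko layout all match the removed eirene config; keep the header comment that file had, `# https://github.com/NixOS/nixos-hardware/tree/master/lenovo/legion/16achg6`, so the next reader knows which machine this is. `logind.lidSwitch = "ignore"` is the right choice for a laptop run as a server but deserves a why-comment, e.g. `# laptop used headless: closing the lid must not suspend`.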


@@ -0,0 +1,4 @@
{ ... }:
{
boot.kernelParams = [ "video=eDP-1:2560x1600@165" ];
}


@@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQoqvM5g/0e/UAH+GHsp0IegTd+Y1WZ+H5TRvypUv03 root@jupiter
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter


@@ -94,9 +94,7 @@ in
networks.outline.ref
networks.traefik.ref
];
volumes = [
"${volumes.outline.ref}:/var/lib/outline/data"
];
volumes = [ "${volumes.outline.ref}:/var/lib/outline/data" ];
environments = {
URL = "https://docs.karaolidis.com";
PGSSLMODE = "disable";


@@ -1,16 +1,11 @@
{ pkgs, ... }:
let
sish = pkgs.sish.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./proxy-ssl-termination.patch ];
});
in
pkgs.dockerTools.buildImage {
name = "sish";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = [ sish ];
paths = with pkgs; [ sish ];
pathsToLink = [ "/bin" ];
};
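Review bot: Dropping the `overrideAttrs` patch means the image now ships an unpatched `pkgs.sish`, and the deleted patch in this same commit is what added the `proxy-ssl-termination` flag; if any sish config in the repo still sets that key, an unpatched binary silently ignores it (unknown config keys are not rejected) and the URL announced to tunnel users falls back to `http://` behind the TLS-terminating proxy. If the flag has landed upstream in the pinned nixpkgs, say so where the patch used to be, `# proxy-ssl-termination is upstream since sish <VERSION-PLACEHOLDER>; the local patch was dropped`, otherwise the patch should stay. `with pkgs; [ sish ]` for a single attribute reads more clearly as `[ pkgs.sish ]`. The `buildImage` call continues past the hunk.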


@@ -1,82 +0,0 @@
diff --git a/cmd/sish.go b/cmd/sish.go
index 0f7bee3..7fb1656 100644
--- a/cmd/sish.go
+++ b/cmd/sish.go
@@ -99,6 +99,7 @@ func init() {
rootCmd.PersistentFlags().BoolP("proxy-protocol", "", false, "Use the proxy-protocol while proxying connections in order to pass-on IP address and port information")
rootCmd.PersistentFlags().BoolP("proxy-protocol-use-timeout", "", false, "Use a timeout for the proxy-protocol read")
rootCmd.PersistentFlags().BoolP("proxy-protocol-listener", "", false, "Use the proxy-protocol to resolve ip addresses from user connections")
+ rootCmd.PersistentFlags().BoolP("proxy-ssl-termination", "", false, "Whether sish is running behind an SSL-terminated reverse proxy\nIf true, the displayed HTTP URL will use `https://` despite running on port 80")
rootCmd.PersistentFlags().BoolP("https", "", false, "Listen for HTTPS connections. Requires a correct --https-certificate-directory")
rootCmd.PersistentFlags().BoolP("force-all-https", "", false, "Redirect all requests to the https server")
rootCmd.PersistentFlags().BoolP("force-https", "", false, "Allow indiviual binds to request for https to be enforced")
diff --git a/config.example.yml b/config.example.yml
index 2249f5d..fbac885 100644
--- a/config.example.yml
+++ b/config.example.yml
@@ -79,6 +79,7 @@ proxy-protocol-policy: use
proxy-protocol-timeout: 200ms
proxy-protocol-use-timeout: false
proxy-protocol-version: "1"
+proxy-ssl-termination: false
redirect-root: true
redirect-root-location: https://github.com/antoniomika/sish
rewrite-host-header: true
diff --git a/docs/posts/cli.md b/docs/posts/cli.md
index f6891a0..c31ab1c 100644
--- a/docs/posts/cli.md
+++ b/docs/posts/cli.md
@@ -1,6 +1,6 @@
---
title: CLI
-description: How use sish's CLI
+description: How use sish's CLI
keywords: [sish, cli]
---
@@ -107,6 +107,7 @@ Flags:
--proxy-protocol-use-timeout Use a timeout for the proxy-protocol read
-q, --proxy-protocol-version string What version of the proxy protocol to use. Can either be 1, 2, or userdefined.
If userdefined, the user needs to add a command to SSH called proxyproto=version (ie proxyproto=1) (default "1")
+ --proxy-ssl-termination Whether sish is running behind an SSL terminated reverse proxy
--redirect-root Redirect the root domain to the location defined in --redirect-root-location (default true)
-r, --redirect-root-location string The location to redirect requests to the root domain
to instead of responding with a 404 (default "https://github.com/antoniomika/sish")
@@ -129,6 +130,7 @@ Flags:
--verify-dns Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true)
--verify-ssl Verify SSL certificates made on proxied HTTP connections (default true)
-v, --version version for sish
+ --welcome-message string Message displayed to users upon connection (default "Press Ctrl-C to close the session.")
-y, --whitelisted-countries string A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections
-w, --whitelisted-ips string A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections
```
diff --git a/sshmuxer/httphandler.go b/sshmuxer/httphandler.go
index eb8ad63..833ed6a 100644
--- a/sshmuxer/httphandler.go
+++ b/sshmuxer/httphandler.go
@@ -121,16 +121,17 @@ func handleHTTPListener(check *channelForwardMsg, _ string, requestMessages stri
}
}
- httpPortString := ""
- if state.Ports.HTTPPort != 80 {
- httpPortString = fmt.Sprintf(":%d", state.Ports.HTTPPort)
- }
-
- requestMessages += fmt.Sprintf("%s: http://%s%s%s%s\r\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path)
+ if !viper.GetBool("proxy-ssl-termination") {
+ httpPortString := ""
+ if state.Ports.HTTPPort != 80 {
+ httpPortString = fmt.Sprintf(":%d", state.Ports.HTTPPort)
+ }
- log.Printf("%s forwarding started: http://%s%s%s%s -> %s for client: %s\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path, listenerHolder.Addr().String(), sshConn.SSHConn.RemoteAddr().String())
+ requestMessages += fmt.Sprintf("%s: http://%s%s%s%s\r\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path)
+ log.Printf("%s forwarding started: http://%s%s%s%s -> %s for client: %s\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path, listenerHolder.Addr().String(), sshConn.SSHConn.RemoteAddr().String())
+ }
- if viper.GetBool("https") {
+ if viper.GetBool("https") || viper.GetBool("proxy-ssl-termination") {
httpsPortString := ""
if state.Ports.HTTPSPort != 443 {
httpsPortString = fmt.Sprintf(":%d", state.Ports.HTTPSPort)