karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Graduate eirene

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-05-29 19:05:37 +01:00
parent 9273514e2a
commit fba4691ae0
33 changed files with 189 additions and 842 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -40,8 +40,7 @@ Below is a table of all hosts, with links to their respective README files, whic
| Host | README | | Host | README |
| ------------- | ------------------------------------------------------------ | | ------------- | ------------------------------------------------------------ |
| `installer` | [hosts/installer/README.md](./hosts/installer/README.md) | | `installer` | [hosts/installer/README.md](./hosts/installer/README.md) |
| `eirene` | [hosts/eirene/README.md](./hosts/eirene/README.md) |
| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) |
| `himalia` | [hosts/himalia/README.md](./hosts/himalia/README.md) | | `himalia` | [hosts/himalia/README.md](./hosts/himalia/README.md) |
| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) |
| `jupiter` | [hosts/jupiter/README.md](./hosts/jupiter/README.md) | | `jupiter` | [hosts/jupiter/README.md](./hosts/jupiter/README.md) |
| `jupiter-vps` | [hosts/jupiter-vps/README.md](./hosts/jupiter-vps/README.md) | | `jupiter-vps` | [hosts/jupiter-vps/README.md](./hosts/jupiter-vps/README.md) |

10
flake.nix
View File

@@ -137,9 +137,9 @@
specialArgs = { inherit inputs system; }; specialArgs = { inherit inputs system; };
}; };
eirene = nixpkgs.lib.nixosSystem rec { himalia = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./hosts/eirene ]; modules = [ ./hosts/himalia ];
specialArgs = { inherit inputs system; }; specialArgs = { inherit inputs system; };
}; };
@@ -149,12 +149,6 @@
specialArgs = { inherit inputs system; }; specialArgs = { inherit inputs system; };
}; };
himalia = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
modules = [ ./hosts/himalia ];
specialArgs = { inherit inputs system; };
};
jupiter = nixpkgs.lib.nixosSystem rec { jupiter = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./hosts/jupiter ]; modules = [ ./hosts/jupiter ];

18
hosts/common/configs/system/impermanence/default.nix
View File

@@ -1,4 +1,9 @@
{ config, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
@@ -8,22 +13,11 @@
# https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix # https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix
sops.secrets.machineId.mode = "0444"; sops.secrets.machineId.mode = "0444";
fileSystems."/persist".neededForBoot = true;
environment = { environment = {
impermanence.enable = true; impermanence.enable = true;
etc.machine-id.source = pkgs.runCommandLocal "machine-id-link" { } '' etc.machine-id.source = pkgs.runCommandLocal "machine-id-link" { } ''
ln -s ${config.sops.secrets.machineId.path} $out ln -s ${config.sops.secrets.machineId.path} $out
''; '';
persistence = {
"/persist/user"."/etc/nixos" = { };
"/persist/state" = {
"/var/lib/nixos" = { };
"/var/lib/systemd" = { };
"/var/log" = { };
};
};
}; };
} }

12
hosts/common/configs/system/impermanence/options.nix
View File

@@ -210,8 +210,6 @@ in
}; };
}; };
fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg;
systemd = { systemd = {
mounts = builtins.map (c: { mounts = builtins.map (c: {
description = c.path; description = c.path;
@@ -274,12 +272,18 @@ in
); );
}; };
environment.persistence."/persist" = { fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg // {
"/etc/nixos" = { }; "/persist".neededForBoot = true;
};
environment.persistence = {
"/persist/user"."/etc/nixos" = { };
"/persist/state" = {
"/var/lib/nixos" = { }; "/var/lib/nixos" = { };
"/var/lib/systemd" = { }; "/var/lib/systemd" = { };
"/var/log" = { }; "/var/log" = { };
}; };
};
assertions = assertions =
let let

2
hosts/common/configs/system/sops/default.nix
View File

@@ -26,7 +26,7 @@
sshKeyPaths = sshKeyPaths =
if config.environment.impermanence.enable then if config.environment.impermanence.enable then
[ config.environment.persistence."/persist"."/etc/ssh/ssh_host_ed25519_key".source ] [ config.environment.persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key".source ]
else else
[ "/etc/ssh/ssh_host_ed25519_key" ]; [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };

1
hosts/common/configs/system/ssh/default.nix
View File

@@ -2,7 +2,6 @@
{ {
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub; installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub;
eirene.publicKeyFile = ../../../../eirene/secrets/ssh_host_ed25519_key.pub;
elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub; elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub;
himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub; himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub;

1
hosts/eirene/README.md
View File

@@ -1 +0,0 @@
# eirene

67
hosts/eirene/default.nix
View File

@@ -1,67 +0,0 @@
{ inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
./format.nix
./hardware
../common/configs/system/backup
../common/configs/system/bluetooth
../common/configs/system/boot
../common/configs/system/brightnessctl
../common/configs/system/btrfs
../common/configs/system/cpu
../common/configs/system/documentation
../common/configs/system/getty
../common/configs/system/git
../common/configs/system/gpg-agent
../common/configs/system/impermanence
../common/configs/system/libvirt
../common/configs/system/neovim
../common/configs/system/networkmanager
../common/configs/system/nix
../common/configs/system/nix-cleanup
../common/configs/system/nix-install
../common/configs/system/nix-ld
../common/configs/system/nix-update
../common/configs/system/nixpkgs
../common/configs/system/ntp
../common/configs/system/pipewire
../common/configs/system/podman
../common/configs/system/powertop
../common/configs/system/printing
../common/configs/system/smartmontools
../common/configs/system/sops
../common/configs/system/ssh
../common/configs/system/ssh-agent
../common/configs/system/sshd
../common/configs/system/sudo
../common/configs/system/system
../common/configs/system/timezone
../common/configs/system/tlp
../common/configs/system/tmux
../common/configs/system/tree
../common/configs/system/upower
../common/configs/system/users
../common/configs/system/zsh
./users/nick
];
networking.hostName = "eirene";
boot.supportedFilesystems = [ "ntfs" ];
fileSystems."/mnt/windows" = {
device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_2TB_S69ENF0R841140X-part3";
fsType = "ntfs3";
noCheck = true;
options = [
"users"
"nofail"
"sys_immutable"
"windows_names"
];
};
}

87
hosts/eirene/format.nix
View File

@@ -1,87 +0,0 @@
{
disko.devices = {
disk.main = {
device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00BL2_S64RNE0R602762";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "esp";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
swap = {
name = "swap";
size = "32G";
content = {
type = "swap";
resumeDevice = true;
};
};
root = {
name = "root";
size = "100%";
content = {
name = "main";
type = "luks";
passwordFile = "/tmp/keyfile";
settings = {
allowDiscards = true;
};
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes =
let
mountOptions = [
"compress=zstd:1"
"noatime"
"user_subvol_rm_allowed"
];
in
{
"@" = {
mountpoint = "/";
inherit mountOptions;
};
"@persist" = {
mountpoint = "/persist";
inherit mountOptions;
};
"@persist/user" = {
mountpoint = "/persist/user";
inherit mountOptions;
};
"@persist/state" = {
mountpoint = "/persist/state";
inherit mountOptions;
};
"@persist/cache" = {
mountpoint = "/persist/cache";
inherit mountOptions;
};
"@nix" = {
mountpoint = "/nix";
inherit mountOptions;
};
};
};
};
};
};
};
};
};
}

12
hosts/eirene/hardware/card.sh
View File

@@ -1,12 +0,0 @@
# shellcheck shell=bash
AMD=/dev/dri/by-path/pci-0000:06:00.0-card
NVIDIA=/dev/dri/by-path/pci-0000:01:00.0-card
if [[ -e "$AMD" ]]; then
card=$AMD
else
card=$NVIDIA
fi
ln -sf "$card" "$HOME"/.config/hypr/card

100
hosts/eirene/hardware/default.nix
View File

@@ -1,100 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [ ./display.nix ];
# https://github.com/NixOS/nixos-hardware/tree/master/lenovo/legion/16achg6
hardware = {
enableAllFirmware = true;
cpu = {
cores = 8;
threads = 16;
amd.updateMicrocode = true;
};
nvidia = {
open = true;
powerManagement.enable = true;
dynamicBoost.enable = true;
prime = {
offload = {
enable = true;
enableOffloadCmd = true;
};
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:6:0:0";
};
};
graphics = {
enable32Bit = true;
extraPackages = with pkgs; [
amdvlk
driversi686Linux.amdvlk
rocmPackages.clr
rocmPackages.clr.icd
];
};
nvidia-container-toolkit.enable = (
config.virtualisation.containerd.enable
|| config.virtualisation.docker.enable
|| config.virtualisation.podman.enable
);
};
boot = {
kernelParams = [ "amd_pstate=active" ];
kernelModules = [ "kvm-amd" ];
initrd.kernelModules = [
"nvme"
"ahci"
"usbhid"
"amdgpu"
];
};
nixpkgs.config = {
cudaSupport = true;
rocmSupport = true;
};
powerManagement.enable = true;
services = {
xserver.videoDrivers = [ "nvidia" ];
fstrim.enable = true;
tlp.settings.DISK_DEVICES = lib.mkDefault "nvme0n1 nvme1n1";
};
programs.gamescope.env = {
__NV_PRIME_RENDER_OFFLOAD = "1";
__VK_LAYER_NV_optimus = "NVIDIA_only";
__GLX_VENDOR_LIBRARY_NAME = "nvidia";
};
home-manager.sharedModules = [
{
wayland.windowManager.hyprland.settings = {
env = [ "AQ_DRM_DEVICES,$HOME/.config/hypr/card" ];
device = [
{
name = "syna2ba6:00-06cb:ce44-touchpad";
sensitivity = 0.5;
}
];
gestures.workspace_swipe_distance = 600;
};
programs.zsh.loginExtra = lib.mkBefore (builtins.readFile ./card.sh);
}
];
}

32
hosts/eirene/hardware/display.nix
View File

@@ -1,32 +0,0 @@
{ pkgs, ... }:
{
boot.kernelParams = [ "video=eDP-1:2560x1600@165" ];
programs.steam.package = pkgs.steam.override { extraEnv.STEAM_FORCE_DESKTOPUI_SCALING = 1.25; };
home-manager.sharedModules = [
{
wayland.windowManager.hyprland.settings = {
monitor = [
"eDP-1, preferred, 0x0, 1.25"
", maxwidth, auto-center-up, 1"
];
workspace = [
"1, monitor:eDP-1, layoutopt:orientation:left"
"2, monitor:eDP-1, layoutopt:orientation:left"
"3, monitor:eDP-1, layoutopt:orientation:left"
"4, monitor:eDP-1, layoutopt:orientation:left"
"5, monitor:eDP-1, layoutopt:orientation:left"
"6, monitor:eDP-1, layoutopt:orientation:left"
"7, monitor:eDP-1, layoutopt:orientation:left"
"8, monitor:eDP-1, layoutopt:orientation:left"
"9, monitor:eDP-1, layoutopt:orientation:left"
"10, monitor:eDP-1, layoutopt:orientation:left"
];
};
programs.vscode.profiles.default.userSettings."window.zoomLevel" = (1.25 - 1) / 0.2;
}
];
}

1
hosts/eirene/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/ImO80n4+M8AIkS75leQiju6/zu09qV0keROjE6VC root@eirene

48
hosts/eirene/users/nick/configs/console/git/default.nix
View File

@@ -1,48 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
lib,
system,
...
}:
let
hmConfig = config.home-manager.users.${user};
selfPkgs = inputs.self.packages.${system};
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"git/credentials/git.karaolidis.com/admin/username".sopsFile =
../../../../../../../secrets/personal/secrets.yaml;
"git/credentials/git.karaolidis.com/admin/password".sopsFile =
../../../../../../../secrets/personal/secrets.yaml;
};
templates."git/credentials" = {
content = ''
https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
}@git.karaolidis.com
'';
path = "${home}/.config/git/credentials";
};
};
programs.ssh = {
matchBlocks = {
"github.com" = {
hostname = "github.com";
user = "git";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
};
};
userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-github ];
};
};
}

18
hosts/eirene/users/nick/configs/console/gpg/default.nix
View File

@@ -1,18 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ config, ... }:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user} = {
sops.secrets = {
"gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
"gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
};
programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;
};
}

32
hosts/eirene/users/nick/configs/console/podman/default.nix
View File

@@ -1,32 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ config, pkgs, ... }:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user}.sops = {
secrets = {
"registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
"registry/registry.karaolidis.com".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
};
templates.containers-auth = {
content = builtins.readFile (
(pkgs.formats.json { }).generate "auth.json" {
auths = {
"docker.io" = {
auth = hmConfig.sops.placeholder."registry/docker.io";
};
"registry.karaolidis.com" = {
auth = hmConfig.sops.placeholder."registry/registry.karaolidis.com";
};
};
}
);
path = "${home}/.config/containers/auth.json";
};
};
}

32
hosts/eirene/users/nick/configs/console/ssh/default.nix
View File

@@ -1,32 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ config, ... }:
let
hmConfig = config.home-manager.users.${user};
in
{
home-manager.users.${user} = {
sops.secrets = {
"ssh/key" = {
sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
path = "${home}/.ssh/ssh_personal_ed25519_key";
};
"ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
};
programs = {
ssh.matchBlocks = {
"karaolidis.com" = {
hostname = "karaolidis.com";
user = "nick";
identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
};
};
clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
};
};
}

17
hosts/eirene/users/nick/configs/console/syncthing/default.nix
View File

@@ -1,17 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user}.services.syncthing.settings.folders = {
official = {
label = "Official";
path = "${home}/Documents/Official";
devices = [
"amalthea"
"ganymede"
];
};
};
}

23
hosts/eirene/users/nick/configs/gui/obsidian/default.nix
View File

@@ -1,23 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user} = {
programs.obsidian.vaults."Documents/Obsidian/master".enable = true;
services.syncthing.settings.folders.obsidian = {
label = "Obsidian";
path = "${home}/Documents/Obsidian";
devices = [
"amalthea"
"ganymede"
];
maxConflicts = 0;
};
home.file."Documents/Obsidian/.stignore".source =
../../../../../../common/configs/user/gui/obsidian/.stignore;
};
}

21
hosts/eirene/users/nick/configs/gui/vscode/default.nix
View File

@@ -1,21 +0,0 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{ ... }:
{
home-manager.users.${user}.programs.vscode.languages = {
c.enable = true;
go.enable = true;
java.enable = true;
lua.enable = true;
markdown.enable = true;
nix.enable = true;
python.enable = true;
rest.enable = true;
rust.enable = true;
sops.enable = true;
typescript.enable = true;
yaml.enable = true;
};
}

119
hosts/eirene/users/nick/default.nix
View File

@@ -1,119 +0,0 @@
{ config, lib, ... }:
let
# FIXME: https://github.com/NixOS/nixpkgs/issues/24570
# FIXME: https://github.com/NixOS/nixpkgs/issues/305643
user = "nick";
home = "/home/nick";
in
{
imports = [
../../../common/configs/user/options.nix
(import ../../../common/configs/user/console/android { inherit user home; })
(import ../../../common/configs/user/console/bashmount { inherit user home; })
(import ../../../common/configs/user/console/brightnessctl { inherit user home; })
(import ../../../common/configs/user/console/btop { inherit user home; })
(import ../../../common/configs/user/console/dive { inherit user home; })
(import ../../../common/configs/user/console/fastfetch { inherit user home; })
(import ../../../common/configs/user/console/ffmpeg { inherit user home; })
(import ../../../common/configs/user/console/git { inherit user home; })
(import ../../../common/configs/user/console/gpg-agent { inherit user home; })
(import ../../../common/configs/user/console/home-manager { inherit user home; })
(import ../../../common/configs/user/console/imagemagick { inherit user home; })
(import ../../../common/configs/user/console/ip { inherit user home; })
(import ../../../common/configs/user/console/jq { inherit user home; })
(import ../../../common/configs/user/console/libvirt { inherit user home; })
(import ../../../common/configs/user/console/lsof { inherit user home; })
(import ../../../common/configs/user/console/ncdu { inherit user home; })
(import ../../../common/configs/user/console/neovim { inherit user home; })
(import ../../../common/configs/user/console/nix { inherit user home; })
(import ../../../common/configs/user/console/nix-cleanup { inherit user home; })
(import ../../../common/configs/user/console/nix-develop { inherit user home; })
(import ../../../common/configs/user/console/nix-direnv { inherit user home; })
(import ../../../common/configs/user/console/pipewire { inherit user home; })
(import ../../../common/configs/user/console/podman { inherit user home; })
(import ../../../common/configs/user/console/ranger { inherit user home; })
(import ../../../common/configs/user/console/sops { inherit user home; })
(import ../../../common/configs/user/console/ssh { inherit user home; })
(import ../../../common/configs/user/console/ssh-agent { inherit user home; })
(import ../../../common/configs/user/console/syncthing { inherit user home; })
(import ../../../common/configs/user/console/tmux { inherit user home; })
(import ../../../common/configs/user/console/tree { inherit user home; })
(import ../../../common/configs/user/console/unzip { inherit user home; })
(import ../../../common/configs/user/console/wget { inherit user home; })
(import ../../../common/configs/user/console/xdg { inherit user home; })
(import ../../../common/configs/user/console/yt-dlp { inherit user home; })
(import ../../../common/configs/user/console/zsh { inherit user home; })
(import ../../../common/configs/user/gui/astal { inherit user home; })
(import ../../../common/configs/user/gui/bluetooth { inherit user home; })
(import ../../../common/configs/user/gui/brightnessctl { inherit user home; })
(import ../../../common/configs/user/gui/btop { inherit user home; })
(import ../../../common/configs/user/gui/chromium { inherit user home; })
(import ../../../common/configs/user/gui/clipbook { inherit user home; })
(import ../../../common/configs/user/gui/cliphist { inherit user home; })
(import ../../../common/configs/user/gui/darktable { inherit user home; })
(import ../../../common/configs/user/gui/discord { inherit user home; })
(import ../../../common/configs/user/gui/emoji { inherit user home; })
(import ../../../common/configs/user/gui/firefox { inherit user home; })
(import ../../../common/configs/user/gui/gtk { inherit user home; })
(import ../../../common/configs/user/gui/hyprland { inherit user home; })
(import ../../../common/configs/user/gui/hyprshot { inherit user home; })
(import ../../../common/configs/user/gui/kitty { inherit user home; })
(import ../../../common/configs/user/gui/libreoffice { inherit user home; })
(import ../../../common/configs/user/gui/networkmanager { inherit user home; })
(import ../../../common/configs/user/gui/obs { inherit user home; })
(import ../../../common/configs/user/gui/obsidian { inherit user home; })
(import ../../../common/configs/user/gui/pipewire { inherit user home; })
(import ../../../common/configs/user/gui/qalculate { inherit user home; })
(import ../../../common/configs/user/gui/qt { inherit user home; })
(import ../../../common/configs/user/gui/rofi { inherit user home; })
(import ../../../common/configs/user/gui/rquickshare { inherit user home; })
(import ../../../common/configs/user/gui/spicetify { inherit user home; })
(import ../../../common/configs/user/gui/steam { inherit user home; })
(import ../../../common/configs/user/gui/swww { inherit user home; })
(import ../../../common/configs/user/gui/theme { inherit user home; })
(import ../../../common/configs/user/gui/transmission { inherit user home; })
(import ../../../common/configs/user/gui/vscode { inherit user home; })
(import ../../../common/configs/user/gui/wev { inherit user home; })
(import ../../../common/configs/user/gui/wl-clipboard { inherit user home; })
(import ../../../common/configs/user/gui/x11 { inherit user home; })
(import ../../../common/configs/user/gui/xdg { inherit user home; })
(import ./configs/console/git { inherit user home; })
(import ./configs/console/gpg { inherit user home; })
(import ./configs/console/podman { inherit user home; })
(import ./configs/console/ssh { inherit user home; })
(import ./configs/console/syncthing { inherit user home; })
(import ./configs/gui/obsidian { inherit user home; })
(import ./configs/gui/vscode { inherit user home; })
];
# echo "password" | mkpasswd -s
sops.secrets."${user}-password" = {
sopsFile = ../../../../secrets/personal/secrets.yaml;
key = "password";
neededForUsers = true;
};
users.users.${user} = {
inherit home;
isNormalUser = true;
email = "nick@karaolidis.com";
fullName = "Nikolaos Karaolidis";
description = "Nikolaos Karaolidis";
hashedPasswordFile = config.sops.secrets."${user}-password".path;
extraGroups = [ "wheel" ];
linger = true;
uid = lib.strings.toInt (builtins.readFile ./uid);
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
];
};
home-manager.users.${user}.home = {
username = user;
homeDirectory = home;
};
}

1
hosts/eirene/users/nick/uid
View File

@@ -1 +0,0 @@
1000

2
hosts/himalia/hardware/default.nix
View File

@@ -22,7 +22,7 @@
nvidia = { nvidia = {
open = true; open = true;
powerManagement.enable = true; powerManagement.enable = true;
# TODO # TODO: Enable
# dynamicBoost.enable = true; # dynamicBoost.enable = true;
prime = { prime = {

16
hosts/installer/README.md
View File

@@ -8,22 +8,8 @@ I have automated myself out of a job. How to use:
3. Connect to the internet with `nmcli` 3. Connect to the internet with `nmcli`
- Scan for available networks:
```bash ```bash
nmcli device wifi list sudo nmcli device wifi connect "<SSID>" [--ask]
```
- For an open network:
```bash
nmcli device wifi connect "<SSID>"
```
- For a secured network:
```bash
nmcli device wifi connect "<SSID>" password "<password>"
``` ```
4. Run `sudo nix-install /etc/nixos -m install|repair -h host [-k key] [-c] [-r]"` 4. Run `sudo nix-install /etc/nixos -m install|repair -h host [-k key] [-c] [-r]"`

1
hosts/installer/default.nix
View File

@@ -7,6 +7,7 @@
./hardware ./hardware
../common/configs/system/boot ../common/configs/system/boot
../common/configs/system/brightnessctl
../common/configs/system/btrfs ../common/configs/system/btrfs
../common/configs/system/documentation ../common/configs/system/documentation
../common/configs/system/getty ../common/configs/system/getty

25
hosts/jupiter/default.nix
View File

@@ -7,7 +7,9 @@
./hardware ./hardware
../common/configs/system/boot ../common/configs/system/boot
../common/configs/system/brightnessctl
../common/configs/system/btrfs ../common/configs/system/btrfs
../common/configs/system/cpu
../common/configs/system/documentation ../common/configs/system/documentation
../common/configs/system/git ../common/configs/system/git
../common/configs/system/impermanence ../common/configs/system/impermanence
@@ -36,17 +38,18 @@
# TODO: DNS for .local # TODO: DNS for .local
networking.hostName = "jupiter"; networking.hostName = "jupiter";
fileSystems."/mnt/storage" = { # TODO: Enable
label = "storage"; # fileSystems."/mnt/storage" = {
fsType = "btrfs"; # label = "storage";
options = [ # fsType = "btrfs";
"x-initrd.mount" # options = [
"defaults" # "x-initrd.mount"
"subvol=@" # "defaults"
"compress=zstd:5" # "subvol=@"
"noatime" # "compress=zstd:5"
]; # "noatime"
}; # ];
# };
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"

136
hosts/jupiter/format.nix
View File

@@ -2,8 +2,7 @@
disko.devices = { disko.devices = {
disk = { disk = {
main = { main = {
# TODO: Set to correct device device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00BL2_S64RNE0R602762";
device = "/dev/vda";
type = "disk"; type = "disk";
content = { content = {
type = "gpt"; type = "gpt";
@@ -24,15 +23,14 @@
mountOptions = [ "umask=0077" ]; mountOptions = [ "umask=0077" ];
}; };
}; };
# TODO: Set correct swap size and enable swap = {
# swap = { name = "swap";
# name = "swap"; size = "64G";
# size = "64G"; content = {
# content = { type = "swap";
# type = "swap"; resumeDevice = true;
# resumeDevice = true; };
# }; };
# };
root = { root = {
name = "root"; name = "root";
size = "100%"; size = "100%";
@@ -63,14 +61,22 @@
mountpoint = "/persist"; mountpoint = "/persist";
inherit mountOptions; inherit mountOptions;
}; };
"@persist/user" = {
mountpoint = "/persist/user";
inherit mountOptions;
};
"@persist/state" = {
mountpoint = "/persist/state";
inherit mountOptions;
};
"@persist/cache" = {
mountpoint = "/persist/cache";
inherit mountOptions;
};
"@nix" = { "@nix" = {
mountpoint = "/nix"; mountpoint = "/nix";
inherit mountOptions; inherit mountOptions;
}; };
"@cache" = {
mountpoint = "/cache";
inherit mountOptions;
};
}; };
}; };
}; };
@@ -79,60 +85,60 @@
}; };
}; };
storage0 = {
# TODO: Set to correct device # TODO: Set to correct device
device = "/dev/vdb"; # storage0 = {
type = "disk"; # device = "/dev/vdb";
content = { # type = "disk";
type = "gpt"; # content = {
partitions = { # type = "gpt";
root = { # partitions = {
name = "root"; # root = {
size = "100%"; # name = "root";
content = { # size = "100%";
name = "storage0"; # content = {
type = "luks"; # name = "storage0";
passwordFile = "/tmp/keyfile"; # type = "luks";
settings = { # passwordFile = "/tmp/keyfile";
allowDiscards = true; # settings = {
}; # allowDiscards = true;
}; # };
}; # };
}; # };
}; # };
}; # };
# };
storage1 = {
# TODO: Set to correct device # TODO: Set to correct device
device = "/dev/vdc"; # storage1 = {
type = "disk"; # device = "/dev/vdc";
content = { # type = "disk";
type = "gpt"; # content = {
partitions = { # type = "gpt";
root = { # partitions = {
name = "root"; # root = {
size = "100%"; # name = "root";
content = { # size = "100%";
name = "storage1"; # content = {
type = "luks"; # name = "storage1";
passwordFile = "/tmp/keyfile"; # type = "luks";
settings = { # passwordFile = "/tmp/keyfile";
allowDiscards = true; # settings = {
}; # allowDiscards = true;
# };
# storageN content must be placed on last alphabetical drive # # storageN content must be placed on last alphabetical drive
content = { # content = {
type = "btrfs"; # type = "btrfs";
extraArgs = [ "-f -L storage -m raid1 -d raid1 /dev/mapper/storage0" ]; # extraArgs = [ "-f -L storage -m raid1 -d raid1 /dev/mapper/storage0" ];
subvolumes = { # subvolumes = {
"@" = { }; # "@" = { };
}; # };
}; # };
}; # };
}; # };
}; # };
}; # };
}; # };
}; };
}; };
} }

83
hosts/jupiter/hardware/default.nix
View File

@@ -1,18 +1,75 @@
{ ... }:
{ {
# TODO Remove config,
hardware.enableAllHardware = true; pkgs,
lib,
...
}:
{
imports = [ ./display.nix ];
# TODO Update hardware = {
boot.initrd.kernelModules = [ enableAllFirmware = true;
"ahci"
"xhci_pci" cpu = {
"virtio_pci" cores = 8;
"virtio_scsi" threads = 16;
"virtio_blk" amd.updateMicrocode = true;
"virtio_console" };
"sd_mod"
nvidia = {
open = true;
powerManagement.enable = true;
dynamicBoost.enable = true;
prime = {
offload = {
enable = true;
enableOffloadCmd = true;
};
nvidiaBusId = "PCI:1:0:0";
amdgpuBusId = "PCI:6:0:0";
};
};
graphics = {
enable32Bit = true;
extraPackages = with pkgs; [
amdvlk
driversi686Linux.amdvlk
rocmPackages.clr
rocmPackages.clr.icd
]; ];
};
services.fstrim.enable = true; nvidia-container-toolkit.enable = (
config.virtualisation.containerd.enable
|| config.virtualisation.docker.enable
|| config.virtualisation.podman.enable
);
};
boot = {
kernelParams = [ "amd_pstate=active" ];
kernelModules = [ "kvm-amd" ];
initrd.kernelModules = [
"nvme"
"ahci"
"usbhid"
"amdgpu"
];
};
nixpkgs.config = {
cudaSupport = true;
rocmSupport = true;
};
powerManagement.enable = true;
services = {
xserver.videoDrivers = [ "nvidia" ];
fstrim.enable = true;
tlp.settings.DISK_DEVICES = lib.mkDefault "nvme0n1 nvme1n1";
logind.lidSwitch = "ignore";
};
} }

4
hosts/jupiter/hardware/display.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
boot.kernelParams = [ "video=eDP-1:2560x1600@165" ];
}

2
hosts/jupiter/secrets/ssh_host_ed25519_key.pub
View File

@@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQoqvM5g/0e/UAH+GHsp0IegTd+Y1WZ+H5TRvypUv03 root@jupiter ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter

4
hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
View File

@@ -94,9 +94,7 @@ in
networks.outline.ref networks.outline.ref
networks.traefik.ref networks.traefik.ref
]; ];
volumes = [ volumes = [ "${volumes.outline.ref}:/var/lib/outline/data" ];
"${volumes.outline.ref}:/var/lib/outline/data"
];
environments = { environments = {
URL = "https://docs.karaolidis.com"; URL = "https://docs.karaolidis.com";
PGSSLMODE = "disable"; PGSSLMODE = "disable";

7
packages/docker/sish/default.nix
View File

@@ -1,16 +1,11 @@
{ pkgs, ... }: { pkgs, ... }:
let
sish = pkgs.sish.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./proxy-ssl-termination.patch ];
});
in
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "sish"; name = "sish";
fromImage = import ../base { inherit pkgs; }; fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv { copyToRoot = pkgs.buildEnv {
name = "root"; name = "root";
paths = [ sish ]; paths = with pkgs; [ sish ];
pathsToLink = [ "/bin" ]; pathsToLink = [ "/bin" ];
}; };

82
packages/docker/sish/proxy-ssl-termination.patch
View File

@@ -1,82 +0,0 @@
diff --git a/cmd/sish.go b/cmd/sish.go
index 0f7bee3..7fb1656 100644
--- a/cmd/sish.go
+++ b/cmd/sish.go
@@ -99,6 +99,7 @@ func init() {
rootCmd.PersistentFlags().BoolP("proxy-protocol", "", false, "Use the proxy-protocol while proxying connections in order to pass-on IP address and port information")
rootCmd.PersistentFlags().BoolP("proxy-protocol-use-timeout", "", false, "Use a timeout for the proxy-protocol read")
rootCmd.PersistentFlags().BoolP("proxy-protocol-listener", "", false, "Use the proxy-protocol to resolve ip addresses from user connections")
+ rootCmd.PersistentFlags().BoolP("proxy-ssl-termination", "", false, "Whether sish is running behind an SSL-terminated reverse proxy\nIf true, the displayed HTTP URL will use `https://` despite running on port 80")
rootCmd.PersistentFlags().BoolP("https", "", false, "Listen for HTTPS connections. Requires a correct --https-certificate-directory")
rootCmd.PersistentFlags().BoolP("force-all-https", "", false, "Redirect all requests to the https server")
rootCmd.PersistentFlags().BoolP("force-https", "", false, "Allow indiviual binds to request for https to be enforced")
diff --git a/config.example.yml b/config.example.yml
index 2249f5d..fbac885 100644
--- a/config.example.yml
+++ b/config.example.yml
@@ -79,6 +79,7 @@ proxy-protocol-policy: use
proxy-protocol-timeout: 200ms
proxy-protocol-use-timeout: false
proxy-protocol-version: "1"
+proxy-ssl-termination: false
redirect-root: true
redirect-root-location: https://github.com/antoniomika/sish
rewrite-host-header: true
diff --git a/docs/posts/cli.md b/docs/posts/cli.md
index f6891a0..c31ab1c 100644
--- a/docs/posts/cli.md
+++ b/docs/posts/cli.md
@@ -1,6 +1,6 @@
---
title: CLI
-description: How use sish's CLI
+description: How use sish's CLI
keywords: [sish, cli]
---
@@ -107,6 +107,7 @@ Flags:
--proxy-protocol-use-timeout Use a timeout for the proxy-protocol read
-q, --proxy-protocol-version string What version of the proxy protocol to use. Can either be 1, 2, or userdefined.
If userdefined, the user needs to add a command to SSH called proxyproto=version (ie proxyproto=1) (default "1")
+ --proxy-ssl-termination Whether sish is running behind an SSL terminated reverse proxy
--redirect-root Redirect the root domain to the location defined in --redirect-root-location (default true)
-r, --redirect-root-location string The location to redirect requests to the root domain
to instead of responding with a 404 (default "https://github.com/antoniomika/sish")
@@ -129,6 +130,7 @@ Flags:
--verify-dns Verify DNS information for hosts and ensure it matches a connecting users sha256 key fingerprint (default true)
--verify-ssl Verify SSL certificates made on proxied HTTP connections (default true)
-v, --version version for sish
+ --welcome-message string Message displayed to users upon connection (default "Press Ctrl-C to close the session.")
-y, --whitelisted-countries string A comma separated list of whitelisted countries. Applies to HTTP, TCP, and SSH connections
-w, --whitelisted-ips string A comma separated list of whitelisted ips. Applies to HTTP, TCP, and SSH connections
```
diff --git a/sshmuxer/httphandler.go b/sshmuxer/httphandler.go
index eb8ad63..833ed6a 100644
--- a/sshmuxer/httphandler.go
+++ b/sshmuxer/httphandler.go
@@ -121,16 +121,17 @@ func handleHTTPListener(check *channelForwardMsg, _ string, requestMessages stri
}
}
- httpPortString := ""
- if state.Ports.HTTPPort != 80 {
- httpPortString = fmt.Sprintf(":%d", state.Ports.HTTPPort)
- }
-
- requestMessages += fmt.Sprintf("%s: http://%s%s%s%s\r\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path)
+ if !viper.GetBool("proxy-ssl-termination") {
+ httpPortString := ""
+ if state.Ports.HTTPPort != 80 {
+ httpPortString = fmt.Sprintf(":%d", state.Ports.HTTPPort)
+ }
- log.Printf("%s forwarding started: http://%s%s%s%s -> %s for client: %s\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path, listenerHolder.Addr().String(), sshConn.SSHConn.RemoteAddr().String())
+ requestMessages += fmt.Sprintf("%s: http://%s%s%s%s\r\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path)
+ log.Printf("%s forwarding started: http://%s%s%s%s -> %s for client: %s\n", aurora.BgBlue("HTTP"), userPass, pH.HTTPUrl.Host, httpPortString, pH.HTTPUrl.Path, listenerHolder.Addr().String(), sshConn.SSHConn.RemoteAddr().String())
+ }
- if viper.GetBool("https") {
+ if viper.GetBool("https") || viper.GetBool("proxy-ssl-termination") {
httpsPortString := ""
if state.Ports.HTTPSPort != 443 {
httpsPortString = fmt.Sprintf(":%d", state.Ports.HTTPSPort)