mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00

feat: add lanzaboote for sausebiene

oddlama 2025-01-12 21:01:57 +01:00
parent 7f1be2f841
commit 50bebac0e0
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
6 changed files with 372 additions and 148 deletions

View file

@ -15,7 +15,8 @@ including my homelab, external servers and my development machines.
🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming 🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming
🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms. 🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms. 🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network 🖥️ | Server | sausebiene | Intel N100 | Home automation and IoT network isolation
🥔 | Server | zackbiene | ODROID N2+ | Decomissioned. Old home assistant board
☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services ☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
☁️ | VPS | envoy | Hetzner Cloud server | Mailserver ☁️ | VPS | envoy | Hetzner Cloud server | Mailserver
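Review bot: "Decomissioned" in the zackbiene row is misspelled; it should read "Decommissioned". Since that row now documents retired hardware, the 🥔 marker alone does not say what replaced it; a short "replaced by sausebiene" in the description would make the table self-explanatory.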
@ -23,15 +24,7 @@ including my homelab, external servers and my development machines.
An overview over what you will find in this repository. I usually put a lot of An overview over what you will find in this repository. I usually put a lot of
effort into all my configurations and try to go over every option in detail. effort into all my configurations and try to go over every option in detail.
These lists summarize the major parts. I've included the major components in the lists below.
I've also included a (subjective) indicator of customization (💎) so you can more
easily find the configs that are very polished or different from the basic setup
that most people would have. The configurations are sorted into three categories:
- **dotfiles**: Lists all the stuff I use on my desktop/development machines. All of this is very customized.
- **services**: Lists all my services, both homelab and external.
- **other**: Lists anything else, like general machine config, organizational and miscellaneous stuff.
#### Dotfiles #### Dotfiles
@ -47,27 +40,31 @@ that most people would have. The configurations are sorted into three categories
📷 Screenshots | Custom based on grimblast | [Link](./pkgs/scripts) | Custom scripts utilizing grimblast for [QR code detection](./pkgs/scripts/screenshot-area-scan-qr.nix) and [OCR / satty editing](./pkgs/scripts/screenshot-area.nix) 📷 Screenshots | Custom based on grimblast | [Link](./pkgs/scripts) | Custom scripts utilizing grimblast for [QR code detection](./pkgs/scripts/screenshot-area-scan-qr.nix) and [OCR / satty editing](./pkgs/scripts/screenshot-area.nix)
🗨️ Notifications | SwayNotificationCenter | [Link](./users/myuser/graphical/swaync.nix) | Notification center with customized color scheme 🗨️ Notifications | SwayNotificationCenter | [Link](./users/myuser/graphical/swaync.nix) | Notification center with customized color scheme
🎮 Gaming | Steam & Bottles | [Link](./users/myuser/graphical/games) | Setup for gaming 🎮 Gaming | Steam & Bottles | [Link](./users/myuser/graphical/games) | Setup for gaming
📫 Mail | Thunderbird | [Link](./users/myuser/graphical/thunderbird.nix) | Your regular thunderbird setup
#### Services #### Services
| ~~~~~~~~~~~~ | 💎 | Service | Source | Description | ~~~~~~~~~~~~ | Service | Source | Description
---|---|---|---|--- ---|---|---|---
🐙 Git | – | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO 💸 Budgeting | Actual Budget | [Link](./hosts/sire/guests/actual.nix) | Budgeting application to track income and expenses
🔑 SSO | 💎 | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single Sign On on my hosted services. 💎 With custom-made secret provisioning. 🛡️ Adblock | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker
🔴 DNS Adblock | – | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker 🔒 SSO | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single-Sign-On on my hosted services, with provisioning.
🔐 Passwords | – | Vaultwarden | [Link](./hosts/ward/guests/vaultwarden.nix) | Self-hosted password manager 🐙 Git | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO
📷 Photos | – | Immich | [Link](./hosts/sire/guests/immich.nix) | Self-hosted photo and video backup solution 🔑 Passwords | Vaultwarden | [Link](./hosts/ward/guests/vaultwarden.nix) | Self-hosted password manager
🗂️ Documents | 💎 | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. 💎 with per-user Samba share integration (consume & archive) 📷 Photos | Immich | [Link](./hosts/sire/guests/immich.nix) | Self-hosted photo and video backup solution
🗓️ CalDAV/CardDAV | – | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization 📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume & archive)
📁 NAS | 💎 | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. 💎 Cross-integration with paperless 🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization
🧱 Minecraft | 💎 | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. 💎 Autostart on connect, systemd service with background console, automatic backups 📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless
🛡️ VPN | - | Netbird | [Link](./hosts/ward/guests/netbird.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication. 🌐 VPN | Netbird | [Link](./hosts/ward/guests/netbird.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication.
📧 Mailserver | 💎 | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration 🏠 Home Automation | Home Assistant | [Link](./hosts/zackbiene/home-assistant.nix) | Automation with Home Assistant and many related services
📈 Dashboard | – | Grafana | [Link](./hosts/sire/guests/grafana.nix) | Logs and metrics dashboard and alerting 📧 Mailserver | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration
📔 Logs DB | – | Loki | [Link](./hosts/sire/guests/loki.nix) | Central log aggregation service 🧱 Minecraft | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups
📔 Logs | – | Promtail | [Link](./modules/promtail.nix) | Log shipping agent 🐒 Local LLM | Ollama & open-webui | [Link](./hosts/sire/guests/ai.nix) | Local LLM and AI Chat
📚 TSDB | – | Influxdb2 | [Link](./hosts/sire/guests/influxdb.nix) | Time series database for storing host metrics 📊 Dashboard | Grafana | [Link](./hosts/sire/guests/grafana.nix) | Logs and metrics dashboard and alerting
⏱️ Metrics | – | Telegraf | [Link](./modules/telegraf.nix) | Per-host collection of metrics 📔 Logs DB | Loki | [Link](./hosts/sire/guests/loki.nix) | Central log aggregation service
📔 Logs Agent | Promtail | [Link](./modules/promtail.nix) | Log shipping agent
📚 TSDB | Influxdb2 | [Link](./hosts/sire/guests/influxdb.nix) | Time series database for storing host metrics
⏱️ Metrics | Telegraf | [Link](./modules/telegraf.nix) | Per-host collection of metrics
<!-- <!--
- home assistant & subcomponents - home assistant & subcomponents
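Review bot: the Home Automation row still links to `./hosts/zackbiene/home-assistant.nix`, while the host table earlier in this same diff marks zackbiene as decommissioned and moves home automation to sausebiene; the link should point at the sausebiene configuration once it exists (that path is not shown in this diff). Minor: "Calender" in the Radicale row should be "Calendar".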
@ -80,9 +77,9 @@ that most people would have. The configurations are sorted into three categories
(WIP) (WIP)
| ~~~~~~~~~~~~ | 💎 | Source | Description | ~~~~~~~~~~~~ | Source | Description
---|---|---|--- ---|---|---
🗑️ Impermanence | – | [Link](./config/impermanence.nix) | Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration. 🗑️ Impermanence | [Link](./config/impermanence.nix) | Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration.
- reverse proxy with wireguard tunnel - reverse proxy with wireguard tunnel
- restic - restic
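Review bot: the Impermanence row reads "Most configuration is will be next to"; drop the stray "is".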

View file

@ -40,7 +40,8 @@
plausible = uidGid 971; plausible = uidGid 971;
actual = uidGid 970; actual = uidGid 970;
flatpak = uidGid 969; flatpak = uidGid 969;
plugdev.gid = 967;
unifi = uidGid 968; unifi = uidGid 968;
plugdev.gid = 967;
tss = uidGid 966;
}; };
} }
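Review bot: pinning `tss = uidGid 966;` is the right call: `security.tpm2.enable` is turned on for sausebiene in this commit, and `tss` is the default of `security.tpm2.tssUser`/`tssGroup`, the account the NixOS TPM2 module uses for TPM device access and tpm2-pkcs11 state; with impermanence in use, a stable uid/gid is what keeps persisted TPM state owned by the right account across reinstalls. Moving `plugdev.gid = 967;` below `unifi = uidGid 968;` keeps the list in descending order, which is fine, but nothing in the list says the order is intentional; a one-line comment would stop future entries from being appended out of order.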

flake.lock generated
View file

@ -36,11 +36,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1735993832, "lastModified": 1736429053,
"narHash": "sha256-gmleUygegZHWfyzgLUSgj9rVe2iUCoAUB0iUkKzQYN4=", "narHash": "sha256-luGqUO7XJKGMO65+xD2xWxr4bsHWATbdFo6JUQIEzrI=",
"owner": "oddlama", "owner": "oddlama",
"repo": "agenix-rekey", "repo": "agenix-rekey",
"rev": "57e286831e3581800178b310c0110c244f2e2469", "rev": "8cd512cc5324de73de9bd47d85c15afb4fee3d9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
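Review bot: this lock update bumps many unrelated inputs (agenix-rekey here, and further down nixpkgs, home-manager, disko, stylix, nixvim, nix-topology, microvm and others) in the same commit that introduces lanzaboote; a separate flake-update commit would let a boot regression on sausebiene be bisected to the Secure Boot change alone rather than to the nixpkgs bump that lands alongside it.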
@ -149,6 +149,21 @@
"type": "github" "type": "github"
} }
}, },
"crane_3": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -368,11 +383,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735468753, "lastModified": 1736591904,
"narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=", "narHash": "sha256-LFO8pSrPKrH8OPq2HaAuBG5skk8/MNJ/9YmK3KsnSks=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21", "rev": "33827d2bd16bfe2e21b62956526c72d313595dfd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -454,6 +469,22 @@
"type": "github" "type": "github"
} }
}, },
"firefox-gnome-theme": {
"flake": false,
"locked": {
"lastModified": 1734969791,
"narHash": "sha256-A9PxLienMYJ/WUvqFie9qXrNC2MeRRYw7TG/q7DRjZg=",
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"rev": "92f4890bd150fc9d97b61b3583680c0524a8cafe",
"type": "github"
},
"original": {
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -502,6 +533,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_12": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -583,6 +630,22 @@
} }
}, },
"flake-compat_7": { "flake-compat_7": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_8": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -598,7 +661,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_8": { "flake-compat_9": {
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -612,22 +675,6 @@
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
} }
}, },
"flake-compat_9": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@ -672,11 +719,11 @@
"nixpkgs-lib": "nixpkgs-lib_2" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1735774679, "lastModified": 1736143030,
"narHash": "sha256-soePLBazJk0qQdDVhdbM98vYdssfs3WFedcq+raipRI=", "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "f2f7418ce0ab4a5309a4596161d154cfc877af66", "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -706,16 +753,16 @@
"flake-parts_5": { "flake-parts_5": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixvim", "lanzaboote",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1735774679, "lastModified": 1730504689,
"narHash": "sha256-soePLBazJk0qQdDVhdbM98vYdssfs3WFedcq+raipRI=", "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "f2f7418ce0ab4a5309a4596161d154cfc877af66", "rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -725,6 +772,27 @@
} }
}, },
"flake-parts_6": { "flake-parts_6": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_7": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib_4" "nixpkgs-lib": "nixpkgs-lib_4"
}, },
@ -742,7 +810,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_7": { "flake-parts_8": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib_5" "nixpkgs-lib": "nixpkgs-lib_5"
}, },
@ -893,7 +961,7 @@
"nixvim", "nixvim",
"flake-compat" "flake-compat"
], ],
"gitignore": "gitignore_6", "gitignore": "gitignore_7",
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"nixpkgs" "nixpkgs"
@ -919,7 +987,7 @@
"stylix", "stylix",
"flake-compat" "flake-compat"
], ],
"gitignore": "gitignore_8", "gitignore": "gitignore_9",
"nixpkgs": [ "nixpkgs": [
"stylix", "stylix",
"nixpkgs" "nixpkgs"
@ -966,6 +1034,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_10": {
"inputs": {
"nixpkgs": [
"whisper-overlay",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": { "gitignore_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -1011,6 +1101,28 @@
} }
}, },
"gitignore_4": { "gitignore_4": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_5": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nix-topology", "nix-topology",
@ -1032,7 +1144,7 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_5": { "gitignore_6": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixos-extra-modules", "nixos-extra-modules",
@ -1054,7 +1166,7 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_6": { "gitignore_7": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
@ -1076,32 +1188,10 @@
"type": "github" "type": "github"
} }
}, },
"gitignore_7": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_8": { "gitignore_8": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"stylix", "pre-commit-hooks",
"git-hooks",
"nixpkgs" "nixpkgs"
] ]
}, },
@ -1122,8 +1212,8 @@
"gitignore_9": { "gitignore_9": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"whisper-overlay", "stylix",
"pre-commit-hooks", "git-hooks",
"nixpkgs" "nixpkgs"
] ]
}, },
@ -1165,11 +1255,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736013363, "lastModified": 1736508663,
"narHash": "sha256-P4lsS2Y5GzBfC8OfXtD/xWEucX6oHGTjOzjEjEJbXfc=", "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0d7908bd09165db6699908b7e3970f137327cbf0", "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1186,11 +1276,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735979091, "lastModified": 1736508663,
"narHash": "sha256-WpFjt6+8UD81EP386c269ZTqpEmlGJgcPw+OB4b7EBs=", "narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "11ab08541e61ac3bbf2ab27229f68622629401df", "rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1267,6 +1357,31 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane_3",
"flake-compat": "flake-compat_6",
"flake-parts": "flake-parts_5",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1734994463,
"narHash": "sha256-S9MgfQjNt4J3I7obdLOVY23h+Yl/hnyibwGfOl+1uOE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "93e6f0d77548be8757c11ebda5c4235ef4f3bc67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"lib-net": { "lib-net": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1289,11 +1404,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1735074045, "lastModified": 1736383159,
"narHash": "sha256-CeYsC8J2dNiV2FCQOxK1oZ/jNpOF2io7aCEFHmfi95U=", "narHash": "sha256-oNIfJUvQFhFKmNp7MfKw0IghOoKBLBgPPrVolN2M18A=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "2ae08de8e8068b00193b9cfbc0acc9dfdda03181", "rev": "3394c37bc8105c54f45b2b5395428a09647c1f57",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1396,11 +1511,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735956190, "lastModified": 1736370755,
"narHash": "sha256-svzx3yVXD5tbBJZCn3Lt1RriH8GHo6CyVUPTHejf7sU=", "narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "3feaf376d75d3d58ebf7e9a4f584d00628548ad9", "rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1416,11 +1531,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735443188, "lastModified": 1736440205,
"narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=", "narHash": "sha256-QJgTI//KEGuEJC6FDxuI9Dq8PewIpnxD2NVx2/OHbfc=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544", "rev": "a2200b499efa01ca8646173e94cdfcc93188f2b8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1439,11 +1554,11 @@
"pre-commit-hooks": "pre-commit-hooks_4" "pre-commit-hooks": "pre-commit-hooks_4"
}, },
"locked": { "locked": {
"lastModified": 1735927098, "lastModified": 1736111688,
"narHash": "sha256-bRAtYb+o9/kFrUDZt5pFD0ET+rG0g5nYM0qNKaRiv2g=", "narHash": "sha256-5z1ZgHgrr1qI0ve+mc0SjbL5PGbDLZb/3uijpmLIWT8=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nix-topology", "repo": "nix-topology",
"rev": "2113ac865a077a7487268d6f1fe27400271ecd19", "rev": "ac1aa5116d858fdff131625dde59a988f74efb11",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1514,11 +1629,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1735388221, "lastModified": 1736441705,
"narHash": "sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg=", "narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "7c674c6734f61157e321db595dbfcd8523e04e19", "rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1550,11 +1665,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1735834308, "lastModified": 1736344531,
"narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6df24922a1400241dae323af55f30e4318a6ca65", "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1673,6 +1788,22 @@
} }
}, },
"nixpkgs-stable_4": { "nixpkgs-stable_4": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_5": {
"locked": { "locked": {
"lastModified": 1685801374, "lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -1688,7 +1819,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_5": { "nixpkgs-stable_6": {
"locked": { "locked": {
"lastModified": 1718447546, "lastModified": 1718447546,
"narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=", "narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=",
@ -1723,8 +1854,8 @@
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"devshell": "devshell_7", "devshell": "devshell_7",
"flake-compat": "flake-compat_8", "flake-compat": "flake-compat_9",
"flake-parts": "flake-parts_5", "flake-parts": "flake-parts_6",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
@ -1735,11 +1866,11 @@
"treefmt-nix": "treefmt-nix_4" "treefmt-nix": "treefmt-nix_4"
}, },
"locked": { "locked": {
"lastModified": 1735980252, "lastModified": 1736598781,
"narHash": "sha256-aVFpRYFmLP6jECp9SwsoJkSBTOSOJKYOjHgsR0RcbCQ=", "narHash": "sha256-Y0o9ahm6Kk0DumTo80/vKspkHOkbtFgKCNiICyRjhMs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "9fec10597383c024a2a1a8b71fb58d6b1f30ebb9", "rev": "2fc2132a78753fc3d7ec732044eff7ad69530055",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1839,6 +1970,33 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_4",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": { "pre-commit-hooks_2": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_3",
@ -1889,8 +2047,8 @@
}, },
"pre-commit-hooks_4": { "pre-commit-hooks_4": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_6", "flake-compat": "flake-compat_7",
"gitignore": "gitignore_4", "gitignore": "gitignore_5",
"nixpkgs": [ "nixpkgs": [
"nix-topology", "nix-topology",
"nixpkgs" "nixpkgs"
@ -1916,17 +2074,17 @@
}, },
"pre-commit-hooks_5": { "pre-commit-hooks_5": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_7", "flake-compat": "flake-compat_8",
"flake-utils": [ "flake-utils": [
"nixos-extra-modules", "nixos-extra-modules",
"flake-utils" "flake-utils"
], ],
"gitignore": "gitignore_5", "gitignore": "gitignore_6",
"nixpkgs": [ "nixpkgs": [
"nixos-extra-modules", "nixos-extra-modules",
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable_4" "nixpkgs-stable": "nixpkgs-stable_5"
}, },
"locked": { "locked": {
"lastModified": 1702456155, "lastModified": 1702456155,
@ -1944,8 +2102,8 @@
}, },
"pre-commit-hooks_6": { "pre-commit-hooks_6": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_9", "flake-compat": "flake-compat_10",
"gitignore": "gitignore_7", "gitignore": "gitignore_8",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -1966,13 +2124,13 @@
}, },
"pre-commit-hooks_7": { "pre-commit-hooks_7": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_11", "flake-compat": "flake-compat_12",
"gitignore": "gitignore_9", "gitignore": "gitignore_10",
"nixpkgs": [ "nixpkgs": [
"whisper-overlay", "whisper-overlay",
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-stable": "nixpkgs-stable_5" "nixpkgs-stable": "nixpkgs-stable_6"
}, },
"locked": { "locked": {
"lastModified": 1718879355, "lastModified": 1718879355,
@ -2083,6 +2241,7 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"idmail": "idmail", "idmail": "idmail",
"impermanence": "impermanence", "impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"microvm": "microvm", "microvm": "microvm",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nix-topology": "nix-topology", "nix-topology": "nix-topology",
@ -2144,6 +2303,27 @@
} }
}, },
"rust-overlay_3": { "rust-overlay_3": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_4": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
@ -2231,7 +2411,8 @@
"base16-fish": "base16-fish", "base16-fish": "base16-fish",
"base16-helix": "base16-helix", "base16-helix": "base16-helix",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"flake-compat": "flake-compat_10", "firefox-gnome-theme": "firefox-gnome-theme",
"flake-compat": "flake-compat_11",
"flake-utils": "flake-utils_5", "flake-utils": "flake-utils_5",
"git-hooks": "git-hooks_2", "git-hooks": "git-hooks_2",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
@ -2244,14 +2425,15 @@
"systems": "systems_7", "systems": "systems_7",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-tmux": "tinted-tmux" "tinted-tmux": "tinted-tmux",
"tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1736011580, "lastModified": 1736530113,
"narHash": "sha256-8gmk/i9ZA5C6LGRnqHb5sZ8UKaqT5GnS6XxeSPMSz+s=", "narHash": "sha256-a+IUtGdzESNSQEZkW99TXf5js8o4Oy9M4H2am+2ECp4=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "7dfcdb410118dcd02ba1d85a2179a6f1c877403f", "rev": "f1e003194cb528bbd4eda50b781d1f703611782d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2430,6 +2612,22 @@
"type": "github" "type": "github"
} }
}, },
"tinted-zed": {
"flake": false,
"locked": {
"lastModified": 1725758778,
"narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
"owner": "tinted-theming",
"repo": "base16-zed",
"rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-zed",
"type": "github"
}
},
"treefmt": { "treefmt": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -2523,11 +2721,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735905407, "lastModified": 1736154270,
"narHash": "sha256-1hKMRIT+QZNWX46e4gIovoQ7H8QRb7803ZH4qSKI45o=", "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "29806abab803e498df96d82dd6f34b32eb8dd2c8", "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2543,11 +2741,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735905407, "lastModified": 1736154270,
"narHash": "sha256-1hKMRIT+QZNWX46e4gIovoQ7H8QRb7803ZH4qSKI45o=", "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "29806abab803e498df96d82dd6f34b32eb8dd2c8", "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2581,7 +2779,7 @@
"whisper-overlay": { "whisper-overlay": {
"inputs": { "inputs": {
"devshell": "devshell_8", "devshell": "devshell_8",
"flake-parts": "flake-parts_6", "flake-parts": "flake-parts_7",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -2603,11 +2801,11 @@
}, },
"wired-notify": { "wired-notify": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_7", "flake-parts": "flake-parts_8",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_4"
}, },
"locked": { "locked": {
"lastModified": 1730615238, "lastModified": 1730615238,

View file

@ -40,6 +40,11 @@
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = { microvm = {
url = "github:astro/microvm.nix"; url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
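Review bot: `inputs.nixpkgs.follows = "nixpkgs"` is the right override, but lanzaboote's other inputs are left to their own pins; as the flake.lock in this diff shows, this adds separate `crane_3`, `rust-overlay_3`, `flake-parts_5`, `pre-commit-hooks-nix` and a `nixpkgs-stable_4` (nixos-24.05) tree. `crane` and `rust-overlay` determine how the lanzaboote tool and the signed stub are built, so leaving them pinned is reasonable; `pre-commit-hooks-nix` and the extra nixpkgs-stable tree it drags in only serve lanzaboote's development shell, and a `follows` line for `flake-parts` (if the root flake already has a flake-parts input) would at least avoid the duplicate there.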

View file

@ -2,12 +2,15 @@
globals, globals,
inputs, inputs,
nodes, nodes,
pkgs,
lib,
... ...
}: }:
{ {
imports = [ imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-cpu-intel
inputs.nixos-hardware.nixosModules.common-pc-ssd inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.lanzaboote.nixosModules.lanzaboote
../../config ../../config
../../config/hardware/intel.nix ../../config/hardware/intel.nix
@ -22,6 +25,27 @@
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
boot.mode = "efi"; boot.mode = "efi";
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
boot.initrd.availableKernelModules = [
"r8169"
"tpm_crb"
];
security.tpm2 = {
enable = true;
pkcs11.enable = true;
};
environment.systemPackages = [ pkgs.sbctl ];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/sbctl";
mode = "0700";
}
];
meta.promtail = { meta.promtail = {
enable = true; enable = true;
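Review bot: `pkiBundle = "/var/lib/sbctl"` points lanzaboote at the sbctl key store, and persisting that directory with mode 0700 is required because lanzaboote re-signs the kernel, initrd and stub on every activation; the hunk does not say that the bundle must exist before this configuration is first switched to, so a comment naming the bootstrap order (create the keys with sbctl, enroll them while the firmware is in setup mode, then switch) would help whoever rebuilds this host. The signing keys in that directory are plaintext on disk, so anyone with root on sausebiene can sign arbitrary boot images; the boot chain therefore trusts root on this host, which is acceptable for a homelab but worth stating next to the persistence entry. `boot.loader.systemd-boot.enable = lib.mkForce false` is what lanzaboote needs since it installs its own bootloader entries; `tpm_crb` in the initrd makes the firmware TPM usable before the root filesystem is mounted, while `r8169` only matters if initrd networking is used. After enrollment, `sbctl verify` and `bootctl status` are the checks that the signed files are in place and that the firmware reports Secure Boot as enabled.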

View file

@ -1,6 +1,5 @@
{ {
config, config,
globals,
... ...
}: }:
{ {
@ -24,7 +23,7 @@
systemd.network.networks = { systemd.network.networks = {
"10-lan" = { "10-lan" = {
address = [ "192.168.1.17/24" ]; address = [ "192.168.1.17/24" ];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ]; gateway = [ "192.168.1.1" ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
networkConfig = { networkConfig = {
IPv6PrivacyExtensions = "yes"; IPv6PrivacyExtensions = "yes";
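Review bot: replacing `globals.net.home-lan.vlans.services.hosts.ward.ipv4` with the literal `"192.168.1.1"` (and dropping `globals` from the module arguments in the hunk above) removes the single source of truth for this host's gateway; if ward's address in `globals` ever changes, this host keeps the stale literal without any evaluation error. If the intent is that this host now routes via a gateway other than ward, a one-line comment saying so would make the deliberate decoupling clear.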