diff --git a/README.md b/README.md
index 2972a32..dff92b5 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,8 @@
-# About
+[Hosts](#hosts) \| [Programs](#programs--services) \| [Structure](./STRUCTURE.md)
+
+
+
+## ❄️ My NixOS Configuration
This is my personal nix config. It's still in the making, but this is what I got so far:
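Review bot: the README loses its only top-level heading here: `# About` is replaced by `## ❄️ My NixOS Configuration`, which is an H2, so nothing on the page is an H1 any more and the `## Hosts` / `## Programs & Services` sections below become siblings of the title instead of children. Use `# ❄️ My NixOS Configuration`. The three consecutive blank lines between the navigation line and the heading also read like a leftover placeholder (a badge or logo that did not make it into the patch); either add what was meant to go there or collapse them to one blank line.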
@@ -17,68 +21,55 @@ Desktop machines:
- System-wide theme using [stylix](https://github.com/danth/stylix)
-->
-
-
-Server related stuff:
+Server related stuff:
- Log and system monitoring through [grafana](https://github.com/grafana/grafana) using
- [influxdb2](https://github.com/influxdata/influxdb) and [telegraf](https://github.com/influxdata/telegraf) for metrics
- [loki](https://github.com/grafana/loki) and [promtail](https://grafana.com/docs/loki/latest/clients/promtail/) for logs
- Single-Sign-On for all services using oauth2 via [kanidm](https://github.com/kanidm/kanidm)
- Zoned nftables firewall via [nixos-nftables-firewall](https://github.com/thelegy/nixos-nftables-firewall)
-- Service isolation using nixos-containers and [microvms](https://github.com/astro/microvm.nix)
-
+- Service isolation using [microvms](https://github.com/astro/microvm.nix) and nixos-containers
## Hosts
-| | Name | Type | Purpose
----|---|---|---
-💻 | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine Framework when?
-🖥️ | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming
-🖥️ | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
-🥔 | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
-☁️ | envoy | Hetzner Cloud server | Mailserver
-☁️ | sentinel | Hetzner Cloud server | Proxies and protects my local services
+| | Type | Name | Hardware | Purpose
+---|---|---|---|---
+💻 | Laptop | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine Framework when?
+🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming
+🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
+🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
+🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
+☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
+☁️ | VPS | envoy | Hetzner Cloud server | Mailserver (WIP, still on gentoo)
-
+## Programs & Services
-
-not yet nixified: my main development machine, the powerful home server, and some services (still in transition from gentoo :/)
-
-
-## Programs
+#### Desktop Programs
| | |
|---|---|
**Shell** | zsh with [starship](https://github.com/starship/starship), fzf plugins and sqlite history
**Terminal** | [kitty](https://github.com/kovidgoyal/kitty)
-**Editor** | [neovim](https://github.com/neovim/neovim)
+**Editor** | [neovim](https://github.com/neovim/neovim) via [nixvim](https://github.com/nix-community/nixvim)
**WM** | [sway](https://github.com/swaywm/sway) & [i3](https://github.com/i3/i3) (still need X11 for gaming)
+**Browser** | [Firefox](https://www.mozilla.org/en-US/firefox/new/)
+**Notifications** | [wired-notify](https://github.com/Toqozz/wired-notify)
+**Screenshots** | [Flameshot](https://github.com/flameshot-org/flameshot) with custom [QR code detection](./pkgs/scripts/screenshot-area-scan-qr.nix) and [OCR to clipboard](./pkgs/scripts/screenshot-area.nix)
+**Gaming** | [Steam](https://store.steampowered.com/) and [Bottles](https://github.com/bottlesdevs/Bottles)
-
+**Git** | Forgejo
+**SSO** | Kanidm
+**Logs** | Loki
+**Time Series DB** | Influxdb
+**Monitoring** | Grafana
+**DNS AdBlock** | AdGuard Home
+**Passwords** | Vaultwarden
+**Photos** | Immich
+**Documents** | Paperless
## Structure
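Review bot: the new service rows (`**Git** | Forgejo` through `**Documents** | Paperless`) are appended straight onto the `#### Desktop Programs` table, because the blank line after `**Gaming**` is removed and no new heading or table header is introduced, so Forgejo, Kanidm, Loki and the rest render as desktop programs. Insert a blank line, a `#### Services` heading and a fresh `| | |` / `|---|---|` header before `**Git** | Forgejo`. Two smaller points in the same region: `#### Desktop Programs` sits directly under the H2 `## Programs & Services`, so it should be `###` rather than `####`; and the blank lines before `## Hosts` and before `## Programs & Services` are removed, leaving a heading immediately after a list item and after a table row, which some renderers will not treat as a new block. The `nftables` / kanidm / microvm bullets and the host table changes themselves look fine.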
@@ -89,13 +80,11 @@ but here's a quick breakdown of the what you will find where.
| | |
|---|---|
-`apps/` | runnable actions for flake maintenance
`hosts/` | top-level configuration for ``
`lib/` | library functions overlayed on top of `nixpkgs.lib`
`modules/config/` | global configuration for all hosts
`modules/optional/` | optional configuration included by hosts
-`modules/meta/` | simplified setup for existing modules and cross-host config
-`modules/*/` | classical reusable configuration modules
+`modules/*` | classical reusable configuration modules
`nix/` | library functions and flake plumbing
`pkgs/` | Custom packages and scripts
`secrets/` | Global secrets and age identities
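Review bot: `modules/*` drops the trailing slash that every other directory entry in this table keeps (`modules/config/`, `modules/optional/`, `nix/`, `pkgs/`); keep `modules/*/` for consistency with the rows around it. Since the `modules/meta/` row is deleted along with `apps/`, confirm that the `modules/meta/` directory is actually gone from the tree in this commit; otherwise the "what you will find where" breakdown no longer matches the checkout. While editing this table, the `hosts/` row still has an empty code span (`top-level configuration for ``), which looks like a stripped placeholder and is worth fixing in the same pass.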
@@ -111,7 +100,7 @@ but here's a quick breakdown of the what you will find where.
- Create hosts/
- Fill net.nix
- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)
-- Run generate-secrets
+- Run `agenix generate` and `agenix rekey` (create's dummy secrets for initial deploy)
#### Initial deploy
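Review bot: "create's" should be "creates", and the parenthetical should say which of the two commands creates the dummy secrets, since `agenix generate` and `agenix rekey` are listed as one step. This step replaces the old `generate-secrets` action with placeholder secrets "for initial deploy"; the document should also state at what point those placeholders are replaced by real secrets and the host rekeyed, so a reader following the list does not leave a freshly deployed host running on dummy values. Suggested wording: `- Run \`agenix generate\` (creates dummy secrets for the initial deploy) and \`agenix rekey\``, followed by a sentence on regenerating the real secrets afterwards.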
diff --git a/STRUCTURE.md b/STRUCTURE.md
index 74cbe0d..946358e 100644
--- a/STRUCTURE.md
+++ b/STRUCTURE.md
@@ -3,8 +3,6 @@
If you are interested in parts of my configuration, you probably want to examine the contents of `users/`, `modules/` and `hosts/`.
Make sure to utilize the github search if you know what you need!
-- `apps/` Additional runnable actions for flake maintenance, like showing wireguard QR codes.
-
- `hosts/` contains the top-level configuration for ``.
Follow the imports from there to see what it entails.
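Review bot: removing the `apps/` bullet is consistent with deleting the directory, but the bullet was the only place that told the reader how WireGuard peer QR codes were produced, and nothing in this patch adds a replacement sentence. Either mention the new way external peer configs are generated, or state in the commit message that the helper was dropped intentionally. The `hosts/` bullet kept as context still has the empty code span (`for ``), same as in README.md.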
diff --git a/apps/default.nix b/apps/default.nix
deleted file mode 100644
index 3bd0e6c..0000000
--- a/apps/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{self, ...} @ inputs: system: let
- pkgs = self.pkgs.${system};
- inherit
- (pkgs.lib)
- flip
- nameValuePair
- removeSuffix
- ;
- mkApp = drv: {
- type = "app";
- program = "${drv}";
- };
- args = inputs // {inherit pkgs;};
- apps = [
- ./format-secrets.nix
- ./show-wireguard-qr.nix
- ];
-in
- builtins.listToAttrs (flip map apps (
- appPath:
- nameValuePair
- (removeSuffix ".nix" (builtins.baseNameOf appPath))
- (mkApp (import appPath args))
- ))
diff --git a/apps/format-secrets.nix b/apps/format-secrets.nix
deleted file mode 100644
index d69f16a..0000000
--- a/apps/format-secrets.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- self,
- pkgs,
- nixpkgs,
- ...
-}: let
- inherit (nixpkgs.lib) concatStringsSep;
- inherit (extraLib) rageEncryptArgs;
-in
- pkgs.writeShellScript "format-secrets" ''
- set -euo pipefail
- [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
- for f in $(find . -type f -name '*.nix.age'); do
- echo "Formatting $f ..."
- decrypted=$(${../rage-decrypt-and-cache.sh} --print-out-path "$f" ${concatStringsSep " " self.secretsConfig.masterIdentities}) \
- || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
- formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
- || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
- ${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$formatted" > "$f" \
- || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
- done
- ''
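Review bot: this deletion removes the only user of `../rage-decrypt-and-cache.sh --print-out-path` visible in the patch, i.e. the helper that decrypts every `*.nix.age` file into a cached plaintext path before formatting and re-encrypting it. Check whether that helper (and any cache directory it writes to) is still used elsewhere; if not, remove it in the same change rather than leaving a script around whose purpose is to keep decrypted secrets on disk. If the formatting workflow is meant to continue under `agenix`, the README should say so, since this script was the documented way to keep encrypted Nix secrets formatted.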
diff --git a/apps/show-wireguard-qr.nix b/apps/show-wireguard-qr.nix
deleted file mode 100644
index 0d21f71..0000000
--- a/apps/show-wireguard-qr.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- self,
- pkgs,
- ...
-}: let
- inherit
- (pkgs.lib)
- attrNames
- concatMap
- concatStringsSep
- escapeShellArg
- unique
- ;
-
- nodeNames = attrNames self.nodes;
- wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.meta.wireguard) nodeNames);
-
- externalPeersForNet = wgName:
- concatMap (serverNode:
- map
- (peer: {inherit wgName serverNode peer;})
- (attrNames self.nodes.${serverNode}.config.meta.wireguard.${wgName}.server.externalPeers))
- (self.extraLib.wireguard wgName).participatingServerNodes;
- allExternalPeers = concatMap externalPeersForNet wireguardNetworks;
-in
- pkgs.writeShellScript "show-wireguard-qr" ''
- set -euo pipefail
- json_sel=$(echo ${escapeShellArg (concatStringsSep "\n" (map (x: "${builtins.toJSON x}\t[33m${x.wgName}[m.[34m${x.serverNode}[m.[32m${x.peer}[m") allExternalPeers))} \
- | ${pkgs.fzf}/bin/fzf --delimiter='\t' --ansi --multi --query="''${1-}" --tiebreak=end --bind=tab:down,btab:up,change:top,ctrl-space:toggle --with-nth=2.. --height='~50%' --tac \
- | ${pkgs.coreutils}/bin/cut -d$'\t' -f1)
- [[ -n "$json_sel" ]] || exit 1
-
- while IFS= read -r line; do
- wgName=$(${pkgs.jq}/bin/jq -r .wgName <<< "$line")
- serverNode=$(${pkgs.jq}/bin/jq -r .serverNode <<< "$line")
- peer=$(${pkgs.jq}/bin/jq -r .peer <<< "$line")
- echo "======== $wgName.$serverNode.$peer ========"
-
- createConfigScript=$(nix build --no-link --print-out-paths --impure --show-trace --expr \
- 'let flk = builtins.getFlake "${../../.}"; in (flk.extraLib.wireguard "'"$wgName"'").wgQuickConfigScript "${pkgs.system}" "'"$serverNode"'" "'"$peer"'"')
- "$createConfigScript" | tee /dev/tty | ${pkgs.qrencode}/bin/qrencode -t ansiutf8
- done <<< "$json_sel"
- ''
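Review bot: the deletion silently drops the only tool in the repository for producing wg-quick configs and QR codes for external WireGuard peers, and the README/STRUCTURE hunks only remove its mention rather than pointing to a replacement; say where that functionality now lives (or that it is gone) so the patch description matches the user-visible change. Worth recording as a reason for the removal: the deleted script ran `"$createConfigScript" | tee /dev/tty | ... qrencode`, which printed the entire wg-quick config, peer private key included, to the terminal in addition to rendering the QR code, and it built that config with `nix build --impure --expr 'builtins.getFlake ...'`. If a replacement is written, render only the QR code and keep the impure flake evaluation out of it.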
diff --git a/flake.nix b/flake.nix
index 8fac1d1..557d3a1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -200,9 +200,6 @@
.${system};
};
- # `nix run .#`
- apps = import ./apps inputs system;
-
# `nix flake check`
checks.pre-commit-hooks = pre-commit-hooks.lib.${system}.run {
src = cleanSource ./.;
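Review bot: dropping `apps = import ./apps inputs system;` matches the deletion of `apps/`, so this hunk is consistent; please also grep the remaining docs and any shell aliases for `nix run .#format-secrets` / `nix run .#show-wireguard-qr` style invocations, since the removed comment (`# \`nix run .#\``) shows these outputs were meant to be invoked that way and any surviving reference will now fail at evaluation time.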