sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add lanzaboote for sausebiene

Browse source
This commit is contained in:
oddlama 2025-01-12 21:01:57 +01:00
parent 7f1be2f841
commit 50bebac0e0
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
6 changed files with 372 additions and 148 deletions
Download patch file Download diff file Expand all files Collapse all files

59
README.md
View file

@ -15,7 +15,8 @@ including my homelab, external servers and my development machines.
🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming
🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
🖥️ | Server | sausebiene | Intel N100 | Home automation and IoT network isolation
🥔 | Server | zackbiene | ODROID N2+ | Decomissioned. Old home assistant board
☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
☁️ | VPS | envoy | Hetzner Cloud server | Mailserver
@ -23,15 +24,7 @@ including my homelab, external servers and my development machines.
An overview over what you will find in this repository. I usually put a lot of
effort into all my configurations and try to go over every option in detail.
These lists summarize the major parts.
I've also included a (subjective) indicator of customization (💎) so you can more
easily find the configs that are very polished or different from the basic setup
that most people would have. The configurations are sorted into three categories:
- **dotfiles**: Lists all the stuff I use on my desktop/development machines. All of this is very customized.
- **services**: Lists all my services, both homelab and external.
- **other**: Lists anything else, like general machine config, organizational and miscellaneous stuff.
I've included the major components in the lists below.
#### Dotfiles
@ -47,27 +40,31 @@ that most people would have. The configurations are sorted into three categories
📷 Screenshots | Custom based on grimblast | [Link](./pkgs/scripts) | Custom scripts utilizing grimblast for [QR code detection](./pkgs/scripts/screenshot-area-scan-qr.nix) and [OCR / satty editing](./pkgs/scripts/screenshot-area.nix)
🗨️ Notifications | SwayNotificationCenter | [Link](./users/myuser/graphical/swaync.nix) | Notification center with customized color scheme
🎮 Gaming | Steam & Bottles | [Link](./users/myuser/graphical/games) | Setup for gaming
📫 Mail | Thunderbird | [Link](./users/myuser/graphical/thunderbird.nix) | Your regular thunderbird setup
#### Services
| ~~~~~~~~~~~~ | 💎 | Service | Source | Description
---|---|---|---|---
🐙 Git | – | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO
🔑 SSO | 💎 | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single Sign On on my hosted services. 💎 With custom-made secret provisioning.
🔴 DNS Adblock | – | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker
🔐 Passwords | – | Vaultwarden | [Link](./hosts/ward/guests/vaultwarden.nix) | Self-hosted password manager
📷 Photos | – | Immich | [Link](./hosts/sire/guests/immich.nix) | Self-hosted photo and video backup solution
🗂️ Documents | 💎 | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. 💎 with per-user Samba share integration (consume & archive)
🗓️ CalDAV/CardDAV | – | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization
📁 NAS | 💎 | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. 💎 Cross-integration with paperless
🧱 Minecraft | 💎 | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. 💎 Autostart on connect, systemd service with background console, automatic backups
🛡️ VPN | - | Netbird | [Link](./hosts/ward/guests/netbird.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication.
📧 Mailserver | 💎 | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration
📈 Dashboard | – | Grafana | [Link](./hosts/sire/guests/grafana.nix) | Logs and metrics dashboard and alerting
📔 Logs DB | – | Loki | [Link](./hosts/sire/guests/loki.nix) | Central log aggregation service
📔 Logs | – | Promtail | [Link](./modules/promtail.nix) | Log shipping agent
📚 TSDB | – | Influxdb2 | [Link](./hosts/sire/guests/influxdb.nix) | Time series database for storing host metrics
⏱️ Metrics | – | Telegraf | [Link](./modules/telegraf.nix) | Per-host collection of metrics
| ~~~~~~~~~~~~ | Service | Source | Description
---|---|---|---
💸 Budgeting | Actual Budget | [Link](./hosts/sire/guests/actual.nix) | Budgeting application to track income and expenses
🛡️ Adblock | AdGuard Home | [Link](./hosts/ward/guests/adguardhome.nix) | DNS level adblocker
🔒 SSO | Kanidm | [Link](./hosts/ward/guests/kanidm.nix) | Identity provider for Single-Sign-On on my hosted services, with provisioning.
🐙 Git | Forgejo | [Link](./hosts/ward/guests/forgejo.nix) | Forgejo with SSO
🔑 Passwords | Vaultwarden | [Link](./hosts/ward/guests/vaultwarden.nix) | Self-hosted password manager
📷 Photos | Immich | [Link](./hosts/sire/guests/immich.nix) | Self-hosted photo and video backup solution
📄 Documents | Paperless | [Link](./hosts/sire/guests/paperless.nix) | Document management system. With per-user Samba share integration (consume & archive)
🗓️ CalDAV/CardDAV | Radicale | [Link](./hosts/ward/guests/radicale.nix) | Contacts, Calender and Tasks synchronization
📁 NAS | Samba | [Link](./hosts/sire/guests/samba.nix) | Network attached storage. Cross-integration with paperless
🌐 VPN | Netbird | [Link](./hosts/ward/guests/netbird.nix) | Internal network gateway and wireguard VPN server with dynamic peer configuration and SSO authentication.
🏠 Home Automation | Home Assistant | [Link](./hosts/zackbiene/home-assistant.nix) | Automation with Home Assistant and many related services
📧 Mailserver | Stalwart | [Link](./hosts/envoy/stalwart-mail.nix) | Modern mail server setup with custom self-service alias management including Bitwarden integration
🧱 Minecraft | PaperMC | [Link](./hosts/sire/guests/minecraft.nix) | Minecraft game server. Autostart on connect, systemd service with background console, automatic backups
🐒 Local LLM | Ollama & open-webui | [Link](./hosts/sire/guests/ai.nix) | Local LLM and AI Chat
📊 Dashboard | Grafana | [Link](./hosts/sire/guests/grafana.nix) | Logs and metrics dashboard and alerting
📔 Logs DB | Loki | [Link](./hosts/sire/guests/loki.nix) | Central log aggregation service
📔 Logs Agent | Promtail | [Link](./modules/promtail.nix) | Log shipping agent
📚 TSDB | Influxdb2 | [Link](./hosts/sire/guests/influxdb.nix) | Time series database for storing host metrics
⏱️ Metrics | Telegraf | [Link](./modules/telegraf.nix) | Per-host collection of metrics
<!--
- home assistant & subcomponents
@ -80,9 +77,9 @@ that most people would have. The configurations are sorted into three categories
(WIP)
| ~~~~~~~~~~~~ | 💎 | Source | Description
---|---|---|---
🗑️ Impermanence | – | [Link](./config/impermanence.nix) | Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration.
| ~~~~~~~~~~~~ | Source | Description
---|---|---
🗑️ Impermanence | [Link](./config/impermanence.nix) | Only persist what is necessary. ZFS rollback on boot. Most configuration is will be next to the respective service / program configuration.
- reverse proxy with wireguard tunnel
- restic

3
config/users.nix
View file

@ -40,7 +40,8 @@
plausible = uidGid 971;
actual = uidGid 970;
flatpak = uidGid 969;
plugdev.gid = 967;
unifi = uidGid 968;
plugdev.gid = 967;
tss = uidGid 966;
};
}

426
flake.lock generated
View file

@ -36,11 +36,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1735993832,
"narHash": "sha256-gmleUygegZHWfyzgLUSgj9rVe2iUCoAUB0iUkKzQYN4=",
"lastModified": 1736429053,
"narHash": "sha256-luGqUO7XJKGMO65+xD2xWxr4bsHWATbdFo6JUQIEzrI=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "57e286831e3581800178b310c0110c244f2e2469",
"rev": "8cd512cc5324de73de9bd47d85c15afb4fee3d9c",
"type": "github"
},
"original": {
@ -149,6 +149,21 @@
"type": "github"
}
},
"crane_3": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -368,11 +383,11 @@
]
},
"locked": {
"lastModified": 1735468753,
"narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=",
"lastModified": 1736591904,
"narHash": "sha256-LFO8pSrPKrH8OPq2HaAuBG5skk8/MNJ/9YmK3KsnSks=",
"owner": "nix-community",
"repo": "disko",
"rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21",
"rev": "33827d2bd16bfe2e21b62956526c72d313595dfd",
"type": "github"
},
"original": {
@ -454,6 +469,22 @@
"type": "github"
}
},
"firefox-gnome-theme": {
"flake": false,
"locked": {
"lastModified": 1734969791,
"narHash": "sha256-A9PxLienMYJ/WUvqFie9qXrNC2MeRRYw7TG/q7DRjZg=",
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"rev": "92f4890bd150fc9d97b61b3583680c0524a8cafe",
"type": "github"
},
"original": {
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -502,6 +533,22 @@
"type": "github"
}
},
"flake-compat_12": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
@ -583,6 +630,22 @@
}
},
"flake-compat_7": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -598,7 +661,7 @@
"type": "github"
}
},
"flake-compat_8": {
"flake-compat_9": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -612,22 +675,6 @@
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_9": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -672,11 +719,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1735774679,
"narHash": "sha256-soePLBazJk0qQdDVhdbM98vYdssfs3WFedcq+raipRI=",
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f2f7418ce0ab4a5309a4596161d154cfc877af66",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
@ -706,16 +753,16 @@
"flake-parts_5": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735774679,
"narHash": "sha256-soePLBazJk0qQdDVhdbM98vYdssfs3WFedcq+raipRI=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f2f7418ce0ab4a5309a4596161d154cfc877af66",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -725,6 +772,27 @@
}
},
"flake-parts_6": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_7": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_4"
},
@ -742,7 +810,7 @@
"type": "github"
}
},
"flake-parts_7": {
"flake-parts_8": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_5"
},
@ -893,7 +961,7 @@
"nixvim",
"flake-compat"
],
"gitignore": "gitignore_6",
"gitignore": "gitignore_7",
"nixpkgs": [
"nixvim",
"nixpkgs"
@ -919,7 +987,7 @@
"stylix",
"flake-compat"
],
"gitignore": "gitignore_8",
"gitignore": "gitignore_9",
"nixpkgs": [
"stylix",
"nixpkgs"
@ -966,6 +1034,28 @@
"type": "github"
}
},
"gitignore_10": {
"inputs": {
"nixpkgs": [
"whisper-overlay",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
@ -1011,6 +1101,28 @@
}
},
"gitignore_4": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_5": {
"inputs": {
"nixpkgs": [
"nix-topology",
@ -1032,7 +1144,7 @@
"type": "github"
}
},
"gitignore_5": {
"gitignore_6": {
"inputs": {
"nixpkgs": [
"nixos-extra-modules",
@ -1054,7 +1166,7 @@
"type": "github"
}
},
"gitignore_6": {
"gitignore_7": {
"inputs": {
"nixpkgs": [
"nixvim",
@ -1076,32 +1188,10 @@
"type": "github"
}
},
"gitignore_7": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_8": {
"inputs": {
"nixpkgs": [
"stylix",
"git-hooks",
"pre-commit-hooks",
"nixpkgs"
]
},
@ -1122,8 +1212,8 @@
"gitignore_9": {
"inputs": {
"nixpkgs": [
"whisper-overlay",
"pre-commit-hooks",
"stylix",
"git-hooks",
"nixpkgs"
]
},
@ -1165,11 +1255,11 @@
]
},
"locked": {
"lastModified": 1736013363,
"narHash": "sha256-P4lsS2Y5GzBfC8OfXtD/xWEucX6oHGTjOzjEjEJbXfc=",
"lastModified": 1736508663,
"narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0d7908bd09165db6699908b7e3970f137327cbf0",
"rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github"
},
"original": {
@ -1186,11 +1276,11 @@
]
},
"locked": {
"lastModified": 1735979091,
"narHash": "sha256-WpFjt6+8UD81EP386c269ZTqpEmlGJgcPw+OB4b7EBs=",
"lastModified": 1736508663,
"narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "11ab08541e61ac3bbf2ab27229f68622629401df",
"rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github"
},
"original": {
@ -1267,6 +1357,31 @@
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane_3",
"flake-compat": "flake-compat_6",
"flake-parts": "flake-parts_5",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1734994463,
"narHash": "sha256-S9MgfQjNt4J3I7obdLOVY23h+Yl/hnyibwGfOl+1uOE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "93e6f0d77548be8757c11ebda5c4235ef4f3bc67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "lanzaboote",
"type": "github"
}
},
"lib-net": {
"flake": false,
"locked": {
@ -1289,11 +1404,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1735074045,
"narHash": "sha256-CeYsC8J2dNiV2FCQOxK1oZ/jNpOF2io7aCEFHmfi95U=",
"lastModified": 1736383159,
"narHash": "sha256-oNIfJUvQFhFKmNp7MfKw0IghOoKBLBgPPrVolN2M18A=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "2ae08de8e8068b00193b9cfbc0acc9dfdda03181",
"rev": "3394c37bc8105c54f45b2b5395428a09647c1f57",
"type": "github"
},
"original": {
@ -1396,11 +1511,11 @@
]
},
"locked": {
"lastModified": 1735956190,
"narHash": "sha256-svzx3yVXD5tbBJZCn3Lt1RriH8GHo6CyVUPTHejf7sU=",
"lastModified": 1736370755,
"narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "3feaf376d75d3d58ebf7e9a4f584d00628548ad9",
"rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
"type": "github"
},
"original": {
@ -1416,11 +1531,11 @@
]
},
"locked": {
"lastModified": 1735443188,
"narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=",
"lastModified": 1736440205,
"narHash": "sha256-QJgTI//KEGuEJC6FDxuI9Dq8PewIpnxD2NVx2/OHbfc=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544",
"rev": "a2200b499efa01ca8646173e94cdfcc93188f2b8",
"type": "github"
},
"original": {
@ -1439,11 +1554,11 @@
"pre-commit-hooks": "pre-commit-hooks_4"
},
"locked": {
"lastModified": 1735927098,
"narHash": "sha256-bRAtYb+o9/kFrUDZt5pFD0ET+rG0g5nYM0qNKaRiv2g=",
"lastModified": 1736111688,
"narHash": "sha256-5z1ZgHgrr1qI0ve+mc0SjbL5PGbDLZb/3uijpmLIWT8=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "2113ac865a077a7487268d6f1fe27400271ecd19",
"rev": "ac1aa5116d858fdff131625dde59a988f74efb11",
"type": "github"
},
"original": {
@ -1514,11 +1629,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1735388221,
"narHash": "sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg=",
"lastModified": 1736441705,
"narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "7c674c6734f61157e321db595dbfcd8523e04e19",
"rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337",
"type": "github"
},
"original": {
@ -1550,11 +1665,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1735834308,
"narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=",
"lastModified": 1736344531,
"narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6df24922a1400241dae323af55f30e4318a6ca65",
"rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
"type": "github"
},
"original": {
@ -1673,6 +1788,22 @@
}
},
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_5": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -1688,7 +1819,7 @@
"type": "github"
}
},
"nixpkgs-stable_5": {
"nixpkgs-stable_6": {
"locked": {
"lastModified": 1718447546,
"narHash": "sha256-JHuXsrC9pr4kA4n7LuuPfWFJUVlDBVJ1TXDVpHEuUgM=",
@ -1723,8 +1854,8 @@
"nixvim": {
"inputs": {
"devshell": "devshell_7",
"flake-compat": "flake-compat_8",
"flake-parts": "flake-parts_5",
"flake-compat": "flake-compat_9",
"flake-parts": "flake-parts_6",
"git-hooks": "git-hooks",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
@ -1735,11 +1866,11 @@
"treefmt-nix": "treefmt-nix_4"
},
"locked": {
"lastModified": 1735980252,
"narHash": "sha256-aVFpRYFmLP6jECp9SwsoJkSBTOSOJKYOjHgsR0RcbCQ=",
"lastModified": 1736598781,
"narHash": "sha256-Y0o9ahm6Kk0DumTo80/vKspkHOkbtFgKCNiICyRjhMs=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "9fec10597383c024a2a1a8b71fb58d6b1f30ebb9",
"rev": "2fc2132a78753fc3d7ec732044eff7ad69530055",
"type": "github"
},
"original": {
@ -1839,6 +1970,33 @@
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore_4",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"inputs": {
"flake-compat": "flake-compat_3",
@ -1889,8 +2047,8 @@
},
"pre-commit-hooks_4": {
"inputs": {
"flake-compat": "flake-compat_6",
"gitignore": "gitignore_4",
"flake-compat": "flake-compat_7",
"gitignore": "gitignore_5",
"nixpkgs": [
"nix-topology",
"nixpkgs"
@ -1916,17 +2074,17 @@
},
"pre-commit-hooks_5": {
"inputs": {
"flake-compat": "flake-compat_7",
"flake-compat": "flake-compat_8",
"flake-utils": [
"nixos-extra-modules",
"flake-utils"
],
"gitignore": "gitignore_5",
"gitignore": "gitignore_6",
"nixpkgs": [
"nixos-extra-modules",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_4"
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
"lastModified": 1702456155,
@ -1944,8 +2102,8 @@
},
"pre-commit-hooks_6": {
"inputs": {
"flake-compat": "flake-compat_9",
"gitignore": "gitignore_7",
"flake-compat": "flake-compat_10",
"gitignore": "gitignore_8",
"nixpkgs": [
"nixpkgs"
]
@ -1966,13 +2124,13 @@
},
"pre-commit-hooks_7": {
"inputs": {
"flake-compat": "flake-compat_11",
"gitignore": "gitignore_9",
"flake-compat": "flake-compat_12",
"gitignore": "gitignore_10",
"nixpkgs": [
"whisper-overlay",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_5"
"nixpkgs-stable": "nixpkgs-stable_6"
},
"locked": {
"lastModified": 1718879355,
@ -2083,6 +2241,7 @@
"home-manager": "home-manager",
"idmail": "idmail",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"microvm": "microvm",
"nix-index-database": "nix-index-database",
"nix-topology": "nix-topology",
@ -2144,6 +2303,27 @@
}
},
"rust-overlay_3": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_4": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
@ -2231,7 +2411,8 @@
"base16-fish": "base16-fish",
"base16-helix": "base16-helix",
"base16-vim": "base16-vim",
"flake-compat": "flake-compat_10",
"firefox-gnome-theme": "firefox-gnome-theme",
"flake-compat": "flake-compat_11",
"flake-utils": "flake-utils_5",
"git-hooks": "git-hooks_2",
"gnome-shell": "gnome-shell",
@ -2244,14 +2425,15 @@
"systems": "systems_7",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-tmux": "tinted-tmux"
"tinted-tmux": "tinted-tmux",
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1736011580,
"narHash": "sha256-8gmk/i9ZA5C6LGRnqHb5sZ8UKaqT5GnS6XxeSPMSz+s=",
"lastModified": 1736530113,
"narHash": "sha256-a+IUtGdzESNSQEZkW99TXf5js8o4Oy9M4H2am+2ECp4=",
"owner": "danth",
"repo": "stylix",
"rev": "7dfcdb410118dcd02ba1d85a2179a6f1c877403f",
"rev": "f1e003194cb528bbd4eda50b781d1f703611782d",
"type": "github"
},
"original": {
@ -2430,6 +2612,22 @@
"type": "github"
}
},
"tinted-zed": {
"flake": false,
"locked": {
"lastModified": 1725758778,
"narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=",
"owner": "tinted-theming",
"repo": "base16-zed",
"rev": "122c9e5c0e6f27211361a04fae92df97940eccf9",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-zed",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
@ -2523,11 +2721,11 @@
]
},
"locked": {
"lastModified": 1735905407,
"narHash": "sha256-1hKMRIT+QZNWX46e4gIovoQ7H8QRb7803ZH4qSKI45o=",
"lastModified": 1736154270,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "29806abab803e498df96d82dd6f34b32eb8dd2c8",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github"
},
"original": {
@ -2543,11 +2741,11 @@
]
},
"locked": {
"lastModified": 1735905407,
"narHash": "sha256-1hKMRIT+QZNWX46e4gIovoQ7H8QRb7803ZH4qSKI45o=",
"lastModified": 1736154270,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "29806abab803e498df96d82dd6f34b32eb8dd2c8",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github"
},
"original": {
@ -2581,7 +2779,7 @@
"whisper-overlay": {
"inputs": {
"devshell": "devshell_8",
"flake-parts": "flake-parts_6",
"flake-parts": "flake-parts_7",
"nixpkgs": [
"nixpkgs"
],
@ -2603,11 +2801,11 @@
},
"wired-notify": {
"inputs": {
"flake-parts": "flake-parts_7",
"flake-parts": "flake-parts_8",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_3"
"rust-overlay": "rust-overlay_4"
},
"locked": {
"lastModified": 1730615238,

5
flake.nix
View file

@ -40,6 +40,11 @@
impermanence.url = "github:nix-community/impermanence";
lanzaboote = {
url = "github:nix-community/lanzaboote";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";

24
hosts/sausebiene/default.nix
View file

@ -2,12 +2,15 @@
globals,
inputs,
nodes,
pkgs,
lib,
...
}:
{
imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel
inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.lanzaboote.nixosModules.lanzaboote
../../config
../../config/hardware/intel.nix
@ -22,6 +25,27 @@
nixpkgs.hostPlatform = "x86_64-linux";
boot.mode = "efi";
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
boot.initrd.availableKernelModules = [
"r8169"
"tpm_crb"
];
security.tpm2 = {
enable = true;
pkcs11.enable = true;
};
environment.systemPackages = [ pkgs.sbctl ];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/sbctl";
mode = "0700";
}
];
meta.promtail = {
enable = true;

3
hosts/sausebiene/net.nix
View file

@ -1,6 +1,5 @@
{
config,
globals,
...
}:
{
@ -24,7 +23,7 @@
systemd.network.networks = {
"10-lan" = {
address = [ "192.168.1.17/24" ];
gateway = [ globals.net.home-lan.vlans.services.hosts.ward.ipv4 ];
gateway = [ "192.168.1.1" ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
networkConfig = {
IPv6PrivacyExtensions = "yes";