From e9a77fccb7570c3c3e636580827d192358309149 Mon Sep 17 00:00:00 2001
From: Thiago Sposito
Date: Fri, 17 Oct 2025 17:18:35 -0300
Subject: [PATCH] chore: update Nix configurations for Nixcloud and common
hosts
- Add Nixcloud host configurations including networking, hardware, and system settings
- Refactor existing configurations for clarity and organization
- Remove unused podman configuration from home-manager
- Update SSH agent settings and session variables in Nixbook host
---
flake.lock | 16 ++--
flake.nix | 31 ++++--
home-manager/home.nix | 9 --
home-manager/zsh.nix | 11 ++-
hosts/Nixbook/default.nix | 12 +--
hosts/Nixcloud/default.nix | 95 +++++++++++++++++++
hosts/Nixcloud/nixos/configuration.nix | 15 +++
.../Nixcloud/nixos/hardware-configuration.nix | 9 ++
hosts/Nixcloud/nixos/networking.nix | 35 +++++++
hosts/common/default.nix | 2 +
hosts/common/users/nimbus/default.nix | 44 +++++++++
11 files changed, 240 insertions(+), 39 deletions(-)
create mode 100644 hosts/Nixcloud/default.nix
create mode 100644 hosts/Nixcloud/nixos/configuration.nix
create mode 100644 hosts/Nixcloud/nixos/hardware-configuration.nix
create mode 100644 hosts/Nixcloud/nixos/networking.nix
create mode 100644 hosts/common/users/nimbus/default.nix
diff --git a/flake.lock b/flake.lock
index 32a88e6..a7acc72 100644
--- a/flake.lock
+++ b/flake.lock
@@ -183,18 +183,14 @@
"secrets": {
"flake": false,
"locked": {
- "lastModified": 1760062596,
- "narHash": "sha256-nFyr+kOCo9PvdHa9JDTWtMRRqgfOqVUvBSfeyQzqDos=",
- "ref": "refs/heads/main",
- "rev": "621da7663ad8f975b98b1cdd5756f361e4f4cc05",
- "revCount": 2,
- "type": "git",
- "url": "ssh://git@git.sr.ht/~sposito/secrets"
+ "path": "git@git.sr.ht/~sposito/secrets",
+ "type": "path"
},
"original": {
- "type": "git",
- "url": "ssh://git@git.sr.ht/~sposito/secrets"
- }
+ "path": "git@git.sr.ht/~sposito/secrets",
+ "type": "path"
+ },
+ "parent": []
},
"sops-nix": {
"inputs": {
diff --git a/flake.nix b/flake.nix
index c82a771..9b15621 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,16 +21,17 @@
inputs.nixpkgs.follows = "nixpkgs";
};
secrets = {
- url = "git+ssh://git@git.sr.ht/~sposito/secrets";
+ url = "git@git.sr.ht/~sposito/secrets";
flake = false;
};
};
outputs =
- { self
- , nixpkgs
- , home-manager
- , ...
+ {
+ self,
+ nixpkgs,
+ home-manager,
+ ...
}@inputs:
let
inherit (self) outputs;
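Review bot: The `secrets` input on the `+ url =` line has lost its URL scheme, so Nix reads `git@git.sr.ht/~sposito/secrets` as a relative path inside the flake directory, which is exactly what the flake.lock hunk now records (`"type": "path"`, with the previous `rev` and `narHash` gone). That means the secrets input is no longer content-pinned and evaluation will fail unless a directory of that literal name exists in the repository. If the remote is still the intended source, restore `url = "git+ssh://git@git.sr.ht/~sposito/secrets";`; if a local checkout is intended, use an explicit `path:` URL with a plain directory name so the intent is visible in the lock.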
@@ -87,10 +88,22 @@
};
# nix build .#checks.x86_64-linux
packages.${system}.all = nixpkgs.legacyPackages.${system}.linkFarm "all-builds" [
- { name = "nixbook"; path = self.nixosConfigurations.Nixbook.config.system.build.toplevel; }
- { name = "nixstation"; path = self.nixosConfigurations.Nixstation.config.system.build.toplevel; }
- { name = "hm-nixbook"; path = self.homeConfigurations."thiago@Nixbook".activationPackage; }
- { name = "hm-nixstation"; path = self.homeConfigurations."thiago@Nixstation".activationPackage; }
+ {
+ name = "nixbook";
+ path = self.nixosConfigurations.Nixbook.config.system.build.toplevel;
+ }
+ {
+ name = "nixstation";
+ path = self.nixosConfigurations.Nixstation.config.system.build.toplevel;
+ }
+ {
+ name = "hm-nixbook";
+ path = self.homeConfigurations."thiago@Nixbook".activationPackage;
+ }
+ {
+ name = "hm-nixstation";
+ path = self.homeConfigurations."thiago@Nixstation".activationPackage;
+ }
];
};
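Review bot: The `all-builds` link farm still lists only Nixbook and Nixstation while this patch adds `hosts/Nixcloud`; an entry such as `{ name = "nixcloud"; path = self.nixosConfigurations.Nixcloud.config.system.build.toplevel; }` would let the existing build check catch evaluation errors in the new host. No hunk in this patch registers Nixcloud under `nixosConfigurations`, so that wiring either lives outside the diff or is still missing — worth confirming before adding the entry.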
diff --git a/home-manager/home.nix b/home-manager/home.nix
index 7044357..f435739 100644
--- a/home-manager/home.nix
+++ b/home-manager/home.nix
@@ -126,15 +126,6 @@
};
};
- podman = {
- enable = true;
- dockerCompat = true; # optional: use docker commands
- extraPackages = with pkgs; [
- fuse-overlayfs
- slirp4netns
- ];
- };
-
vscode = {
enable = true;
};
diff --git a/home-manager/zsh.nix b/home-manager/zsh.nix
index 8e778eb..f2660dd 100644
--- a/home-manager/zsh.nix
+++ b/home-manager/zsh.nix
@@ -1,7 +1,8 @@
-{ config
-, lib
-, pkgs
-, ...
+{
+ config,
+ lib,
+ pkgs,
+ ...
}:
{
config = {
@@ -18,6 +19,8 @@
eval "$(direnv hook zsh)"
export GPG_TTY=$(tty)
export EDITOR="nvim -n -c 'set noswapfile nobackup nowritebackup'"
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+
'';
shellAliases = {
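Review bot: The added `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` runs in every interactive zsh, including shells reached over SSH, where it replaces a forwarded agent socket with the local gpg-agent one. If agent forwarding is ever used, guard it with `[ -z "$SSH_CONNECTION" ] && export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)`; otherwise a short comment stating that overriding the desktop keyring's socket is intentional would explain why the line is unconditional. The enclosing multi-line string begins before this hunk.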
diff --git a/hosts/Nixbook/default.nix b/hosts/Nixbook/default.nix
index 1653cea..148db8f 100644
--- a/hosts/Nixbook/default.nix
+++ b/hosts/Nixbook/default.nix
@@ -13,7 +13,9 @@
kernelPackages = pkgs.linuxPackages_latest;
};
- environment.sessionVariables = { NIXOS_OZONE_WL = "1"; };
+ environment.sessionVariables = {
+ NIXOS_OZONE_WL = "1";
+ };
environment.systemPackages = with pkgs; [
exfat
gcsfuse
@@ -30,7 +32,7 @@
networking.hostName = "Nixbook";
programs.hyprland.enable = false;
programs.hyprland.withUWSM = false;
-
+ programs.ssh.startAgent = false;
hardware = {
sane.enable = true;
graphics.enable = true;
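Review bot: `programs.ssh.startAgent = false;` is required because hosts/common/default.nix now sets `programs.gnupg.agent.enableSSHSupport = true` and the NixOS gnupg module asserts that ssh-agent and gpg-agent SSH support cannot both be enabled, but the line carries no explanation; add `# gpg-agent serves SSH (enableSSHSupport in hosts/common); NixOS forbids enabling ssh-agent alongside it`. The same reasoning applies to the `gnome.gnome-keyring.enable = true` hunk below and to the hosts/common/default.nix hunk: the keyring may publish its own SSH_AUTH_SOCK in a GNOME session, which is presumably why the zsh change re-exports the gpg-agent socket, and a comment at either site would make that chain visible.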
@@ -88,7 +90,7 @@
gdm.wayland = true;
defaultSession = "gnome";
};
-
+ gnome.gnome-keyring.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
@@ -154,9 +156,5 @@
};
};
-
-
-
-
system.stateVersion = "23.11";
}
diff --git a/hosts/Nixcloud/default.nix b/hosts/Nixcloud/default.nix
new file mode 100644
index 0000000..e7ae5e5
--- /dev/null
+++ b/hosts/Nixcloud/default.nix
@@ -0,0 +1,95 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [ ./users/nimbus/default.nix ];
+
+ boot.loader.systemd-boot.enable = true;
+
+ nixpkgs.overlays = [
+ (final: prev: {
+ libnitrokey = prev.libnitrokey.overrideAttrs (old: {
+ cmakeFlags = (old.cmakeFlags or [ ]) ++ [
+ "-DCMAKE_POLICY_VERSION_MINIMUM=3.5"
+ ];
+ });
+ })
+ ];
+
+ environment = {
+ shells = with pkgs; [ bash ];
+ etc = lib.mapAttrs' (name: value: {
+ name = "nix/path/${name}";
+ value.source = value.flake;
+ }) config.nix.registry;
+ systemPackages = with pkgs; [
+ ccid
+ exfat
+ file
+ fuse3
+ gcsfuse
+ git
+ gnupg
+ libnitrokey
+ libusb1
+ nix-ld
+ opensc
+ pciutils
+ pcsc-safenet
+ pcsclite
+ pcsctools
+ pkcs11helper
+ rclone
+ sops
+ wget
+ ];
+ };
+
+ nix = {
+ registry = (lib.mapAttrs (_: flake: { inherit flake; })) (
+ (lib.filterAttrs (_: lib.isType "flake")) inputs
+ );
+
+ nixPath = [ "/etc/nix/path" ];
+
+ settings = {
+ download-buffer-size = "512M";
+ experimental-features = "nix-command flakes";
+ auto-optimise-store = true;
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ programs = {
+ gnupg = {
+ agent = {
+ enableSSHSupport = true;
+ enable = true;
+ pinentryPackage = pkgs.pinentry-tty;
+ };
+ };
+ nix-ld = {
+ enable = true;
+ libraries = with pkgs; [
+ glibc
+ zlib
+ ];
+ };
+ };
+ services = {
+ pcscd.enable = true;
+ # xserver.displayManager.sessionCommands =
+ # "${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 64 = Alt_L'";
+
+ udev.packages = [
+ pkgs.nitrokey-udev-rules
+ ];
+ };
+ users.groups.scard = { };
+
+ time.timeZone = "America/Sao_Paulo";
+}
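Review bot: `imports = [ ./users/nimbus/default.nix ];` resolves relative to hosts/Nixcloud/, but this patch creates the user module at hosts/common/users/nimbus/default.nix, so evaluation will fail with a missing file unless a copy exists under hosts/Nixcloud/users outside the diff; the line should read `imports = [ ../common/users/nimbus/default.nix ];`, or the host should import hosts/common/default.nix, which would also remove the gnupg, pcscd and udev blocks duplicated here. Separately, `boot.loader.systemd-boot.enable = true` requires an EFI system, while the generated hardware-configuration.nix in this patch sets `boot.loader.grub.device = "/dev/sda"` for a BIOS-style layout; confirm which loader the VM actually boots with and keep only that one. Nothing in the diff imports nixos/configuration.nix from this file either, so the hostname, sshd and nixos-infect settings may not be part of the Nixcloud build.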
diff --git a/hosts/Nixcloud/nixos/configuration.nix b/hosts/Nixcloud/nixos/configuration.nix
new file mode 100644
index 0000000..0a9232b
--- /dev/null
+++ b/hosts/Nixcloud/nixos/configuration.nix
@@ -0,0 +1,15 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix # generated at runtime by nixos-infect
+
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "srv1065175";
+ networking.domain = "hstgr.cloud";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWstSULudWNwPQxyS2J7Qygw8CozDDy8WsPjsYzKPI9s0B/KLU0g1oX42bBvn4DgNpzGrpb6IGHpRQohStt7vcOxb9XpfhIOcIr45gU3k3lcPjh6vj8/ZoNQlRDIfxs83RDImvveYABuI/Hq42mLV1kI5qnQHaJxuW73AuYKNzE3Z3PUl5Kw6MgzSZ96QlpiQDn/js7ZTBF/YZ18kPh9E9O1y+EDhcJ4gn38rFIMYMG/KbJB22hYyYQHo0WkJlZ2jScnjv1op2yHPM4lfjOnnyL+LhOQLN8VrHayDWXtJcIW0nEKT+1R/7qkSH/5ELA2c/gznfkdTDzfG8+P3WAzNF openpgp:0xC25417F1 n3k0'' '''' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICRAJaRuXqVeAs/Y5CeTbyc9lSbyvchkVqiML/yl6wbh thiago@Nixbook'' ];
+ system.stateVersion = "23.11";
+}
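Review bot: `services.openssh.enable = true;` is set without any `settings`, so the NixOS defaults leave password authentication on and key-based root login permitted on a host with a public address; given that the `nimbus` user added in this patch is created with `initialPassword = "changeme"`, add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };`, tightening to `PermitRootLogin = "no"` once the unprivileged user's keys are confirmed to work. The `authorizedKeys.keys` list also contains an empty `''''` element between the two keys; it only adds a blank line to authorized_keys and should be dropped.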
diff --git a/hosts/Nixcloud/nixos/hardware-configuration.nix b/hosts/Nixcloud/nixos/hardware-configuration.nix
new file mode 100644
index 0000000..5e7b44e
--- /dev/null
+++ b/hosts/Nixcloud/nixos/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/Nixcloud/nixos/networking.nix b/hosts/Nixcloud/nixos/networking.nix
new file mode 100644
index 0000000..30f9f61
--- /dev/null
+++ b/hosts/Nixcloud/nixos/networking.nix
@@ -0,0 +1,35 @@
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [ "45.143.83.10"
+ "1.1.1.1"
+ "8.8.4.4"
+ ];
+ defaultGateway = "72.61.129.254";
+ defaultGateway6 = {
+ address = "2a02:4780:66::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="72.61.129.56"; prefixLength=24; }
+ ];
+ ipv6.addresses = [
+ { address="2a02:4780:66:9ac0::1"; prefixLength=48; }
+{ address="fe80::9ce8:d4ff:feb5:50d7"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "72.61.129.254"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "2a02:4780:66::1"; prefixLength = 128; } ];
+ };
+
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="9e:e8:d4:b5:50:d7", NAME="eth0"
+
+ '';
+}
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 7789cf0..6264d98 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -72,6 +72,7 @@
programs = {
gnupg = {
agent = {
+ enableSSHSupport = true;
enable = true;
pinentryPackage = pkgs.pinentry-tty;
};
@@ -89,6 +90,7 @@
pcscd.enable = true;
# xserver.displayManager.sessionCommands =
# "${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 64 = Alt_L'";
+
udev.packages = [
pkgs.libwacom
pkgs.nitrokey-udev-rules
diff --git a/hosts/common/users/nimbus/default.nix b/hosts/common/users/nimbus/default.nix
new file mode 100644
index 0000000..00d969f
--- /dev/null
+++ b/hosts/common/users/nimbus/default.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, ... }:
+let
+ ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in
+{
+ users.users.nimbus = {
+
+ isNormalUser = true;
+ initialPassword = "changeme";
+ extraGroups = [
+ "fuse"
+ "networkmanager"
+ "scard"
+ "wheel"
+ ]
+ ++ ifTheyExist [
+ "docker"
+ "git"
+ "i2c"
+ "kvm"
+ "libvirt"
+ "libvirtd"
+ "photos"
+ "scanner"
+ "video"
+ "wireshark"
+ ];
+ openssh.authorizedKeys.keyFiles = [
+ (builtins.fetchurl {
+ url = "https://meta.sr.ht/~sposito.keys";
+ name = "sposito-srht-keys";
+ sha256 = "1mf76x36kd1iaccy6l5f5xnbjqkm1fwf9giws9nb3bvgmj3c25wc";
+ })
+ ];
+
+ packages = with pkgs; [
+ git
+ podman
+ podman-compose
+ nginx
+ ];
+ };
+
+}
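Review bot: `initialPassword = "changeme"` gives a `wheel` member a publicly known password that persists until someone changes it by hand, since `initialPassword` is applied only when the account is first created; prefer `hashedPasswordFile = config.sops.secrets."<secret-name>".path;` (sops-nix is already a flake input and `sops` is installed) or at least `initialHashedPassword`, and disable SSH password authentication on every host that imports this module. The `builtins.fetchurl` of the sr.ht key list is correctly pinned by `sha256`, which means an upstream key rotation fails evaluation with a hash mismatch instead of silently admitting new keys; a one-line comment saying so, e.g. `# sha256 pins the key list: rotate keys by updating the hash deliberately`, would save the next maintainer from "fixing" it by removing the pin.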