diff --git a/common/boot.nix b/common/boot.nix
deleted file mode 100644
index 985e701..0000000
--- a/common/boot.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-{
- boot = {
- loader = {
- efi.canTouchEfiVariables = true;
- grub = {
- enable = true;
- efiSupport = true;
- device = "nodev";
- };
- };
-
- kernelPackages = pkgs.linuxPackages_6_12;
- kernel.sysctl."kernel.sysrq" = 1;
-
- initrd.systemd.network.wait-online.enable = false;
- };
-}
diff --git a/common/default.nix b/common/default.nix
index 8bdfa2b..5d7d18c 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -4,7 +4,6 @@
 inputs.agenix.nixosModules.default
 ../mod
 ../desktop
- ./boot.nix
 ./locale.nix
 ./nix.nix
 ./security.nix
diff --git a/desktop/default.nix b/desktop/default.nix
index f1894ab..90887a8 100644
--- a/desktop/default.nix
+++ b/desktop/default.nix
@@ -33,15 +33,15 @@ in
 config = mkIf cfg.enable {
 hd.desktop = {
- accounts.enable = true;
- audio.enable = true;
- fonts.enable = true;
- gpg.enable = true;
- network.enable = true;
- security.enable = true;
- services.enable = true;
- software.enable = true;
- wm.enable = true;
+ accounts.enable = lib.mkDefault true;
+ audio.enable = lib.mkDefault true;
+ fonts.enable = lib.mkDefault true;
+ gpg.enable = lib.mkDefault true;
+ network.enable = lib.mkDefault true;
+ security.enable = lib.mkDefault true;
+ services.enable = lib.mkDefault true;
+ software.enable = lib.mkDefault true;
+ wm.enable = lib.mkDefault true;
 };
 nixpkgs.config.allowUnfreePredicate =
diff --git a/flake.lock b/flake.lock
index d22881c..2f59eb4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -49,6 +49,27 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746728054,
+ "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "ff442f5d1425feb86344c028298548024f21256d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "latest",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -181,6 +202,7 @@
 "inputs": {
 "agenix": "agenix",
 "colmena": "colmena",
+ "disko": "disko",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager_2",
 "nixos-hardware": "nixos-hardware",
diff --git a/flake.nix b/flake.nix
index 7402912..316a2fb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.flake-utils.follows = "flake-utils";
 };
+ disko = {
+ url = "github:nix-community/disko/latest";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs =
@@ -29,6 +33,7 @@
 self,
 agenix,
 colmena,
+ disko,
 flake-utils,
 home-manager,
 nixos-hardware,
@@ -78,6 +83,19 @@
 overlays
 ];
 };
+
+ "fw" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = specialArgs // {
+ host = "fw";
+ };
+ modules = [
+ ./host/fw
+ ./home
+ ./common
+ overlays
+ ];
+ };
 };
 colmenaHive = colmena.lib.makeHive {
diff --git a/host/c2/default.nix b/host/c2/default.nix
index b54bac6..eac23c5 100644
--- a/host/c2/default.nix
+++ b/host/c2/default.nix
@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ inputs, pkgs, ... }:
 {
 networking.hostName = "c2";
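Review bot: The new `disko` input tracks `github:nix-community/disko/latest`, a moving ref, so the pin lives only in flake.lock (rev `ff442f5d1425feb86344c028298548024f21256d` in this commit) and each `nix flake update` will jump to whatever `latest` then resolves to. A comment on the `url =` line, `# "latest" is a moving tag; the exact rev is pinned in flake.lock, review the disko diff on update`, or a fixed release tag in its place, makes that supply-chain choice explicit. The third hunk wires the same input into the new `fw` nixosSystem, so an unreviewed disko update lands directly in that host's disk-layout module.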
@@ -13,8 +13,24 @@
 common-pc-laptop-ssd
 ];
- boot.loader.efi.efiSysMountPoint = "/boot/efi";
- boot.resumeDevice = "/dev/disk/by-label/nixswap";
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ efi.efiSysMountPoint = "/boot/efi";
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+
+ resumeDevice = "/dev/disk/by-label/nixswap";
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+ kernel.sysctl."kernel.sysrq" = 1;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
 # Fix for touchpad physical click not working
 boot.kernelParams = [ "psmouse.synaptics_intertouch=0" ];
diff --git a/host/fw/default.nix b/host/fw/default.nix
new file mode 100644
index 0000000..31d438b
--- /dev/null
+++ b/host/fw/default.nix
@@ -0,0 +1,43 @@
+{ inputs, pkgs, ... }:
+{
+ networking.hostName = "fw";
+
+ age.identityPaths = [
+ "/root/.ssh/id_ed25519"
+ ];
+
+ imports = [
+ ./hardware-configuration.nix
+ inputs.disko.nixosModules.disko
+ ./disko.nix
+ ];
+
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ };
+ };
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+ kernel.sysctl."kernel.sysrq" = 1;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "ondemand";
+ };
+
+ hd.desktop.enable = true;
+
+ networking.firewall = {
+ enable = true;
+ };
+
+ # ====== DON'T CHANGE ======
+ system.stateVersion = "25.05";
+}
diff --git a/host/fw/disko.nix b/host/fw/disko.nix
new file mode 100644
index 0000000..25f1cf8
--- /dev/null
+++ b/host/fw/disko.nix
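Review bot: The `boot = { … }` block added here is the block common/boot.nix carried for every host until this commit, and it is repeated in host/solo, host/roam and (minus `device`) host/fw, so the loader, kernel and sysrq settings now have four copies to keep in sync. The commit already switches desktop/default.nix to `lib.mkDefault` so hosts can override; the same approach would let common/boot.nix keep the shared values while this host adds only `boot.loader.efi.efiSysMountPoint = "/boot/efi";` and `boot.resumeDevice`. If the per-host inlining is deliberate, a short comment above `boot = {` saying why (for instance that fw leaves the GRUB device to disko) would stop the next edit from recentralising it. The enclosing module attribute set continues outside the hunk.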
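Review bot: `grub = { enable = true; efiSupport = true; }` in this file sets no `device`, while c2, solo and roam all set `device = "nodev"`, and nothing in the file explains the difference. Presumably disko is expected to derive the GRUB install target from the EF02 `boot` partition declared in ./disko.nix; if that is the intent, a comment on the `grub = {` line such as `# grub.device is left to disko (EF02 partition in ./disko.nix)` would keep the omission from being "fixed" by copying from another host. `networking.firewall = { enable = true; };` restates the NixOS default and reads like a placeholder; either drop it or put the host's actual allowed-ports list there.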
@@ -0,0 +1,97 @@
+let
+ rootfs = {
+ type = "btrfs";
+ extraArgs = [
+ "-f"
+ "-L"
+ "nixroot"
+ ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+in
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ label = "crypt";
+ content = {
+ type = "luks";
+ name = "cryptlvm";
+ settings = {
+ allowDiscards = true;
+ };
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%";
+ content = rootfs;
+ };
+ swap = {
+ size = "48G";
+ content = {
+ extraArgs = [ "-L nixswap" ];
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+
+ };
+ };
+ };
+ };
+}
diff --git a/host/fw/hardware-configuration.nix b/host/fw/hardware-configuration.nix
new file mode 100644
index 0000000..e289037
--- /dev/null
+++ b/host/fw/hardware-configuration.nix
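Review bot: The swap LV's `extraArgs = [ "-L nixswap" ];` packs the flag and its value into one list element, whereas `rootfs` above writes `extraArgs = [ "-f" "-L" "nixroot" ];`; whether the one-element form reaches `mkswap` as one argument or two depends on how disko quotes the list, so `extraArgs = [ "-L" "nixswap" ];` is correct under either behaviour and consistent with the rest of the file. `allowDiscards = true` on the LUKS container is a known trade-off (TRIM passing through the mapping reveals which blocks are free) and deserves a one-line comment recording that it was chosen knowingly, e.g. `# allowDiscards: TRIM passthrough exposes free-block layout; accepted for SSD wear`. The container also declares no key or password file, so formatting will presumably prompt for the passphrase interactively — worth a note beside `type = "luks";` so nobody expects an unattended install.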
@@ -0,0 +1,28 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/host/roam/default.nix b/host/roam/default.nix
index ecc870c..59ef5f2 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -1,4 +1,5 @@
-_: {
+{ pkgs, ... }:
+{
 networking.hostName = "roam";
 age.identityPaths = [
@@ -14,6 +15,21 @@ _: {
 ./services.nix
 ];
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
+
 security = {
 acme = {
 acceptTerms = true;
diff --git a/host/solo/default.nix b/host/solo/default.nix
index 9ddc15d..683cb57 100644
--- a/host/solo/default.nix
+++ b/host/solo/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
 networking = {
 hostName = "solo";
@@ -21,6 +21,22 @@
 ./nvidia-gpu.nix
 ];
+ boot = {
+ loader = {
+ efi.canTouchEfiVariables = true;
+ grub = {
+ enable = true;
+ efiSupport = true;
+ device = "nodev";
+ };
+ };
+
+ kernelPackages = pkgs.linuxPackages_6_12;
+ kernel.sysctl."kernel.sysrq" = 1;
+
+ initrd.systemd.network.wait-online.enable = false;
+ };
+
 powerManagement = {
 enable = true;
 cpuFreqGovernor = "performance";
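Review bot: roam's new `boot` block omits `kernel.sysctl."kernel.sysrq" = 1;`, which the deleted common/boot.nix applied to every host and which c2, solo and fw all carry in their copies, so this host's SysRq configuration silently changes with the commit. If that is intentional — `1` enables every SysRq function, which is a fair thing to withhold on the host that fronts the `security.acme` services visible in the context lines — a comment such as `# kernel.sysrq intentionally left at the NixOS default on this host` beside `kernelPackages` would record it; if it is an oversight, add the line back. The same block in host/solo (the following hunk) does include it, so the two can be compared directly. The enclosing module attribute set continues outside the hunk.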
diff --git a/secrets/hd-password.age b/secrets/hd-password.age
index c9a29c4..3ac1629 100644
Binary files a/secrets/hd-password.age and b/secrets/hd-password.age differ
diff --git a/secrets/roam/firefox-sync-secret.age b/secrets/roam/firefox-sync-secret.age
index b2d5137..43e4f25 100644
Binary files a/secrets/roam/firefox-sync-secret.age and b/secrets/roam/firefox-sync-secret.age differ
diff --git a/secrets/roam/rclone-conf.age b/secrets/roam/rclone-conf.age
index 1f47041..65f3951 100644
Binary files a/secrets/roam/rclone-conf.age and b/secrets/roam/rclone-conf.age differ
diff --git a/secrets/tlskey.age b/secrets/tlskey.age
index 926f347..99fc887 100644
Binary files a/secrets/tlskey.age and b/secrets/tlskey.age differ
diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix
index 1561f05..fd9e3d5 100644
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@@ -8,10 +8,12 @@ mkKeys {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
 "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
+ "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmxhDwylLlklpgiUWHc0BPSCkNkuAIrXLNOHpAcgXiL";
 };
 root = {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
 "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
+ "fw" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjfPXDS3UvVGXzJYXU8TyP5q0WDzb0anx4Std40AT+j";
 };
 }
diff --git a/var/wg.nix b/var/wg.nix
index 64253b1..76d538a 100644
--- a/var/wg.nix
+++ b/var/wg.nix
@@ -4,6 +4,7 @@ rec {
 "roam" = "yUbdRfRFFVe4FPUaD7pVByLRhpF9Yl1kethxRUHpVgs=";
 "solo" = "SRDguh0aN/RH8q/uB09w/OZTbP9JZZy0ABowbWIfkTk=";
 "c2" = "yJ1vrI9+qzUHuQJxeRDLCDCMRCIhF+0UNPwz3agyxTk=";
+ "fw" = "xpiJJMPhZEIEvNDBYRbnOsBeDCdKN1cHdYM95b9+rUY=";
 };
 wireguard-network = {
 "roam" = {
@@ -25,6 +26,12 @@ rec {
 allowedIPs = [ "10.10.11.3/32" ];
 persistentKeepalive = 19;
 };
+ "fw" = {
+ publicKey = publicKey."fw";
+ ips = [ "10.10.11.4/32" ];
+ allowedIPs = [ "10.10.11.4/32" ];
+ persistentKeepalive = 23;
+ };
 };
 keyFile = "/var/secrets/wg.key";