├── .gitmodules ├── config.nix ├── modules ├── ecryptfs.nix ├── nixpkgs.nix ├── nix-serve.nix ├── fish.nix ├── ssh-22.11.nix ├── ssh.nix ├── dvorak-swapcaps │ ├── keymap.nix │ └── default.nix ├── agenix.nix ├── udev.nix ├── synaptics.nix ├── config.nix ├── hplip.nix ├── dropbox.nix ├── terminfo.nix ├── fonts.nix ├── desktop.nix ├── programs.nix ├── zerotier.nix ├── users.nix ├── nix.nix └── vscode.nix ├── mercury ├── ca.nix ├── pritunl.nix └── postgresql.nix ├── .editorconfig ├── .gitignore ├── install ├── nixos-install.sh └── README.md ├── hosts ├── rescue │ ├── README.md │ └── configuration.nix ├── zeus │ ├── cache.nix │ ├── gitolite.nix │ ├── zfs.nix │ ├── nextcloud │ │ └── default.nix │ ├── README.md │ └── configuration.nix ├── budgie │ ├── zfs.nix │ ├── forgejo.nix │ ├── hardware-configuration.nix │ ├── configuration.nix │ ├── README.org │ └── nextcloud.nix ├── bingo │ ├── hardware.nix │ └── configuration.nix ├── micro │ └── configuration.nix ├── bandit │ ├── README.org │ ├── hardware-configuration.nix │ └── configuration.nix ├── hercules │ ├── hardware.nix │ ├── configuration.nix │ └── README.md └── radley │ ├── hardware.nix │ └── configuration.nix ├── job.sh ├── README.md ├── nixpkgs └── config.nix ├── deploy.sh ├── flake.nix ├── howto └── zfs-encryption.md └── flake.lock /.gitmodules: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /config.nix: -------------------------------------------------------------------------------- 1 | nixpkgs/config.nix -------------------------------------------------------------------------------- /modules/ecryptfs.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}:

{
  security.pam.enableEcryptfs = true;
}
--------------------------------------------------------------------------------
/modules/nixpkgs.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ... }:

{
  nixpkgs.config = import ../nixpkgs/config.nix pkgs;
}
--------------------------------------------------------------------------------
/mercury/ca.nix:
--------------------------------------------------------------------------------
{ secrets, ... }:

{
  # Adds the internal Mercury CA to the system-wide trust bundle: every TLS
  # client on this host will then accept any certificate that CA issues, so
  # keep this module limited to hosts that actually need the internal services.
  security.pki.certificateFiles = [ "${secrets}/mercury/internal.mercury.com.ca.crt" ];
}
--------------------------------------------------------------------------------
/modules/nix-serve.nix:
--------------------------------------------------------------------------------
{ ... }:

{
  # Opens 5000/tcp on every interface (the rule is not scoped to an interface),
  # so any peer that can reach this host can download any path in /nix/store.
  # The store is world-readable by design, but nothing sensitive may live in it,
  # and it is worth limiting this to the network the other hosts actually use,
  # e.g. networking.firewall.interfaces.<iface>.allowedTCPPorts.
  networking.firewall.allowedTCPPorts = [ 5000 ];
  # NOTE(review): no services.nix-serve.secretKeyFile is set, so nix-serve
  # hands out the signatures the store paths already carry (modules/nix.nix
  # signs local builds with /etc/nix/private-key).  Clients must list the
  # matching public key in trusted-public-keys or they will refuse the paths.
  services.nix-serve.enable = true;
}
--------------------------------------------------------------------------------
/modules/fish.nix:
--------------------------------------------------------------------------------
{ config, lib, pkgs, ... }:

{
  programs.fish.enable = true;
  users.users.ttuegel.shell =
    lib.mkDefault "/var/run/current-system/sw/bin/fish";
}
--------------------------------------------------------------------------------
/modules/ssh-22.11.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ...
}: 2 | 3 | { 4 | services.openssh = { 5 | enable = true; 6 | passwordAuthentication = false; 7 | permitRootLogin = "no"; 8 | }; 9 | } 10 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | end_of_line = lf 5 | insert_final_newline = true 6 | trim_trailing_whitespace = true 7 | charset = utf-8 8 | 9 | [*.nix] 10 | indent_style = space 11 | indent_size = 2 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .*.swp 2 | gitolite-admin.pub 3 | /programs/mathematica/src 4 | /hardware.nix 5 | *.hashedPassword 6 | /configuration.nix 7 | /hosts/zeus/nextcloud/adminpass 8 | /secrets/ 9 | /.vscode/ 10 | /result* 11 | -------------------------------------------------------------------------------- /install/nixos-install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | host=$1; shift 4 | nixos-install \ 5 | --option binary-caches "$host" \ 6 | --option trusted-public-keys 'zeus-1:hpocFIqCGUxWFSSlvq5V0ImyCQhl+LcnCB21C7bhqjs=' \ 7 | "$@" -------------------------------------------------------------------------------- /modules/ssh.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | 3 | { 4 | services.openssh = { 5 | enable = true; 6 | settings = { 7 | PasswordAuthentication = false; 8 | PermitRootLogin = "no"; 9 | }; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /hosts/rescue/README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | nix-build nixos -A config.system.build.isoImage \ 3 | -I nixpkgs=$HOME/nixpkgs \ 4 | -I nixos=$HOME/nixpkgs/nixos \ 5 | -I nixos-config=$HOME/nixos-config/hosts/rescue/configuration.nix 6 | ``` 7 | -------------------------------------------------------------------------------- /job.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -ex 3 | 4 | host="${1:?}" 5 | 6 | nix-build \ 7 | --option max-jobs 1 \ 8 | -I nixos-config=$PWD/hosts/$host/configuration.nix \ 9 | hosts/$host/nixpkgs/nixos \ 10 | -A system 11 | -------------------------------------------------------------------------------- /modules/dvorak-swapcaps/keymap.nix: -------------------------------------------------------------------------------- 1 | { runCommand, kbd }: 2 | 3 | runCommand "dvorak-swapcaps.map.gz" {} '' 4 | zcat "${kbd}/share/keymaps/i386/dvorak/dvorak.map.gz" \ 5 | | sed -e 's/Caps_Lock/Control/g' \ 6 | | gzip -c >$out 7 | '' 8 | -------------------------------------------------------------------------------- /modules/agenix.nix: -------------------------------------------------------------------------------- 1 | { config, agenix-cli, ... }: 2 | 3 | let 4 | inherit (config.nixpkgs.localSystem) system; 5 | packages = agenix-cli.packages.${system}; 6 | in 7 | 8 | { 9 | environment.systemPackages = [ packages.agenix-cli ]; 10 | } 11 | -------------------------------------------------------------------------------- /hosts/zeus/cache.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | 3 | { 4 | fileSystems."/var/www/cache" = { 5 | device = "tank/cache"; 6 | fsType = "zfs"; 7 | }; 8 | 9 | services.nginx.virtualHosts.localhost = { 10 | root = "/var/www/cache"; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /modules/udev.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | services.udev.extraRules = '' 5 | # set deadline scheduler for non-rotating disks 6 | ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline" 7 | ''; 8 | } 9 | -------------------------------------------------------------------------------- /hosts/rescue/configuration.nix: -------------------------------------------------------------------------------- 1 | { modulesPath, ...}: 2 | 3 | { 4 | imports = [ 5 | (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") 6 | ]; 7 | 8 | # Add ZFS support to kernel and userspace 9 | boot.supportedFilesystems = [ "zfs" ]; 10 | } 11 | -------------------------------------------------------------------------------- /mercury/pritunl.nix: -------------------------------------------------------------------------------- 1 | { config, secrets, ... }: 2 | 3 | { 4 | services.openvpn.servers = { 5 | pritunl = { 6 | autoStart = false; 7 | updateResolvConf = true; 8 | config = "config ${secrets}/mercury/pritunl-thomas.ovpn"; 9 | }; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /modules/dvorak-swapcaps/default.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | 3 | { 4 | console.keyMap = (pkgs.callPackage ./keymap.nix {}); 5 | 6 | services.xserver = { 7 | layout = "us"; 8 | xkbVariant = "dvorak"; 9 | xkbOptions = "ctrl:swapcaps,compose:menu"; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /modules/synaptics.nix: -------------------------------------------------------------------------------- 1 | { ... }: 2 | 3 | { 4 | services.xserver.synaptics = { 5 | enable = true; 6 | twoFingerScroll = true; 7 | vertEdgeScroll = false; 8 | additionalOptions = '' 9 | Option "LockedDrags" "True" 10 | Option "LockedDragTimeout" "500" 11 | ''; 12 | }; 13 | } 14 | -------------------------------------------------------------------------------- /hosts/budgie/zfs.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | boot.supportedFilesystems = [ "zfs" ]; 5 | boot.kernelParams = [ "zfs.zfs_arc_max=536870912" ]; 6 | networking.hostId = "2ab18e0f"; 7 | services.zfs = { 8 | autoScrub.enable = true; 9 | autoSnapshot.enable = true; 10 | }; 11 | } 12 | -------------------------------------------------------------------------------- /hosts/zeus/gitolite.nix: -------------------------------------------------------------------------------- 1 | { secrets, ... }: 2 | 3 | { 4 | 5 | fileSystems."/var/lib/gitolite" = { 6 | device = "tank/gitolite"; 7 | fsType = "zfs"; 8 | }; 9 | 10 | services.gitolite = { 11 | enable = true; 12 | adminPubkey = builtins.readFile "${secrets}/hosts/zeus/gitolite-admin.pub"; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /hosts/zeus/zfs.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | boot.supportedFilesystems = [ "zfs" ]; 5 | boot.kernelParams = [ "zfs.zfs_arc_max=2147483648" ]; 6 | networking.hostId = "63f13d60"; 7 | services.zfs = { 8 | autoScrub.enable = true; 9 | autoSnapshot.enable = true; 10 | autoSnapshot.daily = 90; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /modules/config.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ./nixpkgs.nix 6 | ./terminfo.nix 7 | ./udev.nix 8 | ]; 9 | 10 | i18n = { 11 | defaultLocale = "en_US.UTF-8"; 12 | }; 13 | 14 | services.avahi.enable = true; 15 | services.avahi.nssmdns = true; 16 | 17 | services.ntp.enable = false; 18 | services.chrony.enable = true; 19 | } 20 | -------------------------------------------------------------------------------- /modules/hplip.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | let 4 | 5 | inherit (pkgs) hplipWithPlugin; 6 | 7 | in 8 | 9 | { 10 | environment.systemPackages = [ hplipWithPlugin ]; 11 | 12 | # HP printer/scanner support 13 | hardware.sane.enable = true; 14 | hardware.sane.extraBackends = [ hplipWithPlugin ]; 15 | services.printing.enable = true; 16 | services.printing.drivers = [ hplipWithPlugin ]; 17 | } 18 | -------------------------------------------------------------------------------- /modules/dropbox.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | 3 | let 4 | autostartDropbox = pkgs.runCommand "autostart-dropbox" 5 | { inherit (pkgs) dropbox; } 6 | '' 7 | mkdir -p "$out/etc/xdg/autostart" 8 | ln -s "$dropbox/share/applications/dropbox.desktop" \ 9 | "$out/etc/xdg/autostart/dropbox.desktop" 10 | ''; 11 | in 12 | { 13 | environment.systemPackages = [ autostartDropbox pkgs.dropbox ]; 14 | } 15 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NixOS 2 | 3 | ## Passwords 4 | 5 | Create hashed password files with `mkpasswd`: 6 | 7 | ``` 8 | mkpasswd -m sha-512 >secrets/users//hashed-password 9 | ``` 10 | 11 | ## Install 12 | 13 | 1. Install a basic system following the instructions in the manual. 14 | 2. Clone this repository from GitHub over HTTPS. 15 | 3. Copy secrets over sneakernet. 16 | 4. Copy GnuPG configuration to get passwords from Gitolite. 17 | 5. Generate a binary cache key: 18 | 19 | ``` 20 | nix-store --generate-binary-cache-key $hostname-1 private-key public-key 21 | sudo mv private-key /etc/nix/ 22 | cat public-key # Add to programs/nix.nix 23 | rm public-key 24 | ``` 25 | -------------------------------------------------------------------------------- /mercury/postgresql.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}:

{
  # Local development PostgreSQL.  Two settings below are deliberate trade-offs
  # that must not be copied to a host holding data anyone cares about:
  #
  # * `trust` lets any local OS account connect as any database role, the
  #   superuser included, with no password.  enableTCPIP = false means the
  #   server listens on its Unix socket only, so the two `host` lines are
  #   inert today -- but they become passwordless loopback access the moment
  #   enableTCPIP is switched on.  Prefer `peer` for the `local` line if the
  #   machine has more than one human user.
  # * fsync, synchronous_commit and full_page_writes are off: a crash or power
  #   loss can corrupt the cluster.  Acceptable for throwaway data only.
  #
  # postgresql_13 is pinned here; it is an older major release, so check it is
  # still receiving upstream fixes before relying on it.
  services.postgresql = {
    package = pkgs.postgresql_13;
    enable = true;
    enableTCPIP = false;
    authentication = ''
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
    '';
    extraPlugins = [config.services.postgresql.package.pkgs.postgis];
    settings = {
      timezone = "UTC";
      shared_buffers = 128;
      fsync = false;
      synchronous_commit = false;
      full_page_writes = false;
      max_locks_per_transaction = 256;
      shared_preload_libraries = "pg_stat_statements";
    };
  };
}
--------------------------------------------------------------------------------
/modules/terminfo.nix:
--------------------------------------------------------------------------------
{ lib, pkgs, ... }:

let
  inherit (pkgs) runCommand ncurses;

  # Terminfo file for xterm and konsole with 24-bit colors.
  terminfo-xterm-24bit = runCommand "terminfo-xterm-24bit" {} ''
    cat >terminfo-xterm-24bit.src <.useDHCP`.
  # NOTE(review): the listing is truncated at this point -- everything between
  # the heredoc above and line 31 of a hardware-configuration.nix (presumably
  # hosts/budgie's, given hypervGuest below) was lost when the page was
  # extracted.  What follows is the tail of that file, not terminfo.nix.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  virtualisation.hypervGuest.enable = true;
}
--------------------------------------------------------------------------------
/modules/users.nix:
--------------------------------------------------------------------------------
{ config, lib, secrets, pkgs, ...
}: 2 | 3 | let 4 | readHashedPassword = lib.fileContents; 5 | in 6 | 7 | { 8 | users.mutableUsers = false; 9 | 10 | users.users = { 11 | ttuegel = { 12 | uid = 1000; 13 | isNormalUser = true; 14 | description = "Thomas Tuegel"; 15 | home = "/home/ttuegel"; 16 | createHome = true; 17 | group = "users"; 18 | extraGroups = [ "adbusers" "lp" "lxd" "vboxusers" "wheel" ]; 19 | hashedPassword = readHashedPassword "${secrets}/users/ttuegel/hashed-password"; 20 | shell = "/run/current-system/sw/bin/fish"; 21 | openssh.authorizedKeys.keys = 22 | [ 23 | "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfJ6ioMR5fAtMtjLDxE/Pwq+5M5qmox1/4OyLSNFjq3b5WUftkpQ7aT0x8Rxfdt5H/XmJK4OMAQv2jT7GmsYaLQUL9MQjN+/NLxEOhPu6geURMPaq/VkFWAHlGkpeAB/T4Fl9OanETa1hkcowZwjA4rxNxonxKyNveH16tNhAurHv6Fz57KP28ne6GX9nN3lP0EgaGP+y9ZRqWW5OYZ5+A5AjKxhQ1qu2ivwfLU+9KXaa7HY6YIPrJKHcmxhAU1H7FEIs5o/EnHKVllLbNQn3B3fJp6tCVzmUHEmmS2/cuoDd16+vk98uB0b3kuGccykwDOJTZpCNV6v9dY8ptqHx1 (none)" 24 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYJqbx0vAxlcvvEX7UKBezvO8BK2Hl3Yzw+KKGxsup2 ttuegel@mailbox.org" 25 | ]; 26 | }; 27 | root.hashedPassword = readHashedPassword "${secrets}/users/root/hashed-password"; 28 | }; 29 | 30 | security.pam.loginLimits = [ 31 | { 32 | domain = "*"; 33 | type = "soft"; 34 | item = "nofile"; 35 | value = "4096"; 36 | } 37 | ]; 38 | 39 | } 40 | -------------------------------------------------------------------------------- /hosts/zeus/nextcloud/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, secrets, ... 
}: 2 | 3 | { 4 | services.postgresql = { 5 | enable = true; 6 | ensureDatabases = [ "nextcloud" ]; 7 | ensureUsers = [ 8 | { 9 | name = "nextcloud"; 10 | ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; 11 | } 12 | ]; 13 | }; 14 | 15 | fileSystems."/var/lib/postgresql" = { 16 | device = "tank/postgresql"; 17 | fsType = "zfs"; 18 | }; 19 | 20 | age.secrets.nextcloud-admin-password = { 21 | file = "${secrets}/hosts/zeus/nextcloud-admin-password"; 22 | owner = "nextcloud"; 23 | group = "nextcloud"; 24 | }; 25 | 26 | services.nextcloud = { 27 | enable = true; 28 | package = pkgs.nextcloud26; 29 | hostName = "next.tuegel.cloud"; 30 | config = { 31 | dbtype = "pgsql"; 32 | dbuser = "nextcloud"; 33 | dbhost = "/run/postgresql"; 34 | dbname = "nextcloud"; 35 | adminuser = "root"; 36 | adminpassFile = config.age.secrets.nextcloud-admin-password.path; 37 | trustedProxies = [ 38 | "10.100.0.0/24" 39 | "45.76.23.5" 40 | ]; 41 | overwriteProtocol = "https"; 42 | }; 43 | enableBrokenCiphersForSSE = false; 44 | }; 45 | 46 | fileSystems."/var/lib/nextcloud" = { 47 | device = "tank/nextcloud"; 48 | fsType = "zfs"; 49 | }; 50 | 51 | systemd.services."nextcloud-setup" = { 52 | requires = ["postgresql.service"]; 53 | after = ["postgresql.service"]; 54 | }; 55 | 56 | networking.firewall.allowedTCPPorts = [ 80 443 ]; 57 | 58 | } 59 | -------------------------------------------------------------------------------- /hosts/budgie/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ./hardware-configuration.nix 6 | ./zfs.nix 7 | ./nextcloud.nix 8 | ./forgejo.nix 9 | ../../modules/fish.nix 10 | ../../modules/nix.nix 11 | ../../modules/ssh.nix 12 | ../../modules/users.nix 13 | ]; 14 | 15 | boot.initrd.availableKernelModules = [ "hv_balloon" "hv_netvsc" "hv_storvsc" "hv_utils" "hv_vmbus" ]; 16 | 17 | # Use the GRUB 2 boot loader. 
18 | boot.loader.grub.enable = true; 19 | boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only 20 | 21 | boot.zfs.forceImportRoot = false; 22 | 23 | networking.hostName = "budgie"; 24 | 25 | # Set your time zone. 26 | time.timeZone = "America/Chicago"; 27 | 28 | environment.systemPackages = with pkgs; [ 29 | git htop nano 30 | ]; 31 | 32 | # Enable the OpenSSH daemon. 33 | services.openssh.enable = true; 34 | services.openssh.settings.PermitRootLogin = "no"; 35 | security.pam.enableSSHAgentAuth = true; 36 | services.fail2ban.enable = true; 37 | 38 | # This value determines the NixOS release from which the default 39 | # settings for stateful data, like file locations and database versions 40 | # on your system were taken. It's perfectly fine and recommended to leave 41 | # this value at the release version of the first install of this system. 42 | # Before changing this value read the documentation for this option 43 | # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 44 | system.stateVersion = "23.05"; # Did you read the comment? 45 | 46 | } 47 | -------------------------------------------------------------------------------- /hosts/bandit/hardware-configuration.nix: -------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { config, lib, pkgs, modulesPath, ... 
}: 5 | 6 | { 7 | imports = 8 | [ (modulesPath + "/installer/scan/not-detected.nix") 9 | ]; 10 | 11 | boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ]; 12 | boot.initrd.kernelModules = [ ]; 13 | boot.kernelModules = [ "kvm-intel" ]; 14 | boot.extraModulePackages = [ ]; 15 | 16 | fileSystems."/" = 17 | { device = "tank/root"; 18 | fsType = "zfs"; 19 | }; 20 | 21 | fileSystems."/boot" = 22 | { device = "/dev/disk/by-uuid/6198-4319"; 23 | fsType = "vfat"; 24 | }; 25 | 26 | swapDevices = [ ]; 27 | 28 | # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 29 | # (the default) this is the recommended approach. When using systemd-networkd it's 30 | # still possible to use this option, but it's recommended to use it in conjunction 31 | # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 32 | networking.useDHCP = lib.mkDefault true; 33 | # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; 34 | # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; 35 | 36 | nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 37 | powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; 38 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 39 | } 40 | -------------------------------------------------------------------------------- /modules/nix.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, ... 
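}:

let
  # Binary caches this host may substitute from, keyed by URL, with the
  # signing key each one publishes.  Every key listed here is a full root of
  # trust: Nix will install any store path carrying a valid signature from it,
  # so only add caches whose operators you would let build your system.
  caches = {
    # Always fetch the public cache over TLS.  Signatures protect integrity,
    # but plain HTTP still shows anyone on the path which store paths are
    # fetched and lets them serve stale (still validly signed) metadata.
    "https://cache.nixos.org" = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
    "https://nix-community.cachix.org" = "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=";
    "https://ttuegel.cachix.org" = "ttuegel.cachix.org-1:RXdy60/000ypCG8n9rpJkYdi+of5j7yj8KmwMH/nYuc=";
    "https://hercules-ci.cachix.org" = "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=";
    "https://cache.iog.io" = "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=";
    "https://shajra.cachix.org" = "shajra.cachix.org-1:V0x7Wjgd/mHGk2KQwzXv8iydfIgLupbnZKLSQt5hh9o=";
    "https://cache.mercury.com" = "cache.mercury.com:yhfFlgvqtv0cAxzflJ0aZW3mbulx4+5EOZm6k3oML+I=";
  };
  # Public halves of the per-host signing keys (README.md: each host signs
  # what it builds with /etc/nix/private-key, named in secret-key-files below).
  extraPublicKeys = [
    "zeus-1:hpocFIqCGUxWFSSlvq5V0ImyCQhl+LcnCB21C7bhqjs="
    "hermes-1:wp8T4saXcXUdKaF/9inVox1SsDZ4DA2qHzvFXb+JZcI="
    "maia-1:Fo9tkI6tOVk5ywQASNighjVAt5go/6+nGIoVrRzRgIs="
    "pollux-1:USx/G8zXmEx3kGfEqNm28KcE90jvvVUvdN0dHGRaijI="
    "pollux-2:EiBAkRxc6B3fVYPfQZAw4GIobhK7tocQ8BISx4Jq0G0="
    "bandit-1:3/GmUsRRTVknf02c9k7fbQgH1yLuTR+6kMhLHPEG/r4="
  ];
in

{
  nix = {
    settings = {
      sandbox = true;
      trusted-public-keys = lib.attrValues caches ++ extraPublicKeys;
      # trusted-substituters only whitelists these URLs so that unprivileged
      # users may ask for them (e.g. --option substituters ...); it does not
      # enable them by default -- `substituters` would do that.
      trusted-substituters = lib.attrNames caches;
    };
    extraOptions = ''
      gc-keep-derivations = true
      secret-key-files = /etc/nix/private-key
      experimental-features = nix-command flakes
    '';
    channel.enable = false;
  };
}
--------------------------------------------------------------------------------
/nixpkgs/config.nix:
--------------------------------------------------------------------------------
pkgs:

let

  config = {
    # allowBroken builds packages nixpkgs has marked broken.  It does not open
    # the separate "insecure" gate (permittedInsecurePackages is untouched),
    # so packages nixpkgs tags with knownVulnerabilities are still refused.
    allowBroken = true;
    allowUnfree = true;
    android_sdk.accept_license = true;
    pulseaudio = true;
  };

  io-mono = ''
    [buildPlans.iosevka-io-mono]
    family = "Io Mono"
    spacing =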
"fontconfig-mono" 16 | serifs = "sans" 17 | no-cv-ss = true 18 | export-glyph-names = false 19 | no-ligation = true 20 | 21 | [buildPlans.iosevka-io-mono.variants.design] 22 | i = "serifed-flat-tailed" 23 | l = "serifed-flat-tailed" 24 | t = "flat-hook" 25 | zero = "dotted" 26 | four = "closed" 27 | asterisk = "hex-low" 28 | brace = "straight" 29 | 30 | [buildPlans.iosevka-io-mono.variants.italic] 31 | k = "curly-serifless" 32 | 33 | [buildPlans.iosevka-io-mono.weights.light] 34 | shape = 300 35 | menu = 300 36 | css = 300 37 | 38 | [buildPlans.iosevka-io-mono.weights.regular] 39 | shape = 400 40 | menu = 400 41 | css = 400 42 | 43 | [buildPlans.iosevka-io-mono.weights.bold] 44 | shape = 700 45 | menu = 700 46 | css = 700 47 | ''; 48 | 49 | in 50 | 51 | config // { 52 | packageOverrides = super: 53 | let 54 | self = super.pkgs; 55 | in 56 | { 57 | 58 | # Get emacsPackages from emacs-overlay. 59 | emacsPackages = 60 | (self.emacsPackagesNgFor self.emacs).overrideScope' 61 | (_: super: super.melpaPackages); 62 | 63 | io-mono = self.iosevka.override { 64 | set = "io-mono"; 65 | privateBuildPlan = io-mono; 66 | }; 67 | 68 | # Aliases 69 | 70 | font-awesome-ttf = self.font-awesome_4; 71 | 72 | }; 73 | } 74 | -------------------------------------------------------------------------------- /hosts/budgie/README.org: -------------------------------------------------------------------------------- 1 | * Budgie 2 | 3 | ** Filesystem 4 | 5 | #+begin_src sh 6 | # Make an old-school MS-DOS partition table. 7 | parted /dev/vda -- mklabel msdos 8 | # Make the root partition. 9 | parted /dev/vda -- mkpart primary 512MB -4GB 10 | # Make a swap partition. 11 | parted /dev/vda -- mkpart primary linux-swap -4GB 100% 12 | # Make a boot partition for Grub. 13 | parted /dev/vda -- mkpart primary 1MB 512MB 14 | parted /dev/vda -- set 3 boot on 15 | # Set up swap partition. 16 | mkswap -L swap /dev/vda2 17 | # Set up boot partition. 
18 | mkfs.ext4 -L boot /dev/vda3 19 | #+end_src 20 | 21 | #+begin_src sh 22 | # Create a ZFS pool. 23 | zpool create \ 24 | -o ashift=12 \ 25 | -R /mnt \ 26 | -O canmount=off \ 27 | -O acltype=posixacl -O dnodesize=auto -O xattr=sa -O relatime=on \ 28 | -O compression=zstd \ 29 | -O normalization=formD \ 30 | tank \ 31 | /dev/vda1 32 | # Create the root dataset. 33 | zfs create \ 34 | -o mountpoint=legacy \ 35 | -o encryption=on -o keylocation=prompt -o keyformat=passphrase \ 36 | tank/root 37 | #+end_src 38 | 39 | If we have to reboot, import the pool and load the encryption key: 40 | 41 | #+begin_src sh 42 | zpool import tank 43 | zfs load-key tank/root 44 | #+end_src 45 | 46 | #+begin_src sh 47 | # Mount filesystems 48 | swapon /dev/vda2 49 | mount -t zfs tank/root /mnt 50 | mkdir -p /mnt/boot 51 | mount /dev/vda3 /mnt/boot 52 | #+end_src 53 | 54 | #+begin_src sh 55 | # Configure 56 | nixos-generate-config --root /mnt 57 | # Install git for flakes 58 | nix-env -iA nixos.gitFull 59 | nixos-install --root /mnt --flake .#budgie --no-root-passwd --no-channel-copy 60 | umount /mnt/boot /mnt 61 | swapoff 62 | zpool export tank 63 | #+end_src 64 | -------------------------------------------------------------------------------- /deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -xeu 4 | set -o pipefail 5 | 6 | build_host= 7 | dry_run= 8 | target_host= 9 | 10 | while [[ $# -gt 0 ]] 11 | do 12 | case $1 in 13 | "--build-host") 14 | shift 15 | build_host="$1" 16 | ;; 17 | "--dry-run") 18 | dry_run=1 19 | ;; 20 | "--target-host") 21 | shift 22 | target_host="$1" 23 | ;; 24 | *) 25 | if ! 
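[[ -v host ]]
then
  host="$1"
else
  echo >&2 "Unrecognized argument: $1"; exit 1
fi
esac
shift
done

# `set -u` is in effect, so expanding an unset $host would abort with an
# unhelpful "unbound variable" message; test the default-expanded form and
# print a usage line instead.
[[ -n "${host:-}" ]] || { echo >&2 "usage: $0 [--build-host HOST] [--target-host HOST] [--dry-run] HOST"; exit 1; }

if [[ -z "$target_host" ]]
then
  target_host="$host"
fi

attr_path=".#nixosConfigurations.$host.config.system.build.toplevel"
drv_path="$(nix path-info --derivation "$attr_path")"

if [[ -n "$build_host" ]]
then
  nix copy --derivation --to "ssh://$build_host" "$attr_path"
  # Building the .drv and querying the store need no credentials on the build
  # host, so the agent is not forwarded here: a forwarded agent is usable by
  # anyone with root on the remote for as long as the session lasts.
  ssh "$build_host" nix build "$drv_path"
  result="$(ssh "$build_host" nix path-info "$drv_path")"
else
  nix build "$attr_path"
  result="$(nix path-info "$attr_path")"
fi

[[ -z "$dry_run" ]] || exit 0

if [[ -n "$build_host" ]]
then
  # Agent forwarding is required here: the build host must ssh to the target.
  ssh -A "$build_host" nix copy --to "ssh://$target_host" "$result"
else
  nix copy --to "ssh://$target_host" "$result"
fi

# The target authorises sudo through the forwarded agent
# (security.pam.enableSSHAgentAuth in hosts/budgie/configuration.nix), so -A
# is needed for these two calls.  The order differs from nixos-rebuild, which
# records the generation before switching: here a failed activation aborts
# the script (set -e) before the system profile is touched.
ssh -A "$target_host" sudo env NIXOS_INSTALL_BOOTLOADER=1 "$result/bin/switch-to-configuration" switch
ssh -A "$target_host" sudo nix-env --profile /nix/var/nix/profiles/system --set "$result"
--------------------------------------------------------------------------------
/install/README.md:
--------------------------------------------------------------------------------
# Installation

0. Run `sudo su` to perform the following steps as user `root`.
1. Follow the instructions in the manual to boot and partition the new system.
2. Generate the hardware configuration.

```.sh
nixos-generate-config --root /mnt
```

3. Clone the configuration.

```.sh
mkdir -p /mnt/etc; cd /mnt/etc
git clone https://github.com/ttuegel/nixos-config nixos
```

4. Set a root password in the install environment.
   Activate the SSH daemon.
   The installer's `sshd` accepts password logins for `root`, so pick a strong
   one-time password and only do this on a network you control; the password
   disappears with the live environment.

```.sh
passwd
systemctl start sshd
```

5.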
Copy configuration secrets from the cache machine:

```.sh
# -a is required: without -r/-a rsync skips directories.  It also preserves
# the root-only ownership and modes of the secret files.
rsync -a nixos-config/secrets/ root@nixos:/mnt/etc/nixos/secrets
```

6. Install NixOS (the script is `nixos-install.sh`, next to this file).

```.sh
./nixos-install.sh IP_ADDR -I nixpkgs=/mnt/etc/nixos/nixpkgs
```

7. Authorize the new device in Zerotier.
8. Set up desktop shortcuts and terminal colors.
9. Copy GPG keys to new machine.

```.sh
# Export keys.  The armored file contains the secret key, protected only by
# its passphrase (if it has one): move it over an encrypted channel and
# delete it from both machines as soon as the import succeeds.
gpg --export-secret-keys --armor KEYID >secret.asc
# Move 'secret.asc' to the new machine.
# Import keys.
gpg --import secret.asc
# Trust keys.
gpg --edit-key KEYID
# gpg> trust
# gpg> quit
# Remove the export on both machines.  (On copy-on-write filesystems such as
# the ZFS used by these hosts, overwriting tools like shred do not reliably
# destroy the data; the key's passphrase is the real protection.)
rm -f secret.asc
```

10. Clone dotfiles with VCSH.

```.sh
vcsh clone gitolite@host:ttuegel/dotfiles
# Deal with conflicting files:
vcsh dotfiles reset origin/master
```

11. Move the configuration repository at `/etc/nixos` to `$HOME/nixos-config`.
    Update remote URLs of configuration repository and push new host configuration to GitHub.
    `secrets/` and `*.hashedPassword` are gitignored; confirm `git status` shows nothing from them before pushing.
12. Set up Firefox Sync.
13. Get wallpapers.
--------------------------------------------------------------------------------
/hosts/radley/hardware.nix:
--------------------------------------------------------------------------------
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ...
}: 5 | 6 | { 7 | imports = 8 | [ (modulesPath + "/installer/scan/not-detected.nix") 9 | ]; 10 | 11 | boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; 12 | boot.initrd.kernelModules = [ ]; 13 | boot.kernelModules = [ "kvm-intel" ]; 14 | boot.extraModulePackages = [ ]; 15 | 16 | fileSystems."/" = 17 | { device = "tank/safe/root"; 18 | fsType = "zfs"; 19 | }; 20 | 21 | fileSystems."/home" = 22 | { device = "tank/safe/home"; 23 | fsType = "zfs"; 24 | }; 25 | 26 | fileSystems."/nix" = 27 | { device = "tank/local/nix"; 28 | fsType = "zfs"; 29 | }; 30 | 31 | fileSystems."/boot" = 32 | { device = "/dev/disk/by-uuid/F7F9-D737"; 33 | fsType = "vfat"; 34 | }; 35 | 36 | swapDevices = [ ]; 37 | 38 | # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 39 | # (the default) this is the recommended approach. When using systemd-networkd it's 40 | # still possible to use this option, but it's recommended to use it in conjunction 41 | # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 42 | networking.useDHCP = lib.mkDefault true; 43 | # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true; 44 | # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true; 45 | 46 | hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 47 | } 48 | -------------------------------------------------------------------------------- /hosts/bandit/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = 5 | [ # Include the results of the hardware scan. 
6 | ./hardware-configuration.nix 7 | ../../modules/agenix.nix 8 | ../../modules/config.nix 9 | ../../modules/desktop.nix 10 | ../../modules/dvorak-swapcaps 11 | ../../modules/fish.nix 12 | ../../modules/hplip.nix 13 | ../../modules/users.nix 14 | ../../modules/zerotier.nix 15 | ]; 16 | 17 | # Use the systemd-boot EFI boot loader. 18 | boot.loader.systemd-boot.enable = true; 19 | boot.loader.efi.canTouchEfiVariables = true; 20 | 21 | networking.hostName = "bandit"; 22 | networking.hostId = "81b00b03"; 23 | networking.networkmanager.enable = true; 24 | networking.firewall = { 25 | enable = true; 26 | allowPing = true; 27 | }; 28 | 29 | nix.settings = { 30 | max-jobs = 4; 31 | cores = 2; 32 | }; 33 | 34 | time.timeZone = "America/Chicago"; 35 | 36 | i18n.defaultLocale = "en_US.UTF-8"; 37 | 38 | # This value determines the NixOS release from which the default 39 | # settings for stateful data, like file locations and database versions 40 | # on your system were taken. It's perfectly fine and recommended to leave 41 | # this value at the release version of the first install of this system. 42 | # Before changing this value read the documentation for this option 43 | # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 44 | system.stateVersion = "23.05"; # Did you read the comment? 45 | 46 | services.fstrim.enable = false; # Not necessary with ZFS. See also: services.zfs.trim.interval. 47 | 48 | # TLP power management daemon 49 | services.power-profiles-daemon.enable = false; # Bad defaults and conflicts with TLP. 50 | services.tlp.enable = true; 51 | 52 | } 53 | -------------------------------------------------------------------------------- /modules/vscode.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}: 2 | 3 | let 4 | inherit (pkgs) vscode-extensions vscode-utils vscode-with-extensions; 5 | 6 | gitlens = vscode-utils.extensionFromVscodeMarketplace { 7 | name = "gitlens"; 8 | publisher = "eamodio"; 9 | version = "11.6.0"; 10 | sha256 = "sha256:0lhrw24ilncdczh90jnjx71ld3b626xpk8b9qmwgzzhby89qs417"; 11 | }; 12 | 13 | nix-env-selector = vscode-utils.extensionFromVscodeMarketplace { 14 | name = "nix-env-selector"; 15 | publisher = "arrterian"; 16 | version = "1.0.7"; 17 | sha256 = "sha256:0mralimyzhyp4x9q98x3ck64ifbjqdp8cxcami7clvdvkmf8hxhf"; 18 | }; 19 | 20 | editorconfig = vscode-utils.extensionFromVscodeMarketplace { 21 | name = "editorconfig"; 22 | publisher = "editorconfig"; 23 | version = "0.16.4"; 24 | sha256 = "sha256:0fa4h9hk1xq6j3zfxvf483sbb4bd17fjl5cdm3rll7z9kaigdqwg"; 25 | }; 26 | 27 | rewrap = vscode-utils.extensionFromVscodeMarketplace { 28 | name = "rewrap"; 29 | publisher = "stkb"; 30 | version = "1.14.0"; 31 | sha256 = "sha256:0phffzqv1nmwsgcx6abgzbzw95zc0zlnhsjv2grs5mcsgrghl759"; 32 | }; 33 | 34 | language-yesod = vscode-utils.extensionFromVscodeMarketplace { 35 | name = "language-yesod"; 36 | publisher = "BIGMOON"; 37 | version = "0.8.1"; 38 | sha256 = "sha256:1kwhwf2cqpirhfhdm52f2y75gmp3wxffzzxh9j6s510sxw5y9gb8"; 39 | }; 40 | 41 | vscode = vscode-with-extensions.override { 42 | vscodeExtensions = with vscode-extensions; 43 | [ 44 | editorconfig 45 | rewrap 46 | gitlens 47 | language-yesod 48 | nix-env-selector 49 | bbenoist.nix 50 | dhall.dhall-lang 51 | haskell.haskell justusadam.language-haskell 52 | ms-azuretools.vscode-docker 53 | ms-vscode.cpptools 54 | ms-vscode-remote.remote-ssh 55 | ]; 56 | }; 57 | in 58 | { 59 | environment.systemPackages = [ vscode ]; 60 | } 61 | -------------------------------------------------------------------------------- /hosts/zeus/README.md: -------------------------------------------------------------------------------- 1 | # Zeus 2 | 3 | ## Initialization 4 | 5 | ### ZFS 6 | 7 | Create the ZFS pool and 
filesystems: 8 | 9 | ```.sh 10 | zpool create -O xattr=sa -o ashift=12 -o autoexpand=on tank \ 11 | mirror \ 12 | /dev/disk/by-id/ata-WDC_WD40EFRX-68N32N0_WD-WCC7K0TL8ZXR \ 13 | /dev/disk/by-id/ata-WDC_WD40EFRX-68N32N0_WD-WCC7K3FFHYLD 14 | 15 | zfs create -o mountpoint=legacy -o compression=lz4 tank/postgresql 16 | 17 | zfs create -o mountpoint=legacy -o compression=lz4 tank/nextcloud 18 | ``` 19 | 20 | ### PostgreSQL 21 | 22 | Migrate PostgreSQL to ZFS: 23 | 24 | ```.sh 25 | # Stop PostgreSQL 26 | systemctl stop postgresql 27 | # Migrate data 28 | mkdir -p /mnt 29 | mount -t zfs tank/postgresql /mnt 30 | rsync -a /var/lib/postgresql/ /mnt 31 | umount /mnt 32 | # Replace data directory with mountpoint 33 | rm -fr /var/lib/postgresql 34 | mkdir /var/lib/postgresql 35 | chown postgres:postgres /var/lib/postgresql 36 | chmod o-rwx /var/lib/postgresql 37 | mount -t zfs tank/postgresql /var/lib/postgresql 38 | # Restart PostgreSQL 39 | systemctl start postgresql 40 | ``` 41 | 42 | ### Wireguard 43 | 44 | Create a key pair for Wireguard (the private key must stay readable by root only): 45 | 46 | ```.sh 47 | mkdir -p /var/lib/wireguard 48 | wg genkey >/var/lib/wireguard/private.key 49 | chmod go-r /var/lib/wireguard/private.key 50 | # Derive the public key from the private key (wg pubkey reads stdin, writes stdout). 50 | wg pubkey </var/lib/wireguard/private.key >/var/lib/wireguard/public.key 51 | ``` 52 | 53 | ### Nextcloud 54 | 55 | Migrate Nextcloud to ZFS: 56 | 57 | ```.sh 58 | # Stop nginx 59 | systemctl stop nginx 60 | # Migrate data 61 | mkdir -p /mnt 62 | mount -t zfs tank/nextcloud /mnt 63 | rsync -a /var/lib/nextcloud/ /mnt 64 | umount /mnt 65 | # Replace data directory with mountpoint 66 | rm -fr /var/lib/nextcloud 67 | mkdir /var/lib/nextcloud 68 | chown nextcloud:nextcloud /var/lib/nextcloud 69 | mount -t zfs tank/nextcloud /var/lib/nextcloud 70 | # Restart nginx 71 | systemctl start nginx 72 | ``` 73 | 74 | ## Snapshots 75 | 76 | ```.sh 77 | zfs set com.sun:auto-snapshot=true tank 78 | zfs set com.sun:auto-snapshot:frequent=false tank 79 | zfs set com.sun:auto-snapshot=false tank/cache 80 | ``` 81 | 
-------------------------------------------------------------------------------- /hosts/hercules/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ./hardware.nix 6 | ../../modules/config.nix 7 | ../../modules/desktop.nix 8 | ../../modules/dvorak-swapcaps 9 | ../../modules/hplip.nix 10 | ../../modules/zerotier.nix 11 | ../../modules/fish.nix 12 | ../../mercury/ca.nix 13 | ../../mercury/postgresql.nix 14 | ../../modules/users.nix 15 | ]; 16 | 17 | boot.kernelParams = [ 18 | "nohibernate" 19 | "zfs.zfs_arc_max=1073741824" 20 | ]; 21 | 22 | boot.supportedFilesystems = [ "zfs" ]; 23 | boot.swraid.enable = false; 24 | 25 | # Use the systemd-boot EFI boot loader. 26 | boot.loader.systemd-boot.enable = true; 27 | boot.loader.efi.canTouchEfiVariables = true; 28 | 29 | networking.hostName = "hercules"; 30 | networking.hostId = "bb5a16a3"; 31 | 32 | networking.networkmanager.enable = true; 33 | 34 | # The global useDHCP flag is deprecated, therefore explicitly set to false here. 35 | # Per-interface useDHCP will be mandatory in the future, so this generated config 36 | # replicates the default behaviour. 37 | networking.useDHCP = false; 38 | 39 | # Disable DHCP because it conflicts with NetworkManager. 40 | networking.interfaces.enp4s0.useDHCP = false; 41 | networking.interfaces.wlo1.useDHCP = false; 42 | 43 | networking.firewall = { 44 | enable = true; 45 | allowPing = true; 46 | }; 47 | 48 | time.timeZone = "America/Chicago"; 49 | 50 | nix.settings = { 51 | max-jobs = 8; 52 | cores = 2; 53 | }; 54 | 55 | # This value determines the NixOS release from which the default 56 | # settings for stateful data, like file locations and database versions 57 | # on your system were taken. It‘s perfectly fine and recommended to leave 58 | # this value at the release version of the first install of this system. 
59 | # Before changing this value read the documentation for this option 60 | # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 61 | system.stateVersion = "21.11"; # Did you read the comment? 62 | 63 | services.tailscale.enable = true; 64 | 65 | } 66 | -------------------------------------------------------------------------------- /hosts/bingo/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | { 4 | imports = 5 | [ 6 | ./hardware.nix 7 | ../../modules/config.nix 8 | ../../modules/desktop.nix 9 | ../../modules/dvorak-swapcaps 10 | ../../modules/hplip.nix 11 | ../../modules/zerotier.nix 12 | ../../modules/fish.nix 13 | ../../mercury/ca.nix 14 | ../../mercury/postgresql.nix 15 | ../../modules/users.nix 16 | ]; 17 | 18 | boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ]; 19 | 20 | boot.supportedFilesystems = [ "zfs" ]; 21 | 22 | boot.extraModprobeConfig = '' 23 | options iwlmvm power_scheme=1 24 | options iwlwifi power_save=0 25 | ''; 26 | 27 | # Use the systemd-boot EFI boot loader. 28 | boot.loader.systemd-boot.enable = true; 29 | boot.loader.systemd-boot.memtest86.enable = true; 30 | boot.loader.efi.canTouchEfiVariables = true; 31 | 32 | networking.hostName = "bingo"; 33 | networking.hostId = "d9b1725a"; 34 | 35 | networking.networkmanager.enable = true; 36 | 37 | networking.firewall = { 38 | enable = true; 39 | allowPing = true; 40 | }; 41 | 42 | time.timeZone = "America/Chicago"; 43 | 44 | nix.settings.max-jobs = 4; 45 | nix.settings.cores = 2; 46 | 47 | # The global useDHCP flag is deprecated, therefore explicitly set to false here. 48 | # Per-interface useDHCP will be mandatory in the future, so this generated config 49 | # replicates the default behaviour. 
50 | networking.useDHCP = false; 51 | networking.interfaces.wlp0s20f3.useDHCP = true; 52 | 53 | # This value determines the NixOS release from which the default 54 | # settings for stateful data, like file locations and database versions 55 | # on your system were taken. It‘s perfectly fine and recommended to leave 56 | # this value at the release version of the first install of this system. 57 | # Before changing this value read the documentation for this option 58 | # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 59 | system.stateVersion = "21.11"; # Did you read the comment? 60 | 61 | services.tailscale.enable = true; 62 | 63 | } 64 | -------------------------------------------------------------------------------- /hosts/budgie/nextcloud.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, secrets, ... }: 2 | 3 | { 4 | services.postgresql = { 5 | enable = true; 6 | ensureDatabases = [ "nextcloud" ]; 7 | ensureUsers = [ 8 | { 9 | name = "nextcloud"; 10 | ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; 11 | } 12 | ]; 13 | }; 14 | 15 | age.secrets.nextcloud-admin-password = { 16 | file = "${secrets}/hosts/budgie/nextcloud-admin-password"; 17 | owner = "nextcloud"; 18 | group = "nextcloud"; 19 | }; 20 | 21 | age.secrets.nextcloud-backblaze-secret = { 22 | file = "${secrets}/hosts/budgie/nextcloud-backblaze-secret"; 23 | owner = "nextcloud"; 24 | group = "nextcloud"; 25 | }; 26 | 27 | services.nextcloud = { 28 | enable = true; 29 | package = pkgs.nextcloud27; 30 | hostName = "cloud.enchanted.earth"; 31 | https = true; 32 | database.createLocally = true; 33 | nginx.recommendedHttpHeaders = true; 34 | configureRedis = true; 35 | phpOptions = { 36 | "opcache.interned_strings_buffer" = "16"; 37 | }; 38 | config = { 39 | dbtype = "pgsql"; 40 | adminuser = "root"; 41 | adminpassFile = config.age.secrets.nextcloud-admin-password.path; 42 | objectstore.s3 = { 43 | enable = true; 
44 | hostname = "s3.us-west-004.backblazeb2.com"; 45 | bucket = "cloud-enchanted-earth"; 46 | usePathStyle = true; 47 | autocreate = false; 48 | key = "004e252d0df953f0000000002"; 49 | secretFile = config.age.secrets.nextcloud-backblaze-secret.path; 50 | }; 51 | }; 52 | extraOptions = { 53 | # Bulk upload is broken at least until Nextcloud 28. 54 | # Worse, the feature makes the wrong trade-off: gain some speed, but lose 55 | # all resilience, i.e. the ability to resume uploads. 56 | "bulkupload.enabled" = false; 57 | }; 58 | }; 59 | 60 | services.nginx.virtualHosts.${config.services.nextcloud.hostName} = { 61 | forceSSL = true; 62 | enableACME = true; 63 | }; 64 | security.acme.acceptTerms = true; 65 | security.acme.defaults.email = "ttuegel+acme@mailbox.org"; 66 | 67 | systemd.services."nextcloud-setup" = { 68 | requires = ["postgresql.service"]; 69 | after = ["postgresql.service"]; 70 | }; 71 | 72 | networking.firewall.allowedTCPPorts = [ 80 443 ]; 73 | 74 | } 75 | -------------------------------------------------------------------------------- /hosts/radley/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | 3 | let 4 | nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" '' 5 | export __NV_PRIME_RENDER_OFFLOAD=1 6 | export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0 7 | export __GLX_VENDOR_LIBRARY_NAME=nvidia 8 | export __VK_LAYER_NV_optimus=NVIDIA_only 9 | exec -a "$0" "$@" 10 | ''; 11 | in 12 | 13 | { 14 | imports = 15 | [ 16 | ./hardware.nix 17 | ../../modules/agenix.nix 18 | ../../modules/config.nix 19 | ../../modules/desktop.nix 20 | ../../modules/dvorak-swapcaps 21 | ../../modules/fish.nix 22 | ../../modules/hplip.nix 23 | ../../modules/users.nix 24 | ../../modules/zerotier.nix 25 | ]; 26 | 27 | boot.supportedFilesystems = [ "zfs" ]; 28 | boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ]; 29 | 30 | boot.loader.systemd-boot.enable = true; 31 | 32 | boot.tmp.useTmpfs = false; 33 | 34 | networking.hostName = "radley"; 35 | networking.hostId = "01db539b"; 36 | 37 | networking.networkmanager.enable = true; 38 | 39 | networking.firewall = { 40 | enable = true; 41 | allowPing = true; 42 | }; 43 | 44 | nix.settings = { 45 | max-jobs = 4; 46 | cores = 2; 47 | }; 48 | 49 | time.timeZone = "America/Chicago"; 50 | 51 | # The global useDHCP flag is deprecated, therefore explicitly set to false here. 52 | # Per-interface useDHCP will be mandatory in the future, so this generated config 53 | # replicates the default behaviour. 54 | networking.useDHCP = false; 55 | networking.interfaces.enp0s25.useDHCP = true; 56 | networking.interfaces.wlp4s0.useDHCP = true; 57 | 58 | services.xserver.videoDrivers = [ "nvidia" ]; 59 | hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470; 60 | hardware.nvidia.prime = { 61 | offload.enable = true; 62 | intelBusId = "PCI:0:2:0"; 63 | nvidiaBusId = "PCI:2:0:0"; 64 | }; 65 | environment.systemPackages = [ nvidia-offload ]; 66 | 67 | # This value determines the NixOS release from which the default 68 | # settings for stateful data, like file locations and database versions 69 | # on your system were taken. 
It‘s perfectly fine and recommended to leave 70 | # this value at the release version of the first install of this system. 71 | # Before changing this value read the documentation for this option 72 | # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). 73 | system.stateVersion = "20.09"; # Did you read the comment? 74 | } 75 | -------------------------------------------------------------------------------- /hosts/zeus/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, secrets, ... }: 2 | 3 | { 4 | imports = [ 5 | ../../modules/agenix.nix 6 | ../../modules/config.nix 7 | ../../modules/dvorak-swapcaps 8 | ../../modules/ecryptfs.nix 9 | ../../modules/fish.nix 10 | ../../modules/nix.nix 11 | ../../modules/ssh.nix 12 | ../../modules/users.nix 13 | ../../modules/zerotier.nix 14 | ./cache.nix 15 | ./gitolite.nix 16 | ./nextcloud 17 | ./zfs.nix 18 | ]; 19 | 20 | ### HARDWARE 21 | 22 | boot.loader.systemd-boot.enable = true; 23 | 24 | boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "xhci_pci" "usbhid" ]; 25 | 26 | powerManagement.cpuFreqGovernor = "ondemand"; 27 | 28 | ### HARDWARE: VIDEO 29 | 30 | boot.kernelModules = [ "kvm-amd" ]; 31 | boot.kernelParams = [ "radeon.si_support=0" "amdgpu.si_support=1" ]; 32 | services.xserver.videoDrivers = [ "amdgpu" ]; 33 | hardware.opengl.driSupport32Bit = true; 34 | hardware.enableAllFirmware = true; 35 | 36 | ### HARDWARE: HIDPI 37 | 38 | boot.loader.systemd-boot.consoleMode = "keep"; 39 | console.earlySetup = false; 40 | 41 | ### FILESYSTEMS 42 | 43 | fileSystems = { 44 | "/" = { 45 | device = "/dev/disk/by-uuid/134db4cf-4a7f-4949-8b53-8d1f01c6bce4"; 46 | fsType = "ext4"; 47 | options = [ "rw" "data=ordered" "noatime" ]; 48 | }; 49 | "/boot" = { 50 | device = "/dev/disk/by-uuid/A9C8-33F6"; 51 | fsType = "vfat"; 52 | }; 53 | }; 54 | 55 | services.davfs2.enable = true; 56 | users.users.ttuegel.extraGroups = [ 
config.services.davfs2.davGroup ]; 57 | 58 | ### NETWORKING 59 | 60 | networking.hostName = "zeus"; 61 | 62 | networking.firewall = { 63 | enable = true; 64 | allowPing = true; 65 | }; 66 | 67 | networking.networkmanager.enable = true; 68 | 69 | age.secrets.wireguard-private-key.file = "${secrets}/hosts/zeus/wireguard-private.key"; 70 | 71 | networking.wireguard = { 72 | enable = true; 73 | interfaces.wg0 = { 74 | ips = [ "10.100.0.2/24" ]; 75 | privateKeyFile = config.age.secrets.wireguard-private-key.path; 76 | peers = [ 77 | { 78 | publicKey = "UpeZmYMsVtEbCMNu2BhVcdln/DP8fuLtdVOYArM14GU="; 79 | allowedIPs = [ "10.100.0.0/24" ]; 80 | endpoint = "45.76.23.5:51820"; 81 | persistentKeepalive = 16; 82 | } 83 | ]; 84 | }; 85 | }; 86 | 87 | ### NIX 88 | 89 | nix.settings.max-jobs = 4; 90 | nix.settings.cores = 4; 91 | 92 | ### ENVIRONMENT 93 | 94 | time.timeZone = "America/Chicago"; 95 | 96 | system.stateVersion = "20.09"; 97 | 98 | security.pam.enableSSHAgentAuth = true; 99 | 100 | documentation.nixos.enable = false; # It's always broken anyway. 101 | programs.command-not-found.enable = false; 102 | programs.bash.enableCompletion = false; 103 | 104 | environment.systemPackages = with pkgs; [ 105 | cryptsetup keyutils 106 | gnupg pinentry-curses 107 | direnv cachix 108 | fd ripgrep 109 | git vcsh 110 | htop 111 | tmux 112 | wireguard-tools 113 | zfsbackup 114 | ]; 115 | 116 | services.fstrim.enable = true; 117 | 118 | } 119 | -------------------------------------------------------------------------------- /hosts/hercules/README.md: -------------------------------------------------------------------------------- 1 | # maia 2 | 3 | ## Partitioning 4 | 5 | Back up the disk before partitioning anything. 
6 | 7 | ``` .sh 8 | DISK=/dev/disk/by-id/nvme-PC711_NVMe_SK_hynix_1TB__ASA6N74641090725J 9 | parted $DISK -- mklabel gpt # create new partition table 10 | parted $DISK -- mkpart primary 512MiB 100% # create primary partition 11 | parted $DISK -- mkpart ESP fat32 1MiB 512MiB # create ESP (EFI boot) partition 12 | parted $DISK -- set 2 esp on 13 | ``` 14 | 15 | Set up ESP file system. 16 | 17 | ``` .sh 18 | mkfs.vfat $DISK-part2 19 | ``` 20 | 21 | Set up ZFS file systems. 22 | 23 | ``` .sh 24 | zpool create -O mountpoint=none -O compression=lz4 -O xattr=sa -O acltype=posixacl -o ashift=12 rpool $DISK-part1 25 | zfs create -o mountpoint=legacy rpool/local 26 | zfs create -o mountpoint=legacy rpool/local/nix 27 | zfs create -o mountpoint=legacy rpool/safe 28 | zfs create -o mountpoint=legacy rpool/safe/root 29 | zfs create -o mountpoint=legacy rpool/safe/home 30 | ``` 31 | 32 | Set up mount points before running the installer. 33 | 34 | ``` .sh 35 | mount -t zfs rpool/safe/root /mnt 36 | mkdir /mnt/home 37 | mount -t zfs rpool/safe/home /mnt/home 38 | mkdir /mnt/nix 39 | mount -t zfs rpool/local/nix /mnt/nix 40 | mkdir /mnt/boot 41 | mount $DISK-part2 /mnt/boot 42 | ``` 43 | 44 | ## Install 45 | 46 | Configure the installer. 47 | 48 | ``` .sh 49 | nixos-generate-config --root /mnt 50 | ``` 51 | 52 | Clone this repository. 53 | 54 | ``` .sh 55 | nix-env -iA nixos.git 56 | cd /mnt/etc 57 | mv nixos nixos.bak 58 | git clone git@github.com:ttuegel/nixos-config.git nixos 59 | cd nixos 60 | mkdir -p hosts/maia 61 | mv ../nixos.bak/configuration.nix hosts/maia 62 | mv ../nixos.bak/hardware-configuration.nix hosts/maia/hardware.nix 63 | ln -s hosts/maia/configuration.nix configuration.nix 64 | ``` 65 | 66 | Edit `configuration.nix` as needed. Run the installer. 67 | 68 | ``` .sh 69 | nixos-install 70 | ``` 71 | 72 | For convenience, copy over keys. 
From an established box, 73 | 74 | ``` .sh 75 | gpg --armor --export KEYID >public.key 76 | gpg --armor --export-secret-keys KEYID >secret.key 77 | rsync public.key nixos@ADDR:/mnt/home/ttuegel/ 78 | rsync secret.key nixos@ADDR:/mnt/home/ttuegel/ 79 | rm public.key secret.key 80 | ``` 81 | 82 | ## Reboot 83 | 84 | Unmount drives and export ZFS pools. 85 | 86 | ``` .sh 87 | umount /mnt/{boot,home,nix} 88 | umount /mnt 89 | zpool export rpool 90 | ``` 91 | 92 | Power off. 93 | 94 | ``` .sh 95 | sudo systemctl poweroff 96 | ``` 97 | 98 | Remove boot media and restart. 99 | 100 | ## Configure 101 | 102 | After rebooting, approve the new machine in [ZeroTier](https://my.zerotier.com). 103 | 104 | Import the keys copied earlier (`public.key` and `secret.key`). 105 | 106 | ``` .sh 107 | gpg --import public.key 108 | gpg --import secret.key 109 | rm public.key secret.key 110 | gpg --edit-key KEYID 111 | # change the 'trust' level to 'ultimate' 112 | ``` 113 | 114 | Enable SSH in `gpg-agent`. 115 | 116 | ``` 117 | # ~/.gnupg/gpg-agent.conf 118 | enable-ssh-support 119 | pinentry-program /run/current-system/sw/bin/pinentry-qt 120 | ``` 121 | 122 | Log in again for changes to take effect. 123 | 124 | ``` .sh 125 | gpg --list-keys --with-keygrip 126 | echo KEYGRIP >>~/.gnupg/sshcontrol 127 | ``` 128 | 129 | Clone configuration. 
130 | 131 | ``` .sh 132 | vcsh clone gitolite@zeus:ttuegel/dotfiles 133 | rm ~/.gnupg/gpg-agent.conf ~/.gnupg/sshcontrol 134 | vcsh dotfiles checkout master 135 | ``` 136 | -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; 3 | inputs.secrets = { 4 | url = "git+ssh://gitolite@zeus/ttuegel/nixos-secrets?ref=main"; 5 | flake = false; 6 | }; 7 | inputs.nixpkgs-zeus.url = "github:NixOS/nixpkgs/nixos-23.05"; 8 | inputs.nixpkgs-budgie.url = "github:NixOS/nixpkgs/nixos-23.11"; 9 | inputs.agenix-cli.url = "github:cole-h/agenix-cli"; 10 | inputs.agenix.url = "github:ryantm/agenix"; 11 | inputs.flake-utils.url = "github:numtide/flake-utils"; 12 | inputs.nixos-hardware.url = "github:NixOS/nixos-hardware"; 13 | inputs.emacs-overlay.url = "github:nix-community/emacs-overlay"; 14 | 15 | outputs = inputs@{ self, flake-utils, ... 
}: { 16 | nixosConfigurations = { 17 | 18 | # Workstations 19 | 20 | bingo = inputs.nixpkgs.lib.nixosSystem { 21 | system = "x86_64-linux"; 22 | modules = [ 23 | ./hosts/bingo/configuration.nix 24 | { nixpkgs.overlays = [ inputs.emacs-overlay.overlays.emacs ]; } 25 | ./modules/programs.nix 26 | ]; 27 | specialArgs = { inherit (inputs) secrets; }; 28 | }; 29 | 30 | hercules = inputs.nixpkgs.lib.nixosSystem { 31 | system = "x86_64-linux"; 32 | specialArgs = { inherit (inputs) secrets; }; 33 | modules = [ 34 | ./hosts/hercules/configuration.nix 35 | { nixpkgs.overlays = [ inputs.emacs-overlay.overlays.emacs ]; } 36 | ./modules/programs.nix 37 | ]; 38 | }; 39 | 40 | radley = inputs.nixpkgs.lib.nixosSystem { 41 | system = "x86_64-linux"; 42 | modules = [ 43 | ./hosts/radley/configuration.nix 44 | { nixpkgs.overlays = [ inputs.emacs-overlay.overlays.emacs ]; } 45 | ./modules/programs.nix 46 | ]; 47 | specialArgs = { inherit (inputs) agenix-cli secrets; }; 48 | }; 49 | 50 | bandit = inputs.nixpkgs.lib.nixosSystem { 51 | system = "x86_64-linux"; 52 | modules = [ 53 | ./hosts/bandit/configuration.nix 54 | inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t480 55 | { nixpkgs.overlays = [ inputs.emacs-overlay.overlays.emacs ]; } 56 | ./modules/programs.nix 57 | ]; 58 | specialArgs = { inherit (inputs) agenix-cli secrets; }; 59 | }; 60 | 61 | # Special purpose 62 | 63 | micro = inputs.nixpkgs.lib.nixosSystem { 64 | system = "x86_64-linux"; 65 | modules = [ ./hosts/micro/configuration.nix ]; 66 | specialArgs = { inherit (inputs) secrets; }; 67 | }; 68 | 69 | rescue = inputs.nixpkgs.lib.nixosSystem { 70 | system = "x86_64-linux"; 71 | modules = [ ./hosts/rescue/configuration.nix ]; 72 | }; 73 | 74 | # Servers 75 | 76 | budgie = inputs.nixpkgs-budgie.lib.nixosSystem { 77 | system = "x86_64-linux"; 78 | modules = [ 79 | ./hosts/budgie/configuration.nix 80 | inputs.agenix.nixosModules.default 81 | ]; 82 | specialArgs = { inherit (inputs) emacs-config secrets; }; 83 | }; 84 | 85 | 
zeus = inputs.nixpkgs-zeus.lib.nixosSystem { 86 | system = "x86_64-linux"; 87 | modules = [ 88 | ./hosts/zeus/configuration.nix 89 | inputs.agenix.nixosModules.default 90 | ]; 91 | specialArgs = { inherit (inputs) agenix-cli secrets; }; 92 | }; 93 | 94 | }; 95 | } 96 | // (flake-utils.lib.eachDefaultSystem (system: { 97 | devShells.default = 98 | let pkgs = inputs.nixpkgs.legacyPackages.${system}; in 99 | pkgs.mkShell { 100 | packages = [ pkgs.vultr-cli ]; 101 | }; 102 | }) 103 | ); 104 | } 105 | -------------------------------------------------------------------------------- /howto/zfs-encryption.md: -------------------------------------------------------------------------------- 1 | # Encrypting ZFS datasets 2 | 3 | Given: 4 | 5 | - NixOS is installed on an unencrypted ZFS filesystem, and 6 | - more than 50% free space in the ZFS storage pool; 7 | 8 | then, this guide describes how to fully encrypt the filesystem with a single 9 | reboot. 10 | 11 | ## Overview 12 | 13 | If we were creating an encrypted storage pool from scratch, we would enable 14 | encryption once and the settings would be inherited in every dataset: 15 | 16 | ```.sh 17 | zpool create \ 18 | -O encryption=aes-256-gcm \ 19 | -O keylocation=prompt \ 20 | -O keyformat=passphrase \ 21 | ... 22 | ``` 23 | 24 | Note that the storage pool itself is not encrypted! This only sets the default 25 | options for all the datasets in the pool. To avoid creating a new pool, we will 26 | create a root dataset which is encrypted and migrate the existing unencrypted 27 | datasets to encrypted datasets which inherit from the new root. 28 | 29 | ## Configuration 30 | 31 | The storage pool is named `tank`, as is traditional. 
There are two hierarchies: 32 | 33 | - `tank/safe`: datasets that are backed up 34 | - `tank/safe/root`: mounted at `/` 35 | - `tank/safe/home`: mounted at `/home` 36 | - `tank/local`: datasets that are not backed up 37 | - `tank/local/nix`: the Nix store mounted at `/nix` 38 | 39 | We will move all datasets under `tank/` to `tank/main/`. Adjust the following 40 | instructions according to your own configuration. 41 | 42 | Depending on your configuration, you may need to run `zfs` commands with `sudo`. 43 | You can run the migration as an unprivileged user if you `allow` the correct 44 | permissions: 45 | 46 | ```.sh 47 | sudo zfs allow $username create,destroy,mount,snapshot,send,receive tank 48 | ``` 49 | 50 | (Replace `$username` with the actual username. Note that this grants `destroy` on the whole pool; revoke the delegation with `zfs unallow` once the migration is finished.) 51 | 52 | ## Creating the root dataset 53 | 54 | The storage pool was not created with encryption enabled, so we create an 55 | encrypted dataset to serve as the root of a new hierarchy: 56 | 57 | ```.sh 58 | zfs create \ 59 | -o mountpoint=legacy \ 60 | -o compression=zstd \ 61 | -o encryption=aes-256-gcm \ 62 | -o keylocation=prompt \ 63 | -o keyformat=passphrase \ 64 | tank/main 65 | ``` 66 | 67 | Enter the new passphrase when prompted. 68 | Create new children in the encrypted root: 69 | 70 | ```.sh 71 | zfs create tank/main/local 72 | zfs create tank/main/safe 73 | ``` 74 | 75 | ## Configure NixOS 76 | 77 | Next we modify the NixOS configuration, changing any references to 78 | `tank/foo/bar` to `tank/main/foo/bar`. It is very important to run 79 | `nixos-rebuild` now, even though the encrypted datasets do not exist yet! In the 80 | next step, we will create snapshots of the existing filesystems and the modified 81 | configuration must be in the Nix store in those snapshots. 
82 | 83 | ## Take snapshots 84 | 85 | Make snapshots of the existing, unencrypted datasets: 86 | 87 | ```.sh 88 | zfs snapshot tank/local/nix@(env TZ=UTC date '+%F_%T') 89 | zfs snapshot tank/safe/home@(env TZ=UTC date '+%F_%T') 90 | zfs snapshot tank/safe/root@(env TZ=UTC date '+%F_%T') 91 | ``` 92 | 93 | The `(...)` command substitution above is fish syntax; in bash or POSIX sh, write `$(env TZ=UTC date '+%F_%T')` instead. It is a good idea to close any applications you are not using to minimize 94 | changes to the filesystems after the snapshots, but it is not required. 95 | 96 | ## Encrypt snapshots 97 | 98 | Send the snapshots to new datasets under the encrypted root: 99 | 100 | ```.sh 101 | zfs send tank/local/nix@... | zfs receive tank/main/local/nix 102 | zfs send tank/safe/home@... | zfs receive tank/main/safe/home 103 | zfs send tank/safe/root@... | zfs receive tank/main/safe/root 104 | ``` 105 | 106 | Verify that the new datasets are encrypted: 107 | 108 | ```.sh 109 | zfs list -o name,encryption 110 | ``` 111 | 112 | ## Reboot 113 | 114 | Reboot. If all goes well, destroy the unencrypted datasets: 115 | 116 | ```.sh 117 | zfs destroy -r tank/local 118 | zfs destroy -r tank/safe 119 | ``` 120 | 121 | Note that `zfs destroy` only frees the blocks; the plaintext may remain on disk until those blocks are overwritten by new writes. 122 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "agenix": { 4 | "inputs": { 5 | "darwin": "darwin", 6 | "home-manager": "home-manager", 7 | "nixpkgs": "nixpkgs" 8 | }, 9 | "locked": { 10 | "lastModified": 1701216516, 11 | "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=", 12 | "owner": "ryantm", 13 | "repo": "agenix", 14 | "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247", 15 | "type": "github" 16 | }, 17 | "original": { 18 | "owner": "ryantm", 19 | "repo": "agenix", 20 | "type": "github" 21 | } 22 | }, 23 | "agenix-cli": { 24 | "inputs": { 25 | "flake-utils": "flake-utils", 26 | "nixpkgs": "nixpkgs_2" 27 | }, 28 | "locked": { 29 | "lastModified": 1641404293, 30 | "narHash": 
"sha256-0+QVY1sDhGF4hAN6m2FdKZgm9V1cuGGjY4aitRBnvKg=", 31 | "owner": "cole-h", 32 | "repo": "agenix-cli", 33 | "rev": "77fccec4ed922a0f5f55ed964022b0db7d99f07d", 34 | "type": "github" 35 | }, 36 | "original": { 37 | "owner": "cole-h", 38 | "repo": "agenix-cli", 39 | "type": "github" 40 | } 41 | }, 42 | "darwin": { 43 | "inputs": { 44 | "nixpkgs": [ 45 | "agenix", 46 | "nixpkgs" 47 | ] 48 | }, 49 | "locked": { 50 | "lastModified": 1673295039, 51 | "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", 52 | "owner": "lnl7", 53 | "repo": "nix-darwin", 54 | "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", 55 | "type": "github" 56 | }, 57 | "original": { 58 | "owner": "lnl7", 59 | "ref": "master", 60 | "repo": "nix-darwin", 61 | "type": "github" 62 | } 63 | }, 64 | "emacs-overlay": { 65 | "inputs": { 66 | "flake-utils": "flake-utils_2", 67 | "nixpkgs": "nixpkgs_3", 68 | "nixpkgs-stable": "nixpkgs-stable" 69 | }, 70 | "locked": { 71 | "lastModified": 1701855622, 72 | "narHash": "sha256-Mv3J3L61hn9MShgwboviXCdqHvl13atJMHl0rZMCmdI=", 73 | "owner": "nix-community", 74 | "repo": "emacs-overlay", 75 | "rev": "ff6270444ab7e1ab6fac3464d173b03aa8cb7a75", 76 | "type": "github" 77 | }, 78 | "original": { 79 | "owner": "nix-community", 80 | "repo": "emacs-overlay", 81 | "type": "github" 82 | } 83 | }, 84 | "flake-utils": { 85 | "locked": { 86 | "lastModified": 1638122382, 87 | "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", 88 | "owner": "numtide", 89 | "repo": "flake-utils", 90 | "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", 91 | "type": "github" 92 | }, 93 | "original": { 94 | "owner": "numtide", 95 | "repo": "flake-utils", 96 | "type": "github" 97 | } 98 | }, 99 | "flake-utils_2": { 100 | "inputs": { 101 | "systems": "systems" 102 | }, 103 | "locked": { 104 | "lastModified": 1701680307, 105 | "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", 106 | "owner": "numtide", 107 | "repo": "flake-utils", 108 | "rev": 
"4022d587cbbfd70fe950c1e2083a02621806a725", 109 | "type": "github" 110 | }, 111 | "original": { 112 | "owner": "numtide", 113 | "repo": "flake-utils", 114 | "type": "github" 115 | } 116 | }, 117 | "flake-utils_3": { 118 | "inputs": { 119 | "systems": "systems_2" 120 | }, 121 | "locked": { 122 | "lastModified": 1701680307, 123 | "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", 124 | "owner": "numtide", 125 | "repo": "flake-utils", 126 | "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", 127 | "type": "github" 128 | }, 129 | "original": { 130 | "owner": "numtide", 131 | "repo": "flake-utils", 132 | "type": "github" 133 | } 134 | }, 135 | "home-manager": { 136 | "inputs": { 137 | "nixpkgs": [ 138 | "agenix", 139 | "nixpkgs" 140 | ] 141 | }, 142 | "locked": { 143 | "lastModified": 1682203081, 144 | "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", 145 | "owner": "nix-community", 146 | "repo": "home-manager", 147 | "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", 148 | "type": "github" 149 | }, 150 | "original": { 151 | "owner": "nix-community", 152 | "repo": "home-manager", 153 | "type": "github" 154 | } 155 | }, 156 | "nixos-hardware": { 157 | "locked": { 158 | "lastModified": 1701656485, 159 | "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=", 160 | "owner": "NixOS", 161 | "repo": "nixos-hardware", 162 | "rev": "fa194fc484fd7270ab324bb985593f71102e84d1", 163 | "type": "github" 164 | }, 165 | "original": { 166 | "owner": "NixOS", 167 | "repo": "nixos-hardware", 168 | "type": "github" 169 | } 170 | }, 171 | "nixpkgs": { 172 | "locked": { 173 | "lastModified": 1677676435, 174 | "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", 175 | "owner": "NixOS", 176 | "repo": "nixpkgs", 177 | "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", 178 | "type": "github" 179 | }, 180 | "original": { 181 | "owner": "NixOS", 182 | "ref": "nixos-unstable", 183 | "repo": "nixpkgs", 184 | "type": "github" 185 | } 186 | }, 187 | 
"nixpkgs-budgie": { 188 | "locked": { 189 | "lastModified": 1701156937, 190 | "narHash": "sha256-jpMJOFvOTejx211D8z/gz0ErRtQPy6RXxgD2ZB86mso=", 191 | "owner": "NixOS", 192 | "repo": "nixpkgs", 193 | "rev": "7c4c20509c4363195841faa6c911777a134acdf3", 194 | "type": "github" 195 | }, 196 | "original": { 197 | "owner": "NixOS", 198 | "ref": "nixos-23.11", 199 | "repo": "nixpkgs", 200 | "type": "github" 201 | } 202 | }, 203 | "nixpkgs-stable": { 204 | "locked": { 205 | "lastModified": 1701540982, 206 | "narHash": "sha256-5ajSy6ODgGmAbmymRdHnjfVnuVrACjI8wXoGVvrtvww=", 207 | "owner": "NixOS", 208 | "repo": "nixpkgs", 209 | "rev": "6386d8aafc28b3a7ed03880a57bdc6eb4465491d", 210 | "type": "github" 211 | }, 212 | "original": { 213 | "owner": "NixOS", 214 | "ref": "nixos-23.05", 215 | "repo": "nixpkgs", 216 | "type": "github" 217 | } 218 | }, 219 | "nixpkgs-zeus": { 220 | "locked": { 221 | "lastModified": 1699596684, 222 | "narHash": "sha256-XSXP8zjBZJBVvpNb2WmY0eW8O2ce+sVyj1T0/iBRIvg=", 223 | "owner": "NixOS", 224 | "repo": "nixpkgs", 225 | "rev": "da4024d0ead5d7820f6bd15147d3fe2a0c0cec73", 226 | "type": "github" 227 | }, 228 | "original": { 229 | "owner": "NixOS", 230 | "ref": "nixos-23.05", 231 | "repo": "nixpkgs", 232 | "type": "github" 233 | } 234 | }, 235 | "nixpkgs_2": { 236 | "locked": { 237 | "lastModified": 1640418986, 238 | "narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=", 239 | "owner": "NixOS", 240 | "repo": "nixpkgs", 241 | "rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2", 242 | "type": "github" 243 | }, 244 | "original": { 245 | "owner": "NixOS", 246 | "ref": "nixpkgs-unstable", 247 | "repo": "nixpkgs", 248 | "type": "github" 249 | } 250 | }, 251 | "nixpkgs_3": { 252 | "locked": { 253 | "lastModified": 1701436327, 254 | "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", 255 | "owner": "NixOS", 256 | "repo": "nixpkgs", 257 | "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", 258 | "type": "github" 259 | }, 260 | "original": { 261 
| "owner": "NixOS", 262 | "ref": "nixos-unstable", 263 | "repo": "nixpkgs", 264 | "type": "github" 265 | } 266 | }, 267 | "nixpkgs_4": { 268 | "locked": { 269 | "lastModified": 1701253981, 270 | "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", 271 | "owner": "NixOS", 272 | "repo": "nixpkgs", 273 | "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", 274 | "type": "github" 275 | }, 276 | "original": { 277 | "owner": "NixOS", 278 | "ref": "nixos-unstable", 279 | "repo": "nixpkgs", 280 | "type": "github" 281 | } 282 | }, 283 | "root": { 284 | "inputs": { 285 | "agenix": "agenix", 286 | "agenix-cli": "agenix-cli", 287 | "emacs-overlay": "emacs-overlay", 288 | "flake-utils": "flake-utils_3", 289 | "nixos-hardware": "nixos-hardware", 290 | "nixpkgs": "nixpkgs_4", 291 | "nixpkgs-budgie": "nixpkgs-budgie", 292 | "nixpkgs-zeus": "nixpkgs-zeus", 293 | "secrets": "secrets" 294 | } 295 | }, 296 | "secrets": { 297 | "flake": false, 298 | "locked": { 299 | "lastModified": 1701297040, 300 | "narHash": "sha256-PTUfo1oswxh8gk0wFEqLwVDxEPGIqxPgaQjeE33bBq0=", 301 | "ref": "main", 302 | "rev": "e4f362216eec44f503ef24a54eb6047ddf3d0e8d", 303 | "revCount": 15, 304 | "type": "git", 305 | "url": "ssh://gitolite@zeus/ttuegel/nixos-secrets" 306 | }, 307 | "original": { 308 | "ref": "main", 309 | "type": "git", 310 | "url": "ssh://gitolite@zeus/ttuegel/nixos-secrets" 311 | } 312 | }, 313 | "systems": { 314 | "locked": { 315 | "lastModified": 1681028828, 316 | "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 317 | "owner": "nix-systems", 318 | "repo": "default", 319 | "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 320 | "type": "github" 321 | }, 322 | "original": { 323 | "owner": "nix-systems", 324 | "repo": "default", 325 | "type": "github" 326 | } 327 | }, 328 | "systems_2": { 329 | "locked": { 330 | "lastModified": 1681028828, 331 | "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 332 | "owner": "nix-systems", 333 | "repo": "default", 
334 | "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 335 | "type": "github" 336 | }, 337 | "original": { 338 | "owner": "nix-systems", 339 | "repo": "default", 340 | "type": "github" 341 | } 342 | } 343 | }, 344 | "root": "root", 345 | "version": 7 346 | } 347 | --------------------------------------------------------------------------------