diff --git a/.sops.yaml b/.sops.yaml
index a861312..3bb72d3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,6 +6,7 @@ keys:
 # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
 - &aristotle age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
 - &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
+ - &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
@@ -13,3 +14,4 @@ creation_rules:
 - *guanranwang
 - *aristotle
 - *blacksteel
+ - *lightsail-tokyo
diff --git a/darwin/profiles/desktop/home/default.nix b/darwin/profiles/desktop/home/default.nix
index 40cf994..cc2f3cc 100644
--- a/darwin/profiles/desktop/home/default.nix
+++ b/darwin/profiles/desktop/home/default.nix
@@ -8,10 +8,6 @@
 # Terminal
 "alacritty"
- # Shell
- "fish"
- "bash"
-
 # Editor
 "neovim"
 "vscode"
diff --git a/flake.lock b/flake.lock
index dcf13c4..bc7171c 100755
--- a/flake.lock
+++ b/flake.lock
@@ -584,6 +584,7 @@
 "scss-reset": "scss-reset",
 "sops-nix": "sops-nix",
 "spicetify-nix": "spicetify-nix",
+ "srvos": "srvos",
 "systems": "systems",
 "treefmt-nix": "treefmt-nix"
 }
@@ -673,6 +674,26 @@
 "type": "github"
 }
 },
+ "srvos": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1713747325,
+ "narHash": "sha256-3Rh1372yHv7TYA8yJqSCcKeVsHdhmDa4veN9kb3fNx8=",
+ "owner": "nix-community",
+ "repo": "srvos",
+ "rev": "e00e421468806a7a245bc76f0a23eb9e91593918",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "srvos",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index b4dbf94..79ced40 100755
--- a/flake.nix
+++ b/flake.nix
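Review bot: The new `*lightsail-tokyo` recipient is appended to the only key group, the one under `path_regex: secrets.yaml$`, so the cloud host's SSH-derived age key can now decrypt every secret in that file — including the `wireless/*` PSKs that `nixos/profiles/server` disables iwd for. A server should hold only the credentials it uses, not the key material for the laptops' Wi-Fi networks. Consider a second creation rule with its own file (for example `path_regex: hosts/lightsail-tokyo/secrets.yaml$`) whose key group lists only `*guanranwang` and `*lightsail-tokyo`, and keep workstation-only secrets out of that group. The first hunk of this file, which adds the anchor, is covered by the same note.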
@@ -88,6 +88,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.flake-utils.follows = "flake-utils";
 };
+ srvos = {
+ url = "github:nix-community/srvos";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 systems.url = "github:nix-systems/default";
 treefmt-nix = {
 url = "github:numtide/treefmt-nix";
@@ -206,5 +210,19 @@
 nixOnDroidConfigurations = {
 "socrates" = mkDroid [./hosts/socrates];
 };
+
+ colmena = {
+ meta = {
+ specialArgs = {inherit inputs;};
+ nixpkgs = import inputs.nixpkgs {
+ system = "x86_64-linux"; # How does this work?
+ };
+ };
+
+ "lightsail-tokyo" = {
+ imports = [./hosts/lightsail-tokyo];
+ deployment.targetHost = "18.177.132.61";
+ };
+ };
 });
 }
diff --git a/home/applications/nix/default.nix b/home/applications/nix/default.nix
index 201966d..8b0e129 100644
--- a/home/applications/nix/default.nix
+++ b/home/applications/nix/default.nix
@@ -17,6 +17,7 @@
 nix-index
 comma
 sops
+ colmena
 ];
 # for `nh`
diff --git a/home/default.nix b/home/default.nix
index 422478f..88220da 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -36,9 +36,11 @@
 inputs.nur.hmModules.nur
 ./applications/atuin
+ ./applications/bash
 ./applications/bat
 ./applications/eza
 ./applications/fastfetch
+ ./applications/fish
 ./applications/git
 ./applications/gpg
 ./applications/skim
diff --git a/hosts/aristotle/default.nix b/hosts/aristotle/default.nix
index d32d204..1f328d6 100644
--- a/hosts/aristotle/default.nix
+++ b/hosts/aristotle/default.nix
@@ -17,6 +17,7 @@
 networking.hostName = "aristotle";
 time.timeZone = "Asia/Shanghai";
 _module.args.disks = ["/dev/nvme0n1"]; # Disko
+ system.stateVersion = "23.11";
 services.tailscale = {
 enable = true;
diff --git a/hosts/aristotle/hardware-configuration.nix b/hosts/aristotle/hardware-configuration.nix
index 0dce2a8..851da16 100644
--- a/hosts/aristotle/hardware-configuration.nix
+++ b/hosts/aristotle/hardware-configuration.nix
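Review bot: The `# How does this work?` comment on the `system` line of the new `colmena` block commits an open question instead of an explanation; replace it with what the setting does, e.g. `# colmena evaluates every node with this hive-wide package set (meta.nixpkgs); specialArgs passes the flake inputs to host modules`. The `"lightsail-tokyo"` node sets only `deployment.targetHost`, so the login user is left to colmena's default; together with the PermitRootLogin relaxation in `nixos/profiles/common/core/default.nix` that dependency should be spelled out with an explicit `deployment.targetUser = "root";` (or a non-root deploy user) so the access path to the host is visible in the repo. The `"18.177.132.61"` literal bakes a public address into the flake; a DNS name would survive an instance replacement without a code change.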
@@ -16,5 +16,4 @@
 boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"];
 boot.kernelModules = ["kvm-intel"];
 nixpkgs.hostPlatform = "x86_64-linux";
- system.stateVersion = "23.11";
 }
diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix
index 6afb680..d7520a1 100644
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@@ -13,11 +13,11 @@
 ./anti-feature.nix
 ];
- boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.systemd-boot.enable = true;
 networking.hostName = "blacksteel";
 time.timeZone = "Asia/Shanghai";
+ system.stateVersion = "23.11";
 ######## Services
 services.tailscale = {
diff --git a/hosts/blacksteel/hardware-configuration.nix b/hosts/blacksteel/hardware-configuration.nix
index f530974..36f06c5 100644
--- a/hosts/blacksteel/hardware-configuration.nix
+++ b/hosts/blacksteel/hardware-configuration.nix
@@ -29,7 +29,6 @@
 #hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
 nixpkgs.hostPlatform = "x86_64-linux";
- system.stateVersion = "23.11";
 # no disko because dual booting with macOS isnt very flexible
 boot.initrd.luks.devices."luks-8c26de19-f0d4-4ac7-a73c-a28dafd30544".device = "/dev/disk/by-uuid/8c26de19-f0d4-4ac7-a73c-a28dafd30544";
diff --git a/hosts/lightsail-tokyo/anti-feature.nix b/hosts/lightsail-tokyo/anti-feature.nix
new file mode 100644
index 0000000..026b59f
--- /dev/null
+++ b/hosts/lightsail-tokyo/anti-feature.nix
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ nixpkgs.config = {
+ allowNonSource = false;
+ allowNonSourcePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "adoptopenjdk-hotspot-bin"
+ "cargo-bootstrap"
+ "rustc-bootstrap"
+ "rustc-bootstrap-wrapper"
+ ];
+
+ allowUnfree = false;
+ allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ ];
+ };
+}
diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix
new file mode 100644
index 0000000..03e3535
--- /dev/null
+++ b/hosts/lightsail-tokyo/default.nix
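Review bot: Removing `boot.loader.efi.canTouchEfiVariables = true;` in `hosts/blacksteel/default.nix` is a behaviour change unrelated to the stateVersion move it rides on: with systemd-boot it means the installer no longer writes an EFI boot entry, so a reinstall or a cleared NVRAM would need a manual `efibootmgr` entry. If this is deliberate (the hardware file mentions dual-booting macOS), say so next to the systemd-boot line, e.g. `# canTouchEfiVariables deliberately unset: <reason>`; otherwise it belongs in its own commit. The enclosing attribute set continues outside the hunk.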
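Review bot: In `hosts/lightsail-tokyo/anti-feature.nix` the `allowUnfreePredicate` with an empty list is equivalent to `allowUnfree = false;` on its own and reads like a placeholder; either drop the predicate or keep the list with a comment that it is intentionally empty, e.g. `# nothing unfree is allowed on this host`. The same allow-lists appear to be copied per host (`hosts/blacksteel` imports its own `./anti-feature.nix`), so a shared module under `nixos/profiles` with per-host additions would keep the bootstrap-toolchain list from drifting between machines.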
@@ -0,0 +1,15 @@
+{
+ modulesPath,
+ lib,
+ ...
+}: {
+ imports = [
+ "${modulesPath}/virtualisation/amazon-image.nix"
+ ../../nixos/profiles/server
+ ./anti-feature.nix
+ ];
+
+ time.timeZone = "Asia/Tokyo";
+ boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/socrates/default.nix b/hosts/socrates/default.nix
index e90cb40..31235da 100644
--- a/hosts/socrates/default.nix
+++ b/hosts/socrates/default.nix
@@ -60,8 +60,6 @@
 sharedModules = [
 ({...}: {
 imports = [
- ../../home/applications/bash
- ../../home/applications/fish
 ../../home/applications/neovim
 ../../home/applications/nix
 ];
diff --git a/nixos/profiles/common/core/default.nix b/nixos/profiles/common/core/default.nix
index 89f2eb8..7ee302e 100644
--- a/nixos/profiles/common/core/default.nix
+++ b/nixos/profiles/common/core/default.nix
@@ -59,7 +59,7 @@
 services.openssh = {
 enable = true;
- settings.PermitRootLogin = "no";
+ settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
 settings.PasswordAuthentication = false;
 };
diff --git a/nixos/profiles/common/core/networking/default.nix b/nixos/profiles/common/core/networking/default.nix
index 673f912..3debd3e 100644
--- a/nixos/profiles/common/core/networking/default.nix
+++ b/nixos/profiles/common/core/networking/default.nix
@@ -1,9 +1,13 @@
 {
- networking.wireless.iwd.enable = true;
+ lib,
+ config,
+ ...
+}: {
+ networking.wireless.iwd.enable = lib.mkDefault true;
 services.resolved.enable = true;
- sops.secrets."wireless/wangxiaobo".path = "/var/lib/iwd/wangxiaobo.psk";
- sops.secrets."wireless/OpenWrt".path = "/var/lib/iwd/OpenWrt.psk";
+ sops.secrets."wireless/wangxiaobo".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/wangxiaobo.psk";
+ sops.secrets."wireless/OpenWrt".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/OpenWrt.psk";
 ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
 boot.kernelModules = ["tcp_bbr"];
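Review bot: Unlike `hosts/aristotle` and `hosts/blacksteel`, the new `hosts/lightsail-tokyo/default.nix` sets no `networking.hostName`; it presumably relies on colmena deriving one from the node name, but the `.sops.yaml` anchor and the `secrets.yaml` recipient are keyed to this machine, so make it explicit with `networking.hostName = "lightsail-tokyo";`. The `lib.mkForce "/dev/nvme0n1"` on `boot.loader.grub.device` overrides whatever `amazon-image.nix` picks and deserves a why-comment, e.g. `# mkForce: amazon-image.nix sets a different grub device than this instance exposes — TODO confirm`.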
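Review bot: `lib.mkDefault "no"` in `nixos/profiles/common/core/default.nix` lets any other module silently win, and nothing on the lightsail-tokyo side of this commit sets `PermitRootLogin` itself, so the effective value on that host now comes from whichever imported module (`amazon-image.nix` or a colmena-related one) defines it rather than from this repo. State the policy in `hosts/lightsail-tokyo/default.nix` — `services.openssh.settings.PermitRootLogin = "prohibit-password";` keeps key-only root for the deploy user while still refusing passwords — and make the comment name what the default yields to, e.g. `# mkDefault: cloud hosts (amazon-image.nix / colmena root deploys) override this`. `PasswordAuthentication` staying a hard `false` is the right half to keep non-overridable. The `services.openssh` block is cut at both edges of the hunk.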
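Review bot: In `nixos/profiles/common/core/networking/default.nix` the `lib.mkIf` on `.path` only withdraws the custom path; the attributes `sops.secrets."wireless/wangxiaobo"` and `sops.secrets."wireless/OpenWrt"` still exist, so on a host with iwd disabled — lightsail-tokyo via `nixos/profiles/server` — sops-nix still decrypts both Wi-Fi PSKs into `/run/secrets/` at activation. Gate the whole declaration instead, so hosts that do not run iwd never receive the secrets (and then do not need them in their `.sops.yaml` key group either).
```nix
  sops.secrets = lib.mkIf config.networking.wireless.iwd.enable {
    "wireless/wangxiaobo".path = "/var/lib/iwd/wangxiaobo.psk";
    "wireless/OpenWrt".path = "/var/lib/iwd/OpenWrt.psk";
  };
  # … unchanged: sysctl / tcp_bbr settings …
```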
diff --git a/nixos/profiles/common/graphical/home/default.nix b/nixos/profiles/common/graphical/home/default.nix
index c7e4e29..6b0f757 100644
--- a/nixos/profiles/common/graphical/home/default.nix
+++ b/nixos/profiles/common/graphical/home/default.nix
@@ -11,10 +11,6 @@
 # Terminal
 "alacritty"
- # Shell
- "fish"
- "bash"
-
 # Editor
 "neovim"
 # "helix"
diff --git a/nixos/profiles/server/default.nix b/nixos/profiles/server/default.nix
index 112c56e..5edd6c3 100644
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
@@ -1,9 +1,14 @@
-{pkgs, ...}:
-# no i dont actually own a server
 {
+ pkgs,
+ inputs,
+ ...
+}: {
 imports = [
- ../common/minimal
+ ../common/core
+ # ../common/minimal
+ inputs.srvos.nixosModules.mixins-terminfo
 ];
- boot.kernelPackages = pkgs.linuxPackages; # mkDefault for server
+ boot.kernelPackages = pkgs.linuxPackages;
+ networking.wireless.iwd.enable = false;
 }
diff --git a/secrets.yaml b/secrets.yaml
index 2452b0a..642ea00 100644
--- a/secrets.yaml
+++ b/secrets.yaml
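Review bot: The commented-out `# ../common/minimal` import in `nixos/profiles/server/default.nix` is dead code with no explanation; delete it or replace it with the reason, e.g. `# ../common/core instead of ../common/minimal: <reason>`. The plain `networking.wireless.iwd.enable = false;` correctly beats the `lib.mkDefault true` in `../common/core/networking`, but a comment tying the two together (`# overrides the mkDefault in ../common/core/networking`) would save the next reader a search. Taking `inputs` as a module argument now requires every consumer of this profile to pass it via `specialArgs`; the colmena hive in `flake.nix` does, but the other configuration builders are outside this diff, so confirm they do as well.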
@@ -19,29 +19,38 @@ sops:
 - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXL3R3UWF2UjFBZXlVWmEr
- L3Nva3ZnMW9kUVN0bzhlVlE3UWRWSlRqY3lzCmp4SDlkZUdIQmFMb1UrWWk3SXBI
- TExucEFodlZaZjFGQ3lkOWh1NFFsckUKLS0tIEZTL0QvZmVVWlVBOWtVczFaYnFl
- ejFYb0J0dmtSL0VURDBHZEhER0FZeEUKErLL9cf65O/YmLt0JVpdXuK2sXLh4x/O
- YVv9lzzECDAMZbh2RScw5z91zWM9kB5vx17XrpcUnF4ouH+jnlOx8Q==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRDVuSHNpQzMzb1gxaXB4
+ aEs5SEpyeFdKMExIYnZMdTdIZi9JbXY2aHlzCmN5Um81VnF3TXpOcW1IbFBnTWY3
+ VHVQTmM3Zm5rOGx1UDhRRnBPZTZpRlEKLS0tIFV1am5VVXJiODdFT0RIQW9wNlVM
+ OWhuQmMrT2dId3U1RGtoamZyNElvSzAKqOOQB3oMulmSTFbiJenpucju+djFUY1t
+ ldHjlbYF9ywbAckqFtYXGcbDDbD5iv8ZvulyhU2d73534rspOXzyWQ==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHN2RPVVFlYzlyRitlS0Fn
- SGJaR2srdExaT3V5dFd3OFFraXBlbVY0K2d3CnNRUmFkSHJuTWlUeW9haS9lQ2N2
- S3JmU3FmWUtLblRoYnRwK05OY05RK0kKLS0tIGQ2d2REbkFuQnFkT1I1QnFIc1Z6
- TlhnYmhQWnRBWG1CeWp6bktmemNxbk0KXYImIHhtlXUS2H+Ot81zGbC/BaMkba8D
- GUJeizpBBbA6BSjeQYx1Hd/mJJ4eqbN9abnLgYhQ42i9KfWWC4Eu1w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRitmZ0xSRmNRbTIwdjg2
+ aStiQnIzU1AyTzkxdE9UT0laQlkxNzh5RDAwClNDcitIa0FCVUxCRldyL1I4Rit1
+ bE9MZjNlaXV6aU5UYjhEVzgrMExHNGcKLS0tIG43bE9CSTFGZG9ZSlhucVc1cWZV
+ T3cwdUYyQWhpM04ydTJhOWQ1NHZqTncK6kVvFDpmgT4fEv2NCerIr3y1iIfV9phv
+ fKHhtqeEmaon9Hp1hqBcQzB4+PuxA+AWSZ+wjffGa/aS+RsSt2FYdw==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0N2FtN1UvTXQ3MXZPQVN2
- bTBCQzR1cmhhdmV5K0g4ODZySk42V09aZVE0CndxWTRVZS9Pek85VU1nK1hEYjc5
- RnFjZEFmVytIYVBtN1IxOU1uSHVLUGcKLS0tIFB2UzlFeFJWOGJ3SFBDNENxT1FN
- MFdBdDhnbWFwTVd1aFgvUHdRZkhTV3MKIcvIbGmAMVAu5KcOi8xsjIvwAzp8etAn
- cXbkj9HfU/FHWv2fJNC/2Dda3AKKfDFNQJIk0MYOuyFR+JMu6Dah/g==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMlR2WmM5cHl3SHRtZ08x
+ SG42bzNQSmlaQXN6RFpxSkpPcDAwbnpDMWhnCm5tZkpocWswYWF4UmYzS1dINkJ0
+ bExOZWpNNlN0WkNXU29UY05vRFVoNUEKLS0tIGRwaUJFNkoyV2pLeDZOd3FxYnIz
+ eWpqWU12ekl0NWRQV2lIdzRIcmYvVlUKYO7EDTdyLzDjoSgSj7/p/uwjZrw2xWgp
+ 5474kRLJyPVjejTnnc3K1/za9Cp68tIsk/wC+bGflnXqrReNHyXq3Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaWWxBUUVWOVZqbE5FUEt1
+ ekdKaXRHdTdvWnR0R1BWMHlGMk5OQ1JTb1JJCkhWTDFpUEdneUR2UW9LVjdHN3VP
+ UE5WUzNJTWtreDQ2VEd2ZnFSdHJ5dDAKLS0tIEdsWlNIUDB2blBYTDdNaXN0YjBi
+ SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
+ c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2024-04-01T04:24:51Z"
 mac: ENC[AES256_GCM,data:cJYaWZvPI+cWeWBNZS5omgfZ7Jq7mPIPc/wle5s4XkAb5AgvFaT17FmBRRYBVLvGvevSRponU3z6kLvLbH1HfE89zpboPc76+6vmYPkx8bY+vy8lgg5BTWPHkQZ6BeORJQLi3aiH6CNOOD7wL1dlwD+ldZOD7D9kgxTwbFPX+V8=,iv:TFe6eY+M6qsvJDv09RovOLbRfNkcU8JHR1EaJtJKKIE=,tag:dAU7eFTmJpCGt/gxrwoRkQ==,type:str]