diff --git a/.gitignore b/.gitignore index 8b13789..b2be92b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ - +result diff --git a/flake.nix b/flake.nix index 42d989e..7cfe91b 100644 --- a/flake.nix +++ b/flake.nix @@ -86,6 +86,14 @@ ./thor/configuration.nix ]; + lokiBaseModules = [ + { nixpkgs = nixpkgsSettings; } + ./loki/hardware-configuration.nix + nixos-hardware.nixosModules.common-cpu-intel + nixos-hardware.nixosModules.common-pc-ssd + ./loki/configuration.nix + ]; + # odinStable = extraModules: nixpkgs.lib.nixosSystem { # inherit system; # modules = odinBaseModules ++ [ @@ -122,6 +130,15 @@ ] ++ extraModules; }; + lokiUnstable = extraModules: unstable.lib.nixosSystem { + inherit system; + modules = lokiBaseModules ++ [ + home-manager-unstable.nixosModules.home-manager + homeManagerSettings + { home-manager.users.bertof = import ./home_manager/loki.nix; } + ] ++ extraModules; + }; + in { packages.${system} = unstablePkgs; @@ -140,6 +157,10 @@ odin-nvidia-unstable = odinUnstable [ ./odin/configuration-nvidia.nix ./nixos_modules/pro_audio.nix ./nixos_modules/sesar.nix ]; # odin-intel-stable = odinStable [ ./odin/configuration-intel.nix ./nixos_modules/pro_audio.nix ./nixos_modules/sesar.nix]; # odin-nvidia-stable = odinStable [ ./odin/configuration-nvidia.nix ./nixos_modules/pro_audio.nix ./nixos_modules/sesar.nix]; + + loki = loki-unstable; + + loki-unstable = lokiUnstable []; }; }; } diff --git a/loki.nix b/home_manager/loki.nix similarity index 100% rename from loki.nix rename to home_manager/loki.nix diff --git a/loki/configuration.nix b/loki/configuration.nix new file mode 100644 index 0000000..259f0ef --- /dev/null +++ b/loki/configuration.nix 
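Review bot: `loki = loki-unstable;` in the `nixosConfigurations` hunk refers to a sibling attribute by bare name, which only resolves if the enclosing attribute set is declared `rec`; its opening is outside this hunk, so I cannot confirm that, and if it is a plain set the flake fails to evaluate with an undefined-variable error. Writing `loki = lokiUnstable [];` (the same expression as the `loki-unstable` line) removes the dependency on recursion either way and keeps the two outputs in lockstep.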
@@ -0,0 +1,306 @@ +{ config, pkgs, lib, ... }: + +{ + boot = { + binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ]; + kernelPackages = pkgs.linuxPackages_5_17; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + console = { + font = "Lat2-Terminus16"; + keyMap = "it"; + }; + + environment = { + pathsToLink = [ "/share/zsh" ]; + systemPackages = with pkgs; [ kakoune tmux vim ]; + }; + + hardware = { + nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470; + nvidia.prime = { + offload.enable = false; + sync.enable = true; + intelBusId = "PCI:0:2:0"; + nvidiaBusId = "PCI:1:0:0"; + }; + + opengl = { + enable = true; + extraPackages = with pkgs; [ intel-media-driver libvdpau-va-gl vaapiIntel vaapiVdpau ]; + }; + + bluetooth.enable = true; + }; + + i18n.defaultLocale = "it_IT.UTF-8"; + + programs = { + dconf.enable = true; + gnupg.agent = { enable = true; enableSSHSupport = true; }; + zsh = { enable = true; syntaxHighlighting.enable = true; }; + }; + + networking = { + hostName = "loki"; + interfaces = { eno1.useDHCP = true; wlp7s0.useDHCP = true; }; + networkmanager.enable = true; + useDHCP = false; + }; + + time.timeZone = "Europe/Rome"; + + services = { + avahi = { + enable = true; + openFirewall = true; + nssmdns = true; + publish = { + enable = true; + addresses = true; + domain = true; + userServices = true; + workstation = true; + }; + extraServiceFiles = { + ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service"; + }; + }; + bazarr = { enable = true; openFirewall = true; group = "users"; }; + blueman.enable = true; + dbus.packages = with pkgs; [ dconf ]; + fail2ban = { enable = true; bantime-increment.enable = true; }; + gnome.gnome-keyring.enable = true; + gvfs = { enable = true; package = lib.mkForce pkgs.gnome3.gvfs; }; + jackett = { enable = true; openFirewall = true; group = "users"; }; + logind.lidSwitch = "ignore"; + node-red = { enable = true; openFirewall = true; withNpmAndGcc = true; }; + 
openssh = { enable = true; openFirewall = true; permitRootLogin = "no"; passwordAuthentication = false; }; + plex = { enable = true; openFirewall = true; group = "users"; }; + power-profiles-daemon.enable = true; + radarr = { enable = true; openFirewall = true; group = "users"; }; + samba-wsdd = { enable = true; discovery = true; }; + samba = { + enable = true; + enableNmbd = true; + enableWinbindd = true; + nsswins = true; + extraConfig = '' + workgroup = WORKGROUP + load printers = no + smb encrypt = required + ''; + shares = let common = { + "public" = "no"; + "writeable" = "yes"; + "create mask" = "0700"; + "directory mask" = "2700"; + "browseable" = "yes"; + "guest ok" = "no"; + "read only" = "no"; + "force group" = "users"; + }; in + { + bertof = common // { + path = "/mnt/raid/bertof"; + comment = "Bertof samba share"; + "force user" = "bertof"; + "valid users" = "bertof"; + }; + tiziano = common // { + path = "/mnt/raid/tiziano"; + comment = "Tiziano samba share"; + "force user" = "tiziano"; + "valid users" = "tiziano"; + }; + condiviso = common // { + path = "/mnt/raid/condiviso"; + comment = "Samba share condiviso"; + "valid users" = "bertof tiziano"; + "create mask" = "0770"; + "directory mask" = "2770"; + "force create mode" = "0660"; + "force directory mode" = "2770"; + }; + bertof_safe = common // { + path = "/mnt/raid1/bertof"; + comment = "Bertof samba share"; + "force user" = "bertof"; + "valid users" = "bertof"; + }; + tiziano_safe = common // { + path = "/mnt/raid1/tiziano"; + comment = "Tiziano samba share"; + "force user" = "tiziano"; + "valid users" = "tiziano"; + }; + condiviso_safe = common // { + path = "/mnt/raid1/condiviso"; + comment = "Samba share condiviso"; + "valid users" = "bertof tiziano"; + "create mask" = "0770"; + "directory mask" = "2770"; + "force create mode" = "0660"; + "force directory mode" = "2770"; + }; + }; + }; + smartd = { enable = true; notifications.x11.enable = true; }; + sonarr = { enable = true; openFirewall = 
true; group = "users"; }; + thermald.enable = true; + transmission = { + enable = true; + openFirewall = true; + group = "users"; + settings = { + download-dir = "/mnt/raid/condiviso/Scaricati/Torrent"; + incomplete-dir = "/mnt/raid/condiviso/Scaricati/Torrent/.incomplete"; + }; + }; + xserver = { + enable = true; + videoDrivers = [ "nvidia" ]; + layout = "it"; + xkbOptions = "eurosign:e;"; + libinput.enable = true; + }; + zerotierone = { enable = true; joinNetworks = [ "8056c2e21cf9c753" ]; }; + }; + + users.users = { + bertof = { + isNormalUser = true; + extraGroups = [ "audio" "input" "docker" "libvirtd" "network" "usb" "video" "wheel" ]; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W" ]; + shell = pkgs.zsh; + }; + tiziano = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMExwtJFk6HjySrTZwJH67SOHC3hlL28NO4oe2GXsv6k" ]; + }; + }; + + # services.snapper = { + # configs = + # let + # bertofExtraConfig = '' + # ALLOW_USERS="bertof" + # TIMELINE_CREATE=yes + # TIMELINE_CLEANUP=yes + # ''; + # common = { extraConfig = bertofExtraConfig; }; + # in + # { + # bertof_home = common // { subvolume = "/home/bertof"; }; + # }; + # }; + + + systemd.packages = with pkgs; [ syncthing ]; + systemd.services = let common = { + after = [ "network.target" ]; + environment = { STNORESTART = "yes"; STNOUPGRADE = "yes"; }; + wantedBy = [ "default.target" ]; + serviceConfig = { + Restart = "on-failure"; + SuccessExitStatus = "2 3 4"; + RestartForceExitStatus = "3 4"; + Group = config.ids.gids.users; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + CapabilityBoundingSet 
= [ "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" "~CAP_SYS_TIME" "~CAP_KILL" ]; + }; + }; in + { + syncthing-bertof = common // { + description = "Syncthing service bertof"; + serviceConfig = { User = "bertof"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8384 -home=/mnt/raid/bertof/Syncthing/.config"; }; + }; + syncthing-tiziano = common // { + description = "Syncthing service tiziano"; + serviceConfig = { User = "tiziano"; ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8385 -home=/mnt/raid/tiziano/Syncthing/.config"; }; + }; + }; + + networking.firewall = { + enable = true; + allowPing = true; + allowedTCPPorts = [ + 445 # SAMBA + 139 # SAMBA + 5357 # SAMBA-WSDD + 8123 # HOME ASSISTANT + 8384 # SYNCTHING + 8385 # SYNCTHING + ]; + allowedUDPPorts = [ + 137 # SYNCTHING + 138 # SYNCTHING + 3702 # SAMBA-WSDD + ]; + extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns''; + }; + + virtualisation = { + docker.enable = true; + kvmgt.enable = true; + libvirtd.enable = true; + podman.enable = true; + virtualbox.host.enable = true; + + oci-containers.containers = { + hass = { + image = "ghcr.io/home-assistant/home-assistant:stable"; + environment = { + TZ = "Europe/Rome"; + }; + extraOptions = [ "--privileged" "--network=host" "--pull=always" ]; + ports = [ "8123:8123" ]; + volumes = [ + "/var/lib/hass:/config" + "/mnt/raid/condiviso:/media" + ]; + }; + }; + }; + + + security.sudo.extraConfig = '' + Defaults pwfeedback + ''; + + nixpkgs.config.allowUnfree = true; + nix = { + package = pkgs.nixFlakes; + extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes) + "experimental-features = nix-command flakes"; + gc.automatic = true; + }; + + system.autoUpgrade = { + enable = true; + allowReboot = true; + flags = [ + "-I" + "nixos-config=/home/bertof/.config/nixpkgs/nixos/loki.nix" + "--upgrade" + ]; + }; + + 
system.stateVersion = "21.11"; +} diff --git a/loki/hardware-configuration.nix b/loki/hardware-configuration.nix new file mode 100644 index 0000000..b96a203 --- /dev/null +++ b/loki/hardware-configuration.nix @@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "uas" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/eb51e914-c9ab-400d-bd2a-004a3b788caa"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8A71-E5EB"; + fsType = "vfat"; + }; + + fileSystems."/mnt/raid" = { + device = "/dev/sdc"; + fsType = "btrfs"; + }; + + fileSystems."/mnt/raid1" = { + device = "/dev/sde1"; + fsType = "btrfs"; + }; + + swapDevices = [ ]; + +} diff --git a/thor/configuration.nix b/thor/configuration.nix index 2a54081..ef466db 100644 --- a/thor/configuration.nix +++ b/thor/configuration.nix @@ -46,17 +46,9 @@ programs = { dconf.enable = true; flashrom.enable = true; - gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - steam = { - enable = true; - }; - zsh = { - enable = true; - syntaxHighlighting.enable = true; - }; + gnupg.agent = { enable = true; enableSSHSupport = true; }; + steam = { enable = true; }; + zsh = { enable = true; syntaxHighlighting.enable = true; }; }; networking = {
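Review bot: The `hass` container runs with `--privileged` and `--network=host` while TCP 8123 is opened in `networking.firewall.allowedTCPPorts`, so a compromise of the Home Assistant web UI yields root-equivalent access to the host (every capability, all of `/dev`, no network namespace); `--privileged` should be dropped in favour of passing only the specific device HA needs via `--device=` if one is used, e.g. `extraOptions = [ "--network=host" "--pull=always" ];`, and note that the `ports = [ "8123:8123" ]` mapping is ignored under host networking. Both Syncthing units start with `-gui-address=0.0.0.0:8384` / `8385` and the firewall opens those ports, which exposes an unauthenticated web UI that can add folders and remote devices on every interface including wlp7s0 and the ZeroTier network; binding to `127.0.0.1` and reaching it over SSH, or at least setting GUI credentials before opening the port, would close that. `node-red = { enable = true; openFirewall = true; ... }` likewise exposes an editor that runs arbitrary JavaScript as the service user with no `adminAuth` configured in this hunk, and the Sonarr/Radarr/Bazarr/Jackett services ship without authentication by default as far as I know, so `openFirewall = true` on those is best deferred until per-app auth is in place. Finally, `image = "ghcr.io/home-assistant/home-assistant:stable"` combined with `--pull=always` re-resolves a mutable tag on every container start, so pinning by digest (`...home-assistant@sha256:<digest>`) keeps the deployed version reproducible and reviewable.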