From 16b832d5f0b87e7250ce9976cd792261729af2ea Mon Sep 17 00:00:00 2001 From: Emmet Date: Wed, 28 Feb 2024 17:39:00 -0600 Subject: [PATCH] Fixed typos, added autoinstall notes, reworked homelab config --- README.org | 8 ++- install.org | 37 ++++++++++--- profiles/homelab/base.nix | 83 ++++++++++++++++++++++++++++ profiles/homelab/configuration.nix | 88 ++---------------------------- profiles/worklab/README.org | 3 + profiles/worklab/configuration.nix | 10 ++++ profiles/worklab/home.nix | 5 ++ system/security/sshd.nix | 6 +- 8 files changed, 145 insertions(+), 95 deletions(-) create mode 100644 profiles/homelab/base.nix create mode 100644 profiles/worklab/README.org create mode 100644 profiles/worklab/configuration.nix create mode 100644 profiles/worklab/home.nix diff --git a/README.org b/README.org index 273bfdc..cd26d81 100644 --- a/README.org +++ b/README.org @@ -23,9 +23,15 @@ I wrote some reinstall notes for myself [[./install.org][here (install.org)]]. TLDR: You should™ be able to install my dotfiles to an existing UEFI NixOS system with the following script: #+begin_src sh :noeval -nix-shell -p git --command "nix-run gitlab:librephoenix/nixos-config --extra-experimental-features nix-command --extra-experimental-features flakes" +nix-shell -p git --command "nix run gitlab:librephoenix/nixos-config --extra-experimental-features nix-command --extra-experimental-features flakes" #+end_src +Note: If you're installing this to a VM, Hyprland won't work unless 3D acceleration is enabled. + +Disclaimer: If you install my =homelab= or =worklab= profiles /CHANGE THE PUBLIC SSH KEYS UNLESS YOU WANT ME TO BE ABLE TO SSH INTO YOUR SERVER. YOU CAN CHANGE OR REMOVE THE SSH KEY IN THE RELEVANT CONFIGURATION.NIX/: +- [[./profiles/homelab/configuration.nix][configuration.nix]] for homelab profile +- [[./profiles/worklab/configuration.nix][configuration.nix]] for worklab profile + ** Modules Separate Nix files can be imported as modules using an import block: #+BEGIN_SRC nix diff --git a/install.org b/install.org index 670c173..e10aed1 100644 --- a/install.org +++ b/install.org @@ -1,7 +1,7 @@ #+title: Install #+author: Emmet -These are just some simple install notes for myself (in-case I have to reinstall unexpectedly). +These are just some simple install notes for myself (in-case I have to reinstall unexpectedly). You could also use these to try out my config in a VM. ** Automated Install Script (Experimental) *** Install Directly From Git @@ -9,21 +9,21 @@ I wrote a quick automated install script at [[./install.sh][install.sh]]. It ess I'll eventually™ add the ability to supply arguments to this script as well. -The quickest way to install is running the install script directly from the remote git repo using =nix-run=, which is essentially just one of the following: +The quickest way to install is running the install script directly from the remote git repo using =nix run=, which is essentially just one of the following: #+BEGIN_SRC sh :noeval # Install from gitlab -nix-run gitlab:librephoenix/nixos-config +nix run gitlab:librephoenix/nixos-config # Or install from github -nix-run github:librephoenix/nixos-config +nix run github:librephoenix/nixos-config # Or install from codeberg -nix-run git+https://codeberg.org/librephoenix/nixos-config +nix run git+https://codeberg.org/librephoenix/nixos-config #+END_SRC The script will ask for sudo permissions at certain points, /but you should not run the script as root/. -If the above =nix-run= command gives you an error, odds are you either don't have =git= installed, or you haven't enabled the experimental features in your Nix config (=nix-command= and =flakes=). To get the command to install properly, you can first enter a shell with =git= available using: +If the above =nix run= command gives you an error, odds are you either don't have =git= installed, or you haven't enabled the experimental features in your Nix config (=nix-command= and =flakes=). To get the command to install properly, you can first enter a shell with =git= available using: #+begin_src sh :noeval nix-shell -p git #+end_src @@ -34,11 +34,17 @@ nix-run gitlab:librephoenix/nixos-config --extra-experimental-features nix-comma And if you want a single copy-paste solution: #+begin_src sh :noeval -nix-shell -p git --command "nix-run gitlab:librephoenix/nixos-config --extra-experimental-features nix-command --extra-experimental-features flakes" +nix-shell -p git --command "nix run gitlab:librephoenix/nixos-config --extra-experimental-features nix-command --extra-experimental-features flakes" #+end_src At a certain point in the install script it will open =nano= (or whatever your $EDITOR is set to) and ask you to edit the =flake.nix=. You can edit as much or as little of the config variables as you like, and it will continue the install after you exit the editor. +Note: If you're installing this to a VM, Hyprland won't work unless 3D acceleration is enabled. + +Disclaimer: If you install my =homelab= or =worklab= profiles /CHANGE THE PUBLIC SSH KEYS UNLESS YOU WANT ME TO BE ABLE TO SSH INTO YOUR SERVER. YOU CAN CHANGE OR REMOVE THE SSH KEY IN THE RELEVANT CONFIGURATION.NIX/: +- [[./profiles/homelab/configuration.nix][configuration.nix]] for homelab profile +- [[./profiles/worklab/configuration.nix][configuration.nix]] for worklab profile + *** Install From Local Git Clone The dotfiles can be installed after cloning the repo into =~/.dotfiles= using: #+BEGIN_SRC sh :noeval @@ -46,7 +52,13 @@ git clone https://gitlab.com/librephoenix/nixos-config.git ~/.dotfiles ~/.dotfiles/install.sh #+END_SRC -At a certain point in the install script it will open =nano= (or whatever your $EDITOR is set to) and ask you to edit the =flake.nix=. You can edit as much or as little of the config variables as you like, and it will continue the install after you exit the editor. +At a certain point in the install script it will open =nano= (or whatever your =$EDITOR= is set to) and ask you to edit the =flake.nix=. You can edit as much or as little of the config variables as you like, and it will continue the install after you exit the editor. + +Note: If you're installing this to a VM, Hyprland won't work unless 3D acceleration is enabled. + +Disclaimer: If you install my =homelab= or =worklab= profiles /CHANGE THE PUBLIC SSH KEYS UNLESS YOU WANT ME TO BE ABLE TO SSH INTO YOUR SERVER. YOU CAN CHANGE OR REMOVE THE SSH KEY IN THE RELEVANT CONFIGURATION.NIX/: +- [[./profiles/homelab/configuration.nix][configuration.nix]] for homelab profile +- [[./profiles/worklab/configuration.nix][configuration.nix]] for worklab profile *** Automatic Install Script Limitations At this time, this only works on an existing NixOS install. It also only works if the dotfiles are cloned into =~/.dotfiles=. It also only works on UEFI, not on BIOS :( @@ -84,6 +96,12 @@ let There are many more config options there that you may also want to change as well. +Note: If you're installing this to a VM, Hyprland won't work unless 3D acceleration is enabled. + +Disclaimer: If you install my =homelab= or =worklab= profiles /CHANGE THE PUBLIC SSH KEYS UNLESS YOU WANT ME TO BE ABLE TO SSH INTO YOUR SERVER. YOU CAN CHANGE OR REMOVE THE SSH KEY IN THE RELEVANT CONFIGURATION.NIX/: +- [[./profiles/homelab/configuration.nix][configuration.nix]] for homelab profile +- [[./profiles/worklab/configuration.nix][configuration.nix]] for worklab profile + *** Rebuild and Switch System Config Once the variables are set, then switch into the system configuration by running: #+BEGIN_SRC sh :noeval @@ -112,3 +130,6 @@ No. You can put them in literally any directory you want. I just prefer to use = *** So I cloned these dotfiles into ~/.dotfiles, and now there are system-level files owned by my user account.. HOW IS THIS SECURE?! If you're worried about someone modifying your system-level (root configuration) files as your unpriveleged user, see [[./harden.sh][harden.sh]]. + +*** I installed this to a VM and when I log in, it crashes and sends me back to the login manager (SDDM)? +Enable 3D acceleration for your virtual machine. Hyprland doesn't work without it. diff --git a/profiles/homelab/base.nix b/profiles/homelab/base.nix new file mode 100644 index 0000000..c32ce2c --- /dev/null +++ b/profiles/homelab/base.nix @@ -0,0 +1,83 @@ +{ lib, pkgs, systemSettings, userSettings, ... }: + +{ + imports = + [ ../../system/hardware-configuration.nix + ../../system/hardware/time.nix # Network time sync + ../../system/security/doas.nix + ../../system/security/gpg.nix + ( import ../../system/app/docker.nix {storageDriver = "btrfs"; inherit userSettings pkgs lib;} ) + ]; + + # Fix nix path + nix.nixPath = [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=$HOME/dotfiles/system/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + + # Ensure nix flakes are enabled + nix.package = pkgs.nixFlakes; + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; + + # I'm sorry Stallman-taichou + nixpkgs.config.allowUnfree = true; + + # Kernel modules + boot.kernelModules = [ "i2c-dev" "i2c-piix4" ]; + + # Bootloader + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot"; + + # Networking + networking.hostName = systemSettings.hostname; # Define your hostname. + networking.networkmanager.enable = true; # Use networkmanager + + # Timezone and locale + time.timeZone = systemSettings.timezone; # time zone + i18n.defaultLocale = systemSettings.locale; + i18n.extraLocaleSettings = { + LC_ADDRESS = systemSettings.locale; + LC_IDENTIFICATION = systemSettings.locale; + LC_MEASUREMENT = systemSettings.locale; + LC_MONETARY = systemSettings.locale; + LC_NAME = systemSettings.locale; + LC_NUMERIC = systemSettings.locale; + LC_PAPER = systemSettings.locale; + LC_TELEPHONE = systemSettings.locale; + LC_TIME = systemSettings.locale; + }; + + # User account + users.users.${userSettings.username} = { + isNormalUser = true; + description = userSettings.name; + extraGroups = [ "networkmanager" "wheel" ]; + packages = with pkgs; []; + uid = 1000; + }; + + # System packages + environment.systemPackages = with pkgs; [ + vim + wget + zsh + git + rclone + rdiff-backup + cryptsetup + gocryptfs + ]; + + # I use zsh btw + environment.shells = with pkgs; [ zsh ]; + users.defaultUserShell = pkgs.zsh; + programs.zsh.enable = true; + + # It is ok to leave this unchanged for compatibility purposes + system.stateVersion = "22.11"; + +} diff --git a/profiles/homelab/configuration.nix b/profiles/homelab/configuration.nix index 8a9b382..f589ee8 100644 --- a/profiles/homelab/configuration.nix +++ b/profiles/homelab/configuration.nix @@ -1,85 +1,9 @@ -{ lib, pkgs, systemSettings, userSettings, ... }: +{ userSettings, ... }: { - imports = - [ ../../system/hardware-configuration.nix - ../../system/hardware/time.nix # Network time sync - ../../system/security/doas.nix - ../../system/security/gpg.nix - ../../system/security/sshd.nix - ( import ../../system/app/docker.nix {storageDriver = "btrfs"; inherit userSettings pkgs lib;} ) - ]; - - # Fix nix path - nix.nixPath = [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" - "nixos-config=$HOME/dotfiles/system/configuration.nix" - "/nix/var/nix/profiles/per-user/root/channels" - ]; - - # Ensure nix flakes are enabled - nix.package = pkgs.nixFlakes; - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; - - # I'm sorry Stallman-taichou - nixpkgs.config.allowUnfree = true; - - # Kernel modules - boot.kernelModules = [ "i2c-dev" "i2c-piix4" ]; - - # Bootloader - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.efi.efiSysMountPoint = "/boot"; - - # Networking - networking.hostName = systemSettings.hostname; # Define your hostname. - networking.networkmanager.enable = true; # Use networkmanager - - # Timezone and locale - time.timeZone = systemSettings.timezone; # time zone - i18n.defaultLocale = systemSettings.locale; - i18n.extraLocaleSettings = { - LC_ADDRESS = systemSettings.locale; - LC_IDENTIFICATION = systemSettings.locale; - LC_MEASUREMENT = systemSettings.locale; - LC_MONETARY = systemSettings.locale; - LC_NAME = systemSettings.locale; - LC_NUMERIC = systemSettings.locale; - LC_PAPER = systemSettings.locale; - LC_TELEPHONE = systemSettings.locale; - LC_TIME = systemSettings.locale; - }; - - # User account - users.users.${userSettings.username} = { - isNormalUser = true; - description = userSettings.name; - extraGroups = [ "networkmanager" "wheel" ]; - packages = with pkgs; []; - uid = 1000; - }; - - # System packages - environment.systemPackages = with pkgs; [ - vim - wget - zsh - git - rclone - rdiff-backup - cryptsetup - gocryptfs - cryfs - ]; - - # I use zsh btw - environment.shells = with pkgs; [ zsh ]; - users.defaultUserShell = pkgs.zsh; - programs.zsh.enable = true; - - # It is ok to leave this unchanged for compatibility purposes - system.stateVersion = "22.11"; - + imports = [ ./base.nix + ( import ../../system/security/sshd.nix { + authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDaeejVJwUVrIZSo1isbu+gkQ7+8ftCgCsczy3OclkEVWHyRTqlG6yp74hr3j8ZNsOhov7c2Q6RqC8oy669hlxi/y9BsvtlI7sBr94oAKFOmkCS4RiK72ngJjBvI0vbk89wQQjmAd3r8B7ZcedpNOC8CkHu8SebKdYPRIUvAbPc3fTEt7DsJkazAepZCB8LEhUp57FAqQ/Ezlt3X/1uwNq5S0EbE9Zm+nUpEfSqR9apY2neKWLyGiCxpK3dzyNOuulCxvtVz+ie2sTk/6SxM+qWEoVVxhdwyxPihEjgC0EvtG0S5mVh5JmcjRkJOzzBHJuw+6r8yWn/AxGdIsoJ4rKNxH1XH1iLHgCraOLOUjUNlmejTcQPu6o92a79fdz2gCHT/BuIjfCW7MErAC3YSmF45TSur/kiWCBaTqYo06pgbQ3w1vKg7fievQlQzsutmg47RvJp6fb74yxuOdVg39cShQu/l8r6zqm21JAeUaaIp4P/0MrAIMOOVUhbK0QgsNElO4yn0ZKH8wGIF8xORh7ikxUIAyq8C41gjJiO2sAFJc3M8DhduQU3X0lHB7U0Qyu+8ZXn05+zdFPXJ73LKc7DCcLkppRXJsdHLSDEFdWqFnV7o08B4qZkPMT4pmvhwhY0Pf1fwavOqxuTstzw18gUGyQzl0foQi0Qrmdazsp2Qw== emmet@snowfire"]; + inherit userSettings; }) + ]; } diff --git a/profiles/worklab/README.org b/profiles/worklab/README.org new file mode 100644 index 0000000..b1c5ff7 --- /dev/null +++ b/profiles/worklab/README.org @@ -0,0 +1,3 @@ +#+title: Worklab Template + +This is literally just my homelab configuration, but setup to work with the ssh keys on my work computer. Used for small servers at work. diff --git a/profiles/worklab/configuration.nix b/profiles/worklab/configuration.nix new file mode 100644 index 0000000..56dcbbc --- /dev/null +++ b/profiles/worklab/configuration.nix @@ -0,0 +1,10 @@ +{ userSettings, ... }: + +{ + imports = [ ../homelab/base.nix + ( import ../../system/security/sshd.nix { + # TODO add public ssh key for worklab + authorizedKeys = [ ]; + inherit userSettings; }) + ]; +} diff --git a/profiles/worklab/home.nix b/profiles/worklab/home.nix new file mode 100644 index 0000000..96bcc74 --- /dev/null +++ b/profiles/worklab/home.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + imports = [ ../homelab/home.nix ]; +} diff --git a/system/security/sshd.nix b/system/security/sshd.nix index a753e05..672548b 100644 --- a/system/security/sshd.nix +++ b/system/security/sshd.nix @@ -1,4 +1,4 @@ -{ userSettings, ... }: +{ userSettings, authorizedKeys ? [], ... }: { # Enable incoming ssh @@ -10,7 +10,5 @@ PermitRootLogin = "no"; }; }; - users.users.${userSettings.username}.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDaeejVJwUVrIZSo1isbu+gkQ7+8ftCgCsczy3OclkEVWHyRTqlG6yp74hr3j8ZNsOhov7c2Q6RqC8oy669hlxi/y9BsvtlI7sBr94oAKFOmkCS4RiK72ngJjBvI0vbk89wQQjmAd3r8B7ZcedpNOC8CkHu8SebKdYPRIUvAbPc3fTEt7DsJkazAepZCB8LEhUp57FAqQ/Ezlt3X/1uwNq5S0EbE9Zm+nUpEfSqR9apY2neKWLyGiCxpK3dzyNOuulCxvtVz+ie2sTk/6SxM+qWEoVVxhdwyxPihEjgC0EvtG0S5mVh5JmcjRkJOzzBHJuw+6r8yWn/AxGdIsoJ4rKNxH1XH1iLHgCraOLOUjUNlmejTcQPu6o92a79fdz2gCHT/BuIjfCW7MErAC3YSmF45TSur/kiWCBaTqYo06pgbQ3w1vKg7fievQlQzsutmg47RvJp6fb74yxuOdVg39cShQu/l8r6zqm21JAeUaaIp4P/0MrAIMOOVUhbK0QgsNElO4yn0ZKH8wGIF8xORh7ikxUIAyq8C41gjJiO2sAFJc3M8DhduQU3X0lHB7U0Qyu+8ZXn05+zdFPXJ73LKc7DCcLkppRXJsdHLSDEFdWqFnV7o08B4qZkPMT4pmvhwhY0Pf1fwavOqxuTstzw18gUGyQzl0foQi0Qrmdazsp2Qw== emmet@snowfire" - ]; + users.users.${userSettings.username}.openssh.authorizedKeys.keys = authorizedKeys; }