Diffstat (limited to 'hosts')
35 files changed, 1286 insertions, 0 deletions
diff --git a/hosts/T495/configuration.nix b/hosts/T495/configuration.nix
new file mode 100644
index 0000000..eb24cba
--- /dev/null
+++ b/hosts/T495/configuration.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }: {
+ imports = [ ./wg.nix ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ # Use desktop profile
+ profiles.desktop = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ # Install software
+ collections = {
+ desktop = {
+ extraUtilities.enable = true;
+ cad.enable = true;
+ chromium.enable = true;
+ crypto.enable = true;
+ graphics.enable = true;
+ office.enable = true;
+ };
+ development = {
+ android.enable = true;
+ c.enable = true;
+ docker.enable = true;
+ lua.enable = true;
+ web = {
+ hugo = {
+ enable = true;
+ openFirewall = true;
+ };
+ node.enable = true;
+ };
+ };
+ bluetooth.enable = true;
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy = {
+ enable = true;
+ autologin.enable = true;
+ nas = {
+ enable = true;
+ office.enable = true;
+ };
+ wifi.enable = true;
+ };
+
+ # Install spotify
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+ "spotify"
+ ];
+ environment.systemPackages = with pkgs; [
+ spotify
+ ];
+
+ # Use amdgpu driver for x11
+ services.xserver.videoDrivers = [ "amdgpu" ];
+
+ # Configure home
+ home-manager.users.timmy = {
+ gtk._mintTheme = {
+ dark = true;
+ color = "Purple";
+ icons.color = "Purple";
+ };
+ programs._st = {
+ enable = true;
+ font = {
+ name = "TamzenForPowerline";
+ attrs = {
+ pixelsize = 20;
+ };
+ };
+ };
+ programs._seasonalwallpaper.wallpapers.download = true;
+ fonts.fontconfig = {
+ subpixelRendering = "rgb";
+ hinting = "slight";
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/T495/hardware-configuration.nix b/hosts/T495/hardware-configuration.nix
new file mode 100644
index 0000000..6258a83
--- /dev/null
+++ b/hosts/T495/hardware-configuration.nix
@@ -0,0 +1,49 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/4256823f-107b-41a9-851d-6bd9939f1f4b";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/f20115a9-0a0e-43d2-9cee-c705b2de43b9";
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/4256823f-107b-41a9-851d-6bd9939f1f4b";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/9441-53B1";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/T495/resources/secrets/wg0.yaml b/hosts/T495/resources/secrets/wg0.yaml
new file mode 100644
index 0000000..bcab052
--- /dev/null
+++ b/hosts/T495/resources/secrets/wg0.yaml
@@ -0,0 +1,16 @@
+wg0: ENC[AES256_GCM,data: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,iv:n/iFkwZqFbuMXrfcc8K6WSnM5sNDf0Ja+PpoKmyCnQ0=,tag:lFFsnHPXGYjlYBUnUADU3Q==,type:str]
+sops:
+ age:
+ - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NEN4NGxDR1oreGVoSGhE
+ TzMxSEY0QVBhS2Z6MW15ci9aVlJ0a3IyVlZBCldPRVNvcUhJSHhWSEk3akd4RjN0
+ ajhUV2d1ZWRsRFU4cTE2dGl6RmM4MGsKLS0tIFhnUjl5aDJqWVB1NE15SlNzR2Iv
+ YTNydURsOUMrSXZGdk9UOUdUQlA0SFUKxEDJRR6tpYva9qpWo9NxwCxk/xpRVoTl
+ YJkmDZzMcXikXXiro96AprP9dXJXvMPKYPGl2Zsal8PlGFPBoHW2GA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-19T02:34:09Z"
+ mac: ENC[AES256_GCM,data:AwSZ7gPvvUR90E36gZwmn3m+zw2zAhUAVjMIt1O4ln56p/cmYYRiI4VZqbMmlLOx9al1sM6dFuenEWhgY7XJbURdD1esc9DvooK/3t6EcJKiLDk1+9XvtEcx5BgGDUbV13HmbJIzEi994BzocYaDAQGxxicMVbn6PVCE59md7f8=,iv:LJB4Cqeqa5lqa2na7sptDvPgXI/tclMPieBO4gWb1J0=,tag:eJl7xPddeci3qI0DV27Dig==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/hosts/T495/wg.nix b/hosts/T495/wg.nix
new file mode 100644
index 0000000..3881b63
--- /dev/null
+++ b/hosts/T495/wg.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg0.sopsFile = ./resources/secrets/wg0.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg0.configFile = config.sops.secrets.wg0.path;
+ };
+}
diff --git a/hosts/X230/configuration.nix b/hosts/X230/configuration.nix
new file mode 100644
index 0000000..fcf0b05
--- /dev/null
+++ b/hosts/X230/configuration.nix
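Review bot: The module header of hosts/T495/wg.nix declares `pkgs` and `inputs` but neither is referenced in the body; only `config` is used, so the pattern can shrink to `{ config, ... }: {`. The same unused arguments appear in hosts/X230/wg.nix, hosts/flex-wg-router/wg.nix and hosts/hp-envy-office/wg.nix. A one-line header comment would also help a reader who does not know sops-nix, e.g. `# wg-quick reads the full interface config (incl. private key) from the sops-decrypted file at activation time`.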
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }: {
+ imports = [ ./wg.nix ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ # Use desktop profile
+ profiles.desktop = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ # Install software
+ collections = {
+ desktop = {
+ crypto.enable = true;
+ graphics.enable = true;
+ office.enable = true;
+ };
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy = {
+ enable = true;
+ autologin.enable = true;
+ wifi.enable = true;
+ };
+
+ # Use intel driver for better performance and vsync
+ services.xserver.videoDrivers = [ "intel" ];
+
+ # Configure home
+ home-manager.users.timmy = {
+ gtk._mintTheme = {
+ dark = true;
+ color = "Teal";
+ icons.color = "Teal";
+ };
+ fonts.fontconfig.defaultFonts.monospace = [ "TamzenForPowerline" ];
+ gtk = {
+ font.name = "monospace";
+ font.size = 8;
+ cursorTheme.size = 24;
+ };
+ programs._st = {
+ enable = true;
+ font = {
+ name = "TamzenForPowerline";
+ attrs = {
+ pixelsize = 14;
+ };
+ };
+ };
+ programs._seasonalwallpaper.wallpapers.download = true;
+ fonts.fontconfig = {
+ subpixelRendering = "rgb";
+ hinting = "full";
+ };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/X230/hardware-configuration.nix b/hosts/X230/hardware-configuration.nix
new file mode 100644
index 0000000..0791585
--- /dev/null
+++ b/hosts/X230/hardware-configuration.nix
@@ -0,0 +1,48 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/41036740-73bc-4004-a302-01233b4d83b8";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/6019772f-4a1c-4abd-9c70-b1d71cc2de65";
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/41036740-73bc-4004-a302-01233b4d83b8";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/72D4-F66A";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/X230/resources/secrets/wg0.yaml b/hosts/X230/resources/secrets/wg0.yaml
new file mode 100644
index 0000000..5941b70
--- /dev/null
+++ b/hosts/X230/resources/secrets/wg0.yaml
@@ -0,0 +1,16 @@
+wg0: ENC[AES256_GCM,data:wcgowNptTdrJNjzH6n/ulbec5+GPkuRAUNidWFy4dhClioTg8vdrXhhwP+sykwEZYOjsLurkU0Rw1w9ds+AGe3J+FnW1qKdskcY+8t/CyNY51pUbzMCKxexnNj52+0+VlH6FAUyplo6ESg/vlWCFyuyACWjQfdqDW/1PxJzrYqZ7MIwbCdntjE/84F52BqxePt3LolzvzTGUOx5Lr6Jbv9i3tv1R9NmZxt5t2gwaGbIIPWMVZh972w5HJYa8bfx67vuyj6HE46tMiu8WdQbHfjRvVIA+0OtHihpDGHfi5Q6iXpO/rk4YJZjsiEgTMTqD08HD5Gm+wBFwHSJjCOBpBsq3GsspDLNI+EXel7Gmtk+BhL1tFQdpYPwz7bHd03Znawr4Br7R0gHJg4FXnhKlG+SyDqXKirnCyCTfUotIBmU0dX4tzmwiOMyvImgXZA==,iv:GAk27qkZDopzdWnBeL7yTmyn9dM2wSzKd41NRhsyNNY=,tag:Ba7jZhqEa8dUedIvVFBbHA==,type:str]
+sops:
+ age:
+ - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NEN4NGxDR1oreGVoSGhE
+ TzMxSEY0QVBhS2Z6MW15ci9aVlJ0a3IyVlZBCldPRVNvcUhJSHhWSEk3akd4RjN0
+ ajhUV2d1ZWRsRFU4cTE2dGl6RmM4MGsKLS0tIFhnUjl5aDJqWVB1NE15SlNzR2Iv
+ YTNydURsOUMrSXZGdk9UOUdUQlA0SFUKxEDJRR6tpYva9qpWo9NxwCxk/xpRVoTl
+ YJkmDZzMcXikXXiro96AprP9dXJXvMPKYPGl2Zsal8PlGFPBoHW2GA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-09T12:36:15Z"
+ mac: ENC[AES256_GCM,data:T8hQbFrPOGYQl8tbqUMLdQN3qjhcAXmKfwqEsLQkDjr2nxUXDz8d58TUsaRvkHC4jPo9lXyPL5SSpua2kzJIcDDLPkiPB/3qV8ksJQ0dgcfLkUnrI1mtoo9AOPnHrTjstSAR2cmiFbCTqRpkLnGwI+NoCLjNjd/GNSAlMl00QMg=,iv:boSHzNAuKGkAhtkApOOJEtW4gt13mMmCin24gf3dXIs=,tag:1+4+BE8ZPgvgf4RlH6Wmhw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/X230/wg.nix b/hosts/X230/wg.nix
new file mode 100644
index 0000000..3881b63
--- /dev/null
+++ b/hosts/X230/wg.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg0.sopsFile = ./resources/secrets/wg0.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg0.configFile = config.sops.secrets.wg0.path;
+ };
+}
diff --git a/hosts/flex-wg-router/configuration.nix b/hosts/flex-wg-router/configuration.nix
new file mode 100644
index 0000000..18d9667
--- /dev/null
+++ b/hosts/flex-wg-router/configuration.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }: let
+ ipAddress = "10.1.1.1";
+in {
+ imports = [ ./wg.nix ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ profiles.headless = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ profiles.router.enable = true;
+ };
+
+ networking = {
+ # Label lan and wan interfaces
+ _interfaceLabels = {
+ enable = true;
+ interfaces = {
+ lan0 = "98:b7:85:22:9b:43"; # External
+ wan0 = "54:ee:75:8c:4b:2d"; # Internal
+ };
+ };
+ # Set ip addresses
+ interfaces = {
+ lan0.ipv4.addresses = [{
+ address = ipAddress;
+ prefixLength = 24;
+ }];
+ wan0.ipv4.addresses = [{
+ address = "46.110.173.163"; # Reserved static ip for wg-router
+ prefixLength = 31;
+ }];
+ };
+ defaultGateway = {
+ address = "46.110.173.161";
+ interface = "wan0";
+ };
+ # Firewall rules
+ firewall = {
+ interfaces.wan0 = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+ };
+
+ # Router config
+ services._router = {
+ dnsDhcpConfig = {
+ localDomain = "wg-router.pls.lan";
+ dhcp = {
+ defaultGateway = ipAddress;
+ localhostIp = ipAddress;
+ rangeStart = "10.1.1.100";
+ rangeEnd = "10.1.1.250";
+ staticLeases = {
+ idrac-8HT2W52 = {
+ macAddress = "18:fb:7b:9d:16:b3";
+ staticIp = "10.1.1.10";
+ };
+ };
+ };
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy.enable = true;
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/flex-wg-router/hardware-configuration.nix b/hosts/flex-wg-router/hardware-configuration.nix
new file mode 100644
index 0000000..01cff6d
--- /dev/null
+++ b/hosts/flex-wg-router/hardware-configuration.nix
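Review bot: The trailing comments in `_interfaceLabels.interfaces` contradict the rest of the file: `lan0` is annotated `# External` and `wan0` `# Internal`, yet `wan0` carries the public /31 address, the default gateway and the only firewall opening, while `lan0` holds 10.1.1.1/24 and serves DHCP. On a router the label-to-MAC mapping decides which NIC the `interfaces.wan0` firewall rules and the permissive LAN side apply to, so this needs to be settled rather than left ambiguous. If the MAC assignments are the ones that are right, the fix is to swap the comments: `lan0 = "98:b7:85:22:9b:43"; # Internal` and `wan0 = "54:ee:75:8c:4b:2d"; # External`; if the comments are right, the two MAC strings must be swapped instead, which I cannot verify from here.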
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/01eae5fd-a46e-4a36-8a9d-247a0b16bcef";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/345A-436A";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/01eae5fd-a46e-4a36-8a9d-247a0b16bcef";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/flex-wg-router/resources/secrets/wg.yaml b/hosts/flex-wg-router/resources/secrets/wg.yaml
new file mode 100644
index 0000000..1f6867b
--- /dev/null
+++ b/hosts/flex-wg-router/resources/secrets/wg.yaml
@@ -0,0 +1,17 @@
+wg1: ENC[AES256_GCM,data:r7jNBzEcItmlEtjhKCbyOBaNYfutKxC2UdUYSLHfYyLnwwdIwM1kfvd5K1/UZNAKoG7sHpBha59M1tvZAOIGAFnzG14YsVrMD8w6Qy4pc0FmdyNHDEM4EwaqHFRjbb5oBAFv6lI2VZ3AgXf6StXoVUYtbEA1QBVqVq4Syk6/CalnhkE2LuZpuVA5GZUZ8aTmFRp9zOnhcNoVJMrokTUswV4Mgn3zt2Tb+3bfoZJ9jbb6H8P/F0NGU+phy0EENZMIqOGBP5aPPIZfVQYphQcG6BYiddti3Copq57vqh/qOB70LPle6b/IsaT/K8Xqjp8PjNI/e5gkZdVwIGx/w3Gk0+CkD0tDEUMBdsFfvm7Dbz3xQxN66/0ZMGQgic0xtytr/DfKCIMIwsr33GKavP7OXEJ6lUF615Y4PQhNNx4ePlgcttt2b7TG5bM8nxKsaQ==,iv:mLYNgKXCp8w2JO90Rsn7gtifEn4Yc6JKnjws7uo1w10=,tag:c51B1fZe1HnJhFDc86HnOg==,type:str]
+wg0: ENC[AES256_GCM,data:SJQ21aLwoQ0nEHfoHRd+ksL8pX7HoCRVjGIS/BZxq9JQhHJg9ZHHbwwUkz/3vrq1S+PD7e1bL0FHpgHPuZVHawpaFIeWd6TEPH+6oUxlRbDaEbcWR5POlNyMVV3z9TnOElgmqT0VUqfY80NEqFPbCLdjcWHjnwO4nzrEhPMA9WG2PFCAnZNUtVXh2mnblA61/xmxkSVysahBP+bTHA8a+v/AXy7WrHbnHizTeevdCMqWyDhzHvO8hfH4tU/xJ7GQrG/bxk4JZ6XT8a2CAqmNEKyWicB/zSc5NdILNQL7Kx2mzg/fDp4nltf7iBRZfLuN+r7whrKJ2lJQPATeyjMlIgHUcnohjihiOsGYiBcB3/Y4hIHVt7rRBMoFBB2OgNKC3gx6saZreRxLHZcRZFcVm39G9vaw6EI=,iv:qO8vMlstL/kOxFSlUd/dCtAK9ZzZt+LH/9vfulqHiMc=,tag:yuiwA8Hp8qDrF3UPlCMSUg==,type:str]
+sops:
+ age:
+ - recipient: age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNVZ5dmNSd1NRQUhURkl2
+ dnk3MkNjMFUyNnU5L1FFNTV0a1NUbUZ6ZUEwCmNNUldIdnoycVpwUHJrcXZvZXp5
+ NGVHcUlHUm1uK0QxV1JmdDVyQVoxZDgKLS0tIDJhSHhkYjNML045SHNobytucnVZ
+ L25wUWRJbzZMZDFseXdvOFJXQVRxN28KJjC3ola24tTEV8tFYpnsId4d0S+jHkS9
+ ME6i4jorWRlQKdYn/gTUoqgMAvJEc73hjTfgX6bFshhuhflfGxXQQw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T19:40:45Z"
+ mac: ENC[AES256_GCM,data:XON+JNOWr6WRYYI0+vCC4qiDST8iY/XQZlkB16l5vMsirS3j5iAIi60hn5viFqMn+IIV7GretbVnBVP32R4C59II8bIySzrsdJj5AuvTvdBvglhkelhiDnchqE98KCG9zr41bJsSaQ/8ubRy7b5jiu9aqzQFg9UQZousecIu/MU=,iv:IJNCc05iu0sZxa3RFh5l1TMcwl3YKRtVXn4wfdOy6M8=,tag:OO5uC8nAjqsWoxC1N801GA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/flex-wg-router/wg.nix b/hosts/flex-wg-router/wg.nix
new file mode 100644
index 0000000..b454b81
--- /dev/null
+++ b/hosts/flex-wg-router/wg.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg0.sopsFile = ./resources/secrets/wg.yaml;
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg0.configFile = config.sops.secrets.wg0.path;
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+}
diff --git a/hosts/hp-envy-office/configuration.nix b/hosts/hp-envy-office/configuration.nix
new file mode 100644
index 0000000..c55c07b
--- /dev/null
+++ b/hosts/hp-envy-office/configuration.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }: {
+ imports = [ ./wg.nix ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+ boot.loader.timeout = 15; # Show for longer since it's usually skipped
+
+ # Enable common options
+ _archetypes = {
+ # Use desktop profile
+ profiles.desktop = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ # Install software
+ collections = {
+ desktop = {
+ extraUtilities.enable = true;
+ chromium.enable = true;
+ graphics.enable = true;
+ office.enable = true;
+ };
+ development = {
+ docker.enable = true;
+ web = {
+ node.enable = true;
+ };
+ };
+ virtualization.enable = true;
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy = {
+ enable = true;
+ nas = {
+ enable = true;
+ office.enable = true;
+ office.automount = true;
+ };
+ };
+
+ # Disable suspend
+ systemd._suspend.disable = true;
+
+ # Use amdgpu driver for x11
+ services.xserver.videoDrivers = [ "amdgpu" ];
+
+ # Configure home
+ home-manager.users.timmy = {
+ gtk._mintTheme = {
+ dark = true;
+ color = "Blue";
+ icons.color = "Blue";
+ };
+ programs._seasonalwallpaper.wallpapers.download = true;
+ fonts.fontconfig = {
+ subpixelRendering = "rgb";
+ hinting = "none";
+ };
+ gtk.gtk3.bookmarks = [
+ "file:///home/timmy/docs/src/sites/admin Admin"
+ "file:///media/chexx/chexx cHEXx"
+ ];
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/hp-envy-office/hardware-configuration.nix b/hosts/hp-envy-office/hardware-configuration.nix
new file mode 100644
index 0000000..22a8c24
--- /dev/null
+++ b/hosts/hp-envy-office/hardware-configuration.nix
@@ -0,0 +1,48 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ums_realtek" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5749d84b-690b-43a2-b834-f94675003189";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/4a617e54-4800-4474-b1fd-3bca5f66e55a";
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/5749d84b-690b-43a2-b834-f94675003189";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/5E93-7CE3";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/hp-envy-office/resources/secrets/wg.yaml b/hosts/hp-envy-office/resources/secrets/wg.yaml
new file mode 100644
index 0000000..f3b53aa
--- /dev/null
+++ b/hosts/hp-envy-office/resources/secrets/wg.yaml
@@ -0,0 +1,16 @@
+wg1: ENC[AES256_GCM,data:XWdnE2QvfvFlMKUW6BoUSsEXDmYj4aNfbxvA6pFeIZM7NEtIwC4/NsplPwFIZwF372/bwDGXGocuh5gd1p/eAlsyz2DrAS+8g1+4T40EPPmXPgh++vUTvcpPlt74Qxp2yAeEU4CU7UPLvlxSvNjh5PGS68Cw7KxSB7kiWFxRWtm5oVfb+U6cBaQE6Biie7wPmXNWOobGHTfFYDeNmH6w33nH4lCV2MC0eYty9ytwHeVS7gUNrk4oxIfd+1FmNzwNHtVZvRg4wRzcc2M9fD0LuyuY6QVS/qaJG4hNNEHZ6qa0VMTnOzQ4jFHtd5jnz2vb7ckE7UWcFPjXYObcykk0End7sHVN/bD+fUv56JKZOHvVYFgs6OwCzUPAufnv10+h,iv:LMEpZW3mwGuIpJoacBYL8M0ROVNeVMzeb7ncZtfxIDA=,tag:aNCziN9CVgm0IB8VvVorEA==,type:str]
+sops:
+ age:
+ - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdUJRS21FeFlseWJXU1dt
+ MnhQRnFvZWM0M1o4bUhBWW9KRDdnZ1pGZkYwCnhPYmFHZmdnRS9lb2xsTXZBcmIx
+ dHF5dmlrbjJyUk84QVBLTEFwMWdESGMKLS0tIHFyZGpSeTFoNEQyZThFc2RyQkhY
+ Q1ZvODVWSXE1STlkZ09tVXdVeU1WaVkKhKMfJclNgHXN7pww2w3AaKwcWiBo676g
+ RWSkV6C+5purA0CzTu1uC3CKz8UK8mVgPfamSZdZQU8+6bGMmseWoQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T19:32:51Z"
+ mac: ENC[AES256_GCM,data:zpEYjHqta6HuRHIKijbLmAND5mCaR14ZUdEeXq/zJ8g4DgWrAkaukhYdXhLH+SEUZt8d3tmj5Eq+6oz9qEjdWhBuPykxVBmBiqIhQBgACCMhSL5v3wY1rxL2ZiQ7szEuwh0GjXpkzPno0Z2+xZ6FzVsJdGnZwykru+JWQcUIfvk=,iv:yUiP/clvI/NnDrji9eMYiTqtO1xsTc7u86V/nlQSMIA=,tag:UyMz/BdYoGxXCJIb8tITcQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/hp-envy-office/wg.nix b/hosts/hp-envy-office/wg.nix
new file mode 100644
index 0000000..763496e
--- /dev/null
+++ b/hosts/hp-envy-office/wg.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+}
diff --git a/hosts/libreX60/bios-flashing.nix b/hosts/libreX60/bios-flashing.nix
new file mode 100644
index 0000000..6117813
--- /dev/null
+++ b/hosts/libreX60/bios-flashing.nix
@@ -0,0 +1,8 @@
+# https://libreboot.org/docs/install/#thinkpad-t60x60x60tabletx60s
+
+{ pkgs, ... }: {
+ environment.systemPackages = [ pkgs.flashprog ];
+
+ boot.kernelParams = [ "iomem=relaxed" ];
+}
+
diff --git a/hosts/libreX60/configuration.nix b/hosts/libreX60/configuration.nix
new file mode 100644
index 0000000..2ebb333
--- /dev/null
+++ b/hosts/libreX60/configuration.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }: {
+ imports = [
+ ./powertop-auto-tune.nix
+ # Uncomment this module and reboot to enable bios flashing
+ #./bios-flashing.nix
+ ];
+
+ # Use grub
+ boot._loader = {
+ enable = true;
+ loader = "grub";
+ mode = "bios";
+ grub.biosDevice = "/dev/sda";
+ };
+
+ # Use libre kernel
+ boot.kernelPackages = pkgs.linuxPackages-libre;
+
+ # Enable common options
+ _archetypes = {
+ # Use desktop profile
+ profiles.desktop = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy = {
+ enable = true;
+ autologin.enable = true;
+ wifi.enable = true;
+ };
+
+ # i915 Gpu requires intel driver
+ services.xserver.videoDrivers = [ "intel" ];
+
+ # Configure home
+ home-manager.users.timmy = {
+ gtk._mintTheme = {
+ dark = true;
+ color = "Red";
+ icons.color = "Red";
+ };
+ fonts.fontconfig.defaultFonts.monospace = [ "TamzenForPowerline" ];
+ gtk = {
+ font.name = "monospace";
+ font.size = 8;
+ cursorTheme.size = 24;
+ };
+ programs._st = {
+ enable = true;
+ font = {
+ name = "TamzenForPowerline";
+ attrs = {
+ pixelsize = 14;
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/libreX60/hardware-configuration.nix b/hosts/libreX60/hardware-configuration.nix
new file mode 100644
index 0000000..b0a7868
--- /dev/null
+++ b/hosts/libreX60/hardware-configuration.nix
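Review bot: The `boot.kernelParams = [ "iomem=relaxed" ];` line in hosts/libreX60/bios-flashing.nix carries no explanation of what it relaxes or why the module must stay commented out in configuration.nix between flashing sessions. `iomem=relaxed` lifts the kernel's restriction on raw /dev/mem access so the flashing tool can reach the firmware chip, which is a system-wide weakening that should not survive into normal boots. A comment directly above that line would make the operational rule explicit: `# iomem=relaxed disables the kernel's /dev/mem protection so flashprog can reach the flash chip; import this module only for the flashing session and re-comment it afterwards`. The `#./bios-flashing.nix` comment in configuration.nix could then point at that line instead of only saying "to enable bios flashing".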
@@ -0,0 +1,46 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "firewire_ohci" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/91572803-436d-4f43-b41f-dfba2103752e";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/91572803-436d-4f43-b41f-dfba2103752e";
+ fsType = "btrfs";
+ options = [ "subvol=@home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F618-D6C2";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+ networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/libreX60/powertop-auto-tune.nix b/hosts/libreX60/powertop-auto-tune.nix
new file mode 100644
index 0000000..0eb9578
--- /dev/null
+++ b/hosts/libreX60/powertop-auto-tune.nix
@@ -0,0 +1,17 @@
+# https://en.wikibooks.org/wiki/Libreboot/ThinkPad_X60#Remove_High_Pitched_Whining_Noise
+# TLDR; running `powertop --auto-tune` is supposed to kill the high pitched noises produced by the X60
+
+{ pkgs, ... }: {
+ environment.systemPackages = [ pkgs.powertop ];
+
+ # Create systemd service
+ systemd.services.powertop-autotune = {
+ description = "Powertop Auto-Tune";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.powertop}/bin/powertop --auto-tune";
+ };
+ };
+}
diff --git a/hosts/optiplex/configuration.nix b/hosts/optiplex/configuration.nix
new file mode 100644
index 0000000..b314905
--- /dev/null
+++ b/hosts/optiplex/configuration.nix
@@ -0,0 +1,104 @@
+{ config, lib, pkgs, home-manager, ... }: {
+ imports = [
+ ./g610.nix
+ ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ # Use desktop profile
+ profiles.desktop = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ # Install software
+ collections = {
+ desktop = {
+ extraUtilities.enable = true;
+ cad.enable = true;
+ chromium.enable = true;
+ crypto.enable = true;
+ graphics.enable = true;
+ office.enable = true;
+ video.enable = true;
+ };
+ development = {
+ android.enable = true;
+ c.enable = true;
+ docker.enable = true;
+ lua.enable = true;
+ web = {
+ hugo = {
+ enable = true;
+ openFirewall = true;
+ };
+ node.enable = true;
+ };
+ };
+ virtualization.enable = true;
+ };
+ };
+
+ # Enable user timmy
+ _users.timmy = {
+ enable = true;
+ autologin.enable = true;
+ nas = {
+ enable = true;
+ home.enable = true;
+ home.automount = true;
+ };
+ };
+
+ # Disable suspend
+ systemd._suspend.disable = true;
+
+ # Allow unfree for nvidia + others
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+ "nvidia-x11"
+ "nvidia-settings"
+ "spotify"
+ "steam"
+ "steam-original"
+ "steam-unwrapped"
+ "steam-run"
+ ];
+
+ # Install more software
+ environment.systemPackages = with pkgs; [
+ prismlauncher
+ spotify
+ #vintagestory
+ ];
+
+ programs.steam.enable = true;
+
+ # Use nvidia driver
+ services.xserver.videoDrivers = [ "nvidia" ];
+ hardware.nvidia = {
+ modesetting.enable = true; # Required
+ powerManagement.enable = false; # Can cause bugs
+ nvidiaSettings = true;
+ open = false; # Not compatible w/ GTX-1050
+ package = config.boot.kernelPackages.nvidiaPackages.stable; # Still good for 1050
+ forceFullCompositionPipeline = true; # Enables vsync
+ };
+
+ # Configure home
+ home-manager.users.timmy = {
+ gtk._mintTheme = {
+ dark = true;
+ color = "Green";
+ icons.color = "Green";
+ };
+ programs._seasonalwallpaper.wallpapers.download = true;
+ fonts.fontconfig = {
+ subpixelRendering = "rgb";
+ hinting = "none";
+ };
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/optiplex/g610.nix b/hosts/optiplex/g610.nix
new file mode 100644
index 0000000..c584165
--- /dev/null
+++ b/hosts/optiplex/g610.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+ # Turn off backlight on my G610 keyboard
+ systemd.services.myEarlyService = {
+ description = "G610 no backlight";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.ExecStart = "${pkgs.g810-led}/bin/g610-led -a 00";
+ };
+}
diff --git a/hosts/optiplex/hardware-configuration.nix b/hosts/optiplex/hardware-configuration.nix
new file mode 100644
index 0000000..9485a66
--- /dev/null
+++ b/hosts/optiplex/hardware-configuration.nix
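Review bot: `systemd.services.myEarlyService` in hosts/optiplex/g610.nix is a placeholder name that hides what the unit does, and the unit has no `Type`, so a one-off `g610-led` invocation runs as a `simple` service that exits immediately and shows as inactive. Since the sibling hosts/libreX60/powertop-auto-tune.nix in this same commit already uses `Type = "oneshot"` for the same fire-and-forget pattern, this file should follow it: rename the attribute to something like `systemd.services.g610-no-backlight` and replace the single `serviceConfig.ExecStart` line with `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStart = "${pkgs.g810-led}/bin/g610-led -a 00"; };`. The unrelated `home-manager` argument in hosts/optiplex/configuration.nix's module header is also unused and can be dropped.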
@@ -0,0 +1,44 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "firewire_ohci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/e4094dd8-d1fd-4aa1-8f95-82a9144a32be";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/e4094dd8-d1fd-4aa1-8f95-82a9144a32be";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/e4094dd8-d1fd-4aa1-8f95-82a9144a32be";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/9350-1411";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/piframe/configuration.nix b/hosts/piframe/configuration.nix
new file mode 100644
index 0000000..b45a293
--- /dev/null
+++ b/hosts/piframe/configuration.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }: {
+ _archetypes = {
+ # Use headless and pi profiles
+ profiles.headless = {
+ enable = true;
+ home.users.timmy.enable = true;
+ home.users.piframe.enable = true;
+ };
+ profiles.pi = {
+ enable = true;
+ home.users.timmy.enable = true;
+ home.users.piframe.enable = true;
+ };
+ collections = {
+ desktop.xserver.enable = true;
+ };
+ };
+
+ # Install twm as basic window manager to boot into and immediately go fullscreen on immich-frame
+ services.xserver.windowManager.twm.enable = true;
+
+ # Install immich-frame
+ environment.systemPackages = with pkgs; [
+ immich-frame
+ ];
+
+ # Open 8080 for immich-frame
+ networking.firewall.allowedTCPPorts = [ 8080 ];
+
+ # Enable user timmy for ssh maintenance and wifi secrets
+ _users.timmy = {
+ enable = true;
+ wifi.enable = true;
+ };
+
+ # Enable piframe user
+ users.users.piframe = {
+ isNormalUser = true;
+ };
+
+ # Configure automatic login with getty
+ services.getty.autologinUser = "piframe";
+
+ # Configure piframe home
+ home-manager.users.piframe = {
+ services = {
+ _gammastep.enable = true;
+ # Manual location to avoid having to mess with geoclue
+ gammastep = {
+ provider = "manual";
+ latitude = 41.881832;
+ longitude = -87.623177;
+ };
+ };
+ programs.bash = {
+ enable = true;
+ profileExtra = ''
+ # startx on tty1 immediately
+ [ -z $DISPLAY ] && [ `tty` = /dev/tty1 ] && startx
+ '';
+ };
+ home.file.".xinitrc".text = ''
+ #!/bin/sh
+ gammastep &
+ unclutter --start-hidden &
+ immich-frame --fullscreen &
+ exec twm
+ '';
+ home.file.".twmrc".text = ''
+ *NoTitle # Hide title bar on all windows
+ *NoBorder # Hide borders on all windows
+ '';
+ home.stateVersion = "25.11";
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/piframe/hardware-configuration.nix b/hosts/piframe/hardware-configuration.nix
new file mode 100644
index 0000000..ceb755a
--- /dev/null
+++ b/hosts/piframe/hardware-configuration.nix
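Review bot: The `profileExtra` test in hosts/piframe/configuration.nix uses unquoted expansions and backticks, `[ -z $DISPLAY ] && [ `tty` = /dev/tty1 ] && startx`, so `[ -z ]` with an empty `$DISPLAY` relies on test's one-argument fallback and any unexpected output from `tty` breaks the comparison. The portable form is `[ -z "$DISPLAY" ] && [ "$(tty)" = /dev/tty1 ] && startx`. Since this runs in every login shell of the autologin user, a comment stating that the tty check is what keeps an ssh or other non-tty1 login from starting X would make the intent clear, e.g. `# only start X from the autologin tty; ssh logins must not spawn a display`. The `#!/bin/sh` line inside `.xinitrc` is inert because startx executes the file through sh rather than directly, which is fine but worth a note so nobody adds an executable bit expecting it to matter.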
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix
new file mode 100644
index 0000000..16a2686
--- /dev/null
+++ b/hosts/poweredge/configuration.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }: let
+ serverEmail = "poweredge@tjkeller.xyz";
+in {
+ imports = [
+ ./ddns-updater.nix
+ ./fileshares.nix
+ ./networking.nix
+ #./notification-mailer.nix # TODO move some of this stuff to archetype
+ ./wg1.nix
+ ];
+
+ # Setup bootloader
+ boot._loader.enable = true;
+
+ # Enable common options
+ _archetypes = {
+ profiles.headless = {
+ enable = true;
+ home.users.timmy.enable = true;
+ };
+ profiles.zfs.enable = true;
+ profiles.router.enable = true;
+ };
+
+ # Enable smartd
+ services.smartd.enable = true; # TODO move to archetype
+
+ # Enable user timmy
+ _users.timmy.enable = true;
+
+ # Without this, "ZFS requires networking.hostId to be set" will be raised
+ networking.hostId = "4d9e002f";
+
+ system.stateVersion = "25.11";
+}
diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix
new file mode 100644
index 0000000..103c23b
--- /dev/null
+++ b/hosts/poweredge/ddns-updater.nix
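Review bot: `serverEmail` in the `let` of hosts/poweredge/configuration.nix is never referenced in this module; its only plausible consumer, `./notification-mailer.nix`, is imported on a commented-out line and defines its own `serverEmail` anyway, so the binding is dead and the header can shrink to `{ config, lib, pkgs, ... }: {`. If the two files are meant to share one address later, a module option is a better channel than duplicating the literal, and the TODO on the commented import could say so. The comment above `networking.hostId` quotes the error message rather than the requirement; `# ZFS requires networking.hostId; keep it stable once pools are created` tells the reader why the value must not change.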
@@ -0,0 +1,19 @@
+{ config, lib, ... }: {
+ # Password file for mail application password
+ sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;
+
+ # Enable ddns updater
+ services.ddns-updater = {
+ enable = true;
+ environment = {
+ SERVER_ENABLED="no";
+ CONFIG_FILEPATH = config.sops.secrets.ddns-updater-config.path;
+ PERIOD = "5m";
+ };
+ };
+
+ # FIXME Required root permissions to open secret
+ systemd.services.ddns-updater = {
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
+}
diff --git a/hosts/poweredge/fileshares.nix b/hosts/poweredge/fileshares.nix
new file mode 100644
index 0000000..4593ef8
--- /dev/null
+++ b/hosts/poweredge/fileshares.nix
@@ -0,0 +1,44 @@
+{
+ # TODO make user for ps2
+ services._fileShares.enable = true;
+ services._fileShares.shares = {
+ PS2 = {
+ path = "/media/storage/games/ps2";
+ smb = {
+ enable = true;
+ allowUser = "ps2";
+ extraOptions = {
+ "min protocol" = "NT1";
+ "max protocol" = "NT1";
+ };
+ };
+ };
+ WinBackups = {
+ path = "/media/storage/backups/windows";
+ smb.enable = true;
+ };
+ pictures = {
+ path = "/media/storage/pictures";
+ nfs.enable = true;
+ };
+ tapes = {
+ path = "/media/storage/tapes";
+ nfs.enable = true;
+ };
+ backups = {
+ path = "/media/storage/backups";
+ nfs.enable = true;
+ };
+ };
+
+ users.users = {
+ ps2 = {
+ isSystemUser = true;
+ password = "ps2";
+ group = "ps2";
+ };
+ };
+ users.groups = {
+ ps2 = {};
+ };
+}
diff --git a/hosts/poweredge/hardware-configuration.nix b/hosts/poweredge/hardware-configuration.nix
new file mode 100644
index 0000000..0fcc098
--- /dev/null
+++ b/hosts/poweredge/hardware-configuration.nix
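Review bot: `serviceConfig.DynamicUser = lib.mkForce false` in ddns-updater.nix drops the service's sandboxing to root just so it can open the sops secret, which the FIXME acknowledges; systemd's `LoadCredential=` solves this without giving up `DynamicUser`, roughly `serviceConfig.LoadCredential = [ "config:${config.sops.secrets.ddns-updater-config.path}" ];` with `CONFIG_FILEPATH = "%d/config";` (the `%d` specifier expands to the credentials directory, provided the module passes `environment` as systemd `Environment=` entries — worth confirming). The comment `# Password file for mail application password` was copied from the mailer module and describes the wrong secret; `# Encrypted ddns-updater config (sops)` fits. `SERVER_ENABLED="no";` is also the only assignment in the file without spaces around `=`.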
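Review bot: `users.users.ps2.password = "ps2"` in fileshares.nix is a plaintext credential that ends up both in git and in the world-readable Nix store; the other secrets in this commit already go through sops, so `hashedPasswordFile = config.sops.secrets.<ps2-hash>.path;` (with the module taking `{ config, ... }:`) keeps the same login while removing the literal. The `# TODO make user for ps2` comment is stale, since the user and group are created further down in the same file. The SMB1 pin (`"min protocol"`/`"max protocol" = "NT1"`) on the PS2 share is presumably forced by the client, but it disables the protocol protections newer dialects have; a comment recording why it is needed and a `"hosts allow"` entry limiting the share to the LAN subnet would bound that exposure.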
@@ -0,0 +1,50 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "zpool/root";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "zpool/nix";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var" =
+ { device = "zpool/var";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/home" =
+ { device = "zpool/home";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/D083-98C0";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
new file mode 100644
index 0000000..7632a86
--- /dev/null
+++ b/hosts/poweredge/networking.nix
@@ -0,0 +1,87 @@
+{
+ networking = {
+ enableIPv6 = false;
+ # Label lan and wan interfaces
+ _interfaceLabels = {
+ enable = true;
+ interfaces = {
+ lan0 = "50:9a:4c:5d:c3:7a";
+ wan0 = "50:9a:4c:5d:c3:7b";
+ };
+ };
+ # Set ip addresses
+ interfaces = {
+ lan0.ipv4.addresses = [{
+ address = "192.168.1.1";
+ prefixLength = 24;
+ }];
+ wan0.useDHCP = true;
+ };
+ # Firewall rules
+ firewall = {
+ interfaces.wan0 = {
+ allowedUDPPorts = [ 51820 ];
+ };
+ };
+ # Additional advanced rules
+ # TODO add multi NAT feature to router service
+ nftables = {
+ enable = true;
+ tables = {
+ # NAT/masquerade wg1 allowing lan0 clients to access wg1
+ wg-nat = {
+ family = "ip";
+ content = ''
+ chain post {
+ type nat hook postrouting priority srcnat; policy accept;
+ iifname "lan0" oifname "wg1" masquerade comment "lan0 => wg1"
+ }
+ '';
+ };
+ };
+ };
+ };
+
+ services._router = {
+ dnsDhcpConfig = {
+ localDomain = "home.lan";
+ dhcp = {
+ defaultGateway = "192.168.1.1";
+ localhostIp = "192.168.1.1";
+ rangeStart = "192.168.1.50";
+ rangeEnd = "192.168.1.250";
+ # TODO think about moving leases to another file
+ staticLeases = {
+ idrac-7N94GK2 = {
+ macAddress = "50:9a:4c:5d:c3:7c";
+ staticIp = "192.168.1.3";
+ };
+ OpenWrt-Attic = {
+ macAddress = "34:98:b5:60:5e:be";
+ staticIp = "192.168.1.4";
+ };
+ OpenWrt-Basement = {
+ macAddress = "8c:3b:ad:35:c7:8c";
+ staticIp = "192.168.1.5";
+ };
+ ArcherC54 = {
+ macAddress = "12:eb:b6:13:f9:e2";
+ staticIp = "192.168.1.6";
+ };
+ T495 = {
+ macAddress = "04:33:c2:9d:34:74";
+ staticIp = "192.168.1.11";
+ };
+ optiplex = {
+ macAddress = "e4:54:e8:bc:ba:05";
+ staticIp = "192.168.1.12";
+ };
+ X230 = {
+ macAddress = "84:3a:4b:60:34:c4";
+ staticIp = "192.168.1.13";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/poweredge/notification-mailer.nix b/hosts/poweredge/notification-mailer.nix
new file mode 100644
index 0000000..d8fddc7
--- /dev/null
+++ b/hosts/poweredge/notification-mailer.nix
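Review bot: The `wg-nat` table only masquerades in postrouting, so whether lan0 hosts may actually be forwarded into wg1 depends on the forward chain of the router profile, which lives outside this file; a comment on the table saying that forwarding lan0→wg1 is expected to be accepted elsewhere (or adding that accept rule here) keeps the rule self-explaining. `firewall.interfaces.wan0.allowedUDPPorts = [ 51820 ]` opens WireGuard's default port on the WAN side, but the only tunnel this commit configures is `wg1` via an encrypted `wg-quick` file, so a reader cannot tell whether this host really listens on 51820 or the rule is a leftover; a comment naming the listener, e.g. `# wg1 listens here (see resources/secrets/wg1.yaml)`, or dropping it if wg1 is outbound-only, would settle that. The TODO on `staticLeases` is right that the lease list doubles as a device inventory and would read better in its own file.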
@@ -0,0 +1,27 @@
+{ config, ... }: let
+ serverEmail = "server-notifications@tjkeller.xyz";
+in {
+ # Mailer password secret for mail application password
+ sops.secrets.mailerPassword.sopsFile = ./resources/secrets/mailer-pass.yaml;
+
+ # Enable mta for system event notifications
+ services.mail._mailer = {
+ sender = {
+ host = "mail.tjkeller.xyz";
+ user = serverEmail;
+ from = serverEmail;
+ passwordFile = config.sops.secrets.mailerPassword.path;
+ };
+ recipient = serverEmail;
+ };
+
+ # Enable zed mailer module
+ services.zfs._zedMailer.enable = true;
+
+ # Enable smartd notifications
+ services.smartd.notifications.mail = {
+ enable = true;
+ sender = serverEmail;
+ recipient = serverEmail;
+ };
+}
diff --git a/hosts/poweredge/resources/secrets/ddns-updater-config.yaml b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml
new file mode 100644
index 0000000..3be017b
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml
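Review bot: notification-mailer.nix is added but its only import, in hosts/poweredge/configuration.nix, is commented out, so none of the mailer, zed or smartd notification settings here are active and the `mailer-pass.yaml` secret is shipped unused; a header comment such as `# NOTE: not imported yet, see the TODO in configuration.nix` prevents a reader from assuming alerts are live. `recipient = serverEmail` delivers the notifications to the sending mailbox itself; if that is intentional, a one-line comment saying so would help, and if not, the recipient should be a mailbox someone reads.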
@@ -0,0 +1,16 @@
+ddns-updater-config: ENC[AES256_GCM,data:vJ3z4R6P1gHKfkm6L2mQl68MKDJwpMNmrAOQo+4GkO2NC6EjKTLoSKhFiaGWVjMm7nrVfYRV+U/6b4VJXV4qURWhsm41t3x8zXAtt0viLC6pv+uMtuxadhU2Zxij4U2bSiMn6sSbfHd3uGIym7FnfOIL3LPEanVMuRUk20a0ZgHBdq1BPk6r5V8AoGfsu1XWHTvnO4ggg9oQPtGhurKTXixTD0Rb1Iv43JXLXqK/O3JGD5h4XbDmXB9eTqiBHUgZ0E4F5SE23L5mO0kI0TNNph2lTHXdfB+5,iv:xFry3gzdvvYh127yhYySvp5UHDa8Y+t/bg2+mwJ/HXo=,tag:pH2CE2l2UpNJiLJ+tjVvqQ==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWitQcVlaTmFVaHIraHlT
+ VFBDVEtlQUlqckN4eFF3YU95N3ZNU3JQcFNzCnkrR2xmTEtyUHRWQlRnTWZSaGVT
+ U0wvcGt6R0w4L3dSakVDVWVpTUhWbWMKLS0tIGVKSXVTL1B2L2FlSkQwSDVYd3Fk
+ WE8rLy81UEU5ZG9SaHRLOHNqOWUzWnMKBFtzJ9frroYk6hoW+1ww/3LpxCEa1Vtr
+ KNNnHKry8lQQDmalN5ZVYMTVAlTnQQ6QE7DxBukUwWYmizQ+BY8HDg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T01:47:37Z"
+ mac: ENC[AES256_GCM,data:8ozC5JWR/s3nNK+njc7zO32/7ptd//wuWGWZPHXrPV1iVyYndczGgu0ekEyKeRCn/WwGE5pyt32gy0l2Y+k7j7mV6GJguy6qhltani6Mz2Gfy5sRohn5s2rBDTiSYEVAgGTRt56DLxGD36P6xFPm+wHGspjCzNALrPretuN5xFg=,iv:+/mlXEMEO80pDVpFwZmnyywvHR/V9zHkbloF/e/dJ6Q=,tag:O+Ox0xUzERjeB+VftiUNEg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/resources/secrets/mailer-pass.yaml b/hosts/poweredge/resources/secrets/mailer-pass.yaml
new file mode 100644
index 0000000..331bd66
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/mailer-pass.yaml
@@ -0,0 +1,16 @@
+pass: ENC[AES256_GCM,data:RHOvLwbDIb8FZ+dG66e5U43qR0aXlLLZGAnlbRjSl8hxCMEtJ4940nggiaIV75jCaiWyLutay7MrKPKZBHDZwBIqcJYQRWm1zWGkoZi0/bX38vUFWOpI4qku9fIB2qll,iv:bqEnTagxlRqlAmMgFCtXXCSSlODE598yoV4fU0jSYL8=,tag:c/ZiGCDSb8quDoYiIKbMeQ==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUXlZaUhSUkNGK2xpVzRp
+ OEhYMTV6bnpPZC9tdHZWbnZxcUp6WWVLMnhFCmZmckVBckdRS1g0MjJQdE80S2Js
+ aGlNek1nSmU2aGI4cWVXR0NmbjJwa00KLS0tIDJ3N3BoenQ5ZW02K3BLNWxkWU5y
+ Ym56YzI5Zk9KeFhzZXJXR3NoOUl0ckEKOLweZrk/Pe6BG48+RrwOxyOy0Zb768aZ
+ YIxTBv/qSzZei6VqZHiIwTUEMyE7z3CS0dBFws6q4fB4LfIpv6fiYg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T01:37:29Z"
+ mac: ENC[AES256_GCM,data:WIGXvuwB4bcBDfMRrrMQ7faUkxFdreyYiuy6bNPI2pzvvUFTSo/lJTv/DjisSARdYmFHFvdResIXUjg75Sc2I5IrvRxZxnYqx/3z5k/WOFWb8HSKH2H+OUHtLkqWJSCQ9YBuX2tys93mEXgwchPpn4nzVaYBgxZl54F3icX7tsE=,iv:BS9KPGkVaH0G0bAZz6+LR0NDcmqw6khOkih5DyvGyug=,tag:dA9YVL1xEqUqe6hDzOH7XQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/resources/secrets/wg1.yaml b/hosts/poweredge/resources/secrets/wg1.yaml
new file mode 100644
index 0000000..6610514
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/wg1.yaml
@@ -0,0 +1,16 @@
+wg1: ENC[AES256_GCM,data:1IySjV57HcywgiCZ/ZYbcr4Y9EbLrb6bE4kpG1DmDsLiRVFSfZA1UOoMGosot+7YiuE4xfZNHGSnzDrpE73gi5E9qYlvjhOfyLq06a1lK7Q0Wo/QrH9eSH05h6SA4E8sE0w2aKY/6cWfLaXTP1d7xLJA1OOCy7y+wIXrHQcA/TI5XIxikFSe+tT7rhKz128u6MIGl8VWzCp4RmoN94MAgWp0RoVt0VSHlvNPTbMuTZI0YPN1NgHjcf7KWnit33GXydmAWr+wym/oxxdT77O6wMPcGIsxmMLOPNy3K1sTezGTPSS1CSVniKIIW2HYZepGfaTlKwBFIn7ctmMrBvqmMcHiW+QIPwWbOC8UWHJAGklv3vCa7Q8XDUKlOPNdS0o73jb+BVUJWerwR4ik6NPu/H/lWgIETg1pd/Qv//nGsPeGRIUFKyKxoL/5E67+pA==,iv:d+T6wKhV1i/2kae03VPLMaTFB2yleeDFPm1lrfjvkx8=,tag:h/41zAlfz6oBo8jqz9NW7A==,type:str]
+sops:
+ age:
+ - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
+ b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
+ ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
+ MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
+ FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T02:00:52Z"
+ mac: ENC[AES256_GCM,data:VXBQSegpiLmT5pF0XVB8NTVzhn4QDE2WfVznANVdrXC4BqFYoQXscW+4BcMmwkUqz5MjeKNF4KgRwtpKWVyRXG7EXVEGeA/NdysAxM9eSD4YrQZLqWzG8UKStyFG7jgHw/YA3H94hJ3rYnhsA9Kb3DHEmnQSZskTOmn2ppyUunQ=,iv:/rVWmaXl149Prhv35wBDZN6c+HgQ6PYSb8RIE30t7MI=,tag:SZ7mI9XDsIjhliFyWO14ug==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/hosts/poweredge/wg1.nix b/hosts/poweredge/wg1.nix
new file mode 100644
index 0000000..d94efb6
--- /dev/null
+++ b/hosts/poweredge/wg1.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, inputs, ... }: {
+ sops.secrets.wg1.sopsFile = ./resources/secrets/wg1.yaml;
+
+ networking.wg-quick.interfaces = {
+ wg1.configFile = config.sops.secrets.wg1.path;
+ };
+} |
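Review bot: `pkgs` and `inputs` are destructured in the module arguments of wg1.nix but never used; `{ config, ... }: {` matches the other small modules in this commit. A comment on `wg1.configFile` noting that the sops file holds the complete wg-quick configuration, private key included, and so relies on sops-nix's default root-only file mode would document why no `owner`/`mode` is set on the secret.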
