diff --git a/flake.lock b/flake.lock index 88b5f8bc..c83e5692 100644 --- a/flake.lock +++ b/flake.lock @@ -64,6 +64,27 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730135292, + "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=", + "owner": "nix-community", + "repo": "disko", + "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "latest", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -170,11 +191,11 @@ "forgit": { "flake": false, "locked": { - "lastModified": 1729244272, - "narHash": "sha256-8BMFL3WktkkB8m6asbNeb9swnLWi3jHo012fBXGa8ls=", + "lastModified": 1730711879, + "narHash": "sha256-oYToU9mdP0Wb/j+k8/SO+njjk92CApAlxU2iDe7QJqQ=", "owner": "wfxr", "repo": "forgit", - "rev": "60b651de7ea6143921ebd39b69150736b1985870", + "rev": "2d5f8f48f510146c59fe5531f2eb61d2f1344367", "type": "github" }, "original": { @@ -210,11 +231,11 @@ ] }, "locked": { - "lastModified": 1730016908, - "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", + "lastModified": 1730633670, + "narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=", "owner": "nix-community", "repo": "home-manager", - "rev": "e83414058edd339148dc142a8437edb9450574c8", + "rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661", "type": "github" }, "original": { 
@@ -239,6 +260,32 @@ "type": "github" } }, + "inovex-mdm": { + "inputs": { + "mdm-linux-inventory": [ + "mdm-linux-inventory" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "host": "gitlab.inovex.de", + "lastModified": 1730186269, + "narHash": "sha256-ovSOX6ZpnJj2RRu94hgf9EGLcPs/XfjXqDHc5iZKK4A=", + "owner": "ffranzmann", + "repo": "mdm-linux-inventory-nix", + "rev": "d3f405a712d3f250a46c51c7c31fe855289511b7", + "type": "gitlab" + }, + "original": { + "host": "gitlab.inovex.de", + "owner": "ffranzmann", + "ref": "master", + "repo": "mdm-linux-inventory-nix", + "type": "gitlab" + } + }, "krops": { "flake": false, "locked": { @@ -320,6 +367,25 @@ "type": "github" } }, + "mdm-linux-inventory": { + "flake": false, + "locked": { + "host": "gitlab.inovex.de", + "lastModified": 1729248637, + "narHash": "sha256-2VhU4ozf5IrtadOoHe7vqUzwvJlCPZpNcl9o+h1lyac=", + "owner": "inovex-it-mdm", + "repo": "mdm-linux-inventory", + "rev": "3773229472a54623f179c85cb5fcb62124f35b20", + "type": "gitlab" + }, + "original": { + "host": "gitlab.inovex.de", + "owner": "inovex-it-mdm", + "ref": "main", + "repo": "mdm-linux-inventory", + "type": "gitlab" + } + }, "naersk": { "inputs": { "nixpkgs": [ @@ -367,11 +433,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1730368399, - "narHash": "sha256-F8vJtG389i9fp3k2/UDYHMed3PLCJYfxCqwiVP7b9ig=", + "lastModified": 1730797322, + "narHash": "sha256-cH9emjYIbDYTde/CKOmU97rh7sKuyfedzPcTz4OTJkE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "da14839ac5f38ee6adbdb4e6db09b5eef6d6ccdc", + "rev": "1b0b927860d7eb367ee6a3123ddeb7a8e24bd836", "type": "github" }, "original": { 
@@ -383,11 +449,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730200266, - "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "type": "github" }, "original": { @@ -399,11 +465,11 @@ }, "nur": { "locked": { - "lastModified": 1730364288, - "narHash": "sha256-q8iZMOxu5OjWDiNbE+LI83tXvxHUl2zrPKefojnksFE=", + "lastModified": 1730799901, + "narHash": "sha256-IXijJOaruWRtIt5ySERCd8rI5jKjVXg1q/oDvHPsXdw=", "owner": "nix-community", "repo": "NUR", - "rev": "63bded559a2f06eb05835b8331be4de5a3b0ec5a", + "rev": "ca7969ff2ec6ffc542dcf37c9fff09068938be1a", "type": "github" }, "original": { @@ -561,15 +627,18 @@ "alertmanager-ntfy": "alertmanager-ntfy", "aoe-taunt-discord-bot": "aoe-taunt-discord-bot", "caddy-patched": "caddy-patched", + "disko": "disko", "flake-compat": "flake-compat", "forgit": "forgit", "go-karma-bot": "go-karma-bot", "home-manager": "home-manager", "indent-blankline-nvim-lua": "indent-blankline-nvim-lua", + "inovex-mdm": "inovex-mdm", "krops": "krops", "lollypops": "lollypops", "matrix-hook": "matrix-hook", "mc3000": "mc3000", + "mdm-linux-inventory": "mdm-linux-inventory", "naersk": "naersk", "nix-apple-fonts": "nix-apple-fonts", "nixos-hardware": "nixos-hardware", diff --git a/flake.nix b/flake.nix index 06214f2a..890ac92e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,6 +3,28 @@ inputs = { + inovex-mdm = { + type = "gitlab"; + host = "gitlab.inovex.de"; + owner = "ffranzmann"; + ref = "master"; + repo = "mdm-linux-inventory-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.mdm-linux-inventory.follows = "mdm-linux-inventory"; + }; + + mdm-linux-inventory = { + type = "gitlab"; + host = "gitlab.inovex.de"; + owner = "inovex-it-mdm"; + ref = "main"; + repo = "mdm-linux-inventory"; + flake = false; + }; + + disko.url = "github:nix-community/disko/latest"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + caddy-patched = { url = "github:pinpox/nixos-caddy-patched"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/home-manager/modules/shell/zsh.nix b/home-manager/modules/shell/zsh.nix index 7e0cb168..2811b80c 100644 --- a/home-manager/modules/shell/zsh.nix +++ b/home-manager/modules/shell/zsh.nix @@ -82,9 +82,9 @@ weather = "${pkgs.curl}/bin/curl -4 http://wttr.in/Koeln"; radio = "${pkgs.mpv}/bin/mpv http://lassul.us:8000/radio.ogg"; + # ${pkgs.yubikey-manager}/bin/ykman oath accounts code | \ yotp = '' - ${pkgs.yubikey-manager}/bin/ykman oath accounts code | \ - ${pkgs.fzf}/bin/fzf | awk '{print $2}' | ${pkgs.xclip}/bin/xclip -sel clip + ${pkgs.fzf}/bin/fzf | awk '{print $2}' | ${pkgs.xclip}/bin/xclip -sel clip ''; zzz = "systemctl suspend"; diff --git a/machines/ahorn/configuration.nix b/machines/ahorn/configuration.nix index 77a00ff1..75861901 100644 --- a/machines/ahorn/configuration.nix +++ b/machines/ahorn/configuration.nix @@ -5,6 +5,7 @@ pkgs, lib, nixos-hardware, + inovex-mdm, ... }: { 
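Review bot: The new `inovex-mdm` input is a NixOS module fetched from a personal namespace on an internal GitLab (`owner = "ffranzmann"`, `ref = "master"`) and imported into a system configuration on ahorn, so whatever that repository evaluates to runs with the authority of the module system there. The lock pins it by `rev` and `narHash`, which is the right mitigation, but a routine `nix flake update` will follow `master` without review; a comment above the input such as `# Internal upstream on a personal fork: diff the flake.lock entry before bumping` would record that expectation. The same applies to `disko.url = "github:nix-community/disko/latest"`, where `latest` is a moving tag rather than a release; consider stating why the tag is tracked instead of a tagged version. The `mdm-linux-inventory` input is only consumed through `inputs.mdm-linux-inventory.follows`, so its `flake = false` declaration is fine but deserves the same note, since it is the second unreviewed source the module pulls in.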
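Review bot: Turning the `ykman` stage into a Nix comment leaves the `yotp` alias as `fzf | awk '{print $2}' | xclip -sel clip`, so fzf no longer receives OTP lines on stdin; run interactively it presumably falls back to its default file-finder command and the alias copies the second field of a chosen filename rather than a code. Either remove the alias together with the stage, or disable it as a whole (`# yotp = '' ... '';`) so it does not sit in the shell as a misleading command. If the purpose was to drop yubikey-manager from the closure temporarily, say so next to the commented line, e.g. `# yubikey-manager removed from the home closure; yotp disabled until it returns`, since the commented line ending in `\` otherwise reads as a stray continuation.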
@@ -65,10 +66,20 @@ nixos-hardware.nixosModules.lenovo-thinkpad-t480s ./hardware-configuration.nix retiolum.nixosModules.retiolum + inovex-mdm.nixosModules.default #retiolum.nixosModules.ca ]; + lollypops.secrets.files."inovex-mdm/mdm-create-token" = { }; + + services.inovex-mdm = { + enable = true; + userhome = "/home/pinpox"; + tokenFile = "${config.lollypops.secrets.files."inovex-mdm/mdm-create-token".path}"; + screenLockTimeout = "300"; + }; + programs.sway.enable = true; hardware.graphics = { @@ -183,6 +194,17 @@ enable = true; wireguardIp = "192.168.7.2"; hostname = "ahorn"; - bootDevice = "/dev/disk/by-uuid/d4b70087-c965-40e8-9fca-fc3b2606a590"; }; + + # Encrypted drive to be mounted by the bootloader. Path of the device will + # have to be changed for each install. + boot.initrd.luks.devices = { + root = { + # Get UUID from blkid /dev/sda2 + device = "/dev/disk/by-uuid/d4b70087-c965-40e8-9fca-fc3b2606a590"; + preLVM = true; + allowDiscards = true; + }; + }; + } diff --git a/machines/kartoffel/configuration.nix b/machines/kartoffel/configuration.nix index 04df241f..e6c46fc9 100644 --- a/machines/kartoffel/configuration.nix +++ b/machines/kartoffel/configuration.nix @@ -13,7 +13,17 @@ enable = true; wireguardIp = "192.168.7.3"; hostname = "kartoffel"; - bootDevice = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b"; + }; + + # Encrypted drive to be mounted by the bootloader. Path of the device will + # have to be changed for each install. + boot.initrd.luks.devices = { + root = { + # Get UUID from blkid /dev/sda2 + device = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b"; + preLVM = true; + allowDiscards = true; + }; }; pinpox.defaults.CISkip = true; diff --git a/machines/kfbox/configuration.nix b/machines/kfbox/configuration.nix index 1c43f8da..6eaeab31 100644 --- a/machines/kfbox/configuration.nix +++ b/machines/kfbox/configuration.nix 
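Review bot: `tokenFile = "${config.lollypops.secrets.files."inovex-mdm/mdm-create-token".path}"` wraps a value that is already a string in an interpolation and relies on `config` being in the module's argument set, which the argument list in the previous hunk (`pkgs, lib, nixos-hardware, inovex-mdm, ...`) does not show; confirm it is bound above line 5 of the file, and write the assignment as `tokenFile = config.lollypops.secrets.files."inovex-mdm/mdm-create-token".path;`. The secret entry `lollypops.secrets.files."inovex-mdm/mdm-create-token" = { };` takes every default, so the on-disk owner and mode of the enrollment token are whatever lollypops picks; a comment such as `# read by the inovex-mdm service; owner/mode left at lollypops defaults — confirm the unit can read it` would make that decision visible. `screenLockTimeout = "300"` carries no unit and is a string where the name suggests a number of seconds; if the option is typed as a string, add `# seconds` beside it, otherwise pass an integer. `userhome = "/home/pinpox"` duplicates a value the user module already knows; a comment noting why it is spelled out here would help.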
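Review bot: With `bootDevice` removed from `pinpox.desktop`, the `boot.initrd.luks.devices.root` block is now duplicated by hand in this hunk for ahorn and again in the kartoffel hunk that follows, and limette adds a third variant, so `preLVM`, `allowDiscards` and the "Get UUID from blkid" comment will drift the next time one of them is touched. If the intent is that disko owns this on new installs while existing machines keep a hand-written UUID, say so where the block is defined, e.g. `# Legacy install (pre-disko): LUKS root set by hand; disko-managed hosts get this from disko-config.nix`. Otherwise keep a shared option with no default and let each machine set only the device path, which is the one value that genuinely differs.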
@@ -10,6 +10,8 @@ }: { + lollypops.deployment.deploy-method = "archive"; + lollypops.secrets.files."ente/credentials.yaml" = { owner = "ente"; group-name = "ente"; diff --git a/machines/limette/README.md b/machines/limette/README.md new file mode 100644 index 00000000..e69de29b diff --git a/machines/limette/configuration.nix b/machines/limette/configuration.nix new file mode 100644 index 00000000..6bad1450 --- /dev/null +++ b/machines/limette/configuration.nix 
@@ -0,0 +1,116 @@ +{ + pkgs, + lib, + nixos-hardware, + disko, + ... +}: +{ + + services.gnome.gnome-keyring.enable = true; + hardware.keyboard.qmk.enable = true; + + hardware.enableRedistributableFirmware = true; + imports = [ + nixos-hardware.nixosModules.lenovo-thinkpad-x230 + # ./hardware-configuration.nix + ./disko-config.nix + disko.nixosModules.disko + + ]; + + disko.devices.disk.main.imageSize = "40G"; + disko.imageBuilder.extraDependencies = [ pkgs.kmod ]; + # disko.devices.disk.root.device = "/dev/sda"; + + programs.sway.enable = true; + + hardware.graphics = { + enable = true; + enable32Bit = true; + + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + ]; + }; + environment.sessionVariables = { + LIBVA_DRIVER_NAME = "iHD"; + NIXOS_OZONE_WL = "1"; + }; + + xdg.portal = { + enable = true; + wlr = { + enable = true; + settings = { + + # See xdg-desktop-portal-wlr(5) for supported values. + screencast = { + # output_name = "HDMI-A-1"; + max_fps = 30; + # exec_before = "disable_notifications.sh"; + # exec_after = "enable_notifications.sh"; + chooser_type = "simple"; + chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or"; + }; + }; + }; + extraPortals = [ + pkgs.xdg-desktop-portal-gtk + pkgs.xdg-desktop-portal-wlr + ]; + }; + + services.fwupd.enable = true; + services.acpid.enable = true; + + # Often hangs + systemd.services = { + NetworkManager-wait-online.enable = lib.mkForce false; + systemd-networkd-wait-online.enable = lib.mkForce false; + }; + + lollypops.extraTasks = { + rebuild-nosecrets = { + desc = "Rebuild without deloying secrets"; + cmds = [ ]; + deps = [ + "deploy-flake" + "rebuild" + ]; + }; + }; + + environment.systemPackages = [ + pkgs.xdg-desktop-portal + pkgs.xdg-desktop-portal-wlr + ]; + + pinpox.desktop = { + enable = true; + wireguardIp = "192.168.7.8"; + hostname = "limette"; + }; + + # efiSupport = lib.mkForce false; + # efiInstallAsRemovable = lib.mkForce false; + # gfxmodeBios = "1600x900"; + # gfxpayloadBios = 
"text"; + + users.users.pinpox.initialPassword = "changeme"; + + boot.loader.efi.canTouchEfiVariables = false; + # boot.loader.grub.device = "/dev/disk/by-label/BOOT"; + + # Encrypted drive to be mounted by the bootloader. Path of the device will + # have to be changed for each install. + # Get UUID from blkid /dev/sda2 + boot.initrd.luks.devices = { + "root" = { + preLVM = true; + device = lib.mkForce "/dev/disk/by-label/LUKS"; + allowDiscards = true; + }; + }; + +} diff --git a/machines/limette/disko-config.nix b/machines/limette/disko-config.nix new file mode 100644 index 00000000..592db502 --- /dev/null +++ b/machines/limette/disko-config.nix @@ -0,0 +1,78 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vdb"; + # device = builtins.elemAt disks 0; + content = { + type = "gpt"; + partitions = { + ESP = { + name = "BOOT"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + extraArgs = [ + "-n" + "BOOT" + ]; + }; + }; + luks = { + size = "100%"; + name = "SYSTEM"; + content = { + type = "luks"; + name = "root"; + extraOpenArgs = [ ]; + passwordFile = "/tmp/secret.key"; + settings.allowDiscards = true; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + extraFormatArgs = [ + "--label LUKS" + ]; + }; + }; + }; + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + swap = { + name = "swap"; + size = "8G"; + content = { + type = "swap"; + resumeDevice = true; + extraArgs = [ "-L swap" ]; + }; + }; + root = { + name = "root"; + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + extraArgs = [ "-L root" ]; + }; + }; + }; + }; + }; + }; +} diff --git a/modules/default-desktop/default.nix b/modules/default-desktop/default.nix index 9553884a..3d425035 100644 --- a/modules/default-desktop/default.nix +++ b/modules/default-desktop/default.nix 
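Review bot: `users.users.pinpox.initialPassword = "changeme"` commits a well-known password for the primary user, and since this host is also built as a disk image via disko (`disko.devices.disk.main.imageSize = "40G"`), every image produced from this file boots with that credential; `initialPassword` is additionally kept in clear text in the Nix store. Prefer a hashed password delivered as a secret, e.g. `users.users.pinpox.hashedPasswordFile = config.lollypops.secrets.files."<secret-name-placeholder>".path;` (this needs `config` in the argument set), or at minimum a comment beside the line stating that it must be rotated on first login. Two smaller points in the same hunk: `# disko.devices.disk.root.device = "/dev/sda";` refers to a disk named `root` while disko-config.nix names it `main`, so the override would not apply if uncommented, and the task description `"Rebuild without deloying secrets"` has a typo (`deploying`). The `./hardware-configuration.nix` import is commented out, presumably because disko supplies the file systems and the LUKS device via `lib.mkForce`; if so, state that in the comment rather than leaving the import looking forgotten.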
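Review bot: `passwordFile = "/tmp/secret.key"` reads the LUKS passphrase from a shared, world-writable directory at format time; document the expected handling where the value is set, e.g. `# Passphrase is read once by disko when formatting; create it with mode 0600 and delete it after the run`, and confirm how the image-builder path (`imageSize` in configuration.nix) provides this file, since it will not see the installer session's /tmp. The argument lists are written inconsistently: the ESP uses separate elements (`"-n" "BOOT"`), whereas `extraFormatArgs = [ "--label LUKS" ]`, `extraArgs = [ "-L swap" ]` and `[ "-L root" ]` put flag and value into one string, which presumably works only because disko joins the list into a shell command with word splitting; write them as `[ "--label" "LUKS" ]` and `[ "-L" "swap" ]` so correctness does not hinge on that. `device = "/dev/vdb"` is a VM disk name, and the commented `builtins.elemAt disks 0` hints at a parameterisation this file does not implement; either finish it or drop the comment.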
@@ -45,15 +45,15 @@ in description = "hostname to identify the instance"; }; - bootDevice = mkOption { - type = types.str; - default = null; - description = '' - Path of the underlying luks-encrypted root. - Get UUID from e.g. - blkid /dev/sda2''; - example = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b"; - }; + # bootDevice = mkOption { + # type = types.str; + # default = null; + # description = '' + # Path of the underlying luks-encrypted root. + # Get UUID from e.g. + # blkid /dev/sda2''; + # example = "/dev/disk/by-uuid/608e0e77-eea4-4dc4-b88d-76cc63e4488b"; + # }; }; config = mkIf cfg.enable { @@ -256,14 +256,14 @@ in # Encrypted drive to be mounted by the bootloader. Path of the device will # have to be changed for each install. - initrd.luks.devices = { - root = { - # Get UUID from blkid /dev/sda2 - device = cfg.bootDevice; - preLVM = true; - allowDiscards = true; - }; - }; + # initrd.luks.devices = { + # root = { + # # Get UUID from blkid /dev/sda2 + # device = cfg.bootDevice; + # preLVM = true; + # allowDiscards = true; + # }; + # }; }; # Define the hostname diff --git a/modules/nix-common/default.nix b/modules/nix-common/default.nix index 61614d64..58793ad3 100644 --- a/modules/nix-common/default.nix +++ b/modules/nix-common/default.nix @@ -60,20 +60,18 @@ in lollypops.secrets.files."nix/nix-access-tokens" = { }; - nix.trustedUsers = [ "@wheel" ]; - # Enable flakes nix = { # Enable flakes package = pkgs.nixVersions.stable; - # !include ${config.lollypops.secrets.files."nix/nix-access-tokens".path} extraOptions = '' fallback = true connect-timeout = 100 stalled-download-timeout = 100 ''; + # !include ${config.lollypops.secrets.files."nix/nix-access-tokens".path} settings = { @@ -82,6 +80,8 @@ in "flakes" ]; + trusted-users = [ "@wheel" ]; + trusted-public-keys = [ "nix-cache:4FILs79Adxn/798F8qk2PC1U8HaTlaPqptwNJrXNA1g=" ]; substituters = [
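Review bot: The `bootDevice` option here and the `initrd.luks.devices` block in the second hunk of this file are commented out rather than deleted, leaving two dead blocks that still reference each other (`device = cfg.bootDevice;`) and that git history already preserves; delete them. If the removal is meant to be temporary, one line explaining the migration is more useful than the old code, e.g. `# LUKS root device is now set per machine (machines/*/configuration.nix) or by disko`. Any host still setting `pinpox.desktop.bootDevice` now fails evaluation because the option no longer exists, which is the intended outcome but worth stating in the commit message.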
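Review bot: Moving the grant from the removed `nix.trustedUsers` to `nix.settings.trusted-users = [ "@wheel" ]` preserves the policy, and the breadth of that policy should be written down: a trusted user may pass arbitrary `substituters`, `trusted-public-keys` and sandbox settings to the daemon, which amounts to root on the host. Add `# trusted-users is effectively root: wheel members can override substituters, keys and sandbox options for the daemon` above the new line. The `# !include ${config.lollypops.secrets.files."nix/nix-access-tokens".path}` comment is only relocated, and the `extraOptions` string in the first hunk of this file shows no include, so the `nix/nix-access-tokens` secret declared at the top of that hunk appears to be unused; confirm the include lands in the generated nix.conf somewhere outside these hunks, or drop the comment. The enclosing `nix = {` set starts in the first hunk and continues past the last line shown.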