nixos: revive crusty
parent
e37da92ab9
commit
42362a0211
|
@ -1,9 +1,11 @@
|
|||
keys:
|
||||
- &crusty age1y7arunqzyjjdyspx46z20x6qadxpxfu5z59qe74tn4re375ctg7qtj48p3
|
||||
- &msfjarvis age1dvrymsl5xk26pkznk5kljqssnkvae2ftsawx96n4r43p3cfzyv4qtr67qj
|
||||
- &wailord age10fy49p7faufe5533rxgshwjn9kr3aqcxjyqk6ty26j99w50dkswsvn2maq
|
||||
creation_rules:
|
||||
- path_regex: secrets/*
|
||||
key_groups:
|
||||
- age:
|
||||
- *crusty
|
||||
- *msfjarvis
|
||||
- *wailord
|
||||
|
|
11
flake.nix
11
flake.nix
|
@ -111,7 +111,6 @@
|
|||
inputs.home-manager.nixosModules.home-manager
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
inputs.stylix.nixosModules.stylix
|
||||
inputs.disko.nixosModules.disko
|
||||
inputs.srvos.nixosModules.common
|
||||
inputs.srvos.nixosModules.mixins-systemd-boot
|
||||
({lib, ...}: {
|
||||
|
@ -135,8 +134,13 @@
|
|||
{nixpkgs.pkgs = pkgs;}
|
||||
]
|
||||
++ (
|
||||
if name == "wailord" || name == "crusty"
|
||||
then [inputs.srvos.nixosModules.server]
|
||||
if name == "wailord"
|
||||
then [inputs.disko.nixosModules.disko inputs.srvos.nixosModules.server]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
if name == "crusty"
|
||||
then [inputs.nixos-hardware.nixosModules.raspberry-pi-4 inputs.srvos.nixosModules.server]
|
||||
else []
|
||||
)
|
||||
++ (
|
||||
|
@ -148,6 +152,7 @@
|
|||
};
|
||||
in
|
||||
genAttrs hosts mkHost;
|
||||
packages.x86_64-linux.crusty = self.nixosConfigurations.crusty.config.system.build.sdImage;
|
||||
deploy = {
|
||||
user = "root";
|
||||
nodes =
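Review bot: `nixpkgs.crossSystem.system = "aarch64-linux";` in the new sd-image.nix may have no effect, because the module list in this file already contains `{nixpkgs.pkgs = pkgs;}` and NixOS documents `crossSystem` as ignored when `nixpkgs.pkgs` (or `nixpkgs.hostPlatform`) is set. How `pkgs` is instantiated lies outside these hunks, so this is inferred: if it is built for x86_64-linux, `packages.x86_64-linux.crusty` would not be the cross-built aarch64 image the attribute name implies. It is worth checking `nix eval .#nixosConfigurations.crusty.pkgs.stdenv.hostPlatform.system` and, if needed, importing nixpkgs for crusty with the cross system set where `pkgs` is defined. A comment above the new attribute such as `# SD image for crusty (aarch64), cross-built from an x86_64-linux builder` would also document the intent.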
|
||||
|
|
|
@ -6,11 +6,22 @@
|
|||
}: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./sd-image.nix
|
||||
];
|
||||
# Pi kernel does not build all modules so this allows some to be missing.
|
||||
nixpkgs.overlays = [
|
||||
(_: super: {
|
||||
makeModulesClosure = x:
|
||||
super.makeModulesClosure (x // {allowMissing = true;});
|
||||
})
|
||||
];
|
||||
|
||||
hardware.raspberry-pi."4" = {
|
||||
apply-overlays-dtmerge.enable = true;
|
||||
pwm0.enable = true;
|
||||
};
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
|
||||
time.timeZone = "Asia/Kolkata";
|
||||
|
||||
|
@ -22,10 +33,16 @@
|
|||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users.msfjarvis = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel"];
|
||||
hashedPassword = ''$y$j9T$MQNdrYiBEX4.vkTzuXc4Q.$FKzWf0o.527za6LfMU1f96Cf2iZPZRVmOwmOw7yx5.A'';
|
||||
users = {
|
||||
msfjarvis = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel"];
|
||||
hashedPassword = ''$y$j9T$g8JL/B98ogQF/ryvwHpWe.$jyKMeotGz/o8Pje.nejKzPMiYOxtn//33OzMu5bAHm2'';
|
||||
};
|
||||
root.openssh.authorizedKeys.keys = [
|
||||
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoNv1E/D4IzNIJeJg7Rp49Jizw8aoCLSyFLcUmD1F6K''
|
||||
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3WC4HKwbfVGnJzhtrWo2Ue0dnaZH1JaPu4X6VILQL6''
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -57,10 +74,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.getty.autologinUser = "msfjarvis";
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
services.qbittorrent = {
|
||||
enable = true;
|
||||
port = 9091;
|
||||
|
@ -78,7 +91,16 @@
|
|||
file_filter = "*.mp4";
|
||||
};
|
||||
|
||||
services.tailscale.enable = true;
|
||||
systemd.services.disable-wlan-powersave = {
|
||||
description = "Disable WiFi power save";
|
||||
after = ["sys-subsystem-net-devices-wlan0.device"];
|
||||
wantedBy = ["sys-subsystem-net-devices-wlan0.device"];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
ExecStart = "${pkgs.iw}/bin/iw dev wlan0 set power_save off";
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
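Review bot: The `users` hunk commits a new `hashedPassword` for a `wheel` account in clear text, even though the flake already wires in sops-nix. The hash ends up in the repository history and in the world-readable Nix store of every builder, where it can be attacked offline. It could instead be a sops secret marked `neededForUsers = true` and referenced with `hashedPasswordFile = config.sops.secrets."<password-secret>".path;` (placeholder name). The same hunk adds `root.openssh.authorizedKeys.keys`, which permits direct root logins over SSH. If that is required for deployment, say so in a comment and confirm that `services.openssh.settings.PermitRootLogin` is `"prohibit-password"` and that `PasswordAuthentication` is off; neither setting is visible in this diff.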
|
||||
|
|
|
@ -6,29 +6,6 @@
|
|||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid"];
|
||||
boot.initrd.kernelModules = [];
|
||||
boot.kernelModules = [];
|
||||
boot.extraModulePackages = [];
|
||||
boot.supportedFilesystems = ["ntfs"];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/media" = {
|
||||
device = "/dev/disk/by-uuid/1d9cbc92-8ea9-4ae7-8c8f-5f72c3d75626";
|
||||
fsType = "ext4";
|
||||
options = [
|
||||
"nofail"
|
||||
];
|
||||
};
|
||||
|
||||
swapDevices = [];
|
||||
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
}
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
{
|
||||
modulesPath,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
nixpkgs.crossSystem.system = "aarch64-linux";
|
||||
imports = [
|
||||
(modulesPath + "/installer/sd-card/sd-image.nix")
|
||||
];
|
||||
|
||||
boot = {
|
||||
consoleLogLevel = lib.mkDefault 7;
|
||||
|
||||
kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
|
||||
};
|
||||
|
||||
sdImage = {
|
||||
populateFirmwareCommands = let
|
||||
configTxt = pkgs.writeText "config.txt" ''
|
||||
[pi3]
|
||||
kernel=u-boot-rpi3.bin
|
||||
[pi4]
|
||||
kernel=u-boot-rpi4.bin
|
||||
enable_gic=1
|
||||
armstub=armstub8-gic.bin
|
||||
# Otherwise the resolution will be weird in most cases, compared to
|
||||
# what the pi3 firmware does by default.
|
||||
disable_overscan=1
|
||||
[all]
|
||||
# Boot in 64-bit mode.
|
||||
arm_64bit=1
|
||||
# U-Boot needs this to work, regardless of whether UART is actually used or not.
|
||||
# Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
|
||||
# a requirement in the future.
|
||||
enable_uart=1
|
||||
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
|
||||
# when attempting to show low-voltage or overtemperature warnings.
|
||||
avoid_warnings=1
|
||||
'';
|
||||
in ''
|
||||
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
|
||||
# Add the config
|
||||
cp ${configTxt} firmware/config.txt
|
||||
# Add pi3 specific files
|
||||
cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
|
||||
# Add pi4 specific files
|
||||
cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin
|
||||
cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin
|
||||
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/
|
||||
'';
|
||||
populateRootCommands = ''
|
||||
mkdir -p ./files/boot
|
||||
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -14,7 +14,7 @@ in {
|
|||
|
||||
# Open HTTP(S) ports
|
||||
networking = {
|
||||
networkmanager.enable = true;
|
||||
networkmanager.enable = lib.mkDefault true;
|
||||
nftables.enable = true;
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
|
@ -37,7 +37,7 @@ in {
|
|||
sops.secrets.tsauthkey = {};
|
||||
|
||||
# Automatically log into my user account
|
||||
services.getty.autologinUser = "msfjarvis";
|
||||
services.getty.autologinUser = lib.mkForce "msfjarvis";
|
||||
|
||||
# Enable SSH
|
||||
services.openssh.enable = true;
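Review bot: Forcing `services.getty.autologinUser` with `lib.mkForce` in this shared module also applies it to crusty, which this commit turns into a headless srvos server with serial consoles on its kernel command line (sd-image.nix). As far as I know NixOS passes the autologin user to serial gettys as well, so anyone with console or UART access to the Pi would get a logged-in `wheel` session without a password. The `mkForce` suggests another module defines a conflicting value; that definition is not visible here. Consider keeping autologin to interactive machines, for example `services.getty.autologinUser = lib.mkDefault "msfjarvis";` here with an explicit `null` on server hosts. The enclosing attribute set starts and ends outside the hunk.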
|
||||
|
|
|
@ -5,23 +5,32 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1y7arunqzyjjdyspx46z20x6qadxpxfu5z59qe74tn4re375ctg7qtj48p3
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNHdrVTJLcURUZzAxL1Jp
|
||||
K3UzcVNiT2dhV1dRWGFGVmNhSWdJRlRNc0hBCkw1SjVnTTdwRytxS3BXbmJjRjMx
|
||||
UWRHYzZtcHBKTkR3d2FzVEEwM3BrVzAKLS0tIGFyanl0T1h5MldQS3BhdVcrbmtF
|
||||
K3BTWVQzdXNsRjlTVWVweEVYQlNOTlkKxU1dYjX2Thpe3iKNKT02X07k5hirC4+d
|
||||
wjJdwR1B5uKkN91LGlvsjW46WO2NuYNBby70hBSX5POZQlzujOPiVQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1dvrymsl5xk26pkznk5kljqssnkvae2ftsawx96n4r43p3cfzyv4qtr67qj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtajU2ZkRHa2tVR0JwY0hp
|
||||
emFaUVBlQjVSUG0rcmo1bXc5TE0wMllGWFZBCjZNRkluNWdhdmM4eFF5Y29SdEdG
|
||||
bjQ1Qm9BTWNKQnlTRnpwL1Y4NnRxb1UKLS0tIHpZbkF1MVVQWTZiMS9QRDNTLzV5
|
||||
NUx6SHF2aG9COUFsNVlsZTdGMEdzSHMK/QcAoKkQMXkg/1Qx1VwPkxiTyQzOvWAe
|
||||
448boIEPgXqQU3QujvLnv35LYOjO3VJ9tSrJ7MbRFzFaYMVHzhPdCA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTU1xcmIyUjdiNlo2OTBV
|
||||
T1RqM2pubk5EcG1wSC9DaGZYUFJocVBSaWhZClViWmkvZDhDRkNWaWxFZTNvR042
|
||||
N0UySUxPd2NXOWxianhlOVJveFZQZkEKLS0tIGtNOUNxemhJTUxCZk83M0FxdE1T
|
||||
eFlVK2JkcVlUNDIzMlNWVTBLM29PNGsK17BUhERakG6cr6eSRdUbcVXJVBD8WQXv
|
||||
eaXR15zTrxe1gzdECrHRVx0HYCxX1Yy6y2giiK6ubOeputa05ePaVw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age10fy49p7faufe5533rxgshwjn9kr3aqcxjyqk6ty26j99w50dkswsvn2maq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMlpGVnQ1M3RteENrMjBW
|
||||
Y2NzQjNUY1lDSWhSVjFCazlDZ0FLQWxTd25NCjU4Nlk2YTFQT0hMUWE0Z21laEpB
|
||||
dElveHdzd0VYTWhVTG9KUmRKMHFMMkkKLS0tIGNacnoxMGFZV0VpS1JKNE1RTnI4
|
||||
T2NvLzJmQlBiMkRDWHhkMXhDK1hDcXcKrOp2c2rQA8x9SXcU9uzq2piy5s4PrSDA
|
||||
IiohZGW1fWLdefdOzMhZb7x6DuyhxXDNM2867rSN45pxboEnD9YnOg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eThTYkZXK0hHeGNXNnRU
|
||||
WjJWcmtHMjdrWnQ0L1pOZTFsdmRFcWp2emdJCnMvTFpyMjJOdVZrNGMrTmM1a0hG
|
||||
WmZhK2QrRTI0OHppWjNSOXNKUC8rM2sKLS0tIExIV0RiL0c1MjJKbnFnZ0J2ZkNV
|
||||
Q3picU5aZEtjcFBybVhEMVZvVUtDME0Kp2ZMYhiPQee8BvjUqroeR42rJ6Fr9QWo
|
||||
cjRMnFdDk3YGD/34Lzbs8JVhz7aMsFLOKulU5zuXem834ZVXdzOPNA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-12-22T17:25:10Z"
|
||||
mac: ENC[AES256_GCM,data:7yletAir2P3icyzSRl560vWG3N54R9S/w1lOoUbWjssj220XYWcRNQP6b21A4Npava3bqJujUWm9vXBG577e5Y0sRf+1HY66aQcPI0tl8TB2fwhZx4AgehxKDVVbPVjaSB7GjvaYYbrwmz56nTRh2qN5TBrQeq1vLvdjoRdCryA=,iv:J69HECcwdF/HlewYW3KDB8maO6qs6xd20r2rkgpMd/I=,tag:TYHk6KHZ+gNmie8tqRJsyQ==,type:str]
|
||||
|
|