steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

WIP everything

Browse source
This commit is contained in:
steveej 2024-01-18 14:59:17 +00:00
parent 2a23c7fdbe
commit 26f0bde4b3
29 changed files with 1630 additions and 423 deletions
Download patch file Download diff file Expand all files Collapse all files

11
nix/os/containers/webserver.nix
View file

@ -39,7 +39,14 @@ in {
in ''
redir /hedgedoc* https://hedgedoc.${domain}
respond "Hi!"
file_server /*/* {
browse
root /var/www/stefanjunker.de/htdocs/caddy
pass_thru
}
# respond "Hi"
# respond (not /*/*) "Hi"
'';
};
@ -99,7 +106,7 @@ in {
};
services.jitsi-meet = {
enable = true;
enable = false;
hostName = "meet.${domain}";
config = {
prejoinPageEnabled = true;

36
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -184,10 +184,11 @@ in {
after = ["hook"];
rules = let
wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
exposedHost = "192.168.22.121";
exposedHost = "srv0-dmz0.dmz.internal";
in [
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
"iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
# TODO: if this hostname doesn't resolve it'll break the whole ruleset
# "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
];
};
};
@ -574,7 +575,8 @@ in {
# sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path;
# enables debug logging
# logger_stdout_level= lib.mkForce 0;
logger_stdout_level= lib.mkForce 0;
logger_stdout = -1;
# logger_syslog_level= lib.mkForce 0;
# resources on vlan tagging
@ -583,6 +585,7 @@ in {
dynamic_vlan = 1;
# this option currently requires a patch to hostapd
vlan_no_bridge = 1;
/* not used due to the above vlan_no_bridge setting
@ -620,14 +623,36 @@ in {
# "SAE"
]);
# wpa_psk_radius = 0;
wpa_pairwise = "CCMP";
wmm_enabled = 1;
# IEEE 802.11i (authentication) related configuration
# Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w = 1;
sae_require_mfp = 1;
sae_groups = "19 20 21";
# [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
tls_flags= "[ENABLE-TLSv1.3]";
ieee8021x=0;
eap_server=0;
};
};
# wlan0-1 = {
# ssid = "mlsia-testing";
# authentication = {
# mode = "wpa3-sae-transition";
# };
# bssid = mkBssid 1;
# settings = {
# bridge = bridgeInterfaceName;
# };
# };
# wlan0-1 = {
# ssid = "justtestingwifi-wpa3";
# authentication = {
@ -777,7 +802,7 @@ in {
tag
(mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; })
(mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; })
"30m"
"12h"
];
in
builtins.map
@ -843,7 +868,8 @@ in {
};
# The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often.
services.irqbalance.enable = true;
# disable for now as i think it causes wifi issues
services.irqbalance.enable = false;
system.stateVersion = "23.05";

3
nix/os/devices/sj-bm-hostkey0/configuration.nix
View file

@ -162,5 +162,8 @@
boot.binfmt.emulatedSystems = [
"aarch64-linux"
"i686-linux"
# "i386-linux"
# "i586-linux"
];
}

47
nix/os/devices/sj-vps-htz0/system.nix
View file

@ -1,13 +1,14 @@
{
pkgs,
lib,
config,
repoFlake,
nodeName,
...
}: let
{ pkgs
, lib
, config
, repoFlake
, nodeName
, ...
}:
let
wireguardPort = 51820;
in {
in
{
imports = [
../../snippets/systemd-resolved.nix
];
@ -31,14 +32,14 @@ in {
networking.interfaces.eth0 = {
mtu = 1400;
useDHCP = false;
useDHCP = true;
ipv4.addresses = [
{
"address" = "167.233.1.14";
"prefixLength" = 29;
}
];
ipv6.addresses = [];
ipv6.addresses = [ ];
};
networking.defaultGateway = {
@ -53,7 +54,7 @@ in {
networking.nat = {
enable = true;
internalInterfaces = ["ve-*" "wg*"];
internalInterfaces = [ "ve-*" "wg*" ];
externalInterface = "eth0";
};
@ -78,7 +79,7 @@ in {
privateKeyFile = config.sops.secrets.wg0-private.path;
peers = [
{
allowedIPs = ["192.168.99.2/32"];
allowedIPs = [ "192.168.99.2/32" ];
publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
}
@ -86,12 +87,12 @@ in {
};
# virtualization
virtualisation = {docker.enable = false;};
virtualisation = { docker.enable = false; };
services.spice-vdagentd.enable = true;
services.qemuGuest.enable = true;
nix.gc = {automatic = true;};
nix.gc = { automatic = true; };
containers = {
mailserver = import ../../containers/mailserver.nix {
@ -108,17 +109,17 @@ in {
webserver =
import ../../containers/webserver.nix
{
inherit repoFlake;
{
inherit repoFlake;
autoStart = true;
autoStart = true;
hostAddress = "192.168.100.12";
localAddress = "192.168.100.13";
hostAddress = "192.168.100.12";
localAddress = "192.168.100.13";
httpPort = 80;
httpsPort = 443;
};
httpPort = 80;
httpsPort = 443;
};
syncthing = import ../../containers/syncthing.nix {
autoStart = true;

56
nix/os/devices/steveej-t14/configuration.nix
View file

@ -11,5 +11,61 @@
./user.nix
./boot.nix
./secrets.nix
# samba seerver
({ lib, ... }: {
# networking.firewall.enable = lib.mkForce false;
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
networking.firewall.allowedTCPPorts = [
5357 # wsdd
];
networking.firewall.allowedUDPPorts = [
3702 # wsdd
];
services.samba = {
enable = true;
securityType = "user";
extraConfig = ''
workgroup = ARBEITSGRUPPE
server string = steveej-t14
netbios name = steveej-t14
security = user
# use sendfile = yes
# for executables on windows
acl allow execute always = True
# legacy windows quirks
max protocol = NT1
min protocol = NT1
ntlm auth = yes
# client max protocol = SMB1
# client min protocol = NT1
# note: localhost is the ipv6 localhost ::1
hosts allow = 192.168. 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
voodoo = {
path = "/home/steveej/Desktop/voodoo";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
# "force user" = "steveej";
# "force group" = "users";
};
};
};
})
];
}

22
nix/os/devices/steveej-t14/hw.nix
View file

@ -1,4 +1,4 @@
{...}: let
{lib, ...}: let
stage1Modules = [
"aesni_intel"
"kvm_amd"
@ -7,6 +7,22 @@
"thunderbolt"
"e1000e"
"usbcore"
"xhci_hcd"
"usbnet"
"snd_usb_audio"
"usbhid"
"snd_usbmidi_lib"
"cdc_mbim"
"cdc_ncm"
"usb_storage"
"cdc_wdm"
"uvcvideo"
"btusb"
"xhci_pci"
"cdc_ether"
"uas"
];
in {
# TASK: new device
@ -14,8 +30,11 @@ in {
enable = true;
encrypted = true;
diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901";
earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
};
# boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0";
# see https://linrunner.de/tlp/
services.tlp = {
enable = true;
@ -90,6 +109,7 @@ in {
];
};
hardware.enableRedistributableFirmware = true;
# boot.initrd.availableKernelModules = stage1Modules;
boot.initrd.kernelModules = stage1Modules;
}

20
nix/os/devices/steveej-t14/pkg.nix
View file

@ -59,6 +59,25 @@
sway
'';
# autologin steveej on tty1
systemd.services."autovt@tty1".description = "Autologin at the TTY1";
systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty
systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ];
systemd.services."autovt@tty1".serviceConfig =
{ ExecStart = [
"" # override upstream default with an empty ExecStart
"@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM"
];
Restart = "always";
Type = "idle";
};
programs.zsh.loginShellInit = ''
if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then
exec sway
fi
'';
# fonts = let
# prefs.font = rec {
# size = 13;
@ -109,6 +128,7 @@
# rtkit is optional but recommended
security.rtkit.enable = true;
services.pipewire = {
audio.enable = true;
enable = true;
alsa.enable = true;
alsa.support32Bit = true;

83
nix/os/devices/steveej-t14/system.nix
View file

@ -1,11 +1,11 @@
{
pkgs,
lib,
config,
nodeName,
repoFlake,
...
}: let
{ pkgs
, lib
, config
, nodeName
, repoFlake
, ...
}:
let
passwords = import ../../../variables/passwords.crypt.nix;
localTcpPorts = [
@ -24,7 +24,8 @@
21027
];
in {
in
{
imports = [
../../snippets/nix-settings-holo-chain.nix
];
@ -44,16 +45,16 @@ in {
sshUser = "nix-remote-builder";
protocol = "ssh-ng";
system = "x86_64-linux";
maxJobs = 24;
maxJobs = 32;
speedFactor = 100;
supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ];
}
];
networking.extraHosts = ''
'';
networking.bridges."virbr1".interfaces = [];
networking.bridges."virbr1".interfaces = [ ];
networking.interfaces."virbr1".ipv4.addresses = [
{
address = "10.254.254.254";
@ -86,7 +87,7 @@ in {
# virtualization
virtualisation = {
libvirtd = {enable = true;};
libvirtd = { enable = true; };
virtualbox.host = {
enable = false;
@ -107,11 +108,11 @@ in {
enable = true;
package = lib.mkForce pkgs.gnome3.gvfs;
};
environment.systemPackages = with pkgs; [lxqt.lxqt-policykit]; # provides a default authentification client for policykit
environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit
security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
services.xserver.videoDrivers = lib.mkForce ["amdgpu"];
services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];
services.xserver.serverFlagsSection = ''
Option "BlankTime" "0"
Option "StandbyTime" "0"
@ -123,35 +124,37 @@ in {
hardware.ledger.enable = true;
services.zerotierone = {
enable = true;
joinNetworks = [
# moved to the service below as it's now secret
];
};
# services.zerotierone = {
# enable = false;
# joinNetworks = [
# # moved to the service below as it's now secret
# ];
# };
systemd.services.zerotieroneSecretNetworks = {
enable = false;
requiredBy = ["zerotierone.service"];
partOf = ["zerotierone.service"];
# systemd.services.zerotieroneSecretNetworks = {
# enable = false;
# requiredBy = [ "zerotierone.service" ];
# partOf = [ "zerotierone.service" ];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
# serviceConfig.Type = "oneshot";
# serviceConfig.RemainAfterExit = true;
script = let
secret = config.sops.secrets.zerotieroneNetworks;
in ''
# include the secret's hash to trigger a restart on change
# ${builtins.hashString "sha256" (builtins.toJSON secret)}
# script =
# let
# secret = config.sops.secrets.zerotieroneNetworks;
# in
# ''
# # include the secret's hash to trigger a restart on change
# # ${builtins.hashString "sha256" (builtins.toJSON secret)}
${config.systemd.services.zerotierone.preStart}
# ${config.systemd.services.zerotierone.preStart}
rm -rf /var/lib/zerotier-one/networks.d/*.conf
for network in `grep -v '#' ${secret.path}`; do
touch /var/lib/zerotier-one/networks.d/''${network}.conf
done
'';
};
# rm -rf /var/lib/zerotier-one/networks.d/*.conf
# for network in `grep -v '#' ${secret.path}`; do
# touch /var/lib/zerotier-one/networks.d/''${network}.conf
# done
# '';
# };
sops.secrets.zerotieroneNetworks = {
sopsFile = ../../../../secrets/zerotierone.txt;

1
nix/os/devices/steveej-x13s/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
result

82
nix/os/devices/steveej-x13s/configuration.nix Normal file
View file

@ -0,0 +1,82 @@
{ repoFlake
, pkgs
, lib
, config
, nodeFlake
, nodeName
, localDomainName
, system
, ...
}:
{
imports = [
# repoFlake.inputs.sops-nix.nixosModules.sops
# ../../profiles/common/user.nix
{
nix.nixPath = [
"nixpkgs=${pkgs.path}"
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.max-jobs = lib.mkDefault "auto";
nix.settings.cores = lib.mkDefault 0;
}
{
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
# users.commonUsers = {
# enable = true;
# enableNonRoot = false;
# rootPasswordFile = config.sops.secrets.passwords-root.path;
# };
users.users.root.password = "install";
# sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# sops.defaultSopsFormat = "yaml";
# sops.secrets.passwords-root.neededForUsers = true;
}
];
networking = {
hostName = nodeName;
useNetworkd = false;
networkmanager.enable = false;
firewall.enable = false;
};
system.stateVersion = "23.11";
# We exclude a number of modules included in the default list. A non-insignificant amount do
# not apply to embedded hardware like this, so simply skip the defaults.
#
# Custom kernel is required as a lot of MTK components misbehave when built as modules.
# They fail to load properly, leaving the system without working ethernet, they'll oops on
# remove. MTK-DSA parts and PCIe were observed to do this.
# boot.initrd.includeDefaultModules = false;
# boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
# boot.initrd.availableKernelModules = ["nvme"];
nixpkgs.config.allowUnfree = true;
# hardware.enableRedistributableFirmware = true;
environment.systemPackages = [
pkgs.busybox
];
fileSystems."/".label = "x13s_root";
}

35
nix/os/devices/steveej-x13s/default.nix Normal file
View file

@ -0,0 +1,35 @@
{
system ? "aarch64-linux",
nodeName,
repoFlake,
nodeFlake,
localDomainName ? "internal",
...
}: {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
inherit localDomainName;
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}";
deployment.replaceUnknownProfiles = true;
# nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
imports = [
./configuration.nix
];
networking.hostName = nodeName;
};
}

159
nix/os/devices/steveej-x13s/flake.lock generated Normal file
View file

@ -0,0 +1,159 @@
{
"nodes": {
"brainwart_x13s-nixos": {
"flake": false,
"locked": {
"lastModified": 1701822673,
"narHash": "sha256-F2LBV8tqGPhEAvmn5Frxj79RPWgPGUYxJRYz8Pn9uj0=",
"owner": "BrainWart",
"repo": "x13s-nixos",
"rev": "ba245df7a72a78ec93aa500ba1a0cb29f0f65f37",
"type": "github"
},
"original": {
"owner": "BrainWart",
"ref": "main",
"repo": "x13s-nixos",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1705348229,
"narHash": "sha256-CssPema1sBxZkrT95KFuKCNNiqxNe1lnf2QNeXk88Xk=",
"owner": "nix-community",
"repo": "disko",
"rev": "d0b4408eaf782a1ada0a9133bb1cecefdd59c696",
"type": "github"
},
"original": {
"id": "disko",
"type": "indirect"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"srvos",
"nixpkgs"
]
},
"locked": {
"lastModified": 1704982712,
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"get-flake": {
"locked": {
"lastModified": 1694475786,
"narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=",
"owner": "ursi",
"repo": "get-flake",
"rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"linux_x13s": {
"flake": false,
"locked": {
"lastModified": 1705487080,
"narHash": "sha256-DTOPiUGaeH5Ey+AZaO1c1n/QFikIXmvo2tTzgFtJ70k=",
"owner": "jhovold",
"repo": "linux",
"rev": "dd209a8fb4840e48ca4963bb23057f38b1066a6d",
"type": "github"
},
"original": {
"owner": "jhovold",
"ref": "wip/sc8280xp-v6.7",
"repo": "linux",
"type": "github"
}
},
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1705008488,
"narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=",
"owner": "NixOS",
"repo": "mobile-nixos",
"rev": "56e55df7b07b5e5c6d050732d851cec62b41df95",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "mobile-nixos",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1705316053,
"narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"brainwart_x13s-nixos": "brainwart_x13s-nixos",
"disko": "disko",
"get-flake": "get-flake",
"linux_x13s": "linux_x13s",
"mobile-nixos": "mobile-nixos",
"nixpkgs": "nixpkgs",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1705346686,
"narHash": "sha256-lTf1b2I6wwNDhV5eEKIAMT5DOa43bK5KaPqDWH2yfek=",
"owner": "numtide",
"repo": "srvos",
"rev": "8e03bea707212a7225b0ab02a8186af8b1e98e0a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

270
nix/os/devices/steveej-x13s/flake.nix Normal file
View file

@ -0,0 +1,270 @@
{
inputs =
{
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
get-flake.url = "github:ursi/get-flake";
disko.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
mobile-nixos.url = "github:NixOS/mobile-nixos";
mobile-nixos.flake = false;
# see https://github.com/jhovold/linux/wiki/X13s for status updates
linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7";
linux_x13s.flake = false;
brainwart_x13s-nixos = {
url = "github:BrainWart/x13s-nixos/main";
flake = false;
};
};
outputs =
{ self
, get-flake
, nixpkgs
, ...
}:
let
targetPlatform = "aarch64-linux";
buildPlatform = "x86_64-linux";
nodeName = "steveej-x13s";
pkgs = nixpkgs.legacyPackages.${targetPlatform};
pkgsCross = import self.inputs.nixpkgs {
system = buildPlatform;
crossSystem = {
config = "pentium2-unknown-linux-gnu";
};
};
mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs = (import ./default.nix {
system = targetPlatform;
inherit nodeName;
repoFlake = get-flake ../../../..;
nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName};
modules =
[
self.nixosModules.hardware-x13s
./configuration.nix
# flake registry
{
nix.registry.nixpkgs.flake = nixpkgs;
}
{
nixpkgs.overlays = [
(final: prev:
{
qrtr = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qrtr.nix" { };
qmic = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qmic.nix" { };
rmtfs = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/rmtfs.nix" { };
pd-mapper = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/pd-mapper.nix" {
inherit (final) qrtr;
};
compressFirmwareXz = prev.lib.id; #this leaves all firmware uncompressed :) for pd-mapper
})
];
}
]
++ extraModules;
}
);
in
{
nixosConfigurations = {
native = mkNixosConfiguration {
system = targetPlatform;
};
cross = mkNixosConfiguration {
extraModules = [
{
nixpkgs.buildPlatform.system = buildPlatform;
nixpkgs.hostPlatform.system = targetPlatform;
}
];
};
};
nixosModules.hardware-x13s = { pkgs, config, lib, options, ... }:
let
# TODO: introduce options for these
kernelPdMapper = true;
in
{
config =
let
inherit (config.boot.loader) efi;
kp = [
{
name = "x13s-cfg";
patch = null;
extraStructuredConfig = with lib.kernel; {
EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes;
OF_OVERLAY = lib.mkForce yes;
BTRFS_FS = lib.mkForce yes;
BTRFS_FS_POSIX_ACL = lib.mkForce yes;
MEDIA_CONTROLLER = lib.mkForce yes;
SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes;
SND_USB = lib.mkForce yes;
SND_USB_AUDIO = lib.mkForce module;
USB_XHCI_PCI = lib.mkForce module;
NO_HZ_FULL = lib.mkForce yes;
HZ_100 = lib.mkForce yes;
HZ_250 = lib.mkForce no;
DRM_AMDGPU = lib.mkForce no;
DRM_NOUVEAU = lib.mkForce no;
QCOM_TSENS = lib.mkForce yes;
NVMEM_QCOM_QFPROM = lib.mkForce yes;
ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes;
} // lib.optionalAttrs kernelPdMapper {
QCOM_PD_MAPPER = lib.mkForce yes;
QRTR = lib.mkForce yes;
};
}
];
# We can't quite move to mainline linux
linux_x13s_pkg = { buildLinux, ... } @ args:
buildLinux (args // rec {
version = "6.7.0";
modDirVersion = lib.versions.pad 3 version;
extraMeta.branch = lib.versions.majorMinor version;
src = self.inputs.linux_x13s;
kernelPatches = (args.kernelPatches or [ ]) ++ kp;
} // (args.argsOverride or { }));
# we add additional configuration on top of te normal configuration above
# using the extraStructuredConfig option on the kernel patch
linux_x13s = pkgs.callPackage linux_x13s_pkg {
defconfig = "johan_defconfig";
};
uncompressed-fw = pkgs.callPackage
({ lib, runCommand, buildEnv, firmwareFilesList }:
runCommand "qcom-modem-uncompressed-firmware-share"
{
firmwareFiles = buildEnv {
name = "qcom-modem-uncompressed-firmware";
paths = firmwareFilesList;
pathsToLink = [
"/lib/firmware/rmtfs"
"/lib/firmware/qcom"
];
};
} ''
PS4=" $ "
(
set -x
mkdir -p $out/share/
ln -s $firmwareFiles/lib/firmware/ $out/share/uncompressed-firmware
)
'')
{
firmwareFilesList = lib.flatten options.hardware.firmware.definitions;
};
linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s;
dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/sc8280xp-lenovo-thinkpad-x13s.dtb";
dtbName = "x13s63rc4.dtb";
in
{
boot = {
loader.systemd-boot.enable = true;
loader.systemd-boot.extraFiles = {
"${dtbName}" = dtb;
};
loader.efi.canTouchEfiVariables = true;
loader.efi.efiSysMountPoint = "/boot";
kernelPackages = linuxPackages_x13s;
kernelParams = [
"boot.shell_on_fail"
"clk_ignore_unused"
"pd_ignore_unused"
"arm64.nopauth"
"cma=128M"
"nvme.noacpi=1"
"iommu.strict=0"
"dtb=${dtbName}"
];
initrd = {
includeDefaultModules = false;
availableKernelModules = [
"i2c_hid"
"i2c_hid_of"
"i2c_qcom_geni"
"leds_qcom_lpg"
"pwm_bl"
"qrtr"
"pmic_glink_altmode"
"gpio_sbu_mux"
"phy_qcom_qmp_combo"
"panel-edp"
"msm"
"phy_qcom_edp"
"i2c-core"
"i2c-hid"
"i2c-hid-of"
"i2c-qcom-geni"
"pcie-qcom"
"phy-qcom-qmp-combo"
"phy-qcom-qmp-pcie"
"phy-qcom-qmp-usb"
"phy-qcom-snps-femto-v2"
"phy-qcom-usb-hs"
"nvme"
];
};
};
# power management, etc.
environment.systemPackages = with pkgs; [
qrtr
qmic
rmtfs
pd-mapper
uncompressed-fw
];
environment.pathsToLink = [ "share/uncompressed-firmware" ];
# ensure the x13s' dtb file is in the boot partition
system.activationScripts.x13s-dtb = ''
in_package="${dtb}"
esp_tool_folder="${efi.efiSysMountPoint}/"
in_esp="''${esp_tool_folder}${dtbName}"
>&2 echo "Ensuring $in_esp in EFI System Partition"
if ! ${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then
>&2 echo "Copying $in_package -> $in_esp"
mkdir -p "$esp_tool_folder"
cp "$in_package" "$in_esp"
sync
fi
'';
hardware.enableAllFirmware = true;
hardware.firmware = [
pkgs.linux-firmware
(pkgs.callPackage "${self.inputs.brainwart_x13s-nixos}/pkgs/x13s-firmware.nix" { })
];
};
};
};
}

1
nix/os/devices/voodoo/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
result

85
nix/os/devices/voodoo/configuration.nix Normal file
View file

@ -0,0 +1,85 @@
{
repoFlake,
pkgs,
lib,
config,
nodeFlake,
nodeName,
localDomainName,
system,
...
}: let
in {
imports = [
# repoFlake.inputs.sops-nix.nixosModules.sops
# ../../profiles/common/user.nix
{
nix.nixPath = [
"nixpkgs=${pkgs.path}"
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.max-jobs = lib.mkDefault "auto";
nix.settings.cores = lib.mkDefault 0;
}
{
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
# users.commonUsers = {
# enable = true;
# enableNonRoot = false;
# rootPasswordFile = config.sops.secrets.passwords-root.path;
# };
users.users.root.password = "voodoo";
# sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# sops.defaultSopsFormat = "yaml";
# sops.secrets.passwords-root.neededForUsers = true;
}
];
networking = {
hostName = nodeName;
useNetworkd = false;
useDHCP = true;
firewall.enable = false;
};
system.stateVersion = "23.11";
# We exclude a number of modules included in the default list. A non-insignificant amount do
# not apply to embedded hardware like this, so simply skip the defaults.
#
# Custom kernel is required as a lot of MTK components misbehave when built as modules.
# They fail to load properly, leaving the system without working ethernet, they'll oops on
# remove. MTK-DSA parts and PCIe were observed to do this.
# boot.initrd.includeDefaultModules = false;
# boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"];
# boot.initrd.availableKernelModules = ["nvme"];
hardware.enableRedistributableFirmware = false;
# Extlinux compatible with custom uboot patches in this repo, which also provide unique
# MAC addresses instead of the non-unique one that gets used by a lot of MTK devices...
boot.loader.grub.enable = true;
environment.systemPackages = [
# pkgs.pciutils
];
fileSystems."/".label = "voodoo_root";
boot.loader.grub.devices = [
"/dev/disk/by-id/usb-ST313640_A_20171021-0"
];
}

35
nix/os/devices/voodoo/default.nix Normal file
View file

@ -0,0 +1,35 @@
{
system ? "i586-linux",
nodeName,
repoFlake,
nodeFlake,
localDomainName ? "internal",
...
}: {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
inherit localDomainName;
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}";
deployment.replaceUnknownProfiles = true;
# nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
imports = [
./configuration.nix
];
networking.hostName = nodeName;
};
}

225
nix/os/devices/voodoo/flake.lock generated Normal file
View file

@ -0,0 +1,225 @@
{
"nodes": {
"bpir3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703603768,
"narHash": "sha256-ZViXHNt7ClqNtlRO9iot+LxiSbBvZi/RR+/6Q7W6UV8=",
"owner": "steveej-forks",
"repo": "nixos-bpir3",
"rev": "47cb545b92c136d1482a66b940c4719c40eb5fe3",
"type": "github"
},
"original": {
"owner": "steveej-forks",
"ref": "linux-6.6",
"repo": "nixos-bpir3",
"type": "github"
}
},
"dependencyDagOfSubmodule": {
"inputs": {
"nixpkgs": [
"nixos-nftables-firewall",
"nixpkgs"
]
},
"locked": {
"lastModified": 1656615370,
"narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=",
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nix-dependencyDagOfSubmodule",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703532766,
"narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=",
"owner": "nix-community",
"repo": "disko",
"rev": "1b191113874dee97796749bb21eac3d84735c70a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"get-flake": {
"locked": {
"lastModified": 1694475786,
"narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=",
"owner": "ursi",
"repo": "get-flake",
"rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1",
"type": "github"
},
"original": {
"owner": "ursi",
"repo": "get-flake",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703527373,
"narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "80679ea5074ab7190c4cce478c600057cfb5edae",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "master",
"repo": "home-manager",
"type": "github"
}
},
"hostapd": {
"flake": false,
"locked": {
"lastModified": 1703346062,
"narHash": "sha256-SHSBKIgKc5zEGhKDT2v+yGERTJHf8pe+9ZPUwJBTJKQ=",
"ref": "refs/heads/main",
"rev": "196d6c83b9cb7d298fdc92684dc37115348b159e",
"revCount": 19119,
"type": "git",
"url": "git://w1.fi/hostap.git?branch=main"
},
"original": {
"type": "git",
"url": "git://w1.fi/hostap.git?branch=main"
}
},
"nixos-nftables-firewall": {
"inputs": {
"dependencyDagOfSubmodule": "dependencyDagOfSubmodule",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703279052,
"narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=",
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "3bf23aeb346e772d157816e6b72a742a6c97db80",
"type": "github"
},
"original": {
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"type": "github"
}
},
"nixos-stable": {
"locked": {
"lastModified": 1703068421,
"narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703255338,
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"openwrt": {
"flake": false,
"locked": {
"lastModified": 1691699580,
"narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=",
"ref": "main",
"rev": "847984c773d819d5579d5abae4b80a4983103ed9",
"revCount": 58166,
"type": "git",
"url": "https://github.com/openwrt/openwrt.git"
},
"original": {
"ref": "main",
"rev": "847984c773d819d5579d5abae4b80a4983103ed9",
"type": "git",
"url": "https://github.com/openwrt/openwrt.git"
}
},
"root": {
"inputs": {
"bpir3": "bpir3",
"disko": "disko",
"get-flake": "get-flake",
"home-manager": "home-manager",
"hostapd": "hostapd",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs",
"openwrt": "openwrt",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"nixos-stable": "nixos-stable",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1703469109,
"narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=",
"owner": "numtide",
"repo": "srvos",
"rev": "52d07db520046c4775f1047e68a05dcb53bba9ec",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

80
nix/os/devices/voodoo/flake.nix Normal file
View file

@ -0,0 +1,80 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
get-flake.url = "github:ursi/get-flake";
disko.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = {
self,
get-flake,
nixpkgs,
...
}: let
targetPlatform = "i686-linux";
buildPlatform = "x86_64-linux";
nodeName = "voodoo";
pkgs = nixpkgs.legacyPackages.${targetPlatform};
pkgsCross = import self.inputs.nixpkgs {
system = buildPlatform;
crossSystem = {
config = "pentium2-unknown-linux-gnu";
};
};
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs = (import ./default.nix {
system = targetPlatform;
inherit nodeName;
repoFlake = get-flake ../../../..;
nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName};
modules =
[
./configuration.nix
# flake registry
{
nix.registry.nixpkgs.flake = nixpkgs;
}
{
nixpkgs.overlays = [
(final: previous:
{
})
];
}
]
++ extraModules;
}
);
in {
nixosConfigurations = {
native = mkNixosConfiguration {
system = targetPlatform;
};
cross = mkNixosConfiguration {
extraModules = [
{
nixpkgs.buildPlatform.system = buildPlatform;
nixpkgs.hostPlatform.system = targetPlatform;
}
];
};
};
};
}

1
nix/os/lib/default.nix
View file

@ -20,6 +20,7 @@ in {
"cdrom"
"adbusers"
"dialout"
"cdrom"
];
openssh.authorizedKeys.keys = keys.users.steveej.openssh;

14
nix/os/modules/opinionatedDisk.nix
View file

@ -7,6 +7,12 @@
with lib; let
cfg = config.hardware.opinionatedDisk;
ownLib = pkgs.callPackage ../lib/default.nix {};
earlyDiskId = cfg:
if cfg.earlyDiskIdOverride != ""
then cfg.earlyDiskIdOverride
else cfg.diskId
;
in {
options.hardware.opinionatedDisk = {
enable = mkEnableOption "Enable opinionated filesystem layout";
@ -15,6 +21,11 @@ in {
default = true;
type = types.bool;
};
earlyDiskIdOverride = mkOption {
default = "";
type = types.string;
};
};
config = lib.mkIf cfg.enable {
@ -38,7 +49,7 @@ in {
swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}];
boot.loader.grub = {
device = ownLib.disk.bootGrubDevice cfg.diskId;
device = ownLib.disk.bootGrubDevice (earlyDiskId cfg);
enableCryptodisk = cfg.encrypted;
};
@ -54,6 +65,7 @@ in {
builtins.elemAt splitstring lastelem;
value = {
device = ownLib.disk.bootLuksDevice cfg.diskId;
preLVM = true;
allowDiscards = true;
};

11
nix/os/profiles/graphical/system.nix
View file

@ -42,10 +42,13 @@
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel"
'';
services.samba.enable = true;
services.samba.extraConfig = ''
client max protocol = SMB3
'';
# services.samba.enable = true;
# services.samba.extraConfig = ''
# client max protocol = SMB3
# # client min protocol = SMB2_10
# # client min protocol = NT1
# # ntlm auth = yes
# '';
services.logind.lidSwitchExternalPower = "ignore";