WIP everything

2024-01-18 14:59:17 +00:00 · 2024-01-18 14:59:17 +00:00 · 26f0bde4b3
commit 26f0bde4b3
parent 2a23c7fdbe
29 changed files with 1630 additions and 423 deletions
--- a/nix/os/devices/steveej-t14/configuration.nix
+++ b/nix/os/devices/steveej-t14/configuration.nix
@ -11,5 +11,61 @@
    ./user.nix
    ./boot.nix
    ./secrets.nix
+
+    # samba seerver
+    ({ lib, ... }: {
+
+      # networking.firewall.enable = lib.mkForce false;
+      services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
+      networking.firewall.allowedTCPPorts = [
+        5357 # wsdd
+      ];
+      networking.firewall.allowedUDPPorts = [
+        3702 # wsdd
+      ];
+      services.samba = {
+        enable = true;
+
+        securityType = "user";
+
+        extraConfig = ''
+          workgroup = ARBEITSGRUPPE
+          server string = steveej-t14
+          netbios name = steveej-t14
+          security = user
+
+          # use sendfile = yes
+
+          # for executables on windows
+          acl allow execute always = True
+
+          # legacy windows quirks
+          max protocol = NT1
+          min protocol = NT1
+          ntlm auth = yes
+
+          # client max protocol = SMB1
+          # client min protocol = NT1
+
+          # note: localhost is the ipv6 localhost ::1
+          hosts allow = 192.168. 127.0.0.1 localhost
+          hosts deny = 0.0.0.0/0
+          guest account = nobody
+          map to guest = bad user
+        '';
+        shares = {
+          voodoo = {
+            path = "/home/steveej/Desktop/voodoo";
+            browseable = "yes";
+            "read only" = "no";
+            "guest ok" = "no";
+            "create mask" = "0644";
+            "directory mask" = "0755";
+            # "force user" = "steveej";
+            # "force group" = "users";
+          };
+        };
+      };
+    })
  ];
 }
--- a/nix/os/devices/steveej-t14/hw.nix
+++ b/nix/os/devices/steveej-t14/hw.nix
@ -1,4 +1,4 @@
-{...}: let
+{lib, ...}: let
  stage1Modules = [
    "aesni_intel"
    "kvm_amd"
@ -7,6 +7,22 @@

    "thunderbolt"
    "e1000e"
+
+    "usbcore"
+    "xhci_hcd"
+    "usbnet"
+    "snd_usb_audio"
+    "usbhid"
+    "snd_usbmidi_lib"
+    "cdc_mbim"
+    "cdc_ncm"
+    "usb_storage"
+    "cdc_wdm"
+    "uvcvideo"
+    "btusb"
+    "xhci_pci"
+    "cdc_ether"
+    "uas"
  ];
 in {
  # TASK: new device
@ -14,8 +30,11 @@ in {
    enable = true;
    encrypted = true;
    diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901";
+    earlyDiskIdOverride  = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
  };

+  # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0";
+
  # see https://linrunner.de/tlp/
  services.tlp = {
    enable = true;
@ -90,6 +109,7 @@ in {
    ];
  };

+  hardware.enableRedistributableFirmware = true;
  # boot.initrd.availableKernelModules = stage1Modules;
  boot.initrd.kernelModules = stage1Modules;
 }
--- a/nix/os/devices/steveej-t14/pkg.nix
+++ b/nix/os/devices/steveej-t14/pkg.nix
@ -59,6 +59,25 @@
    sway
  '';

+
+  # autologin steveej on tty1
+  systemd.services."autovt@tty1".description = "Autologin at the TTY1";
+  systemd.services."autovt@tty1".after = [ "systemd-logind.service" ];  # without it user session not started and xorg can't be run from this tty
+  systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ];
+  systemd.services."autovt@tty1".serviceConfig =
+    { ExecStart = [
+        ""  # override upstream default with an empty ExecStart
+        "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM"
+      ];
+      Restart = "always";
+      Type = "idle";
+    };
+  programs.zsh.loginShellInit = ''
+      if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then
+        exec sway
+      fi
+    '';
+
  # fonts = let
  #   prefs.font = rec {
  #     size = 13;
@ -109,6 +128,7 @@
  # rtkit is optional but recommended
  security.rtkit.enable = true;
  services.pipewire = {
+    audio.enable = true;
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@ -1,11 +1,11 @@
-{
-  pkgs,
-  lib,
-  config,
-  nodeName,
-  repoFlake,
-  ...
-}: let
+{ pkgs
+, lib
+, config
+, nodeName
+, repoFlake
+, ...
+}:
+let
  passwords = import ../../../variables/passwords.crypt.nix;

  localTcpPorts = [
@ -24,7 +24,8 @@
    21027
  ];

-in {
+in
+{
  imports = [
    ../../snippets/nix-settings-holo-chain.nix
  ];
@ -44,16 +45,16 @@ in {
      sshUser = "nix-remote-builder";
      protocol = "ssh-ng";
      system = "x86_64-linux";
-      maxJobs = 24;
+      maxJobs = 32;
      speedFactor = 100;
-      supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
+      supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ];
    }
  ];

  networking.extraHosts = ''
  '';

-  networking.bridges."virbr1".interfaces = [];
+  networking.bridges."virbr1".interfaces = [ ];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
      address = "10.254.254.254";
@ -86,7 +87,7 @@ in {

  # virtualization
  virtualisation = {
-    libvirtd = {enable = true;};
+    libvirtd = { enable = true; };

    virtualbox.host = {
      enable = false;
@ -107,11 +108,11 @@ in {
    enable = true;
    package = lib.mkForce pkgs.gnome3.gvfs;
  };
-  environment.systemPackages = with pkgs; [lxqt.lxqt-policykit]; # provides a default authentification client for policykit
+  environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit

-  security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];

-  services.xserver.videoDrivers = lib.mkForce ["amdgpu"];
+  services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];
  services.xserver.serverFlagsSection = ''
    Option "BlankTime" "0"
    Option "StandbyTime" "0"
@ -123,35 +124,37 @@ in {

  hardware.ledger.enable = true;

-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [
-      # moved to the service below as it's now secret
-    ];
-  };
+  # services.zerotierone = {
+  #   enable = false;
+  #   joinNetworks = [
+  #     # moved to the service below as it's now secret
+  #   ];
+  # };

-  systemd.services.zerotieroneSecretNetworks = {
-    enable = false;
-    requiredBy = ["zerotierone.service"];
-    partOf = ["zerotierone.service"];
+  # systemd.services.zerotieroneSecretNetworks = {
+  #   enable = false;
+  #   requiredBy = [ "zerotierone.service" ];
+  #   partOf = [ "zerotierone.service" ];

-    serviceConfig.Type = "oneshot";
-    serviceConfig.RemainAfterExit = true;
+  #   serviceConfig.Type = "oneshot";
+  #   serviceConfig.RemainAfterExit = true;

-    script = let
-      secret = config.sops.secrets.zerotieroneNetworks;
-    in ''
-      # include the secret's hash to trigger a restart on change
-      # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+  #   script =
+  #     let
+  #       secret = config.sops.secrets.zerotieroneNetworks;
+  #     in
+  #     ''
+  #       # include the secret's hash to trigger a restart on change
+  #       # ${builtins.hashString "sha256" (builtins.toJSON secret)}

-      ${config.systemd.services.zerotierone.preStart}
+  #       ${config.systemd.services.zerotierone.preStart}

-      rm -rf /var/lib/zerotier-one/networks.d/*.conf
-      for network in `grep -v '#' ${secret.path}`; do
-        touch /var/lib/zerotier-one/networks.d/''${network}.conf
-      done
-    '';
-  };
+  #       rm -rf /var/lib/zerotier-one/networks.d/*.conf
+  #       for network in `grep -v '#' ${secret.path}`; do
+  #         touch /var/lib/zerotier-one/networks.d/''${network}.conf
+  #       done
+  #     '';
+  # };

  sops.secrets.zerotieroneNetworks = {
    sopsFile = ../../../../secrets/zerotierone.txt;