setup Rico0 with NixOS

This commit is contained in:
Adithya 2024-01-04 21:51:15 +05:30
parent 5248dac71c
commit cf0d7d1105
Signed by: adtya
GPG key ID: 48FC9915FFD326D0
20 changed files with 466 additions and 4 deletions


@ -122,6 +122,24 @@
}
];
};
Rico0 = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
pkgs = import nixpkgs {
inherit system;
config = nixpkgs-config;
};
specialArgs = inputs // { inherit secrets; };
modules = [
{
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
}
nixos-hardware.nixosModules.raspberry-pi-4
./common
./hosts/rico0
];
};
Rico1 = nixpkgs.lib.nixosSystem rec {
system = "aarch64-linux";
pkgs = import nixpkgs {


@ -0,0 +1,7 @@
{ ... }: {
imports = [ ];
virtualisation.oci-containers = {
backend = "podman";
};
}

30
hosts/rico0/default.nix Normal file

@ -0,0 +1,30 @@
{ ... }: {
imports = [
./hardware
./programs
./services
./containers
./network.nix
./security.nix
];
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
LC_MONETARY = "en_US.UTF-8";
LC_NAME = "en_US.UTF-8";
LC_NUMERIC = "en_US.UTF-8";
LC_PAPER = "en_US.UTF-8";
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
LC_ALL = "en_US.UTF-8";
};
supportedLocales = [ "en_US.UTF-8/UTF-8" ];
};
time.timeZone = "Asia/Kolkata";
system.stateVersion = "23.11";
}


@ -0,0 +1,221 @@
{ lib, ... }: {
imports = [ ./filesystem.nix ./kernel.nix ];
#hardware.raspberry-pi."4".poe-plus-hat.enable = true;
hardware.raspberry-pi."4".apply-overlays-dtmerge.enable = lib.mkDefault true;
hardware.deviceTree.filter = "bcm2711-rpi-4*.dtb";
hardware.deviceTree = {
overlays = [
# Combined equivalent to:
# * https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/rpi-poe-overlay.dts
# * https://github.com/raspberrypi/linux/blob/rpi-6.1.y/arch/arm/boot/dts/overlays/rpi-poe-plus-overlay.dts
{
name = "rpi-poe-plus-overlay";
dtsText = ''
/*
* Overlay for the Raspberry Pi POE HAT.
*/
/dts-v1/;
/plugin/;
/ {
compatible = "brcm,bcm2711";
fragment@0 {
target-path = "/";
__overlay__ {
fan: pwm-fan {
compatible = "pwm-fan";
cooling-levels = <0 1 10 100 255>;
#cooling-cells = <2>;
pwms = <&fwpwm 0 80000>;
};
};
};
fragment@1 {
target = <&cpu_thermal>;
__overlay__ {
polling-delay = <2000>; /* milliseconds */
};
};
fragment@2 {
target = <&thermal_trips>;
__overlay__ {
trip0: trip0 {
temperature = <55000>;
hysteresis = <2000>;
type = "active";
};
trip1: trip1 {
temperature = <58000>;
hysteresis = <2000>;
type = "active";
};
trip2: trip2 {
temperature = <61000>;
hysteresis = <2000>;
type = "active";
};
trip3: trip3 {
temperature = <64000>;
hysteresis = <5000>;
type = "active";
};
};
};
fragment@3 {
target = <&cooling_maps>;
__overlay__ {
map0 {
trip = <&trip0>;
cooling-device = <&fan 0 1>;
};
map1 {
trip = <&trip1>;
cooling-device = <&fan 1 2>;
};
map2 {
trip = <&trip2>;
cooling-device = <&fan 2 3>;
};
map3 {
trip = <&trip3>;
cooling-device = <&fan 3 4>;
};
};
};
fragment@4 {
target-path = "/__overrides__";
params: __overlay__ {
poe_fan_temp0 = <&trip0>,"temperature:0";
poe_fan_temp0_hyst = <&trip0>,"hysteresis:0";
poe_fan_temp1 = <&trip1>,"temperature:0";
poe_fan_temp1_hyst = <&trip1>,"hysteresis:0";
poe_fan_temp2 = <&trip2>,"temperature:0";
poe_fan_temp2_hyst = <&trip2>,"hysteresis:0";
poe_fan_temp3 = <&trip3>,"temperature:0";
poe_fan_temp3_hyst = <&trip3>,"hysteresis:0";
poe_fan_i2c = <&fwpwm>,"status=disabled",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
fragment@5 {
target = <&firmware>;
__overlay__ {
fwpwm: pwm {
compatible = "raspberrypi,firmware-poe-pwm";
#pwm-cells = <2>;
};
};
};
fragment@6 {
target = <&i2c0>;
i2c_bus: __overlay__ {
#address-cells = <1>;
#size-cells = <0>;
poe_mfd: poe@51 {
compatible = "raspberrypi,poe-core";
reg = <0x51>;
status = "disabled";
poe_mfd_pwm: poe_pwm@f0 {
compatible = "raspberrypi,poe-pwm";
reg = <0xf0>;
status = "okay";
#pwm-cells = <2>;
};
};
};
};
fragment@7 {
target = <&i2c0if>;
__dormant__ {
status = "okay";
};
};
fragment@8 {
target = <&i2c0mux>;
__dormant__ {
status = "okay";
};
};
__overrides__ {
poe_fan_temp0 = <&trip0>,"temperature:0";
poe_fan_temp0_hyst = <&trip0>,"hysteresis:0";
poe_fan_temp1 = <&trip1>,"temperature:0";
poe_fan_temp1_hyst = <&trip1>,"hysteresis:0";
poe_fan_temp2 = <&trip2>,"temperature:0";
poe_fan_temp2_hyst = <&trip2>,"hysteresis:0";
poe_fan_temp3 = <&trip3>,"temperature:0";
poe_fan_temp3_hyst = <&trip3>,"hysteresis:0";
i2c = <0>, "+5+6",
<&fwpwm>,"status=disabled",
<&i2c_bus>,"status=okay",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
// SPDX-License-Identifier: (GPL-2.0 OR MIT)
// Overlay for the Raspberry Pi PoE+ HAT.
/ {
compatible = "brcm,bcm2711";
fragment@10 {
target-path = "/";
__overlay__ {
rpi_poe_power_supply: rpi-poe-power-supply {
compatible = "raspberrypi,rpi-poe-power-supply";
firmware = <&firmware>;
status = "okay";
};
};
};
fragment@11 {
target = <&poe_mfd>;
__overlay__ {
rpi-poe-power-supply@f2 {
compatible = "raspberrypi,rpi-poe-power-supply";
reg = <0xf2>;
status = "okay";
};
};
};
__overrides__ {
i2c = <0>, "+5+6",
<&fwpwm>,"status=disabled",
<&rpi_poe_power_supply>,"status=disabled",
<&i2c_bus>,"status=okay",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
};
&fan {
cooling-levels = <0 32 64 128 255>;
};
&params {
poe_fan_i2c = <&fwpwm>,"status=disabled",
<&rpi_poe_power_supply>,"status=disabled",
<&poe_mfd>,"status=okay",
<&fan>,"pwms:0=",<&poe_mfd_pwm>;
};
'';
}
];
};
}
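Review bot: The commented-out `#hardware.raspberry-pi."4".poe-plus-hat.enable = true;` on the third line leaves no record of why the nixos-hardware option is bypassed in favour of a hand-merged overlay, so the next reader will likely re-try it; a one-line comment in the form `# poe-plus-hat option replaced by the merged rpi-poe + rpi-poe-plus overlay below because <reason>` would prevent that. The `dtsText` also carries the same `__overrides__` parameter list twice (inside `fragment@4` and again as a root-level `__overrides__`), which is hard to audit by eye; recording the upstream tree and revision the two source overlays were copied from (the two URLs name a branch, not a commit) would make a later diff against upstream possible. Whether the duplicate override block is harmless after `dtmerge` cannot be confirmed from this file alone.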


@ -0,0 +1,11 @@
_: {
fileSystems."/" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/ESP";
fsType = "vfat";
};
}
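Review bot: The `/boot` entry mounts the ESP with vfat defaults, which leaves every file on it readable by all local users; the kernel and initrd normally are, but should `boot.initrd.secrets` or any other mechanism ever place secret material on this partition it becomes world-readable. Adding `options = [ "fmask=0077" "dmask=0077" ];` to the `/boot` entry closes that without affecting boot. Note also that `/dev/disk/by-partlabel/ESP` and `NIXOS_ROOT` match any attached disk carrying those labels, so a stray USB device with the same partition names could be picked up; `by-uuid` or `by-partuuid` is the safer selector if that is a concern for this host.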


@ -0,0 +1,5 @@
{ lib
, ...
}: {
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

32
hosts/rico0/network.nix Normal file

@ -0,0 +1,32 @@
{ lib, ... }: {
imports = [ ./wireguard.nix ];
networking = {
hostName = "Rico0";
networkmanager = {
enable = true;
dns = "systemd-resolved";
wifi = {
backend = "iwd";
powersave = false;
};
};
useDHCP = lib.mkDefault false;
wireless.iwd = {
enable = true;
settings = {
General = {
AddressRandomization = "network";
EnableNetworkConfiguration = false;
};
Settings = {
AutoConnect = "yes";
};
};
};
};
services.resolved.enable = true;
}


@ -0,0 +1,13 @@
{ pkgs, ... }: {
imports = [
./neovim.nix
./starship.nix
./zsh.nix
];
programs.git.enable = true;
environment.systemPackages = with pkgs; [
git-crypt
];
}


@ -0,0 +1,8 @@
_: {
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
}


@ -0,0 +1,8 @@
_: {
programs.starship = {
enable = true;
settings = {
add_newline = false;
};
};
}


@ -0,0 +1,10 @@
_: {
programs = {
zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
};
};
environment.pathsToLink = [ "/share/zsh" ];
}

15
hosts/rico0/security.nix Normal file

@ -0,0 +1,15 @@
_: {
security = {
apparmor = {
enable = true;
enableCache = true;
};
audit.enable = true;
auditd.enable = true;
sudo = {
wheelNeedsPassword = false;
};
polkit.enable = true;
rtkit.enable = true;
};
}
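Review bot: `wheelNeedsPassword = false;` in the `sudo` block grants every wheel member unauthenticated root, so anyone holding one of those users' SSH keys — and this commit also publishes the host's sshd on a public frp endpoint — is a single `sudo` away from root with no further check. Unless an unattended job genuinely needs it, keep the default with `sudo.wheelNeedsPassword = true;`, or scope a NOPASSWD rule to the specific commands through `security.sudo.extraRules`. `apparmor.enable = true;` by itself presumably only loads whatever profiles installed packages ship; nothing in this file says which services are expected to be confined, so a short comment naming them would make the setting auditable.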


@ -0,0 +1,6 @@
_: {
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";
};
}


@ -0,0 +1,9 @@
{ config
, secrets
, ...
}: {
services.caddy = {
enable = true;
inherit (secrets.caddy_config) email;
};
}
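Review bot: `config` in the argument set on the first line is bound but never used; the sibling files use `_:` or `{ ... }:` for that case, so `{ secrets, ... }:` would match them. With only `email` set, Caddy appears to be enabled with nothing to serve and no firewall entries for 80/443 are visible elsewhere in this commit; if this is a placeholder for later services, a comment like `# ACME contact only; virtualHosts added per service` would say so.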


@ -0,0 +1,9 @@
_: {
imports = [
./btrfs.nix
./caddy.nix
./frpc.nix
./ssh.nix
];
}


@ -0,0 +1,24 @@
{ secrets, ... }:
let
inherit (secrets) frp_config;
in
{
services.frp = {
enable = true;
role = "client";
settings = {
"common" = {
server_addr = frp_config.ip;
server_port = 7000;
authentication_method = "token";
token = frp_config.token;
};
"ssh.rico0" = {
type = "tcp";
local_port = 22;
remote_port = 6000;
};
};
};
}
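Review bot: `token = frp_config.token;` puts the frp authentication secret into `services.frp.settings`, which the NixOS module presumably renders into a config file in the Nix store — world-readable on the host and carried along to any binary cache this machine pushes to; the same concern applies to everything reachable through the `secrets` attrset that the flake threads in via `specialArgs`. frpc can take the value from the environment, `token = "{{ .Envs.FRP_TOKEN }}";`, with the variable supplied from a root-only file through a `systemd.services.frp.serviceConfig.EnvironmentFile` drop-in, so the store copy never contains it. Separately, the `"common"` section with snake_case keys is the legacy INI schema; if the module emits TOML, confirm frpc still parses this as legacy INI rather than silently ignoring `server_addr` and `token`. Exposing `local_port = 22` on a public `remote_port = 6000` is also what makes the sudo and sshd settings in this commit matter.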


@ -0,0 +1,9 @@
_: {
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
}
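Review bot: `PasswordAuthentication = false;` alone does not stop password logins on a PAM-backed sshd, because keyboard-interactive authentication stays enabled and prompts for the same password; add `KbdInteractiveAuthentication = false;` next to it in `settings`. Since this sshd is forwarded to a public frp endpoint in the same commit, pinning `AuthenticationMethods = "publickey";` makes the intent explicit and survives future defaults changes.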

27
hosts/rico0/wireguard.nix Normal file

@ -0,0 +1,27 @@
{ config
, secrets
, ...
}:
let
inherit (secrets.wireguard_config) peers;
in
{
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = {
enable = true;
interfaces = {
wg0 = {
ips = [
"10.8.1.3/24"
"fdd9:69ae:9703::3/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";
generatePrivateKeyFile = true;
peers = with peers; [
Proxy
];
};
};
};
}
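Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` exempts every packet arriving over the tunnel from the firewall, so all listeners on Rico0 (sshd, Caddy, frpc's local endpoints) become reachable to any peer on 10.8.1.0/24, not just the ones meant to be shared; `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 22 ];` (plus whatever Caddy ends up serving) expresses the same need with least privilege. `listenPort = 51821;` is set but no matching `allowedUDPPorts` entry is visible in this commit, so inbound handshakes from `Proxy` will be dropped unless Rico0 always initiates; either open the port or drop `listenPort` if this host is only ever the initiator — which one is intended cannot be told here because the peer definition lives in `secrets`. The `config` argument on the first line is bound but unused.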


@ -12,8 +12,8 @@ in
interfaces = {
wg0 = {
ips = [
"10.8.1.3/24"
"fdd9:69ae:9703::3/64"
"10.8.1.4/24"
"fdd9:69ae:9703::4/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";


@ -12,8 +12,8 @@ in
interfaces = {
wg0 = {
ips = [
"10.8.1.4/24"
"fdd9:69ae:9703::4/64"
"10.8.1.5/24"
"fdd9:69ae:9703::5/64"
];
listenPort = 51821;
privateKeyFile = "/etc/wireguard/private.key";