machine/workman: init

Felix Buehler 2025-05-04 20:20:28 +02:00
parent c48b59fe72
commit 8c029fad44
14 changed files with 336 additions and 1 deletions

21
flake.lock generated

@ -90,6 +90,26 @@
"type": "github"
}
},
"framework-plymouth": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1744254441,
"narHash": "sha256-zpbqouGFxu0fdECX54jHPyjYEX+04kZRWZFZ4IKL58c=",
"owner": "j-pap",
"repo": "framework-plymouth",
"rev": "6aa8efd36bd79660ced9b8a82495afdb0c8c1166",
"type": "github"
},
"original": {
"owner": "j-pap",
"repo": "framework-plymouth",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat",
@ -314,6 +334,7 @@
"inputs": {
"disko": "disko",
"flake-parts": "flake-parts",
"framework-plymouth": "framework-plymouth",
"git-hooks": "git-hooks",
"nixinate": "nixinate",
"nixos-generators": "nixos-generators",


@ -34,6 +34,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
framework-plymouth = {
url = "github:j-pap/framework-plymouth";
inputs.nixpkgs.follows = "nixpkgs";
};
# own flakes
stunkymonkey = {
url = "github:Stunkymonkey/stunkymonkey.de";
@ -76,7 +81,9 @@
}:
{
# make pkgs available to all `perSystem` functions
_module.args.pkgs = import inputs.nixpkgs { inherit system; };
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
};
# enable pre-commit checks
pre-commit.settings = {


@ -2,10 +2,16 @@
keys:
- &admin_felix age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
- &workman age1f2e644jteyeppfaatajtvjmsupl0e7nzx97ded6m0cgzw04l84ks5xl9l2
- &thinkman age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
- &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
- &newton age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
creation_rules:
- path_regex: workman/secrets.yaml$
key_groups:
- age:
- *admin_felix
- *workman
- path_regex: thinkman/secrets.yaml$
key_groups:
- age:


@ -58,6 +58,13 @@ in
./thinkman/configuration.nix
];
};
workman = nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [
nixos-hardware.nixosModules.framework-amd-ai-300-series
./workman/configuration.nix
];
};
newton = nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [ ./newton/configuration.nix ];

24
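--- /dev/null
+++ b/machines/workman/boot.nix
@@ -0,0 +1,24 @@
+{
+config,
+inputs,
+...
+}:
+{
+boot = {
+loader = {
+timeout = 1;
+systemd-boot = {
+enable = true;
+configurationLimit = 10;
+consoleMode = "keep";
+editor = true;
+};
+efi.canTouchEfiVariables = true;
+};
+plymouth = {
+enable = true;
+theme = "framework";
+themePackages = [ inputs.framework-plymouth.packages.${config.nixpkgs.system}.default ];
+};
+};
+}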
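Review bot: `editor = true;` keeps the systemd-boot entry editor on, so anyone with console access at power-on can change the kernel command line of an entry before the LUKS passphrase from disko-config.nix is ever asked for; the encrypted root limits what that reaches, but the ESP itself is unencrypted, and on a laptop the usual choice is `editor = false;` (or a comment stating why the editor is wanted). The `themePackages` line pulls the splash theme from the third-party `framework-plymouth` flake; it is pinned by rev and narHash in flake.lock, which is the right way to consume it, but a comment such as `# splash theme from an external flake (j-pap/framework-plymouth), pinned in flake.lock` would make the boot-chain dependency visible to the next reader.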


@ -0,0 +1,29 @@
{ ... }:
{
imports = [
./boot.nix
./disko-config.nix
./hardware-configuration.nix
./network.nix
./profiles.nix
./remote-build.nix
./services.nix
./system.nix
];
networking.hostName = "workman";
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
gnupg.sshKeyPaths = [ ];
};
# needed for cross-compilation
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
system = {
stateVersion = "24.11";
autoUpgrade.enable = true;
};
}


@ -0,0 +1,72 @@
{
disko.devices = {
disk = {
vdb = {
type = "disk";
device = "/dev/disk/by-id/nvme-eui.e8238fa6bf530001001b444a456de595";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "encrypted";
settings.allowDiscards = true;
passwordFile = "/tmp/disk.key";
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
root = {
size = "100G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
home = {
size = "500G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/home";
};
};
swap = {
size = "64G";
content = {
type = "swap";
resumeDevice = true;
};
};
};
};
};
};
}
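Review bot: `passwordFile = "/tmp/disk.key";` reads as if a plaintext key lives in /tmp on the running system, while in the disko model it is only consumed while the disk is formatted; the line deserves `# install-time only: disko reads the LUKS passphrase from this file while formatting; not used by the booted system` so nobody later "fixes" it or leaves such a file lying around. `settings.allowDiscards = true;` passes TRIM through the LUKS layer, which reveals which blocks are unused on the flash; that is a common trade-off for SSD health, but it should be stated as one, e.g. `# TRIM through LUKS: leaks free-space layout, accepted for SSD wear`. The `boot` partition comment `# for grub MBR` is stale against boot.nix, which enables systemd-boot with EFI; either drop the 1M EF02 partition or change the comment to say it is kept for a possible legacy-BIOS fallback.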


@ -0,0 +1,30 @@
{
pkgs,
...
}:
let
cpuFlavor = "amd";
in
{
boot.kernelPackages = pkgs.linuxPackages_latest;
my.hardware = {
bluetooth.enable = true;
debug.enable = true;
drive-monitor.enable = true;
firmware = {
enable = true;
inherit cpuFlavor;
};
graphics = {
enable = true;
inherit cpuFlavor;
};
id-card.enable = true;
keychron.enable = true;
monitor.enable = true;
sound.enable = true;
thunderbolt.enable = true;
yubikey.enable = true;
};
}
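Review bot: `debug.enable = true;` is turned on for a laptop without any note of what `my.hardware.debug` enables; if it relaxes kernel restrictions (the page does not show the module, so this is a question, not a finding), that belongs in a comment next to the line, e.g. `# debug: <what it enables>; revisit before relying on this machine for work`, so the flag is not carried into the next machine by copy-paste. `boot.kernelPackages = pkgs.linuxPackages_latest;` is presumably there for the AMD AI 300 series hardware named in the nixosSystem hunk; a one-line comment saying so would stop someone reverting it to the default LTS kernel.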


@ -0,0 +1,20 @@
# network settings
_: {
# hotfixes for dns settings
networking.extraHosts =
let
serverle_ip = "192.168.178.60";
in
''
${serverle_ip} stunkymonkey.de
${serverle_ip} automation.stunkymonkey.de
${serverle_ip} download.stunkymonkey.de
${serverle_ip} esphome.stunkymonkey.de
${serverle_ip} indexer.stunkymonkey.de
${serverle_ip} media.stunkymonkey.de
${serverle_ip} movies.stunkymonkey.de
${serverle_ip} series.stunkymonkey.de
${serverle_ip} subtitles.stunkymonkey.de
${serverle_ip} view.stunkymonkey.de
'';
}
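Review bot: `networking.extraHosts` hard-codes ten `stunkymonkey.de` names to the private address `192.168.178.60`, and on a laptop that mapping travels with the machine: away from the home LAN those names resolve to an address that is either unreachable or belongs to whatever host uses that address on the visiting network, leaving TLS certificate checking as the only guard for the clients that use these names. The comment `# hotfixes for dns settings` does not say what is being worked around; something like `# home-LAN shortcut: reach serverle directly instead of via the public address — only valid on the home network` records the reason and lets the entries be retired when the resolver-side fix lands. If the override is only needed at home, a split-horizon rule on the LAN resolver or a VPN route would scope it to that network.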


@ -0,0 +1,24 @@
# enabled profiles
_: {
my.profiles = {
"3d-design".enable = true;
android.enable = true;
clean.enable = true;
desktop-apps.enable = true;
desktop-dev.enable = true;
development.enable = true;
filesystem.enable = true;
gaming.enable = true;
latex.enable = true;
media.enable = true;
meeting.enable = true;
nautilus.enable = true;
powersave.enable = true;
printing.enable = true;
sway.enable = true;
sync.enable = true;
update.enable = true;
usb-iso.enable = true;
webcam.enable = true;
};
}


@ -0,0 +1,24 @@
# enabled remote-build service
{ config, ... }:
let
inherit (config.sops) secrets;
in
{
sops.secrets."nixremote/ssh_key" = { };
nix.buildMachines = [
{
hostName = "buehler.rocks";
system = "x86_64-linux";
supportedFeatures = [
"benchmark"
"kvm"
"big-parallel"
];
sshUser = "nixremote";
sshKey = secrets."nixremote/ssh_key".path;
maxJobs = 4;
}
];
nix.distributedBuilds = true;
}
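Review bot: the builder entry for `buehler.rocks` sets no `publicHostKey`, so the SSH session the nix daemon opens as root depends on whatever root's known_hosts holds at first use, while `nix.distributedBuilds = true;` means store paths produced on that machine are copied back into the local store on the strength of that session; pinning the builder with `publicHostKey = "<base64 of the builder's ssh_host_ed25519_key.pub line>";` next to `sshKey` authenticates the machine that is allowed to feed this store. The `"kvm"` and `"big-parallel"` features decide which derivations are shipped there, so a one-line comment stating that this is a personally controlled build host would document the trust decision for the next reader.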


@ -0,0 +1,37 @@
users:
felix:
password: ENC[AES256_GCM,data:3r1f8iUSgT3mDflSkvl3cyfciBZI5rDa9jMZcfW/mniNt9PJTNaaNbBC/cIxgbwcD991Y/Y0NKB0vxOmKMCIcclvGRUwLdKwFQ==,iv:Chya0lUhNtYcOp3GyNl+I1VyNV3KvSOZxeWUgz3SBnA=,tag:OhdIXdwbQAV0eZZS/kpW1Q==,type:str]
borgbackup:
password: ENC[AES256_GCM,data:BodZSJGi/pYZYIG5NYEeNrTVdYdzlgA2lZCNcIL+kT4=,iv:Vmbzq8MxyboeLmM3MyTGVr6+S/JrwbFDaP8PWh+s8aY=,tag:atj9ap7X6drdGMnnCbEZPg==,type:str]
ssh_key: ENC[AES256_GCM,data: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,iv:jDAB5ExuplfUtJqgub4oV/wbytpnjK3MjJko/rsJ0fM=,tag:s2aODtXR9Qu29tKjZvfyKA==,type:str]
nixremote:
ssh_key: ENC[AES256_GCM,data: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,iv:SXIDRjHBQBcstSz1Pgv5jI8+XHbJA/QrqF9EOkIcvqE=,tag:ZakbophvoJmWlVX88hMA7A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuMHpBZmU4ZVo5UitOQ1la
UUNZNEU5OVFqM2hsY2g0YzRkemRvbUdyYVVjCjhFbDR2cUxTYUU2dU1Oekc4VEZ5
K2JEd1JZMkFhUXhFaTVnTytFeFU4TmcKLS0tIG5zTGZ4OG9GN2tNVE5zUG95dXFk
cG01NlA0YlpzcENqWjJMUkQwZXJMcUEKv94rjj5iHY1HAZQiE5yleC4f0WABcXbm
Wf4xYYCCWUmcTKXabIyPWn9eCNYCQgy29YTcTKu4/8BvebrGkRHuHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSUlHb04rMGR5YWFhUUZq
QXVHYnZQUUdQc0FzbTgyalBPZktBdDVvZ2lRClpzcDltOFA0eFlqTGRUNFptcW1C
WGZyamIyNEFTQXQ4R2pmdU9FS3lma0kKLS0tIFphS0ZhbmxDb3A5MnVvaVJGT1Iw
bzY2ZTY1QUtSRjlOZ1E0Vkw5Q1cxYmMKqwvWUv2XpRIenGwCpZuwKQc0ZsiX2AAx
pmIh4f10G7wr1rLeodRi2KxYIrrudPbxEWIuzmBRyHc7+3EPpzLetw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-05T21:53:42Z"
mac: ENC[AES256_GCM,data:700AWjj0wgdSdyXPAKkdttqeThxtz5Ui7K53wRt0VY657fsRJiezqCp/1JVgLfFCKstfbIE1GbTtAetDJ2cRdthpsgMDCG6EQVap7Kt8YCnqDPcPl7ND5yKR6nOjzmd+p2drIp4SHIDSzM9IJvd1XNvpWsgakPs3YgQjFoRElnY=,iv:l/M8pShzBzd/XyHUXE9HWM1a/At9biYJTj2cZ4xbxkQ=,tag:FtELUjvGO6BImmV8D/FmfA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
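Review bot: the two `sops.age.recipient` entries in this file are `age1hf8m9…` (the `&admin_felix` anchor in .sops.yaml) and `age1spt854…`, which is the `&thinkman` anchor, not the `&workman` key `age1f2e644…` that the new `workman/secrets.yaml$` creation rule names. On workman, sops-nix derives its age identity from `/etc/ssh/ssh_host_ed25519_key` (configuration.nix), so unless that host key was copied from thinkman the `nixremote/ssh_key` and `borgbackup/*` secrets consumed by remote-build.nix and services.nix cannot be decrypted at activation, and as it stands thinkman holds a key to workman's secrets that it does not need. Re-keying the file against the creation rule with `sops updatekeys <path to the workman secrets.yaml>` and committing the result should leave the recipients at `admin_felix` and `workman` only. The `lastmodified` stamp of `2025-05-05` also postdates the commit date, which is consistent with the file having been re-encrypted after the fact; worth checking that the committed version is the intended one.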


@ -0,0 +1,21 @@
# Deployed services
{ config, ... }:
let
inherit (config.sops) secrets;
in
{
sops.secrets."borgbackup/password" = { };
sops.secrets."borgbackup/ssh_key" = { };
# List services that you want to enable:
my.services = {
backup = {
enable = true;
OnFailureNotification = true;
passwordFile = secrets."borgbackup/password".path;
sshKeyFile = secrets."borgbackup/ssh_key".path;
paths = [ "/" ];
};
vpn.enable = true;
};
}
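Review bot: `paths = [ "/" ];` hands the entire root to the backup job, and the page does not show what `my.services.backup` excludes; unless the module filters them, that includes `/nix/store`, the mounted `/home` and `/boot` from disko-config.nix, and whatever is under `/run` and `/tmp` at run time, which is both a lot of data and a place where decrypted runtime secrets can live. A comment such as `# whole-system backup; the backup module is expected to exclude /nix, /proc, /sys, /dev, /run, /tmp — verify` or an explicit exclude list (if the module accepts one) would make the backup scope reviewable rather than implicit.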


@ -0,0 +1,13 @@
# enabled system services
_: {
my.system = {
avahi.enable = true;
fonts.enable = true;
kvm = {
enable = true;
cpuFlavor = "amd";
};
podman.enable = true;
spell-check.enable = true;
};
}