From be973e1d11d7ccbfa38082f2fb36f0656787d210 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sun, 12 Apr 2026 15:26:03 +0200
Subject: [PATCH 1/3] flake: update
---
flake.lock | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/flake.lock b/flake.lock
index 490b4af..2040331 100644
--- a/flake.lock
+++ b/flake.lock
@@ -41,11 +41,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1772408722,
- "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+ "lastModified": 1775087534,
+ "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+ "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
 "type": "github"
 },
 "original": {
@@ -114,11 +114,11 @@
 ]
 },
 "locked": {
- "lastModified": 1774104215,
- "narHash": "sha256-EAtviqz0sEAxdHS4crqu7JGR5oI3BwaqG0mw7CmXkO8=",
+ "lastModified": 1775585728,
+ "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "f799ae951fde0627157f40aec28dec27b22076d0",
+ "rev": "580633fa3fe5fc0379905986543fd7495481913d",
 "type": "github"
 },
 "original": {
@@ -237,11 +237,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1774388614,
- "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
+ "lastModified": 1775811116,
+ "narHash": "sha256-t+HZK42pB6N+i5RGbuy7Xluez/VvWbembBdvzsc23Ss=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
+ "rev": "54170c54449ea4d6725efd30d719c5e505f1c10e",
 "type": "github"
 },
 "original": {
@@ -252,11 +252,11 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1772328832,
- "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
+ "lastModified": 1774748309,
+ "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
+ "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
 "type": "github"
 },
 "original": {
@@ -297,11 +297,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1774386573,
- "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+ "lastModified": 1775710090,
+ "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+ "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
 "type": "github"
 },
 "original": {
@@ -354,11 +354,11 @@
 ]
 },
 "locked": {
- "lastModified": 1774303811,
- "narHash": "sha256-fhG4JAcLgjKwt+XHbjs8brpWnyKUfU4LikLm3s0Q/ic=",
+ "lastModified": 1775971308,
+ "narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "614e256310e0a4f8a9ccae3fa80c11844fba7042",
+ "rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
 "type": "github"
 },
 "original": {
From 2a44b8e85210031ca84bec2503b0f87bf121bf6f Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Fri, 3 Apr 2026 15:14:05 +0200
Subject: [PATCH 2/3] machine/playman: init
---
README.md | 3 +-
flake.lock | 11 ++--
flake.nix | 3 +-
machines/.sops.yaml | 6 ++
machines/configurations.nix | 7 ++
machines/playman/boot.nix | 17 +++++
machines/playman/configuration.nix | 29 +++++++++
machines/playman/disko-config.nix | 72 +++++++++++++++++++++
machines/playman/hardware-configuration.nix | 29 +++++++++
machines/playman/network.nix | 6 ++
machines/playman/nixinate.nix | 8 +++
machines/playman/profiles.nix | 11 ++++
machines/playman/secrets.yaml | 30 +++++++++
machines/playman/services.nix | 34 ++++++++++
machines/playman/system.nix | 7 ++
15 files changed, 265 insertions(+), 8 deletions(-)
create mode 100644 machines/playman/boot.nix
create mode 100644 machines/playman/configuration.nix
create mode 100644 machines/playman/disko-config.nix
create mode 100644 machines/playman/hardware-configuration.nix
create mode 100644 machines/playman/network.nix
create mode 100644 machines/playman/nixinate.nix
create mode 100644 machines/playman/profiles.nix
create mode 100644 machines/playman/secrets.yaml
create mode 100644 machines/playman/services.nix
create mode 100644 machines/playman/system.nix
diff --git a/README.md b/README.md
index 4e6f487..4314095 100644
--- a/README.md
+++ b/README.md
@@ -121,11 +121,10 @@ used flakes:
 ```bash
 nix run github:nix-community/nixos-anywhere -- \
- --disko-mode disko \
 --disk-encryption-keys /tmp/disk.key /tmp/disk.key \
 --extra-files "$temp" \
 --flake .# \
- root@
+ --target-host root@
 ```
 ## Inspired by
diff --git a/flake.lock b/flake.lock
index 2040331..7a52254 100644
--- a/flake.lock
+++ b/flake.lock
@@ -222,15 +222,16 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1774567711,
- "narHash": "sha256-uVlOHBvt6Vc/iYNJXLPa4c3cLXwMllOCVfAaLAcphIo=",
- "owner": "NixOS",
+ "lastModified": 1775232991,
+ "narHash": "sha256-QkmL6kwmQXBN24FVOZSfFkNpUgu8jHfdYPoA2H8sA7k=",
+ "owner": "Stunkymonkey",
 "repo": "nixos-hardware",
- "rev": "3f6f874dfc34d386d10e434c48ad966c4832243e",
+ "rev": "d6ee262f8d4db0815b08c76714becc09af11f962",
 "type": "github"
 },
 "original": {
- "owner": "NixOS",
+ "owner": "Stunkymonkey",
+ "ref": "dell-precision-5820",
 "repo": "nixos-hardware",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 82a6947..94b3cea 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,8 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nixos-hardware.url = "github:NixOS/nixos-hardware";
+ # nixos-hardware.url = "github:NixOS/nixos-hardware";
+ nixos-hardware.url = "github:Stunkymonkey/nixos-hardware/dell-precision-5820";
 nixinate = {
 url = "github:matthewcroughan/nixinate";
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index ca27a02..3934bfb 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -5,6 +5,7 @@ keys:
 - &workman age1f2e644jteyeppfaatajtvjmsupl0e7nzx97ded6m0cgzw04l84ks5xl9l2
 - &thinkman age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
 - &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
+ - &playman age15d6y9s30t6ggdec4aqycxr4lht98rz77w5rvpnplf3fnqcgyau2qgcwh3g
 - &newton age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
 creation_rules:
 - path_regex: workman/secrets.yaml$
@@ -27,3 +28,8 @@ creation_rules:
 - age:
 - *admin_felix
 - *serverle
+ - path_regex: playman/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin_felix
+ - *playman
diff --git a/machines/configurations.nix b/machines/configurations.nix
index 2c41f81..4523824 100644
--- a/machines/configurations.nix
+++ b/machines/configurations.nix
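Review bot: The nixos-hardware input in flake.nix now tracks a branch of a personal fork (`github:Stunkymonkey/nixos-hardware/dell-precision-5820`) while the upstream line survives only as the commented-out `# nixos-hardware.url = "github:NixOS/nixos-hardware";`. flake.lock pins the exact rev and narHash, so the build stays reproducible, but a branch ref is mutable and every future flake update will pull whatever that branch contains at the time, from a source that has not gone through upstream review. Replace the dead line with a tracked follow-up that says when to switch back, e.g. `# TODO: revert to github:NixOS/nixos-hardware once the dell-precision-5820 module is merged upstream`, so the fork does not silently become permanent. The same rationale belongs in the commit message, which currently only says "machine/playman: init".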
@@ -82,5 +82,12 @@ in
 ./serverle/configuration.nix
 ];
 };
+ playman = nixosSystem {
+ system = "x86_64-linux";
+ modules = defaultModules ++ [
+ nixos-hardware.nixosModules.dell-precision-5820
+ ./playman/configuration.nix
+ ];
+ };
 };
 }
diff --git a/machines/playman/boot.nix b/machines/playman/boot.nix
new file mode 100644
index 0000000..53beb65
--- /dev/null
+++ b/machines/playman/boot.nix
@@ -0,0 +1,17 @@
+_: {
+ boot = {
+ loader = {
+ timeout = 0;
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 10;
+ editor = true;
+ };
+ efi.canTouchEfiVariables = true;
+ };
+ initrd = {
+ systemd.enable = true; # for a nice password prompt
+ verbose = false;
+ };
+ };
+}
diff --git a/machines/playman/configuration.nix b/machines/playman/configuration.nix
new file mode 100644
index 0000000..4b23a63
--- /dev/null
+++ b/machines/playman/configuration.nix
@@ -0,0 +1,29 @@
+{ ... }:
+{
+ imports = [
+ ./boot.nix
+ ./disko-config.nix
+ ./hardware-configuration.nix
+ ./network.nix
+ ./nixinate.nix
+ ./profiles.nix
+ ./services.nix
+ ./system.nix
+ ];
+ networking.hostName = "playman";
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ gnupg.sshKeyPaths = [ ];
+ };
+ # needed for cross-compilation
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+ system = {
+ stateVersion = "25.11";
+ autoUpgrade.enable = true;
+ };
+}
diff --git a/machines/playman/disko-config.nix b/machines/playman/disko-config.nix
new file mode 100644
index 0000000..3718ec7
--- /dev/null
+++ b/machines/playman/disko-config.nix
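Review bot: `editor = true;` in machines/playman/boot.nix keeps the systemd-boot kernel command-line editor enabled, so anyone with physical console access can alter kernel parameters before the initrd runs; the NixOS option documentation recommends `false` for exactly that reason. Root, home and swap are on LUKS per disko-config.nix, so data at rest is not exposed without the passphrase, but the unencrypted ESP and initrd are, and `timeout = 0` does not close the editor because the menu is generally still reachable by holding a key during boot. If keeping it on is a deliberate recovery-convenience choice for a desktop, record that in a comment, e.g. `editor = true; # intentionally on: physical-access recovery on this desktop`; otherwise `editor = false;` is the safer setting.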
@@ -0,0 +1,72 @@
+{
+ disko.devices = {
+ disk = {
+ vdb = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-eui.ace42e817028d9c6";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "encrypted";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/disk.key";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ home = {
+ size = "500G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/home";
+ };
+ };
+ swap = {
+ size = "32GB";
+ content = {
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/playman/hardware-configuration.nix b/machines/playman/hardware-configuration.nix
new file mode 100644
index 0000000..4f63519
--- /dev/null
+++ b/machines/playman/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{
+ pkgs,
+ ...
+}:
+let
+ cpuFlavor = "intel";
+in
+{
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ my.hardware = {
+ bluetooth.enable = true;
+ debug.enable = true;
+ drive-monitor = {
+ enable = true;
+ OnFailureMail = "server@buehler.rocks";
+ };
+ firmware = {
+ enable = true;
+ inherit cpuFlavor;
+ };
+ graphics = {
+ enable = true;
+ inherit cpuFlavor;
+ };
+ keychron.enable = true;
+ yubikey.enable = true;
+ };
+}
diff --git a/machines/playman/network.nix b/machines/playman/network.nix
new file mode 100644
index 0000000..abb0e3f
--- /dev/null
+++ b/machines/playman/network.nix
@@ -0,0 +1,6 @@
+_: {
+ networking = {
+ domain = "buehler.rocks";
+ search = [ "buehler.rocks" ];
+ };
+}
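Review bot: `settings.allowDiscards = true;` on the LUKS container passes TRIM through the encryption layer, which lets anyone reading the raw NVMe see which blocks are unused and so infer filesystem layout; it is a common SSD-health trade-off but should be stated at the line, e.g. `settings.allowDiscards = true; # TRIM through LUKS: leaks free-space layout, accepted for SSD health`. Two smaller points in the same hunk: the 1M `EF02` partition commented `# for grub MBR` is unused now that boot.nix installs systemd-boot onto the `ESP`, and the swap LV says `size = "32GB"` while root and home use `"100G"`/`"500G"` — I believe LVM accepts both suffixes, but one form keeps the file consistent. The disk entry is keyed `vdb` although `device` is an NVMe by-id path; a descriptive key such as `nvme0` would read better.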
diff --git a/machines/playman/nixinate.nix b/machines/playman/nixinate.nix
new file mode 100644
index 0000000..1a571be
--- /dev/null
+++ b/machines/playman/nixinate.nix
@@ -0,0 +1,8 @@
+_: {
+ _module.args.nixinate = {
+ host = "playman.local";
+ sshUser = "felix";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ };
+}
diff --git a/machines/playman/profiles.nix b/machines/playman/profiles.nix
new file mode 100644
index 0000000..9b7d573
--- /dev/null
+++ b/machines/playman/profiles.nix
@@ -0,0 +1,11 @@
+# enabled profiles
+_: {
+ my.profiles = {
+ clean.enable = true;
+ development.enable = true;
+ gaming.enable = true;
+ nix.enable = true;
+ sync.enable = true;
+ update.enable = true;
+ };
+}
diff --git a/machines/playman/secrets.yaml b/machines/playman/secrets.yaml
new file mode 100644
index 0000000..b80b53e
--- /dev/null
+++ b/machines/playman/secrets.yaml
@@ -0,0 +1,30 @@
+users:
+ felix:
+ password: ENC[AES256_GCM,data:MHiZkTDna6nz6JhCst0uQA7MKDLtXzIqZuJEYHPgC6dRmGckYBUR0mXqh+5lLlCOeqtGbyBFKQ7tv7hpgIOX2lVyX4V99IICzw==,iv:p9ZtVpL2u64iEQuo3TF+5kFaWLd0wHT16lT4Wx8QLyo=,tag:o9g2wKQfNQyv3078tL58Nw==,type:str]
+borgbackup:
+ password: ENC[AES256_GCM,data:bWZUeX09dxLjiHVsymKi3zArtxW4aEkVU/eLa3RbdvI=,iv:sRxy7Y0EggxXf6tGQZJdVfggcBbQD+1w2hvJgQCyr3Y=,tag:Up/opwQwl8+t1Yt26012GQ==,type:str]
+ ssh_key: ENC[AES256_GCM,data:k5gDazMB8sVwJANws8nORGvM8baxwx+kniFIlc50WaJplerbsk1ZspxRes5vnMeEM0UBawtBkHUXpcXVo5KXU/hXd1sDHQe3CFBhKjSFwls3b9LSmt81mBYjrlPeHMah5/PHOz5RDj5skpZ7rd5AzVOfu+aB4qUogl/gAP9aEMdtuIBx/uKXba3ER5590vLpd1Q4sxAuiWnkXi02rgW6Pzyx9RqcUU9KWLQuhfnyeEZ+PPjR4NHPJBr4TkUJ3DR2UziCtlOH1H0kKeDIj/pWqXKx8C5p7RRRkPxZ/qLmDqMtt3Cjs7MlDFUijvfnDSieKoa3JIZw9Kb9AlomkgfqrCOUEaNCBZEq/ovAj7SXm13t50SFGZfTRVul3AcToRxauzhrKXvoUbvKu0Qd4zSOPIXU4tnxodCrWraEbAXKJ+uqKH6N2RA8vxnT06Yqv9SY75hDbPIDvK/44+YWrQU5hNWYKZ+Afnadps2+huqNLbiih+/0AzTAAhtqUYsuQS+1ybTT5fsoakMssRf+wyi8,iv:vGaEIaeQGGOgLMu9oZwr/+N1/IzPPuOElMXczEZkwSw=,tag:VKzmy3Zy1C+VUgqAkscGfg==,type:str]
+sops:
+ age:
+ - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFblpKaTJIVTlVMHRjemZX
+ VWhmbU1vTzlxRDNQM1N3Y2tHb3ZZdUwvSFdFCnc4cTkyaWtxTEhEbUpXd0d3bnFJ
+ QkdaRHRvK2ZqazZGdGFoZFJwTUVCOUkKLS0tIGc4SUtZeGg3QXhwcW9NVk4zMVVo
+ andwd2Eydk5oRzBRTlNwdzFVQ1QwYmsK7Rn/P4JCjajb0seyzFRcnIxsz2WgkbYf
+ wF7wsXoBZrwGPu2otrn2G/4IYrXYn5Gf2K/sjKVo/PtsnHLRWEWgBw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15d6y9s30t6ggdec4aqycxr4lht98rz77w5rvpnplf3fnqcgyau2qgcwh3g
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4KzgwZzIrbVFFWE1OWWsr
+ ZElTQjhLOWgzZGRXcnV0dnpYejFhVWRXREhRCkxjU2NNQmdLQzY2Wm4yZjlSWWRu
+ OEpmcXcvblh1N0Exck1mMmRLZmd6VHcKLS0tIE5hUGV1eTRYUk51RXY3R2Q0ckVn
+ aHlUbExuSDlQZWN6TlEzdjAyNTBiaUUKM2w9fi0MJa4ujpkcrtyQqmjOYaTsbdBJ
+ wBDbuJ1EazT47T4g9ycilbFS6LvugfJxfrzN0mW3XEuiWkrsYIIsPw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-03T15:10:27Z"
+ mac: ENC[AES256_GCM,data:p3Ke6ZCuuBYOzrcLGtnC4Kk8Y8S+EM8WlyT0hNFyoA/Ds6aI+FtOuNKfZN4Znh2KbLZBOaz6UJ+jDaMrfaRPJY13HlklysuSGari9Y7YdxdkcMvfl/nlGfhE7A0Wgm/m7LF2N33BAd2NrPKpPF2Omu8moIMcQ+xy5GKzVb/hiHU=,iv:3Tq29JZkVmh0/L01+mlmW/5N1bXOecElsMwg+m9Kpq0=,tag:S0m79vu0ywsaj/t+mtLfQw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/machines/playman/services.nix b/machines/playman/services.nix
new file mode 100644
index 0000000..be7974d
--- /dev/null
+++ b/machines/playman/services.nix
@@ -0,0 +1,34 @@
+# Deployed services
+{ config, ... }:
+let
+ inherit (config.sops) secrets;
+in
+{
+ sops.secrets = {
+ "borgbackup/password" = { };
+ "borgbackup/ssh_key" = { };
+ };
+ # List services that you want to enable:
+ my.services = {
+ backup = {
+ enable = true;
+ OnFailureMail = "server@buehler.rocks";
+ passwordFile = secrets."borgbackup/password".path;
+ sshKeyFile = secrets."borgbackup/ssh_key".path;
+ paths = [ "/" ];
+ };
+ # remote build
+ remote-build.enable = true;
+ ssh-server = {
+ enable = true;
+ };
+ initrd-ssh = {
+ enable = true;
+ };
+ vpn = {
+ enable = true;
+ };
+ };
+}
diff --git a/machines/playman/system.nix b/machines/playman/system.nix
new file mode 100644
index 0000000..25b65db
--- /dev/null
+++ b/machines/playman/system.nix
@@ -0,0 +1,7 @@
+# enabled system services
+_: {
+ my.system = {
+ avahi.enable = true;
+ podman.enable = true;
+ };
+}
From 7909067dc7b1137542eb3a85aa31a5ee87ae2a37 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Fri, 3 Apr 2026 17:02:38 +0200
Subject: [PATCH 3/3] harware/graphics: add nvidia and rename to gpu
---
machines/playman/hardware-configuration.nix | 7 ++-----
machines/thinkman/hardware-configuration.nix | 10 +++------
machines/workman/hardware-configuration.nix | 7 ++-----
modules/hardware/graphics/default.nix | 9 ++++++---
4 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/machines/playman/hardware-configuration.nix b/machines/playman/hardware-configuration.nix
index 4f63519..39d5775 100644
--- a/machines/playman/hardware-configuration.nix
+++ b/machines/playman/hardware-configuration.nix
@@ -2,9 +2,6 @@
 pkgs,
 ...
 }:
-let
- cpuFlavor = "intel";
-in
 {
 boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -17,11 +14,11 @@ in
 };
 firmware = {
 enable = true;
- inherit cpuFlavor;
+ cpuFlavor = "intel";
 };
 graphics = {
 enable = true;
- inherit cpuFlavor;
+ gpuFlavor = "nvidia";
 };
 keychron.enable = true;
 yubikey.enable = true;
diff --git a/machines/thinkman/hardware-configuration.nix b/machines/thinkman/hardware-configuration.nix
index af5463d..0727182 100644
--- a/machines/thinkman/hardware-configuration.nix
+++ b/machines/thinkman/hardware-configuration.nix
@@ -1,8 +1,4 @@
-_:
-let
- cpuFlavor = "intel";
-in
-{
+_: {
 # video driver
 boot.initrd.kernelModules = [ "i915" ];
@@ -20,11 +16,11 @@ in
 drive-monitor.enable = true;
 firmware = {
 enable = true;
- inherit cpuFlavor;
+ cpuFlavor = "intel";
 };
 graphics = {
 enable = true;
- inherit cpuFlavor;
+ gpuFlavor = "intel";
 };
 id-card.enable = true;
 keychron.enable = true;
diff --git a/machines/workman/hardware-configuration.nix b/machines/workman/hardware-configuration.nix
index b15c33b..6cd67f1 100644
--- a/machines/workman/hardware-configuration.nix
+++ b/machines/workman/hardware-configuration.nix
@@ -2,9 +2,6 @@
 pkgs,
 ...
 }:
-let
- cpuFlavor = "amd";
-in
 {
 boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -30,11 +27,11 @@ in
 drive-monitor.enable = true;
 firmware = {
 enable = true;
- inherit cpuFlavor;
+ cpuFlavor = "amd";
 };
 graphics = {
 enable = true;
- inherit cpuFlavor;
+ gpuFlavor = "amd";
 };
 id-card.enable = true;
 keychron.enable = true;
diff --git a/modules/hardware/graphics/default.nix b/modules/hardware/graphics/default.nix
index 4f9befe..4608559 100644
--- a/modules/hardware/graphics/default.nix
+++ b/modules/hardware/graphics/default.nix
@@ -10,11 +10,12 @@ in
 {
 options.my.hardware.graphics = {
 enable = lib.mkEnableOption "graphics configuration";
- cpuFlavor = lib.mkOption {
+ gpuFlavor = lib.mkOption {
 type = lib.types.nullOr (
 lib.types.enum [
 "amd"
 "intel"
+ "nvidia"
 ]
 );
 default = null;
@@ -29,7 +30,7 @@ in
 hardware.graphics.enable = true;
 }
 # Intel GPU
- (lib.mkIf (cfg.cpuFlavor == "intel") {
+ (lib.mkIf (cfg.gpuFlavor == "intel") {
 nixpkgs.config.packageOverrides = pkgs: {
 intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
 };
@@ -41,7 +42,9 @@ in
 ];
 })
- (lib.mkIf (cfg.cpuFlavor == "amd") {
+ (lib.mkIf (cfg.gpuFlavor == "amd") {
+ })
+ (lib.mkIf (cfg.gpuFlavor == "nvidia") {
 })
 ]
 );
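Review bot: The new `(lib.mkIf (cfg.gpuFlavor == "nvidia") { })` branch in modules/hardware/graphics/default.nix is empty, so `gpuFlavor = "nvidia"` on playman selects the enum value but configures nothing — no driver or `hardware.nvidia` settings are applied, which the commit title "add nvidia" suggests was intended. If this is a placeholder, mark it so the no-op is visible, e.g. `# TODO: nvidia driver setup (services.xserver.videoDrivers, hardware.nvidia)`; otherwise fill it in before playman depends on it. Renaming `cpuFlavor` to `gpuFlavor` without a `lib.mkRenamedOptionModule` means any configuration still setting `my.hardware.graphics.cpuFlavor` fails evaluation; the three in-tree machines are updated in this commit, so that is fine only if there are no out-of-tree users. The `amd` branch is likewise empty, but that predates this change.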