diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ccc75e0..2feddf9 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -38,3 +38,20 @@ jobs: authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - run: nix --print-build-logs --verbose build --allow-import-from-derivation .#nixosConfigurations.thinkpad.config.system.build.toplevel + + build-hs: + if: ${{ always() }} + needs: check + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - uses: cachix/install-nix-action@v17 + + - uses: cachix/cachix-action@v10 + with: + name: aciceri-fleet + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + + - run: nix --print-build-logs --verbose build --allow-import-from-derivation .#nixosConfigurations.hs.config.system.build.toplevel diff --git a/flake.lock b/flake.lock index 4e6e401..9e2fbf7 100644 --- a/flake.lock +++ b/flake.lock @@ -366,15 +366,15 @@ }, "nixosHardware": { "locked": { - "lastModified": 1664784436, - "narHash": "sha256-A1J0ZPhBfZZiWI6ipjKJ8+RpMllzOMu/An/8Tk3t4oo=", - "owner": "aciceri", + "lastModified": 1665040200, + "narHash": "sha256-glqL6yj3aUm40y92inzRmowGt9aIrUrpBX7eBAMic4I=", + "owner": "NixOS", "repo": "nixos-hardware", - "rev": "27cc372c162529cebfbac91a56e7e22756f37435", + "rev": "47fd70289491c1f0c0d9a1f44fb5a9e2801120c9", "type": "github" }, "original": { - "owner": "aciceri", + "owner": "NixOS", "repo": "nixos-hardware", "type": "github" } diff --git a/flake.nix b/flake.nix index 1b3e3dd..c49e895 100644 --- a/flake.nix +++ b/flake.nix @@ -4,7 +4,7 @@ inputs = { nixpkgsUnstable.url = github:NixOS/nixpkgs/nixos-unstable; nixpkgsStable.url = github:NixOS/nixpkgs/nixos-22.05; - nixosHardware.url = github:aciceri/nixos-hardware; + nixosHardware.url = github:NixOS/nixos-hardware; homeManager = { url = github:nix-community/home-manager; inputs.nixpkgs.follows = "nixpkgsUnstable"; 
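Review bot: The new `build-hs` job passes `secrets.CACHIX_AUTH_TOKEN` to steps referenced by mutable tags (`actions/checkout@v3`, `cachix/install-nix-action@v17`, `cachix/cachix-action@v10`), so a re-pointed tag would run with a token that can presumably push to the `aciceri-fleet` cache. Pinning each `uses:` to a full commit SHA, e.g. `uses: cachix/cachix-action@<commit-sha> # v10`, removes that dependency on tag integrity. Separately, `if: ${{ always() }}` combined with `needs: check` lets the build and the cache upload run even when `check` fails; if that is deliberate, a comment such as `# build regardless of check result` would record the intent. The workflow triggers are outside this hunk, so whether pull requests from forks reach this job cannot be judged from here.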
diff --git a/hmModules/xdg/default.nix b/hmModules/xdg/default.nix
new file mode 100644
index 0000000..1dac606
--- /dev/null
+++ b/hmModules/xdg/default.nix
@@ -0,0 +1,3 @@
+{
+ xdg.enable = true;
+}
diff --git a/hosts/hs/default.nix b/hosts/hs/default.nix
new file mode 100644
index 0000000..4c11ec2
--- /dev/null
+++ b/hosts/hs/default.nix
@@ -0,0 +1,363 @@
+{
+ fleetModules,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports =
+ [
+ ./hardware-configuration.nix
+ ]
+ ++ fleetModules [
+ "common"
+ "ccr"
+ "ssh"
+ ];
+
+ ccr = {
+ enable = true;
+ modules = [
+ "shell"
+ "git"
+ ];
+ packages = [];
+ extraGroups = [
+ "wheel"
+ "fuse"
+ "networkmanager"
+ ];
+ };
+
+ systemd.services.standby-sdb = {
+ description = "Set spindown time (sleep) for /dev/sdb ";
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.hdparm}/bin/hdparm -B 127 -S 241 /dev/sdb";
+ };
+ };
+
+ systemd.services.standby-sdc = {
+ description = "Set spindown time (sleep) for /dev/sdc ";
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.hdparm}/bin/hdparm -B 127 -S 241 /dev/sdc";
+ };
+ };
+
+ systemd.services.amuled.serviceConfig.Restart = pkgs.lib.mkForce "always";
+
+ users.users.amule = {
+ isNormalUser = false;
+ isSystemUser = true;
+ group = "amule";
+ };
+ users.groups."amule" = {};
+
+ services = {
+ samba-wsdd = {
+ enable = true;
+ workgroup = "WORKGROUP";
+ hostname = "nas";
+ discovery = true;
+ };
+
+ samba = {
+ enable = true;
+ securityType = "user";
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server string = nas
+ netbios name = nas
+ security = user
+ map to guest = bad user
+ vfs objects = recycle
+ recycle:repository = .recycle
+ recycle:keeptree = yes
+ recycle:versions = yes
+ '';
+ shares = {
+ archivio = {
+ path = "/mnt/archivio/archivio";
+ comment = "archivio";
+ "force user" = "ccr";
+ browseable = "yes";
+ writeable = "yes";
+ "guest ok" = "yes";
+ "read only" = "no";
+ };
+ film = {
+ path = "/mnt/film/film";
+ comment = "film";
+ "force user" = "ccr";
+ browseable = "yes";
+ writeable = "yes";
+ "guest ok" = "yes";
+ "read only" = "no";
+ };
+ transmission = {
+ path = "/mnt/archivio/transmission";
+ comment = "transmission";
+ "force user" = "transmission";
+ browseable = "yes";
+ writeable = "yes";
+ "guest ok" = "yes";
+ "read only" = "no";
+ };
+ amule = {
+ path = "/mnt/archivio/amule";
+ comment = "amule";
+ "force user" = "ccr";
+ browseable = "yes";
+ writeable = "yes";
+ "guest ok" = "yes";
+ "read only" = "no";
+ };
+ musica = {
+ path = "/mnt/film/musica";
+ comment = "music";
+ "force user" = "ccr";
+ browseable = "yes";
+ writeable = "no";
+ "guest ok" = "yes";
+ "read only" = "no";
+ };
+ };
+ };
+
+ transmission = {
+ enable = true;
+ # the following json is merged to this attrset, it must have `rpc-username` and `rpc-password`
+ credentialsFile = "/mnt/archivio/transmission/credentials.json";
+ settings = {
+ download-dir = "/mnt/archivio/transmission/";
+ incomplete-dir = "/mnt/archivio/transmission/.incomplete";
+ incomplete-dir-enabled = true;
+
+ rpc-port = 9091;
+ rpc-whitelist-enabled = false;
+ rpc-host-whitelist-enabled = false;
+ rpc-authentication-required = true;
+ };
+ };
+
+ amule = {
+ dataDir = "/mnt/archivio/amule";
+ enable = true;
+ user = "amule";
+ };
+
+ calibre-web = {
+ enable = true;
+ listen = {
+ ip = "0.0.0.0";
+ port = 9092;
+ };
+ options.calibreLibrary = "/mnt/archivio/calibre/";
+ openFirewall = true;
+ };
+
+ syncthing = {
+ enable = true;
+ guiAddress = "0.0.0.0:8384";
+ dataDir = "/mnt/archivio/syncthing";
+ user = "ccr";
+ overrideDevices = false;
+ overrideFolders = false;
+ folders = {
+ "/mnt/archivio/syncthing/camera" = {
+ id = "camera";
+ };
+ "/mnt/archivio/syncthing/orgzly" = {
+ id = "orgzly";
+ };
+ "/mnt/archivio/syncthing/roam" = {
+ id = "roam";
+ };
+ "/mnt/archivio/syncthing/whatsapp" = {
+ id = "whatsapp";
+ };
+ "/mnt/archivio/syncthing/calls" = {
+ id = "calls";
+ };
+ };
+ };
+
+ navidrome = {
+ enable = false;
+ settings = {
+ Address = "0.0.0.0";
+ Port = 9093;
+ MusicFolder = "/mnt/film/musica";
+ DataFolder = "/mnt/film/musica/.navidrome";
+ };
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = 
true;
+ clientMaxBodySize = "10G"; # max file size for uploads
+ commonHttpConfig = ''
+ log_format upstream_time '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"'
+ 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+ '';
+ virtualHosts = {
+ "torrent.ccr.ydns.eu" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9091";
+ };
+ };
+
+ "sync.ccr.ydns.eu" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8384";
+ };
+ };
+
+ "books.ccr.ydns.eu" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9092";
+ };
+ };
+
+ "music.ccr.ydns.eu" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9093";
+ };
+ };
+
+ "gate.ccr.ydns.eu" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://192.168.1.71:80";
+ };
+ };
+ };
+ };
+ };
+
+ systemd.services.ydns = let
+ ydnsUpdater = pkgs.writeScriptBin "ydnsUpdater" ''
+ USER="andrea.ciceri@autistici.org"
+ PASSWORD=$(cat /home/ccr/.ydns-password)
+ DOMAIN="ccr.ydns.eu"
+ for SUBDOMAIN in "books" "music" "sync" "torrent" "gate"
+ do
+ HOST="$SUBDOMAIN.$DOMAIN"
+ ${pkgs.curl}/bin/curl --basic -u "$USER:$PASSWORD" --silent https://ydns.io/api/v1/update/?host=$HOST
+ done
+ ${pkgs.curl}/bin/curl --basic -u "$USER:$PASSWORD" --silent https://ydns.io/api/v1/update/?host=$DOMAIN
+ '';
+ in {
+ description = "YDNS IP updater";
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ serviceConfig = {
+ User = "root";
+ Type = "oneshot";
+ ExecStart = "${pkgs.bash}/bin/bash ${ydnsUpdater}/bin/ydnsUpdater";
+ };
+ };
+
+ # TODO It seems to not work
+ systemd.timers.ydnsUpdater = {
+ wantedBy = ["timers.target"];
+ partOf = ["ydnsUpdater.service"];
+ timerConfig = {
+ OnCalendar = "*-*-* *:00:00"; # 
hourly
+ Unit = "ydnsUpdater.service";
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowPing = true;
+ allowedTCPPorts = [
+ 80 # http
+ 139 # samba
+ 443 # https
+ 445 # samba
+ 4712 # amule
+ 4711 # amule web gui
+ 8384 # syncthing
+ ];
+ allowedUDPPorts = [
+ 137 # samba
+ 138 # samba
+ 51820 # wireguard
+ ];
+ };
+
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "enp0s10";
+ networking.nat.internalInterfaces = ["wg0"];
+
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = ["10.100.0.1/24"];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 51820;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s10 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s10 -j MASQUERADE
+ '';
+
+ # Path to the private key file.
+ #
+ # Note: The private key can also be included inline via the privateKey option,
+ # but this makes the private key world-readable; thus, using privateKeyFile is
+ # recommended.
+ privateKeyFile = "/home/ccr/wireguard-keys/private";
+
+ peers = [
+ # List of allowed peers.
+ {
+ # Feel free to give a meaning full name
+ # Public key of the peer (not a file path).
+ publicKey = "fCwjd75CefC9A7WqO7s3xfOk2nRcoTKfnAzDT6Lc5AA=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = ["10.100.0.2/32"];
+ }
+ ];
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "andrea.ciceri@autistici.org";
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ options = lib.mkForce "--delete-older-than 3d";
+ };
+ };
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/hosts/hs/hardware-configuration.nix b/hosts/hs/hardware-configuration.nix
new file mode 100644
index 0000000..e573bf0
--- /dev/null
+++ b/hosts/hs/hardware-configuration.nix
@@ -0,0 +1,27 @@
+{lib, ...}: {
+ boot = {
+ initrd.availableKernelModules = ["ohci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
+ loader.grub = lib.mkForce {
+ enable = true;
+ version = 2;
+ device = "/dev/disk/by-id/ata-OCZ-VERTEX_TMHAK8OARSURAIF6N1A5";
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ };
+ "/mnt/archivio" = {
+ device = "/dev/disk/by-label/archivio";
+ fsType = "ext4";
+ };
+ "/mnt/film" = {
+ device = "/dev/disk/by-label/film";
+ fsType = "ext4";
+ };
+ };
+
+ swapDevices = [{device = "/dev/disk/by-label/swap";}];
+}
diff --git a/hosts/pbp/default.nix b/hosts/pbp/default.nix
new file mode 100644
index 0000000..1ab660f
--- /dev/null
+++ b/hosts/pbp/default.nix
@@ -0,0 +1,20 @@
+{
+ fleetModules,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports =
+ [
+ ./hardware-configuration.nix
+ ]
+ ++ fleetModules [
+ "common"
+ "ssh"
+ "ccr"
+ #"mara"
+ ];
+
+ ccr.enable = true;
+ # mara.enable = true;
+}
diff --git a/hosts/pbp/hardware-configuration.nix b/hosts/pbp/hardware-configuration.nix
new file mode 100644
index 0000000..b73e267
--- /dev/null
+++ b/hosts/pbp/hardware-configuration.nix
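Review bot: Every entry in `services.samba.shares` of `hosts/hs/default.nix` sets `"guest ok" = "yes"` alongside `map to guest = bad user`, and `networking.firewall` opens 139/445, so any client that can reach those ports gets unauthenticated access to shares that are mostly writable and forced to the `wheel` user `ccr`. The `transmission` share exports `/mnt/archivio/transmission`, the directory that also holds `credentialsFile` (`credentials.json`, which carries `rpc-username` and `rpc-password`), so a guest can read or replace the RPC credentials while `rpc-whitelist-enabled = false`. I would set `"guest ok" = "no";` on the writable shares and move `credentialsFile` to a root-owned path outside every share. The Syncthing GUI is also bound to `0.0.0.0:8384` with 8384 in `allowedTCPPorts` although nginx already proxies it from `localhost:8384`; `guiAddress = "127.0.0.1:8384";` plus `forceSSL = true;` on the vhosts that use `addSSL` would keep it behind TLS only. The timer at the end targets `ydnsUpdater.service` while the service is declared as `systemd.services.ydns`, which likely explains the TODO.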
@@ -0,0 +1,67 @@ +{ + config, + lib, + pkgs, + ... +}: { + boot = { + initrd.availableKernelModules = ["usbhid"]; + extraModulePackages = with config.boot.kernelPackages; [ + v4l2loopback + ]; + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + }; + + hardware = { + opengl.enable = true; + pulseaudio = { + enable = true; + package = pkgs.pulseaudioFull; + }; + bluetooth = { + enable = true; + settings = { + General = { + MultiProfile = "multiple"; + ControllerMode = "dual"; + AutoConnect = true; + }; + Policy = { + AutoEnable = true; + }; + }; + }; + }; + + services.blueman.enable = true; + + networking = { + useDHCP = false; + interfaces.wlan0.useDHCP = true; + networkmanager.enable = true; + }; + + time.timeZone = "Europe/Rome"; + + fileSystems = { + "/" = { + device = "/dev/nvme0n1p1"; + fsType = "btrfs"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/C406-2AFC"; + fsType = "vfat"; + }; + }; + + swapDevices = [{device = "/dev/disk/by-uuid/e236d328-496e-4cf8-ba54-857789ca258f";}]; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + + services.logind.extraConfig = '' + HandlePowerKey=ignore + ''; +} diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 06bba23..ef65df3 100644 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -12,10 +12,10 @@ ] ++ fleetModules [ "common" + "ccr" "fonts" "dbus" "audio" - "ccr" "battery" "ssh" "adb" 
@@ -24,13 +24,53 @@ "docker" "transmission" "fprintd" + "binfmt" ]; + ccr = { + enable = true; + autologin = true; + modules = [ + "shell" + "sway" + "emacs" + "mpv" + "firefox" + "qutebrowser" + "git" + "gpg" + "password-store" + "slack" + "chrome" + "vscode" + "element" + "udiskie" + "discord" + "cura" + "xdg" + ]; + packages = with pkgs; [ + comma + ]; + extraGroups = [ + "wheel" + "fuse" + "video" + "adbusers" + "docker" + "networkmanager" + "dialout" + "bluetooth" + "camera" + ]; + }; + boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"]; boot.initrd.kernelModules = []; boot.kernelModules = ["kvm-intel"]; boot.extraModulePackages = []; + boot.binfmt.emulatedSystems = ["aarch64-linux"]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/modules/binfmt/default.nix b/modules/binfmt/default.nix new file mode 100644 index 0000000..d799a59 --- /dev/null +++ b/modules/binfmt/default.nix @@ -0,0 +1,11 @@ +{ + config, + lib, + pkgs, + ... +}: { + boot.binfmt.emulatedSystems = ["aarch64-linux"]; + nix.extraOptions = '' + extra-platforms = aarch64-linux arm-linux + ''; +} diff --git a/modules/ccr/default.nix b/modules/ccr/default.nix index 5944bcd..2edcb54 100644 --- a/modules/ccr/default.nix +++ b/modules/ccr/default.nix 
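Review bot: `boot.binfmt.emulatedSystems = ["aarch64-linux"];` is set in this hunk of `hosts/thinkpad/default.nix` and again in the new `modules/binfmt/default.nix`, which the host now imports through `"binfmt"`, so the same value is defined twice. Keeping it only in the module avoids the two copies drifting apart. A short comment next to `autologin = true;` would also help, for example `# console autologin: ccr is in wheel and docker, keep the disk encrypted`, since membership of `docker` makes an unattended console session close to root-equivalent.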
@@ -5,63 +5,68 @@ fleetHmModules, ... }: { - users.users.ccr = { - uid = 1000; - hashedPassword = "$6$JGOefuRk7kL$fK9.5DFnLLoW08GL4eKRyf958jyZdw//hLMaz4pp28jJuSFb24H6R3dgt1.sMs0huPY85rludSw4dnQJG5xSw1"; # mkpasswd -m sha-512 - description = "Andrea Ciceri"; - isNormalUser = true; - extraGroups = [ - "wheel" - "fuse" - "video" - "adbusers" - "docker" - "networkmanager" - "dialout" - "bluetooth" - "camera" - ]; - shell = pkgs.zsh; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJmn7H6wxrxCHypvY74Z6pBr5G6v564NaUZb9xIILV92JEdpZzuTLLlP+JkMx/8MLRy+pC7prMwR+FhH+LaTm/9x3T6FYP/q9UIAL3cFwBAwj5XQXQKzx9f6pX/7iJrMfAUQ+ZrRUNJHt5Gl+8UypmDgnQLuv5vmQSMRzKnUPuu4lCJtWOpSPhXffz3Ec1tm5nAMuxIMRPY91PYu1fMLlFrjB1FX1goVHKB1uWx16GjJszYCVbN6xcPac0sgUg+qNGBhWkUh0F073rhepQJeWp5FtwIxe2zRsZBxxTy5qxNLmHzBeNDxlOkcy2/Lr+BxVy+mhF/2fJziX80/bWSEA1" - "ssh-rsa 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" - ]; + options.ccr = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + modules = lib.mkOption { + type = with lib.types; listOf str; + default = ["shell" "git"]; + }; + + packages = lib.mkOption { + type = with lib.types; listOf package; + default = []; + }; + + autologin = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + authorizedKeys = lib.mkOption { + type = with lib.types; listOf str; + default = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJmn7H6wxrxCHypvY74Z6pBr5G6v564NaUZb9xIILV92JEdpZzuTLLlP+JkMx/8MLRy+pC7prMwR+FhH+LaTm/9x3T6FYP/q9UIAL3cFwBAwj5XQXQKzx9f6pX/7iJrMfAUQ+ZrRUNJHt5Gl+8UypmDgnQLuv5vmQSMRzKnUPuu4lCJtWOpSPhXffz3Ec1tm5nAMuxIMRPY91PYu1fMLlFrjB1FX1goVHKB1uWx16GjJszYCVbN6xcPac0sgUg+qNGBhWkUh0F073rhepQJeWp5FtwIxe2zRsZBxxTy5qxNLmHzBeNDxlOkcy2/Lr+BxVy+mhF/2fJziX80/bWSEA1" + "ssh-rsa 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" + ]; + }; + + hashedPassword = lib.mkOption { + type = lib.types.str; + default = 
"$6$JGOefuRk7kL$fK9.5DFnLLoW08GL4eKRyf958jyZdw//hLMaz4pp28jJuSFb24H6R3dgt1.sMs0huPY85rludSw4dnQJG5xSw1"; # mkpasswd -m sha-512 + }; + + extraGroups = lib.mkOption { + type = with lib.types; listOf str; + default = ["wheel" "fuse" "networkmanager" "dialout"]; + }; }; - services.getty.autologinUser = "ccr"; + config = lib.mkIf config.ccr.enable { + users.users.ccr = { + uid = 1000; + hashedPassword = config.ccr.hashedPassword; + description = "Andrea Ciceri"; + isNormalUser = true; + extraGroups = config.ccr.extraGroups; + shell = pkgs.zsh; + openssh.authorizedKeys.keys = config.ccr.authorizedKeys; + }; - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.ccr = { - imports = fleetHmModules [ - "shell" - "sway" - "emacs" - "mpv" - "firefox" - "qutebrowser" - "git" - "gpg" - "password-store" - "slack" - "chrome" - "vscode" - "element" - "udiskie" - "discord" - "cura" - ]; - home.packages = with pkgs; [ - comma - ]; - home.stateVersion = config.system.stateVersion; - # TODO move away from here - xdg.enable = true; - # home.pointerCursor = { - # x11.enable = true; - # size = 32; - # package = pkgs.vanilla-dmz; - # name = "Vanilla-DMZ"; - # }; + services.getty.autologinUser = + if config.ccr.autologin + then "ccr" + else null; + + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.ccr = { + imports = fleetHmModules config.ccr.modules; + home.packages = config.ccr.packages; + home.stateVersion = config.system.stateVersion; + }; }; } diff --git a/modules/common/default.nix b/modules/common/default.nix index fe79dc3..70590c0 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -11,6 +11,7 @@ time.timeZone = lib.mkDefault "Europe/Rome"; networking.useDHCP = lib.mkDefault true; users.mutableUsers = false; + # TODO remove users.users.root.password = "password"; i18n.defaultLocale = "en_US.UTF-8"; 
diff --git a/modules/ssh/default.nix b/modules/ssh/default.nix index c3dc07a..e011fcc 100644 --- a/modules/ssh/default.nix +++ b/modules/ssh/default.nix @@ -1,3 +1,6 @@ { services.sshd.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJmn7H6wxrxCHypvY74Z6pBr5G6v564NaUZb9xIILV92JEdpZzuTLLlP+JkMx/8MLRy+pC7prMwR+FhH+LaTm/9x3T6FYP/q9UIAL3cFwBAwj5XQXQKzx9f6pX/7iJrMfAUQ+ZrRUNJHt5Gl+8UypmDgnQLuv5vmQSMRzKnUPuu4lCJtWOpSPhXffz3Ec1tm5nAMuxIMRPY91PYu1fMLlFrjB1FX1goVHKB1uWx16GjJszYCVbN6xcPac0sgUg+qNGBhWkUh0F073rhepQJeWp5FtwIxe2zRsZBxxTy5qxNLmHzBeNDxlOkcy2/Lr+BxVy+mhF/2fJziX80/bWSEA1" + ]; } diff --git a/utils/default.nix b/utils/default.nix index b7f382b..fc73aae 100644 --- a/utils/default.nix +++ b/utils/default.nix @@ -8,7 +8,10 @@ comma, ... }: let - supportedSystems = {x86_64-linux = "x86_64-linux";}; + supportedSystems = { + x86_64-linux = "x86_64-linux"; + aarch64-linux = "aarch64-linux"; + }; pkgsFor = lib.genAttrs (lib.attrValues supportedSystems) (system: nixpkgsUnstable.legacyPackages.${system}); @@ -52,6 +55,15 @@ system = supportedSystems.x86_64-linux; modules = [nixosHardware.nixosModules.lenovo-thinkpad-x1-7th-gen]; }; + hs = mkConfiguration { + name = "hs"; + system = supportedSystems.x86_64-linux; + }; + pbp = mkConfiguration { + name = "pbp"; + system = supportedSystems.aarch64-linux; + modules = ["${nixosHardware}/pine64/pinebook-pro"]; + }; }; mkVmApp = system: configuration: let
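Review bot: `services.sshd.enable = true;` in `modules/ssh/default.nix` stays at its defaults while a root key is added, so as far as this diff shows password authentication remains available for accounts such as `ccr`, whose hash is committed in `modules/ccr`. I would add `services.openssh.passwordAuthentication = false;` next to the key list (newer nixpkgs releases spell it `services.openssh.settings.PasswordAuthentication`; confirm against the pinned release). The key literal repeats the first default entry of `ccr.authorizedKeys`; defining it once and referencing it from both places keeps a later key rotation from missing one copy.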