-rw-r--r-- | flake.lock | 67 | ||||
-rw-r--r-- | flake.nix | 11 | ||||
-rw-r--r-- | system/linde.nix | 72 | ||||
-rw-r--r-- | system/marvin.nix | 1 | ||||
-rw-r--r-- | system/settings/configuration/nix-linux.nix | 10 | ||||
-rw-r--r-- | system/settings/configuration/nix.nix | 2 | ||||
-rw-r--r-- | system/settings/darwin.nix | 7 | ||||
-rw-r--r-- | system/settings/services/git-server.nix | 45 |
8 files changed, 72 insertions, 143 deletions
diff --git a/flake.lock b/flake.lock index ee59ecb5..8cdca080 100644 --- a/flake.lock +++ b/flake.lock @@ -333,22 +333,6 @@ "type": "github" } }, - "nixpkgs-small": { - "locked": { - "lastModified": 1738178544, - "narHash": "sha256-UbM+zJFlze877N5j2YMLKYFX7t05VvmuNX2M0vJ7RfI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "975ac0ab33ee7fea64842047a96f5d679d90913c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1738023785, @@ -399,11 +383,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1737885589, - "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", + "lastModified": 1734424634, + "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8", + "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", "type": "github" }, "original": { 
@@ -415,32 +399,32 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1734424634, - "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_5": { "locked": { - "lastModified": 1730768919, - "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", + "lastModified": 1738178544, + "narHash": "sha256-UbM+zJFlze877N5j2YMLKYFX7t05VvmuNX2M0vJ7RfI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", + "rev": "975ac0ab33ee7fea64842047a96f5d679d90913c", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } @@ -449,7 +433,7 @@ "inputs": { "flake-compat": "flake-compat_2", "gitignore": "gitignore", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { @@ -476,9 +460,12 @@ "home-manager": "home-manager_2", "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_3", - "nixpkgs-small": "nixpkgs-small", + "nixpkgs": [ + "srvos", + "nixpkgs" + ], "searchix": "searchix", + "srvos": "srvos", "utils": "utils_2" } }, @@ -486,7 +473,7 @@ "inputs": { "flake-utils": "flake-utils_2", "gomod2nix": "gomod2nix", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "simple-css": "simple-css" }, 
@@ -516,6 +503,24 @@ "url": "https://raw.githubusercontent.com/kevquirk/simple.css/v2.3.1/simple.css" } }, + "srvos": { + "inputs": { + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1738198321, + "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", + "owner": "nix-community", + "repo": "srvos", + "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "srvos", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 46d17ac0..3d376f14 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + srvos.url = "github:nix-community/srvos"; + nixpkgs.follows = "srvos/nixpkgs"; nixos-hardware.url = "github:NixOS/nixos-hardware"; nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; @@ -25,8 +25,8 @@ inputs@ { self , utils + , srvos , nixpkgs - , nixpkgs-small , nixos-hardware , emacs-overlay , home-manager @@ -86,10 +86,12 @@ common-gpu-nvidia-nonprime ]); }; - nixosConfigurations.linde = nixpkgs-small.lib.nixosSystem { + nixosConfigurations.linde = nixpkgs.lib.nixosSystem { system = utils.lib.system.aarch64-linux; specialArgs = { inherit inputs; }; modules = [ + srvos.nixosModules.server + srvos.nixosModules.hardware-hetzner-cloud-arm agenix.nixosModules.default searchix.nixosModules.web golink.nixosModules.default @@ -101,6 +103,7 @@ system = utils.lib.system.aarch64-darwin; specialArgs = { inherit inputs; }; modules = [ + srvos.darwinModules.desktop ./system/marvin.nix ./packages/modules/darwin/caddy ]; diff --git a/system/linde.nix b/system/linde.nix index 20d71e55..e82236d0 100644 --- a/system/linde.nix +++ b/system/linde.nix 
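Review bot: `nixpkgs.follows = "srvos/nixpkgs"` hands the choice of nixpkgs branch to a third-party flake: the lock in this commit resolves it to nixos-unstable-small, but a future srvos bump can silently move every host to whatever branch srvos pins, and nixpkgs security fixes now arrive only when the nested `srvos/nixpkgs` lock entry is refreshed. A comment next to the follows line would make the implicit channel visible, e.g. `# nixpkgs branch is whatever srvos pins (nixos-unstable-small at time of writing); refresh with nix flake update`. If a fixed branch matters, keeping an explicit `nixpkgs.url` and adding `srvos.inputs.nixpkgs.follows = "nixpkgs";` (the same pattern the file already uses for nix-index-database) keeps that decision in this repo.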
@@ -6,14 +6,14 @@ with lib; let - netif = "enp1s0"; + netif = "eth0"; hostname = "linde"; net-ip4 = "116.203.248.56"; - net-mask4 = "32"; + net-mask4 = 32; net-gw = "172.31.1.1"; net-ip6 = "2a01:4f8:c012:23a4::1"; net-redisip = "2a01:4f8:c012:23a4::6379"; - net-mask6 = "64"; + net-mask6 = 64; net-gw6 = "fe80::1"; domain = "alanpearce.eu"; ts-domain = "hydra-pinecone.ts.net"; @@ -56,9 +56,6 @@ in }; }; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot/efi"; time.timeZone = "Europe/Berlin"; @@ -85,8 +82,6 @@ in enable = true; settings = { PermitRootLogin = "without-password"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; }; }; services.sshguard = { @@ -134,6 +129,7 @@ in secretKeyFile = config.age.secrets.binarycache.path; }; + programs.vim.defaultEditor = false; programs.neovim = { enable = true; defaultEditor = true; @@ -144,7 +140,6 @@ in networking = { hostName = hostname; inherit domain; - useDHCP = false; dhcpcd.enable = false; nameservers = [ "2606:4700:4700::1111" @@ -157,6 +152,30 @@ in ${net-ip6} = [ "${hostname}.${domain}" hostname ]; ${net-redisip} = [ "redis" ]; }; + defaultGateway = { + address = net-gw; + interface = netif; + }; + defaultGateway6 = { + address = net-gw6; + interface = netif; + }; + interfaces.${netif} = { + ipv4 = { + addresses = [ + { address = net-ip4; prefixLength = net-mask4; } + ]; + routes = [ + { address = net-gw; prefixLength = 32; } + ]; + }; + ipv6 = { + addresses = [ + { address = net-ip6; prefixLength = net-mask6; } + { address = net-redisip; prefixLength = net-mask6; } + ]; + }; + }; firewall = { enable = true; allowPing = true; 
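Review bot: Dropping `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` from `services.openssh.settings` in the `@@ -85` hunk leaves those values to whatever the newly imported `srvos.nixosModules.server` sets, or to the NixOS defaults if it does not, and the NixOS default keeps password authentication enabled while `PermitRootLogin = "without-password"` stays in place. The same reliance applies to the systemd-boot/EFI lines removed in the `@@ -56` hunk (`efiSysMountPoint` is still set, so a boot loader is presumably expected from `hardware-hetzner-cloud-arm`) and to `security.sudo.execWheelOnly = true;` removed in the `@@ -283` hunk on the next line. Unless srvos is confirmed to set each of these, keeping the two sshd lines is harmless, since identical bool definitions from two modules merge without conflict. The enclosing `services.openssh` block starts outside the hunk.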
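Review bot: In the added `interfaces.${netif}.ipv4.routes` entry of the `@@ -157` hunk, the literal `prefixLength = 32` is easy to misread as a copy of `net-mask4`; it is presumably a host route to a gateway that is not on-link (the address itself is a /32), so the route must exist before `defaultGateway` can be installed. A one-line comment would save the next reader the reasoning: `# /32 host route: the gateway is off-link and must be reachable before defaultGateway applies`. This replaces the `Peer = "${net-gw}/32"` networkd setting removed in the `@@ -188` hunk on the next line; the QuickAck/InitialCongestionWindow tuning from that block has no counterpart here, which may be intentional but is worth a note if so.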
@@ -188,44 +207,12 @@ in useLocalResolver = false; }; }; + services.cloud-init.network.enable = false; services.resolved = { enable = true; llmnr = "false"; dnssec = "true"; }; - systemd.network = { - enable = true; - networks.${netif} = - { - name = netif; - routes = [ - { - Gateway = net-gw6; - PreferredSource = net-ip6; - QuickAck = true; - InitialCongestionWindow = 30; - InitialAdvertisedReceiveWindow = 30; - } - { - Gateway = net-gw; - QuickAck = true; - InitialCongestionWindow = 30; - InitialAdvertisedReceiveWindow = 30; - } - ]; - address = [ - "${net-ip6}/${net-mask6}" - "${net-redisip}/${net-mask6}" - ]; - addresses = [{ - Address = "${net-ip4}/${net-mask4}"; - Peer = "${net-gw}/32"; - }]; - }; - wait-online = { - extraArgs = [ "--interface=${netif}" ]; - }; - }; services.tailscale = { enable = true; @@ -283,7 +270,6 @@ in "net.ipv4.tcp_slow_start_after_idle" = false; }; - security.sudo.execWheelOnly = true; security.sudo.extraConfig = '' Defaults:root,%wheel env_keep+=EDITOR ''; diff --git a/system/marvin.nix b/system/marvin.nix index ed79c8f2..21f085db 100644 --- a/system/marvin.nix +++ b/system/marvin.nix @@ -39,7 +39,6 @@ nix.settings = { max-jobs = 8; cores = 4; - auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273 }; nix = { diff --git a/system/settings/configuration/nix-linux.nix b/system/settings/configuration/nix-linux.nix index e11b0389..1c26bc7e 100644 --- a/system/settings/configuration/nix-linux.nix +++ b/system/settings/configuration/nix-linux.nix @@ -1,5 +1,4 @@ { config -, lib , pkgs , ... }: { 
@@ -11,20 +10,11 @@ settings = { auto-optimise-store = true; }; - daemonCPUSchedPolicy = "idle"; - daemonIOSchedClass = "idle"; }; nixpkgs.config.allowUnfree = true; system.autoUpgrade = { enable = true; - flags = [ "--max-jobs" "2" ]; - }; - systemd.services.nixos-upgrade = { - script = pkgs.lib.mkForce '' - ${pkgs.nix}/bin/nix-channel --update - ${config.system.build.nixos-rebuild}/bin/nixos-rebuild boot --no-build-output ${toString config.system.autoUpgrade.flags} - ''; }; } diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix index b0459b16..481c3911 100644 --- a/system/settings/configuration/nix.nix +++ b/system/settings/configuration/nix.nix @@ -9,7 +9,6 @@ use-xdg-base-directories = true; keep-outputs = true; keep-derivations = true; - experimental-features = "nix-command flakes"; warn-dirty = false; substituters = [ "https://nix-community.cachix.org" @@ -38,7 +37,6 @@ type = "path"; path = pkgs.path; }; - }; }; } diff --git a/system/settings/darwin.nix b/system/settings/darwin.nix index 0f507a31..9841c06c 100644 --- a/system/settings/darwin.nix +++ b/system/settings/darwin.nix @@ -16,9 +16,7 @@ [ "/run/current-system/sw" "/nix/var/nix/profiles/default" ] ]; - environment.darwinConfig = "$HOME/.config/nixpkgs/darwin-configuration.nix"; nix = { - daemonIOLowPriority = true; settings.extra-platforms = "aarch64-darwin x86_64-darwin"; settings.trusted-users = [ "@admin" ]; @@ -28,11 +26,6 @@ allowUnfree = true; }; - # needed so that nix-darwin can activate the system as root - security.sudo.extraConfig = '' - Defaults env_keep += "NIX_PATH" - ''; - services.lorri.enable = true; launchd.user.agents.lorri = { serviceConfig = { diff --git a/system/settings/services/git-server.nix b/system/settings/services/git-server.nix index 512067ce..df3c0ea2 100644 --- a/system/settings/services/git-server.nix +++ b/system/settings/services/git-server.nix 
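Review bot: The removed `systemd.services.nixos-upgrade` override ran `nixos-rebuild boot`, so upgrades were staged for the next reboot; with it gone, `system.autoUpgrade` falls back to its default operation, which activates the new generation immediately on the running system. If the staged behaviour was intentional, `system.autoUpgrade.operation = "boot";` preserves it in one line without overriding the unit script. Removing the override also appears to leave `config` and `pkgs` in the module header unused, but lines 5–9 of the file are outside the hunk so I can't confirm.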
@@ -224,51 +224,6 @@ in }; }; - programs.ssh = with pkgs; { - knownHostsFiles = [ - (writeText "github.keys" '' - # github.com:22 SSH-2.0-babeld-05989c77 - # github.com:22 SSH-2.0-babeld-05989c77 - # github.com:22 SSH-2.0-babeld-05989c77 - # github.com:22 SSH-2.0-babeld-05989c77 - # github.com:22 SSH-2.0-babeld-05989c77 - github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - '') - (writeText "gitlab.keys" '' - # gitlab.com:22 SSH-2.0-GitLab-SSHD - # gitlab.com:22 SSH-2.0-GitLab-SSHD - # gitlab.com:22 SSH-2.0-GitLab-SSHD - # gitlab.com:22 SSH-2.0-GitLab-SSHD - # gitlab.com:22 SSH-2.0-GitLab-SSHD - gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - '') - (writeText "codeberg.keys" '' - # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2 - # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2 - # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2 - # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2 - # codeberg.org:22 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2 - codeberg.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8hZi7K1/2E2uBX8gwPRJAHvRAob+3Sn+y2hxiEhN0buv1igjYFTgFO2qQD8vLfU/HT/P/rqvEeTvaDfY1y/vcvQ8+YuUYyTwE2UaVU5aJv89y6PEZBYycaJCPdGIfZlLMmjilh/Sk8IWSEK6dQr+g686lu5cSWrFW60ixWpHpEVB26eRWin3lKYWSQGMwwKv4LwmW3ouqqs4Z4vsqRFqXJ/eCi3yhpT+nOjljXvZKiYTpYajqUC48IHAxTWugrKe1vXWOPxVXXMQEPsaIRc2hpK+v1LmfB7GnEGvF1UAKnEZbUuiD9PBEeD5a1MZQIzcoPWCrTxipEpuXQ5Tni4mN - codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2pDxWr18SoiDJCGZ5LmxPygTlPu+cCKSkpqkvCyQzl5xmIMeKNdfdBpfbCGDPoZQghePzFZkKJNR/v9Win3Sc= - codeberg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVIC02vnjFyL+I4RHfvIGNtOgJMe769VTF1VR4EB3ZB - '') - (writeText "sr.ht.keys" '' - # git.sr.ht:22 SSH-2.0-OpenSSH_9.6 - # git.sr.ht:22 SSH-2.0-OpenSSH_9.6 - # git.sr.ht:22 SSH-2.0-OpenSSH_9.6 - # git.sr.ht:22 SSH-2.0-OpenSSH_9.6 - # git.sr.ht:22 SSH-2.0-OpenSSH_9.6 - git.sr.ht ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ+l/lvYmaeOAPeijHL8d4794Am0MOvmXPyvHTtrqvgmvCJB8pen/qkQX2S1fgl9VkMGSNxbp7NF7HmKgs5ajTGV9mB5A5zq+161lcp5+f1qmn3Dp1MWKp/AzejWXKW+dwPBd3kkudDBA1fa3uK6g1gK5nLw3qcuv/V4emX9zv3P2ZNlq9XRvBxGY2KzaCyCXVkL48RVTTJJnYbVdRuq8/jQkDRA8lHvGvKI+jqnljmZi2aIrK9OGT2gkCtfyTw2GvNDV6aZ0bEza7nDLU/I+xmByAOO79R1Uk4EYCvSc1WXDZqhiuO2sZRmVxa0pQSBDn1DB3rpvqPYW+UvKB3SOz - git.sr.ht ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCj6y+cJlqK3BHZRLZuM+KP2zGPrh4H66DacfliU1E2DHAd1GGwF4g1jwu3L8gOZUTIvUptqWTkmglpYhFp4Iy4= - git.sr.ht ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60 - '') - ]; - }; - systemd.services = 
concatMapAttrs createMirrorService mirrors; systemd.paths = concatMapAttrs createMirrorPath mirrors; systemd.targets.git-mirroring = { |
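Review bot: Removing `programs.ssh.knownHostsFiles` deletes the pinned host keys for github.com, gitlab.com, codeberg.org and git.sr.ht, and nothing in this commit replaces them, so any mirror unit that fetches over SSH now depends on a host-key source outside this file. Under OpenSSH's default `StrictHostKeyChecking=ask` a non-interactive unit fails on its first connection; if the mirrors instead run with `accept-new` or `no`, the first connection is trusted blind. If srvos or another module is expected to provide these pins, a comment saying so would help; otherwise `programs.ssh.knownHosts.<host>.publicKey` is the supported way to keep them without the hand-written `writeText` files. The `mirrors` attrset is outside the hunk, so I can't tell whether the remotes use SSH at all.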