imterah/nix-infra
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

chore: Add base configuration.

Browse source
This commit is contained in:
Tera << 8 2025-05-04 23:29:29 -04:00
parent a92de43a60
commit 612c7e2f16
Signed by: imterah
GPG key ID: 8FA7DD57BA6CEA37
18 changed files with 700 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -5,4 +5,3 @@ result-*
# Ignore automatically generated direnv output
.direnv

3
.gitmodules vendored Normal file
View file

@ -0,0 +1,3 @@
[submodule "secrets"]
path = secrets
url = https://git.terah.dev/imterah/sops

22
LICENSE
View file

@ -1,11 +1,19 @@
Copyright (c) 2025 imterah.
zlib License
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
(C) 2024 Tera
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1. The origin of this software must not be misrepresented; you must not
claim that you wrote the original software. If you use this software
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

8
README.md
View file

@ -1,3 +1,7 @@
# nix-infra
# Tera's NixOS Home Infrastructure
Work-in-progress NixOS Server Infrastructure
Work-in-progress NixOS Server Infrastructure based on [valerie's NixOS setup](https://git.dessa.dev/valnyx/nixos/src/branch/main).
## WARNING
This is a work-in-progress and currently DOES NOT WORK. Please check back later.

339
flake.lock generated Executable file
View file

@ -0,0 +1,339 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1744940522,
"narHash": "sha256-TNoetfICvd29DhxRPpmyKItQBDlqSvKcV+wGNkn14jk=",
"owner": "nix-community",
"repo": "disko",
"rev": "51d33bbb7f1e74ba5f9d9a77357735149da99081",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"emacs-overlay": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1745169495,
"narHash": "sha256-e9+CfVIrI/iGZVjUeS/h/bOG/55MdvGwOP6m9ncz27Q=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "d24224780e6cb41af7b46a17d39306e5e982aa15",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "emacs-overlay",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"flake-utils": "flake-utils_2"
},
"locked": {
"lastModified": 1738591040,
"narHash": "sha256-4WNeriUToshQ/L5J+dTSWC5OJIwT39SEP7V7oylndi8=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "afcb15b845e74ac5e998358709b2b5fe42a948d1",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1744743431,
"narHash": "sha256-iyn/WBYDc7OtjSawbegINDe/gIkok888kQxk3aVnkgg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c61bfe3ae692f42ce688b5865fac9e0de58e1387",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"nh": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1743682999,
"narHash": "sha256-bg+aAN8K90r3m/I+xXiXG0gawpbkshwlk93wxUN7KEk=",
"owner": "viperML",
"repo": "nh",
"rev": "9e9a4590b38b62b28f07a1fae973ce7b6ca0687a",
"type": "github"
},
"original": {
"owner": "viperML",
"repo": "nh",
"type": "github"
}
},
"nix-gaming": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1745114168,
"narHash": "sha256-x+HdFBsfRznwWPpnqXM3yaTVz2CcK5X/ThY6BA3PgcI=",
"owner": "fufexan",
"repo": "nix-gaming",
"rev": "05b70003daf802fd5c0af3903fab5f23fef3c47c",
"type": "github"
},
"original": {
"owner": "fufexan",
"repo": "nix-gaming",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1744440957,
"narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1743296961,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1744440957,
"narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1744932701,
"narHash": "sha256-fusHbZCyv126cyArUwwKrLdCkgVAIaa/fQJYFlCEqiU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1744502386,
"narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1736344531,
"narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"emacs-overlay": "emacs-overlay",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"impermanence": "impermanence",
"nh": "nh",
"nix-gaming": "nix-gaming",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"zen-browser": "zen-browser"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1744669848,
"narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "61154300d945f0b147b30d24ddcafa159148026a",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"zen-browser": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1742688375,
"narHash": "sha256-yVsET+na0V2edU+5xZTchrZqbN7+uMOOtZ7FfZc79bg=",
"owner": "valnyx17",
"repo": "zen-browser-flake",
"rev": "05e9fd204ae043ceb1ed056460b4ca03fa413c12",
"type": "github"
},
"original": {
"owner": "valnyx17",
"repo": "zen-browser-flake",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

53
flake.nix Executable file
View file

@ -0,0 +1,53 @@
{
description = "Tera's Server Setup: 'When my data's tracking me, when my phone is spying, if not now, then when?'";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
flake-utils.url = "github:gytis-ivaskevicius/flake-utils-plus";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
sops-nix.url = "github:Mic92/sops-nix";
impermanence.url = "github:nix-community/impermanence";
nh = {
url = "github:viperML/nh";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
};
outputs = {
self,
nixpkgs,
flake-utils,
...
} @ inputs: let
mkApp = flake-utils.lib.mkApp;
mkFlake = flake-utils.lib.mkFlake;
in mkFlake {
inherit self inputs nixpkgs;
overlays = import ./overlays.nix {inherit inputs;};
sharedOverlays = [
self.overlays.additions
self.overlays.modifications
self.overlays.unstable-packages
];
hostDefaults.extraArgs = {inherit flake-utils;};
hostDefaults.specialArgs = {
inherit inputs;
inherit (self) outputs;
};
# Main Docker-based host
hosts.andromeda = {
system = "x86_64-linux";
modules = [
inputs.disko.nixosModules.default
(import ./hosts/andromeda/disko.nix {device = "/dev/disk/by-id/nvme-Samsung_SSD_979_PRO_with_Heatsink_1TB_S6WSNJ0T900943T";})
inputs.impermanence.nixosModules.impermanence
./hosts/andromeda/configuration.nix
];
};
};
}

3
hosts/andromeda/README.md Normal file
View file

@ -0,0 +1,3 @@
# Andromeda: Docker Home Server
This thing handles nearly all traffic for my home network. She has Traefik,

59
hosts/andromeda/configuration.nix Executable file
View file

@ -0,0 +1,59 @@
{
config,
pkgs,
lib,
outputs,
inputs,
...
}: {
imports = [
./hardware-configuration.nix
../../system/nix.nix
../../system/sops.nix
../../system/impermanence.nix
../../system/sshd.nix
../../system/avahifixes.nix
../../system/i18n.nix
];
sops.secrets.tera-password.neededForUsers = true;
users.mutableUsers = false;
users.users.tera = {
uid = 1000;
description = "Tera";
home = "/home/tera";
hashedPasswordFile = config.sops.secrets.tera-password.path;
isNormalUser = true;
createHome = true;
shell = pkgs.bash;
extraGroups = [
"wheel"
"networkmanager"
"audio"
"docker"
"input"
"plugdev"
];
openssh.authorizedKeys.keys = [
(builtins.readFile ../../secrets/id_user.pub)
];
};
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "andromeda";
networking.networkmanager.enable = true;
boot.supportedFilesystems = [];
# Services
services.docker.enable = true;
environment.systemPackages = builtins.attrValues {
inherit (pkgs.unstable) htop btop micro nano;
};
system.stateVersion = "24.11";
}

29
hosts/andromeda/hardware-configuration.nix Executable file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "uas" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp193s0f3u2u3.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

3
hosts/milkyway/README.md Normal file
View file

@ -0,0 +1,3 @@
# Milky Way: Remote VPS
This is the gateway from my home network to the public internet.

1
secrets Submodule

@ -0,0 +1 @@
Subproject commit ed485bba5151879e9b598fd18e6970624b0d21e5

17
system/avahifixes.nix Executable file
View file

@ -0,0 +1,17 @@
{
pkgs,
lib,
...
}: {
# local name resolution
services.avahi = {
enable = true;
openFirewall = true;
nssmdns4 = true;
};
system.nssModules = lib.optional true pkgs.nssmdns;
system.nssDatabases.hosts = lib.optionals true (pkgs.lib.mkMerge [
(lib.mkBefore ["mdns4_minimal [NOTFOUND=return]"]) # before resolution
(lib.mkAfter ["mdns4"]) # after dns
]);
}

47
system/disko.nix Executable file
View file

@ -0,0 +1,47 @@
{device ? throw "Set this to your disk device, e.g. /dev/disk/by-id/...", ...}: {
disko.devices = {
disk = {
main = {
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
rootfs = {
size = "100%";
content = {
"/root" = {
mountpoint = "/";
# mountOptions = ["compress=zstd" "noatime"];
};
"/persist" = {
mountpoint = "/persist";
# mountOptions = ["compress=zstd" "subvol=persist" "noatime"];
mountOptions = ["subvol=persist" "noatime"];
};
"/home" = {
mountpoint = "/home";
mountOptions = ["compress=zstd" "subvol=home" "noatime"];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["compress=zstd" "subvol=nix" "noatime"];
};
};
};
};
};
};
};
};
}

4
system/i18n.nix Executable file
View file

@ -0,0 +1,4 @@
{...}: {
time.timeZone = "America/Indiana/Indianapolis";
i18n.defaultLocale = "en_US.UTF-8";
}

45
system/impermanence.nix Executable file
View file

@ -0,0 +1,45 @@
{lib, ...}: {
fileSystems."/persist".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/root_vg/root /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/nixos"
"/etc/NetworkManager"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
#"/var/lib/sops-nix/key.txt"
];
};
}

52
system/nix.nix Executable file
View file

@ -0,0 +1,52 @@
{
lib,
config,
outputs,
inputs,
...
}: {
nixpkgs.config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
cudaSupport = true;
};
nixpkgs.overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
];
nix = let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in {
settings = {
# Enable flakes and new 'nix' command
experimental-features = "nix-command flakes";
# Opinionated: disable global registry
flake-registry = "";
# Workaround for https://github.com/NixOS/nix/issues/9574
nix-path = config.nix.nixPath;
# allowUnfree = true;
auto-optimise-store = true;
builders-use-substitutes = true;
keep-derivations = true;
keep-outputs = true;
trusted-users = ["root" "@wheel"];
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
# Opinionated: disable channels
channel.enable = false;
# Opinionated: make flake registry and nix path match flake inputs
registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
}

12
system/sops.nix Executable file
View file

@ -0,0 +1,12 @@
{inputs, ...}: {
imports = [
inputs.sops-nix.nixosModules.sops
];
sops.defaultSopsFile = "${../secrets/secrets.yaml}";
sops.validateSopsFiles = false;
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/persist/var/lib/sops-nix/key.txt";
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.age.generateKey = true;
}

12
system/sshd.nix Executable file
View file

@ -0,0 +1,12 @@
{lib, ...}: {
services.openssh = {
enable = true;
settings = {
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
PasswordAuthentication = false;
UseDns = true;
X11Forwarding = false;
};
};
}