
Compare commits


No commits in common. "c3f45055990ef9f8dfe19f209d1be4b71b6e4a31" and "9bc8eb6bc60cebf96a8e68a4ab0327f4d7ebfae2" have entirely different histories.

11 changed files with 1910 additions and 124 deletions

View file

@ -11,67 +11,47 @@ A full set of configuration files managed via NixOS. This project is an **unoffi
Secrets are managed using [git-crypt](https://github.com/AGWA/git-crypt). To unlock the repo, use `git-crypt unlock [path to key file]`. git-crypt will transparently encrypt/decrypt files stored in `modules/secrets` going forward, but you'll need this key file on all hosts that are using secrets. Secrets are managed using [git-crypt](https://github.com/AGWA/git-crypt). To unlock the repo, use `git-crypt unlock [path to key file]`. git-crypt will transparently encrypt/decrypt files stored in `modules/secrets` going forward, but you'll need this key file on all hosts that are using secrets.
> [!NOTE] Note: This is a poor man's secret management solution. These secrets will be world-readable in the `/nix/store/`.
> This is a poor man's secret management solution. If you use this, your secrets will be world-readable in the `/nix/store/`.
### First-time installation ### First-time installation
When installing on a brand new system, partition the main drive into two partitions: a `/boot` partition, and a LUKS partition. Then, run `bin/format-drives.sh --root [root partition] --luks [luks partition]` (the script will request sudo privileges): When installing on a brand new system, partition the main drive into two partitions: a `/boot` partition, and a LUKS partition. Then, run `bin/format-drives.sh --root [root partition] --luks [luks partition]`. This also creates a `hardware-configuration.nix` file.
```sh ```sh
./bin/format-drives.sh --boot /dev/nvme0n1p1 --luks /dev/nvme0n1p2 ./bin/format-drives.sh --boot /dev/nvme0n1p1 --luks /dev/nvme0n1p2
``` ```
Next, set up the host's config under in the `hosts` folder by copying `configuration.nix.template` and `hardware-configuration.nix.template` into a new folder. Running `format-drives.sh` also generates a `hardware-configuration.nix` file you can use. Next, set up the host's config under in the `hosts` folder by copying `configuration.nix.template` and `hardware-configuration.nix.template` into a new folder.
Then, add the host to `flake.nix` under the `nixosConfigurations` section. Then, add the host to `flake.nix` under the `nixosConfigurations` section.
Finally, run the NixOS installer, replacing `host` with your actual hostname: Finally, run the NixOS installer, replacing `host` with your actual hostname:
```sh ```sh
sudo nixos-install --verbose --root /mnt --flake .#host --no-root-password nixos-install --verbose --root /mnt --flake .#host --no-root-password
``` ```
> [!TIP] > [!TIP]
> This config installs a nixos-rebuild wrapper called `nos` (NixOS Operations Script) that handles pulling and pushing changes to your configuration repository via git. For more info, run `nixos-operations-script --help`. > This config installs a [Nix wrapper called nh](https://github.com/viperML/nh). Basic install/upgrade commands can be run using `nh`, but more advanced stuff should use `nixos-rebuild`.
### Running updates ### Running updates
To update a system, run `nixos-operations-script` (or just `nos`). To commit updates back to the repo, use `nos --update`. Do not run this script as root - it will automatically request sudo permissions as needed. All hosts are configured to run automatic daily updates (see `modules/system/system.nix`). You can disable this by adding `aux.system.services.autoUpgrade = false;` to a host's config.
#### Automatic updates Automatic updates work by `git pull`ing the latest version of the repo from Forgejo. This repo gets updated nightly by [`Hevana`](./hosts/Hevana), which updates the `flake.lock` file and pushes it back up to Forgejo. Only one host needs to do this, and you can enable this feature on a host using `aux.system.services.autoUpgrade.pushUpdates = true;`.
To enable automatic updates for a host, set `aux.system.services.autoUpgrade = true;`. You can configure the autoUpgrade module with additional settings, e.g.:
```nix
aux.system.services.autoUpgrade = {
enable = true;
configDir = config.secrets.nixConfigFolder;
extraFlags = "--build-host hevana";
onCalendar = "daily";
user = config.users.users.aires.name;
};
```
Automatic updates work by running `nos`. There's an additional `pushUpdates` option that, when enabled, updates the `flake.lock` file and pushes it back up to the Git repository. Only one host needs to do this (in this case, it's [Hevana](./hosts/Hevana), but you can safely enable it on multiple hosts as long as they use the same repository and update at different times.
#### Manually updating #### Manually updating
Run `nos` to update the system. Use the `--update` flag to update `flake.lock` as part of the process. For the first build, you'll need to specify the path to your `flake.nix` file and the hostname using `nos --hostname my_hostname --flake /path/to/flake.nix`. Run `nh` to update the system. Use the `--update` flag to update `flake.lock` as part of the process. After the first build, you can omit the hostname and path to your flake.nix file:
After the first build, you can omit the hostname and path:
```sh ```sh
nos nh os switch --update
``` ```
This is the equivalent of running: This is the equivalent of running:
```sh ```sh
cd [flake dir] nix flake update
git pull
nix flake update --commit-lock-file
git push
sudo nixos-rebuild switch --flake . sudo nixos-rebuild switch --flake .
``` ```
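Review bot: the right-hand install step drops `sudo` from `nixos-install --verbose --root /mnt --flake .#host --no-root-password`, and the format-drives sentence no longer says the script requests sudo, yet both steps write to the target disk and `/mnt`, so the README should state that they must run as root (or keep `sudo` as the left side did). Two smaller points: the secrets note lost its `> [!NOTE]` callout and now reads as plain text (`Note: This is a poor man's secret management solution...`), so the warning that secrets are world-readable in `/nix/store` no longer renders as an admonition; and the "Running updates" section now documents `nh os switch --update` where the left side documented `nos`, so the rest of the config (installed packages, shell aliases) needs to agree with whichever wrapper the README recommends.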

View file

@ -1,13 +1,12 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# The NixOS Operations Script (NOS) is a wrapper script for nixos-rebuild and Flake-based configurations. # Wrapper script for nixos-rebuild
# It handles pulling the latest version of your repository using Git, running system updates, and pushing changes back up.
# Configuration parameters # Configuration parameters
operation="switch" # The nixos-rebuild operation to use operation="switch" # The nixos-rebuild operation to use
hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build
flakeDir="${FLAKE_DIR}" # Path to the flake file (and optionally the hostname) flakeDir="${FLAKE_DIR}" # Path to the flake file (and optionally the hostname). Defaults to the FLAKE_DIR environment variable.
update=false # Whether to update and commmit flake.lock update=false # Whether to update flake.lock (false by default)
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script)
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild) remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() { function usage() {
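Review bot: on the right, `hostname=$(/run/current-system/sw/bin/hostname)` is still initialised even though the `flakeDir` comment now says the host is selected through the flake path ("and optionally the hostname"); if nothing reads it any more, remove the variable, otherwise document where it is used. The `user` variable is still described as the account for git commands while the header comment no longer mentions git at all, so either the comment or the variable is stale; keep the two in step with what the script actually does.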
@ -17,17 +16,15 @@ function usage() {
echo " 1. Pull the latest version of your Nix config repository" echo " 1. Pull the latest version of your Nix config repository"
echo " 2. Run 'nixos-rebuild switch'." echo " 2. Run 'nixos-rebuild switch'."
echo "" echo ""
echo "Advanced usage: nixos-operations-script.sh [-h | --hostname hostname-to-build] [-o | --operation operation] [-f | --flake path-to-flake] [extra nixos-rebuild parameters]" echo "Advanced usage: nixos-operations-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]"
echo ""
echo "Options:" echo "Options:"
echo " --help Show this help screen." echo " -h, --help Show this help screen."
echo " -f, --flake [path] The path to your flake.nix file (defualts to the FLAKE_DIR environment variable)." echo " -o, --operation The nixos-rebuild operation to perform."
echo " -h, --hostname [hostname] The name of the host to build (defaults to the current system's hostname)." echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -o, --operation [operation] The nixos-rebuild operation to perform (defaults to 'switch')." echo " -U, --update Update and commit flake.lock."
echo " -U, --update Update and commit the flake.lock file." echo " -u, --user Which user account to run git commands under."
echo " -u, --user [username] Which user account to run git commands under (defaults to the user running this script)."
echo "" echo ""
exit 0 exit 2
} }
# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash # Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
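Review bot: `usage()` now ends with `exit 2`, but it is also the handler for `-h, --help`, so an explicit help request returns a failure status; use `exit 0` for help and reserve 2 for argument errors. The right-hand help text also dropped the defaults (`switch` for `--operation`, the FLAKE_DIR variable for `--flake`, the calling user for `--user`) and the argument placeholders for `-o` and `-u`; for example `echo "  -o, --operation [operation]  The nixos-rebuild operation to perform (defaults to 'switch')."` keeps that information visible.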
@ -39,11 +36,6 @@ while [[ $# -gt 0 ]]; do
shift shift
shift shift
;; ;;
--hostname|-h)
hostname="$2"
shift
shift
;;
--update|--upgrade|-U) --update|--upgrade|-U)
update=true update=true
shift shift
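Review bot: removing the `--hostname|-h)` case frees `-h` for help, but any existing caller still passing `-h <hostname>` now gets the usage screen instead of a build of that host; call this out in the commit message and in the README's update instructions so scripts and aliases built around `-h` are updated.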
@ -58,8 +50,9 @@ while [[ $# -gt 0 ]]; do
shift shift
shift shift
;; ;;
--help) --help|-h)
usage usage
exit 0
;; ;;
*) *)
POSITIONAL_ARGS+=("$1") # save positional arg POSITIONAL_ARGS+=("$1") # save positional arg
@ -87,9 +80,9 @@ else
echo "Skipping 'nix flake update'..." echo "Skipping 'nix flake update'..."
fi fi
options="--flake ${flakeDir}#${hostname} ${remainingArgs} --use-remote-sudo --log-format multiline-with-logs" options="--flake $flakeDir $remainingArgs --use-remote-sudo --log-format multiline-with-logs"
echo "Running this operation: nixos-rebuild ${operation} ${options}" echo "Running this operation: nixos-rebuild $operation $options"
/run/wrappers/bin/sudo -u $user /run/current-system/sw/bin/nixos-rebuild $operation $options /run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
exit 0 exit 0
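Review bot: `sudo -u root ... nixos-rebuild $operation $options` now runs the whole evaluation and build as root, where the left side ran it as `$user` and relied on `--use-remote-sudo` to elevate only the activation step; with the process already root, `--use-remote-sudo` is redundant and the `--user` option no longer affects the rebuild at all, so either drop the option or keep `-u $user` and let `--use-remote-sudo` do the privilege step, which keeps flake evaluation unprivileged. Two more points: `--flake $flakeDir` without the `#${hostname}` suffix makes nixos-rebuild fall back to the machine's hostname, which is only correct if every caller passes the host in the flake path; and `options` is a whitespace-split string, so a `flakeDir` containing spaces breaks; build it as a bash array instead.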

View file

@ -203,7 +203,7 @@
"narHash": "sha256-5WHctvz0R9N9oBGda1ROuJ/V/m/tZsEXloGWDrd9G7Y=", "narHash": "sha256-5WHctvz0R9N9oBGda1ROuJ/V/m/tZsEXloGWDrd9G7Y=",
"rev": "866b8902c975a1aaec547445976dd39d60def4ab", "rev": "866b8902c975a1aaec547445976dd39d60def4ab",
"type": "tarball", "type": "tarball",
"url": "https://git.auxolotl.org/api/v1/repos/auxolotl/labs/archive/d7762a5a78273ffb76da6f6902245983143f63f6.tar.gz?rev=d7762a5a78273ffb76da6f6902245983143f63f6" "url": "https://git.auxolotl.org/api/v1/repos/auxolotl/labs/archive/866b8902c975a1aaec547445976dd39d60def4ab.tar.gz?rev=866b8902c975a1aaec547445976dd39d60def4ab"
}, },
"original": { "original": {
"dir": "lib", "dir": "lib",
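Review bot: the left-hand `url` fetched archive `d7762a5a...` while `rev` already said `866b8902...`, so the lock entry was internally inconsistent; the right side makes `url` and `rev` agree, and since `narHash` is unchanged the pinned content is the same. It is worth stating in the commit message that the entry came from regenerating the lock (`nix flake lock` or `nix flake update`) rather than a hand edit, since `narHash` is what nix verifies against the downloaded tarball.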
@ -315,11 +315,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1728492678, "lastModified": 1728888510,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", "narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -331,11 +331,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1728740863, "lastModified": 1728909085,
"narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=", "narHash": "sha256-WLxED18lodtQiayIPDE5zwAfkPJSjHJ35UhZ8h3cJUg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a3f9ad65a0bf298ed5847629a57808b97e6e8077", "rev": "c0b1da36f7c34a7146501f684e9ebdf15d2bebf8",
"type": "github" "type": "github"
}, },
"original": { "original": {
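Review bot: both `nixpkgs-unstable` and `nixpkgs_2` are bumped with `lastModified`, `narHash` and `rev` moving together, as a `nix flake update` produces; however the two inputs remain pinned to different nixpkgs revisions (`a3c0b3b2...` and `c0b1da36...`), so two nixpkgs trees are evaluated and fetched. If `nixpkgs_2` is another input's transitive nixpkgs, consider `inputs.<name>.inputs.nixpkgs.follows = "nixpkgs-unstable"` in `flake.nix` (replace `<name>` with the input concerned) to collapse them.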

View file

@ -13,7 +13,6 @@
aux.system.packages = with pkgs; [ aux.system.packages = with pkgs; [
fastfetch # Show a neat system statistics screen when opening a terminal fastfetch # Show a neat system statistics screen when opening a terminal
htop # System monitor htop # System monitor
lm_sensors # System temperature monitoring
zellij # Terminal multiplexer zellij # Terminal multiplexer
]; ];

View file

@ -5,12 +5,6 @@ let
# LUKS partition will decrypt to /dev/mapper/nixos-root # LUKS partition will decrypt to /dev/mapper/nixos-root
decryptPart = "nixos-root"; decryptPart = "nixos-root";
decryptPath = "/dev/mapper/${decryptPart}"; decryptPath = "/dev/mapper/${decryptPart}";
# Default mount options for your main partitions
primaryPartOpts = [
"compress=zstd"
(lib.mkIf cfg.discard "discard=async").content
];
in in
{ {
options = { options = {
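Review bot: removing `primaryPartOpts` also removes a real bug: `(lib.mkIf cfg.discard "discard=async").content` unwraps the string from the `mkIf` wrapper unconditionally, so `discard=async` was applied whether or not `cfg.discard` was set; the `lib.optionals cfg.discard [ "discard=async" ]` form on the right honours the option. Say so in the commit message, because hosts with `discard` disabled will see their mount options change on the next switch.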
@ -62,11 +56,15 @@ in
# Enable TPM auto-unlocking if configured # Enable TPM auto-unlocking if configured
crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ]; crypttabExtraOpts = lib.mkIf config.aux.system.bootloader.tpm2.enable [ "tpm2-device=auto" ];
}; };
fileSystems = { fileSystems =
{
"/" = { "/" = {
device = decryptPath; device = decryptPath;
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@" ] ++ primaryPartOpts; options = [
"subvol=@"
"compress=zstd"
] ++ lib.optionals cfg.discard [ "discard=async" ];
}; };
"/boot" = { "/boot" = {
device = cfg.partitions.boot; device = cfg.partitions.boot;
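Review bot: the `"compress=zstd"` plus `lib.optionals cfg.discard [ "discard=async" ]` pair is now repeated per subvolume; keep a helper such as `primaryPartOpts = [ "compress=zstd" ] ++ lib.optionals cfg.discard [ "discard=async" ];` in the `let` block so the options stay in sync across `/`, `/home`, `/var/log` and `/nix` and the fix lives in one place.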
@ -75,29 +73,37 @@ in
"/home" = { "/home" = {
device = decryptPath; device = decryptPath;
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@home" ] ++ primaryPartOpts; options = [
"subvol=@home"
"compress=zstd"
] ++ lib.optionals cfg.discard [ "discard=async" ];
}; };
"/var/log" = { "/var/log" = {
device = decryptPath; device = decryptPath;
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@log" ] ++ primaryPartOpts; options = [
"subvol=@log"
"compress=zstd"
] ++ lib.optionals cfg.discard [ "discard=async" ];
}; };
"/nix" = { "/nix" = {
device = decryptPath; device = decryptPath;
fsType = "btrfs"; fsType = "btrfs";
options = [ options = [
"subvol=@nix" "subvol=@nix"
"compress=zstd"
"noatime" "noatime"
] ++ primaryPartOpts; ] ++ lib.optionals cfg.discard [ "discard=async" ];
}; };
"/swap" = lib.mkIf cfg.swapFile.enable { }
// lib.optionalAttrs cfg.swapFile.enable {
"/swap" = {
device = decryptPath; device = decryptPath;
fsType = "btrfs"; fsType = "btrfs";
options = [ options = [
"subvol=@swap" "subvol=@swap"
"noatime" "noatime"
(lib.mkIf cfg.discard "discard=async").content ] ++ lib.optionals cfg.discard [ "discard=async" ];
];
}; };
}; };
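Review bot: `// lib.optionalAttrs cfg.swapFile.enable { "/swap" = { ... }; }` is plain Nix and so sidesteps the module system's handling of `mkIf` inside `attrsOf`, which is fine here; note that `/swap` keeps `noatime` and deliberately omits `compress=zstd` (a btrfs swapfile must not be compressed), so a one-line comment on the `/swap` entry saying why would stop someone later "fixing" it to match the other subvolumes.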

View file

@ -32,7 +32,10 @@ in
gnutar gnutar
gzip gzip
home-manager home-manager
openssh lm_sensors
config.nix.package.out
nh
config.programs.ssh.package
sudo sudo
xz.bin xz.bin
]; ];
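Review bot: replacing `openssh` with `config.programs.ssh.package` (and adding `config.nix.package.out`) ties the installed binaries to whatever `programs.ssh.package` and `nix.package` are configured, which avoids two different versions on PATH; good. The `nh` and `lm_sensors` additions match the README's switch to `nh` and the removal of `lm_sensors` from the per-user package list earlier in this diff, but the change description should mention that move.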

View file

@ -59,7 +59,6 @@ in
noto-fonts-emoji noto-fonts-emoji
liberation_ttf liberation_ttf
fira-code fira-code
fira-code-nerdfont
fira-code-symbols fira-code-symbols
fira fira
roboto-slab roboto-slab

View file

@ -87,13 +87,16 @@ in
matchBlocks = config.secrets.users.aires.sshConfig; matchBlocks = config.secrets.users.aires.sshConfig;
}; };
# Tweak Zsh # Set up Zsh
zsh = { zsh = {
oh-my-zsh = {
theme = "gentoo";
};
shellAliases = { shellAliases = {
nos = "nixos-operations-script"; nos = "nixos-operations-script";
z = "zellij"; z = "zellij";
update = "upgrade"; update = "upgrade";
upgrade = "nos --update"; upgrade = "nos";
}; };
loginExtra = "fastfetch --memory-percent-green 75 --memory-percent-yellow 90"; loginExtra = "fastfetch --memory-percent-green 75 --memory-percent-yellow 90";
}; };
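Review bot: on the right, `upgrade = "nos";` no longer passes `--update`, so the `upgrade` alias (and `update`, which maps to it) stops refreshing `flake.lock`; that is a silent behaviour change, and if it is intended the alias names should say so. These aliases also still point at `nixos-operations-script`, whereas the README on the right side tells users to run `nh os switch --update`, so the two need reconciling.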

View file

@ -1,24 +1,29 @@
# Additional ZSH settings via Home Manager # Additional ZSH settings via Home Manager
{ pkgs, ... }: { pkgs, ... }:
{ {
programs = { programs.zsh = {
# Set up Starship
# https://starship.rs/
starship = {
enable = true;
enableZshIntegration = true;
};
zsh = {
enable = true; enable = true;
autosuggestion.enable = true; autosuggestion.enable = true;
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
history.ignoreDups = true; # Do not enter command lines into the history list if they are duplicates of the previous event. history.ignoreDups = true; # Do not enter command lines into the history list if they are duplicates of the previous event.
initExtra = '' prezto = {
function set_win_title(){ git.submoduleIgnore = "untracked"; # Ignore submodules when they are untracked.
echo -ne "\033]0; $(basename "$PWD") \007" };
plugins = [
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "chisui";
repo = "zsh-nix-shell";
rev = "v0.8.0";
sha256 = "1lzrn0n4fxfcgg65v0qhnj7wnybybqzs4adz7xsrkgmcsr0ii8b7";
};
} }
precmd_functions+=(set_win_title) ];
''; oh-my-zsh = {
enable = true;
plugins = [ "git" ];
}; };
}; };
} }
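Review bot: `prezto` and `oh-my-zsh` are both enabled in the same `programs.zsh` block (with `prezto.git.submoduleIgnore` and `oh-my-zsh.plugins = [ "git" ]`), which loads two frameworks with overlapping git integration; pick one. On the `zsh-nix-shell` plugin, `fetchFromGitHub` with `sha256` pins the content, so a moved `v0.8.0` tag would fail the hash check rather than run different code, but pin `rev` to the commit hash as well so the intended revision is explicit in the diff. The dropped Starship setup and the `initExtra` terminal-title hook are not mentioned anywhere; confirm they are intentionally removed.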

View file

@ -90,6 +90,23 @@ in
enable = true; enable = true;
matchBlocks = config.secrets.users.gremlin.sshConfig; matchBlocks = config.secrets.users.gremlin.sshConfig;
}; };
# Set up Zsh
zsh = {
# Install and source the p10k theme
plugins = [
{
name = "powerlevel10k";
src = pkgs.zsh-powerlevel10k;
file = "share/zsh-powerlevel10k/powerlevel10k.zsh-theme";
}
{
name = "powerlevel10k-config";
src = ./p10k-config;
file = "p10k.zsh";
}
];
};
}; };
}; };
}) })
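Review bot: `src = ./p10k-config` with `file = "p10k.zsh"` sources a repo-local shell file at every login, so treat that directory as executable code in review and keep credentials out of it; it is copied into `/nix/store` and is world-readable there, exactly as the README already warns for `modules/secrets`.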

File diff suppressed because it is too large