From 0322c74f99cd36ef8f941b424addd3aad6c1264f Mon Sep 17 00:00:00 2001 From: Christoph Hollizeck Date: Fri, 21 Nov 2025 14:51:19 +0100 Subject: [PATCH] nixberry: first steps towards new config --- flake.lock | 137 +++++++++----- flake.nix | 34 ++-- modules/flake-parts/host-machines.nix | 30 +++- modules/hosts/loptland/default.nix | 1 + modules/hosts/nixberry/default.nix | 248 +++++++++++++++++++++++++- modules/server/acme.nix | 2 +- 6 files changed, 374 insertions(+), 78 deletions(-) diff --git a/flake.lock b/flake.lock index 8302382..d39dce2 100644 --- a/flake.lock +++ b/flake.lock @@ -33,6 +33,22 @@ "type": "github" } }, + "argononed": { + "flake": false, + "locked": { + "lastModified": 1729566243, + "narHash": "sha256-DPNI0Dpk5aym3Baf5UbEe5GENDrSmmXVdriRSWE+rgk=", + "owner": "nvmd", + "repo": "argononed", + "rev": "16dbee54d49b66d5654d228d1061246b440ef7cf", + "type": "github" + }, + "original": { + "owner": "nvmd", + "repo": "argononed", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -123,27 +139,6 @@ "type": "github" } }, - "fenix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1763707297, - "narHash": "sha256-Bd9VGavwFBLpyU4pjiWfv73gUibNj8dc3xmOW8ff3bI=", - "owner": "nix-community", - "repo": "fenix", - "rev": "7c2d3a165a4a080fdcb6c191d8f9768281c99f75", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { 
@@ -1245,6 +1240,53 @@ "type": "github" } }, + "nixos-images": { + "inputs": { + "nixos-stable": [ + "nixos-raspberrypi", + "nixpkgs" + ], + "nixos-unstable": [ + "nixos-raspberrypi", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747747741, + "narHash": "sha256-LUOH27unNWbGTvZFitHonraNx0JF/55h30r9WxqrznM=", + "owner": "nvmd", + "repo": "nixos-images", + "rev": "cbbd6db325775096680b65e2a32fb6187c09bbb4", + "type": "github" + }, + "original": { + "owner": "nvmd", + "ref": "sdimage-installer", + "repo": "nixos-images", + "type": "github" + } + }, + "nixos-raspberrypi": { + "inputs": { + "argononed": "argononed", + "nixos-images": "nixos-images", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1758967172, + "narHash": "sha256-zRASAVS7tX7gPdvCUbi2m7KGX0jNuMlaOFqbkUZhu9k=", + "owner": "nvmd", + "repo": "nixos-raspberrypi", + "rev": "09c214a30e5a27e0fa92a9975b91c82ba05d1f17", + "type": "github" + }, + "original": { + "owner": "nvmd", + "ref": "main", + "repo": "nixos-raspberrypi", + "type": "github" + } + }, "nixos-wsl": { "inputs": { "flake-compat": "flake-compat_4", @@ -1393,6 +1435,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1758583444, + "narHash": "sha256-OnYthHIsVIMrZDWtCEp6Zde8ZtMcEBnpyCIdtTKU7bo=", + "owner": "nvmd", + "repo": "nixpkgs", + "rev": "d8551a2038e21091fce8157e070bdb25dca0a94f", + "type": "github" + }, + "original": { + "owner": "nvmd", + "ref": "modules-with-keys-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1763421233, "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", @@ -1408,7 +1466,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1763553727, "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=", @@ -1424,7 +1482,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1763191728, "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", 
@@ -1440,7 +1498,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1761236834, "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=", @@ -1456,7 +1514,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1762977756, "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", @@ -1499,7 +1557,6 @@ "inputs": { "catppuccin": "catppuccin", "devenv": "devenv", - "fenix": "fenix", "flake-parts": "flake-parts_2", "git-hooks": "git-hooks_2", "gpg-base-conf": "gpg-base-conf", @@ -1516,8 +1573,9 @@ "nix-gaming": "nix-gaming", "nix-ld": "nix-ld", "nixos-hardware": "nixos-hardware", + "nixos-raspberrypi": "nixos-raspberrypi", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-latest-factorio": "nixpkgs-latest-factorio", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", @@ -1530,23 +1588,6 @@ "zls": "zls" } }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1763648203, - "narHash": "sha256-/WJdebbRD+m5vr2xy/bJdCpqd7YHSMapjuXAM/0lvtA=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "eaaa2da9fbbfd7a79ff501e0563351cb2004574a", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, "rust-overlay": { "inputs": { "nixpkgs": [ @@ -1573,7 +1614,7 @@ "blobs": "blobs", "flake-compat": "flake-compat_5", "git-hooks": "git-hooks_3", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1763564778, @@ -1591,7 +1632,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1763607916, @@ -1669,7 +1710,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1762938485, 
@@ -1762,7 +1803,7 @@ "zen-browser": { "inputs": { "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1763663426, diff --git a/flake.nix b/flake.nix index 07b0c5e..db1cc36 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,5 @@ { - description = "All encompassing flake"; + description = "Infrastructure flake for my machines"; outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } (inputs.import-tree ./modules); @@ -25,12 +25,6 @@ nixos-hardware.url = "github:nixos/nixos-hardware"; - nixos-wsl = { - url = "github:nix-community/NixOS-WSL"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # Run unpatched dynamically compiled binaries nix-ld = { url = "github:Mic92/nix-ld"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -41,6 +35,15 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + # Support for special cases + nixos-wsl = { + url = "github:nix-community/NixOS-WSL"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi/main"; + ############ + nix-gaming = { url = "github:fufexan/nix-gaming"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -77,7 +80,7 @@ niri-flake = { url = "github:sodiboo/niri-flake"; - # url = "github:Daholli/niri-flake/1067d35dd18f6a55f79873c944f1427a9eb7caa7"; + # url = "github:Daholli/niri-flake/1067d35dd18f6a55f79873c944f1427a9eb7caa7"; # for debugging inputs = { niri-stable.follows = "niri"; nixpkgs.follows = "nixpkgs"; @@ -89,9 +92,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - # GPG default configuration gpg-base-conf = { - url = "github:drduh/config"; + url = "github:drduh/config"; # GPG default configuration flake = false; }; @@ -99,8 +101,8 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; - ################ - ## inputs for dev shells + ### + # inputs for dev shells git-hooks = { url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; 
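Review bot: `nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi/main";` tracks a moving branch of a personal fork and, unlike every neighbouring input, sets no `inputs.nixpkgs.follows`; the lock updated in this same commit shows it consequently pulls its own `nvmd/nixpkgs` fork (`modules-with-keys-25.05`) and `nvmd/nixos-images`, so the Pi host is built from a third-party nixpkgs tree rather than the channel the other hosts share. That is plausibly required (the fork name suggests patched modules), but it widens the supply chain to whatever lands on that branch at the next `nix flake update`, and the missing `follows` looks like an oversight to anyone skimming the block. Pin to a commit or tag, e.g. `nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi/09c214a30e5a27e0fa92a9975b91c82ba05d1f17";`, and add a comment such as `# no nixpkgs.follows on purpose: needs nvmd's patched nixpkgs` so the omission is not "fixed" later.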
@@ -111,7 +113,7 @@ # inputs.nixpkgs.follows = "nixpkgs"; }; - # zig + # Zig zig-overlay = { url = "github:mitchellh/zig-overlay"; inputs.nixpkgs.follows = "nixpkgs"; @@ -122,12 +124,6 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.zig-overlay.follows = "zig-overlay"; }; - - # rust - fenix = { - url = "github:nix-community/fenix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; } diff --git a/modules/flake-parts/host-machines.nix b/modules/flake-parts/host-machines.nix index 30fd259..8f83504 100644 --- a/modules/flake-parts/host-machines.nix +++ b/modules/flake-parts/host-machines.nix @@ -19,18 +19,32 @@ in name = lib.removePrefix prefix name; }; }; + + raspberrypis = [ "nixberry" ]; in { name = lib.removePrefix prefix name; - value = inputs.nixpkgs.lib.nixosSystem { - inherit specialArgs; - modules = module.imports ++ [ - inputs.home-manager.nixosModules.home-manager - { - home-manager.extraSpecialArgs = specialArgs; + value = + if builtins.elem name raspberrypis then + inputs.nixos-raspberrypi.lib.nixosSystem { + inherit specialArgs; + modules = module.imports ++ [ + inputs.home-manager.nixosModules.home-manager + { + home-manager.extraSpecialArgs = specialArgs; + } + ]; } - ]; - }; + else + inputs.nixpkgs.lib.nixosSystem { + inherit specialArgs; + modules = module.imports ++ [ + inputs.home-manager.nixosModules.home-manager + { + home-manager.extraSpecialArgs = specialArgs; + } + ]; + }; } )) ]; diff --git a/modules/hosts/loptland/default.nix b/modules/hosts/loptland/default.nix index 8b15dd0..985e0e7 100644 --- a/modules/hosts/loptland/default.nix +++ b/modules/hosts/loptland/default.nix @@ -33,6 +33,7 @@ in # System modules base server + loptland-acme hydra forgejo forgejo-runner diff --git a/modules/hosts/nixberry/default.nix b/modules/hosts/nixberry/default.nix index 57dc1a5..9fb4340 100644 --- a/modules/hosts/nixberry/default.nix +++ b/modules/hosts/nixberry/default.nix 
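Review bot: `builtins.elem name raspberrypis` tests the un-stripped module name, since the very next line still has to apply `lib.removePrefix prefix name` to produce the attribute key; if `prefix` is the `hosts/` seen in the module attribute names elsewhere in this patch, `"hosts/nixberry"` never matches `"nixberry"` and nixberry silently falls through to `inputs.nixpkgs.lib.nixosSystem`, losing the Pi modules without an error. Both branches also duplicate the whole `nixosSystem` call, differing only in the builder. Compute the stripped name once, select the builder in the `let`, and make a single call; the surrounding `let … in` and the `mapAttrs'`/`listToAttrs` wrapper start and end outside the hunk.
```nix
      # … unchanged: specialArgs binding …
      raspberrypis = [ "nixberry" ];
      hostName = lib.removePrefix prefix name;
      mkSystem =
        if builtins.elem hostName raspberrypis then
          inputs.nixos-raspberrypi.lib.nixosSystem
        else
          inputs.nixpkgs.lib.nixosSystem;
    in
    {
      name = hostName;
      value = mkSystem {
        inherit specialArgs;
        modules = module.imports ++ [
          inputs.home-manager.nixosModules.home-manager
          { home-manager.extraSpecialArgs = specialArgs; }
        ];
      };
    }
```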
@@ -5,7 +5,251 @@ let in { - flake.modules.nixos."hosts/nixberry" = { + flake.modules.nixos."hosts/nixberry" = + { inputs, pkgs, ... }: + let - }; + ipAddress = "192.168.178.2"; + sopsFile = ../../../secrets/secrets-nixberry.yaml; + kernelBundle = pkgs.linuxAndFirmware.v6_6_31; + in + { + nixpkgs = { + config.allowUnfree = true; + hostPlatform = { + system = "aarch64-linux"; + }; + + overlays = [ + (self: super: { + inherit (kernelBundle) raspberrypiWirelessFirmware; + inherit (kernelBundle) raspberrypifw; + }) + ]; + }; + + boot = { + loader.raspberryPi.firmwarePackage = kernelBundle.raspberrypifw; + loader.raspberryPi.bootloader = "kernel"; + kernelPackages = kernelBundle.linuxPackages_rpi5; + }; + + system.nixos.tags = + let + cfg = config.boot.loader.raspberryPi; + in + [ + "raspberry-pi-${cfg.variant}" + cfg.bootloader + config.boot.kernelPackages.kernel.version + ]; + + imports = + with config.flake.modules.nixos; + with inputs.nixos-raspberrypi.nixosModules; + [ + inputs.catppuccin.nixosModules.catppuccin + raspberry-pi-5.base + raspberry-pi-5.page-size-16k # Recommended: optimizations and fixes for issues arising from 16k memory page size (only for systems running default rpi5 (bcm2712) kernel) + raspberry-pi-5.bluetooth + raspberry-pi-5.display-vc4 # display + + # System modules + base + server + + cholli + ] + ++ [ + { + home-manager.users.cholli = { + imports = with config.flake.modules.homeManager; [ + inputs.catppuccin.homeModules.catppuccin + + # components + base + + # Activate all user based config + cholli + ]; + }; + } + ]; + + services.tailscale = { + enable = true; + useRoutingFeatures = "server"; + }; + + networking = { + interfaces.end0 = { + ipv4.addresses = [ + { + address = ipAddress; + prefixLength = 24; + } + ]; + useDHCP = true; + }; + interfaces.wlan0 = { + ipv4.addresses = [ + { + address = "192.168.178.3"; + prefixLength = 24; + } + ]; + useDHCP = true; + }; + defaultGateway = { + address = "192.168.178.1"; + interface = "wlan0"; + }; 
+ + wireless = { + enable = true; + networks = { + "Slow Internet" = { + pskRaw = "521b6d766b27276c29c7b6bec5b495b1c52bf88b0682277e65b37dc649b630de"; + }; + }; + }; + firewall = { + allowedTCPPorts = [ + 443 + 53 + 80 + ]; + allowedUDPPorts = [ + 53 + ]; + }; + }; + + services.adguardhome = { + enable = true; + host = ipAddress; + port = 80; + + settings = { + http = { + address = "0.0.0.0:80"; + }; + dns = { + ratelimit = 0; + bind_hosts = [ "0.0.0.0" ]; + upstream_dns = [ + "1.1.1.1" + "1.0.0.1" + "8.8.8.8" + "8.8.4.4" + ]; + }; + filtering = { + protection_enabled = true; + filtering_enabled = true; + }; + + filters = + map + (url: { + enabled = true; + url = url; + }) + [ + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt" # AdGuard Dns filter + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_59.txt" # AdGuard Dns PopupHosts filter + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt" # Phishing + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt" + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt" + ]; + + statistics = { + enabled = true; + interval = "8760h"; + }; + }; + }; + + services.home-assistant = { + enable = true; + configWritable = true; + extraComponents = [ + "default_config" + "analytics" + "shopping_list" + "fritzbox" + "met" + "esphome" + "rpi_power" + "tuya" + ]; + + customComponents = with pkgs.home-assistant-custom-components; [ + smartthinq-sensors + sleep_as_android + ]; + + extraPackages = + python3Packages: with python3Packages; [ + ical + ]; + + customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [ + mushroom + bubble-card + clock-weather-card + vacuum-card + ]; + + config = { + homeassistant = { + latitude = 
49.4; + longitude = 8.6; + temperature_unit = "C"; + unit_system = "metric"; + + external_url = "https://ha.christophhollizeck.dev"; + internal_url = "http://192.168.178.2:8123"; + }; + + default_config = ""; + + mobile_app = ""; + recorder = ""; + + lovelace = { + # mode = "yaml"; + resources = [ + { + url = "/local/nixos-lovelace-modules/vacuum-card.js"; + type = "module"; + } + { + url = "/local/nixos-lovelace-modules/bubble-card.js"; + type = "module"; + } + { + url = "/local/nixos-lovelace-modules/clock-weather-card.js"; + type = "module"; + } + { + url = "/local/nixos-lovelace-modules/mushroom.js"; + type = "module"; + } + ]; + }; + + http = { + use_x_forwarded_for = true; + trusted_proxies = [ + "100.86.250.97" # loptland tailscale + ]; + }; + }; + openFirewall = true; + }; + + }; } diff --git a/modules/server/acme.nix b/modules/server/acme.nix index 2c63600..81d509f 100644 --- a/modules/server/acme.nix +++ b/modules/server/acme.nix @@ -1,5 +1,5 @@ topLevel: { - flake.modules.nixos.server = + flake.modules.nixos.loptland-acme = { config, lib,
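Review bot: `networking.wireless.networks."Slow Internet".pskRaw = "521b…30de"` commits the Wi-Fi key material to git in cleartext; the raw PSK is exactly what wpa_supplicant authenticates with, so anyone with the repository history can join the network, and the `sopsFile = ../../../secrets/secrets-nixberry.yaml` binding declared in the same `let` is never used. Move the key into that sops file, point `networking.wireless.secretsFile` at the decrypted secret's path and set `pskRaw = "ext:psk_slow_internet";` (the `ext:` lookup form available on the 25.05-based nixpkgs this host builds from), then rotate the passphrase because the current one is already in history. AdGuard Home is also exposed wider than `host = ipAddress` suggests: `settings.http.address = "0.0.0.0:80"` and `dns.bind_hosts = [ "0.0.0.0" ]` together with the all-interface firewall openings for 53/80/443 put the admin UI (unauthenticated until first-run setup) and the resolver on every interface, including `tailscale0` with `useRoutingFeatures = "server"`; binding both to `ipAddress`, e.g. `address = "${ipAddress}:80";` and `bind_hosts = [ ipAddress ];`, keeps it a LAN-only resolver. Separately, `system.nixos.tags` reads `config.boot.loader.raspberryPi` and `config.boot.kernelPackages`, but the module function binds only `{ inputs, pkgs, ... }`, so `config` there appears to be the outer flake-parts config that `imports` reads `flake.modules.nixos` from, which has no `boot` attribute and should fail evaluation; capturing the NixOS arguments as `{ inputs, pkgs, ... }@osArgs:` and using `osArgs.config.boot` would resolve it. The module's enclosing `let` header is outside the hunk.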