nixberry: first steps towards new config

2025-11-21 14:51:19 +01:00 · 2025-11-21 14:51:19 +01:00 · 0322c74f99
commit 0322c74f99
parent 7139d729e6
6 changed files with 374 additions and 78 deletions
--- a/flake.lock
+++ b/flake.lock
@ -33,6 +33,22 @@
        "type": "github"
      }
    },
+    "argononed": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1729566243,
+        "narHash": "sha256-DPNI0Dpk5aym3Baf5UbEe5GENDrSmmXVdriRSWE+rgk=",
+        "owner": "nvmd",
+        "repo": "argononed",
+        "rev": "16dbee54d49b66d5654d228d1061246b440ef7cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nvmd",
+        "repo": "argononed",
+        "type": "github"
+      }
+    },
    "blobs": {
      "flake": false,
      "locked": {
@ -123,27 +139,6 @@
        "type": "github"
      }
    },
-    "fenix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-analyzer-src": "rust-analyzer-src"
-      },
-      "locked": {
-        "lastModified": 1763707297,
-        "narHash": "sha256-Bd9VGavwFBLpyU4pjiWfv73gUibNj8dc3xmOW8ff3bI=",
-        "owner": "nix-community",
-        "repo": "fenix",
-        "rev": "7c2d3a165a4a080fdcb6c191d8f9768281c99f75",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "fenix",
-        "type": "github"
-      }
-    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -1245,6 +1240,53 @@
        "type": "github"
      }
    },
+    "nixos-images": {
+      "inputs": {
+        "nixos-stable": [
+          "nixos-raspberrypi",
+          "nixpkgs"
+        ],
+        "nixos-unstable": [
+          "nixos-raspberrypi",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747747741,
+        "narHash": "sha256-LUOH27unNWbGTvZFitHonraNx0JF/55h30r9WxqrznM=",
+        "owner": "nvmd",
+        "repo": "nixos-images",
+        "rev": "cbbd6db325775096680b65e2a32fb6187c09bbb4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nvmd",
+        "ref": "sdimage-installer",
+        "repo": "nixos-images",
+        "type": "github"
+      }
+    },
+    "nixos-raspberrypi": {
+      "inputs": {
+        "argononed": "argononed",
+        "nixos-images": "nixos-images",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1758967172,
+        "narHash": "sha256-zRASAVS7tX7gPdvCUbi2m7KGX0jNuMlaOFqbkUZhu9k=",
+        "owner": "nvmd",
+        "repo": "nixos-raspberrypi",
+        "rev": "09c214a30e5a27e0fa92a9975b91c82ba05d1f17",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nvmd",
+        "ref": "main",
+        "repo": "nixos-raspberrypi",
+        "type": "github"
+      }
+    },
    "nixos-wsl": {
      "inputs": {
        "flake-compat": "flake-compat_4",
@ -1393,6 +1435,22 @@
      }
    },
    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1758583444,
+        "narHash": "sha256-OnYthHIsVIMrZDWtCEp6Zde8ZtMcEBnpyCIdtTKU7bo=",
+        "owner": "nvmd",
+        "repo": "nixpkgs",
+        "rev": "d8551a2038e21091fce8157e070bdb25dca0a94f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nvmd",
+        "ref": "modules-with-keys-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1763421233,
        "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
@ -1408,7 +1466,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
      "locked": {
        "lastModified": 1763553727,
        "narHash": "sha256-4aRqRkYHplWk0mrtoF5i3Uo73E3niOWiUZU8kmPm9hQ=",
@ -1424,7 +1482,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
      "locked": {
        "lastModified": 1763191728,
        "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=",
@ -1440,7 +1498,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
      "locked": {
        "lastModified": 1761236834,
        "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=",
@ -1456,7 +1514,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_7": {
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1762977756,
        "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
@ -1499,7 +1557,6 @@
      "inputs": {
        "catppuccin": "catppuccin",
        "devenv": "devenv",
-        "fenix": "fenix",
        "flake-parts": "flake-parts_2",
        "git-hooks": "git-hooks_2",
        "gpg-base-conf": "gpg-base-conf",
@ -1516,8 +1573,9 @@
        "nix-gaming": "nix-gaming",
        "nix-ld": "nix-ld",
        "nixos-hardware": "nixos-hardware",
+        "nixos-raspberrypi": "nixos-raspberrypi",
        "nixos-wsl": "nixos-wsl",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
        "nixpkgs-latest-factorio": "nixpkgs-latest-factorio",
        "nixpkgs-master": "nixpkgs-master",
        "nixpkgs-unstable": "nixpkgs-unstable",
@ -1530,23 +1588,6 @@
        "zls": "zls"
      }
    },
-    "rust-analyzer-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1763648203,
-        "narHash": "sha256-/WJdebbRD+m5vr2xy/bJdCpqd7YHSMapjuXAM/0lvtA=",
-        "owner": "rust-lang",
-        "repo": "rust-analyzer",
-        "rev": "eaaa2da9fbbfd7a79ff501e0563351cb2004574a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "rust-lang",
-        "ref": "nightly",
-        "repo": "rust-analyzer",
-        "type": "github"
-      }
-    },
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
@ -1573,7 +1614,7 @@
        "blobs": "blobs",
        "flake-compat": "flake-compat_5",
        "git-hooks": "git-hooks_3",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
      },
      "locked": {
        "lastModified": 1763564778,
@ -1591,7 +1632,7 @@
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
        "lastModified": 1763607916,
@ -1669,7 +1710,7 @@
    },
    "treefmt-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
        "lastModified": 1762938485,
@ -1762,7 +1803,7 @@
    "zen-browser": {
      "inputs": {
        "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_7"
+        "nixpkgs": "nixpkgs_8"
      },
      "locked": {
        "lastModified": 1763663426,
--- a/flake.nix
+++ b/flake.nix
@ -1,5 +1,5 @@
 {
-  description = "All encompassing flake";
+  description = "Infrastructure flake for my machines";

  outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } (inputs.import-tree ./modules);

@ -25,12 +25,6 @@

    nixos-hardware.url = "github:nixos/nixos-hardware";

-    nixos-wsl = {
-      url = "github:nix-community/NixOS-WSL";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    # Run unpatched dynamically compiled binaries
    nix-ld = {
      url = "github:Mic92/nix-ld";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -41,6 +35,15 @@
      inputs.nixpkgs.follows = "nixpkgs-unstable";
    };

+    # Support for special cases
+    nixos-wsl = {
+      url = "github:nix-community/NixOS-WSL";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixos-raspberrypi.url = "github:nvmd/nixos-raspberrypi/main";
+    ############
+
    nix-gaming = {
      url = "github:fufexan/nix-gaming";
      inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -77,7 +80,7 @@

    niri-flake = {
      url = "github:sodiboo/niri-flake";
-      # url = "github:Daholli/niri-flake/1067d35dd18f6a55f79873c944f1427a9eb7caa7";
+      # url = "github:Daholli/niri-flake/1067d35dd18f6a55f79873c944f1427a9eb7caa7"; # for debugging
      inputs = {
        niri-stable.follows = "niri";
        nixpkgs.follows = "nixpkgs";
@ -89,9 +92,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    # GPG default configuration
    gpg-base-conf = {
-      url = "github:drduh/config";
+      url = "github:drduh/config"; # GPG default configuration
      flake = false;
    };

@ -99,8 +101,8 @@

    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";

-    ################
-    ## inputs for dev shells
+    ###
+    # inputs for dev shells
    git-hooks = {
      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
@ -111,7 +113,7 @@
      # inputs.nixpkgs.follows = "nixpkgs";
    };

-    # zig
+    # Zig
    zig-overlay = {
      url = "github:mitchellh/zig-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
@ -122,12 +124,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.zig-overlay.follows = "zig-overlay";
    };
-
-    # rust
-    fenix = {
-      url = "github:nix-community/fenix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };

 }
--- a/modules/flake-parts/host-machines.nix
+++ b/modules/flake-parts/host-machines.nix
@ -19,10 +19,24 @@ in
            name = lib.removePrefix prefix name;
          };
        };
+
+        raspberrypis = [ "nixberry" ];
      in
      {
        name = lib.removePrefix prefix name;
-        value = inputs.nixpkgs.lib.nixosSystem {
+        value =
+          if builtins.elem name raspberrypis then
+            inputs.nixos-raspberrypi.lib.nixosSystem {
+              inherit specialArgs;
+              modules = module.imports ++ [
+                inputs.home-manager.nixosModules.home-manager
+                {
+                  home-manager.extraSpecialArgs = specialArgs;
+                }
+              ];
+            }
+          else
+            inputs.nixpkgs.lib.nixosSystem {
              inherit specialArgs;
              modules = module.imports ++ [
                inputs.home-manager.nixosModules.home-manager
--- a/modules/hosts/loptland/default.nix
+++ b/modules/hosts/loptland/default.nix
@ -33,6 +33,7 @@ in
          # System modules
          base
          server
+          loptland-acme
          hydra
          forgejo
          forgejo-runner
--- a/modules/hosts/nixberry/default.nix
+++ b/modules/hosts/nixberry/default.nix
@ -5,7 +5,251 @@
 let
 in
 {
-  flake.modules.nixos."hosts/nixberry" = {
+  flake.modules.nixos."hosts/nixberry" =
+    { inputs, pkgs, ... }:
+    let
+
+      ipAddress = "192.168.178.2";
+      sopsFile = ../../../secrets/secrets-nixberry.yaml;
+      kernelBundle = pkgs.linuxAndFirmware.v6_6_31;
+    in
+    {
+      nixpkgs = {
+        config.allowUnfree = true;
+        hostPlatform = {
+          system = "aarch64-linux";
+        };
+
+        overlays = [
+          (self: super: {
+            inherit (kernelBundle) raspberrypiWirelessFirmware;
+            inherit (kernelBundle) raspberrypifw;
+          })
+        ];
+      };
+
+      boot = {
+        loader.raspberryPi.firmwarePackage = kernelBundle.raspberrypifw;
+        loader.raspberryPi.bootloader = "kernel";
+        kernelPackages = kernelBundle.linuxPackages_rpi5;
+      };
+
+      system.nixos.tags =
+        let
+          cfg = config.boot.loader.raspberryPi;
+        in
+        [
+          "raspberry-pi-${cfg.variant}"
+          cfg.bootloader
+          config.boot.kernelPackages.kernel.version
+        ];
+
+      imports =
+        with config.flake.modules.nixos;
+        with inputs.nixos-raspberrypi.nixosModules;
+        [
+          inputs.catppuccin.nixosModules.catppuccin
+          raspberry-pi-5.base
+          raspberry-pi-5.page-size-16k # Recommended: optimizations and fixes for issues arising from 16k memory page size (only for systems running default rpi5 (bcm2712) kernel)
+          raspberry-pi-5.bluetooth
+          raspberry-pi-5.display-vc4 # display
+
+          # System modules
+          base
+          server
+
+          cholli
+        ]
+        ++ [
+          {
+            home-manager.users.cholli = {
+              imports = with config.flake.modules.homeManager; [
+                inputs.catppuccin.homeModules.catppuccin
+
+                # components
+                base
+
+                # Activate all user based config
+                cholli
+              ];
+            };
+          }
+        ];
+
+      services.tailscale = {
+        enable = true;
+        useRoutingFeatures = "server";
+      };
+
+      networking = {
+        interfaces.end0 = {
+          ipv4.addresses = [
+            {
+              address = ipAddress;
+              prefixLength = 24;
+            }
+          ];
+          useDHCP = true;
+        };
+        interfaces.wlan0 = {
+          ipv4.addresses = [
+            {
+              address = "192.168.178.3";
+              prefixLength = 24;
+            }
+          ];
+          useDHCP = true;
+        };
+        defaultGateway = {
+          address = "192.168.178.1";
+          interface = "wlan0";
+        };
+
+        wireless = {
+          enable = true;
+          networks = {
+            "Slow Internet" = {
+              pskRaw = "521b6d766b27276c29c7b6bec5b495b1c52bf88b0682277e65b37dc649b630de";
+            };
+          };
+        };
+        firewall = {
+          allowedTCPPorts = [
+            443
+            53
+            80
+          ];
+          allowedUDPPorts = [
+            53
+          ];
+        };
+      };
+
+      services.adguardhome = {
+        enable = true;
+        host = ipAddress;
+        port = 80;
+
+        settings = {
+          http = {
+            address = "0.0.0.0:80";
+          };
+          dns = {
+            ratelimit = 0;
+            bind_hosts = [ "0.0.0.0" ];
+            upstream_dns = [
+              "1.1.1.1"
+              "1.0.0.1"
+              "8.8.8.8"
+              "8.8.4.4"
+            ];
+          };
+          filtering = {
+            protection_enabled = true;
+            filtering_enabled = true;
+          };
+
+          filters =
+            map
+              (url: {
+                enabled = true;
+                url = url;
+              })
+              [
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt" # AdGuard Dns filter
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_59.txt" # AdGuard Dns PopupHosts filter
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt" # Phishing
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt"
+                "https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt"
+              ];
+
+          statistics = {
+            enabled = true;
+            interval = "8760h";
+          };
+        };
+      };
+
+      services.home-assistant = {
+        enable = true;
+        configWritable = true;
+        extraComponents = [
+          "default_config"
+          "analytics"
+          "shopping_list"
+          "fritzbox"
+          "met"
+          "esphome"
+          "rpi_power"
+          "tuya"
+        ];
+
+        customComponents = with pkgs.home-assistant-custom-components; [
+          smartthinq-sensors
+          sleep_as_android
+        ];
+
+        extraPackages =
+          python3Packages: with python3Packages; [
+            ical
+          ];
+
+        customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
+          mushroom
+          bubble-card
+          clock-weather-card
+          vacuum-card
+        ];
+
+        config = {
+          homeassistant = {
+            latitude = 49.4;
+            longitude = 8.6;
+            temperature_unit = "C";
+            unit_system = "metric";
+
+            external_url = "https://ha.christophhollizeck.dev";
+            internal_url = "http://192.168.178.2:8123";
+          };
+
+          default_config = "";
+
+          mobile_app = "";
+          recorder = "";
+
+          lovelace = {
+            # mode = "yaml";
+            resources = [
+              {
+                url = "/local/nixos-lovelace-modules/vacuum-card.js";
+                type = "module";
+              }
+              {
+                url = "/local/nixos-lovelace-modules/bubble-card.js";
+                type = "module";
+              }
+              {
+                url = "/local/nixos-lovelace-modules/clock-weather-card.js";
+                type = "module";
+              }
+              {
+                url = "/local/nixos-lovelace-modules/mushroom.js";
+                type = "module";
+              }
+            ];
+          };
+
+          http = {
+            use_x_forwarded_for = true;
+            trusted_proxies = [
+              "100.86.250.97" # loptland tailscale
+            ];
+          };
+        };
+        openFirewall = true;
+      };

    };
 }
--- a/modules/server/acme.nix
+++ b/modules/server/acme.nix
@ -1,5 +1,5 @@
 topLevel: {
-  flake.modules.nixos.server =
+  flake.modules.nixos.loptland-acme =
    {
      config,
      lib,