This commit is contained in:
Evan Reichard 2025-03-31 18:24:49 -04:00
parent 6cfbc68c8b
commit dccbb234f2
70 changed files with 1276 additions and 206 deletions

7
.sops.yaml Normal file

@ -0,0 +1,7 @@
keys:
- &admin_reichard age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *admin_reichard
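Review bot: The creation rule `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` matches only files directly under `secrets/`, yet the home configuration in this commit points `defaultSopsFile` at `secrets/mbp-nixos/default.yaml`; `sops` will refuse to create or re-encrypt that file because no rule matches it. If per-host subdirectories are intended, use `path_regex: secrets/.*\.(yaml|json|env|ini)$`. Separately, the only recipient is the admin age key, while the NixOS sops module in this commit decrypts with `/etc/ssh/ssh_host_ed25519_key`; unless that admin key is itself the `ssh-to-age` form of a host key, each consuming host's recipient has to be added to the key group and the files re-encrypted with `sops updatekeys` before activation-time decryption can succeed.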

8
TODO.md Normal file

@ -0,0 +1,8 @@
- Nix Builder
- Keys
- User
- Etc
- SSH
- Known Hosts

23
flake.lock generated

@ -244,7 +244,8 @@
"home-manager": "home-manager",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_2",
"snowfall-lib": "snowfall-lib"
"snowfall-lib": "snowfall-lib",
"sops-nix": "sops-nix"
}
},
"rust-overlay": {
@ -285,6 +286,26 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1743305778,
"narHash": "sha256-Ux/UohNtnM5mn9SFjaHp6IZe2aAnUCzklMluNtV6zFo=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "8e873886bbfc32163fe027b8676c75637b7da114",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,


@ -14,7 +14,6 @@
};
apple-silicon = {
url = "github:tpwrules/nixos-apple-silicon/releasep2-2024-12-25";
# ref = "releasep2-2024-12-25";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {
@ -25,6 +24,10 @@
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs:
@ -33,12 +36,53 @@
src = ./.;
snowfall = {
namespace = "reichard";
meta = {
name = "reichardnix";
title = "ReichardNix";
title = "Reichard";
name = "reichard";
};
};
namespace = "reichardnix";
homes.modules = with inputs; [
sops-nix.homeManagerModules.sops
];
systems.modules = {
nixos = with inputs; [
sops-nix.nixosModules.sops
];
};
outputs-builder = channels: {
# Define packages using nixos-generators
packages.x86_64-linux = {
# VMware image
vmware-image = inputs.nixos-generators.nixosGenerate {
system = "x86_64-linux";
format = "vmware";
modules = [
# Your VMware configuration
./hosts/vmware-image.nix
];
};
# Keep your other images
rke2-image = inputs.nixos-generators.nixosGenerate {
system = "x86_64-linux";
format = "vmware";
modules = [
./hosts/rke2-image.nix
];
};
usb-image = inputs.nixos-generators.nixosGenerate {
system = "x86_64-linux";
format = "raw-efi";
modules = [
./hosts/usb-image.nix
];
};
};
};
};
}
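Review bot: The comments `# Your VMware configuration` and `# Keep your other images` in the `outputs-builder` packages block are template leftovers that tell a reader nothing about the images; replace them with what each image targets, e.g. `# Generic VMware guest` and `# RKE2 node image (Xen guest, iSCSI initiator for democratic-csi)`. Note that `rke2-image` and `vmware-image` both use `format = "vmware"`, so the only difference between them is the host module each pulls in, which is worth saying in the comment.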


@ -1,20 +1,36 @@
{ pkgs, ... }:
{ pkgs, lib, config, namespace, ... }:
let
inherit (lib.${namespace}) enabled;
in
{
reichardnix = {
programs.btop.enable = true;
programs.direnv.enable = true;
programs.ghostty.enable = true;
programs.git.enable = true;
programs.k9s.enable = true;
programs.nvim.enable = true;
reichard = {
user = {
enable = true;
inherit (config.snowfallorg.user) name;
};
programs.hyprland.enable = false;
programs.aws.enable = false;
services = {
ssh-agent = enabled;
};
programs = {
graphical = {
ghostty = enabled;
};
terminal = {
btop = enabled;
direnv = enabled;
git = enabled;
k9s = enabled;
nvim = enabled;
};
};
};
# Global Packages
programs.jq.enable = true;
programs.pandoc.enable = true;
programs.jq = enabled;
programs.pandoc = enabled;
home.packages = with pkgs; [
android-tools
imagemagick
@ -31,7 +47,5 @@
.mode column
'';
# Enable Home Manager & Self Manage
home.stateVersion = "24.11";
programs.home-manager.enable = true;
}


@ -1,75 +1,52 @@
{ pkgs, ... }:
{ pkgs, lib, config, namespace, ... }:
let
inherit (pkgs.lib) mkForce;
inherit (pkgs.stdenv) isLinux;
inherit (lib.${namespace}) enabled;
in
{
reichardnix = {
programs.nvim.enable = true;
reichard = {
user = {
enable = true;
inherit (config.snowfallorg.user) name;
};
services = {
ssh-agent = enabled;
};
programs = {
graphical = {
ghostty = enabled;
};
terminal = {
btop = enabled;
direnv = enabled;
git = enabled;
k9s = enabled;
nvim = enabled;
aws = enabled;
};
};
};
# Home Manager Config
home.stateVersion = "24.11";
home.username = "evanreichard";
home.homeDirectory = mkForce (if isLinux then "/home/evanreichard" else "/Users/evanreichard");
programs.home-manager.enable = true;
# Global Packages
# home.packages = with pkgs; [
# (nerdfonts.override { fonts = [ "Meslo" ]; })
# # ghostty - Pending Darwin @ https://github.com/NixOS/nixpkgs/pull/369788
# android-tools
# awscli2
# bashInteractive
# cw
# fastfetch
# gitAndTools.gh
# google-cloud-sdk
# imagemagick
# kubectl
# kubernetes-helm
# mosh
# pre-commit
# python311
# ssm-session-manager-plugin
# texliveSmall # Pandoc PDF Dep
# thefuck
# tldr
# ]
# ++ optionals isLinux [
# ghostty
# hyprpaper
# firefox
# ]
# ++ optionals isDarwin [ ];
programs.jq = enabled;
programs.pandoc = enabled;
home.packages = with pkgs; [
android-tools
imagemagick
mosh
python311
texliveSmall # Pandoc PDF Dep
google-cloud-sdk
tldr
];
# # GitHub CLI
# programs.gh = {
# enable = true;
# settings = {
# git_protocol = "ssh";
# };
# };
# SQLite Configuration
home.file.".sqliterc".text = ''
.headers on
.mode column
'';
# # Misc Programs
# programs.jq.enable = true;
# programs.k9s.enable = true;
# programs.pandoc.enable = true;
# # Enable Flakes & Commands
# nix = {
# package = mkForce pkgs.nix;
# settings = {
# experimental-features = "nix-command flakes";
# };
# };
# # SQLite Configuration
# home.file.".sqliterc".text = ''
# .headers on
# .mode column
# '';
# # Darwin Spotlight Indexing Hack
# disabledModules = [ "targets/darwin/linkapps.nix" ];
home.stateVersion = "24.11";
}


@ -1,31 +1,47 @@
{ pkgs, config, ... }:
{ pkgs, lib, config, namespace, ... }:
let
inherit (lib.${namespace}) enabled;
in
{
reichardnix = {
reichard = {
user = {
enable = true;
inherit (config.snowfallorg.user) name;
};
programs = {
browsers.firefox = {
services = {
ssh-agent = enabled;
sops = {
enable = true;
gpuAcceleration = true;
hardwareDecoding = true;
defaultSopsFile = lib.snowfall.fs.get-file "secrets/mbp-nixos/default.yaml";
sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
};
};
programs = {
graphical = {
wms.hyprland = enabled;
ghostty = enabled;
browsers.firefox = {
enable = true;
gpuAcceleration = true;
hardwareDecoding = true;
};
};
btop.enable = true;
direnv.enable = true;
ghostty.enable = true;
git.enable = true;
hyprland.enable = true;
k9s.enable = true;
nvim.enable = true;
terminal = {
btop = enabled;
direnv = enabled;
git = enabled;
k9s = enabled;
nvim = enabled;
};
};
};
# Global Packages
programs.jq.enable = true;
programs.pandoc.enable = true;
programs.jq = enabled;
programs.pandoc = enabled;
home.packages = with pkgs; [
android-tools
imagemagick
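Review bot: `sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ]` duplicates the path that the home sops module added in this commit already prepends unconditionally (`[ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths`), so the same key ends up listed twice. Drop the line here and let the module default stand, or change the module to use `cfg.sshKeyPaths` as the only source. The enclosing attribute set continues past the end of this hunk.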

189
hosts/rke2-image.nix Normal file

@ -0,0 +1,189 @@
{ pkgs, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
config = {
# Basic System
system.stateVersion = "24.11";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
time.timeZone = "UTC";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
};
boot = {
initrd = {
availableKernelModules = [
# Xen
"xen_blkfront"
"xen_netfront"
];
kernelModules = [ "xen_netfront" "xen_blkfront" ];
supportedFilesystems = [ "ext4" "xenfs" ];
};
kernelModules = [
# Xen VM Requirements
"xen_netfront"
"xen_blkfront"
"xenfs"
# iSCSI
"iscsi_tcp"
];
};
# Add Intel Arc A310 GPU Drivers
nixpkgs.config.allowUnfree = true;
hardware.enableRedistributableFirmware = true;
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
libvdpau-va-gl
intel-vaapi-driver
intel-media-driver
intel-compute-runtime
intel-ocl
];
};
# Network Configuration
networking = {
hostName = lib.mkForce "";
useNetworkd = true;
useDHCP = false;
firewall = {
enable = true;
allowedTCPPorts = [
# RKE2 Ports - https://docs.rke2.io/install/requirements#networking
6443 # Kubernetes API
9345 # RKE2 supervisor API
2379 # etcd Client Port
2380 # etcd Peer Port
2381 # etcd Metrics Port
10250 # kubelet metrics
9099 # Canal CNI health checks
];
allowedUDPPorts = [
# RKE2 Ports - https://docs.rke2.io/install/requirements#networking
8472 # Canal CNI with VXLAN
# 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
# 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
];
# Allow Multicast
extraCommands = ''
iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
'';
};
};
services = {
# Enable Xen Guest Utilities
xe-guest-utilities.enable = true;
# Enable iSCSI
openiscsi = {
enable = true;
name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime
};
# Cloud Init
cloud-init = {
enable = true;
network.enable = true;
settings = {
datasource_list = [ "NoCloud" ];
preserve_hostname = false;
system_info.distro = "nixos";
system_info.network.renderers = [ "networkd" ];
};
};
# Enable SSH
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
# Enable RKE2
rke2 = {
enable = true;
disable = [ "rke2-ingress-nginx" ];
};
};
systemd.services = {
# RKE2 - Wait Cloud Init
rke2-server = {
after = [ "cloud-final.service" ];
requires = [ "cloud-final.service" ];
};
# Runtime iSCSI Initiator Setup
iscsi-initiator-setup = {
description = "Setup iSCSI Initiator Name";
requires = [ "cloud-final.service" ];
before = [ "iscsid.service" ];
after = [ "cloud-final.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ pkgs.hostname pkgs.util-linux ];
script = ''
mkdir -p /run/iscsi
echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
'';
};
};
# User Authorized Keys
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
];
hashedPassword = null;
};
# Add Symlinks Expected by Democratic
system.activationScripts = {
iscsi-initiator = ''
mkdir -p /usr/bin
ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
'';
};
# System Packages
environment = {
systemPackages = with pkgs; [
htop
intel-gpu-tools
k9s
kubectl
kubernetes-helm
nfs-utils
openiscsi
tmux
vim
];
# Don't Manage - Runtime Generation
etc."iscsi/initiatorname.iscsi".enable = false;
};
};
}
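Review bot: The multicast rule `iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT` in `firewall.extraCommands` is appended to `INPUT` behind the NixOS jump to the `nixos-fw` chain, and that chain ends by dropping or rejecting whatever it did not accept, so the appended rule is very likely never reached; target the NixOS chain instead, `iptables -A nixos-fw -m pkttype --pkt-type multicast -j nixos-fw-accept`. Separately, `allowedTCPPorts` opens etcd (2379–2381), the supervisor (9345) and the kubelet (10250) to every source address; the RKE2 requirements page cited in the comment describes those as node-to-node ports, so consider restricting them with source-range rules in `extraCommands` (`-s <node CIDR>`) and leaving only 6443 broadly reachable.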


@ -7,6 +7,13 @@ rec {
type: default: description:
mkOption { inherit type default description; };
mkBoolOpt = mkOpt types.bool;
enabled = {
enable = true;
};
disabled = {
enable = false;
};
}


@ -8,12 +8,12 @@ let
;
inherit (lib.${namespace}) mkBoolOpt mkOpt;
cfg = config.${namespace}.programs.browsers.firefox;
cfg = config.${namespace}.programs.graphical.browsers.firefox;
in
{
imports = lib.snowfall.fs.get-non-default-nix-files ./.;
options.${namespace}.programs.browsers.firefox = with types; {
options.${namespace}.programs.graphical.browsers.firefox = with types; {
enable = lib.mkEnableOption "Firefox";
extraConfig = mkOpt str "" "Extra configuration for the user profile JS file.";


@ -1,11 +1,12 @@
{ pkgs, lib, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.ghostty;
inherit (pkgs.stdenv) isLinux;
inherit (lib) mkIf mkEnableOption optionals;
cfg = config.${namespace}.programs.graphical.ghostty;
in
{
options.${namespace}.programs.ghostty = {
enable = lib.mkEnableOption "Ghostty";
options.${namespace}.programs.graphical.ghostty = {
enable = mkEnableOption "Ghostty";
};
config = mkIf cfg.enable {
@ -53,12 +54,13 @@ in
};
home.packages = with pkgs; [
# Pending Darwin @ https://github.com/NixOS/nixpkgs/pull/369788
# ghostty
thefuck
fastfetch
bashInteractive
(nerdfonts.override { fonts = [ "Meslo" ]; })
] ++ optionals isLinux [
# Pending Darwin @ https://github.com/NixOS/nixpkgs/pull/369788
ghostty
];
home.file.".config/fastfetch/config.jsonc".text = builtins.readFile ./config/fastfetch.jsonc;


@ -49,7 +49,7 @@ env = HYPRCURSOR_SIZE,24
# https://wiki.hyprland.org/Configuring/Variables/#general
general {
gaps_in = 5
gaps_out = 20
gaps_out = 12
border_size = 2


@ -38,32 +38,31 @@
color: @text;
}
/* Icon Only Sizes */
#network,
#backlight,
#battery {
font-size: 18px;
}
/* Node Styles */
#workspaces,
#window,
#cpu,
#memory,
#battery,
#backlight,
#pulseaudio,
#network,
#backlight,
#battery,
#clock {
margin-top: 0.75rem;
padding: 0px 0.5rem;
margin-top: 1rem;
padding: 0.2px 1rem;
background-color: @surface0;
}
#workspaces {
margin-left: 1rem;
border-radius: 1rem;
padding: 0px;
background-color: @surface0;
}
#window {
background: transparent;
margin-left: 0.5rem;
margin-right: 8rem; /* Notch */
margin-left: 1rem;
}
#workspaces button {
@ -74,30 +73,38 @@
#workspaces button.active {
color: @sky;
background-color: @surface2;
border-radius: 1rem;
}
#workspaces button:hover {
color: @sapphire;
border-radius: 1rem;
}
#clock {
color: @blue;
border-radius: 0px 1rem 1rem 0px;
margin-right: 1rem;
#window {
background: transparent;
margin-left: 0.5rem;
margin-right: 8rem; /* Notch */
}
#memory {
color: @blue;
border-radius: 0px 1rem 1rem 0px;
margin-right: 0.5rem;
}
#pulseaudio {
color: @maroon;
}
#network {
color: @mauve;
}
#cpu {
color: @peach;
}
#backlight {
color: @yellow;
}
#battery {
color: @green;
}
@ -110,13 +117,25 @@
color: @red;
}
#backlight {
color: @yellow;
#clock {
color: @blue;
margin-right: 1rem;
}
#pulseaudio,
#cpu {
color: @maroon;
border-radius: 1rem 0px 0px 1rem;
margin-left: 0.5rem;
/* Left Border Radius */
#clock,
#network,
#cpu,
#workspaces {
border-top-left-radius: 1rem;
border-bottom-left-radius: 1rem;
}
/* Right Border Radius */
#pulseaudio,
#clock,
#battery,
#workspaces {
border-top-right-radius: 1rem;
border-bottom-right-radius: 1rem;
}


@ -1,17 +1,16 @@
{ lib, pkgs, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.hyprland;
cfg = config.${namespace}.programs.graphical.wms.hyprland;
in
{
options.${namespace}.programs.hyprland = {
options.${namespace}.programs.graphical.wms.hyprland = {
enable = lib.mkEnableOption "Hyprland";
};
config = mkIf cfg.enable {
wayland.windowManager.hyprland = {
enable = true;
# systemd.enable = false;
extraConfig = builtins.readFile ./config/hyprland.conf;
};
@ -36,9 +35,9 @@ in
"memory"
"tray"
"pulseaudio"
"network"
"backlight"
"battery"
"network"
"clock"
];
"hyprland/window" = { format = "{}"; };
@ -48,10 +47,33 @@ in
all-outputs = true;
on-click = "activate";
};
battery = { format = "󰁹 {}%"; };
battery = {
states = {
warning = 30;
critical = 15;
};
format = "{icon}";
format-charging = "󰂄";
format-plugged = "󰂄";
format-alt = "{icon}";
format-icons = [
"󰂃"
"󰁺"
"󰁻"
"󰁼"
"󰁽"
"󰁾"
"󰁾"
"󰁿"
"󰂀"
"󰂁"
"󰂂"
"󰁹"
];
};
cpu = {
interval = 10;
format = "󰻠 {}%";
format = " {}%";
max-length = 10;
on-click = "";
};
@ -61,9 +83,24 @@ in
format-alt = " {used:0.1f}G";
max-length = 10;
};
# backlight = {
# format = "󰖨 {}%";
# device = "acpi_video0";
# };
backlight = {
format = "󰖨 {}%";
device = "acpi_video0";
format = "{icon}";
format-icons = [
"󰋙"
"󰫃"
"󰫄"
"󰫅"
"󰫆"
"󰫇"
"󰫈"
];
on-scroll-up = "brightnessctl s 1%-";
on-scroll-down = "brightnessctl s +1%";
};
tray = {
icon-size = 13;
@ -71,8 +108,29 @@ in
spacing = 10;
};
network = {
format = "󰖩 {essid}";
format-disconnected = "󰖪 disconnected";
interval = 1;
format-wifi = "󰖩";
format-ethernet = "󰈀";
format-linked = "󰈁";
format-disconnected = "";
on-click-right = "${pkgs.networkmanagerapplet}/bin/nm-connection-editor";
# tooltip-format = ''
# <big>Network Details</big>
# <tt><small>Interface: {ifname}</small></tt>
# <tt><small>IP: {ipaddr}/{cidr}</small></tt>
# <tt><small>Gateway: {gwaddr}</small></tt>
# <tt><small>󰜷 {bandwidthUpBytes}\n󰜮 {bandwidthDownBytes}</small></tt>'';
tooltip-format = ''
<big>Network Details</big>
<small>
Interface: {ifname}
SSID: {essid}
IP Address: {ipaddr}/{cidr}
Gateway: {gwaddr}
󰜷 {bandwidthUpBytes} / 󰜮 {bandwidthDownBytes}
</small>'';
};
clock = {
format = " {:%Y-%m-%d %H:%M:%S}";
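Review bot: The backlight handlers call a bare `brightnessctl`, while the network handler in the same file uses a store path (`${pkgs.networkmanagerapplet}/bin/nm-connection-editor`); nothing in this module puts `brightnessctl` on PATH, so use `${pkgs.brightnessctl}/bin/brightnessctl s 1%-` and `${pkgs.brightnessctl}/bin/brightnessctl s +1%` for the two handlers. Also check the direction: `on-scroll-up` lowers brightness and `on-scroll-down` raises it, which reads inverted if that was not deliberate.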


@ -1,10 +1,10 @@
{ lib, pkgs, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.aws;
cfg = config.${namespace}.programs.terminal.aws;
in
{
options.${namespace}.programs.aws = {
options.${namespace}.programs.terminal.aws = {
enable = lib.mkEnableOption "AWS";
};


@ -1,10 +1,10 @@
{ lib, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.btop;
cfg = config.${namespace}.programs.terminal.btop;
in
{
options.${namespace}.programs.btop = {
options.${namespace}.programs.terminal.btop = {
enable = lib.mkEnableOption "btop";
};


@ -1,10 +1,10 @@
{ lib, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.direnv;
cfg = config.${namespace}.programs.terminal.direnv;
in
{
options.${namespace}.programs.direnv = {
options.${namespace}.programs.terminal.direnv = {
enable = lib.mkEnableOption "direnv";
};


@ -1,10 +1,10 @@
{ pkgs, lib, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.git;
cfg = config.${namespace}.programs.terminal.git;
in
{
options.${namespace}.programs.git = {
options.${namespace}.programs.terminal.git = {
enable = lib.mkEnableOption "Git";
};


@ -1,10 +1,10 @@
{ lib, pkgs, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.k9s;
cfg = config.${namespace}.programs.terminal.k9s;
in
{
options.${namespace}.programs.k9s = {
options.${namespace}.programs.terminal.k9s = {
enable = lib.mkEnableOption "k9s";
};


@ -1,10 +1,10 @@
{ pkgs, lib, config, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.nvim;
cfg = config.${namespace}.programs.terminal.nvim;
in
{
options.${namespace}.programs.nvim = {
options.${namespace}.programs.terminal.nvim = {
enable = lib.mkEnableOption "NeoVim";
};


@ -0,0 +1,41 @@
{ config, lib, namespace, pkgs, ... }:
let
inherit (lib) mkIf types;
inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.services.sops;
in
{
options.${namespace}.services.sops = with types; {
enable = lib.mkEnableOption "sops";
defaultSopsFile = mkOpt path null "Default sops file.";
sshKeyPaths = mkOpt (listOf path) [ ] "SSH Key paths to use.";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [
age
sops
ssh-to-age
];
sops = {
inherit (cfg) defaultSopsFile;
defaultSopsFormat = "yaml";
age = {
generateKey = true;
keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
};
# TODO
# secrets = {
# nix = {
# sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
# path = "${config.home.homeDirectory}/.config/nix/nix.conf";
# };
# };
};
};
}
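Review bot: `age.generateKey = true` with `keyFile` under `~/.config/sops/age/` mints a fresh age key on any machine where that file is missing, and nothing in this commit enrolls generated keys as recipients in `.sops.yaml`, so a missing key is masked by one that can decrypt nothing; since decryption here is meant to come from `sshKeyPaths`, prefer `generateKey = false;` unless generated keys are deliberately enrolled. `defaultSopsFile = mkOpt path null "Default sops file."` also produces a type error (`null` is not a path) instead of a clear message when the option is left unset; `mkOpt (nullOr path) null` plus an assertion, or no default at all, is friendlier.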


@ -0,0 +1,15 @@
{ config, lib, namespace, ... }:
let
cfg = config.${namespace}.services.ssh-agent;
in
{
options.${namespace}.services.ssh-agent = {
enable = lib.mkEnableOption "ssh-agent service";
};
config = lib.mkIf cfg.enable {
services.ssh-agent = {
enable = true;
};
};
}


@ -0,0 +1,27 @@
{ config, lib, inputs, namespace, ... }:
let
inherit (lib) mkIf types;
inherit (lib.${namespace}) mkOpt mkBoolOpt;
cfg = config.${namespace}.hardware.asahi;
in
{
imports = [
inputs.apple-silicon.nixosModules.default
];
options.${namespace}.hardware.asahi = {
enable = lib.mkEnableOption "support for asahi linux";
enableGPU = mkBoolOpt false "enable gpu driver";
firmwareDirectory = mkOpt types.path null "firmware directory";
};
config = mkIf cfg.enable {
hardware = {
asahi = {
peripheralFirmwareDirectory = cfg.firmwareDirectory;
useExperimentalGPUDriver = cfg.enableGPU;
};
};
};
}
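Review bot: `imports = [ inputs.apple-silicon.nixosModules.default ]` is evaluated unconditionally — module `imports` cannot be gated by `mkIf` — so every NixOS system built from this flake, including the x86_64 VM images, pulls in the Apple Silicon module whether or not `hardware.asahi.enable` is set; if that module has effects beyond its own options, the images will see them, which is worth a comment here at least. The `firmwareDirectory = mkOpt types.path null` default also fails with a type error rather than a message when it is left unset; a `mkOpt (types.nullOr types.path) null` default plus an assertion on `cfg.enable -> cfg.firmwareDirectory != null` reports the problem plainly.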


@ -0,0 +1,40 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf;
inherit (lib.${namespace}) mkBoolOpt;
cfg = config.${namespace}.hardware.opengl;
in
{
options.${namespace}.hardware.opengl = {
enable = lib.mkEnableOption "support for opengl";
enable32Bit = mkBoolOpt false "enabel 32-bit";
enableIntel = mkBoolOpt false "support for intel";
enableNvidia = mkBoolOpt false "support for nvidia";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
libva-utils
vdpauinfo
] ++ lib.optionals cfg.enableNvidia [
nvtopPackages.full
];
hardware.graphics = {
enable = true;
enable32Bit = cfg.enable32Bit;
extraPackages = with pkgs;
lib.optionals cfg.enableIntel [
libvdpau-va-gl
intel-vaapi-driver
intel-media-driver
intel-compute-runtime
intel-ocl
] ++ lib.optionals cfg.enableNvidia [
cudatoolkit
];
};
};
}
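Review bot: The option description `"enabel 32-bit"` has a typo and should read `"enable 32-bit"`. The `enableNvidia` branch adds `cudatoolkit` to `hardware.graphics.extraPackages` and `nvtopPackages.full` to the system, but nothing visible in this module enables the NVIDIA kernel driver (`hardware.nvidia` / `services.xserver.videoDrivers`), so confirm this option is meant to be paired with a driver module elsewhere; `cudatoolkit` is also a very large closure to attach to a graphics toggle.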


@ -0,0 +1,76 @@
{ config, lib, pkgs, namespace, host, ... }:
let
inherit (lib.${namespace}) mkBoolOpt mkOpt;
cfg = config.${namespace}.nix;
in
{
options.${namespace}.nix = {
enable = mkBoolOpt true "Whether or not to manage nix configuration.";
package = mkOpt lib.types.package pkgs.nixVersions.latest "Which nix package to use.";
};
config = lib.mkIf cfg.enable {
nix =
let
users = [
"root"
"@wheel"
"nix-builder"
"evanreichard"
];
in
{
inherit (cfg) package;
buildMachines = lib.optional (host != "nixos-builder") {
hostName = "10.0.50.130";
systems = [ "x86_64-linux" ];
sshUser = "root";
speedFactor = 1;
protocol = "ssh";
sshKey = config.sops.secrets.reichard_ssh_key.path;
supportedFeatures = [
"benchmark"
"big-parallel"
"nixos-test"
"kvm"
];
};
checkConfig = true;
distributedBuilds = true;
gc = {
automatic = true;
options = "--delete-older-than 7d";
};
# This will additionally add your inputs to the system's legacy channels
# # Making legacy nix commands consistent as well
nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
optimise.automatic = true;
settings = {
allowed-users = users;
auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
builders-use-substitutes = true;
experimental-features = [
"nix-command"
"flakes "
];
flake-registry = "/etc/nix/registry.json";
http-connections = 50;
keep-derivations = true;
keep-going = true;
keep-outputs = true;
log-lines = 50;
sandbox = true;
trusted-users = users;
warn-dirty = false;
use-xdg-base-directories = true;
};
};
};
}
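Review bot: `sshKey = config.sops.secrets.reichard_ssh_key.path` makes this module — on by default through `mkBoolOpt true` — fail when `/etc/nix/machines` is rendered on any host that does not enable `security.sops`, because that secret attribute does not exist there; guard the entry, e.g. `buildMachines = lib.optional (host != "nixos-builder" && config.sops.secrets ? reichard_ssh_key) { ... }`. The builder entry also carries root credentials to a hard-coded IP with no `publicHostKey`, so the connection trusts whatever is in root's known_hosts (the TODO.md in this commit still lists "Known Hosts"); pinning the builder with `publicHostKey = "<base64 of ssh_host_ed25519_key.pub>";` closes that window. `trusted-users` includes `@wheel` and the login user, which Nix documents as root-equivalent — `allowed-users` alone covers normal use. Also `"flakes "` in `experimental-features` carries a trailing space.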


@ -0,0 +1,28 @@
{ config, lib, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.programs.graphical.wms.hyprland;
in
{
options.${namespace}.programs.graphical.wms.hyprland = {
enable = lib.mkEnableOption "Hyprland";
};
config = mkIf cfg.enable {
programs = {
hyprland = {
enable = true;
withUWSM = true;
};
};
reichard = {
display-managers = {
sddm = {
enable = true;
};
};
};
};
}
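Review bot: `reichard = { display-managers.sddm.enable = true; }` hard-codes the namespace that the options block a few lines above spells as `${namespace}`, so a future namespace change breaks this file in a different way from its siblings. Write it as `${namespace}.display-managers.sddm = enabled;` (the `enabled` helper is in `lib.${namespace}` in this commit) or `${namespace}.display-managers.sddm.enable = true;` for consistency.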


@ -0,0 +1,33 @@
{ config, lib, namespace, ... }:
let
inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.security.sops;
in
{
options.${namespace}.security.sops = {
enable = lib.mkEnableOption "sops";
defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
sshKeyPaths = mkOpt (with lib.types; listOf path) [
"/etc/ssh/ssh_host_ed25519_key"
] "SSH Key paths to use.";
};
config = lib.mkIf cfg.enable {
sops = {
inherit (cfg) defaultSopsFile;
age = {
inherit (cfg) sshKeyPaths;
keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
};
};
sops.secrets = {
"reichard_ssh_key" = {
sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
};
};
};
}
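Review bot: `age.keyFile` points system-level secret decryption at `/home/<user>/.config/sops/age/keys.txt`, a file owned and writable by an unprivileged account; whoever controls that account then controls material that decrypts `reichard_ssh_key`, which the nix module in this commit hands to root for SSH to the builder. Since `sshKeyPaths` already defaults to `/etc/ssh/ssh_host_ed25519_key`, either drop `keyFile` so the host key is the only source, or keep it at a root-owned location such as sops-nix's default `/var/lib/sops-nix/key.txt`. The secret is declared without `owner`/`mode`, which leaves the root-owned 0400 defaults — right for root's builder connection, but worth a one-line comment so nobody relaxes it later.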


@ -0,0 +1,78 @@
{ config, format, lib, namespace, ... }:
let
inherit (lib)
types
mkDefault
mkIf
;
inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.services.openssh;
authorizedKeys = [
# MBP-Personal NixOS
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr"
];
in
{
options.${namespace}.services.openssh = with types; {
enable = lib.mkEnableOption "OpenSSH support";
authorizedKeys = mkOpt (listOf str) authorizedKeys "The public keys to apply.";
extraConfig = mkOpt str "" "Extra configuration to apply.";
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
hostKeys = mkDefault [
{
bits = 4096;
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
openFirewall = true;
ports = [ 22 ];
settings = {
AuthenticationMethods = "publickey";
ChallengeResponseAuthentication = "no";
PasswordAuthentication = false;
PermitRootLogin = if format == "install-iso" then "yes" else "no";
PubkeyAuthentication = "yes";
StreamLocalBindUnlink = "yes";
UseDns = false;
UsePAM = true;
X11Forwarding = false;
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"diffie-hellman-group-exchange-sha256"
"sntrup761x25519-sha512@openssh.com"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
};
startWhenNeeded = true;
};
programs.ssh = {
startAgent = lib.mkDefault true;
inherit (cfg) extraConfig;
};
reichard = {
user.extraOptions.openssh.authorizedKeys.keys = cfg.authorizedKeys;
};
};
}
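Review bot: `bits = 4096` in the `hostKeys` entry has no effect for `type = "ed25519"` (the key size is fixed) and reads as if an RSA key were intended; drop the attribute. The default `authorizedKeys` embeds the same `ssh-ed25519 AAAAC3…PSIkr` key that `hosts/rke2-image.nix` hard-codes for root, so a rotation has to be done in two places; a single shared list in `lib` would keep them in step. The `PermitRootLogin = "yes"` branch for `install-iso` still admits only public-key logins because `AuthenticationMethods = "publickey"` and `PasswordAuthentication = false` apply there too, which is worth stating in a comment so it is not "fixed" later.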


@ -0,0 +1,43 @@
{ config, lib, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.system.boot;
in
{
options.${namespace}.system.boot = {
enable = lib.mkEnableOption "booting";
silentBoot = lib.mkEnableOption "silent boot";
showNotch = lib.mkEnableOption "show macOS notch";
};
config = mkIf cfg.enable {
boot = {
kernelParams = lib.optionals cfg.silentBoot [
"quiet"
"loglevel=3"
"udev.log_level=3"
"rd.udev.log_level=3"
"systemd.show_status=auto"
"rd.systemd.show_status=auto"
"vt.global_cursor_default=0"
] ++ lib.optionals cfg.showNotch [
"apple_dcp.show_notch=1"
];
loader = {
efi = {
canTouchEfiVariables = false;
};
systemd-boot = {
enable = true;
configurationLimit = 20;
editor = false;
};
timeout = 1;
};
};
};
}


@ -0,0 +1,33 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkForce;
inherit (lib.${namespace}) mkBoolOpt;
cfg = config.${namespace}.system.networking;
in
{
options.${namespace}.system.networking = {
enable = lib.mkEnableOption "networking support";
enableIWD = mkBoolOpt false "enable iwd";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
mtr
tcpdump
traceroute
];
reichard.user.extraGroups = [ "network" ];
networking = {
firewall.enable = true;
usePredictableInterfaceNames = mkForce true;
} // (lib.optionalAttrs cfg.enableIWD) {
wireless.iwd = {
enable = true;
settings.General.EnableNetworkConfiguration = true;
};
};
};
}
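Review bot: `reichard.user.extraGroups = [ "network" ]` hard-codes the namespace that the option block above writes as `${namespace}`; use `${namespace}.user.extraGroups = [ "network" ];` for consistency with the rest of the module. `mkForce` on `usePredictableInterfaceNames` also means a host cannot opt out without a `mkForce` of its own; if that is intended, a one-line comment saying why would save the next reader a search.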


@ -0,0 +1,26 @@
{ config, lib, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.system.networking;
in
{
config = mkIf cfg.enable {
reichard.user.extraGroups = [ "networkmanager" ];
networking.networkmanager = {
enable = true;
connectionConfig = {
"connection.mdns" = "2";
};
# unmanaged = [
# "interface-name:br-*"
# "interface-name:rndis*"
# ]
# ++ lib.optionals config.${namespace}.virtualisation.podman.enable [ "interface-name:docker*" ]
# ++ lib.optionals config.${namespace}.virtualisation.kvm.enable [ "interface-name:virbr*" ];
};
};
}
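Review bot: `connectionConfig."connection.mdns" = "2"` turns on mDNS registration, not just resolution, for every NetworkManager connection, so the machine announces its hostname on any network it joins, including untrusted Wi‑Fi. If the goal is only to resolve `.local` names, `"1"` (resolve) is the quieter setting; otherwise enable registration per connection rather than globally. This file has no enable option of its own and keys off `${namespace}.system.networking.enable`, which deserves a comment at the top.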


@ -0,0 +1,32 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf;
cfg = config.${namespace}.system.time;
in
{
options.${namespace}.system.time = {
enable = lib.mkEnableOption "time related settings";
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.openntpd ];
networking.timeServers = [
"0.nixos.pool.ntp.org"
"1.nixos.pool.ntp.org"
"2.nixos.pool.ntp.org"
"3.nixos.pool.ntp.org"
];
services.openntpd = {
enable = true;
extraConfig = ''
listen on 127.0.0.1
listen on ::1
'';
};
time.timeZone = "America/New_York";
};
}


@ -0,0 +1,35 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) types;
inherit (lib.${namespace}) mkOpt;
cfg = config.${namespace}.user;
in
{
options.${namespace}.user = with types; {
email = mkOpt str "evan@reichard.io" "The email of the user.";
extraGroups = mkOpt (listOf str) [ ] "Groups for the user to be assigned.";
extraOptions = mkOpt attrs { } "Extra options passed to <option>users.users.<name></option>.";
fullName = mkOpt str "Evan Reichard" "The full name of the user.";
initialPassword =
mkOpt str "password"
"The initial password to use when the user is first created.";
name = mkOpt str "evanreichard" "The name to use for the user account.";
};
config = {
users.users.${cfg.name} = {
inherit (cfg) name initialPassword;
extraGroups = [
"wheel"
] ++ cfg.extraGroups;
group = "users";
home = "/home/${cfg.name}";
isNormalUser = true;
shell = pkgs.bashInteractive;
uid = 1000;
} // cfg.extraOptions;
};
}
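Review bot: `initialPassword` defaults to the literal `"password"` for an account that is unconditionally in `wheel`, and NixOS documents that cleartext `initialPassword` values end up in the world-readable store; any host that forgets to override it boots with a sudo-capable user whose password is guessable. Prefer no default (`mkOpt (nullOr str) null`) or a `hashedPasswordFile` fed from a sops secret, and pass it through as `initialHashedPassword` rather than cleartext. The SSH module in this commit disables password authentication, so the exposure is console/local login, but it is still the first thing a checklist flags.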

21
secrets/default.yaml Normal file

@ -0,0 +1,21 @@
reichard_ssh_key: ENC[AES256_GCM,data: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,iv:wziTYwyTQXKRFrUP4HohZtXnp7sk+vLbJiQd0PLKg1o=,tag:irpzHqh3kocNGKQIeo+kRA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SnA3M2F0cXZjOGlFSTJw
aE9BNGJsQ1JzelFoQk4yMGlpN2dkVUR4ZUNvCmljSDhsVU4rUnowV2dIdlhZYnMy
aXo2OGZRd21PYk81ZE9pV05XSmpVOEEKLS0tIGhGNkVmTnVYRENEYlBxZXJTaExt
SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-30T15:06:18Z"
mac: ENC[AES256_GCM,data:ZqN6MbVcPst/zvr4KNl5AygtC8Icb1BELHg5o6rDOOb6qmB2d75Vk59ve8EiBosMhPdYAXaTCViRLxeWoG3WzEWK0bYAUBI27UBgYqaUTLXTDhohihtAwwWD37S2wFslHWddl5PngbTho8n+uMwyaeBdj53h4GbvQPC2Ji95D5A=,iv:boTLI3IXdQoBfPEqkay9jkm85AFahcNOmBBPwWbJaEw=,tag:Hic4+9Uuh8I2KokfdsZIsg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
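Review bot: The file is encrypted to a single recipient, `age1sac93w…6nz4w`, yet the NixOS sops module in this commit expects to decrypt it with `/etc/ssh/ssh_host_ed25519_key`; unless that admin key is the `ssh-to-age` conversion of the host key, activation will fail with no matching keys. Add each consuming host's recipient to `.sops.yaml` and run `sops updatekeys secrets/default.yaml` so the `sops.age` block lists it. `reichard_ssh_key` is a private key used for root access to the builder, so treat the age key that unlocks it with the same care and rotate the SSH key if that age key is ever shared across machines.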


@ -1,66 +1,57 @@
{ inputs, lib, pkgs, ... }:
{ namespace, lib, ... }:
let
inherit (lib.${namespace}) enabled;
in
{
imports = [
inputs.apple-silicon.nixosModules.default
./hardware-configuration.nix
];
# Generic Config
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
time.timeZone = "America/New_York";
# System Config
reichard = {
nix = enabled;
# Enable SSDM
reichardnix = {
display-managers.sddm = {
enable = true;
system = {
time = enabled;
boot = {
enable = true;
showNotch = true;
};
networking = {
enable = true;
enableIWD = true;
};
};
};
# Boot Loader Config
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = false;
hardware = {
opengl = enabled;
asahi = {
enable = true;
enableGPU = true;
firmwareDirectory = ./firmware;
};
};
kernelParams = [ "apple_dcp.show_notch=1" ];
};
# Networking Config
networking = {
firewall.enable = true;
networkmanager.enable = true;
networkmanager.wifi.backend = "iwd";
useDHCP = lib.mkDefault true;
wireless.iwd.enable = true;
security = {
sops = {
enable = true;
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
};
};
programs = {
graphical = {
wms.hyprland = enabled;
};
};
};
# Hardware Config
hardware = {
asahi = {
peripheralFirmwareDirectory = ./firmware;
useExperimentalGPUDriver = true;
};
graphics.enable = true;
bluetooth.enable = true;
bluetooth.powerOnBoot = true;
};
# HyprLand Config
programs.hyprland = {
enable = true;
withUWSM = true;
};
# System Packages
environment.systemPackages = with pkgs; [
ghostty
htop
tmux
vim
wget
];
system.stateVersion = "24.11";
}
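Review bot: The removed block set `networkmanager.wifi.backend = "iwd"` next to `wireless.iwd.enable`; the new `system.networking.enableIWD = true` path enables iwd with `EnableNetworkConfiguration = true` and the separate networkmanager module in this commit enables NetworkManager, but nothing re-applies the `wifi.backend = "iwd"` setting. With both agents configuring the same wireless interface you get competing DHCP and connection state; restore `networking.networkmanager.wifi.backend = "iwd";` in the networking module and drop `EnableNetworkConfiguration` so NetworkManager remains the single owner.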


@ -0,0 +1,189 @@
{ pkgs, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
config = {
# Basic System
system.stateVersion = "24.11";
nix.settings.experimental-features = [ "nix-command" "flakes" ];
time.timeZone = "UTC";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
};
boot = {
initrd = {
availableKernelModules = [
# Xen
"xen_blkfront"
"xen_netfront"
];
kernelModules = [ "xen_netfront" "xen_blkfront" ];
supportedFilesystems = [ "ext4" "xenfs" ];
};
kernelModules = [
# Xen VM Requirements
"xen_netfront"
"xen_blkfront"
"xenfs"
# iSCSI
"iscsi_tcp"
];
};
# Add Intel Arc A310 GPU Drivers
nixpkgs.config.allowUnfree = true;
hardware.enableRedistributableFirmware = true;
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
libvdpau-va-gl
intel-vaapi-driver
intel-media-driver
intel-compute-runtime
intel-ocl
];
};
# Network Configuration
networking = {
hostName = lib.mkForce "";
useNetworkd = true;
useDHCP = false;
firewall = {
enable = true;
allowedTCPPorts = [
# RKE2 Ports - https://docs.rke2.io/install/requirements#networking
6443 # Kubernetes API
9345 # RKE2 supervisor API
2379 # etcd Client Port
2380 # etcd Peer Port
2381 # etcd Metrics Port
10250 # kubelet metrics
9099 # Canal CNI health checks
];
allowedUDPPorts = [
# RKE2 Ports - https://docs.rke2.io/install/requirements#networking
8472 # Canal CNI with VXLAN
# 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
# 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
];
# Allow Multicast
extraCommands = ''
iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
'';
};
};
services = {
# Enable Xen Guest Utilities
xe-guest-utilities.enable = true;
# Enable iSCSI
openiscsi = {
enable = true;
name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime
};
# Cloud Init
cloud-init = {
enable = true;
network.enable = true;
settings = {
datasource_list = [ "NoCloud" ];
preserve_hostname = false;
system_info.distro = "nixos";
system_info.network.renderers = [ "networkd" ];
};
};
# Enable SSH
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
# Enable RKE2
rke2 = {
enable = true;
disable = [ "rke2-ingress-nginx" ];
};
};
systemd.services = {
# RKE2 - Wait Cloud Init
rke2-server = {
after = [ "cloud-final.service" ];
requires = [ "cloud-final.service" ];
};
# Runtime iSCSI Initiator Setup
iscsi-initiator-setup = {
description = "Setup iSCSI Initiator Name";
requires = [ "cloud-final.service" ];
before = [ "iscsid.service" ];
after = [ "cloud-final.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ pkgs.hostname pkgs.util-linux ];
script = ''
mkdir -p /run/iscsi
echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
'';
};
};
# User Authorized Keys
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
];
hashedPassword = null;
};
# Add Symlinks Expected by Democratic
system.activationScripts = {
iscsi-initiator = ''
mkdir -p /usr/bin
ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
'';
};
# System Packages
environment = {
systemPackages = with pkgs; [
htop
intel-gpu-tools
k9s
kubectl
kubernetes-helm
nfs-utils
openiscsi
tmux
vim
];
# Don't Manage - Runtime Generation
etc."iscsi/initiatorname.iscsi".enable = false;
};
};
}
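Review bot: This 189-line file appears identical to `hosts/rke2-image.nix` earlier in the commit, so every later firewall or iSCSI fix has to be made twice; have one of them `import` the other, or move the shared body into a module and keep only a thin per-target wrapper here. Also, `etc."iscsi/initiatorname.iscsi".enable = false` removes the file that `iscsi-initiator-setup` bind-mounts over, and `mount --bind` needs an existing target; unless something else creates `/etc/iscsi/initiatorname.iscsi`, precede the mount with `mkdir -p /etc/iscsi && touch /etc/iscsi/initiatorname.iscsi`.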