rm dotbot; move everything to home manager

2024-12-15 02:14:00 -05:00 · 2024-12-15 02:14:00 -05:00 · c1b64baea7
commit c1b64baea7
parent cedd2c1983
39 changed files with 7 additions and 37 deletions
--- a/hosts/ytnix/.sops.yaml
+++ b/hosts/ytnix/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *primary
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -0,0 +1,281 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ../common.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+  sops.secrets = {
+    "borg/yt" = {};
+    "azure" = {};
+    "ntfy" = {};
+    "wireguard/private" = {};
+    "wireguard/psk" = {};
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.cleanOnBoot = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+    extraModulePackages = with config.boot.kernelPackages; [
+      rtl8821ce
+    ];
+  };
+
+  networking = {
+    hostName = "ytnix";
+    wireless.iwd = {
+      enable = true;
+      settings = {
+        Rank = {
+          # disable 2.4 GHz cause i have a shitty wireless card
+          # that interferes with bluetooth otherwise
+          BandModifier2_4GHz = 0.0;
+        };
+      };
+    };
+    networkmanager = {
+      enable = true;
+      dns = "none";
+      wifi.backend = "iwd";
+    };
+    nameservers = ["31.59.129.225" "2a0f:85c1:840:2bfb::1"];
+    resolvconf.enable = true;
+    firewall = {
+      allowedUDPPorts = [51820]; # for wireguard
+      trustedInterfaces = ["wg0"];
+    };
+  };
+  programs.nm-applet.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    pulse.enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    wireplumber.extraConfig.bluetoothEnhancements = {
+      "wireplumber.settings" = {
+        "bluetooth.autoswitch-to-headset-profile" = false;
+      };
+      "monitor.bluez.properties" = {
+        "bluez5.enable-sbc-xq" = true;
+        "bluez5.enable-msbc" = true;
+        "bluez5.enable-hw-volume" = true;
+        "bluez5.roles" = ["a2dp_sink" "a2dp_source"];
+      };
+    };
+  };
+
+  services.libinput.enable = true;
+
+  users.users.yt = {
+    isNormalUser = true;
+    extraGroups = ["wheel" "libvirtd" "docker"];
+    shell = pkgs.zsh;
+  };
+  programs.zsh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    tmux
+    vim
+    wget
+    neovim
+    git
+    python3
+    wl-clipboard
+    mako
+    tree
+    kitty
+    borgbackup
+    brightnessctl
+    alsa-utils
+    nixd
+    veracrypt
+    bluetuith
+    libimobiledevice
+    pass-wayland
+    htop
+    file
+    dnsutils
+    age
+    compsize
+    wireguard-tools
+    traceroute
+    sops
+    restic
+  ];
+
+  environment.sessionVariables = {
+    NIXOS_OZONE_WL = "1";
+    ANKI_WAYLAND = "1";
+  };
+
+  system.stateVersion = "24.05";
+
+  services.gnome.gnome-keyring.enable = true;
+  programs.gnupg.agent.enable = true;
+
+  services.displayManager.defaultSession = "sway";
+  services.displayManager.sddm = {
+    enable = true;
+    wayland.enable = true;
+  };
+  # security.sudo.wheelNeedsPassword = false;
+
+  fonts.packages = with pkgs; [
+    nerd-fonts.roboto-mono
+  ];
+
+  hardware.enableAllFirmware = true;
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+  };
+  services.blueman.enable = true;
+
+  programs.sway.enable = true;
+
+  services.borgbackup.jobs.ytnixRsync = {
+    paths = ["/root" "/home" "/var/lib" "/var/log" "/opt" "/etc"];
+    exclude = [
+      "**/.cache"
+      "**/node_modules"
+      "**/cache"
+      "**/Cache"
+      "/var/lib/docker"
+      "/var/lib/private/ollama"
+      "/home/**/Downloads"
+      "**/.steam"
+      "**/.rustup"
+      "**/.docker"
+      "**/borg"
+    ];
+    repo = "de3911@de3911.rsync.net:borg/yt";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat /run/secrets/borg/yt";
+    };
+    environment = {
+      BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+      BORG_REMOTE_PATH = "borg1";
+    };
+    compression = "auto,zstd";
+    startAt = "daily";
+    extraCreateArgs = ["--stats"];
+    # warnings are often not that serious
+    failOnWarnings = false;
+    postHook = ''
+      ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "ytnixRsync: backup completed with exit code: $exitStatus
+      $(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
+      https://ntfy.cything.io/chunk
+    '';
+  };
+
+  services.btrbk.instances.local = {
+    onCalendar = "hourly";
+    settings = {
+      snapshot_preserve = "2w";
+      snapshot_preserve_min = "2d";
+      snapshot_dir = "/snapshots";
+      subvolume = {
+        "/home" = {};
+        "/" = {};
+      };
+    };
+  };
+
+  programs.steam.enable = true;
+
+  services.logind = {
+    lidSwitch = "hibernate";
+    powerKey = "hibernate";
+  };
+
+  xdg.mime.defaultApplications = {
+    "application/pdf" = "okular.desktop";
+    "image/*" = "gwenview.desktop";
+    "*/html" = "chromium-browser.desktop";
+  };
+
+  programs.thunar = {
+    enable = true;
+    plugins = with pkgs.xfce; [
+      thunar-archive-plugin
+      thunar-volman
+    ];
+  };
+  # preference changes don't work in thunar without this
+  programs.xfconf.enable = true;
+  # mount, trash and stuff in thunar
+  services.gvfs.enable = true;
+  # thumbnails in thunar
+  services.tumbler.enable = true;
+
+  virtualisation = {
+    libvirtd.enable = true;
+    docker.enable = true;
+  };
+  programs.virt-manager.enable = true;
+
+  services.usbmuxd.enable = true;
+  programs.nix-ld.enable = true;
+  programs.evolution.enable = true;
+
+  # this is true by default and mutually exclusive with
+  # programs.nix-index
+  programs.command-not-found.enable = false;
+  programs.nix-index = {
+    enable = true;
+    enableZshIntegration = true;
+  };
+
+  xdg.portal = {
+    enable = true;
+    wlr.enable = true;
+  };
+
+  programs.obs-studio = {
+    enable = true;
+    plugins = with pkgs.obs-studio-plugins; [
+      wlrobs
+    ];
+  };
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-media-sdk
+    ];
+  };
+
+  services.ollama.enable = true;
+
+  # wireguard setup
+  networking.wg-quick.interfaces.wg0 = {
+    address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
+    privateKeyFile = "/run/secrets/wireguard/private";
+    peers = [
+      {
+        publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
+        allowedIPs = ["0.0.0.0/0" "::/0"];
+        endpoint = "31.59.129.225:51820";
+        persistentKeepalive = 25;
+        presharedKeyFile = "/run/secrets/wireguard/psk";
+      }
+    ];
+  };
+}
--- a/hosts/ytnix/hardware-configuration.nix
+++ b/hosts/ytnix/hardware-configuration.nix
@ -0,0 +1,67 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=root" "compress=zstd"];
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13";
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=home" "compress=zstd"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=nix" "compress=zstd" "noatime"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=swap"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/29B7-F46D";
+    fsType = "vfat";
+    options = ["fmask=0022" "dmask=0022"];
+  };
+
+  swapDevices = [
+    {
+      device = "/swap/swapfile";
+    }
+  ];
+
+  boot.resumeDevice = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+  boot.kernelParams = ["resume_offset=53224704"];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/ytnix/secrets.yaml
+++ b/hosts/ytnix/secrets.yaml
@ -0,0 +1,29 @@
+borg:
+    yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str]
+restic:
+    azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
+azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
+ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str]
+wireguard:
+    private: ENC[AES256_GCM,data:hPfJis6gbPPguuhNBViiZDmeFSaUXsgRrCGrhTFzbySIytVuaieU0BJSJQo=,iv:tYU41JTeB7Y50RQr1b+zGCgB5voZec2Vfmd350J1Tgc=,tag:aFMZoJhMToJDuuV8dc5Acg==,type:str]
+    psk: ENC[AES256_GCM,data:NhQ1lYFpjTpqbkhYyEpEcBTf6vewSeGevUnvCmruoZMSGA2ZWs+le8a0tAA=,iv:aBeVhzUwzBgochk4vtdqnUv61dZ5jELh28amx8XqyFI=,tag:9TvGx+sJaicX52FitOpOdA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90
+            a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH
+            SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3
+            a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
+            ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-14T23:07:47Z"
+    mac: ENC[AES256_GCM,data:GQUbR/ApVo6E5jqkGo79GDkRv7nj7Sa16ROCTg0uYO0xDmv9h/bPWBTUOfsU0G/0g3OvohLkBbmYA+hMx24xlLQzQkh8Z3dyAn9CcAJ2j9JLY7qHtSBpvafyPptvKzmPU0mnQpShgqYPCUhF6A2B2YAAvW+TknBih7eiKKeidkc=,iv:XLKIad/LZWuWUrrcXtF0UyNccLhoB0VSWXYCGDq/7Uc=,tag:lNyMV8Ses28gOj+KINem5A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2