From 1bb83efeeff7c9dd3f72023a3e14de372e8d7f47 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 8 Oct 2024 19:42:33 -0500 Subject: [PATCH 01/14] WIP pinephone --- flake.lock | 17 ++++++++++ flake.nix | 49 ++++++++++++++++++++++++++++- modules/nixos/default.nix | 66 +++++++++++++++++++-------------------- 3 files changed, 98 insertions(+), 34 deletions(-) diff --git a/flake.lock b/flake.lock index 314c2d6..838341c 100644 --- a/flake.lock +++ b/flake.lock @@ -522,6 +522,22 @@ "type": "github" } }, + "mobile-nixos": { + "flake": false, + "locked": { + "lastModified": 1728423157, + "narHash": "sha256-pJaC+Aef6oixhV6HdWPS2Pq/TgHxEN+MPLYUjighWYI=", + "owner": "lytedev", + "repo": "mobile-nixos", + "rev": "b2c496bbcebc85a28d1d939b56bd331536bd1ac4", + "type": "github" + }, + "original": { + "owner": "lytedev", + "repo": "mobile-nixos", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1709479366, @@ -627,6 +643,7 @@ "home-manager": "home-manager", "home-manager-unstable": "home-manager-unstable", "hyprland": "hyprland", + "mobile-nixos": "mobile-nixos", "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", "slippi": "slippi", diff --git a/flake.nix b/flake.nix index 225aad4..130d227 100644 --- a/flake.nix +++ b/flake.nix @@ -32,6 +32,11 @@ slippi.inputs.home-manager.follows = "home-manager-unstable"; # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b"; + + mobile-nixos = { + url = "github:lytedev/mobile-nixos"; + flake = false; + }; }; nixConfig = { @@ -66,6 +71,7 @@ home-manager-unstable, helix, hardware, + mobile-nixos, # nnf, # hyprland, slippi, 
@@ -627,6 +633,47 @@ ./nixos/router.nix ]; }; + + # pinephone-image = + # (import "${mobile-nixos}/lib/eval-with-configuration.nix" { + # configuration = with nixosModules; [ + # linux + # home-manager-defaults + + # # outputs.diskoConfigurations.unencrypted # can I even disko with an image-based installation? + # common + # wifi + + # # TODO: how do I get a minimally useful mobile environment? + # # for me, this means an on-screen keyboard and suspend support I think? + # # I can live in a tty if needed and graphical stuff can all evolve later + # # not worried about modem + # # maybe/hopefully I can pull in or define my own sxmo via nix? + # ]; + # device = "pine64-pinephone"; + # pkgs = pkgsFor "aarch64-linux"; + # }) + # .outputs + # .disk-image; + + pinephone = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = with nixosModules; [ + # TODO: how do I build this image? + linux + home-manager-defaults + + # outputs.diskoConfigurations.unencrypted # can I even disko with an image-based installation? + common + wifi + + { + imports = [ + (import "${mobile-nixos}/lib/configuration.nix" {device = "pine64-pinephone";}) + ]; + } + ]; + }; }; homeConfigurations = { @@ -657,7 +704,7 @@ }; /* - TODO: nix-on-droid for phone terminal usage? + TODO: nix-on-droid for phone terminal usage? mobile-nixos? TODO: nix-darwin for work? TODO: nixos ISO? */ diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index a985704..4617883 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix 
@@ -1135,43 +1135,43 @@ boot.tmp.cleanOnBoot = true; services.irqbalance.enable = true; - services.kanidm = { - enableClient = true; - enablePam = true; - package = pkgs.kanidm; + # this is not ready for primetime yet + # services.kanidm = { + # enableClient = true; + # enablePam = true; + # package = pkgs.kanidm; - clientSettings.uri = "https://idm.h.lyte.dev"; - unixSettings = { - # hsm_pin_path = "/somewhere/else"; - pam_allowed_login_groups = []; - }; - }; - - systemd.tmpfiles.rules = [ - "d /etc/kanidm 1755 nobody users -" - ]; + # clientSettings.uri = "https://idm.h.lyte.dev"; + # unixSettings = { + # # hsm_pin_path = "/somewhere/else"; + # pam_allowed_login_groups = []; + # }; + # }; + # systemd.tmpfiles.rules = [ + # "d /etc/kanidm 1755 nobody users -" + # ]; # module has the incorrect file permissions out of the box - environment.etc = { - /* - "kanidm" = { - enable = true; - user = "nobody"; - group = "users"; - mode = "0755"; - }; - */ - "kanidm/unixd" = { - user = "kanidm-unixd"; - group = "kanidm-unixd"; - mode = "0700"; - }; - "kanidm/config" = { - user = "nobody"; - group = "users"; - mode = "0755"; - }; + # environment.etc = { + /* + "kanidm" = { + enable = true; + user = "nobody"; + group = "users"; + mode = "0755"; }; + */ + # "kanidm/unixd" = { + # user = "kanidm-unixd"; + # group = "kanidm-unixd"; + # mode = "0700"; + # }; + # "kanidm/config" = { + # user = "nobody"; + # group = "users"; + # mode = "0755"; + # }; + # }; programs.gnupg.agent = { enable = true; From 337e587f92b984a46d5f2e4aaaad0005a0a2412c Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 8 Oct 2024 19:46:46 -0500 Subject: [PATCH 02/14] Use nixpkgs-unstable (duh) --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 130d227..c04d387 100644 --- a/flake.nix +++ b/flake.nix 
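Review bot: The kanidm block is commented out line-by-line instead of deleted, which leaves a stranded `/* … */` fragment in the middle of the `#`-prefixed lines and keeps the `# module has the incorrect file permissions out of the box` remark pointing at code that no longer runs; git history already preserves the old configuration, so removing it outright (or moving it to an opt-in module) would read cleaner. The one-line reason `# this is not ready for primetime yet` would be more useful as `# kanidm client disabled: <reason it is not ready>` so the next reader knows what has to change before it comes back. Disabling `enablePam` also removes kanidm as a login path; if any host relied on it, confirm local accounts still work. The enclosing module continues outside the hunk.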
@@ -656,7 +656,7 @@ # .outputs # .disk-image; - pinephone = nixpkgs.lib.nixosSystem { + pinephone = nixpkgs-unstable.lib.nixosSystem { system = "aarch64-linux"; modules = with nixosModules; [ # TODO: how do I build this image? From 64e4c9c1b222e7f30bd1b902468ec5491b007ae4 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 8 Oct 2024 20:22:11 -0500 Subject: [PATCH 03/14] Started building at least...? --- flake.nix | 54 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 39 insertions(+), 15 deletions(-) diff --git a/flake.nix b/flake.nix index c04d387..f668d30 100644 --- a/flake.nix +++ b/flake.nix 
@@ -656,24 +656,48 @@ # .outputs # .disk-image; - pinephone = nixpkgs-unstable.lib.nixosSystem { + pinephone = let system = "aarch64-linux"; - modules = with nixosModules; [ - # TODO: how do I build this image? - linux - home-manager-defaults + inherit (nixpkgs-unstable) lib; + in + lib.nixosSystem { + inherit system; + modules = with nixosModules; [ + # TODO: how do I build this as a .img to flash to an SD card? - # outputs.diskoConfigurations.unencrypted # can I even disko with an image-based installation? - common - wifi + # for testing, this seems to work `nixos-rebuild build --impure --flake .#pinephone` - { - imports = [ - (import "${mobile-nixos}/lib/configuration.nix" {device = "pine64-pinephone";}) - ]; - } - ]; - }; + { + # enable cross-compiling with impure + nixpkgs.buildPlatform = builtins.currentSystem; + nixpkgs.hostPlatform = system; + } + + linux + home-manager-unstable-defaults + + # outputs.diskoConfigurations.unencrypted # can I even disko with an image-based installation? + common + wifi + + { + system.stateVersion = "24.11"; + } + + { + imports = [ + (import "${mobile-nixos}/lib/configuration.nix" {device = "pine64-pinephone";}) + ]; + + # TODO: quirk: since the pinephone kernel doesn't seem to have "rpfilter" support, firewall ain't working + networking.firewall.enable = lib.mkForce false; + + # TODO: quirk: since git send-email requires perl support, which we don't seem to have on the pinephone, we're just disabling git for now + # TODO: would likely be easier/better to somehow ignore the assertion? probably a way to do that... + programs.git.enable = lib.mkForce false; + } + ]; + }; }; homeConfigurations = { From a3997d519ab4b7be51be2ab479f3357f46818923 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 8 Oct 2024 21:06:11 -0500 Subject: [PATCH 04/14] Update actual --- nixos/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index b83ba33..b06763b 100644 
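Review bot: `networking.firewall.enable = lib.mkForce false;` switches the whole firewall off on a wifi-connected device to work around a kernel without rpfilter, but the NixOS firewall exposes that piece on its own: `networking.firewall.checkReversePath = false;` drops only the reverse-path rule and keeps the port filtering, so whatever the `common` and `wifi` modules listen on is not reachable from every network the phone joins. The comment above the line could then read `# pinephone kernel lacks rpfilter; disable only the reverse-path check`. The same forced-off firewall is carried over unchanged into the PATCH 08 hunk of flake.nix. The `nixpkgs.buildPlatform = builtins.currentSystem` line forces `--impure`, which the comment already acknowledges.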
--- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -1783,7 +1783,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 virtualisation.oci-containers = { containers.actual = { - image = "ghcr.io/actualbudget/actual-server:24.10.0"; + image = "ghcr.io/actualbudget/actual-server:24.10.1"; autoStart = true; ports = ["5006:5006"]; volumes = ["/storage/actual:/data"]; From 352d4412f28179dcf6c72bed883e78433d58992a Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 9 Oct 2024 09:44:36 -0500 Subject: [PATCH 05/14] Use pkgsCross --- flake.nix | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/flake.nix b/flake.nix index f668d30..e1a7c29 100644 --- a/flake.nix +++ b/flake.nix @@ -438,7 +438,7 @@ # otherwise, they will likely have no effect anyways text = '' command -v powerprofilesctl &>/dev/null && bash -x -c 'powerprofilesctl set performance' - command -v swaymsg &>/dev/null && bash -x -c 'swaymsg output eDP-1 mode 2880x1920@60Hz' + command -v swaymsg &>/dev/null && bash -x -c 'swaymsg output eDP-1 mode 2880x1920@120Hz' ''; }) (writeShellApplication 
@@ -657,28 +657,23 @@ # .disk-image; pinephone = let - system = "aarch64-linux"; inherit (nixpkgs-unstable) lib; in - lib.nixosSystem { - inherit system; - modules = with nixosModules; [ + nixpkgs-unstable.legacyPackages.${builtins.currentSystem}.pkgsCross.aarch64-multiplatform.nixos { + imports = with nixosModules; [ # TODO: how do I build this as a .img to flash to an SD card? # for testing, this seems to work `nixos-rebuild build --impure --flake .#pinephone` - { - # enable cross-compiling with impure - nixpkgs.buildPlatform = builtins.currentSystem; - nixpkgs.hostPlatform = system; - } + # TODO: would like to use the mobile-nixos installer? + # "${nixpkgs-unstable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix" - linux - home-manager-unstable-defaults + # linux + # home-manager-unstable-defaults # outputs.diskoConfigurations.unencrypted # can I even disko with an image-based installation? - common - wifi + # common + # wifi { system.stateVersion = "24.11"; @@ -686,7 +681,9 @@ { imports = [ - (import "${mobile-nixos}/lib/configuration.nix" {device = "pine64-pinephone";}) + (import "${mobile-nixos}/lib/configuration.nix" { + device = "pine64-pinephone"; + }) ]; # TODO: quirk: since the pinephone kernel doesn't seem to have "rpfilter" support, firewall ain't working From 2c541801e6733a87bd390f4f53f11494ad01e143 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 9 Oct 2024 09:57:09 -0500 Subject: [PATCH 06/14] Add image --- flake.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index e1a7c29..b690336 100644 --- a/flake.nix +++ b/flake.nix 
@@ -666,14 +666,14 @@ # for testing, this seems to work `nixos-rebuild build --impure --flake .#pinephone` # TODO: would like to use the mobile-nixos installer? - # "${nixpkgs-unstable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix" + "${nixpkgs-unstable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix" - # linux - # home-manager-unstable-defaults + linux + home-manager-unstable-defaults # outputs.diskoConfigurations.unencrypted # can I even disko with an image-based installation? - # common - # wifi + common + wifi { system.stateVersion = "24.11"; @@ -697,6 +697,8 @@ }; }; + images.pinephone = outputs.nixosConfigurations.pinephone.config.system.build.sdImage; + homeConfigurations = { "deck" = let system = "x86_64-linux"; From a1acf60896981de1e584409d4509cea552357583 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 9 Oct 2024 10:05:14 -0500 Subject: [PATCH 07/14] I think this will build an SD image with an installer? --- flake.nix | 10 ++++++++++ modules/nixos/default.nix | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index b690336..babac53 100644 --- a/flake.nix +++ b/flake.nix 
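Review bot: `"${nixpkgs-unstable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"` pulls in the nixpkgs installation-device profile, which as far as I recall sets an empty root password, auto-logs-in a passwordless-sudo `nixos` user and sets `PermitRootLogin` to `"yes"` — defaults meant for a throwaway installer, not for an image that also carries `wifi` and a forced-off firewall in the same configuration. If the image is meant to be flashed and used as the day-to-day system, the non-installer `sd-image-aarch64.nix` module from the same directory builds the same `sdImage` without those defaults; if the installer profile is wanted, set `users.users.root.initialHashedPassword` explicitly and verify the sshd settings from the shared module survive the merge. `images.pinephone = outputs.nixosConfigurations.pinephone.config.system.build.sdImage;` reads fine provided `outputs` is the self-referencing attrset this flake already uses for `diskoConfigurations`.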
@@ -692,6 +692,16 @@ # TODO: quirk: since git send-email requires perl support, which we don't seem to have on the pinephone, we're just disabling git for now # TODO: would likely be easier/better to somehow ignore the assertion? probably a way to do that... programs.git.enable = lib.mkForce false; + + # this option is conflicted, presumably due to some assumption in my defaults/common config + # the sd-image module we're importing above has this set to true, so we better go with that? + # that said, I think the mobile-nixos bootloader module has this set to false, so... + # TODO: what does this mean? + boot.loader.generic-extlinux-compatible.enable = lib.mkForce true; + + # another conflicting option since I think I default to NetworkManager and this conflicts with networking.wireless.enable + networking.networkmanager.enable = lib.mkForce false; + networking.wireless.enable = lib.mkForce true; } ]; }; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 4617883..624f43f 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -308,7 +308,7 @@ settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; - PermitRootLogin = "prohibit-password"; + PermitRootLogin = lib.mkForce "prohibit-password"; }; openFirewall = lib.mkDefault true; @@ -362,7 +362,7 @@ modifications unstable-packages ]; - config.allowUnfree = true; + # config.allowUnfree = true; }; nix = { From 2b4b1c58507eba516f6e9d75c6a25dcc1d318ee6 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 9 Oct 2024 11:04:24 -0500 Subject: [PATCH 08/14] Well, we tried --- flake.nix | 61 ++++++++++++++++++++++++--------------- modules/nixos/default.nix | 1 - 2 files changed, 37 insertions(+), 25 deletions(-) diff --git a/flake.nix b/flake.nix index babac53..c5a1338 100644 --- a/flake.nix +++ b/flake.nix 
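Review bot: Commenting out `config.allowUnfree = true;` in `default-nix-configuration-and-overlays` changes every host that imports the shared module, not only the pinephone, so any host with unfree packages stops evaluating until it is put back. If the pinephone build needs it off, write `config.allowUnfree = lib.mkDefault true;` here and override it in the pinephone module. The `lib.mkForce` on `PermitRootLogin` is the right call — it keeps the shared hardening above whatever the imported installer module sets — but deserves a short comment such as `# mkForce: the imported sd-image installer profile sets this more permissively`, hedged as appropriate if that is indeed what prompted it. The `networking.networkmanager.enable = lib.mkForce false;` / `networking.wireless.enable = lib.mkForce true;` pair is explained by the comment, which is good; the enclosing `modules` list starts outside the hunk.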
@@ -659,8 +659,39 @@ pinephone = let inherit (nixpkgs-unstable) lib; in - nixpkgs-unstable.legacyPackages.${builtins.currentSystem}.pkgsCross.aarch64-multiplatform.nixos { - imports = with nixosModules; [ + lib.nixosSystem { + system = "aarch64-linux"; + # lib.nixosSystem { + + modules = with nixosModules; [ + { + imports = [ + (import "${mobile-nixos}/lib/configuration.nix" { + device = "pine64-pinephone"; + }) + ]; + + # nixpkgs.hostPlatform.system = "aarch64-linux"; + nixpkgs.buildPlatform = "x86_64-linux"; + + # TODO: quirk: since the pinephone kernel doesn't seem to have "rpfilter" support, firewall ain't working + networking.firewall.enable = lib.mkForce false; + + # TODO: quirk: since git send-email requires perl support, which we don't seem to have on the pinephone, we're just disabling git for now + # TODO: would likely be easier/better to somehow ignore the assertion? probably a way to do that... + programs.git.enable = lib.mkForce false; + + # this option is conflicted, presumably due to some assumption in my defaults/common config + # the sd-image module we're importing above has this set to true, so we better go with that? + # that said, I think the mobile-nixos bootloader module has this set to false, so... + # TODO: what does this mean? + boot.loader.generic-extlinux-compatible.enable = lib.mkForce true; + + # another conflicting option since I think I default to NetworkManager and this conflicts with networking.wireless.enable + networking.networkmanager.enable = lib.mkForce false; + networking.wireless.enable = lib.mkForce true; + } + # TODO: how do I build this as a .img to flash to an SD card? # for testing, this seems to work `nixos-rebuild build --impure --flake .#pinephone` 
@@ -680,28 +711,10 @@ } { - imports = [ - (import "${mobile-nixos}/lib/configuration.nix" { - device = "pine64-pinephone"; - }) - ]; - - # TODO: quirk: since the pinephone kernel doesn't seem to have "rpfilter" support, firewall ain't working - networking.firewall.enable = lib.mkForce false; - - # TODO: quirk: since git send-email requires perl support, which we don't seem to have on the pinephone, we're just disabling git for now - # TODO: would likely be easier/better to somehow ignore the assertion? probably a way to do that... - programs.git.enable = lib.mkForce false; - - # this option is conflicted, presumably due to some assumption in my defaults/common config - # the sd-image module we're importing above has this set to true, so we better go with that? - # that said, I think the mobile-nixos bootloader module has this set to false, so... - # TODO: what does this mean? - boot.loader.generic-extlinux-compatible.enable = lib.mkForce true; - - # another conflicting option since I think I default to NetworkManager and this conflicts with networking.wireless.enable - networking.networkmanager.enable = lib.mkForce false; - networking.wireless.enable = lib.mkForce true; + # nixpkgs.buildPlatform = "x86_64-linux"; + # nixpkgs.hostPlatform = lib.systems.examples.aarch64-multiplatform; + # nixpkgs.localSystem.system = lib.systems.examples.x86_64-linux; + # nixpkgs.crossSystem = lib.mkForce null; } ]; }; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 624f43f..b18be39 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1230,7 +1230,6 @@ }; }; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; system.stateVersion = lib.mkDefault "24.05"; }; From 303ca8c8711480120ce4aa0e6bd70732f14fb488 Mon Sep 17 00:00:00 2001 
From: Daniel Flanagan Date: Thu, 10 Oct 2024 11:46:03 -0500 Subject: [PATCH 09/14] Fix minecraft server so saving works --- flake.nix | 1 + modules/nixos/default.nix | 8 +++++++- nixos/beefcake.nix | 32 +++++++++++++++++++++----------- 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/flake.nix b/flake.nix index c5a1338..751d19b 100644 --- a/flake.nix +++ b/flake.nix @@ -407,6 +407,7 @@ virtual-machines-gui laptop gaming + cross-compiler ./nixos/foxtrot.nix diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index b18be39..448baae 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -351,6 +351,10 @@ }; }; + cross-compiler = {config, ...}: { + boot.binfmt.emulatedSystems = ["aarch64-linux"]; + }; + default-nix-configuration-and-overlays = { lib, config, @@ -362,7 +366,7 @@ modifications unstable-packages ]; - # config.allowUnfree = true; + config.allowUnfree = true; }; nix = { @@ -373,6 +377,8 @@ trusted-users = ["root" "daniel"]; experimental-features = lib.mkDefault ["nix-command" "flakes"]; + extra-platforms = ["aarch64-linux"]; + substituters = [ # TODO: dedupe with flake's config? is that even necessary? "https://cache.nixos.org/" diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index b06763b..6871931 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix 
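Review bot: `extra-platforms = ["aarch64-linux"];` lands in the shared `nix.settings` while the matching `boot.binfmt.emulatedSystems` lives in the opt-in `cross-compiler` module, so every host advertises that it can run aarch64-linux derivations but only hosts that import `cross-compiler` actually can; on the others the daemon accepts the build and fails on the first aarch64 binary it executes. Keeping the two together avoids that: `cross-compiler = {...}: { boot.binfmt.emulatedSystems = ["aarch64-linux"]; nix.settings.extra-platforms = ["aarch64-linux"]; };`, which also drops the unused `config` argument in that module's signature. The name slightly misleads since binfmt is QEMU user-mode emulation rather than cross-compilation; a one-line comment like `# runs aarch64-linux builds via qemu-user binfmt` would help. Restoring `config.allowUnfree = true;` here undoes the PATCH 07 change, as intended.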
@@ -1112,26 +1112,27 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 port = 26969; dir = "/storage/flanilla"; user = "flanilla"; - uid = config.users.users.flanilla.uid; - gid = config.users.groups.flanilla.gid; + # uid = config.users.users.flanilla.uid; + # gid = config.users.groups.flanilla.gid; in { # flanilla family minecraft server users.groups.${user} = {}; users.users.${user} = { isSystemUser = true; createHome = false; + home = dir; group = user; }; virtualisation.oci-containers.containers.minecraft-flanilla = { - autoStart = true; + autoStart = false; image = "docker.io/itzg/minecraft-server"; - user = "${toString uid}:${toString gid}"; + # user = "${toString uid}:${toString gid}"; extraOptions = ["--tty" "--interactive"]; environment = { EULA = "true"; MOTD = "Flanilla Survival! Happy hunting!"; - UID = toString uid; - GID = toString gid; + # UID = toString uid; + # GID = toString gid; STOP_SERVER_ANNOUNCE_DELAY = "20"; TZ = "America/Chicago"; VERSION = "1.21"; @@ -1152,6 +1153,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 "${dir}/worlds:/worlds" ]; }; + systemd.services.podman-minecraft-flanilla.serviceConfig = { + User = user; + Group = user; + }; systemd.tmpfiles.settings = { "10-${user}-survival" = { "${dir}/data" = { 
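Review bot: `systemd.services.podman-minecraft-flanilla.serviceConfig = { User = user; Group = user; };` moves the survival container from root podman with an in-container `--user` to rootless podman under `flanilla`, which is a better privilege boundary, but a rootless podman unit under a system user most likely also needs subordinate id ranges — `users.users.${user}.autoSubUidGidRange = true;` next to the added `home = dir;` — or the image's in-container user switch fails with a user-namespace error. `autoStart = false;` on the survival server looks unintended given the commit title "Fix minecraft server so saving works"; worth confirming before this lands. The removed `UID`/`GID` environment lines are consistent with the new model, since the host-side uid now comes from the unit. The enclosing attrset continues outside the hunk.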
@@ -1179,26 +1184,27 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 port = 26968; dir = "/storage/flanilla-creative"; user = "flanilla"; - uid = config.users.users.flanilla.uid; - gid = config.users.groups.flanilla.gid; + # uid = config.users.users.flanilla.uid; + # gid = config.users.groups.flanilla.gid; in { # flanilla family minecraft server users.groups.${user} = {}; users.users.${user} = { isSystemUser = true; createHome = false; + home = lib.mkForce dir; group = user; }; virtualisation.oci-containers.containers.minecraft-flanilla-creative = { autoStart = true; image = "docker.io/itzg/minecraft-server"; - user = "${toString uid}:${toString gid}"; + # user = "${toString uid}:${toString gid}"; extraOptions = ["--tty" "--interactive"]; environment = { EULA = "true"; MOTD = "Flanilla Creative! Have fun building!"; - UID = toString uid; - GID = toString gid; + # UID = toString uid; + # GID = toString gid; STOP_SERVER_ANNOUNCE_DELAY = "20"; TZ = "America/Chicago"; VERSION = "1.21"; @@ -1219,6 +1225,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 "${dir}/worlds:/worlds" ]; }; + # systemd.services.podman-minecraft-flanilla-creative.serviceConfig = { + # User = user; + # Group = user; + # }; systemd.tmpfiles.settings = { "10-${user}-creative" = { "${dir}/data" = { From 8afad6f40c192b422193ea18e7a99d6992112517 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Mon, 14 Oct 2024 09:54:39 -0500 Subject: [PATCH 10/14] Add factorio server in preparation for 2.0 release --- nixos/beefcake.nix | 23 ++++++++++++++ nixos/factorio-versions.json | 58 ++++++++++++++++++++++++++++++++++++ nixos/router.nix | 2 ++ secrets/beefcake/secrets.yml | 5 ++-- 4 files changed, 86 insertions(+), 2 deletions(-) create mode 100644 nixos/factorio-versions.json diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index 6871931..df44b9b 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix 
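Review bot: `home = lib.mkForce dir;` wins the merge against the survival module's `home = dir;` for the shared `flanilla` user, so the survival podman unit — which now runs as `User = flanilla` — gets `/storage/flanilla-creative` as its home and is likely to keep its rootless container storage there; defining the user's home once in a common place, or giving each server its own system user, removes that hidden coupling. The creative container is in a worse spot than before this change: its `user = "${toString uid}:${toString gid}"` and `UID`/`GID` lines are removed, but the `systemd.services.podman-minecraft-flanilla-creative.serviceConfig` block is commented out, so with `autoStart = true;` it now runs as root inside a root-owned podman. Either apply the same `User`/`Group` treatment here or keep the in-container uid/gid mapping until it does.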
@@ -1804,6 +1804,29 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 extraConfig = ''reverse_proxy :5006''; }; } + { + services.factorio = { + enable = true; + package = pkgs.factorio-headless.override { + versionsJson = ./factorio-versions.json; + }; + admins = ["lytedev"]; + autosave-interval = 5; + game-name = "Flanwheel Online"; + description = "Space Age 2.0"; + openFirewall = true; + # public = true; # NOTE: cannot be true if requireUserVerification is false + port = 34197; + requireUserVerification = false; # critical for DRM-free users + lan = true; # NOTE: not sure if this interferes with online-ability? + + # contains the game password and account password for "public" servers + extraSettingsFile = config.sops.secrets.factorio-server-settings.path; + }; + sops.secrets = { + factorio-server-settings = {mode = "0777";}; + }; + } ]; /* diff --git a/nixos/factorio-versions.json b/nixos/factorio-versions.json new file mode 100644 index 0000000..e772fd0 --- /dev/null +++ b/nixos/factorio-versions.json 
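Review bot: `factorio-server-settings = {mode = "0777";}` makes the file that the comment above says holds the game and account password world-readable and world-writable, so any local user or process on this host can read it or swap in its own settings. If the wide mode is there because `services.factorio` runs under a dynamic user that cannot be named in the secret's `owner`, the usual way out is to keep the sops file at `0400` and hand it to the unit as a systemd credential, pointing `extraSettingsFile` at the credential path; confirm the module's pre-start merge step sees the credentials directory. With `requireUserVerification = false` and UDP 34197 forwarded from the WAN, the game password in that file is the only gate for internet clients, which is one more reason to keep the file private. The enclosing modules list starts outside the hunk.
```nix
# … unchanged: other services.factorio options …
# keep the secret private; the unit reads it through a systemd credential
extraSettingsFile = "/run/credentials/factorio.service/server-settings";
};
sops.secrets.factorio-server-settings.mode = "0400";
systemd.services.factorio.serviceConfig.LoadCredential = [
  "server-settings:${config.sops.secrets.factorio-server-settings.path}"
];
```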
@@ -0,0 +1,58 @@ +{ + "x86_64-linux": { + "alpha": { + "experimental": { + "name": "factorio_alpha_x64-1.1.110.tar.xz", + "needsAuth": true, + "sha256": "0ndhb94lh47n09a7wshm2inv52fd6rjfa7fk7nk9b7zzh84i7f4x", + "tarDirectory": "x64", + "url": "https://factorio.com/get-download/1.1.110/alpha/linux64", + "version": "1.1.110" + }, + "stable": { + "name": "factorio_alpha_x64-1.1.110.tar.xz", + "needsAuth": true, + "sha256": "0ndhb94lh47n09a7wshm2inv52fd6rjfa7fk7nk9b7zzh84i7f4x", + "tarDirectory": "x64", + "url": "https://factorio.com/get-download/1.1.110/alpha/linux64", + "version": "1.1.110" + } + }, + "demo": { + "experimental": { + "name": "factorio_demo_x64-1.1.110.tar.xz", + "needsAuth": false, + "sha256": "0dasxgrybl00vrabgrlarsvg0hdg5rvn3y4hsljhqc4zpbf93nxx", + "tarDirectory": "x64", + "url": "https://factorio.com/get-download/1.1.110/demo/linux64", + "version": "1.1.110" + }, + "stable": { + "name": "factorio_demo_x64-1.1.110.tar.xz", + "needsAuth": false, + "sha256": "0dasxgrybl00vrabgrlarsvg0hdg5rvn3y4hsljhqc4zpbf93nxx", + "tarDirectory": "x64", + "url": "https://factorio.com/get-download/1.1.110/demo/linux64", + "version": "1.1.110" + } + }, + "headless": { + "experimental": { + "name": "factorio_headless_x64-1.1.110.tar.xz", + "needsAuth": false, + "sha256": "0sk4g9y051xjhiwdhj1yz808308zwsbpq3nps1ywvpp56vdycps8", + "tarDirectory": "x64", + "url": "https://factorio.com/get-download/1.1.110/headless/linux64", + "version": "1.1.110" + }, + "stable": { + "name": "factorio_headless_x64-1.1.110.tar.xz", + "needsAuth": false, + "sha256": "0sk4g9y051xjhiwdhj1yz808308zwsbpq3nps1ywvpp56vdycps8", + "tarDirectory": "x64", + "url": "https://factorio.com/get-download/1.1.110/headless/linux64", + "version": "1.1.110" + } + } + } +} \ No newline at end of file diff --git a/nixos/router.nix b/nixos/router.nix index ff8d685..751b99b 100644 --- a/nixos/router.nix +++ b/nixos/router.nix 
@@ -214,6 +214,7 @@ in { udp dport { 80, 443 } accept comment "Allow QUIC to server (see nat prerouting)" tcp dport { 22 } accept comment "Allow SSH to server (see nat prerouting)" tcp dport { 25565 } accept comment "Allow Minecraft server connections (see nat prerouting)" + udp dport { 34197 } accept comment "Allow Factorio server connections (see nat prerouting)" iifname "${lan}" accept comment "Allow local network to access the router" iifname "tailscale0" accept comment "Allow local network to access the router" @@ -256,6 +257,7 @@ in { iifname ${wan} tcp dport {26966} dnat to ${hosts.beefcake.ip} iifname ${wan} tcp dport {25565} dnat to ${hosts.bald.ip} iifname ${wan} udp dport {25565} dnat to ${hosts.bald.ip} + iifname ${wan} udp dport {34197} dnat to ${hosts.beefcake.ip} } chain postrouting { diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml index dd41417..c6878f3 100644 --- a/secrets/beefcake/secrets.yml +++ b/secrets/beefcake/secrets.yml @@ -27,6 +27,7 @@ restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYej restic-rascal-ssh-private-key: ENC[AES256_GCM,data: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,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str] restic-ssh-priv-key-benland: ENC[AES256_GCM,data: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,iv:IP+N8JQu+XRvwTtBnxu54ujzU5UliltXG3mk9HfJaN8=,tag:4oinE9QMaSh8IfUd/ttM3Q==,type:str] paperless-superuser-password: ENC[AES256_GCM,data:lypWK73mOYI2hyQAW/4T3cDiVtsts3kKb7LZb9ES3n97Kn5l,iv:jBHUBFbb4GqQ3gnK0h5VCaGj3/kd3/eGa1QFiE7+B9I=,tag:UoQar+x1xVnCV2k+9hYjWA==,type:str] +factorio-server-settings: ENC[AES256_GCM,data:ZEwi0Ff9vmUi7bdguNV1LgppsQFktvIM+4y7/mUC2cQ37wDWwPvKvKmcaDOxTM7XteIcaLsFg6rttUASSJDiFRGTt5/FNagTn6kfMJEETLZyxQ==,iv:AxSpB4/nFHFtkfO0x8Ra5w2Nd+bqt54Y5NRkIU/Bb5Y=,tag:8tuaqrn0Y2wAnTqUQPqXYA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -51,8 +52,8 @@ sops: bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-13T05:09:18Z" - mac: ENC[AES256_GCM,data:rS12xfQ6FQwVa19rdfk6i1DThUOfsrw+IdKGYOMrX8a7sOKPkNxyxyZASfaKopg3BaM8qmoOFUW4B9VWwTh4d+MhruH3DhJO3UuZpOtDv7H8JFmzqg8rlYx0nm+8/+dB0zjgK7m2FP8wn0jfXraaaQ7/HobgLgGtl+NAsXQkrwQ=,iv:+JO3Yq6Kp2CHu20dSRDOJf0ivq5ASHYrKvlCgg1vGxQ=,tag:y6nIISSZFQwRoFNvqaQWbg==,type:str] + lastmodified: "2024-10-14T14:32:44Z" + mac: ENC[AES256_GCM,data:Jebesyq1m+kEmeXJHQyJOxkJUP79PlfwyzbrWIKYb2E4zrdOdSj8l7ucFJm4l9jFFcZF+CQc/zzlkFPiYxJbeBrM6L7tnV1v3N4t699x3S0oF72tAAewvxVaHtSridP2zVdEhNzaOIP3GXTi677vx1NQy+WyIAHe63vAAyW4F4Q=,iv:p2hfMsuWxSnqB16O+7vOm3LPW/LvWa+1zdFYlJJkgVI=,tag:PYs9/peP0WEsdSDrToJkOw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 From c8bf3ae618af2dbc22b673f19932c65f11ec11c7 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Mon, 14 Oct 2024 09:58:00 -0500 Subject: [PATCH 11/14] clean up since online works with lan=true --- nixos/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index df44b9b..db91b35 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -1815,10 +1815,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 game-name = "Flanwheel Online"; description = "Space Age 2.0"; openFirewall = true; + lan = true; # public = true; # NOTE: cannot be true if requireUserVerification is false port = 34197; requireUserVerification = false; # critical for DRM-free users - lan = true; # NOTE: not sure if this interferes with online-ability? # contains the game password and account password for "public" servers extraSettingsFile = config.sops.secrets.factorio-server-settings.path; From 66c0f17e46fe91b4901a7e29f988a9cb510cc444 Mon Sep 17 00:00:00 2001 
From: Daniel Flanagan Date: Mon, 14 Oct 2024 09:58:40 -0500 Subject: [PATCH 12/14] fix: game-password -> game_password --- secrets/beefcake/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml index c6878f3..0b11c0f 100644 --- a/secrets/beefcake/secrets.yml +++ b/secrets/beefcake/secrets.yml @@ -27,7 +27,7 @@ restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYej restic-rascal-ssh-private-key: ENC[AES256_GCM,data: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,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str] restic-ssh-priv-key-benland: ENC[AES256_GCM,data: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,iv:IP+N8JQu+XRvwTtBnxu54ujzU5UliltXG3mk9HfJaN8=,tag:4oinE9QMaSh8IfUd/ttM3Q==,type:str] paperless-superuser-password: ENC[AES256_GCM,data:lypWK73mOYI2hyQAW/4T3cDiVtsts3kKb7LZb9ES3n97Kn5l,iv:jBHUBFbb4GqQ3gnK0h5VCaGj3/kd3/eGa1QFiE7+B9I=,tag:UoQar+x1xVnCV2k+9hYjWA==,type:str] -factorio-server-settings: ENC[AES256_GCM,data:ZEwi0Ff9vmUi7bdguNV1LgppsQFktvIM+4y7/mUC2cQ37wDWwPvKvKmcaDOxTM7XteIcaLsFg6rttUASSJDiFRGTt5/FNagTn6kfMJEETLZyxQ==,iv:AxSpB4/nFHFtkfO0x8Ra5w2Nd+bqt54Y5NRkIU/Bb5Y=,tag:8tuaqrn0Y2wAnTqUQPqXYA==,type:str] +factorio-server-settings: ENC[AES256_GCM,data:ItK+/eONdAqNAiQxCrCipUmTdIKt274qwVyNnSdOdxxd67XGozs/xr/cCYwwDiUyKQ7mD8oBLL6EVaHbXpObLwGe0Nsnz5jE9GtI0k5184/jsQ==,iv:Qre+BKhdqNDNuOz0PGZJJpTmQxJdNoTbd5FxRy0lrVs=,tag:G4dFdVclUdagyA84Yh653w==,type:str] sops: kms: [] gcp_kms: [] 
@@ -52,8 +52,8 @@ sops: bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-14T14:32:44Z" - mac: ENC[AES256_GCM,data:Jebesyq1m+kEmeXJHQyJOxkJUP79PlfwyzbrWIKYb2E4zrdOdSj8l7ucFJm4l9jFFcZF+CQc/zzlkFPiYxJbeBrM6L7tnV1v3N4t699x3S0oF72tAAewvxVaHtSridP2zVdEhNzaOIP3GXTi677vx1NQy+WyIAHe63vAAyW4F4Q=,iv:p2hfMsuWxSnqB16O+7vOm3LPW/LvWa+1zdFYlJJkgVI=,tag:PYs9/peP0WEsdSDrToJkOw==,type:str] + lastmodified: "2024-10-14T14:58:39Z" + mac: ENC[AES256_GCM,data:cNVTWA2S9SMEqoDz7jHuN/9hO20kDyoR03vKw8D72VJiqDEVvAkYeRu6KmGI7DWcfV/2OIrwVjyt+zry92ksYPmF1Xx8s4hu6Z0ooi7mvNrtSMnOLJ68mfpERbdBBcnvX5YivS50mbPhif/kvb5IgUxIQvo2NGFC9Sj7ZnXLa+U=,iv:kKkHVNJ0JE4CRvQdLAfFHKeL4h3o7Z6HJ57HzsqKTJY=,tag:k9K7NS2TZ0uk9u0yd9IAOg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 From 06427b694c011bb08a44207045a5699fca58db5c Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 15 Oct 2024 10:10:28 -0500 Subject: [PATCH 13/14] Building jovian --- flake.lock | 45 +++++++++++++++++++++++++++++++++++++++ flake.nix | 35 ++++++++++++++++++++++++++++++ modules/nixos/default.nix | 4 ++-- 3 files changed, 82 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 838341c..1691673 100644 --- a/flake.lock +++ b/flake.lock @@ -505,6 +505,28 @@ "type": "github" } }, + "jovian": { + "inputs": { + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1728974938, + "narHash": "sha256-pTPEx6WlM+nJVGrRUGx7Di4ljZMwE9HfvlZ6f3NzNfo=", + "owner": "Jovian-Experiments", + "repo": "Jovian-NixOS", + "rev": "23170582b0658e6afd913149a58863af3a57b376", + "type": "github" + }, + "original": { + "owner": "Jovian-Experiments", + "ref": "development", + "repo": "Jovian-NixOS", + "type": "github" + } + }, "libpng": { "flake": false, "locked": { 
@@ -538,6 +560,28 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "jovian", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690328911, + "narHash": "sha256-fxtExYk+aGf2YbjeWQ8JY9/n9dwuEt+ma1eUFzF8Jeo=", + "owner": "zhaofengli", + "repo": "nix-github-actions", + "rev": "96df4a39c52f53cb7098b923224d8ce941b64747", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "matrix-name", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1709479366, @@ -643,6 +687,7 @@ "home-manager": "home-manager", "home-manager-unstable": "home-manager-unstable", "hyprland": "hyprland", + "jovian": "jovian", "mobile-nixos": "mobile-nixos", "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", diff --git a/flake.nix b/flake.nix index 751d19b..d58908d 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,9 @@ slippi.inputs.nixpkgs.follows = "nixpkgs-unstable"; slippi.inputs.home-manager.follows = "home-manager-unstable"; + jovian.url = "github:Jovian-Experiments/Jovian-NixOS/development"; + jovian.inputs.nixpkgs.follows = "nixpkgs-unstable"; + # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b"; mobile-nixos = { @@ -71,6 +74,7 @@ home-manager-unstable, helix, hardware, + jovian, mobile-nixos, # nnf, # hyprland, 
@@ -391,6 +395,37 @@ ]; }; + steamdeck1 = nixpkgs-unstable.lib.nixosSystem { + system = "x86_64-linux"; + modules = with nixosModules; [ + home-manager-unstable-defaults + + outputs.diskoConfigurations.standard + hardware.nixosModules.common-pc-ssd + common + gaming + graphical-workstation + plasma6 + + jovian.outputs.nixosModules.jovian + + { + networking.hostName = "steamdeck1"; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + hardware.bluetooth.enable = true; + networking.networkmanager.enable = true; + + home-manager.users.daniel = { + imports = with homeManagerModules; [ + firefox-no-tabs + linux-desktop-environment-config + ]; + }; + } + ]; + }; + foxtrot = nixpkgs-unstable.lib.nixosSystem { system = "x86_64-linux"; modules = with nixosModules; [ diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 08f4550..b9973c9 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -352,7 +352,7 @@ }; cross-compiler = {config, ...}: { - boot.binfmt.emulatedSystems = ["aarch64-linux"]; + boot.binfmt.emulatedSystems = ["aarch64-linux" "i686-linux"]; }; default-nix-configuration-and-overlays = { @@ -377,7 +377,7 @@ trusted-users = ["root" "daniel"]; experimental-features = lib.mkDefault ["nix-command" "flakes"]; - extra-platforms = ["aarch64-linux"]; + extra-platforms = ["i686-linux" "aarch64-linux"]; substituters = [ # TODO: dedupe with flake's config? is that even necessary? From 5ad3a220a7ea1ec28581574bbde2739f06ac09af Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Tue, 15 Oct 2024 10:43:21 -0500 Subject: [PATCH 14/14] Fix soju account by updating password --- nixos/beefcake.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index db91b35..97f9328 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix 
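Review bot: Adding `"i686-linux"` to `boot.binfmt.emulatedSystems` on an x86_64 host registers a QEMU user-mode handler for 32-bit x86 ELF binaries that the kernel can already run natively when 32-bit compatibility is enabled; as I understand binfmt_misc, that handler takes precedence for every i686 binary on the machine, not just Nix builds, and is much slower. `nix.settings.extra-platforms = ["i686-linux" "aarch64-linux"]` is the part that actually lets the daemon accept i686 builds, so try keeping i686 only there and leaving `emulatedSystems = ["aarch64-linux"]`. As in PATCH 09, `extra-platforms` still sits in the shared module while the binfmt line is opt-in, so hosts without `cross-compiler` claim aarch64 support they do not have. `jovian.outputs.nixosModules.jovian` tracks the upstream `development` branch, pinned by flake.lock, so updates arrive only on an explicit `nix flake update`; the steamdeck1 configuration itself looks consistent with the foxtrot one below it.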
@@ -220,8 +220,6 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 networking.firewall.allowedUDPPorts = lib.mkIf config.services.headscale.enable [3478];
 }
 {
- # TODO: I think I need to setup my account? wondering if this can be done in nix as well
-
 services.restic.commonPaths = ["/var/lib/soju" "/var/lib/private/soju"];
 services.soju = {
 enable = true;