lytedev/nix
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'origin/main'

Browse source
This commit is contained in:
Daniel Flanagan 2023-11-26 16:47:21 -06:00
commit cdb3b7c5bf
Signed by: lytedev
GPG key ID: 5B2020A0F9921EF4
15 changed files with 202 additions and 148 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
flake.lock
View file

@ -59,11 +59,11 @@
]
},
"locked": {
"lastModified": 1696266752,
"narHash": "sha256-wJnMDFM21+xXdsXSs6pXMElbv4YfqmQslcPApRuaYKs=",
"lastModified": 1699781810,
"narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "646ee25c25fffee122a66282861f5f56ad3e0fd9",
"rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
"type": "github"
},
"original": {
@ -145,11 +145,11 @@
},
"hardware": {
"locked": {
"lastModified": 1699701045,
"narHash": "sha256-mDzUXK7jNO/utInWpSWEX1NgEEunVIpJg+LyPsDTfy0=",
"lastModified": 1700559156,
"narHash": "sha256-gL4epO/qf+wo30JjC3g+b5Bs8UrpxzkhNBBsUYxpw2g=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "b689465d0c5d88e158e7d76094fca08cc0223aad",
"rev": "c3abafb01cd7045dba522af29b625bd1e170c2fb",
"type": "github"
},
"original": {
@ -189,11 +189,11 @@
]
},
"locked": {
"lastModified": 1696145345,
"narHash": "sha256-3dM7I/d4751SLPJah0to1WBlWiyzIiuCEUwJqwBdmr4=",
"lastModified": 1700553346,
"narHash": "sha256-kW7uWsCv/lxuA824Ng6EYD9hlVYRyjuFn0xBbYltAeQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6f9b5b83ad1f470b3d11b8a9fe1d5ef68c7d0e30",
"rev": "1aabb0a31b25ad83cfaa37c3fe29053417cd9a0f",
"type": "github"
},
"original": {
@ -214,11 +214,11 @@
"xdph": "xdph"
},
"locked": {
"lastModified": 1699391198,
"narHash": "sha256-HrnlCdZBqqE37gFORapfSGEGcqhCyhX2aSMRnDEmR0k=",
"lastModified": 1700592218,
"narHash": "sha256-vHzDbBrZ5EsfVUMLgjuugf6OqB+iOLjKLO9O5n2occ4=",
"owner": "hyprwm",
"repo": "Hyprland",
"rev": "751d2851cc270c3322ffe2eb83c156e4298a0c0e",
"rev": "472926528428cd714c90f157e639fc0466611c8b",
"type": "github"
},
"original": {
@ -276,11 +276,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1697723726,
"narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
"lastModified": 1700390070,
"narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
"rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb",
"type": "github"
},
"original": {
@ -354,11 +354,11 @@
]
},
"locked": {
"lastModified": 1695284550,
"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
"lastModified": 1700362823,
"narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
"rev": "49a87c6c827ccd21c225531e30745a9a6464775c",
"type": "github"
},
"original": {
@ -453,18 +453,18 @@
"flake": false,
"locked": {
"host": "gitlab.freedesktop.org",
"lastModified": 1697909146,
"narHash": "sha256-jU0I6FoCKnj4zIBL4daosFWh81U1fM719Z6cae8PxSY=",
"lastModified": 1699292815,
"narHash": "sha256-HXu98PyBMKEWLqiTb8viuLDznud/SdkdJsx5A5CWx7I=",
"owner": "wlroots",
"repo": "wlroots",
"rev": "47bf87ade2bd32395615a385ebde1fefbcdf79a2",
"rev": "5de9e1a99d6642c2d09d589aa37ff0a8945dcee1",
"type": "gitlab"
},
"original": {
"host": "gitlab.freedesktop.org",
"owner": "wlroots",
"repo": "wlroots",
"rev": "47bf87ade2bd32395615a385ebde1fefbcdf79a2",
"rev": "5de9e1a99d6642c2d09d589aa37ff0a8945dcee1",
"type": "gitlab"
}
},

79
lib/internal.md
View file

@ -2,8 +2,85 @@
## Update Server
```shell
**NOTE**: I want to establish a solid way to do this without `root@`.
```fish
g a; set host beefcake; nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
--target-host "root@$host" --build-host "root@$host" \
switch --show-trace
```
## Safer Method
```bash
# make sure all files are at least staged so nix flakes will see them
git add -A
# initialize a delayed reboot by a process you can kill later if things look good
# note that the amount of time you give it probably needs to be enough time to both complete the upgrade
# _and_ perform whatever testing you need
host=your_host
ssh -t "root@$host" "bash -c '
set -m
(sleep 300; reboot;) &
jobs -p
bg
disown
'"
# build the system and start running it, but do NOT set the machine up to boot to that system yet
# we will test things and make sure it works first
# if it fails, the reboot we started previously will automatically kick in once the timeout is reached
# and the machine will boot to the now-previous iteration
nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
--target-host "root@$host" --build-host "root@$host" \
test --show-trace
# however you like, verify the system is running as expected
# if it is, run the same command with "switch" instead of "test"
# otherwise, we will wait until the machine reboots back into the
# this is crude, but should be pretty foolproof
# the main gotcha is that the system is already unbootable or non-workable, but
# if you always use this method, that should be an impossible state to get into
# if we still have ssh access and the machine fails testing, just rollback
# instead of waiting for the reboot
ssh "root@$host" nixos-rebuild --rollback switch
```
## Provisioning New NixOS Hosts
Note that for best results the target flake attribute should first be built and
cached to the binary cache at `nix.h.lyte.dev`.
```bash
# establish network access
# plug in ethernet or do the wpa_cli song and dance for wifi
wpa_cli scan
wpa_cli scan_results
wpa_cli add_network 0
wpa_cli set_network 0 ssid "MY_SSID"
wpa_cli set_network 0 psk "MY_WIFI_PASSWORD"
wpa_cli enable_network 0
wpa_cli save_config
# disk encryption key (if needed)
echo -n "password" > /tmp/secret.key
# partition disks
nix-shell --packages git --run "sudo nix run \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
github:nix-community/disko -- \
--flake 'git+https://git.lyte.dev/lytedev/nix#${PARTITION_SCHEME}' \
--mode disko \
--arg disks '[ \"/dev/${DISK}\" ]'"
# install
nix-shell --packages git \
--run "sudo nixos-install \
--flake 'git+https://git.lyte.dev/lytedev/nix#${FLAKE_ATTR}' \
--option trusted-substituters 'https://cache.nixos.org https://nix.h.lyte.dev' \
--option trusted-public-keys 'cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0='"
```

22
modules/home-manager/bat.nix
View file

@ -6,18 +6,18 @@
programs.bat = {
enable = true;
config = {
theme = "Catppuccin-mocha";
};
themes = {
"Catppuccin-mocha" = builtins.readFile (pkgs.fetchFromGitHub
{
owner = "catppuccin";
repo = "bat";
rev = "477622171ec0529505b0ca3cada68fc9433648c6";
sha256 = "6WVKQErGdaqb++oaXnY3i6/GuH2FhTgK0v4TN4Y0Wbw=";
}
+ "/Catppuccin-mocha.tmTheme");
theme = "ansi";
};
# themes = {
# "Catppuccin-mocha" = builtins.readFile (pkgs.fetchFromGitHub
# {
# owner = "catppuccin";
# repo = "bat";
# rev = "477622171ec0529505b0ca3cada68fc9433648c6";
# sha256 = "6WVKQErGdaqb++oaXnY3i6/GuH2FhTgK0v4TN4Y0Wbw=";
# }
# + "/Catppuccin-mocha.tmTheme");
# };
};
home.shellAliases = {

21
modules/home-manager/broot.nix
View file

@ -1,9 +1,9 @@
{...}: {
{colors, ...}: {
programs.broot = {
enable = true;
enableFishIntegration = true;
settings = {
modal = false; # vim mode?
modal = true; # vim mode?
verbs = [
{
@ -12,6 +12,23 @@
execution = "$EDITOR {file}";
}
];
skin = with colors.withHashPrefix; {
status_normal_fg = fg;
status_normal_bg = bg;
status_error_fg = red;
status_error_bg = yellow;
tree_fg = red;
selected_line_bg = bg2;
permissions_fg = purple;
size_bar_full_bg = red;
size_bar_void_bg = bg;
directory_fg = yellow;
input_fg = blue;
flag_value_fg = yellow;
table_border_fg = red;
code_fg = yellow;
};
};
};
}

1
modules/home-manager/common.nix
View file

@ -18,6 +18,7 @@
iex
zellij
broot
nnn
cargo
senpai
tmux

1
modules/home-manager/default.nix
View file

@ -19,6 +19,7 @@
zellij = import ./zellij.nix;
firefox = import ./firefox.nix;
broot = import ./broot.nix;
nnn = import ./nnn.nix;
waybar = import ./waybar.nix;
swaylock = import ./swaylock.nix;
desktop = import ./desktop.nix;

2
modules/home-manager/firefox.nix
View file

@ -5,7 +5,7 @@
enable = true;
# TODO: uses nixpkgs.pass so pass otp doesn't work
package = pkgs.firefox.override {extraNativeMessagingHosts = [pkgs.passff-host];};
package = pkgs.firefox.override {nativeMessagingHosts = [pkgs.passff-host];};
# extensions = with pkgs.nur.repos.rycee.firefox-addons; [
# ublock-origin

2
modules/home-manager/foxtrot.nix
View file

@ -1,5 +1,5 @@
{outputs, ...}: let
scale = 1.5;
scale = 1.25;
in {
imports = with outputs.homeManagerModules; [
sway

4
modules/home-manager/hyprland.nix
View file

@ -27,6 +27,10 @@
"desc:Dell Inc. DELL U2720Q D3TM623,3840x2160@60,3840x0,1.5,transform,3"
];
xwayland = {
force_zero_scaling = true;
};
exec-once = [
"hyprpaper"
"mako"

5
modules/home-manager/nnn.nix Normal file
View file

@ -0,0 +1,5 @@
{...}: {
programs.nnn = {
enable = true;
};
}

4
modules/nixos/postgres.nix
View file

@ -6,9 +6,7 @@
ensureUsers = [
{
name = "daniel";
ensurePermissions = {
"DATABASE daniel" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
enableTCPIP = true;

28
nixos/beefcake/default.nix
View file

@ -119,12 +119,6 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group;
};
plausible-erlang-cookie = {
path = "/var/lib/plausible/plausible-erlang-cookie";
mode = "0440";
owner = config.systemd.services.plausible.serviceConfig.User;
group = config.systemd.services.plausible.serviceConfig.Group;
};
plausible-secret-key-base = {
path = "/var/lib/plausible/plausible-secret-key-base";
mode = "0440";
@ -359,6 +353,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
};
};
# services.gitea-actions-runner.instances.main = {
# # TODO: simple git-based automation would be dope? maybe especially for
# # mirroring to github super easy?
# enable = false;
# };
services.gitea = {
enable = true;
appName = "git.lyte.dev";
@ -370,6 +370,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
HTTP_PORT = 3088;
DOMAIN = "git.lyte.dev";
};
actions = {
ENABLED = true;
};
service = {
DISABLE_REGISTRATION = true;
};
@ -406,7 +409,6 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
services.plausible = {
# TODO: enable
enable = false;
releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path;
database = {
clickhouse.setup = true;
postgres = {
@ -433,21 +435,15 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
ensureUsers = [
{
name = "daniel";
ensurePermissions = {
"DATABASE daniel" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
{
name = "plausible";
ensurePermissions = {
"DATABASE plausible" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
dataDir = "/storage/postgres";

32
nixos/foxtrot/default.nix
View file

@ -24,13 +24,32 @@
inputs.hardware.nixosModules.framework-13-7040-amd
];
# TODO: hibernation? does sleep suffice?
swapDevices = [
# TODO: move this to disko?
# sudo btrfs subvolume create /swap
# sudo btrfs filesystem mkswapfile --size 32g --uuid clear /swap/swapfile
# sudo swapon /swap/swapfile
{device = "/swap/swapfile";}
];
# findmnt -no UUID -T /swap/swapfile
boot.resumeDevice = "/dev/disk/by-uuid/3076912c-ac61-4067-b6b2-361f68b2d038";
services.logind = {
lidSwitch = "suspend-then-hibernate";
extraConfig = ''
HandlePowerKey=suspend-then-hibernate
IdleAction=suspend-then-hibernate
IdleActionSec=10m
'';
};
systemd.sleep.extraConfig = "HibernateDelaySec=30m";
services.fwupd.enable = true;
services.fwupd.extraRemotes = ["lvfs-testing"];
hardware.opengl.extraPackages = [
pkgs.rocmPackages.clr.icd
# pkgs.rocmPackages.clr.icd
pkgs.amdvlk
# encoding/decoding acceleration
pkgs.libvdpau-va-gl
@ -44,11 +63,16 @@
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
kernelPackages = pkgs.linuxPackages_6_5;
kernelPackages = pkgs.linuxPackages_latest;
# sudo filefrag -v /swap/swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}'
# the above won't work for btrfs, instead you need
# btrfs inspect-internal map-swapfile -r /swap/swapfile
# https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file
# many of these come from https://wiki.archlinux.org/title/Framework_Laptop_13#Suspend
kernelParams = [
"amdgpu.sg_display=0"
# "amdgpu.sg_display=0"
"acpi_osi=\"!Windows 2020\""
"resume_offset=39331072"
# "nvme.noacpi=1" # maybe causing crashes upon waking?
# "rtc_cmos.use_acpi_alarm=1" # maybe causing excessive battery drain while sleeping -- perhaps due to waking?
];

2
nixos/thinker/default.nix
View file

@ -25,7 +25,7 @@
extraConfig = ''
HandlePowerKey=suspend-then-hibernate
IdleAction=suspend-then-hibernate
IdleActionSec=1m
IdleActionSec=10m
'';
};
systemd.sleep.extraConfig = "HibernateDelaySec=30m";

103
readme.md
View file

@ -13,14 +13,22 @@ here is useful inspiration.
$ nixos-rebuild switch --flake git+https://git.lyte.dev/lytedev/nix#${FLAKE_ATTR}
```
You don't have even have to clone this crap yourself. How cool is that!
You don't have even have to clone this crap yourself. How cool is that! But if you do, it looks like this:
But if you're gonna change stuff you had better setup the pre-commit hook:
```shell_session
$ nixos-rebuild switch --flake ./repo/dir/for/nix#${FLAKE_ATTR}
```
## Setup
If you're gonna change stuff you had better setup the pre-commit hook:
```shell_session
$ ln -s $PWD/pre-commit.bash .git/hooks/pre-commit
```
## Secrets
If you're deploying anything secrets-related, you will need the proper keys:
```shell_session
@ -31,99 +39,23 @@ $ pass age-key >> ${XDG_CONFIG_HOME:-~/.config}/sops/age/keys.txt
## NixOS
```shell_session
$ nixos-rebuild switch --flake .
$ nixos-rebuild switch --flake
```
## Not NixOS
**NOTE**: I pretty much solely use Home Manager as a NixOS module presently, so this is not fully supported.
```shell_session
$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
$ nix profile install github:nix-community/home-manager
$ home-manager switch --flake git+https://git.lyte.dev/lytedev/nix
$ FLAKE_ATTR=base-x86_64-linux
$ home-manager switch --flake git+https://git.lyte.dev/lytedev/nix#$FLAKE_ATTR
```
# Advanced Usage
# Internal/Advanced Usage
## Push NixOS Config
```bash
host=your_host
nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
--target-host "root@$host" --build-host "root@$host" \
switch --show-trace
```
### Safer Method
```bash
# initialize a delayed reboot by a process you can kill later if things look good
# note that the amount of time you give it probably needs to be enough time to both complete the upgrade
# _and_ perform whatever testing you need
host=your_host
ssh -t "root@$host" "bash -c '
set -m
(sleep 300; reboot;) &
jobs -p
bg
disown
'"
# build the system and start running it, but do NOT set the machine up to boot to that system yet
# we will test things and make sure it works first
# if it fails, the reboot we started previously will automatically kick in once the timeout is reached
# and the machine will boot to the now-previous iteration
nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
--target-host "root@$host" --build-host "root@$host" \
test --show-trace
# however you like, verify the system is running as expected
# if it is, run the same command with "switch" instead of "test"
# otherwise, we will wait until the machine reboots back into the
# this is crude, but should be pretty foolproof
# the main gotcha is that the system is already unbootable or non-workable, but
# if you always use this method, that should be an impossible state to get into
# if we still have ssh access and the machine fails testing, just rollback
# instead of waiting for the reboot
ssh "root@$host" nixos-rebuild --rollback switch
```
## Provisioning New NixOS Hosts
```bash
# establish network access
# plug in ethernet or do the wpa_cli song and dance for wifi
wpa_cli scan
wpa_cli scan_results
wpa_cli add_network 0
wpa_cli set_network 0 ssid "MY_SSID"
wpa_cli set_network 0 psk "MY_WIFI_PASSWORD"
wpa_cli enable_network 0
wpa_cli save_config
# disk encryption key (if needed)
echo -n "password" > /tmp/secret.key
# partition disks
nix-shell --packages git --run "sudo nix run \
--extra-experimental-features nix-command \
--extra-experimental-features flakes \
github:nix-community/disko -- \
--flake 'git+https://git.lyte.dev/lytedev/nix#${PARTITION_SCHEME}' \
--mode disko \
--arg disks '[ \"/dev/${DISK}\" ]'"
# install
nix-shell --packages git \
--run "sudo nixos-install \
--flake 'git+https://git.lyte.dev/lytedev/nix#${FLAKE_ATTR}' \
--option trusted-substituters 'https://cache.nixos.org https://nix.h.lyte.dev' \
--option trusted-public-keys 'cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0='"
```
# Internal Usage
Just for me, see [[lib/internal.md]]
See [lib/internal.md](./lib/internal.md).
# To Do
@ -135,7 +67,6 @@ Just for me, see [[lib/internal.md]]
- grafana and stuff for monitoring
- alerts?
- Fonts installed by home manager instead of nixos module
- Zellij config?
- Broot config?
## Long Term