diff --git a/flake.nix b/flake.nix
index ff539cf..1232f46 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,6 +58,16 @@
 overlays = import ./overlays {inherit inputs outputs;};
 homeManagerModules = import ./modules/home-manager;
 nixosConfigurations = {
+ m3-ares = nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ inherit inputs outputs;
+ hostname = "m3-ares";
+ };
+ modules = [
+ ./hosts/m3-ares
+ agenix.nixosModules.default
+ ];
+ };
 m3-kratos = nixpkgs.lib.nixosSystem {
 specialArgs = {
 inherit inputs outputs;
@@ -79,13 +89,13 @@
 };
 };
 homeConfigurations = {
- "m3tam3re@m3-kratos" = home-manager.lib.homeManagerConfiguration {
+ "m3tam3re@m3-ares" = home-manager.lib.homeManagerConfiguration {
 pkgs = nixpkgs.legacyPackages."x86_64-linux";
 extraSpecialArgs = {
 inherit inputs outputs;
- hostname = "m3-kratos";
+ hostname = "m3-ares";
 };
- modules = [./home/m3tam3re/m3tam3re-kratos.nix];
+ modules = [./home/m3tam3re/m3tam3re-ares.nix];
 };
 };
 };
diff --git a/home/m3tam3re/m3-ares.nix b/home/m3tam3re/m3-ares.nix
new file mode 100644
index 0000000..954b285
--- /dev/null
+++ b/home/m3tam3re/m3-ares.nix
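Review bot: The new homeConfiguration points at `./home/m3tam3re/m3tam3re-ares.nix`, but the file this commit adds is `home/m3tam3re/m3-ares.nix`, so `home-manager switch --flake .#m3tam3re@m3-ares` will fail at evaluation unless a `m3tam3re-ares.nix` exists outside this diff. The header comment in `hosts/m3-ares/default.nix` derives the home module from the hostname (`${config.networking.hostName}.nix`), which matches the added file, so the flake is the odd one out: `modules = [./home/m3tam3re/m3-ares.nix];`. Note also that this hunk replaces the `m3tam3re@m3-kratos` entry rather than adding a sibling, while the first hunk keeps the `m3-kratos` nixosConfiguration; if that host is still in use, its home configuration is now gone.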
@@ -0,0 +1,97 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.features.desktop.hyprland;
+in {
+ imports = [
+ ../common
+ ./dotfiles
+ ./home.nix
+ ../features/cli
+ ../features/coding
+ ../features/desktop
+ #./services/librechat.nix
+ ];
+
+ options.features.desktop.hyprland.enable =
+ mkEnableOption "enable Hyprland";
+
+ config = mkMerge [
+ # Base configuration
+ {
+ xdg = {
+ # TODO: better structure
+ enable = true;
+ configFile."mimeapps.list".force = true;
+ mimeApps = {
+ enable = true;
+ associations.added = {
+ "application/zip" = ["org.gnome.FileRoller.desktop"];
+ "application/csv" = ["calc.desktop"];
+ "application/pdf" = ["okularApplication_pdf.desktop"];
+ "x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
+ "x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
+ };
+ defaultApplications = {
+ "application/zip" = ["org.gnome.FileRoller.desktop"];
+ "application/csv" = ["calc.desktop"];
+ "application/pdf" = ["okularApplication_pdf.desktop"];
+ "application/md" = ["nvim.desktop"];
+ "application/text" = ["nvim.desktop"];
+ "x-scheme-handler/http" = ["io.github.zen_browser.zen.desktop"];
+ "x-scheme-handler/https" = ["io.github.zen_browser.zen.desktop"];
+ };
+ };
+ };
+ features = {
+ cli = {
+ fish.enable = true;
+ fzf.enable = true;
+ neofetch.enable = true;
+ secrets.enable = true;
+ starship.enable = true;
+ };
+ desktop = {
+ gaming.enable = true;
+ hyprland.enable = true;
+ media.enable = true;
+ office.enable = true;
+ rofi.enable = true;
+ fonts.enable = true;
+ wayland.enable = true;
+ };
+ };
+ }
+
+ (mkIf cfg.enable {
+ wayland.windowManager.hyprland = {
+ enable = true;
+ settings = {
+ monitor = [
+ "DP-1,2560x1440@144,0x0,1"
+ "DP-2,2560x1440@144,2560x0,1"
+ ];
+ workspace = [
+ "1, monitor:DP-1, default:true"
+ "2, monitor:DP-1"
+ "3, monitor:DP-1"
+ "4, monitor:DP-2"
+ "5, monitor:DP-1"
+ "6, monitor:DP-2"
+ "7, monitor:DP-2"
+ ];
+
+ windowrulev2 = [
+ "workspace 1,class:dev.zed.Zed"
+ "workspace 2,class:(com.obsproject.Studio)"
+ "workspace 4,opacity 1.0, class:(chromium-browser)"
+ "workspace 4,opacity 1.0, class:(zen-alpha)"
+ ];
+ };
+ };
+ })
+ ];
+}
diff --git a/hosts/m3-ares/configuration.nix b/hosts/m3-ares/configuration.nix
new file mode 100644
index 0000000..cc2f290
--- /dev/null
+++ b/hosts/m3-ares/configuration.nix
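Review bot: The `mkIf cfg.enable` gate around the Hyprland settings is dead: the same file unconditionally sets `features.desktop.hyprland.enable = true` in the base attribute set, so the condition can never be false. More importantly, this module declares `options.features.desktop.hyprland.enable` locally while also importing `../features/desktop`, which presumably declares the sibling `features.desktop.*.enable` options (gaming, media, office, rofi, fonts, wayland are all set here without a local declaration); if that module also declares `hyprland.enable`, the module system rejects the duplicate declaration. Either drop the local `options` line together with the `mkMerge`/`mkIf` wrapper, or move the declaration to `../features/desktop` next to its siblings.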
@@ -0,0 +1,127 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ specialisation = {
+ "NVIDIA".configuration = {
+ boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
+ system.nixos.tags = ["NVIDIA"];
+ services.xserver.videoDrivers = ["nvidia"];
+ hardware.nvidia-container-toolkit.enable = true;
+ };
+ };
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.systemd-boot.memtest86.enable = true;
+
+ boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
+ boot.kernelModules = ["v4l2loopback"];
+
+ boot.extraModprobeConfig = ''
+ options kvm_intel nested=1
+ options kvm_intel emulate_invalid_guest_state=0
+ options kvm ignore_msrs=1
+ options v4l2loopback exclusive_caps=1 max_buffers=2
+ '';
+
+ networking.hostName = "m3-ares"; # Define your hostname.
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.networkmanager.enable =
+ true; # Easiest to use and most distros use this by default.
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkb.options in tty.
+ # };
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+
+ # Enable the GNOME Desktop Environment.
+ # services.xserver.displayManager.gdm.enable = true;
+ # services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ # services.xserver.xkb.layout = "us";
+ # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # hardware.pulseaudio.enable = true;
+ # OR
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.libinput.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [neovim git];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.fstrim.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/hosts/m3-ares/default.nix b/hosts/m3-ares/default.nix
new file mode 100644
index 0000000..53ff859
--- /dev/null
+++ b/hosts/m3-ares/default.nix
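Review bot: `services.openssh.enable = true;` ships with the NixOS defaults, which still allow password and keyboard-interactive authentication, on a host that also opens Steam and n8n ports to the network; harden it in the same block with `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` (the `PermitRootLogin` default is already `prohibit-password`). Separately, `boot.loader.systemd-boot.enable = true` leaves the boot-entry editor on, so anyone with console access can append `init=/bin/sh` from the boot menu; `boot.loader.systemd-boot.editor = false;` closes that. The `kvm ignore_msrs=1` and `emulate_invalid_guest_state=0` modprobe options are presumably there for a specific guest that needs them; a one-line comment naming it would help the next reader decide whether they can go.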
@@ -0,0 +1,57 @@
+# A staring point is the basic NIXOS configuration generated by the ISO installer.
+# On an existing NIXOS install you can use the following command in your flakes basedir:
+# sudo nixos-generate-config --dir ./hosts/m3tam3re
+#
+# Please make sure to change the first couple of lines in your configuration.nix:
+# { config, inputs, ouputs, lib, pkgs, ... }:
+#
+# {
+# imports = [ # Include the results of the hardware scan.
+# ./hardware-configuration.nix
+# inputs.home-manager.nixosModules.home-manager
+# ];
+# ...
+#
+# Moreover please update the packages option in your user configuration and add the home-manager options:
+# users.users = {
+# m3tam3re = {
+# isNormalUser = true;
+# initialPassword = "12345";
+# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+# packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
+# };
+# };
+#
+# home-manager = {
+# useUserPackages = true;
+# extraSpecialArgs = { inherit inputs outputs; };
+# users.m3tam3re =
+# import ../../home/m3tam3re/${config.networking.hostName}.nix;
+# };
+#
+# Please also change your hostname accordingly:
+#:w
+# networking.hostName = "nixos"; # Define your hostname.
+{
+ imports = [
+ ../common
+ ./configuration.nix
+ ./hardware.nix
+ ./programs.nix
+ ./secrets.nix
+ ./services
+ ];
+
+ extraServices = {
+ flatpak.enable = true;
+ ollama.enable = true;
+ podman.enable = true;
+ virtualisation.enable = true;
+ };
+ services.ollama = {
+ environmentVariables = {
+ HCC_AMDGPU_TARGET = "gfx1100";
+ };
+ rocmOverrideGfx = "11.0.0";
+ };
+}
diff --git a/hosts/m3-ares/hardware-configuration.nix b/hosts/m3-ares/hardware-configuration.nix
new file mode 100644
index 0000000..03b947f
--- /dev/null
+++ b/hosts/m3-ares/hardware-configuration.nix
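Review bot: The template comment at the top of the file shows `initialPassword = "12345";` next to `extraGroups = [ "wheel" ];` as the recommended user block; since this host already manages secrets with agenix (`./secrets.nix`), the example should point at `hashedPasswordFile = config.age.secrets.<name>.path;` rather than teach a well-known default password for a sudo-capable user. The stray `#:w` line before the hostname example is a leaked vim command and should go, and `ouputs` in the `{ config, inputs, ouputs, lib, pkgs, ... }:` example is a typo for `outputs` that would break anyone copying it verbatim. The `services.ollama` overrides (`HCC_AMDGPU_TARGET = "gfx1100"`, `rocmOverrideGfx = "11.0.0"`) target an AMD RDNA3 GPU, yet `hardware.nix` in this same commit configures an Intel iGPU plus NVIDIA dGPU for this machine, so they look carried over from another host and are at best inert here.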
@@ -0,0 +1,66 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + modulesPath, + ... +}: { + imports = [(modulesPath + "/installer/scan/not-detected.nix")]; + + boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd" "noatime"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4811-EA6E"; + fsType = "vfat"; + }; + + fileSystems."/opt" = { + device = "/dev/disk/by-uuid/3574df3a-2a90-4b54-9c21-128f1d01ff8f"; + fsType = "btrfs"; + options = ["noatime" "compress=zstd"]; + }; + + fileSystems."/mnt/skynet-bkg" = { + device = "100.94.135.99:/volume3/bkg"; + fsType = "nfs"; + options = ["noauto" "x-systemd.automount"]; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp46s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/m3-ares/hardware.nix b/hosts/m3-ares/hardware.nix
new file mode 100644
index 0000000..467d544
--- /dev/null
+++ b/hosts/m3-ares/hardware.nix
@@ -0,0 +1,30 @@
+{
+ hardware = {
+ nvidia = {
+ prime = {
+ offload.enable = false;
+
+ # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
+ intelBusId = "PCI:0:2:0";
+
+ # Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
+ nvidiaBusId = "PCI:1:0:0";
+ };
+ modesetting.enable = true;
+ powerManagement.finegrained = false;
+ powerManagement.enable = true;
+ open = false;
+ dynamicBoost.enable = true;
+ nvidiaSettings = true;
+ };
+ bluetooth.enable = true;
+ tuxedo-rs.enable = true;
+ tuxedo-rs.tailor-gui.enable = true;
+ tuxedo-drivers.enable = true;
+ keyboard.zsa.enable = true;
+ graphics.enable = true;
+ };
+ services.hardware.bolt.enable = true;
+ services.auto-cpufreq.enable = true;
+ services.tlp.enable = true;
+}
diff --git a/hosts/m3-ares/programs.nix b/hosts/m3-ares/programs.nix
new file mode 100644
index 0000000..a8be09c
--- /dev/null
+++ b/hosts/m3-ares/programs.nix
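Review bot: The `/nix` mount in this file uses `options = ["subvol=home" ...]`, the same subvolume as `/home`, which cannot be intended: either the store lives inside the home subvolume or, far more likely, this is a copy-paste slip for `"subvol=nix"`. Please verify against `findmnt /nix` on the running system before switching, because a wrong subvolume here leaves the new generation unable to find its store at boot. The header says the file must not be hand-edited, yet the `/nix` and NFS automount entries look hand-added; if so, consider moving the `100.94.135.99:/volume3/bkg` mount into a non-generated module so it survives the next `nixos-generate-config` run.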
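Review bot: `services.auto-cpufreq.enable = true;` and `services.tlp.enable = true;` are both set, and upstream auto-cpufreq documents TLP as a conflicting power manager that should be removed before use, so the two will fight over governor and boost settings (with `powerManagement.cpuFreqGovernor = "powersave"` from the hardware scan as a third voice). Pick one; if TLP stays, drop the auto-cpufreq line. The `hardware.nvidia.prime` bus IDs are filled in, but with `offload.enable = false` and no `sync.enable` the PRIME block is not actually engaged as written; a comment stating whether that is deliberate (e.g. the dGPU is only meant for the `NVIDIA` specialisation) would save the next reader from guessing.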
@@ -0,0 +1,33 @@
+{pkgs, ...}: {
+ programs.nix-ld.enable = true;
+ programs.nix-ld.libraries = with pkgs; [
+ # Add any missing dynamic libraries for unpackaged programs
+ # here, NOT in environment.systemPackages
+ ];
+ programs.hyprland = {
+ enable = true;
+ xwayland.enable = true;
+ };
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true;
+ dedicatedServer.openFirewall = true;
+ };
+ programs.fish.enable = true;
+ programs.thunar = {
+ enable = true;
+ plugins = with pkgs.xfce; [thunar-archive-plugin thunar-volman];
+ };
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = pkgs.pinentry-gnome3;
+ settings = {default-cache-ttl = 10800;};
+ };
+ programs.nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 4d --keep 3";
+ flake = "/home/m3tam3re/p/nixos/nixos-config";
+ };
+}
diff --git a/hosts/m3-ares/secrets.nix b/hosts/m3-ares/secrets.nix
new file mode 100644
index 0000000..5f50d47
--- /dev/null
+++ b/hosts/m3-ares/secrets.nix
@@ -0,0 +1,31 @@
+{
+ age = {
+ secrets = {
+ wg-DE = {
+ file = ../../secrets/wg-DE.age;
+ path = "/etc/wireguard/DE.conf";
+ };
+ wg-NL = {
+ file = ../../secrets/wg-NL.age;
+ path = "/etc/wireguard/NL.conf";
+ };
+ wg-NO = {
+ file = ../../secrets/wg-NO.age;
+ path = "/etc/wireguard/NO.conf";
+ };
+ wg-US = {
+ file = ../../secrets/wg-US.age;
+ path = "/etc/wireguard/US.conf";
+ };
+ wg-BR = {
+ file = ../../secrets/wg-BR.age;
+ path = "/etc/wireguard/BR.conf";
+ };
+ tailscale-key.file = ../../secrets/tailscale-key.age;
+ m3tam3re-secrets = {
+ file = ../../secrets/m3tam3re-secrets.age;
+ owner = "m3tam3re";
+ };
+ };
+ };
+}
diff --git a/hosts/m3-ares/services/containers/default.nix b/hosts/m3-ares/services/containers/default.nix
new file mode 100644
index 0000000..f7e9be4
--- /dev/null
+++ b/hosts/m3-ares/services/containers/default.nix
@@ -0,0 +1,4 @@
+{
+ imports = [
+ ];
+}
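Review bot: `remotePlay.openFirewall = true;` and `dedicatedServer.openFirewall = true;` punch the Steam Remote Play and dedicated-server port ranges through the firewall on every interface of what `hardware.nix` shows to be a laptop (tuxedo drivers, TLP), so the host advertises those ports on any café or hotel network it joins. Unless this machine really hosts game servers, keep `enable = true` and drop both `openFirewall` lines, or scope them to a trusted interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts` / `allowedUDPPorts`. The `programs.nix-ld.libraries` list is empty with only the boilerplate comment; a short note naming the unpackaged binaries nix-ld is enabled for would document why the loader shim is on at all.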
diff --git a/hosts/m3-ares/services/default.nix b/hosts/m3-ares/services/default.nix
new file mode 100644
index 0000000..16efb6a
--- /dev/null
+++ b/hosts/m3-ares/services/default.nix
@@ -0,0 +1,34 @@
+{
+ imports = [
+ ./containers
+ ./n8n.nix
+ ./postgres.nix
+ ./restic.nix
+ ./sound.nix
+ ./udev.nix
+ #./wireguard.nix
+ ];
+ services = {
+ hypridle.enable = true;
+ printing.enable = true;
+ gvfs.enable = true;
+ trezord.enable = true;
+ gnome.gnome-keyring.enable = true;
+ qdrant.enable = true;
+ avahi = {
+ enable = true;
+ nssmdns4 = true;
+ publish = {
+ addresses = true;
+ workstation = true;
+ userServices = true;
+ };
+ };
+ };
+ systemd.sleep.extraConfig = ''
+ AllowSuspend=no
+ AllowHibernation=no
+ AllowHybridSleep=no
+ AllowSuspendThenHibernate=no
+ '';
+}
diff --git a/hosts/m3-ares/services/n8n.nix b/hosts/m3-ares/services/n8n.nix
new file mode 100644
index 0000000..3751aaa
--- /dev/null
+++ b/hosts/m3-ares/services/n8n.nix
@@ -0,0 +1,11 @@
+{
+ services.n8n = {
+ enable = true;
+ openFirewall = true;
+ };
+ systemd.services.n8n = {
+ environment = {
+ N8N_SECURE_COOKIE = "false";
+ };
+ };
+}
diff --git a/hosts/m3-ares/services/postgres.nix b/hosts/m3-ares/services/postgres.nix
new file mode 100644
index 0000000..6c4ad63
--- /dev/null
+++ b/hosts/m3-ares/services/postgres.nix
@@ -0,0 +1,22 @@
+{pkgs, ...}: {
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ extraPlugins = with pkgs.postgresql17Packages; [
+ pgvector
+ ];
+ authentication = ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+
+ host all all 10.88.0.0/16 trust
+ host all all 19.89.0.0/16 trust
+ '';
+ initialScript = pkgs.writeText "initialScript.sql" ''
+ CREATE USER n8n WITH PASSWORD 'n8n';
+ CREATE DATABASE n8n;
+ GRANT ALL PRIVILEGES ON DATABASE n8n TO n8n;
+ '';
+ };
+}
diff --git a/hosts/m3-ares/services/restic.nix b/hosts/m3-ares/services/restic.nix
new file mode 100644
index 0000000..3111a3a
--- /dev/null
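Review bot: `./tailscale.nix` is missing from the `imports` list even though this commit adds it, so the Tailscale service and its autoconnect unit are never built into the host; yet `hardware-configuration.nix` automounts an NFS export at `100.94.135.99` (a CGNAT/Tailscale-range address) and `restic.nix` backs up to it, so unless `../common` enables Tailscale on its own, the automount will hang and the backup timer will fail. Add `./tailscale.nix` next to the commented-out `#./wireguard.nix`. Also, `avahi.publish` with `addresses`, `workstation` and `userServices` all true announces this laptop and its user services to every LAN it joins, which is more exposure than a mobile workstation usually wants; consider leaving `publish` off and keeping only `nssmdns4` for resolving `.local` names.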
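Review bot: `openFirewall = true;` exposes n8n (plain HTTP on its default port 5678) on every interface, and `N8N_SECURE_COOKIE = "false"` then tells it to issue its session cookie without the `Secure` flag, so an n8n login on this host can be captured and replayed by anyone on the same LAN or Wi-Fi. If n8n only needs to be reachable from this machine, remove the `openFirewall` line and keep the override (it is what permits the `http://localhost` login); if other hosts must reach it, put it behind TLS or limit the port to the tailnet with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [5678];` and drop the `N8N_SECURE_COOKIE` override. The credentials n8n stores for its workflows are only as protected as this endpoint.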
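Review bot: The `authentication` block grants `trust` (no password, for any role including the `postgres` superuser) to every local-socket and loopback client and to two /16 networks, and `19.89.0.0/16` is public IPv4 space rather than the second podman subnet — almost certainly a typo for `10.89.0.0/16`. Any container on the podman bridge, and any local user or compromised process, can therefore open a superuser session; switch the network lines to password auth, e.g. `host all all 10.88.0.0/16 scram-sha-256` and `host all all 10.89.0.0/16 scram-sha-256`, and use `peer` instead of `trust` on the `local` line. Whether the network lines matter at all depends on `services.postgresql.enableTCPIP`, which defaults to false (loopback only) and is not set here. The `initialScript` also bakes `PASSWORD 'n8n'` into a world-readable `/nix/store` path; since the host already uses agenix, set the password from a secret in `postStart` rather than as a literal.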
+++ b/hosts/m3-ares/services/restic.nix
@@ -0,0 +1,25 @@
+{
+ services.restic.backups = {
+ skynet = {
+ repository = "/mnt/skynet-bkg/m3-nix";
+ passwordFile = "/etc/nixos/restic-pass";
+ initialize = true;
+ paths = ["/home/m3tam3re"];
+ exclude = [
+ "/home/m3tam3re/.cache"
+ "/home/m3tam3re/Bilder/"
+ "/home/m3tam3re/Videos/"
+ "/home/m3tam3re/Downloads"
+ "/home/m3tam3re/Library"
+ "/home/m3tam3re/Projekte"
+ "/home/m3tam3re/Sync"
+ "/home/m3tam3re/.local/share/Trash"
+ ];
+ timerConfig = {
+ OnCalendar = "09:30";
+ RandomizedDelaySec = "2h";
+ Persistent = true;
+ };
+ };
+ };
+}
diff --git a/hosts/m3-ares/services/sound.nix b/hosts/m3-ares/services/sound.nix
new file mode 100644
index 0000000..44e0d96
--- /dev/null
+++ b/hosts/m3-ares/services/sound.nix
@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ speechd
+ ];
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = false;
+ wireplumber.enable = true;
+ };
+}
diff --git a/hosts/m3-ares/services/tailscale.nix b/hosts/m3-ares/services/tailscale.nix
new file mode 100644
index 0000000..7910806
--- /dev/null
+++ b/hosts/m3-ares/services/tailscale.nix
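Review bot: `passwordFile = "/etc/nixos/restic-pass";` points at a file nothing in this configuration creates or manages, so it must be provisioned by hand after every reinstall and its permissions are whatever someone last set; the host already decrypts secrets with agenix (see `secrets.nix`), so add a `restic-pass` secret there and use `passwordFile = config.age.secrets.restic-pass.path;` here. The repository sits on the `noauto`/automount NFS path from `hardware-configuration.nix`, whose server is at a Tailscale-range address, so the 09:30 run will fail whenever that tunnel is down — acceptable, but a comment saying so would stop someone from "fixing" the exclusions when they see a red timer. Also note that `exclude` lists `Projekte` and `Sync`, which presumably hold the data that matters most; if those are backed up elsewhere, say where.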
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ # set this service as a oneshot job
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+ };
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
+ '';
+ };
+}
diff --git a/hosts/m3-ares/services/udev.nix b/hosts/m3-ares/services/udev.nix
new file mode 100644
index 0000000..19ceb22
--- /dev/null
+++ b/hosts/m3-ares/services/udev.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usb", MODE="0666
+ '';
+ environment.systemPackages = with pkgs; [
+ zsa-udev-rules
+ ];
+}
diff --git a/hosts/m3-ares/services/wireguard.nix b/hosts/m3-ares/services/wireguard.nix
new file mode 100644
index 0000000..b52b822
--- /dev/null
+++ b/hosts/m3-ares/services/wireguard.nix
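Review bot: `if [ $status = "Running" ]` leaves `$status` unquoted, so when `tailscale status -json` fails (tailscaled not ready despite the fixed `sleep 2`) the test degenerates to `[ = Running ]` and the unit dies with a shell error instead of falling through to `tailscale up`; quote it: `if [ "$status" = "Running" ]; then`. The auth key is also passed as a bare argument (`--authkey $TAILSCALE_KEY`), so it is readable by every local process via `/proc/*/cmdline` for the duration of the call. The NixOS module already provides this whole unit: `services.tailscale.authKeyFile = config.age.secrets.tailscale-key.path;` plus `extraUpFlags = ["--exit-node=100.88.96.77"];` replaces the hand-rolled `tailscale-autoconnect` service and removes the need to put the key in an environment variable at all. As submitted, this file is not imported by `services/default.nix`, so none of it is active yet.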
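Review bot: The rule `SUBSYSTEM=="usb", MODE="0666` is missing its closing quote, so udev should reject the line at parse time and skip it — which is fortunate, because as intended it makes every USB device node world read/write, letting any local user or sandboxed process talk raw USB to the Trezor (`trezord` is enabled in `services/default.nix`), webcams, and anything else plugged in. Scope it to the device that needs it, e.g. `SUBSYSTEM=="usb", ATTRS{idVendor}=="3297", TAG+="uaccess"` for the ZSA board (`uaccess` grants only the active seat user, and 3297 is the vendor ID the zsa-udev-rules package matches on), or simply delete it, since `hardware.keyboard.zsa.enable = true` in `hardware.nix` already installs those rules. Relatedly, listing `zsa-udev-rules` in `environment.systemPackages` does nothing for udev — rules packages only take effect through `services.udev.packages`.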
@@ -0,0 +1,25 @@
+{config, ...}: {
+ networking.wg-quick.interfaces = {
+ DE = {
+ configFile = config.age.secrets.wg-DE.path;
+ autostart = false;
+ };
+ NL = {
+ configFile = config.age.secrets.wg-NL.path;
+ autostart = false;
+ };
+ NO = {
+ configFile = config.age.secrets.wg-NO.path;
+ autostart = true;
+ };
+ US = {
+ configFile = config.age.secrets.wg-US.path;
+ autostart = false;
+ };
+ BR = {
+ configFile = config.age.secrets.wg-BR.path;
+ autostart = false;
+ };
+ };
+ services.resolved.enable = true;
+}
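Review bot: This module is inert in the commit as submitted — `services/default.nix` lists it only as `#./wireguard.nix` — so none of the five interfaces exist on the host, while `secrets.nix` still decrypts all five configs into `/etc/wireguard/` on every activation. If it is meant to stay dormant, say so in a comment or leave it out of the diff; if it is meant to go live, be aware that `NO` with `autostart = true` brings the tunnel up at boot for every session on the machine, and a short note on what traffic it is expected to capture (and whether the Tailscale exit node configured in `tailscale.nix` is supposed to coexist with it) would help. Since `autostart` defaults to true, the explicit `autostart = true;` on `NO` is redundant; only the four `false` entries carry meaning.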