feat: add distributed-builds & many hosts

feat: remove nur & devenv
feat: adjust the structure to make it suitable for servers
feat: add iso/proxmox generators and add docs about it
feat: update ryan's openssh keys & add hashedPassword
feat: add proxmox's nodes into ssh_config, with alias
Ryan Yin
2023-06-17 03:07:59 +08:00
parent a5f0922ba7
commit 45a7973553
48 changed files with 736 additions and 685 deletions


@@ -31,6 +31,27 @@ darwin-debug: darwin-set-proxy
--extra-experimental-features 'nix-command flakes'
./result/sw/bin/darwin-rebuild switch --flake . --show-trace --verbose
idols:
nixos-rebuild --flake .#aquamarine --target-host aquamarine --build-host aquamarine switch --use-remote-sudo
nixos-rebuild --flake .#ruby --target-host ruby --build-host ruby switch --use-remote-sudo
nixos-rebuild --flake .#kana --target-host kana --build-host kana switch --use-remote-sudo
idols-debug:
nixos-rebuild --flake .#aquamarine --target-host aquamarine --build-host aquamarine switch --use-remote-sudo --show-trace --verbose
nixos-rebuild --flake .#ruby --target-host ruby --build-host ruby switch --use-remote-sudo --show-trace --verbose
nixos-rebuild --flake .#kana --target-host kana --build-host kana switch --use-remote-sudo --show-trace --verbose
idols-image:
# take image for idols, and upload the image to proxmox nodes.
nom build .#aquamarine
scp result/vzdump-qemu-*.vma.zst root@gtr5:/var/lib/vz/dump
nom build .#ruby
scp result/vzdump-qemu-*.vma.zst root@s500plus:/var/lib/vz/dump
nom build .#kana
scp result/vzdump-qemu-*.vma.zst root@um560:/var/lib/vz/dump
fmt:
# format the nix files in this repo
nix fmt
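Review bot: The `idols` and `idols-debug` targets spell out the same `nixos-rebuild` invocation six times with only the host name and the trailing flags changing, so a flag added for one host is easily forgotten on the others. A pattern rule driven by a host list keeps a single copy of the command and lets the debug variant reuse it; the rewrite below replaces both targets and leaves `idols-image` and `fmt` untouched. The rendered page has dropped the recipe tabs, so the recipe lines must keep their leading tab in the real Makefile.
```makefile
IDOLS := aquamarine ruby kana

idols: $(addprefix deploy-,$(IDOLS))

idols-debug:
	$(MAKE) idols NIXOS_REBUILD_FLAGS="--show-trace --verbose"

deploy-%:
	nixos-rebuild --flake .#$* --target-host $* --build-host $* switch --use-remote-sudo $(NIXOS_REBUILD_FLAGS)

# … unchanged: idols-image, fmt …
```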


@@ -24,9 +24,16 @@ Nix allows for easy-to-manage, collaborative, reproducible deployments. This mea
## Hosts
- `msi-rtx3090`: my main PC, with RTX 3090 GPU, with NixOS
- `harmonica`: my MacBook Pro 2020 13-inch, with macOS, for work
- `nixos-test`: my test machine, with NixOS
```shell
tree hosts
hosts
├── harmonica # my MacBook Pro 2020 13-inch, with macOS, for work.
└── idols
├── ai # my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
├── aquamarine # my NixOS virtual machine with R9-5900HX(8C16T), mainly for distributed building & testing.
├── kana # yet another NixOS vm on another physical machine with R5-5625U(6C12T).
└── ruby # another NixOS vm on another physical machine with R7-5825U(8C16T).
```
## How to Deploy this Flake?
@@ -37,17 +44,10 @@ After installing NixOS with `nix-command` & `flake` enabled, follow the steps be
For NixOS, use the following commands:
```bash
# deploy my test configuration
sudo nixos-rebuild switch --flake .#nixos-test
# deploy one of the configuration based on the hostname
sudo nixos-rebuild switch --flake .
# deploy my PC's configuration
sudo nixos-rebuild switch --flake .#msi-rtx4090
# or just deploy with hostname
sudo nixos-rebuild switch
# we can also deploy using make, which is defined in Makefile
# we can also deploy using `make`, which is defined in Makefile
make deploy
```
@@ -93,6 +93,34 @@ $ fhs
for other methods, check out [Different methods to run a non-nixos executable on Nixos](https://unix.stackexchange.com/questions/522822/different-methods-to-run-a-non-nixos-executable-on-nixos).
## How to create & managage VM from this flake?
use `aquamarine` as an example, we can create a virtual machine with the following command:
```shell
# 1. generate a proxmox vma image file
nom build .#aquamarine # `nom`(nix-output-monitor) can be replaced by the standard command `nix`
# 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump`
# please replace the vma file name with the one you generated in step 1.
scp result/vzdump-qemu-aquamarine-nixos-23.11.20230603.dd49825.vma.zst root@192.168.5.174:/var/lib/vz/dump
# 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now.
```
Once the virtual machine `aquamarine` is created, we can deploy updates to it with the following commands:
```shell
# 1. add the ssh key to ssh-agent
ssh-add ~/.ssh/ai-idols
# 2. deploy the configuration to the remote host, using the ssh key we added in step 1
# and the username defaults to `$USER`, it's `ryan` in my case.
nixos-rebuild --flake .#aquamarine --target-host aquamarine --build-host aquamarine switch --use-remote-sudo --verbose
```
The commands above will build & deploy the configuration to `aquamarine`, the build process will be executed on `aquamarine` too, and the `--use-remote-sudo` option indicates that we will use `sudo` on the remote host, because `nixos-rebuild switch` needs root permission to deploy the configuration.
## Other Interesting Dotfiles
Other dotfiles && docs that inspired me:

flake.lock generated

@@ -63,45 +63,7 @@
"type": "github"
}
},
"devenv": {
"inputs": {
"flake-compat": "flake-compat",
"nix": "nix",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1678113758,
"narHash": "sha256-mD3SkN43b1s5CJ8Rx3l2oK3Dqgs+6Ze0FfWrdMcrrYk=",
"owner": "cachix",
"repo": "devenv",
"rev": "6455f319fc90e0be2071327093c5458f9afc61bf",
"type": "github"
},
"original": {
"owner": "cachix",
"ref": "v0.6.2",
"repo": "devenv",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1680531544,
"narHash": "sha256-8qbiDTYb1kGaDADRXTItpcMKQ1TeQVkuof6oEwHUvVA=",
@@ -139,21 +101,6 @@
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
@@ -171,7 +118,7 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
@@ -189,28 +136,6 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"devenv",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -256,7 +181,7 @@
"hyprland": {
"inputs": {
"hyprland-protocols": "hyprland-protocols",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"wlroots": "wlroots",
"xdph": "xdph"
},
@@ -298,7 +223,7 @@
},
"lib-aggregate": {
"inputs": {
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_2",
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
@@ -315,26 +240,10 @@
"type": "github"
}
},
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"nil": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_4",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
@@ -352,34 +261,10 @@
"type": "github"
}
},
"nix": {
"inputs": {
"lowdown-src": "lowdown-src",
"nixpkgs": [
"devenv",
"nixpkgs"
],
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1676545802,
"narHash": "sha256-EK4rZ+Hd5hsvXnzSzk2ikhStJnD63odF7SzsQ8CuSPU=",
"owner": "domenkozar",
"repo": "nix",
"rev": "7c91803598ffbcfe4a55c44ac6d49b2cf07a527f",
"type": "github"
},
"original": {
"owner": "domenkozar",
"ref": "relaxed-flakes",
"repo": "nix",
"type": "github"
}
},
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs_6"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1685435187,
@@ -478,39 +363,7 @@
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1673800717,
"narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@@ -528,10 +381,10 @@
},
"nixpkgs-wayland": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat",
"lib-aggregate": "lib-aggregate",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": "nixpkgs_7"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1685650687,
@@ -548,22 +401,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1677534593,
"narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1683014792,
"narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=",
@@ -579,7 +416,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_3": {
"locked": {
"lastModified": 1682929865,
"narHash": "sha256-jxVrgnf5QNjO+XoxDxUWtN2G5xyJSGZ5SWDQFxMuHxc=",
@@ -595,7 +432,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_4": {
"locked": {
"lastModified": 1685836261,
"narHash": "sha256-rpxEPGeW4JZJcH58SQApJUtJ7w78VPtkF6Cut/Pq6Kg=",
@@ -611,7 +448,7 @@
"type": "github"
}
},
"nixpkgs_6": {
"nixpkgs_5": {
"locked": {
"lastModified": 1681347147,
"narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=",
@@ -627,7 +464,7 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_6": {
"locked": {
"lastModified": 1685383865,
"narHash": "sha256-3uQytfnotO6QJv3r04ajSXbEFMII0dUtw0uqYlZ4dbk=",
@@ -643,63 +480,18 @@
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1685880642,
"narHash": "sha256-jQNe2IAL7qPdwCk8HnwlfJN790YjIoRu4EfjfI6y0qk=",
"owner": "nix-community",
"repo": "NUR",
"rev": "65b4ce84312de2fec2e26315bad06278e3e4acd5",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": [
"devenv",
"flake-compat"
],
"flake-utils": "flake-utils",
"gitignore": "gitignore",
"nixpkgs": [
"devenv",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1677160285,
"narHash": "sha256-tBzpCjMP+P3Y3nKLYvdBkXBg3KvTMo3gvi8tLQaqXVY=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "2bd861ab81469428d9c823ef72c4bb08372dd2c4",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin_2",
"devenv": "devenv",
"home-manager": "home-manager_2",
"hyprland": "hyprland",
"nil": "nil",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_4",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-stable": "nixpkgs-stable_2",
"nixpkgs-wayland": "nixpkgs-wayland",
"nur": "nur"
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-wayland": "nixpkgs-wayland"
}
},
"rust-overlay": {

flake.nix

@@ -1,5 +1,12 @@
{
description = "NixOS configuration of Ryan Yin";
description = "NixOS & macOS configuration of Ryan Yin";
##################################################################################################################
#
# Want to know Nix in details? Looking for a beginner-friendly tutorial?
# Check out [NixOS & Nix Flakes - A Guide for Beginners](https://thiscute.world/en/posts/nixos-and-flake-basics/)!
#
##################################################################################################################
# the nixConfig here only affects the flake itself, not the system configuration!
nixConfig = {
@@ -16,19 +23,16 @@
extra-substituters = [
"https://nix-community.cachix.org"
"https://nixpkgs-wayland.cachix.org"
"https://xddxdd.cachix.org"
];
extra-trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
"xddxdd.cachix.org-1:ay1HJyNDYmlSwj5NXQG065C8LfoqqKaTNCyzeixGjf8="
];
};
# This is the standard format for flake.nix. `inputs` are the dependencies of the flake,
# and `outputs` function will return all the build results of the flake.
# Each item in `inputs` will be passed as a parameter to the `outputs` function after being pulled and built.
inputs = {
# There are many ways to reference flake inputs. The most widely used is github:owner/name/reference,
@@ -45,11 +49,6 @@
inputs.nixpkgs.follows = "nixpkgs-darwin";
};
# nix users repository
# used to install some packages not in nixpkgs
# e.g. wechat-uos/qqmusic/dingtalk
nur.url = "github:nix-community/NUR";
# home-manager, used for managing user configuration
home-manager = {
url = "github:nix-community/home-manager/release-23.05";
@@ -70,9 +69,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# use devenv to manage my development environment
devenv.url = "github:cachix/devenv/v0.6.2";
# secrets management, lock with git commit at 2023/5/15
agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3";
@@ -80,91 +76,104 @@
nil.url = "github:oxalica/nil/2023-05-09";
};
# `outputs` are all the build result of the flake.
# A flake can have many use cases and different types of outputs.
# The `outputs` function will return all the build results of the flake.
# A flake can have many use cases and different types of outputs,
# parameters in `outputs` are defined in `inputs` and can be referenced by their names.
# However, `self` is an exception, This special parameter points to the `outputs` itself (self-reference)
# However, `self` is an exception, this special parameter points to the `outputs` itself (self-reference)
# The `@` syntax here is used to alias the attribute set of the inputs's parameter, making it convenient to use inside the function.
outputs =
inputs@{ self
, nixpkgs
, darwin
, home-manager
, nixos-generators
, ...
}: {
nixosConfigurations = {
# By default, NixOS will try to refer the nixosConfiguration with its hostname.
# so the system named `msi-rtx4090` will use this configuration.
# However, the configuration name can also be specified using `sudo nixos-rebuild switch --flake /path/to/flakes/directory#<name>`.
# The `nixpkgs.lib.nixosSystem` function is used to build this configuration, the following attribute set is its parameter.
# Run `sudo nixos-rebuild switch --flake .#msi-rtx4090` in the flake's directory to deploy this configuration on any NixOS system
msi-rtx4090 = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
}:
let
x64_system = "x86_64-linux";
x64_specialArgs = {
pkgs-stable = import inputs.nixpkgs-stable {
system = x64_system; # refer the `system` parameter form outer scope recursively
# To use chrome, we need to allow the installation of non-free software
config.allowUnfree = true;
};
} // inputs;
ai_modules = [
./hosts/idols/ai
# The Nix module system can modularize configurations, improving the maintainability of configurations.
#
# Each parameter in the `modules` is a Nix Module, and there is a partial introduction to it in the nixpkgs manual:
# <https://nixos.org/manual/nixpkgs/unstable/#module-system-introduction>
# It is said to be partial because the documentation is not complete, only some simple introductions
# (such is the current state of Nix documentation...)
# A Nix Module can be an attribute set, or a function that returns an attribute set.
# If a Module is a function, according to the Nix Wiki description, this function can have up to four parameters:
#
# config: The configuration of the entire system
# options: All option declarations refined with all definition and declaration references.
# pkgs: The attribute set extracted from the Nix package collection and enhanced with the nixpkgs.config option.
# modulesPath: The location of the module directory of Nix.
#
# Only these four parameters can be passed by default.
# If you need to pass other parameters, you must use `specialArgs` by uncomment the following line
specialArgs = {
pkgs-stable = import inputs.nixpkgs-stable {
system = system; # refer the `system` parameter form outer scope recursively
# To use chrome, we need to allow the installation of non-free software
config.allowUnfree = true;
};
} // inputs;
modules = [
./hosts/msi-rtx4090
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# make home-manager as a module of nixos
# so that home-manager configuration will be deployed automatically when executing `nixos-rebuild switch`
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = x64_specialArgs;
home-manager.users.ryan = import ./home/linux/x11.nix;
}
];
aquamarine_modules = [
./hosts/idols/aquamarine
# pass all inputs into home manager's all sub modules
home-manager.extraSpecialArgs = specialArgs;
home-manager.users.ryan = import ./home/linux/x11.nix;
}
];
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = x64_specialArgs;
home-manager.users.ryan = import ./home/linux/server.nix;
}
];
ruby_modules = [
./hosts/idols/ruby
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = x64_specialArgs;
home-manager.users.ryan = import ./home/linux/server.nix;
}
];
kana_modules = [
./hosts/idols/kana
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = x64_specialArgs;
home-manager.users.ryan = import ./home/linux/server.nix;
}
];
in {
nixosConfigurations = let system = x64_system; specialArgs = x64_specialArgs; in {
# 星野 アイ, Hoshino Ai
ai = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = ai_modules;
};
nixos-test = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
pkgs-stable = import inputs.nixpkgs-stable {
system = system;
config.allowUnfree = true;
};
} // inputs;
modules = [
./hosts/nixos-test
# 星野 愛久愛海, Hoshino Aquamarine
aquamarine = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = aquamarine_modules;
};
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
# 星野 瑠美衣, Hoshino Rubii
ruby = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = ruby_modules;
};
home-manager.extraSpecialArgs = specialArgs;
home-manager.users.ryan = import ./home/linux/wayland.nix;
}
];
kana = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = kana_modules;
};
};
# configurations for MacOS
# macOS's configuration, for work.
darwinConfigurations."harmonica" = darwin.lib.darwinSystem {
system = "x86_64-darwin";
@@ -188,30 +197,52 @@
x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.nixpkgs-fmt;
};
# generate qcow2 & iso image from nixos configuration
# https://github.com/nix-community/nixos-generators
# packages.x86_64-linux = {
# qcow2 = nixos-generators.nixosGenerate {
# system = "x86_64-linux";
# modules = [
# # you can include your own nixos configuration here, i.e.
# # ./configuration.nix
# ];
# format = "qcow";
packages.x86_64-linux =
# take images for idols
# https://github.com/nix-community/nixos-generators
let system = x64_system; specialArgs = x64_specialArgs; in {
# Hoshino Ai is a physical machine, so we need to generate an iso image for it.
ai = nixos-generators.nixosGenerate {
inherit system specialArgs;
modules = ai_modules;
format = "iso";
};
# Hoshino Aquamarine is a virtual machine running on Proxmox VE.
aquamarine = nixos-generators.nixosGenerate {
inherit system specialArgs;
modules = aquamarine_modules ++ [
({config, ...}: {
proxmox.qemuConf.name = "aquamarine-nixos-${config.system.nixos.label}";
})
];
# # you can also define your own custom formats
# # customFormats = { "myFormat" = <myFormatModule>; ... };
# # format = "myFormat";
# };
# iso = nixos-generators.nixosGenerate {
# system = "x86_64-linux";
# modules = [
# # you can include your own nixos configuration here, i.e.
# # ./configuration.nix
# ];
# format = "iso";
# };
# };
# proxmox's configuration:
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/virtualisation/proxmox-image.nix
#
# after resize the disk, it will grow partition automatically.
# and it alse had qemu-guest-agent installed by default.
format = "proxmox";
};
# Hoshino Rubii is a vm too.
ruby = nixos-generators.nixosGenerate {
inherit system specialArgs;
modules = ruby_modules ++ [
({config, ...}: {
proxmox.qemuConf.name = "ruby-nixos-${config.system.nixos.label}";
})
];
format = "proxmox";
};
# Kana is a vm too.
kana = nixos-generators.nixosGenerate {
inherit system specialArgs;
modules = kana_modules ++ [
({config, ...}: {
proxmox.qemuConf.name = "kana-nixos-${config.system.nixos.label}";
})
];
format = "proxmox";
};
};
};
}
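Review bot: The three `proxmox.qemuConf.name` definitions repeat each VM's name by hand (`aquamarine-nixos-…`, `ruby-nixos-…`, `kana-nixos-…`) right next to module lists that already set `networking.hostName`; `proxmox.qemuConf.name = "${config.networking.hostName}-nixos-${config.system.nixos.label}";` makes the three inline modules identical, so the image name can no longer drift from the host it is built for. Because the generators reuse the full host module lists, the ISO and VMA files carry everything those modules put into the system closure — presumably including the `hashedPassword` the commit message mentions — so the copies the Makefile drops into `/var/lib/vz/dump` are credential-bearing artifacts and their storage should be treated accordingly. The comment on `system = x64_system;` ("refer the system parameter form outer scope recursively") is stale now that the value is a plain `let` binding rather than a `rec` attribute, and has a typo; `# same system string as nixosConfigurations` is enough.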


@@ -0,0 +1,10 @@
{ ... }:
{
imports = [
../server
./development.nix
./media.nix
];
}


@@ -1,6 +1,16 @@
{ config, pkgs, nil, ... }:
{ pkgs, nil, ... }:
{
#############################################################
#
# Basic settings for development environment
#
# Please avoid to install language specific packages here(globally),
# instead, install them independently using dev-templates:
# https://github.com/the-nix-way/dev-templates
#
#############################################################
home.packages = with pkgs; [
nil.packages."${pkgs.system}".default # nix language server
@@ -30,33 +40,11 @@
gnumake # used by this repo, to simplify the deployment
clang-tools
clang-analyzer
# lldb
# cmake
# autoconf
# automake
# bison
# cppcheck
# fakeroot
# flex
# gettext
# groff
# libtool
# m4
# patch
# pkgconf
# texinfo
# binutils
# Golang
delve
go
go-outline
go-tools
go2nix
gomodifytags
delve
gopls
gotests
impl
# Rust
rustup
@@ -67,6 +55,7 @@
pandas
requests
pyquery
pyyaml
]))
# db related
@@ -79,15 +68,6 @@
# embedded development
minicom
# other languages
# julia
zig
# elixir
# solidity
# java
# adoptopenjdk-openj9-bin-17
# other tools
k6 # load testing tool
mitmproxy # http/https proxy tool
@@ -118,9 +98,4 @@
enableNushellIntegration = true;
};
};
# GitHub CLI tool
programs.gh = {
enable = true;
};
}
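Review bot: The new banner's rule `# Please avoid to install language specific packages here(globally),` is the line the next reader has to follow, so it should read cleanly: `# Please avoid installing language-specific packages here (globally);` followed by `# instead, provide them per project with dev-templates:`. The `home.packages` list it introduces continues outside the hunk.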


@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ pkgs, ... }:
{
home.packages = with pkgs; [


@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
./nushell
@@ -6,9 +6,7 @@
./bash.nix
./core.nix
./development.nix
./git.nix
./media.nix
./starship.nix
];


@@ -1,8 +1,8 @@
{ pkgs, ... }:
{ ... }:
{
imports = [
../base
../base/desktop
./alacritty
./core.nix


@@ -1,20 +0,0 @@
{ config, pkgs, nil, ... }:
{
home.packages = with pkgs; [
nil.packages."${pkgs.system}".default # nix language server
# GUI IDE
insomnia # REST client
# need to run `conda-install` before using it
# need to run `conda-shell` before using command `conda`
# conda is not available for MacOS
conda
];
# GitHub CLI tool
programs.gh = {
enable = true;
};
}


@@ -28,6 +28,18 @@
# Specifies that ssh should only use the identity file explicitly configured above
# required to prevent sending default identity files first.
IdentitiesOnly yes
Host gtr5
HostName 192.168.5.172
Port 22
Host um560
HostName 192.168.5.173
Port 22
Host s500plus
HostName 192.168.5.174
Port 22
'';
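Review bot: The three new `Host` blocks for the Proxmox nodes carry only a `HostName` and a `Port 22` that is already the default, while the block just above them ends with `IdentitiesOnly yes` for the reason its comment gives; these nodes are logged into as `root` by the Makefile and the README, which is exactly where offering every agent key in turn is least desirable. Adding `IdentityFile ~/.ssh/<proxmox-node-key>` (placeholder — use the key actually authorised on the nodes) and `IdentitiesOnly yes` under each of the three blocks pins the root logins to one named key, and the `Port 22` lines can go. The enclosing ssh configuration string starts outside the hunk.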
# use ssh-agent so we only need to input passphrase once


@@ -1,4 +1,4 @@
{ pkgs, config, ... }:
{ pkgs, ... }:
{
@@ -6,15 +6,18 @@
home.packages = with pkgs; [
btop # replacement of htop/nmon
htop
iotop
nmon
## networking tools
wireguard-tools # manage wireguard vpn manually, via wg-quick
iotop
iftop
# misc
libnotify
wireguard-tools # manage wireguard vpn manually, via wg-quick
# need to run `conda-install` before using it
# need to run `conda-shell` before using command `conda`
# conda is not available for MacOS
conda
# system call monitoring
strace # system call monitoring
@@ -29,8 +32,6 @@
usbutils # lsusb
hdparm # for disk performance, command
dmidecode # a tool that reads information about your system's hardware from the BIOS according to the SMBIOS/DMI standard
cifs-utils # for mounting windows shares
];
# auto mount usb drives


@@ -1,4 +1,4 @@
{ pkgs, ... }:
{ ... }:
{
programs.alacritty = {


@@ -1,7 +1,4 @@
{ pkgs
, config
, ...
}:
{ pkgs, ... }:
{
home.packages = with pkgs; [
# creative


@@ -1,13 +1,16 @@
{ pkgs, ... }:
{
imports = [
./alacritty
./creative.nix
./media.nix
];
home.packages = with pkgs; [
# networking
wireshark
# GUI apps
insomnia # REST client
wireshark # network analyzer
# e-book viewer(.epub/.mobi/...)
# do not support .pdf
@@ -25,4 +28,9 @@
# misc
flameshot
];
# GitHub CLI tool
programs.gh = {
enable = true;
};
}


@@ -1,8 +1,5 @@
{ pkgs
, config
, lib
, ...
}: {
{ pkgs, ...}:
{
imports = [
./wayland-apps.nix
];
@@ -51,4 +48,3 @@
};
}
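Review bot: `{ pkgs, ...}:` is missing the space before `}` that every other module header in this commit has; the same header appears in the i3 file in the next section. The repository's `make fmt` target runs `nix fmt`, so `{ pkgs, ... }:` is what the formatter will produce anyway, and writing it that way now avoids a noise-only change in the next formatted commit.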


@@ -1,8 +1,5 @@
{ pkgs
, config
, lib
, ...
}: {
{ pkgs, ...}:
{
# i3 配置,基于 https://github.com/endeavouros-team/endeavouros-i3wm-setup
# 直接从当前文件夹中读取配置文件作为配置内容

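--- /dev/null
+++ b/home/linux/server.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+imports = [
+../base/server
+./base/shell.nix
+./base/system-tools.nix
+];
+# Home Manager needs a bit of information about you and the
+# paths it should manage.
+home = {
+username = "ryan";
+homeDirectory = "/home/ryan";
+# This value determines the Home Manager release that your
+# configuration is compatible with. This helps avoid breakage
+# when a new Home Manager release introduces backwards
+# incompatible changes.
+#
+# You can update Home Manager without changing this value. See
+# the Home Manager release notes for a list of state version
+# changes in each release.
+stateVersion = "22.11";
+};
+# Let Home Manager install and manage itself.
+programs.home-manager.enable = true;
+}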
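Review bot: `stateVersion = "22.11";` in a file this commit creates does not match the `23.05` that the new VM hosts set for `system.stateVersion` (see the kana host file) or the `release-23.05` home-manager input in flake.nix. A state version records the release a configuration was first deployed with, and this profile is first deployed by this commit, so the value was presumably copied from an older home file; `stateVersion = "23.05";` is the expected value for a fresh server profile, to be confirmed before any of the three VMs has been switched with the old value.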


@@ -1,16 +1,14 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
../base
../base/desktop
./hyprland
./fcitx5
./desktop
./base/alacritty
./base/development.nix
./base/shell.nix
./base/ssh.nix
./base/system-tools.nix


@@ -1,16 +1,14 @@
{ config, pkgs, ... }:
{ ... }:
{
imports = [
../base
../base/desktop
./i3
./fcitx5
./desktop
./base/alacritty
./base/development.nix
./base/shell.nix
./base/ssh.nix
./base/system-tools.nix


@@ -1,5 +1,5 @@
# My MacBook Pro - Computer for Business
{ pkgs, ... } @ args:
{ ... }:
{
imports = [


@@ -1,31 +1,22 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, home-manager, nur, ... } @ args:
{ config, ... } @ args:
{
imports = [
# This adds a nur configuration option.
# Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
nur.nixosModules.nur
./cifs-mount.nix
# Include the results of the hardware scan.
./hardware-configuration.nix
../../modules/nixos/fhs-fonts.nix
# ../../modules/nixos/hyprland.nix
../../modules/nixos/i3.nix
../../modules/nixos/gui-apps.nix
../../modules/nixos/core-desktop.nix
../../modules/nixos/user_group.nix
../../../modules/nixos/fhs-fonts.nix
# ../../../modules/nixos/hyprland.nix
../../../modules/nixos/i3.nix
../../../modules/nixos/core-desktop.nix
../../../modules/nixos/remote-building.nix
../../../modules/nixos/user-group.nix
../../secrets
../../../secrets
];
nixpkgs.overlays = import ../../overlays args;
nixpkgs.overlays = import ../../../overlays args;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];
@@ -52,7 +43,7 @@
};
networking = {
hostName = "msi-rtx4090"; # Define your hostname.
hostName = "ai";
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
@@ -65,7 +56,7 @@
interfaces.enp5s0 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.5.66";
address = "192.168.5.100";
prefixLength = 24;
}];
};
@@ -76,15 +67,16 @@
];
};
virtualisation.docker.storageDriver = "btrfs";
# for Nvidia GPU
services.xserver.videoDrivers = [ "nvidia" ]; # will install nvidia-vaapi-driver by default
hardware.nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.stable;
modesetting.enable = true;
powerManagement.enable = true;
};
virtualisation.docker.enableNvidia = true; # for nvidia-docker
hardware.opengl = {
enable = true;
@@ -94,12 +86,6 @@
driSupport32Bit = true;
};
virtualisation.docker = {
enable = true;
enableNvidia = true;
storageDriver = "btrfs";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
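Review bot: The other host files in this commit open with a banner naming the machine (`# Aquamarine - A NixOS VM running on Proxmox`), but `ai` keeps the generic `# Edit this configuration file ...` template text even though its hostname, static address and imports all change here; a matching header such as `# Ai - the physical desktop machine; flake.nix builds an ISO image from this host` would make the `hosts/idols` tree self-describing. The `address` change from `192.168.5.66` to `192.168.5.100` is not mentioned in the commit message; a short note on why the LAN was renumbered would help anyone who still has the old address in an ssh config or firewall rule.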


@@ -1,27 +1,20 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ ... } @args:
{ config, pkgs, home-manager, nur, ... } @args:
#############################################################
#
# Aquamarine - A NixOS VM running on Proxmox
#
#############################################################
{
imports = [
# This adds a nur configuration option.
# Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
nur.nixosModules.nur
../../../modules/nixos/proxmox-hardware-configuration.nix
# Include the results of the hardware scan.
./hardware-configuration.nix
../../modules/nixos/fhs-fonts.nix
../../modules/nixos/hyprland.nix
# ../../modules/nixos/i3.nix
../../modules/nixos/gui-apps.nix
../../modules/nixos/core-desktop.nix
../../modules/nixos/user_group.nix
../../../modules/nixos/core-server.nix
../../../modules/nixos/user-group.nix
];
nixpkgs.overlays = import ../../overlays args;
nixpkgs.overlays = import ../../../overlays args;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
@@ -39,19 +32,8 @@
"cifs" # mount windows share
];
# Bootloader.
boot.loader = {
grub = {
enable = true;
device = "/dev/sda"; # "nodev"
efiSupport = false;
useOSProber = true;
#efiInstallAsRemovable = true; # in case canTouchEfiVariables doesn't work for your system
};
};
networking = {
hostName = "nixos-test"; # Define your hostname.
hostName = "aquamarine"; # Define your hostname.
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
@@ -62,7 +44,7 @@
interfaces.ens18 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.5.48";
address = "192.168.5.101";
prefixLength = 24;
}];
};
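Review bot: The per-VM host files for aquamarine, kana and ruby restate the same `boot.binfmt.emulatedSystems`, `boot.supportedFilesystems` and `networking` skeleton (wireless off, proxy comments, NetworkManager, `interfaces.ens18`, gateway, nameservers), leaving only `hostName` and the `ipv4.addresses` entry genuinely per host; the kana file in a later section shows the full copy, and as far as this hunk shows aquamarine is the same. Moving the shared part into the new `proxmox-hardware-configuration.nix` or `core-server.nix` and keeping only the two host-specific values here would make the next VM a three-line file and stop the copies diverging. Whether ruby matches cannot be checked here, since its section is cut off at the end of the page.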


@@ -0,0 +1,66 @@
{ ... } @args:
#############################################################
#
# Kana - a NixOS VM running on Proxmox
#
#############################################################
{
imports = [
../../../modules/nixos/proxmox-hardware-configuration.nix
../../../modules/nixos/core-server.nix
../../../modules/nixos/user-group.nix
];
nixpkgs.overlays = import ../../../overlays args;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];
# supported fil systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
#"zfs"
"ntfs"
"fat"
"vfat"
"exfat"
"cifs" # mount windows share
];
networking = {
hostName = "kana"; # Define your hostname.
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# proxy.default = "http://user:password@proxy:port/";
# proxy.noProxy = "127.0.0.1,localhost,internal.domain";
networkmanager.enable = true;
interfaces.ens18 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.5.103";
prefixLength = 24;
}];
};
defaultGateway = "192.168.5.201";
nameservers = [
"119.29.29.29" # DNSPod
"223.5.5.5" # AliDNS
];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
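Review bot: `boot.supportedFilesystems` enables ntfs, exfat, fat, vfat, btrfs, xfs and cifs on a headless Proxmox VM whose only disk is the ext4 root from the shared template, and the comment `# supported fil systems, so we can mount any removable disks` is carried over from a desktop host where it made sense. Each extra in-kernel filesystem parser and the cifs client is attack surface and initrd bulk the builder never uses; trimming the list to `[ "ext4" ]`, or leaving the option unset, is the safer default for the idols (also "fil" → "file" in the comment if it stays). `networkmanager.enable = true;` next to a static `interfaces.ens18` declaration puts two agents on one interface and is presumably unneeded on a server VM; verify whether NetworkManager is really wanted here. The identical list and NetworkManager setting are repeated verbatim in the ruby file in the next section.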


@@ -0,0 +1,68 @@
{ ... } @args:
#############################################################
#
# Ruby - a NixOS VM running on Proxmox
#
#############################################################
{
imports = [
../../../modules/nixos/proxmox-hardware-configuration.nix
../../../modules/nixos/core-server.nix
../../../modules/nixos/user-group.nix
];
nixpkgs.overlays = import ../../../overlays args;
# Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
boot.binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];
# supported fil systems, so we can mount any removable disks with these filesystems
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
#"zfs"
"ntfs"
"fat"
"vfat"
"exfat"
"cifs" # mount windows share
];
networking = {
hostName = "ruby"; # Define your hostname.
wireless.enable = false; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# proxy.default = "http://user:password@proxy:port/";
# proxy.noProxy = "127.0.0.1,localhost,internal.domain";
networkmanager.enable = true;
interfaces.ens18 = {
useDHCP = false;
ipv4.addresses = [{
address = "192.168.5.102";
prefixLength = 24;
}];
};
defaultGateway = "192.168.5.201";
nameservers = [
"119.29.29.29" # DNSPod
"223.5.5.5" # AliDNS
];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}


@@ -1,34 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/b779eb19-e43d-4f07-a91f-eb08bd8e1202";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,6 +1,6 @@
# all the configuration options are documented here:
# https://daiderd.com/nix-darwin/manual/index.html#sec-options
{ pkgs, lib, ... }:
{ pkgs, ... }:
{
# # enable flakes globally
nix.settings.experimental-features = [ "nix-command" "flakes" ];


@@ -1,47 +1,30 @@
{ config, pkgs, devenv, ... }:
{ lib, pkgs, ... }:
{
# for nix server, we do not need to keep too much generations
boot.loader.systemd-boot.configurationLimit = 10;
# boot.loader.grub.configurationLimit = 10;
# do garbage collection weekly to keep disk usage low
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 1w";
};
# Manual optimise storage: nix-store --optimise
# https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
nix.settings.auto-optimise-store = true;
imports = [
./core-server.nix
];
# enable flakes globally
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Set your time zone.
time.timeZone = "Asia/Shanghai";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "zh_CN.UTF-8";
LC_IDENTIFICATION = "zh_CN.UTF-8";
LC_MEASUREMENT = "zh_CN.UTF-8";
LC_MONETARY = "zh_CN.UTF-8";
LC_NAME = "zh_CN.UTF-8";
LC_NUMERIC = "zh_CN.UTF-8";
LC_PAPER = "zh_CN.UTF-8";
LC_TELEPHONE = "zh_CN.UTF-8";
LC_TIME = "zh_CN.UTF-8";
};
# to install chrome, you need to enable unfree packages
nixpkgs.config.allowUnfree = lib.mkForce true;
# Enable CUPS to print documents.
services.printing.enable = true;
# DO NOT promote ryan to input password for `nix-store` and `nix-copy-closure`
security.sudo.extraRules = [
{ users = [ "ryan" ];
commands = [
{ command = "/run/current-system/sw/bin/nix-store" ;
options = [ "NOPASSWD" ];
}
{ command = "/run/current-system/sw/bin/nix-copy-closure" ;
options = [ "NOPASSWD" ];
}
];
}
];
# all fonts are linked to /nix/var/nix/profiles/system/sw/share/X11/fonts
fonts = {
@@ -95,6 +78,7 @@
};
};
# dconf is a low-level configuration system.
programs.dconf.enable = true;
# networking.firewall.allowedTCPPorts = [ ... ];
@@ -121,20 +105,12 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
curl
git # used by nix flakes
git-lfs # used by huggingface models
devenv.packages."${pkgs.system}".devenv
# the vscode insiders is designed to run alongside the main build,
# with a separate code-insiders command and a different config path
#
# TODO install vscode into systemPackages to avoid binary collision error temporarily
# has collision between vscode & vscode-insider - /lib/vscode/chrome_crashpad_handler
((pkgs.vscode.override { isInsiders = true; }).overrideAttrs (oldAttrs: {
((vscode.override { isInsiders = true; }).overrideAttrs (oldAttrs: {
src = (builtins.fetchTarball {
url = "https://code.visualstudio.com/sha/download?build=insider&os=linux-x64";
# you need to update this sha256 every time you update vscode insiders
@@ -143,23 +119,8 @@
});
version = "latest";
}))
# create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos!
(
let base = pkgs.appimageTools.defaultFhsEnvArgs; in
pkgs.buildFHSUserEnv (base // {
name = "fhs";
targetPkgs = pkgs: (base.targetPkgs pkgs) ++ [ pkgs.pkg-config ];
profile = "export FHS=1";
runScript = "bash";
extraOutputsToInstall = [ "dev" ];
})
)
];
# replace default editor with neovim
environment.variables.EDITOR = "nvim";
# PipeWire is a new low-level multimedia framework.
# It aims to offer capture and playback for both audio and video with minimal latency.
# It support for PulseAudio-, JACK-, ALSA- and GStreamer-based applications.
@@ -227,7 +188,6 @@
# see https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/programs/adb.nix
programs.adb.enable = true;
xdg.portal = {
enable = true;
wlr.enable = true;
@@ -252,7 +212,4 @@
];
# set user's default shell system-wide
users.defaultUserShell = pkgs.nushell;
# for power management
services.upower.enable = true;
}
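Review bot: `nixpkgs.config.allowUnfree = lib.mkForce true;` is stronger than it needs to be: the server module this file now imports sets the option with `lib.mkDefault false`, which a plain `nixpkgs.config.allowUnfree = true;` already overrides, while `mkForce` silently wins over any later per-host override and hides a definition conflict that would otherwise be reported. The sudo `NOPASSWD` rules for `nix-store` and `nix-copy-closure` cannot be placed on the old or new side from this rendering; if they are new, note that `nix.settings.trusted-users` in the server module already lets ryan copy closures to the daemon without sudo, so a standing password-less root path to two store-manipulating commands is probably redundant and better dropped. Either way, a one-line comment stating which workflow needs the rule would let the next reader judge it.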


@@ -1,14 +1,15 @@
{ config, pkgs, devenv, ... }:
{ lib, pkgs, ... }:
{
# for nix server, we do not need to keep too much generations
boot.loader.systemd-boot.configurationLimit = 10;
boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;
# boot.loader.grub.configurationLimit = 10;
# do garbage collection weekly to keep disk usage low
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 1w";
automatic = lib.mkDefault true;
dates = lib.mkDefault "weekly";
options = lib.mkDefault "--delete-older-than 1w";
};
# Manual optimise storage: nix-store --optimise
@@ -17,9 +18,11 @@
# enable flakes globally
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.trusted-users = ["ryan"];
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
nixpkgs.config.allowUnfree = lib.mkDefault false;
# Set your time zone.
time.timeZone = "Asia/Shanghai";
@@ -39,45 +42,10 @@
LC_TIME = "zh_CN.UTF-8";
};
# all fonts are linked to /nix/var/nix/profiles/system/sw/share/X11/fonts
fonts = {
# use fonts specified by user rather than default ones
enableDefaultFonts = false;
fontDir.enable = true;
fonts = with pkgs; [
# icon fonts
material-design-icons
font-awesome
# 思源系列字体是 Adobe 主导的。其中汉字部分被称为「思源黑体」和「思源宋体」,是由 Adobe + Google 共同开发的
source-sans # 无衬线字体,不含汉字。字族名叫 Source Sans 3 和 Source Sans Pro以及带字重的变体加上 Source Sans 3 VF
source-han-sans # 思源黑体
# nerdfonts
(nerdfonts.override {
fonts = [
"FiraCode"
"JetBrainsMono"
"Iosevka"
];
})
];
# user defined fonts
# the reason there's Noto Color Emoji everywhere is to override DejaVu's
# B&W emojis that would sometimes show instead of some Color emojis
fontconfig.defaultFonts = {
sansSerif = [ "Noto Sans" "Noto Color Emoji" ];
monospace = [ "JetBrainsMono Nerd Font" "Noto Color Emoji" ];
emoji = [ "Noto Color Emoji" ];
};
};
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
networking.firewall.enable = lib.mkDefault false;
# Enable the OpenSSH daemon.
services.openssh = {
@@ -99,11 +67,28 @@
aria2
git # used by nix flakes
git-lfs # used by huggingface models
k9s
# create a fhs environment by command `fhs`, so we can run non-nixos packages in nixos!
(
let base = pkgs.appimageTools.defaultFhsEnvArgs; in
pkgs.buildFHSUserEnv (base // {
name = "fhs";
targetPkgs = pkgs: (base.targetPkgs pkgs) ++ [ pkgs.pkg-config ];
profile = "export FHS=1";
runScript = "bash";
extraOutputsToInstall = [ "dev" ];
})
)
];
# replace default editor with neovim
environment.variables.EDITOR = "nvim";
virtualisation.docker = {
enable = true;
};
# for power management
services.power-profiles-daemon = {
enable = true;
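Review bot: `nix.settings.trusted-users = ["ryan"];` deserves a comment stating what it grants: a trusted user can push unsigned store paths and override daemon settings such as sandboxing and substituters, which the Nix manual describes as essentially root access, and the new builders rely on exactly that for remote builds pushed over ssh. Suggest `# trusted-users is root-equivalent on this host; needed so remote builds pushed over ssh as ryan are accepted unsigned.` Separately, `networking.firewall.enable = lib.mkDefault false;` now becomes the default for every server VM, although the builders only need port 22 reachable; `lib.mkDefault true` with `networking.firewall.allowedTCPPorts = [ 22 ];` keeps their exposure to ssh and still lets a host opt out explicitly. Whether `virtualisation.docker.enable = true;` is new or context cannot be told from this rendering; if it is new, members of the docker group (ryan, via user-group.nix) gain root-equivalent access through the daemon socket on every host importing this module.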


@@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
# this params has problem with home-manager,
# so defined as NixOS Module here.
# nixpkgs.config.permittedInsecurePackages = [
# "electron-19.0.7" # required by wechat-uos, and it's already EOL
# "openssl-1.1.1u" # OpenSSL 1.1 is reaching its end of life on 2023/09/11
# ];
environment.systemPackages = [
# packages from nur-xddxdd
# config.nur.repos.xddxdd.wechat-uos
];
# flatpack is recommended to install other apps such as netease-cloud-music/qqmusic/...
}


@@ -0,0 +1,67 @@
{ config, lib, ... }:
##############################################################################
#
# Template for Proxmox's VM, mainly based on:
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/virtualisation/proxmox-image.nix
#
# the url above is used by `nixos-generator` to generate the Proxmox's VMA image file.
#
##############################################################################
let
bios = "seabios";
partitionTableType = if bios == "seabios" then "legacy" else "efi";
supportEfi = partitionTableType == "efi" || partitionTableType == "hybrid";
supportBios = partitionTableType == "legacy" || partitionTableType == "hybrid" || partitionTableType == "legacy+gpt";
hasBootPartition = partitionTableType == "efi" || partitionTableType == "hybrid";
hasNoFsPartition = partitionTableType == "hybrid" || partitionTableType == "legacy+gpt";
in
{
# DO NOT promote ryan to input password for sudo.
# this is a workaround for the issue of remote deploy:
# https://github.com/NixOS/nixpkgs/issues/118655
security.sudo.extraRules = [
{ users = [ "ryan" ];
commands = [
{ command = "ALL" ;
options = [ "NOPASSWD" ];
}
];
}
];
boot = {
# after resize the disk, it will grow partition automatically.
growPartition = true;
kernelParams = [ "console=ttyS0" ];
loader.grub = {
device = lib.mkDefault (if (hasNoFsPartition || supportBios) then
# Even if there is a separate no-fs partition ("/dev/disk/by-partlabel/no-fs" i.e. "/dev/vda2"),
# which will be used the bootloader, do not set it as loader.grub.device.
# GRUB installation fails, unless the whole disk is selected.
"/dev/vda"
else
"nodev");
efiSupport = lib.mkDefault supportEfi;
efiInstallAsRemovable = lib.mkDefault supportEfi;
};
loader.timeout = 0;
initrd.availableKernelModules = [ "uas" "virtio_blk" "virtio_pci" ];
};
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = lib.mkIf hasBootPartition {
device = "/dev/disk/by-label/ESP";
fsType = "vfat";
};
# it alse had qemu-guest-agent installed by default.
services.qemuGuest.enable = lib.mkDefault true;
}
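Review bot: The `security.sudo.extraRules` entry grants ryan `command = "ALL"` with `NOPASSWD` on every VM built from this template, so whoever holds ryan's ssh key is root on the idols without any further check, and the `hashedPassword` set in user-group.nix plays no part in privilege escalation there. If the rule must stay for `--use-remote-sudo`, keep it in a module whose name signals policy (core-server or a dedicated deploy module) rather than a file called hardware-configuration, where a later reader will not look for a sudo rule, and consider scoping it to the profile-set and switch-to-configuration commands nixos-rebuild runs under sudo if sudoers can match their store paths. The `bios`/`partitionTableType` let-bindings are all derived from the constant `bios = "seabios"`, so `supportEfi`, `hasBootPartition` and the `fileSystems."/boot"` branch can never be active; either make `bios` a module option or drop the dead branches and say so in the header. Also `# it alse had qemu-guest-agent` → `also`.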


@@ -0,0 +1,112 @@
{ ... }: {
############################################
#
# NixOS's Configuration for Remote Building / Distributed Building
#
# Related Docs:
# 1. https://github.com/NixOS/nix/issues/7380
# 2. https://nixos.wiki/wiki/Distributed_build
############################################
# set local's max-job to 0 to force remote building(disable local building)
# nix.settings.max-jobs = 0;
nix.distributedBuilds = true;
nix.buildMachines =
let
sshUser = "ryan";
# ssh key's path on local machine
sshKey = "/home/ryan/.ssh/ai-idols";
systems = [
# native arch
"x86_64-linux"
# emulated arch using binfmt_misc and qemu-user
"aarch64-linux"
"riscv64-linux"
];
# all available system features are poorly documentd here:
# https://github.com/NixOS/nix/blob/e503ead/src/libstore/globals.hh#L673-L687
supportedFeatures = [
"benchmark"
"big-parallel"
"kvm"
];
in
[
{
# some of my remote builders are running NixOS
# and has the same sshUser, sshKey, systems, etc.
inherit sshUser sshKey systems supportedFeatures;
# the hostName should be:
# 1. a hostname that can be resolved by DNS
# 2. the ip address of the remote builder
# 3. a host alias defined globally in /etc/ssh/ssh_config
hostName = "aquamarine";
# remote builder's max-job
maxJobs = 5;
# speedFactor's a signed integer
# nix seems always try to build on the machine with the highest speedFactor
speedFactor = 0;
}
{
inherit sshUser sshKey systems supportedFeatures;
hostName = "ruby";
maxJobs = 2;
speedFactor = 0;
}
{
inherit sshUser sshKey systems supportedFeatures;
hostName = "kana";
maxJobs = 1;
speedFactor = 0;
}
];
# optional, useful when the builder has a faster internet connection than yours
nix.extraOptions = ''
builders-use-substitutes = true
'';
# define the host alias for remote builders
# this config will be written to /etc/ssh/ssh_config
programs.ssh.extraConfig = ''
Host ai
HostName 192.168.5.100
Port 22
Host aquamarine
HostName 192.168.5.101
Port 22
Host ruby
HostName 192.168.5.102
Port 22
Host kana
HostName 192.168.5.103
Port 22
'';
# define the host key for remote builders so that nix can verify all the remote builders
# this config will be written to /etc/ssh/ssh_known_hosts
programs.ssh.knownHosts = {
# 星野 愛久愛海, Hoshino Aquamarine
aquamarine = {
hostNames = [ "aquamarine" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnCQXlllHoLX5EvU+t6yP/npsmuxKt0skHVeJashizE";
};
# 星野 瑠美衣, Hoshino Rubii
ruby = {
hostNames = [ "ruby" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoIvsorGgnYpyunNrJfZ6Nyue7wBTx6LsyMOMrpgHJ/";
};
# 有馬 かな, Arima Kana
kana = {
hostNames = [ "kana" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuoNB0OSjCFyS022e+ZQCIsb/nhkw/XcWjksqK3sh5x";
};
};
}
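Review bot: The pinned keys in `programs.ssh.knownHosts` are not consulted for the builders as configured: ssh looks up known_hosts by the `HostName` it actually connects to (`192.168.5.101` and so on), not by the `Host` alias, unless `HostKeyAlias` is set, so `hostNames = [ "aquamarine" ]` never matches and the daemon either accepts the key on first use or fails, with the pin giving no protection. Either add the address, `hostNames = [ "aquamarine" "192.168.5.101" ];` (likewise ruby/.102 and kana/.103), or put `HostKeyAlias aquamarine` under each `Host` block; `Host ai` has no knownHosts entry at all. The three addresses duplicate each host's `networking.interfaces.ens18` setting, so a comment naming that source of truth would help keep aliases and pins in step. `supportedFeatures` advertises `kvm` for builders that are themselves Proxmox VMs, which only holds with nested virtualisation enabled on the nodes — worth confirming or a build requiring kvm will be scheduled onto a machine that cannot run it.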


@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ ... }:
{
users.groups = {
@@ -8,12 +8,14 @@
};
# Define a user account. Don't forget to set a password with passwd.
users.users.ryan = {
# the hashed password with salt is generated by run `mkpasswd`.
hashedPassword = "$y$j9T$YQu5vhlnogjDFDWp9QkPh0$Eu85OiwllqvLg5fzRVMLVHNO7InA3ro8grTJJIepyH1";
home = "/home/ryan";
isNormalUser = true;
description = "ryan";
extraGroups = [ "ryan" "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols"
];
};
}
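Review bot: `hashedPassword = "$y$..."` commits a reusable password hash to the repository; if the repository is public, the hash is exposed to offline guessing for as long as the password stays in use. The repo already manages agenix secrets, so `users.users.ryan.passwordFile = config.age.secrets."<secret-name>".path;` (the option available on the 23.05 hosts here) keeps the hash out of git with the same effect, at the cost of re-adding `config` to the module arguments this hunk strips to `{ ... }:`. Independently, `extraGroups` puts ryan in `docker` and `wheel` on every host importing this module, including the headless idols, where docker-group membership alone is root-equivalent; a server variant of the group list, or conditional membership, would match the least-privilege direction of the rest of the commit. A comment on the hash line saying how to regenerate it (`mkpasswd -m yescrypt`) would also spare the next maintainer a guess about the `$y$` prefix.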


@@ -22,36 +22,41 @@ Pretend you want to add a new secret file `xxx.age`, then:
1. `cd` to this directory
1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the
encryption keys and the secret file path, e.g.
```nix
# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
# agenix use the public keys defined in this file to encrypt the secrets.
# and users can decrypt the secrets by any of the corresponding private keys.
let
# get user's ssh public key by command:
# cat ~/.ssh/id_ed25519.pub
# if you do not have one, you can generate it by command:
# ssh-keygen -t ed25519
ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
users = [ ryan ];
```nix
# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
# agenix use the public keys defined in this file to encrypt the secrets.
# and users can decrypt the secrets by any of the corresponding private keys.
let
# get user's ssh public key by command:
# cat ~/.ssh/id_ed25519.pub
# if you do not have one, you can generate it by command:
# ssh-keygen -t ed25519
ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
users = [ ryan ];
# get system's ssh public key by command:
# cat /etc/ssh/ssh_host_ed25519_key.pub
ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@ai";
systems = [ ai ];
in
{
"./encrypt/xxx.age".publicKeys = users ++ systems;
}
```
# get system's ssh public key by command:
# cat /etc/ssh/ssh_host_ed25519_key.pub
msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
systems = [ msi-rtx4090 ];
in
{
"./encrypt/xxx.age".publicKeys = users ++ systems;
}
```
2. create and edit the secret file `xxx.age` interactively by command:
```shell
agenix -e ./encrypt/xxx.age
```
```shell
agenix -e ./encrypt/xxx.age
```
3. or you can also encrypt an existing file to `xxx.age` by command:
```shell
cat /path/to/xxx | agenix -e ./encrypt/xxx.age
```
```shell
cat /path/to/xxx | agenix -e ./encrypt/xxx.age
```
the agenix use `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub` as encrypt key by default, you need to pass `--identity /path/to/key` to use a custom `/path/to/key.pub` for enctypt.
@@ -70,7 +75,7 @@ An nixos module exmaple(need to set agenix as flake inputs first...):
];
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
agenix.packages."${pkgs.system}".default
];
age.secrets."xxx" = {


@@ -1,4 +1,4 @@
{ config, pkgs, agenix, ... }:
{ pkgs, agenix, ... }:
{
imports = [
@@ -25,7 +25,7 @@
group = "root";
};
# smb-credentials is referenced in /etc/fstab, by ../hosts/msi-rtx4090/cifs-mount.nix
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
age.secrets."smb-credentials" = {
# wether secrets are symlinked to age.secrets.<name>.path
symlink = true;


@@ -10,8 +10,8 @@ let
# get system's ssh public key by command:
# cat /etc/ssh/ssh_host_ed25519_key.pub
msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
systems = [ msi-rtx4090 ];
ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@ai";
systems = [ ai ];
in
{
"./encrypt/wg-business.conf.age".publicKeys = users ++ systems;