diff --git a/README.md b/README.md
index c0fceab..31c4139 100644
--- a/README.md
+++ b/README.md
@@ -20,16 +20,17 @@ ## Hosts -| | Type | Name | Hardware | Purpose | -| --- | ------- | -------- | -------------------------------------- | ---------------------------------------------------------------------------------- | -| 💻 | Desktop | sirius | Ryzen 5 3600 - 64GB RAM - RTX 3080 TI | Multi-monitor desktop running Windows Subsystem for Linux. | -| 🖥️ | Laptop | canopus | Ryzen 9 5900HS - 16 GB RAM - RTX 3060 | Optimized for productivity on the go and some gaming. | -| 🖥️ | Server | homelab | Ryzen 7 8700G - 32 GB RAM - Radeon 780M| WIP | -| ☁️ | VPS | arcturus | 4 Core - 8 GB RAM | Primary server responsible for exposing my homelab applications to the internet. | -| 🥔 | VPS | alpha | 2 Core - 4 GB RAM | Monitors uptime and health status of all services across the infrastructure. | -| 🥔 | Server | vega | Cortex A53 - 1 GB RAM | Running AdGuard Home for network-wide ad blocking. | -| ☁️ | VPS | capella | 4 Core - 6 GB RAM | For running Minecraft, CS 2, Rust game servers. | -| ☁️ | VPS | node | i9-13900 - 64 GB RAM | Running Ethereum and BSC nodes. Currently in the process of migrating from Ubuntu. | +| | Type | Name | Hardware | Purpose | +| --- | ------- | -------- | --------------------------------------- | ---------------------------------------------------------------------------------- | +| 💻 | Desktop | sirius | Ryzen 5 3600 - 64GB RAM - RTX 3080 TI | Multi-monitor desktop running Windows Subsystem for Linux. | +| 🖥️ | Laptop | canopus | Ryzen 9 5900HS - 16 GB RAM - RTX 3060 | Optimized for productivity on the go and some gaming. | +| 🖥️ | Server | homelab | Ryzen 7 8700G - 32 GB RAM - Radeon 780M | WIP | +| ☁️ | VPS | arcturus | 4 Core - 8 GB RAM | Primary server responsible for exposing my homelab applications to the internet. | +| 🥔 | VPS | alpha | 2 Core - 4 GB RAM | Monitors uptime and health status of all services across the infrastructure. | +| 🥔 | Server | vega | Cortex A53 - 1 GB RAM | Running AdGuard Home for network-wide ad blocking. 
| +| ☁️ | VPS | capella | 4 Core - 6 GB RAM | For running Minecraft, CS 2, Rust game servers. | +| 📱 | VPS | rigel | S21 Ultra - 12 GB RAM | Yes, I run nix on my android device. lol | +| ☁️ | VPS | node | i9-13900 - 64 GB RAM | Running Ethereum and BSC nodes. Currently in the process of migrating from Ubuntu. | ## Installation diff --git a/flake.lock b/flake.lock index 7d91880..83eeb99 100755 --- a/flake.lock +++ b/flake.lock @@ -363,6 +363,57 @@ "type": "github" } }, + "nix-formatter-pack": { + "inputs": { + "nixpkgs": [ + "nix-on-droid", + "nixpkgs" + ], + "nmd": "nmd", + "nmt": "nmt" + }, + "locked": { + "lastModified": 1705252799, + "narHash": "sha256-HgSTREh7VoXjGgNDwKQUYcYo13rPkltW7IitHrTPA5c=", + "owner": "Gerschtli", + "repo": "nix-formatter-pack", + "rev": "2de39dedd79aab14c01b9e2934842051a160ffa5", + "type": "github" + }, + "original": { + "owner": "Gerschtli", + "repo": "nix-formatter-pack", + "type": "github" + } + }, + "nix-on-droid": { + "inputs": { + "home-manager": [ + "home-manager" + ], + "nix-formatter-pack": "nix-formatter-pack", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-docs": "nixpkgs-docs", + "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap", + "nmd": "nmd_2" + }, + "locked": { + "lastModified": 1720396533, + "narHash": "sha256-UFzk/hZWO1VkciIO5UPaSpJN8s765wsngUSvtJM6d5Q=", + "owner": "nix-community", + "repo": "nix-on-droid", + "rev": "f3d3b8294039f2f9a8fb7ea82c320f29c6b0fe25", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "nix-on-droid", + "type": "github" + } + }, "nix-secrets": { "inputs": { "nixpkgs": [ 
@@ -458,6 +509,22 @@ "type": "github" } }, + "nixpkgs-docs": { + "locked": { + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-f2k": { "inputs": { "emacs": "emacs", @@ -502,6 +569,22 @@ "type": "github" } }, + "nixpkgs-for-bootstrap": { + "locked": { + "lastModified": 1720244366, + "narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40", + "type": "github" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1738452942, 
@@ -658,6 +741,60 @@ "type": "github" } }, + "nmd": { + "flake": false, + "locked": { + "lastModified": 1666190571, + "narHash": "sha256-Z1hc7M9X6L+H83o9vOprijpzhTfOBjd0KmUTnpHAVjA=", + "owner": "rycee", + "repo": "nmd", + "rev": "b75d312b4f33bd3294cd8ae5c2ca8c6da2afc169", + "type": "gitlab" + }, + "original": { + "owner": "rycee", + "repo": "nmd", + "type": "gitlab" + } + }, + "nmd_2": { + "inputs": { + "nixpkgs": [ + "nix-on-droid", + "nixpkgs-docs" + ], + "scss-reset": "scss-reset" + }, + "locked": { + "lastModified": 1705050560, + "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", + "owner": "~rycee", + "repo": "nmd", + "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", + "type": "sourcehut" + }, + "original": { + "owner": "~rycee", + "repo": "nmd", + "type": "sourcehut" + } + }, + "nmt": { + "flake": false, + "locked": { + "lastModified": 1648075362, + "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=", + "owner": "rycee", + "repo": "nmt", + "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae", + "type": "gitlab" + }, + "original": { + "owner": "rycee", + "repo": "nmt", + "type": "gitlab" + } + }, "nur": { "inputs": { "flake-parts": "flake-parts", @@ -704,6 +841,7 @@ "ghostty": "ghostty", "home-manager": "home-manager", "impermanence": "impermanence", + "nix-on-droid": "nix-on-droid", "nix-secrets": "nix-secrets", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", @@ -755,6 +893,22 @@ "type": "github" } }, + "scss-reset": { + "flake": false, + "locked": { + "lastModified": 1631450058, + "narHash": "sha256-muDlZJPtXDIGevSEWkicPP0HQ6VtucbkMNygpGlBEUM=", + "owner": "andreymatin", + "repo": "scss-reset", + "rev": "0cf50e27a4e95e9bb5b1715eedf9c54dee1a5a91", + "type": "github" + }, + "original": { + "owner": "andreymatin", + "repo": "scss-reset", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": "nixpkgs_6" diff --git a/flake.nix b/flake.nix index c544717..60f9d35 100755 --- a/flake.nix 
+++ b/flake.nix
@@ -9,6 +9,7 @@
 } @ inputs: let
 inherit (self) outputs;
 inherit (inputs.nixpkgs.lib) nixosSystem;
+ inherit (inputs.nix-on-droid.lib) nixOnDroidConfiguration;
 forAllSystems = nixpkgs.lib.genAttrs [
 "x86_64-linux"
 "aarch64-linux"
@@ -21,6 +22,12 @@
 modules = [./hosts/${host}];
 };
 
+ mkDroidConfig = host: {
+ pkgs = import nixpkgs {system = "aarch64-linux";};
+ extraSpecialArgs = {inherit inputs outputs username email;};
+ modules = [./hosts/${host}];
+ };
+
 mkNode = hostname: {
 inherit hostname;
 profiles.system = {
@@ -49,6 +56,12 @@
 homelab = nixosSystem (mkNixOSConfig "homelab");
 };
 
+ # NixOnDroid configuration entrypoint
+ # 'nix-on-droid switch --flake .#your-hostname'
+ nixOnDroidConfigurations = {
+ rigel = nixOnDroidConfiguration (mkDroidConfig "rigel");
+ };
+
 deploy = {
 nodes = {
 arcturus = mkNode "arcturus";
@@ -90,6 +103,11 @@
 url = "git+ssh://git@github.com/tuxdotrs/nix-secrets.git?shallow=1";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ nix-on-droid = {
+ url = "github:nix-community/nix-on-droid/release-24.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.home-manager.follows = "home-manager";
+ };
 tfolio = {
 url = "git+ssh://git@github.com/tuxdotrs/tfolio.git";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/rigel/default.nix b/hosts/rigel/default.nix
new file mode 100644
index 0000000..827a00b
--- /dev/null
+++ b/hosts/rigel/default.nix
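Review bot: `mkDroidConfig` in the second hunk imports nixpkgs for aarch64-linux with no `overlays` or `config`, whereas the upstream nix-on-droid example passes `overlays = [nix-on-droid.overlays.default]` so that its own packages (proot and the bootstrap helpers) resolve; if the pinned release-24.05 `nixOnDroidConfiguration` does not add that overlay itself, the build fails on the device, so this is worth confirming against the locked revision. The one-line change is `pkgs = import nixpkgs {system = "aarch64-linux"; overlays = [inputs.nix-on-droid.overlays.default];};`. `mkNixOSConfig` starts outside the hunk, so I cannot see whether it applies overlays or `config.allowUnfree` that the droid variant should mirror; a comment such as `# pkgs here gets no overlays/config — keep in sync with mkNixOSConfig if that changes` would make the asymmetry deliberate rather than accidental.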
@@ -0,0 +1,43 @@
+{
+ pkgs,
+ username,
+ outputs,
+ inputs,
+ email,
+ ...
+}: {
+ imports = [
+ ../../modules/droid/sshd.nix
+ ];
+
+ services.openssh = {
+ enable = true;
+ ports = [8022];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+OzPUe2ECPC929DqpkM39tl/vdNAXfsRnmrGfR+X3D ${email}"
+ ];
+ };
+
+ user.shell = "${pkgs.zsh}/bin/zsh";
+
+ environment.packages = with pkgs; [
+ nano
+ git
+ neovim
+ openssh
+ ];
+
+ home-manager = {
+ config = ./home.nix;
+ backupFileExtension = "backup";
+ extraSpecialArgs = {inherit inputs outputs username email;};
+ useGlobalPkgs = true;
+ };
+
+ # Set up nix for flakes
+ nix.extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/rigel/home.nix b/hosts/rigel/home.nix
new file mode 100644
index 0000000..1b8181a
--- /dev/null
+++ b/hosts/rigel/home.nix
@@ -0,0 +1,30 @@
+{pkgs, ...}: {
+ imports = [
+ ../../modules/home/git
+ ../../modules/home/starship
+ ];
+
+ programs = {
+ bat.enable = true;
+ zoxide = {
+ enable = true;
+ options = ["--cmd cd"];
+ };
+ zsh = {
+ enable = true;
+ shellAliases = {
+ ls = "lsd";
+ };
+ syntaxHighlighting.enable = true;
+ autosuggestion.enable = true;
+ };
+ };
+
+ home.packages = with pkgs; [
+ neovim
+ busybox
+ lsd
+ ];
+
+ home.stateVersion = "24.05";
+}
diff --git a/modules/droid/sshd.nix b/modules/droid/sshd.nix
new file mode 100644
index 0000000..a2b4da4
--- /dev/null
+++ b/modules/droid/sshd.nix
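Review bot: The `services.openssh` block in hosts/rigel/default.nix reads like the NixOS option set, but it is the custom module imported a few lines above (`../../modules/droid/sshd.nix`), which only defines `enable`, `ports` and `authorizedKeys` and writes a minimal sshd_config (Port, AuthorizedKeysFile, LogLevel); there is no `settings` attribute, so nothing here turns off password or keyboard-interactive authentication and nothing restricts `ListenAddress` on a phone that roams between networks. A comment on the block would stop the next reader from assuming NixOS semantics or hardening apply: `# modules/droid/sshd.nix, not NixOS's services.openssh: enable/ports/authorizedKeys only; the generated sshd_config sets no auth-method or ListenAddress options`. Committing the ssh-ed25519 public key itself is fine; only its trailing comment is built from `${email}`.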
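Review bot: `neovim` in `home.packages` of hosts/rigel/home.nix duplicates the `neovim` already listed in `environment.packages` of hosts/rigel/default.nix for the same host, so the editor lands in both the system profile and the home-manager profile. Harmless in Nix, but it leaves unclear which profile is meant to own the editor; dropping the `neovim` line from one of the two lists (this one, if editor config is not managed by home-manager here) keeps a single owner.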
@@ -0,0 +1,106 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ # utility functions
+ concatLines = list: builtins.concatStringsSep "\n" list;
+
+ prefixLines = mapper: list: concatLines (map mapper list);
+
+ # could be put in the config
+ configPath = "ssh/sshd_config";
+
+ keysFolder = "/etc/ssh";
+
+ authorizedKeysFolder = "/etc/ssh/authorized_keys.d";
+
+ supportedKeysTypes = [
+ "rsa"
+ "ed25519"
+ ];
+
+ sshd-start-bin = "sshd-start";
+
+ # real config
+ cfg = config.services.openssh;
+
+ pathOfKeyOf = type: "${keysFolder}/ssh_host_${type}_key";
+
+ generateKeyOf = type: ''
+ ${lib.getExe' pkgs.openssh "ssh-keygen"} \
+ -t "${type}" \
+ -f "${pathOfKeyOf type}" \
+ -N ""
+ '';
+
+ generateKeyWhenNeededOf = type: ''
+ if [ ! -f ${pathOfKeyOf type} ]; then
+ mkdir --parents ${keysFolder}
+ ${generateKeyOf type}
+ fi
+ '';
+
+ sshd-start = pkgs.writeScriptBin sshd-start-bin ''
+ #!${pkgs.runtimeShell}
+ ${prefixLines generateKeyWhenNeededOf supportedKeysTypes}
+
+ mkdir --parents "${authorizedKeysFolder}"
+ echo "${lib.concatStringsSep "\n" cfg.authorizedKeys}" > ${authorizedKeysFolder}/${config.user.userName}
+
+ echo "Starting sshd in non-daemonized way on port ${lib.concatMapStrings toString cfg.ports}"
+ ${lib.getExe' pkgs.openssh "sshd"} \
+ -f "/etc/${configPath}" \
+ -D # don't detach into a daemon process
+ '';
+in {
+ options = {
+ services.openssh = {
+ enable = lib.mkEnableOption ''
+ Whether to enable the OpenSSH secure shell daemon, which
+ allows secure remote logins.
+ '';
+
+ ports = lib.mkOption {
+ type = lib.types.listOf lib.types.port;
+ default = [22];
+ description = ''
+ Specifies on which ports the SSH daemon listens.
+ '';
+ };
+
+ authorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ description = ''
+ Specify a list of public keys to be added to the authorized_keys file. 
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.etc = {
+ "${configPath}".text = ''
+ ${prefixLines (port: "Port ${toString port}") cfg.ports}
+
+ AuthorizedKeysFile ${authorizedKeysFolder}/%u
+
+ LogLevel VERBOSE
+ '';
+ };
+
+ environment.packages = [
+ sshd-start
+ pkgs.openssh
+ ];
+
+ build.activationAfter.sshd = ''
+ SERVER_PID=$(${lib.getExe' pkgs.procps "ps"} -a | ${lib.getExe' pkgs.toybox "grep"} sshd || true)
+ if [ -z "$SERVER_PID" ]; then
+ $DRY_RUN_CMD ${lib.getExe sshd-start}
+ fi
+ '';
+ };
+}
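Review bot: The `build.activationAfter.sshd` hook at the end of the hunk runs `sshd-start`, whose last command is `sshd -D` (foreground, as its own comment says), so `nix-on-droid switch` would not return until sshd exits unless activationAfter snippets are run asynchronously, which I do not believe they are; background it from the hook (`... ${lib.getExe sshd-start} &`) or omit `-D` on the activation path. The `ps -a | grep sshd` probe just above it is also racy against the grep process itself and matches any command line containing "sshd", so it can report the server as already running when it is not; `pgrep -x sshd` from the same procps package is the usual fix. Separately, the sshd_config written under `environment.etc` never disables password or keyboard-interactive authentication even though the module's only credential source is `authorizedKeys`; adding `PasswordAuthentication no` and `KbdInteractiveAuthentication no` makes the key-only intent explicit, and a comment should note that with no `ListenAddress` the device listens on every interface it joins. Finally, the start-up message uses `lib.concatMapStrings toString cfg.ports`, which glues several ports together with no separator (`[22 8022]` prints `228022`); `lib.concatMapStringsSep ", " toString cfg.ports` fixes it.

```nix
      echo "Starting sshd in non-daemonized way on port ${lib.concatMapStringsSep ", " toString cfg.ports}"
# … unchanged: host-key generation, authorized_keys write, sshd exec, options …
      "${configPath}".text = ''
        ${prefixLines (port: "Port ${toString port}") cfg.ports}

        AuthorizedKeysFile ${authorizedKeysFolder}/%u

        # Key-only login: authorizedKeys is the only credential this module provisions.
        PasswordAuthentication no
        KbdInteractiveAuthentication no

        # No ListenAddress: sshd binds every interface the device is on.
        LogLevel VERBOSE
      '';
# … unchanged: environment.packages …
    build.activationAfter.sshd = ''
      if ! ${lib.getExe' pkgs.procps "pgrep"} -x sshd > /dev/null; then
        # sshd-start ends in `sshd -D` (foreground); background it so activation returns.
        $DRY_RUN_CMD ${lib.getExe sshd-start} &
      fi
    '';
```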