Add in secrets, edge, hashed-password

+301 -13
+1 -1
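--- a/configuration.nix
+++ b/configuration.nix
@@ -27,5 +27,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.11"; # Did you read the comment?
+  #system.stateVersion = "23.11"; # Did you read the comment?
 }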
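Review bot: Commenting out `system.stateVersion` in the shared configuration.nix leaves every host that does not set it in its own module without a value, which NixOS reports as a warning and which can change data-migration defaults on hosts that were installed at 23.11; the new edge host sets its own value, but the page does not show whether misaki or touma-wsl do, so that should be confirmed before this lands. If the intent is to make stateVersion per-host, delete the line instead of leaving dead text and replace the now-stale "Did you read the comment?" with something like `# stateVersion is set per host under host-specific/`.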
+9 -9
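--- a/flake.lock
+++ b/flake.lock
@@ -246,11 +246,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766553861,
-        "narHash": "sha256-ZbnG01yA3O8Yr1vUm3+NQ2qk9iRhS5bloAnuXHHy7+c=",
+        "lastModified": 1767024057,
+        "narHash": "sha256-B1aycRjMRvb6QOGbnqDhiDzZwMebj5jxZ5qyJzaKvpI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0999ed8f965bbbd991437ad9c5ed3434cecbc30e",
+        "rev": "34578a2fdfce4257ce5f5baf6e7efbd4e4e252b1",
         "type": "github"
       },
       "original": {
@@ -351,11 +351,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1766651565,
-        "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
+        "lastModified": 1766902085,
+        "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
+        "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4",
         "type": "github"
       },
       "original": {
@@ -397,11 +397,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1766736597,
-        "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=",
+        "lastModified": 1766885793,
+        "narHash": "sha256-P6RVkrM9JLCW6xBjSwHfgTOQ1JwBUma5xe5LI8xAPC0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852",
+        "rev": "9ef261221d1e72399f2036786498d78c38185c46",
         "type": "github"
       },
       "original": {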
+8
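--- a/flake.nix
+++ b/flake.nix
@@ -57,6 +57,8 @@
       modules = [
         determinite.nixosModules.default
         ./configuration.nix
+        ./users.nix
+        ./services.nix
         agenix.nixosModules.default
         home-manager.nixosModules.home-manager
         {
@@ -85,6 +87,12 @@
           ./host-specific/touma-wsl.nix
           nixos-wsl.nixosModules.default
         ];
+      };
+      nixosConfigurations.edge = basicSystem {
+        unstable = true;
+        modules = [
+          ./host-specific/edge/configuration.nix
+        ];
       };
       checks = forAllSystems (system: {
         pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {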
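Review bot: The first hunk adds `./services.nix` to the shared module list, but no services.nix appears in this commit's diffstat, so unless it already exists in the repository every nixosConfiguration will fail to evaluate with a missing-path error; worth confirming before merge. Adding users.nix and services.nix to the common list also means touma-wsl and the new edge host now inherit the noah account and its agenix password secret, which is presumably intended but deserves a short comment on the list, e.g. `# users.nix/services.nix are shared by every host, including WSL and edge`.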
+1
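--- a/home.nix
+++ b/home.nix
@@ -193,6 +193,7 @@
   xdg.configFile.fish = {
     source = ./fish;
     recursive = true;
+    force = true;
   };
 
   xdg.configFile.aerc = {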
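Review bot: `force = true` makes Home Manager overwrite any pre-existing, unmanaged file under ~/.config/fish instead of stopping on the collision, so local edits there are discarded silently on every activation; presumably this is to cope with files fish itself rewrites at runtime, but nothing on the page says so. A one-line comment such as `# overwrite unmanaged files fish writes into ~/.config/fish rather than fail on collision` would keep the next reader from removing it as an accident.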
+197
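--- /dev/null
+++ b/host-specific/edge/configuration.nix
@@ -0,0 +1,197 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, inputs, ... }:
+let
+  system = pkgs.stdenv.targetPlatform.system;
+  agave = (builtins.getFlake "/home/noah/repos/agave");
+in
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      agave.nixosModules.default
+    ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  #boot.loader.grub.device = "nodev";
+  #boot.loader.grub.efiSupport = true;
+  #boot.loader.grub.useOSProber = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Use latest kernel.
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  networking.hostName = "edge"; # Define your hostname.
+
+  # Configure network connections interactively with nmcli or nmtui.
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+    #useXkbConfig = true; # use xkb.options in tty.
+  };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+
+
+
+  # Configure keymap in X11
+  # services.xserver.xkb.layout = "us";
+  # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # services.pulseaudio.enable = true;
+  # OR
+  # services.pipewire = {
+  #   enable = true;
+  #   pulse.enable = true;
+  # };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.alice = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  #   packages = with pkgs; [
+  #     tree
+  #   ];
+  # };
+
+  # programs.firefox.enable = true;
+
+  # List packages installed in system profile.
+  # You can use https://search.nixos.org/ to find more packages (and options).
+  environment.systemPackages = with pkgs; [
+    neovim
+    wget
+    git
+    htop
+    inputs.agenix.packages."${system}".agenix
+    agave.packages.${system}.solana
+    agave.packages.${system}.solana-keygen
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.openFirewall = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = true;
+  networking.firewall = {
+    allowPing = true;
+    allowedUDPPorts = [ ];
+    allowedUDPPortRanges = [
+      # Agave
+      { from = 8000; to = 8020; }
+    ];
+    allowedTCPPorts = [
+      2375
+      3000
+      # Agave
+      8001
+      8899
+      8900
+      10000
+    ];
+  };
+  security.pam.loginLimits = [
+    {
+      domain = "*";
+      type = "soft";
+      item = "nofile";
+      value = "100000";
+    }
+    {
+      domain = "*";
+      type = "hard";
+      item = "nofile";
+      value = "1000000";
+    }
+  ];
+
+  age.secrets.validator-identity = {
+    file = ./secrets/validator-identity.age;
+    owner = "sol";
+    group = "sol";
+  };
+  services.ambient-validator = {
+    enable = true;
+    package = agave.packages.${system}.ambient-validator;
+    # this needs to be a secret
+    identityKeypair = config.age.secrets.validator-identity.path;
+    rpcBindAddress = "0.0.0.0";
+    geyserPluginConfig = {
+      libpath = "${agave.packages.${system}.yellowstone-geyser}/lib/libyellowstone_grpc_geyser.so";
+      log = {
+        level = "info";
+      };
+      tokio = {
+        worker_threads = 4;
+        affinity = null;
+      };
+      grpc = {
+        address = "0.0.0.0:10000";
+      };
+    };
+  };
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "25.11"; # Did you read the comment?
+
+}
+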
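Review bot: `rpcBindAddress = "0.0.0.0"` and `grpc.address = "0.0.0.0:10000"` combined with `allowedTCPPorts` opening 8899, 8900 and 10000 expose the validator RPC and the geyser gRPC stream on every interface, and nothing on the page shows authentication or a network restriction in front of them; unless the intended consumers are on the public internet, bind them to a private or loopback address (or scope the firewall rules per interface via `networking.firewall.interfaces.<name>.allowedTCPPorts`) and add a comment naming the consumer of each port — 2375 and 3000 in particular are opened with no service in this commit listening on them. `agave = builtins.getFlake "/home/noah/repos/agave"` evaluates whatever checkout happens to be at that absolute path on the building machine, so the validator package, the geyser plugin and the imported NixOS module are neither pinned in flake.lock nor reproducible; making agave a flake input in flake.nix gives it a locked rev and narHash. The comment `# this needs to be a secret` on identityKeypair is stale now that the line reads the agenix secret, and should become something like `# keypair is decrypted by agenix into a root-only path owned by sol`. The `owner = "sol"` on the secret assumes the agave module creates that user; that is not visible here and is worth a comment.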
+46
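--- /dev/null
+++ b/host-specific/edge/hardware-configuration.nix
@@ -0,0 +1,46 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8101a0a8-a8c6-4083-85b6-c136d3c80f2e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/E7AD-32DA";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  boot.swraid = {
+    enable = true;
+    #mdadmConf = ''
+    #  ARRAY /dev/md126 metadata=1.2 UUID=27cd6eab:f0304d07:b859f0f2:1a8f29b7
+    #  MAILADDR noah
+    #'';
+  };
+
+  # stuff for Agave
+  boot.kernel.sysctl."net.core.rmem_default" = 134217728;
+  boot.kernel.sysctl."net.core.rmem_max" = 134217728;
+  boot.kernel.sysctl."net.core.wmem_default" = 134217728;
+  boot.kernel.sysctl."net.core.wmem_max" = 134217728;
+  boot.kernel.sysctl."vm.max_map_count" = 1000000;
+  boot.kernel.sysctl."fs.nr_open" = 1000000;
+}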
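Review bot: The `boot.swraid` block and the "stuff for Agave" sysctl settings at the end are hand edits in a file whose own header says it is regenerated by nixos-generate-config, so the next regeneration silently drops the RAID autodetection and the socket-buffer/map-count tuning that the validator depends on; move them into host-specific/edge/configuration.nix next to the `security.pam.loginLimits` entries they pair with (`fs.nr_open` is the kernel ceiling for the 1000000 hard nofile limit there). The commented-out `mdadmConf` carrying a real array UUID should either be restored or deleted rather than left as dead text, with a comment saying which array the swraid option is for.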
+7
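--- /dev/null
+++ b/host-specific/edge/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+  edge = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCmFKYXpQf1E8E7fj5s+3R33HPRjPhXrv++FCKYBCd4 root@nixos";
+in
+{
+  "validator-identity.age".publicKeys = [ edge ];
+}
+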
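Review bot: `validator-identity.age` is encrypted to the edge host key alone, so if the machine is reinstalled or its SSH host key is rotated nobody can decrypt or rekey the validator identity from the repository, and the only copy is then whatever is left on the old disk; adding the operator key that secrets/secrets.nix already defines as `noah` to `publicKeys = [ edge noah ]` keeps a recovery path. The edge key string is also duplicated verbatim between this file and secrets/secrets.nix, so a future host-key rotation has to be applied in two places; a comment pointing at the other file, `# keep in sync with ../../../secrets/secrets.nix`, or importing a shared key list would avoid the drift.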
host-specific/edge/secrets/validator-identity.age

This is a binary file and will not be displayed.

+7
secrets/noah-hashed-password.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g rYZsjju3Nn5w9PgOxAMpv1KsVvMpHJ0oshbgxwI53A4 3 + UtVwUd7SXJrxL4diZm3rwa1iT0x/2fdFXrtfSrh3nk8 4 + -> ssh-ed25519 FcROng ixHXkjOcK2JKQZFoRWI050PLROfpSiTZbOn1x3CzUxk 5 + 4C+0NflesRNJmpwFpbBOQ5XU+zoCFjlUDtALLG8u9Go 6 + --- m0ao+O5J8OSB2jdDlOf6EFf1jz7NQc9XFSsWkFl2aYo 7 + �nX�����s�vե�2���Oi���%�|оO�gi�����b�t�HM�C���N�g��p���k�f����?w�S�d��d�Vދ���S2Ǔ���G^��ɇ
+6
secrets/porkbun-api-key.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g CdLTZ6uXiJB+xaD+I5NVHD5OxLSH+yAz99j04GiKukU 3 + kQTUR4yK23wHV9QGMlmTmIlMh63nP49g1NrS+sJKfBY 4 + --- H6/xHryPPKmAWW/bDXUN4YBXMKrsFpUAveKxWsT0SH0 5 + �E����,�ήS��P)A.������9O\�����2n��U�!���X�a��� l�Z�4*(G�[��>�Zl� 6 + :QՅ���������o����$=��& ڍ�w�t^�<<E�0p�8��:���� G�̉����J#�QR�����p�򘐞�kA,�=!��5�KK��0o��nQ��)�\\�ĘN�����wQ�҉
+10
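--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,10 @@
+let
+  noah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQFlX3hhXxsqAUYLvF+IX1YWQ+k22OHlqMOjgyNBe9e noah@misaki";
+  misaki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rcf4Lr+JPWGKQol6eAml6SMgERkGJWgN7y1qYUUvX root@nixos";
+  edge = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCmFKYXpQf1E8E7fj5s+3R33HPRjPhXrv++FCKYBCd4 root@nixos";
+  hosts = [ misaki edge ];
+in
+{
+  "porkbun-api-key.age".publicKeys = [ noah misaki ];
+  "noah-hashed-password.age".publicKeys = hosts;
+}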
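Review bot: `noah-hashed-password.age` is encrypted to `hosts` only and not to `noah`, yet users.nix now imports it on every host through the shared module list; a host that is not in `hosts` (touma-wsl today, any new machine tomorrow) cannot decrypt it, and with `users.mutableUsers = false` that means no usable password for the noah account there, so the list needs rekeying (`agenix -r`) each time a host is added. Adding the operator key to that secret's `publicKeys` as well makes rekeying possible without root on one of the hosts. Both host keys carry the identical comment `root@nixos`, so a short comment per line naming the machine would help when one of them is rotated.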
+9 -3
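--- a/users.nix
+++ b/users.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 {
 
   # Declarative only optoins.
@@ -6,6 +6,12 @@
   # Users must be declared either as part of a package or in this file.
   users.mutableUsers = false;
 
+  age.secrets.noah-password = {
+    file = ./secrets/noah-hashed-password.age;
+    owner = "root";
+    group = "root";
+  };
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.noah = {
     isNormalUser = true;
@@ -15,7 +21,7 @@
       "video"
       "nas"
     ]; # Enable ‘sudo’ for the user.
-    hashedPasswordFile = "/etc/nixos/noah-password";
+    hashedPasswordFile = config.age.secrets.noah-password.path;
     openssh.authorizedKeys.keys = lib.strings.splitString "\n" (
       builtins.readFile (
         builtins.fetchurl {
@@ -23,7 +29,7 @@
           name = "chiefnoah.keys";
           # Update this with:
           # `curl https://meta.sr.ht/~chiefnoah.keys | sha256sum`
-          sha256 = "b07f29019f0fcf2d7e217637fce6c7f9476468cc47cb8eaf36a0cd646aa4a8a7";
+          sha256 = "0wdnx25blqihbgaa0hzd39mjqwki92ambar097hjfmlrxg1s4lk7";
         }
       )
     );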
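Review bot: In the last hunk the comment still says to refresh the pin with `curl … | sha256sum`, which yields a hex digest, but the new value is in Nix's base32 hash format, so the next person who follows the comment will paste a hash Nix rejects; change it to `# \`nix-prefetch-url https://meta.sr.ht/~chiefnoah.keys\`` (or keep sha256sum and convert with `nix hash to-base32`). The fetched key list is pinned by hash, which is good, but `splitString "\n"` on a file with a trailing newline produces an empty final entry in authorized_keys; this predates the commit and is harmless, just worth a comment. In the second hunk, with `users.mutableUsers = false` the account is only usable if agenix has decrypted the password file before user creation runs during activation — agenix orders itself for that, but it is worth confirming on a fresh host, and the "Don't forget to set a password with ‘passwd’" comment is now stale and should say the password comes from `age.secrets.noah-password`.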