titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports

Browse Source 
- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin)
- modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks
- modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/
- hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix
- hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override
- modules/age-secrets.nix: file paths → ../secrets/server/*.age
- services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/
- home/profiles/*.nix: ./progs/ → ../progs/
- hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/
- home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/
- tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix
- lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
This commit is contained in:
primary
2026-04-18 00:58:55 -04:00
parent 05fd05deda
commit 1719d54ee0
28 changed files with 562 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
modules/age-secrets.nix
View File

@@ -15,7 +15,7 @@
# ZFS encryption key
# path is set to /etc/zfs-key to match the ZFS dataset keylocation property
zfs-key = {
file = ../secrets/zfs-key.age;
file = ../secrets/server/zfs-key.age;
mode = "0400";
owner = "root";
group = "root";
@@ -24,7 +24,7 @@
# Secureboot keys archive
secureboot-tar = {
file = ../secrets/secureboot.tar.age;
file = ../secrets/server/secureboot.tar.age;
mode = "0400";
owner = "root";
group = "root";
@@ -32,7 +32,7 @@
# System passwords
hashedPass = {
file = ../secrets/hashedPass.age;
file = ../secrets/server/hashedPass.age;
mode = "0400";
owner = "root";
group = "root";
@@ -40,7 +40,7 @@
# Service authentication
caddy_auth = {
file = ../secrets/caddy_auth.age;
file = ../secrets/server/caddy_auth.age;
mode = "0400";
owner = "caddy";
group = "caddy";
@@ -48,7 +48,7 @@
# Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
njalla-api-token-env = {
file = ../secrets/njalla-api-token-env.age;
file = ../secrets/server/njalla-api-token-env.age;
mode = "0400";
owner = "caddy";
group = "caddy";
@@ -56,21 +56,21 @@
# ddns-updater config.json with Njalla provider credentials
ddns-updater-config = {
file = ../secrets/ddns-updater-config.age;
file = ../secrets/server/ddns-updater-config.age;
mode = "0400";
owner = "ddns-updater";
group = "ddns-updater";
};
jellyfin-api-key = {
file = ../secrets/jellyfin-api-key.age;
file = ../secrets/server/jellyfin-api-key.age;
mode = "0400";
owner = "root";
group = "root";
};
slskd_env = {
file = ../secrets/slskd_env.age;
file = ../secrets/server/slskd_env.age;
mode = "0500";
owner = config.services.slskd.user;
group = config.services.slskd.group;
@@ -78,7 +78,7 @@
# Network configuration
wg0-conf = {
file = ../secrets/wg0.conf.age;
file = ../secrets/server/wg0.conf.age;
mode = "0400";
owner = "root";
group = "root";
@@ -86,14 +86,14 @@
# ntfy-alerts secrets (group-readable for CI runner notifications)
ntfy-alerts-topic = {
file = ../secrets/ntfy-alerts-topic.age;
file = ../secrets/server/ntfy-alerts-topic.age;
mode = "0440";
owner = "root";
group = "gitea-runner";
};
ntfy-alerts-token = {
file = ../secrets/ntfy-alerts-token.age;
file = ../secrets/server/ntfy-alerts-token.age;
mode = "0440";
owner = "root";
group = "gitea-runner";
@@ -101,19 +101,19 @@
# Firefox Sync server secrets (SYNC_MASTER_SECRET)
firefox-syncserver-env = {
file = ../secrets/firefox-syncserver-env.age;
file = ../secrets/server/firefox-syncserver-env.age;
mode = "0400";
};
# MollySocket env (MOLLY_VAPID_PRIVKEY + MOLLY_ALLOWED_UUIDS)
mollysocket-env = {
file = ../secrets/mollysocket-env.age;
file = ../secrets/server/mollysocket-env.age;
mode = "0400";
};
# Murmur (Mumble) server password
murmur-password-env = {
file = ../secrets/murmur-password-env.age;
file = ../secrets/server/murmur-password-env.age;
mode = "0400";
owner = "murmur";
group = "murmur";
@@ -121,7 +121,7 @@
# Coturn static auth secret
coturn-auth-secret = {
file = ../secrets/coturn-auth-secret.age;
file = ../secrets/server/coturn-auth-secret.age;
mode = "0400";
owner = "turnserver";
group = "turnserver";
@@ -129,7 +129,7 @@
# Matrix (continuwuity) registration token
matrix-reg-token = {
file = ../secrets/matrix-reg-token.age;
file = ../secrets/server/matrix-reg-token.age;
mode = "0400";
owner = "continuwuity";
group = "continuwuity";
@@ -138,7 +138,7 @@
# Matrix (continuwuity) TURN secret — same secret as coturn-auth-secret,
# decrypted separately so continuwuity can read it with its own ownership
matrix-turn-secret = {
file = ../secrets/coturn-auth-secret.age;
file = ../secrets/server/coturn-auth-secret.age;
mode = "0400";
owner = "continuwuity";
group = "continuwuity";
@@ -146,7 +146,7 @@
# CI deploy SSH key
ci-deploy-key = {
file = ../secrets/ci-deploy-key.age;
file = ../secrets/server/ci-deploy-key.age;
mode = "0400";
owner = "gitea-runner";
group = "gitea-runner";
@@ -154,7 +154,7 @@
# Git-crypt symmetric key for dotfiles repo
git-crypt-key-dotfiles = {
file = ../secrets/git-crypt-key-dotfiles.age;
file = ../secrets/server/git-crypt-key-dotfiles.age;
mode = "0400";
owner = "gitea-runner";
group = "gitea-runner";
@@ -162,7 +162,7 @@
# Git-crypt symmetric key for server-config repo
git-crypt-key-server-config = {
file = ../secrets/git-crypt-key-server-config.age;
file = ../secrets/server/git-crypt-key-server-config.age;
mode = "0400";
owner = "gitea-runner";
group = "gitea-runner";
@@ -170,7 +170,7 @@
# Gitea Actions runner registration token
gitea-runner-token = {
file = ../secrets/gitea-runner-token.age;
file = ../secrets/server/gitea-runner-token.age;
mode = "0400";
owner = "gitea-runner";
group = "gitea-runner";
@@ -178,7 +178,7 @@
# llama-cpp API key for bearer token auth
llama-cpp-api-key = {
file = ../secrets/llama-cpp-api-key.age;
file = ../secrets/server/llama-cpp-api-key.age;
mode = "0400";
owner = "root";
group = "root";
@@ -186,7 +186,7 @@
# Harmonia binary cache signing key
harmonia-sign-key = {
file = ../secrets/harmonia-sign-key.age;
file = ../secrets/server/harmonia-sign-key.age;
mode = "0400";
owner = "harmonia";
group = "harmonia";
@@ -194,7 +194,7 @@
# Caddy basic auth for nix binary cache (separate from main caddy_auth)
nix-cache-auth = {
file = ../secrets/nix-cache-auth.age;
file = ../secrets/server/nix-cache-auth.age;
mode = "0400";
owner = "caddy";
group = "caddy";

15
modules/common-doas.nix Normal file
View File

@@ -0,0 +1,15 @@
{ username, ... }:
{
# doas replaces sudo on every host
security = {
doas.enable = true;
sudo.enable = false;
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
}

22
modules/common-nix.nix Normal file
View File

@@ -0,0 +1,22 @@
{ lib, ... }:
{
# Common Nix daemon settings. Host-specific overrides (binary cache substituters,
# gc retention) live in the host's default.nix.
nix = {
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
# Default retention: override per-host via lib.mkForce if different.
options = lib.mkDefault "--delete-older-than 30d";
};
settings = {
experimental-features = [
"nix-command"
"flakes"
];
};
};
}

16
modules/common-shell-fish.nix Normal file
View File

@@ -0,0 +1,16 @@
{ pkgs, lib, ... }:
{
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
# Login shells stay bash but immediately `exec fish` so fish is the effective shell
# without breaking scripts that hardcode #!/bin/bash.
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
fi
'';
};
}

459
modules/desktop-common.nix Normal file
View File

@@ -0,0 +1,459 @@
{
config,
options,
pkgs,
lib,
username,
inputs,
niri-package,
...
}:
{
imports = [
# shared across all hosts
./common-doas.nix
./common-shell-fish.nix
./common-nix.nix
# desktop-only modules
./desktop-vm.nix
./desktop-steam.nix
./desktop-networkmanager.nix
inputs.disko.nixosModules.disko
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
inputs.nixos-hardware.nixosModules.common-pc-ssd
];
# allow overclocking (I actually underclock but lol)
hardware.amdgpu.overdrive.ppfeaturemask = "0xFFFFFFFF";
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
services.kmscon.enable = true;
# Add niri to display manager session packages
services.displayManager.sessionPackages = [ niri-package ];
programs = {
gamescope = {
enable = true;
capSysNice = true;
};
steam = {
enable = true;
gamescopeSession.enable = true;
};
};
system.activationScripts = {
# FIX: https://github.com/NixOS/nix/issues/2982
"profile-channel-dummy".text = ''
#!/bin/sh
mkdir -p /nix/var/nix/profiles/per-user/root/channels
'';
# extract all my secureboot keys
# TODO! proper secrets management
"secureboot-keys".text = ''
#!/usr/bin/env sh
rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle}
${lib.getExe pkgs.gnutar} xf ${../secrets/desktop/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
chown -R root:wheel ${config.boot.lanzaboote.pkiBundle}
chmod -R 500 ${config.boot.lanzaboote.pkiBundle}
'';
};
swapDevices = [ ];
# Desktop-specific Nix cache — muffin serves it, desktops consume.
# Base nix settings (optimise, gc, experimental-features) come from common-nix.nix.
nix.settings = {
substituters = [ "https://nix-cache.sigkill.computer" ];
trusted-public-keys = [
"nix-cache.sigkill.computer-1:ONtQC9gUjL+2yNgMWB68NudPySXhyzJ7I3ra56/NPgk="
];
netrc-file = "${../secrets/desktop/nix-cache-netrc}";
};
# cachyos kernel overlay
nixpkgs.overlays = [ inputs.nix-cachyos-kernel.overlays.default ];
# kernel options
boot = {
# cachyos kernel: bore scheduler, full lto, x86_64-v3 (common to zen 3 + zen 5)
kernelPackages =
let
helpers = pkgs.callPackage "${inputs.nix-cachyos-kernel}/helpers.nix" { };
kernel = pkgs.cachyosKernels.linux-cachyos-bore-lto.override {
lto = "full";
processorOpt = "x86_64-v3";
};
in
helpers.kernelModuleLLVMOverride (pkgs.linuxKernel.packagesFor kernel);
# disable legacy subsystems neither host will ever use
kernelPatches = [
{
name = "disable-legacy-subsystems";
patch = null;
structuredExtraConfig = with lib.kernel; {
# ancient bus/card standards
PCMCIA = lib.mkForce no;
PCCARD = lib.mkForce no;
PARPORT = lib.mkForce no;
GAMEPORT = lib.mkForce module;
FIREWIRE = lib.mkForce no;
AGP = lib.mkForce no;
# legacy networking
ATM = lib.mkForce no;
FDDI = lib.mkForce no;
ISDN = lib.mkForce no;
CAN = lib.mkForce no;
NFC = lib.mkForce no;
INFINIBAND = lib.mkForce no;
# amateur radio (HAMRADIO is the umbrella but these are separate symbols)
HAMRADIO = lib.mkForce no;
AX25 = lib.mkForce no;
NETROM = lib.mkForce no;
ROSE = lib.mkForce no;
# dead protocols
PHONET = lib.mkForce no;
IEEE802154 = lib.mkForce no;
"6LOWPAN" = lib.mkForce no;
NET_9P = lib.mkForce no;
BATMAN_ADV = lib.mkForce no;
# tv tuners / digital video broadcasting
MEDIA_ANALOG_TV_SUPPORT = lib.mkForce no;
MEDIA_DIGITAL_TV_SUPPORT = lib.mkForce no;
DVB_CORE = lib.mkForce no;
# hypervisor guest support (bare metal only)
HYPERV = lib.mkForce no;
XEN = lib.mkForce no;
VMWARE_VMCI = lib.mkForce no;
VMWARE_BALLOON = lib.mkForce no;
VMWARE_PVSCSI = lib.mkForce no;
VMWARE_VMCI_VSOCKETS = lib.mkForce no;
VMXNET3 = lib.mkForce no;
DRM_VMWGFX = lib.mkForce no;
VBOXGUEST = lib.mkForce no;
VBOXSF_FS = lib.mkForce no;
# staging drivers (experimental/unmaintained)
STAGING = lib.mkForce no;
# SND_PCI stays — SND_HDA_INTEL (AMD HDA audio) lives under it
ACCESSIBILITY = lib.mkForce no;
MTD = lib.mkForce no;
MEDIA_RC_SUPPORT = lib.mkForce no;
# legacy storage (AHCI for modern SATA is independent)
ATA_SFF = lib.mkForce no;
SCSI_LOWLEVEL = lib.mkForce no;
FUSION = lib.mkForce no;
# misc legacy
MOST = lib.mkForce no;
PPDEV = lib.mkForce no;
PHANTOM = lib.mkForce no;
X86_ANDROID_TABLETS = lib.mkForce no;
# CHROME_PLATFORMS stays — Framework laptops use CrOS EC
SURFACE_PLATFORMS = lib.mkForce no;
MCTP = lib.mkForce no;
GPIB = lib.mkForce no;
SIOX = lib.mkForce no;
SLIMBUS = lib.mkForce no;
WWAN = lib.mkForce no;
# nvidia gpu
DRM_NOUVEAU = lib.mkForce no;
# other gpus not present
DRM_RADEON = lib.mkForce no;
DRM_GMA500 = lib.mkForce no;
DRM_AST = lib.mkForce no;
DRM_MGAG200 = lib.mkForce no;
DRM_HISI_HIBMC = lib.mkForce no;
DRM_APPLETBDRM = lib.mkForce no;
# intel gpu
DRM_I915 = lib.mkForce no;
DRM_XE = lib.mkForce no;
# intel cpu / platform
INTEL_IOMMU = lib.mkForce no;
INTEL_IDLE = lib.mkForce no;
INTEL_HFI_THERMAL = lib.mkForce no;
INTEL_TCC_COOLING = lib.mkForce no;
INTEL_SOC_DTS_THERMAL = lib.mkForce no;
INTEL_PCH_THERMAL = lib.mkForce no;
INTEL_POWERCLAMP = lib.mkForce no;
X86_PKG_TEMP_THERMAL = lib.mkForce no;
X86_INTEL_LPSS = lib.mkForce no;
INTEL_MEI = lib.mkForce no;
INTEL_TH = lib.mkForce no;
INTEL_VSEC = lib.mkForce no;
INTEL_IDXD = lib.mkForce no;
INTEL_IOATDMA = lib.mkForce no;
EDAC_E752X = lib.mkForce no;
EDAC_I82975X = lib.mkForce no;
EDAC_I3000 = lib.mkForce no;
EDAC_I3200 = lib.mkForce no;
EDAC_IE31200 = lib.mkForce no;
EDAC_X38 = lib.mkForce no;
EDAC_I5400 = lib.mkForce no;
EDAC_I7CORE = lib.mkForce no;
EDAC_I5100 = lib.mkForce no;
EDAC_I7300 = lib.mkForce no;
EDAC_SBRIDGE = lib.mkForce no;
EDAC_SKX = lib.mkForce no;
EDAC_I10NM = lib.mkForce no;
EDAC_IMH = lib.mkForce no;
EDAC_PND2 = lib.mkForce no;
EDAC_IGEN6 = lib.mkForce no;
# intel audio
SND_SOC_SOF_INTEL_TOPLEVEL = lib.mkForce no;
SND_SOC_INTEL_SST_TOPLEVEL = lib.mkForce no;
# mellanox networking
MLX4_CORE = lib.mkForce no;
MLX5_CORE = lib.mkForce no;
MLXSW_CORE = lib.mkForce no;
MLX_PLATFORM = lib.mkForce no;
# fpga
FPGA = lib.mkForce no;
# old x86 cpufreq / platform (both systems are modern Zen)
AMD_NUMA = lib.mkForce no;
X86_POWERNOW_K8 = lib.mkForce no;
X86_P4_CLOCKMOD = lib.mkForce no;
X86_SPEEDSTEP_LIB = lib.mkForce no;
# cxl (datacenter memory expansion)
CXL_BUS = lib.mkForce no;
# embedded SoC peripherals (not present on desktop/laptop)
INPUT_TOUCHSCREEN = lib.mkForce no;
INPUT_TABLET = lib.mkForce no;
INPUT_JOYSTICK = lib.mkForce no;
MEDIA_PLATFORM_DRIVERS = lib.mkForce no;
MEDIA_TEST_SUPPORT = lib.mkForce no;
# deprecated userland compat
SGETMASK_SYSCALL = lib.mkForce no;
UID16 = lib.mkForce no;
X86_X32_ABI = lib.mkForce no;
};
}
];
# aes_generic is built-in as of linux 7.0, no longer a loadable module
initrd.luks.cryptoModules = lib.mkForce (
lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
);
# some default initrd modules (ata_piix etc) don't exist with ATA_SFF=n
initrd.allowMissingModules = true;
lanzaboote = {
enable = true;
# TODO: proper secrets management so this is not stored in nix store
pkiBundle = "/var/lib/sbctl";
};
# Bootloader.
loader = {
efi.canTouchEfiVariables = true;
timeout = 1;
/*
Lanzaboote currently replaces the systemd-boot module.
This setting is usually set to true in configuration.nix
generated at installation time. So we force it to false
for now.
*/
systemd-boot.enable = lib.mkForce false;
systemd-boot.configurationLimit = 10;
};
initrd = {
systemd.enable = true;
compressor = "zstd";
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"amdgpu"
];
};
kernelModules = [
"kvm-amd"
"ip_tables"
"iptable_nat"
"msr"
"btusb"
];
kernelParams = [
# 1gb huge pages
"hugepagesz=1G"
"hugepages=3"
];
};
environment.etc = {
# override default nixos /etc/issue
"issue".text = "";
};
services = {
# fwupd for updating firmware
fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
# auto detect network printers
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
# Enable CUPS to print documents.
printing = {
enable = true;
drivers = with pkgs; [ hplip ];
};
# I don't want fingerprint login
fprintd.enable = false;
# Making sure mullvad works on boot
mullvad-vpn.enable = true;
# power statistics
upower.enable = true;
# power profiles for noctalia shell
power-profiles-daemon.enable = true;
# geolocation (uses beacondb.net by default)
geoclue2 = {
enable = true;
appConfig.zen-twilight = {
isAllowed = true;
isSystem = false;
};
};
};
# EST
time.timeZone = "America/New_York";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable Bluetooth
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
# Enable experimental features for battery % of bluetooth devices
settings.General.Experimental = true;
};
# Apply gtk themes by enabling dconf
programs.dconf.enable = true;
# Enable sound with pipewire.
services.pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
users.users.${username} = {
isNormalUser = true;
extraGroups = [
"networkmanager"
"wheel"
"video"
"camera"
"adbusers"
];
# TODO! this is really bad :( I should really figure out how to do proper secrets management
hashedPasswordFile = "${../secrets/desktop/password-hash}";
};
services.gvfs.enable = true;
programs.gphoto2.enable = true;
# Enable thermal data
services.thermald.enable = true;
services.pcscd.enable = true;
programs.gnupg.agent = {
enable = true;
pinentryPackage = pkgs.pinentry-curses;
enableSSHSupport = false;
};
# System packages
environment.systemPackages = with pkgs; [
# mullvad-vpn is provided by services.mullvad-vpn.enable
#secureboot ctl
sbctl
dmidecode
doas-sudo-shim
glib
usbutils
libmtp
man-pages
man-pages-posix
# needed for home-manager
git
tmux
android-tools
];
# wayland with electron/chromium applications
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# port 53317 for localsend
networking.firewall.allowedUDPPorts = [ 53317 ];
networking.firewall.allowedTCPPorts = [ 53317 ];
system.stateVersion = "25.05";
nixpkgs.hostPlatform = "x86_64-linux";
documentation.enable = true;
documentation.man.enable = true;
documentation.dev.enable = true;
}