diff --git a/flake.lock b/flake.lock
index 79e4155..86f0968 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1770165109,
+ "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "base16": {
 "inputs": {
 "fromYaml": "fromYaml"
@@ -84,6 +105,48 @@
 "type": "github"
 }
 },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744478979,
+ "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
+ "deploy-rs": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "nixpkgs": "nixpkgs_2",
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1770019181,
+ "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=",
+ "owner": "serokell",
+ "repo": "deploy-rs",
+ "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171",
+ "type": "github"
+ },
+ "original": {
+ "owner": "serokell",
+ "repo": "deploy-rs",
+ "type": "github"
+ }
+ },
 "disko": {
 "inputs": {
 "nixpkgs": [
@@ -120,6 +183,22 @@
 "type": "github"
 }
 },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1733328505,
+ "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": "nixpkgs-lib_2"
@@ -193,6 +272,27 @@
 }
 },
 "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
@@ -212,7 +312,7 @@
 "type": "github"
 }
 },
- "home-manager_2": {
+ "home-manager_3": {
 "inputs": {
 "nixpkgs": [
 "zen-browser",
@@ -291,16 +391,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1776548001,
- "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
+ "lastModified": 1754028485,
+ "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
+ "rev": "59e69648d345d6e8fef86158c555730fa12af9de",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "nixos-25.05",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -336,6 +436,38 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1743014863,
+ "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1776548001,
+ "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_4": {
 "locked": {
 "lastModified": 1776169885,
 "narHash": "sha256-Gk2T0tDDDAs319hp/ak+bAIUG5bPMvnNEjPV8CS86Fg=",
@@ -348,6 +480,22 @@
 "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
 }
 },
+ "nixpkgs_5": {
+ "locked": {
+ "lastModified": 1776877367,
+ "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "noctalia": {
 "inputs": {
 "nixpkgs": [
@@ -375,7 +523,7 @@
 "noctalia",
 "nixpkgs"
 ],
- "systems": "systems",
+ "systems": "systems_3",
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
@@ -439,22 +587,25 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
+ "deploy-rs": "deploy-rs",
 "disko": "disko",
- "home-manager": "home-manager",
+ "home-manager": "home-manager_2",
 "nix-colors": "nix-colors",
 "nixos-vfio": "nixos-vfio",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_3",
 "noctalia": "noctalia",
 "quickshell": "quickshell",
 "spicetify-nix": "spicetify-nix",
 "stylix": "stylix",
+ "xray-3x-ui": "xray-3x-ui",
 "zen-browser": "zen-browser"
 }
 },
 "spicetify-nix": {
 "inputs": {
- "nixpkgs": "nixpkgs_2",
- "systems": "systems_2"
+ "nixpkgs": "nixpkgs_4",
+ "systems": "systems_4"
 },
 "locked": {
 "lastModified": 1776894239,
@@ -483,7 +634,7 @@
 "nixpkgs"
 ],
 "nur": "nur",
- "systems": "systems_3",
+ "systems": "systems_5",
 "tinted-kitty": "tinted-kitty",
 "tinted-schemes": "tinted-schemes",
 "tinted-tmux": "tinted-tmux",
@@ -505,16 +656,16 @@
 },
 "systems": {
 "locked": {
- "lastModified": 1689347949,
- "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
 "owner": "nix-systems",
- "repo": "default-linux",
- "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
 "type": "github"
 },
 "original": {
 "owner": "nix-systems",
- "repo": "default-linux",
+ "repo": "default",
 "type": "github"
 }
 },
@@ -534,6 +685,36 @@
 }
 },
 "systems_3": {
+ "locked": {
+ "lastModified": 1689347949,
+ "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+ "owner": "nix-systems",
+ "repo": "default-linux",
+ "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default-linux",
+ "type": "github"
+ }
+ },
+ "systems_4": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "systems_5": {
 "locked": {
 "lastModified": 1681028828,
 "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -634,9 +815,45 @@
 "type": "github"
 }
 },
+ "utils": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "xray-3x-ui": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_5"
+ },
+ "locked": {
+ "lastModified": 1761047979,
+ "narHash": "sha256-A7gDkM/xAX1R8FGmryZpcIsLsdcrnmJ5bpN8rmFoH9o=",
+ "owner": "sunmeplz",
+ "repo": "xray-3x-ui",
+ "rev": "a01a56f38813a2e86d2612556f3a672cb11c3681",
+ "type": "github"
+ },
+ "original": {
+ "owner": "sunmeplz",
+ "repo": "xray-3x-ui",
+ "type": "github"
+ }
+ },
 "zen-browser": {
 "inputs": {
- "home-manager": "home-manager_2",
+ "home-manager": "home-manager_3",
 "nixpkgs": [
 "nixpkgs"
 ]
diff --git a/flake.nix b/flake.nix
index dacbdf3..85fe2f4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,11 +4,15 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 spicetify-nix.url = "github:Gerg-L/spicetify-nix";
-
+ xray-3x-ui.url = "github:sunmeplz/xray-3x-ui";
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ agenix = {
+ url = "github:ryantm/agenix";
+ };
+ deploy-rs.url = "github:serokell/deploy-rs";
 quickshell = {
 url = "github:outfoxxed/quickshell";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -45,6 +49,9 @@
 nix-colors,
 stylix,
 disko,
+ agenix,
+ xray-3x-ui,
+ deploy-rs,
 ...
 } @ inputs: let
 system = "x86_64-linux";
@@ -124,5 +131,24 @@
 }
 ];
 };
+ nixosConfigurations.kittykat = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {inherit inputs;};
+ modules = [
+ ./hosts/kittykat/configuration.nix
+ xray-3x-ui.nixosModules.default
+ agenix.nixosModules.default
+ inputs.disko.nixosModules.disko
+ ];
+ };
+ deploy.nodes.kittykat = {
+ hostname = "kittykat";
+ profiles.system = {
+ sshUser = "root";
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.kittykat;
+ };
+ };
+ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
 };
 }
diff --git a/hosts/kittykat/configuration.nix b/hosts/kittykat/configuration.nix
new file mode 100644
index 0000000..48c7f25
--- /dev/null
+++ b/hosts/kittykat/configuration.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./disko.nix
+ ../../modules/nixos/networking/ssh.nix
+ ../../modules/nixos/users/tulg.nix
+ ./traefik.nix
+ ];
+
+ networking.hostName = "kittykat";
+ environment.systemPackages = with pkgs; [
+ nano
+ fastfetch
+ kitty
+ ];
+ services.xray-3x-ui = {
+ enable = true;
+ port = 2053;
+ openFirewall = true;
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+ system.stateVersion = "25.05";
+}
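Review bot: The new `agenix`, `deploy-rs` and `xray-3x-ui` inputs are added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `home-manager` and `quickshell` in the same block, so each drags in its own nixpkgs pin (the lockfile in this commit now carries separate `nixpkgs`, `nixpkgs_2` and `nixpkgs_5` nodes, one of them on `nixos-25.05` and, going by the `lastModified` stamps, one considerably older than the root pin). That is three extra nixpkgs trees to fetch, evaluate and keep patched, and the modules those inputs ship may be evaluated against a package set that differs from the host's. Add `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix` block and expand the two `.url` one-liners to `deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; };` and the same for `xray-3x-ui`. agenix also pulls `darwin` and `home-manager` inputs that a pure NixOS host never uses; they can be neutralised with `inputs.darwin.follows = ""; inputs.home-manager.follows = "";` if you want the lock to stay small.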
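Review bot: Style: the `modules` list reaches for `inputs.disko.nixosModules.disko` while `disko` is already destructured from the `outputs` argument list in the hunk above (and `xray-3x-ui`/`agenix` on the adjacent lines use the destructured form), so `disko.nixosModules.disko` keeps the list uniform. The `checks` lambda `(system: deployLib: ...)` shadows the `let`-bound `system = "x86_64-linux"`; since the parameter is unused, `(_: deployLib: deployLib.deployChecks self.deploy)` avoids the shadowing warning. The deploy node uses `sshUser = "root"` against `hostname = "kittykat"`, which only works because the commit also adds a root authorized key and `PermitRootLogin = "prohibit-password"`; if deploys will ever run non-interactively, consider pinning the host key via `sshOpts` rather than relying on whatever known_hosts the invoking user has.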
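Review bot: `openFirewall = true;` in the `services.xray-3x-ui` block opens TCP 2053 on every interface, while `traefik.nix` in this same commit fronts the panel by proxying `https://v2.kittykat.poggerer.xyz` to `http://127.0.0.1:2053`, so the management UI is also reachable directly over plaintext HTTP and the TLS/ACME layer can be bypassed (unless the module binds its listener to loopback, which this hunk does not show). Set `openFirewall = false;` and, if the module exposes a listen-address option, bind it to `127.0.0.1` so only Traefik can reach it. Separately, `kitty` in `environment.systemPackages` pulls a GUI terminal and its closure onto what `hardware-configuration.nix` declares a QEMU guest; that looks copied from the desktop host and can probably go.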
diff --git a/hosts/kittykat/disko.nix b/hosts/kittykat/disko.nix
new file mode 100644
index 0000000..d439fcc
--- /dev/null
+++ b/hosts/kittykat/disko.nix
@@ -0,0 +1,37 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ priority = 1;
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/kittykat/hardware-configuration.nix b/hosts/kittykat/hardware-configuration.nix
new file mode 100644
index 0000000..7db19c8
--- /dev/null
+++ b/hosts/kittykat/hardware-configuration.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+ boot.loader.grub = {
+ enable = true;
+ efiSupport = true;
+ };
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/kittykat/traefik.nix b/hosts/kittykat/traefik.nix
new file mode 100644
index 0000000..e6abfb4
--- /dev/null
+++ b/hosts/kittykat/traefik.nix
@@ -0,0 +1,66 @@
+{config, ...}: {
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+ };
+
+ services.traefik = {
+ enable = true;
+
+ staticConfigOptions = {
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entrypoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+
+ websecure = {
+ address = ":443";
+ http.tls.certResolver = "letsencrypt";
+ };
+ };
+
+ log = {
+ level = "INFO";
+ filePath = "${config.services.traefik.dataDir}/traefik.log";
+ format = "json";
+ };
+
+ certificatesResolvers.letsencrypt.acme = {
+ email = "tulg@protonmail.ch";
+ storage = "${config.services.traefik.dataDir}/acme.json";
+ httpChallenge.entryPoint = "web";
+ };
+
+ api.dashboard = true;
+ };
+
+ dynamicConfigOptions = {
+ http = {
+ routers = {
+ xray = {
+ rule = "Host(`v2.kittykat.poggerer.xyz`)";
+ entryPoints = ["websecure"];
+ service = "xray";
+ tls = {
+ certResolver = "letsencrypt";
+ };
+ };
+ };
+
+ services = {
+ xray = {
+ loadBalancer = {
+ servers = [
+ {url = "http://127.0.0.1:2053";}
+ ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/networking/ssh.nix b/modules/nixos/networking/ssh.nix
index 93942c0..c3a130c 100644
--- a/modules/nixos/networking/ssh.nix
+++ b/modules/nixos/networking/ssh.nix
@@ -7,9 +7,7 @@
 ];
 services.openssh = {
 enable = true;
- settings = {
- PasswordAuthentication = true;
- PermitRootLogin = "yes";
- };
+ settings.PermitRootLogin = "prohibit-password";
+ allowSFTP = true;
 };
 }
diff --git a/modules/nixos/services.nix b/modules/nixos/services.nix
index 81d93a9..3476e20 100644
--- a/modules/nixos/services.nix
+++ b/modules/nixos/services.nix
@@ -34,7 +34,7 @@
 enable = true;
 package = pkgs.mullvad-vpn;
 };
-
+ services.v2raya.enable = true;
 programs.thunar.plugins = with pkgs; [
 thunar-archive-plugin
 thunar-volman
diff --git a/modules/nixos/users/tulg.nix b/modules/nixos/users/tulg.nix
index f069ccc..a680273 100644
--- a/modules/nixos/users/tulg.nix
+++ b/modules/nixos/users/tulg.nix
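Review bot: The static config sets a `log` block but no `accessLog`, so requests hitting the publicly routed `xray` router (the management panel) leave no per-request record to alert on or reconstruct after an incident; add, next to `log`, `accessLog = { filePath = "${config.services.traefik.dataDir}/access.log"; format = "json"; };`. `api.dashboard = true;` is enabled with neither `api.insecure` nor a router to `api@internal`, so it is currently unreachable dead config; either drop it or, when a router is added, put it behind `basicAuth` or an `ipAllowList` middleware. The router forwards to plain HTTP on loopback, which is fine, but only protects the panel if 2053 is not also opened on the firewall elsewhere.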
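Review bot: Dropping the explicit `PasswordAuthentication = true` does not turn password login off: the NixOS openssh module defaults `settings.PasswordAuthentication` to `true`, so after this change `tulg` (a `wheel` member per `tulg.nix`) can still be password-brute-forced even though the commit now provisions an authorized key for that user, and `PermitRootLogin = "prohibit-password"` only hardens root. Make the intent explicit: `settings = { PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. `allowSFTP = true;` is already the module default and can be dropped unless it is meant as documentation.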
@@ -2,6 +2,9 @@
 users.users.tulg = {
 isNormalUser = true;
 description = "Tulga";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 tulg@highcommand" # content of authorized_keys file
+ ];
 extraGroups = [
 "networkmanager"
 "wheel"
@@ -9,4 +12,7 @@
 "kvm"
 ];
 };
+ users.users."root".openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 tulg@highcommand" # content of authorized_keys file
+ ];
 }
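Review bot: The same `ssh-rsa` key literal (and the same `# content of authorized_keys file` comment) is pasted twice, once under `tulg` and once under `root`, so a key rotation will update one copy and miss the other. Define it once and reference it, e.g. `users.users.root.openssh.authorizedKeys.keys = config.users.users.tulg.openssh.authorizedKeys.keys;` — the module's argument list is on line 1, outside this hunk, so confirm it takes `config`. The root key is presumably there for deploy-rs (`sshUser = "root"` in `flake.nix` in this commit); a dedicated deploy key for root, rather than reusing the interactive user's key, would let you revoke one without the other. For new provisioning prefer an ed25519 key over `ssh-rsa`; the key body is redacted here so its length cannot be checked.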