| author | Mel <mel@rnrd.eu> | 2025-09-24 18:50:23 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-09-24 18:50:23 +0200 |
| commit | a58d7cec519ef4a5d8148ee8ab7d97053a1ccdb0 (patch) | |
| tree | c6d12e02927cf101426605aef32f0666f34e9f3b | |
| parent | 117d6afa0054123e71b2eb06c9d91482a2988fdc (diff) | |
Define roles for the two 'mineral' types
Signed-off-by: Mel <mel@rnrd.eu>
| -rw-r--r-- | flake.nix | 13 | ||||
| -rw-r--r-- | machines/bismuth/default.nix | 2 | ||||
| -rw-r--r-- | machines/graphite/default.nix | 2 | ||||
| -rw-r--r-- | machines/moissanite/default.nix | 2 | ||||
| -rw-r--r-- | machines/serpentine/default.nix | 2 | ||||
| -rw-r--r-- | modules/arm.nix | 4 | ||||
| -rw-r--r-- | modules/common.nix | 72 | ||||
| -rw-r--r-- | modules/packages.nix | 78 | ||||
| -rw-r--r-- | roles/desktop.nix | 140 | ||||
| -rw-r--r-- | roles/development-server.nix | 89 |
10 files changed, 182 insertions, 222 deletions
diff --git a/flake.nix b/flake.nix index 748e166..be8f54f 100644 --- a/flake.nix +++ b/flake.nix @@ -56,22 +56,31 @@ arm = "aarch64-linux"; }; - machines = with systems; [ + roles = lib.genAttrs [ + "desktop" + "development-server" + ] lib.id; + + machines = with systems; with roles; [ { name = "graphite"; system = x86; + role = desktop; } { name = "moissanite"; system = arm; + role = desktop; } { name = "bismuth"; system = x86; + role = desktop; } { name = "serpentine"; system = x86; + role = development-server; } ]; @@ -115,7 +124,6 @@ machine: let packageSets = packageSetsForSystem machine.system; - specialArgs = inputs // packageSets // { me = machine; }; in { @@ -125,6 +133,7 @@ modules = [ ./machines/${machine.name} + ./roles/${machine.role}.nix home-manager.nixosModules.home-manager { diff --git a/machines/bismuth/default.nix b/machines/bismuth/default.nix index 0d0e36b..7838ce0 100644 --- a/machines/bismuth/default.nix +++ b/machines/bismuth/default.nix @@ -2,8 +2,6 @@ { imports = [ - ../../roles/desktop.nix - ./hardware.nix ./devices.nix diff --git a/machines/graphite/default.nix b/machines/graphite/default.nix index 53650ed..87a6035 100644 --- a/machines/graphite/default.nix +++ b/machines/graphite/default.nix @@ -2,8 +2,6 @@ { imports = [ - ../../roles/desktop.nix - ./hardware.nix ./devices.nix diff --git a/machines/moissanite/default.nix b/machines/moissanite/default.nix index 38f5a51..322c1ac 100644 --- a/machines/moissanite/default.nix +++ b/machines/moissanite/default.nix @@ -2,8 +2,6 @@ { imports = [ - ../../roles/desktop.nix - ../../modules/arm.nix ../../modules/work diff --git a/machines/serpentine/default.nix b/machines/serpentine/default.nix index 99dd159..66d6a1f 100644 --- a/machines/serpentine/default.nix +++ b/machines/serpentine/default.nix @@ -2,8 +2,6 @@ { imports = [ - ../../roles/development-server.nix - ../../modules/work ./hardware.nix diff --git a/modules/arm.nix b/modules/arm.nix index df8e02e..63a448f 100644 --- a/modules/arm.nix 
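Review bot: The `specialArgs = inputs // packageSets // { me = machine; };` binding is deleted from the `let` in the second flake.nix hunk with no replacement visible, so if the `nixosSystem` body below it (outside the hunk) still references that name — e.g. `inherit specialArgs;` — the flake no longer evaluates; if the binding was dead code, a word in the commit message would save the next reader the check. The new module path `./roles/${machine.role}.nix` is interpolated from data, which is safe here only because `roles = lib.genAttrs [ ... ] lib.id` plus `with roles;` make `role` a closed set where a typo such as `role = desktp;` fails at evaluation instead of selecting some other file. That invariant deserves a comment at the definition, e.g. `# roles is a closed set: role names are interpolated into ./roles/<role>.nix below`. The enclosing `let ... in` and the `nixosSystem` call both extend beyond the hunks.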
+++ b/modules/arm.nix @@ -9,6 +9,10 @@ assert lib.assertMsg ( me.system == "aarch64-linux" ) "arm module included on non-arm (${me.system}) architecture."; { + # disable things that just don't work on arm. + + programs.steam.enable = lib.mkForce false; + # non-machine specific arm package selection. # used to include replacements for necessary programs with no # default support for aarch64. (i.e. discord) diff --git a/modules/common.nix b/modules/common.nix new file mode 100644 index 0000000..e36d4e9 --- /dev/null +++ b/modules/common.nix @@ -0,0 +1,72 @@ +{ + me, + pkgs, + ... +}: + +{ + imports = [ + ./packages.nix + ./nix.nix + ./user.nix + ./locale.nix + ./vim.nix + ./tmux.nix + ./nix-ld.nix + ]; + + services.envfs.enable = true; + + virtualisation = { + libvirtd.enable = true; + docker.enable = true; + }; + + # fish enables this by default, + # it makes every nixos rebuild very slow. + documentation.man.generateCaches = false; + documentation = { + info.enable = true; + doc.enable = true; + dev.enable = true; + nixos = { + enable = true; + includeAllModules = true; + }; + }; + + networking.hostName = me.name; + # use corsac dns server + networking.nameservers = + let + corsacTailnet = "100.64.100.100"; + in + [ corsacTailnet ]; + + services.resolved.enable = true; + + services = { + acpid.enable = true; + sysprof.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "both"; + extraUpFlags = [ "--ssh" ]; + }; + + # sometimes needed for gnupg + pcscd.enable = true; + }; + + programs = { + fish.enable = true; + git.enable = true; + + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + }; + + environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn"; +} diff --git a/modules/packages.nix b/modules/packages.nix new file mode 100644 index 0000000..57775f1 --- /dev/null +++ b/modules/packages.nix 
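Review bot: `programs.steam.enable = lib.mkForce false;` fixes the ARM build by overriding a value that `roles/desktop.nix` sets in this same commit, but the override is invisible at the place that enables Steam, and `remotePlay.openFirewall = true` stays set in the role. As far as I recall the NixOS steam module wraps its firewall rules in `mkIf cfg.enable`, so no ports should open on ARM, but that dependency is worth stating here: `# desktop.nix enables steam + remotePlay.openFirewall; steam needs the i386 set, so force it off (the firewall rule is gated on enable).` An alternative that keeps the intent in one place is `programs.steam.enable = me.system == "x86_64-linux";` in the role, which would make this `mkForce` unnecessary.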
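Review bot: `tailscale.useRoutingFeatures = "both"` and `extraUpFlags = [ "--ssh" ]` now apply to every machine, including `serpentine`, whose old role set only `tailscale.enable = true`; this commit therefore turns on kernel IP forwarding on the development server and adds Tailscale SSH as a second remote-access path next to the hardened `openssh` on port 62322 with fail2ban, and the message does not mention it. If that is intended, the tailnet ACL `ssh` rules and the forwarding exposure should be confirmed for the server; otherwise keep only `tailscale.enable = true;` here and leave `useRoutingFeatures`/`--ssh` in `roles/desktop.nix`, which still carries a verbatim copy of this block anyway. `environment.etc.openvpn.source` is also defined here and again in the new `modules/packages.nix`; identical definitions merge, but one copy should go. A short header comment on this file, `# baseline shared by every role; anything here is reachable on headless hosts too`, would make the exposure review easier next time.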
@@ -0,0 +1,78 @@ +{ + me, + pkgs, + auxiliaryPkgs, + unstablePkgs, + ... +}: + +let + inherit (builtins) filter elem; + + filterUnsupportedPackages = + packages: filter (p: elem me.system (p.meta.platforms or [ me.system ])) packages; +in +{ + # TODO: the filter already does some good work, but we need some way to + # pick out x86-only packages, so it is not as opaque as it currently is. + # (who knows if muse-sounds-manager is actually installed, for example?) + environment.systemPackages = (with pkgs; filterUnsupportedPackages [ + file unzip jq dig htop wget screen dive + gnupg pinentry-gnome3 age agenix minisign openssl cryptsetup pamtester + bitwarden-desktop bitwarden-cli + inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid + minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool + sysprof wireshark seer mitmproxy hardinfo2 btrfs-assistant remmina trayscale + vlc celluloid foliate calibre + yt-dlp ffmpeg_7-full imagemagick handbrake mpv helvum + gimp3 krita mypaint aseprite rnote fontforge-gtk + blender inkscape obs-studio darktable davinci-resolve + orca-slicer + renderdoc + audacity musescore muse-sounds-manager reaper + # bitwigs bubblewrap configuration requires some non-ARM package sets. 
+ # bitwig-studio + ungoogled-chromium librewolf lagrange + senpai signal-desktop alpaca newsflash + qemu_full virtiofsd + + openvpn openvpn3 update-resolv-conf + transmission_4-gtk fragments + + xorg.xeyes wl-clipboard + + ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean + universal-ctags compiledb graphviz + python3 uv ruff + nodejs_22 deno yarn + rustc rustup cargo rustfmt + go gopls delve go-task gotags golangci-lint + meson cmake gnumake ninja gdb gcc clang clang-tools + hare haredoc + jdk maven gradle + nil nixfmt-rfc-style + nixpkgs-review nixpkgs-fmt nixpkgs-lint-community + postgresql + helix alacritty ghostty + androidStudioPackages.dev + + winetricks bottles + scrcpy apfs-fuse nfs-utils + ubootTools dtc cloud-utils + borgbackup pika-backup + + prismlauncher xonotic + + man-pages man-pages-posix + ]) ++ (with unstablePkgs; [ + claude-code gemini-cli + ]) ++ (with auxiliaryPkgs; [ + # TODO: need fixes for 25.05 + # retroarch wine + + # TODO: ngfx (obviously) does not work on ARM, put it somewhere else + # ngfx + ]); + + environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn"; +} diff --git a/roles/desktop.nix b/roles/desktop.nix index 838df28..8760da2 100644 --- a/roles/desktop.nix +++ b/roles/desktop.nix 
@@ -1,86 +1,37 @@ { - me, pkgs, auxiliaryPkgs, - unstablePkgs, ... }: -let - inherit (builtins) filter elem; - - filterUnsupportedPackages = - packages: filter (p: elem me.system (p.meta.platforms or [ me.system ])) packages; -in { imports = [ - ./nix.nix - ./user.nix - ./locale.nix - ./vim.nix - ./tmux.nix - ./gnome.nix - ./fonts.nix - ./flatpak.nix - ./libreoffice.nix - ./electronics.nix - ./hardware-keys.nix - ./nix-ld.nix + ../modules/common.nix + + ../modules/gnome.nix + ../modules/fonts.nix + ../modules/flatpak.nix + ../modules/libreoffice.nix + ../modules/electronics.nix + ../modules/hardware-keys.nix ]; - services.envfs.enable = true; - - virtualisation = { - libvirtd.enable = true; - docker.enable = true; - }; - - # fish enables this by default, - # it makes every nixos rebuild very slow. - documentation.man.generateCaches = false; - documentation = { - info.enable = true; - doc.enable = true; - dev.enable = true; - nixos = { - enable = true; - includeAllModules = true; - }; - }; - - networking.hostName = me.name; - # use corsac dns server - networking.nameservers = - let - corsacTailnet = "100.64.100.100"; - in - [ corsacTailnet ]; - - services.resolved.enable = true; - services = { - acpid.enable = true; sysprof.enable = true; tailscale = { enable = true; useRoutingFeatures = "both"; extraUpFlags = [ "--ssh" ]; }; - - # sometimes needed for gnupg - pcscd.enable = true; }; programs = { - # steam requires the i386 package set, which obviously does not work on ARM. # TODO: pull out gaming related configuration (like steam) into a seperate module. - # steam = { - # enable = true; - # remotePlay.openFirewall = true; - # }; + steam = { + enable = true; + remotePlay.openFirewall = true; + }; virt-manager.enable = true; - fish.enable = true; - git.enable = true; ghidra = { enable = true; 
@@ -95,12 +46,6 @@ in }; adb.enable = true; - - gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-gnome3; - }; }; # on desktop machines (a.k.a. minerals) we only use tailscale ssh 
@@ -108,66 +53,5 @@ in # have to grab the ones tailscale uses. age.identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" ]; - # TODO: the filter already does some good work, but we need some way to - # pick out x86-only packages, so it is not as opaque as it currently is. - # (who knows if muse-sounds-manager is actually installed, for example?) - environment.systemPackages = (with pkgs; filterUnsupportedPackages [ - file unzip jq dig htop wget screen dive - gnupg pinentry-gnome3 age agenix minisign openssl cryptsetup pamtester - bitwarden-desktop bitwarden-cli - inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid - minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool - sysprof wireshark seer mitmproxy hardinfo2 btrfs-assistant remmina trayscale - vlc celluloid foliate calibre - yt-dlp ffmpeg_7-full imagemagick handbrake mpv helvum - gimp3 krita mypaint aseprite rnote fontforge-gtk - blender inkscape obs-studio darktable davinci-resolve - orca-slicer - renderdoc - audacity musescore muse-sounds-manager reaper - # bitwigs bubblewrap configuration requires some non-ARM package sets. 
- # bitwig-studio - ungoogled-chromium librewolf lagrange - senpai signal-desktop alpaca newsflash - qemu_full virtiofsd - - openvpn openvpn3 update-resolv-conf - transmission_4-gtk fragments - - xorg.xeyes wl-clipboard - - ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean - universal-ctags compiledb graphviz - python3 uv ruff - nodejs_22 deno yarn - rustc rustup cargo rustfmt - go gopls delve go-task gotags golangci-lint - meson cmake gnumake ninja gdb gcc clang clang-tools - hare haredoc - jdk maven gradle - nil nixfmt-rfc-style - nixpkgs-review nixpkgs-fmt nixpkgs-lint-community - postgresql - helix alacritty ghostty - androidStudioPackages.dev - - winetricks bottles - scrcpy apfs-fuse nfs-utils - ubootTools dtc cloud-utils - borgbackup pika-backup - - prismlauncher xonotic - - man-pages man-pages-posix - ]) ++ (with unstablePkgs; [ - claude-code gemini-cli - ]) ++ (with auxiliaryPkgs; [ - # TODO: need fixes for 25.05 - # retroarch wine - - # TODO: ngfx (obviously) does not work on ARM, put it somewhere else - # ngfx - ]); - environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn"; } diff --git a/roles/development-server.nix b/roles/development-server.nix index b0e80e5..1ccd779 100644 --- a/roles/development-server.nix +++ b/roles/development-server.nix 
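Review bot: The `steam` block is uncommented and now sets `remotePlay.openFirewall = true;`, which opens the Steam Remote Play ports (UDP 27031–27036 and TCP 27036/27037 in the NixOS module, if I remember it right) on all interfaces of the x86 desktops — previously this was commented out, so the commit introduces a new listening exposure that its message does not mention. If Remote Play is only used at home or over the tailnet, scope it instead: `remotePlay.openFirewall = false;` together with `networking.firewall.interfaces.tailscale0.allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];` and the matching TCP ports, or at least add `# remote play ports are opened on every interface on purpose` so the decision is recorded. The `services.tailscale` block and `sysprof.enable` kept here are now verbatim duplicates of `modules/common.nix` and can be dropped. The `programs` attribute set continues past the first hunk.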
@@ -1,54 +1,26 @@ { - me, - pkgs, - auxiliaryPkgs, - unstablePkgs, ... }: { imports = [ - ./nix.nix - ./user.nix - ./locale.nix - ./vim.nix - ./tmux.nix - ./nix-ld.nix + ../modules/common.nix ]; - services.envfs.enable = true; - virtualisation = { - libvirtd.enable = true; docker = { enable = true; - daemon.settings.dns = [ "1.1.1.1" "1.0.0.1" ]; - }; - }; - - # fish enables this by default, - # it makes every nixos rebuild very slow. - documentation.man.generateCaches = false; - documentation = { - info.enable = true; - doc.enable = true; - dev.enable = true; - nixos = { - enable = true; - includeAllModules = true; + daemon.settings.dns = [ + "1.1.1.1" + "1.0.0.1" + ]; }; }; - networking.hostName = me.name; - services.resolved.enable = true; - users.users.mel.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTG/DHTkuQgwLakSBuXx3XBe+WjUmDlSgLBGzldx/ZD mel@moissanite" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlqytVSNMFAfbB+rdiNktv3WYViVBMeK7zUO2Pjfii+ mel@corsac" ]; services = { - acpid.enable = true; - tailscale.enable = true; - openssh = { enable = true; ports = [ 62322 ]; # listen on random port 
@@ -69,56 +41,5 @@ # ban those who found the real port fail2ban.enable = true; - - # sometimes needed for gnupg - pcscd.enable = true; }; - - programs = { - fish.enable = true; - git.enable = true; - - gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-curses; - }; - }; - - environment.systemPackages = (with pkgs; [ - file unzip jq dig htop wget screen dive - gnupg pinentry-curses age agenix minisign openssl cryptsetup pamtester - inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid - minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool - mitmproxy - yt-dlp ffmpeg_7-full imagemagick - senpai - qemu_full virtiofsd - - openvpn openvpn3 update-resolv-conf - - ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean - universal-ctags compiledb graphviz - python3 uv ruff - nodejs_22 deno yarn - rustc rustup cargo rustfmt - go gopls delve go-task gotags golangci-lint - meson cmake gnumake ninja gdb gcc clang clang-tools - hare haredoc - jdk maven gradle - nil nixfmt-rfc-style - nixpkgs-review nixpkgs-fmt nixpkgs-lint-community - postgresql - helix alacritty - - ubootTools dtc cloud-utils - borgbackup - - man-pages man-pages-posix - ]) ++ (with unstablePkgs; [ - claude-code gemini-cli - ]) ++ (with auxiliaryPkgs; [ - ]); - - environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn"; } |
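Review bot: With the package list and `programs.gnupg.agent.pinentryPackage = pkgs.pinentry-curses` both removed, and `modules/common.nix` now supplying `gnupg.agent` without a pinentry, the headless server has no obvious pinentry left — `modules/packages.nix` ships only `pinentry-gnome3` — so `gpg` prompts over SSH are likely to fail until `programs.gnupg.agent.pinentryPackage = pkgs.pinentry-curses;` is restored in this role. The `users.users.mel.openssh.authorizedKeys.keys` list and `fail2ban.enable` are kept, but `common.nix` now also enables Tailscale SSH (`--ssh`) and routing on this host, so the random-port-plus-fail2ban hardening no longer describes the only way in; a comment next to `ports = [ 62322 ];` such as `# tailscale ssh is also enabled via common.nix` would keep the intent honest. The `docker.daemon.settings.dns` reformat is fine, though the host itself now resolves only through the tailnet resolver `100.64.100.100` from common.nix while containers go to Cloudflare — worth a one-line note if that split is deliberate. Part of the `services.openssh` block lies between the two hunks.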
