From 7f032ce4156d19677f77da0c7d4be7e13e7db7d0 Mon Sep 17 00:00:00 2001 From: Michael Smith Date: Sun, 25 May 2025 12:23:04 +0200 Subject: [PATCH] Initial commit --- flake.lock | 65 ++++++++ flake.nix | 80 ++++++++++ machines/pinix/default.nix | 109 +++++++++++++ machines/pinix/dotfiles/i3-config | 184 ++++++++++++++++++++++ machines/pinix/dotfiles/i3status-config | 46 ++++++ machines/pinix/hardware-configuration.nix | 35 ++++ machines/pinix/kiosk.nix | 20 +++ modules/common/nix/default.nix | 4 + modules/server/default.nix | 66 ++++++++ 9 files changed, 609 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 machines/pinix/default.nix create mode 100644 machines/pinix/dotfiles/i3-config create mode 100644 machines/pinix/dotfiles/i3status-config create mode 100644 machines/pinix/hardware-configuration.nix create mode 100644 machines/pinix/kiosk.nix create mode 100644 modules/common/nix/default.nix create mode 100644 modules/server/default.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..7cc7a88 --- /dev/null +++ b/flake.lock @@ -0,0 +1,65 @@ +{ + "nodes": { + "devshell": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741473158, + "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", + "owner": "numtide", + "repo": "devshell", + "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1747900541, + "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1748037224, + "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "devshell": "devshell", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..fd3fe40 --- /dev/null +++ b/flake.nix @@ -0,0 +1,80 @@ +{ + description = "Manage infrastructure using Nix"; + + inputs = { + nixpkgs = { + url = "github:nixos/nixpkgs/nixos-24.11"; + }; + devshell = { + url = "github:numtide/devshell"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + }; + }; + + outputs = { + self, + nixpkgs, + devshell, + nixos-hardware, + } @ inputs: let + forAllSystems = function: + nixpkgs.lib.genAttrs [ + "x86_64-linux" + "x86_64-darwin" + "aarch64-linux" + "aarch64-darwin" + ] (system: + function (import nixpkgs { + inherit system; + overlays = [ + devshell.overlays.default + ]; + })); + in { + nixosConfigurations = { + pinix = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = [ + nixos-hardware.nixosModules.raspberry-pi-4 + ./modules/common/nix + ./modules/server + ./machines/pinix + ]; + }; + }; + + formatter = forAllSystems (pkgs: pkgs.alejandra); + + devShells = forAllSystems (pkgs: { + default = pkgs.devshell.mkShell { + name = "NixOS Configuration"; + packages = with pkgs; [ + nixos-rebuild + ]; + commands = [ + { + name = "config:deploy"; + help = '' + Use as `config:deploy HOST {switch|build} EXTRA_ARGS`. + Assumes you have a valid ssh configuration for HOST in ~/.ssh/config + ''; + command = '' + host=$1 # Assign first ARGV to host + shift # Remove host from ARGV + nixos-rebuild --flake ".#$host" \ + --build-host $host \ + --target-host $host \ + --use-remote-sudo \ + --fast \ + "$@" + ''; + } + ]; + }; + }); + }; +} diff --git a/machines/pinix/default.nix b/machines/pinix/default.nix new file mode 100644 index 0000000..dc9b373 --- /dev/null +++ b/machines/pinix/default.nix @@ -0,0 +1,109 @@ +{ + config, + pkgs, + lib, + ... +}: { + imports = [ + ./hardware-configuration.nix + ./kiosk.nix + ]; + + hardware.raspberry-pi."4".fkms-3d.enable = true; + + boot = { + kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; + initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage"]; + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + consoleLogLevel = 0; + kernelParams = ["quiet"]; + initrd.verbose = false; + plymouth.enable = true; + }; + + networking = { + usePredictableInterfaceNames = false; + hostName = "kiosk-pi"; + wireless = { + enable = true; + interfaces = ["wlan0"]; + networks = { + "SSID" = { + pskRaw = "CHANGEME"; + }; + }; + }; + interfaces.wlan0.ipv4.addresses = [ + { + address = "192.168.1.2"; + prefixLength = 24; + } + ]; + defaultGateway = "192.168.1.1"; + nameservers = ["192.168.1.1"]; + }; + + # Set your time zone. + time.timeZone = "Europe/Brussels"; + i18n.defaultLocale = "en_US.UTF-8"; + + # Enable the X11 windowing system. + services.xserver = { + enable = true; + desktopManager.xterm.enable = false; + windowManager.i3 = { + enable = true; + extraPackages = with pkgs; [ + dmenu + i3lock + i3status + ]; + }; + + # NOTE: This kiosk uses a display in portrait mode + xrandrHeads = [ + { + monitorConfig = ''Option "Rotate" "left"''; + output = "HDMI-1"; + } + ]; + }; + + services.displayManager.defaultSession = "none+i3"; + services.displayManager.autoLogin = { + enable = true; + user = "kioskuser"; + }; + + users = { + mutableUsers = true; + users = { + kioskuser = { + isNormalUser = true; + home = "/home/kioskuser"; + extraGroups = ["video" "input"]; + description = "Kiosk user"; + openssh.authorizedKeys.keys = [ + "YOUR PUBLIC SSH KEY" + ]; + }; + + root = { + openssh.authorizedKeys.keys = [ + "YOUR PUBLIC SSH KEY" + ]; + }; + }; + }; + + environment.systemPackages = with pkgs; [ + chromium + htop + unclutter + ]; + + system.stateVersion = "24.11"; +} diff --git a/machines/pinix/dotfiles/i3-config b/machines/pinix/dotfiles/i3-config new file mode 100644 index 0000000..810a5c8 --- /dev/null +++ b/machines/pinix/dotfiles/i3-config @@ -0,0 +1,184 @@ +# This file has been auto-generated by i3-config-wizard(1). +# It will not be overwritten, so edit it as you like. +# +# Should you change your keyboard layout some time, delete +# this file and re-run i3-config-wizard(1). +# + +# i3 config file (v4) +# +# Please see https://i3wm.org/docs/userguide.html for a complete reference! + +set $mod Mod4 + +# Font for window titles. Will also be used by the bar unless a different font +# is used in the bar {} block below. +font pango:monospace 8 + +# This font is widely installed, provides lots of unicode glyphs, right-to-left +# text rendering and scalability on retina/hidpi displays (thanks to pango). +#font pango:DejaVu Sans Mono 8 + +# The combination of xss-lock, nm-applet and pactl is a popular choice, so +# they are included here as an example. Modify as you see fit. + +# xss-lock grabs a logind suspend inhibit lock and will use i3lock to lock the +# screen before suspend. Use loginctl lock-session to lock your screen. +exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork + +# NetworkManager is the most popular way to manage wireless networks on Linux, +# and nm-applet is a desktop environment-independent system tray GUI for it. +exec --no-startup-id nm-applet + +# Use pactl to adjust volume in PulseAudio. +set $refresh_i3status killall -SIGUSR1 i3status +bindsym XF86AudioRaiseVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ +10% && $refresh_i3status +bindsym XF86AudioLowerVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ -10% && $refresh_i3status +bindsym XF86AudioMute exec --no-startup-id pactl set-sink-mute @DEFAULT_SINK@ toggle && $refresh_i3status +bindsym XF86AudioMicMute exec --no-startup-id pactl set-source-mute @DEFAULT_SOURCE@ toggle && $refresh_i3status + +# Use Mouse+$mod to drag floating windows to their wanted position +floating_modifier $mod + +# start a terminal +bindsym $mod+Return exec i3-sensible-terminal + +# kill focused window +bindsym $mod+Shift+q kill + +# start dmenu (a program launcher) +bindsym $mod+d exec --no-startup-id dmenu_run +# A more modern dmenu replacement is rofi: +# bindcode $mod+40 exec "rofi -modi drun,run -show drun" +# There also is i3-dmenu-desktop which only displays applications shipping a +# .desktop file. It is a wrapper around dmenu, so you need that installed. +# bindcode $mod+40 exec --no-startup-id i3-dmenu-desktop + +# change focus +bindsym $mod+j focus left +bindsym $mod+k focus down +bindsym $mod+l focus up +bindsym $mod+semicolon focus right + +# alternatively, you can use the cursor keys: +bindsym $mod+Left focus left +bindsym $mod+Down focus down +bindsym $mod+Up focus up +bindsym $mod+Right focus right + +# move focused window +bindsym $mod+Shift+j move left +bindsym $mod+Shift+k move down +bindsym $mod+Shift+l move up +bindsym $mod+Shift+semicolon move right + +# alternatively, you can use the cursor keys: +bindsym $mod+Shift+Left move left +bindsym $mod+Shift+Down move down +bindsym $mod+Shift+Up move up +bindsym $mod+Shift+Right move right + +# split in horizontal orientation +bindsym $mod+h split h + +# split in vertical orientation +bindsym $mod+v split v + +# enter fullscreen mode for the focused container +bindsym $mod+f fullscreen toggle + +# change container layout (stacked, tabbed, toggle split) +bindsym $mod+s layout stacking +bindsym $mod+w layout tabbed +bindsym $mod+e layout toggle split + +# toggle tiling / floating +bindsym $mod+Shift+space floating toggle + +# change focus between tiling / floating windows +bindsym $mod+space focus mode_toggle + +# focus the parent container +bindsym $mod+a focus parent + +# focus the child container +#bindsym $mod+d focus child + +# Define names for default workspaces for which we configure key bindings later on. +# We use variables to avoid repeating the names in multiple places. +set $ws1 "1" +set $ws2 "2" +set $ws3 "3" +set $ws4 "4" +set $ws5 "5" +set $ws6 "6" +set $ws7 "7" +set $ws8 "8" +set $ws9 "9" +set $ws10 "10" + +# switch to workspace +bindsym $mod+1 workspace number $ws1 +bindsym $mod+2 workspace number $ws2 +bindsym $mod+3 workspace number $ws3 +bindsym $mod+4 workspace number $ws4 +bindsym $mod+5 workspace number $ws5 +bindsym $mod+6 workspace number $ws6 +bindsym $mod+7 workspace number $ws7 +bindsym $mod+8 workspace number $ws8 +bindsym $mod+9 workspace number $ws9 +bindsym $mod+0 workspace number $ws10 + +# move focused container to workspace +bindsym $mod+Shift+1 move container to workspace number $ws1 +bindsym $mod+Shift+2 move container to workspace number $ws2 +bindsym $mod+Shift+3 move container to workspace number $ws3 +bindsym $mod+Shift+4 move container to workspace number $ws4 +bindsym $mod+Shift+5 move container to workspace number $ws5 +bindsym $mod+Shift+6 move container to workspace number $ws6 +bindsym $mod+Shift+7 move container to workspace number $ws7 +bindsym $mod+Shift+8 move container to workspace number $ws8 +bindsym $mod+Shift+9 move container to workspace number $ws9 +bindsym $mod+Shift+0 move container to workspace number $ws10 + +# reload the configuration file +bindsym $mod+Shift+c reload +# restart i3 inplace (preserves your layout/session, can be used to upgrade i3) +bindsym $mod+Shift+r restart +# exit i3 (logs you out of your X session) +bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -B 'Yes, exit i3' 'i3-msg exit'" + +# resize window (you can also use the mouse for that) +mode "resize" { + # These bindings trigger as soon as you enter the resize mode + + # Pressing left will shrink the window’s width. + # Pressing right will grow the window’s width. + # Pressing up will shrink the window’s height. + # Pressing down will grow the window’s height. + bindsym j resize shrink width 10 px or 10 ppt + bindsym k resize grow height 10 px or 10 ppt + bindsym l resize shrink height 10 px or 10 ppt + bindsym semicolon resize grow width 10 px or 10 ppt + + # same bindings, but for the arrow keys + bindsym Left resize shrink width 10 px or 10 ppt + bindsym Down resize grow height 10 px or 10 ppt + bindsym Up resize shrink height 10 px or 10 ppt + bindsym Right resize grow width 10 px or 10 ppt + + # back to normal: Enter or Escape or $mod+r + bindsym Return mode "default" + bindsym Escape mode "default" + bindsym $mod+r mode "default" +} + +bindsym $mod+r mode "resize" + +# Start i3bar to display a workspace bar (plus the system information i3status +# finds out, if available) +bar { + status_command i3status +} + +exec_always --no-startup-id kiosk & diff --git a/machines/pinix/dotfiles/i3status-config b/machines/pinix/dotfiles/i3status-config new file mode 100644 index 0000000..6d0a301 --- /dev/null +++ b/machines/pinix/dotfiles/i3status-config @@ -0,0 +1,46 @@ +# i3status configuration file. +# see "man i3status" for documentation. + +# It is important that this file is edited as UTF-8. +# The following line should contain a sharp s: +# ß +# If the above line is not correctly displayed, fix your editor first! + +general { + colors = true + interval = 5 +} + +order += "wireless _first_" +order += "disk /" +order += "load" +order += "memory" +order += "tztime local" + +wireless _first_ { + format_up = "W: (%quality at %essid) %ip" + format_down = "W: down" +} + +ethernet _first_ { + format_up = "E: %ip (%speed)" + format_down = "E: down" +} + +disk "/" { + format = "%avail" +} + +load { + format = "%1min" +} + +memory { + format = "%used" + threshold_degraded = "1G" + format_degraded = "MEMORY < %available" +} + +tztime local { + format = "%d-%m-%Y %H:%M" +} diff --git a/machines/pinix/hardware-configuration.nix b/machines/pinix/hardware-configuration.nix new file mode 100644 index 0000000..2e2545f --- /dev/null +++ b/machines/pinix/hardware-configuration.nix @@ -0,0 +1,35 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "uas" "usbhid" "usb_storage"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + options = ["noatime"]; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.end0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp1s0u1u1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} diff --git a/machines/pinix/kiosk.nix b/machines/pinix/kiosk.nix new file mode 100644 index 0000000..2d0b2b1 --- /dev/null +++ b/machines/pinix/kiosk.nix @@ -0,0 +1,20 @@ +{ + config, + pkgs, + lib, + ... +}: let + kiosk-command = pkgs.writeShellScriptBin "kiosk" '' + # Disable screen blanking and standby + ${pkgs.xorg.xset}/bin/xset s noblank + ${pkgs.xorg.xset}/bin/xset s off + ${pkgs.xorg.xset}/bin/xset -dpms + + # Hide mouse + ${pkgs.unclutter}/bin/unclutter -idle 0.5 -root & + + ${pkgs.chromium}/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk https://example.com/dashboard + ''; +in { + environment.systemPackages = [kiosk-command]; +} diff --git a/modules/common/nix/default.nix b/modules/common/nix/default.nix new file mode 100644 index 0000000..11cc8c9 --- /dev/null +++ b/modules/common/nix/default.nix @@ -0,0 +1,4 @@ +{inputs, ...}: { + nixpkgs.config.allowUnfree = true; + nix.settings.experimental-features = ["nix-command" "flakes"]; +} diff --git a/modules/server/default.nix b/modules/server/default.nix new file mode 100644 index 0000000..976c3f8 --- /dev/null +++ b/modules/server/default.nix @@ -0,0 +1,66 @@ +{ + inputs, + config, + pkgs, + ... +}: { + # See https://linux.die.net/man/8/pam_ssh_agent_auth + security.pam.sshAgentAuth.enable = true; + + system.autoUpgrade = { + enable = true; + allowReboot = true; + rebootWindow = { + lower = "01:00"; + upper = "05:00"; + }; + flake = "git+ssh://user@git.example.com/user/nixos-config.git"; + }; + + nix = { + # Automatic garbage collection + gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 7d"; + }; + }; + + environment.systemPackages = with pkgs; [ + git + molly-guard + vim + ]; + + boot.tmp.cleanOnBoot = true; + + # Use more aggressive OOM + services.earlyoom = { + enable = true; + }; + + # Limit journal size + services.journald.extraConfig = '' + SystemMaxUse=500M + ''; + + # I18n + time.timeZone = "Europe/Brussels"; + i18n.defaultLocale = "en_US.UTF-8"; + + # Networking + networking.firewall.logRefusedConnections = false; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + }; + }; + + services.fail2ban = { + enable = true; + bantime = "10m"; + }; +}