From 28fe66a888db6bd593c87ab578ffb37b5f9141e9 Mon Sep 17 00:00:00 2001
From: Alejandro Angulo
Date: Sat, 2 Sep 2023 17:12:21 -0700
Subject: [PATCH] Added pi4 configuration
---
 flake.lock | 17 +++
 flake.nix | 48 +++++++++++---
 modules/services/octoprint/default.nix | 44 +++++++++++++
 secrets/cf_dns_kilonull.age | 24 +++---
 secrets/secrets.nix | 9 ++-
 systems/aarch64-linux/pi4/default.nix | 85 +++++++++++++++++++++++++
 systems/x86_64-linux/gospel/default.nix | 2 +-
 7 files changed, 205 insertions(+), 24 deletions(-)
 create mode 100644 modules/services/octoprint/default.nix
 create mode 100644 systems/aarch64-linux/pi4/default.nix
diff --git a/flake.lock b/flake.lock
index 2f3207b..4486886 100644
--- a/flake.lock
+++ b/flake.lock
@@ -169,6 +169,22 @@
  "type": "github"
  }
  },
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1693588489,
+ "narHash": "sha256-hUGiONyurfBxmTtRUttdlkdq+ml16L1MiKKAS1047OE=",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "fe0ea731b84b10143fc68cd557368ac70f0fb65c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "master",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
  "nixpkgs": {
  "locked": {
  "lastModified": 1692734709,
@@ -192,6 +208,7 @@
  "flake-utils-plus": "flake-utils-plus",
  "home-manager": "home-manager",
  "nixos-generators": "nixos-generators",
+ "nixos-hardware": "nixos-hardware",
  "nixpkgs": "nixpkgs",
  "snowfall-lib": "snowfall-lib"
  }
diff --git a/flake.nix b/flake.nix
index ae657b2..ffed200 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,8 @@
  agenix.inputs.nixpkgs.follows = "nixpkgs";
  agenix.inputs.home-manager.follows = "home-manager";
  agenix.inputs.darwin.follows = "";
+
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
  };
 
  outputs = inputs: let
@@ -39,20 +41,48 @@
  channels-config.allowUnfree = true;
 
  systems.modules = with inputs; [
- home-manager.nixosModules.home-manager
  agenix.nixosModules.default
+ home-manager.nixosModules.home-manager
  ];
 
- deploy.nodes.node = {
- hostname = "node";
- profiles.system = {
- user = "root";
- sshUser = "alejandro";
- path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
- sshOpts = ["-A"];
+ deploy.nodes = {
+ node = {
+ hostname = "node";
+ profiles.system = {
+ user = "root";
+ sshUser = "alejandro";
+ path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.node;
+ sshOpts = ["-A"];
+ };
+ };
+
+ pi4 = let
+ system = "aarch64-linux";
+ pkgs = import inputs.nixpkgs {inherit system;};
+ deployPkgs = import inputs.nixpkgs {
+ inherit system;
+ overlays = [
+ inputs.deploy-rs.overlay
+ (self: super: {
+ deploy-rs = {
+ inherit (pkgs) deploy-rs;
+ lib = inputs.deploy-rs.lib;
+ };
+ })
+ ];
+ };
+ in {
+ hostname = "pi4";
+ profiles.system = {
+ user = "root";
+ sshUser = "alejandro";
+ path = deployPkgs.deploy-rs.lib.aarch64-linux.activate.nixos inputs.self.nixosConfigurations.pi4;
+ };
  };
  };
 
- checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
+ # TODO: Re-enable this when I figure out how to prevent needing to build
+ # dependencies for architectures other than the host machine
+ # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib;
  };
 }
diff --git a/modules/services/octoprint/default.nix b/modules/services/octoprint/default.nix
new file mode 100644
index 0000000..5ee9428
--- /dev/null
+++ b/modules/services/octoprint/default.nix
@@ -0,0 +1,44 @@
+{
+ options,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.aa.services.octoprint;
+in {
+ options.aa.services.octoprint = with types; {
+ enable = mkEnableOption "octoprint";
+ acmeCertName = mkOption {
+ type = str;
+ default = "";
+ description = ''
+ If set to a non-empty string, foces SSL with the supplied acme
+ certificate.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.octoprint.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts."octoprint.kilonull.com" =
+ {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.octoprint.port}";
+ proxyWebsockets = true;
+ };
+ }
+ // lib.optionalAttrs (cfg.acmeCertName != "") {
+ forceSSL = true;
+ useACMEHost = cfg.acmeCertName;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+ };
+}
diff --git a/secrets/cf_dns_kilonull.age b/secrets/cf_dns_kilonull.age
index 249d5ce..d9d3255 100644
--- a/secrets/cf_dns_kilonull.age
+++ b/secrets/cf_dns_kilonull.age
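Review bot: Port 443 is opened unconditionally in `networking.firewall.allowedTCPPorts = [80 443];` even though TLS is only configured when `acmeCertName` is non-empty, and in the default empty case OctoPrint's login and printer controls are proxied over plaintext HTTP on port 80 with nothing in the module saying so. If I recall the upstream NixOS `services.octoprint` module correctly it binds to all interfaces by default, so OctoPrint is also reachable directly on its own port, bypassing nginx, whenever the host firewall does not block it; I would pin the bind address with `services.octoprint.host = "127.0.0.1";` and open 443 only when it is served: `networking.firewall.allowedTCPPorts = [80] ++ lib.optional (cfg.acmeCertName != "") 443;`. The option description has a typo (`foces` → `forces`) and should state that with the default `""` the virtual host is served over plain HTTP.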
@@ -1,12 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 Yk7ehg yd4HdQ3M4nNxxkQJxbBTpxm4Q91Geu9NPTpc89GDX2k -VDK0jJvCRmDzjXkCTt7FTRQflccY+5Sw6m5j+i8y5qE --> ssh-ed25519 SYNSNQ 6bUFdt0+KzWLIhk8HC2YSlvRGUHx9lbfsLuId3eI8mE -/J8MhNcNbwGt3GNFWRqBoEuRA2diuVUEIwCNjWduV58 --> piv-p256 UIEGzg AmQTLuIgW3b1xwBR72vx1HKOWSrlBo2u2Cp/ERAUuC3E -yRIBeItdJuAgp2f8/j4ZZAzvGSQnoDL1u3bneHKxdt8 --> g@-grease ekU. 7n9S -TQDOfhGOoWQ0CRITXdz3pSreU3MTaB/SXBupQ2KCw8M3CN3q33DpL+29asuKQuK4 -6StATcU7fMQ+NU/tCXt1qWz/qw4cfo2+gLk ---- QFnlzub83Ji3lIK+B/U8nztj9t4DLBX00BBVKkJJ/gs -S&M{@@'H|A7ZIr{>KWS'ؙ䊊"o٥(77-z!A ;؋yr7*ok$\p^XL,OIXƴ<)ȑ>yeS4f}8vE+YYQ|ib'%N~ \ No newline at end of file +-> ssh-ed25519 Yk7ehg NwKwWQiMTehA+gluPXpVyL4zyhGRheQ1hCyyjPyWNlM +ZTD2ssehxzayPhnW+OVqXzr/fqQ7Hdm711RgZT5R4Pw +-> ssh-ed25519 SYNSNQ oEc4p7cz7u+gEYIJVW7hl+VXwXzPSpRXCL33Ij2ZIkc +avgbK9ss20KmL1XB9Sg45bwv6BItDcMJj8/e2fXxZOE +-> ssh-ed25519 t5XIGA huqEOk8X1Z4g4pcjAc6griyt3x+hU5NWMfCUL8WoUkI +yqJxaxWF04PzcmyFN8hq+u9DaQmbI4W3PSDC2+Rxr5I +-> piv-p256 UIEGzg AzYN661WI0nUCA4MHnSqOT0A23jbBl9Dnv5CmmJkvuSk +BXxeYW5RdiYNwtMG+PHF5b7x2Pu129SNOeqItwfcWTs +-> X{\S-grease <0c[|Bb +tXXujcfm/3s/TMaX5tM9TamHAEHSUCArwJCDEJ2SFKcL8FSV1N3srp4wNogtF7pO +PjLeXFHo +--- 1VR3EGzzVvK+pbDlvomJ6cJ9wOrP2LoPsUqmh0c6bVE +>/,+bLjgf<9mKTN3w¹1(&D 72#.^"KW$BKUknDXk7GRڡd^9`єyM-KvO##8_<u:;\A0X5) \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 62a1d9b..79edeb1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -2,9 +2,12 @@
  let
  # Remember to pass '--identity identities/me.txt` when using this key
  users.me = "age1yubikey1qdwgvfqrcqmyw56ux7azuvqr6f8nanszu27nztvxmn4utmplgxctzt90g25";
- machines.gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ";
- machines.node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
+ machines = {
+ gospel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDzjXVoQEfO9JIcFbp56EvQ0oBdr9Cmhxp4z0ih+ZEZ";
+ node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETLBnc8kJokmFiA28BaSYpeE7flY1W0SM5C1pWv/tOv";
+ pi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9fnNXzEmDdmtR+KWj/M9vQioFR0s/4jMnIkUFcj8As";
+ };
  in {
- "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel];
+ "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4];
  "nextcloud_admin.age".publicKeys = [users.me machines.node];
  }
diff --git a/systems/aarch64-linux/pi4/default.nix b/systems/aarch64-linux/pi4/default.nix
new file mode 100644
index 0000000..a4a85e7
--- /dev/null
+++ b/systems/aarch64-linux/pi4/default.nix
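Review bot: Adding `machines.pi4` to the recipients of `cf_dns_kilonull.age` gives a third host the one shared Cloudflare DNS credential, so a compromise of the pi4 (a LAN-facing appliance, judging by the OctoPrint/nginx setup elsewhere in this patch) would yield a token that can rewrite records for the whole zone rather than just satisfy its own ACME challenge. Cloudflare API tokens can be issued per host with only `Zone:DNS:Edit` on that zone, so I would give the pi4 its own token in a separate secret, e.g. `"cf_dns_kilonull_pi4.age".publicKeys = [users.me machines.pi4];`, instead of widening the recipient list. The rekeyed `.age` file in this patch gains one extra `ssh-ed25519` recipient stanza, which presumably is this key, though the fingerprint cannot be verified from the diff.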
@@ -0,0 +1,85 @@
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ nixpkgs,
+ modulesPath,
+ ...
+}: {
+ imports = with inputs; [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+ nixos-hardware.nixosModules.raspberry-pi-4
+ ];
+
+ # Workaround for issue 109280
+ # See here: https://github.com/NixOS/nixpkgs/issues/109280#issuecomment-973636212
+ nixpkgs.overlays = [
+ (final: super: {
+ makeModulesClosure = x:
+ super.makeModulesClosure (x // {allowMissing = true;});
+ })
+ ];
+
+ age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+
+ aa = {
+ nix.enable = true;
+ nix.useSelfhostedCache = true;
+
+ apps.btop.enable = true;
+ apps.tmux.enable = true;
+
+ services.tailscale = {
+ enable = true;
+ configureClientRouting = true;
+ configureServerRouting = true;
+ };
+ services.openssh.enable = true;
+ services.octoprint = {
+ enable = true;
+ acmeCertName = "kilonull.com";
+ };
+
+ security.acme = {
+ enable = true;
+ domainName = "kilonull.com";
+ dnsCredentialsFile = config.age.secrets.cf_dns_kilonull.path;
+ };
+
+ suites.utils.enable = true;
+ tools.zsh.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ libraspberrypi
+ raspberrypi-eeprom
+ ];
+
+ networking = {
+ hostName = "pi4";
+ useDHCP = false;
+ defaultGateway = "192.168.113.1";
+ nameservers = ["192.168.113.13" "1.1.1.1"];
+ interfaces.end0.ipv4.addresses = [
+ {
+ address = "192.168.113.42";
+ prefixLength = 24;
+ }
+ ];
+ };
+
+ security.sudo = {
+ wheelNeedsPassword = false;
+ execWheelOnly = true;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
diff --git a/systems/x86_64-linux/gospel/default.nix b/systems/x86_64-linux/gospel/default.nix
index 992e944..6975dcb 100644
--- a/systems/x86_64-linux/gospel/default.nix
+++ b/systems/x86_64-linux/gospel/default.nix
@@ -73,7 +73,7 @@
  };
  };
- boot.binfmt.emulatedSystems = ["aarch64-linux" "armv6l-linux"];
+ # boot.binfmt.emulatedSystems = ["aarch64-linux" "armv6l-linux"];
  networking = {
  hostName = "gospel";
  useDHCP = false;
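Review bot: `wheelNeedsPassword = false` in the `security.sudo` block gives every wheel member unprompted root, which is presumably there so the `pi4` deploy-rs node in flake.nix (`sshUser = "alejandro"`, `user = "root"`) can activate, but the file does not say so and the same setting turns theft of that user's SSH key into an immediate root shell on a host that also holds the DNS credential. I would at least record the reason next to it, `# NOPASSWD for wheel: deploy-rs logs in as alejandro and activates as root (see deploy.nodes.pi4 in flake.nix)`, and consider narrowing it with `security.sudo.extraRules` to the commands deploy-rs actually runs rather than a blanket NOPASSWD. The DNS token is handed to ACME through `dnsCredentialsFile`; the `aa.security.acme` module that consumes it is outside this patch, so whether the decrypted file ends up readable only by root cannot be checked here and is worth confirming.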