commit b216f4f19f1bbb57386dacb7e985a007b8f0c53b
Author: Ellis Rahhal
Date: Sat Nov 23 20:28:47 2024 -0800
First commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7ea1229
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+HomeFree Sample Config
+======================
+
+Clone this repo and modify configuration.nix as needed, then deploy with:
+
+```
+./install.sh
+```
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..f094a54
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,134 @@
+{ lib, ... }:
+{
+ imports = [
+ ./disk-config.nix
+ ];
+
+ networking = {
+ interfaces = {
+ wlp4s0 = {
+ useDHCP = true;
+ };
+ };
+ wireless = {
+ ## Don't enable wireless adapter
+ enable = lib.mkForce false;
+ ## @TODO: Get this working as an access point
+ };
+ };
+
+ homefree = {
+ system = {
+ adminUsername = "homefree";
+ adminHashedPassword = "";
+ authorizedKeys = [
+ ""
+ ];
+ };
+
+ network = {
+ wan-interface = "eno1";
+ wan-bitrate-mbps-down = 1000;
+ wan-bitrate-mbps-up = 1000;
+ lan-interface = "enp112s0";
+ static-ips = [
+ {
+ mac-address = "32:ea:a6:38:f2:6c";
+ hostname = "moms-laptop";
+ ip = "10.0.0.2";
+ }
+ {
+ mac-address = "50:60:f3:f1:3d:36";
+ hostname = "bros-iphone";
+ ip = "10.0.0.9";
+ }
+ {
+ mac-address = "68:30:f3:32:4444d:31";
+ hostname = "yamaha";
+ ip = "10.0.0.10";
+ }
+ ];
+
+ dns-overrides = [
+ {
+ hostname = "att-modem";
+ domain = "localdomain";
+ ip = "192.168.1.254";
+ }
+ ];
+ };
+
+ dynamic-dns = {
+ zones = [
+ ## Repace with your own domain
+ {
+ zone = "homefree.host";
+ protocol = "hetzner";
+ username = "erahhal";
+ passwordFile = "/run/secrets/ddclient/ddclient-password";
+ }
+ ];
+ };
+
+ wireguard = {
+ peers = [
+ {
+ name = "my-phone";
+ publicKey = "=";
+ allowedIPs = [ "192.168.2.2/32"];
+ }
+ {
+ name = "bros-phone";
+ publicKey = "";
+ allowedIPs = [ "192.168.2.3/32"];
+ }
+ ];
+ };
+
+ services = {
+ adguard = {
+ enable = true;
+ };
+
+ homeassistant = {
+ enable = true;
+ };
+
+ gitea = {
+ enable = true;
+ public = true;
+ };
+
+ radicale = {
+ enable = true;
+ };
+
+ unifi = {
+ enable = true;
+ };
+
+ vaultwarden = {
+ enable = true;
+ };
+ };
+
+ proxied-hosts = [
+ {
+ label = "att";
+ subdomains = [ "att" ];
+ https-domains = [ "homefree.host" "rahh.al" ];
+ host = "att.localdomain";
+ port = 80;
+ }
+ {
+ label = "yamaha-recevier-web-gui";
+ subdomains = [ "yamaha" ];
+ https-domains = [ "homefree-host" ];
+ port = 443;
+ ssl = true;
+ ssl-no-verify = true;
+ host = "yamaha.localdomain";
+ }
+ ];
+ };
+}
diff --git a/disk-config.nix b/disk-config.nix
new file mode 100644
index 0000000..f3b1f4e
--- /dev/null
+++ b/disk-config.nix
@@ -0,0 +1,78 @@
+{ ... }:
+{
+ disko.devices = {
+ disk = {
+ nvme0n1 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ start = "1M";
+ end = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ # Subvolumes must set a mountpoint in order to be mounted,
+ # unless their parent is mounted
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
+ };
+ # Subvolume name is the same as the mountpoint
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
+ };
+ # Parent is not mounted so the mountpoint must be set
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
+ };
+ # Subvolume for the swapfile
+ "/swap" = {
+ mountpoint = "/swap";
+ swap = {
+ swapfile.size = "64G";
+ };
+ };
+ };
+ };
+ };
+
+ # luks = {
+ # size = "100%";
+ # content = {
+ # type = "luks";
+ # name = "crypted";
+ # # disable settings.keyFile if you want to use interactive password entry
+ # #passwordFile = "/tmp/secret.key"; # Interactive
+ # settings = {
+ # allowDiscards = true;
+ # keyFile = "/tmp/secret.key";
+ # };
+ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ # content = {
+ # ...
+ # };
+ # };
+ # };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
new file mode 100755
index 0000000..9e17b98
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,33 @@
+{
+ description = "Sample Homefree Host Config";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+ homefree.url = "git+https://git.homefree.host/erahhal/HomeFree";
+ };
+
+ outputs = {
+ self,
+ ...
+ }@inputs:
+ let
+ system = "x86_64-linux";
+ in
+ {
+ nixosConfigurations = {
+ homefree = inputs.nixpkgs.lib.nixosSystem {
+ system = system;
+ modules = [
+ inputs.homefree.nixosModules.default
+ ./disk-config.nix
+ ./configuration.nix
+ ];
+ specialArgs = {
+ inherit inputs;
+ inherit system;
+ };
+ };
+ };
+ };
+}
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..0c1412a
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+echo 'Installation steps:'
+echo ''
+echo ' - Make sure configuration has your SSH key authorized for root so you can change your password, e.g.'
+echo ' users.users.root.openssh.authorizedKeys.keys = ['
+echo ' "ssh-rsa blahblah"'
+echo ' ];'
+echo ' - Boot minimal NixOS image on target, e.g. using a USB stick'
+echo ' - Do NOT use Ventoy, as it doesnt work on some devices. Use a direct image on a USB stick'
+echo ' - On target: Change password with `passwd`'
+echo ' - On source: `scp ~/.ssh/authorized_keys nixos@:/home/nixos`'
+echo ' - On target: `mkdir -p ~/.ssh; mv ~/authorized_keys ~/.ssh/authorized_keys'
+echo ' - Then continue by entering the values below'
+echo ''
+
+read -p "Enter IP Address: " ADDRESS
+
+if [[ $ADDRESS =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "IP: ${ADDRESS}"
+ echo ""
+else
+ echo "Invalid IP Address"
+ exit
+fi
+
+read -p "ARE YOU SURE? This will DESTROY the target (Y/N): " confirm && [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]] || exit 1
+
+NIX_SSHOPTS=-tt nix run github:nix-community/nixos-anywhere -- --flake ../#homefree nixos@$ADDRESS
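Review bot: `system = system;` inside the `nixosSystem` call is the long form of `inherit system;`, which this same file already uses in `specialArgs`; making the two consistent is a small readability win. `self` is destructured in the `outputs` pattern but never referenced, so it can be dropped since `@inputs` already captures it. The `homefree` input presumably brings its own `nixpkgs`; if so, `homefree.inputs.nixpkgs.follows = "nixpkgs";` under `inputs` would avoid evaluating two nixpkgs trees — worth confirming against that flake.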
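Review bot: The final `nix run … --flake ../#homefree` points at the parent directory, while README.md tells the user to run `./install.sh` from the cloned repo where flake.nix lives, so the deploy would look for a flake one level up; unless the script is meant to run from a subdirectory, this should be `--flake .#homefree` (or `--flake "$(dirname "$0")#homefree"` to make it independent of the working directory). The invalid-address branch ends in a bare `exit`, which returns status 0 and makes a failed validation look like success to any caller; use `exit 1`. `$ADDRESS` is also passed unquoted on that last line and read without `-r`; `read -r -p "Enter IP Address: " ADDRESS` and `nixos@"$ADDRESS"` keep it a single argument. The scp example prints `nixos@:/home/nixos` with no host between `@` and `:`, and the following `mkdir` line is missing its closing backtick — the former may be a placeholder lost in rendering, but both are worth checking.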