diff --git a/README.md b/README.md index 64532d2..61277ed 100755 --- a/README.md +++ b/README.md 
@@ -1,37 +1,65 @@ # Setup -Follow the steps below to setup your environment. +This dotfiles is intended to be used with NixOS 24.05 +Please install a clean version of NixOS GNOME and then follow the steps below. -## Begin here +## Installation + +### 0. Install NixOS + +Either install GNOME or Minimal depending on if you intend to setup a server or desktop. ### 1. Clone dotfiles to home directory -You should probably already have this cloned in your home directory but if you don't you can clone it with the following command. +Clone the repository to your home directory, you can do this by opening a shell with git installed. ```bash -git clone ssh://od.mvl.sh/dotfiles ~/dotfiles +nixos-shell -p git +git clone https://git.mvl.sh/vleeuwenmenno/dotfiles.git ~/dotfiles +exit ``` -### 2. Prepare shell +### 2. Run `setup.sh` -You can run the setup.sh in the dotfiles folder to install all the necessary packages. +You can run the setup.sh in the dotfiles folder to setup the system. +This will prompt you to give a hostname for the system. For things to properly work you should ensure this repository contains the relevant assets for the hostname you provide. + +In case you're setting up a new system you could use any of the existing hostnames in the `nconfig/nixos/hardware/` folder. +Afterwards you should adopt the pre-generated configuration under `/etc/nixos/hardware-configuration.nix` to the repository and change the hostname to anything you like. ```bash cd ~/dotfiles && ./setup.sh ``` -### 3. Run `dotf update` +### 3. Reboot -This should fix all the symlinks and install all the necessary packages. -Afterwards you should restart your shell. +It's probably a good idea that you either reboot or log out and log back in to make sure all the changes are applied. -This should also set your terminal and default shell to zsh so make sure to restart or just reboot your system. +```bash +# sudo reboot +``` + +### 4. 
Run `dotf update` + +Run the `dotf update` command, although nixos-rebuild and home-manager already ran the dotf cli didn't yet place proper symlinks for everything. ```bash dotf update ``` -### 4. Reboot +### 5. Setup 1Password + +1Password is installed but you need to login and enable the SSH agent and CLI components under the settings before continuing. + +### 6. Decrypt secrets + +Now that you've got 1Password setup you can decrypt the secrets needed for various applications. + +```bash +dotf secrets decrypt +``` + +### 7. Reboot After you have done all the steps above you should reboot your system to make sure everything is working as intended. 
@@ -39,14 +67,21 @@ After you have done all the steps above you should reboot your system to make su # sudo reboot ``` -### 5. Secrets + 1Password +## Adding a new system -Since 1Password has been installed you can open it. -Secrets won't be able to decrypt until you have logged in on 1Password and enabled Developer tools under the settings. +### Paths in the repository -## Install extra packages +Here are some paths that contain files named after the hostname of the system. +If you add a new system you should add the relevant files to these paths. -After you've got the first part done and you have `dotf` installed you can install extra packages. -Check the [packages](packages.md) file for more information. +- `nconfig/nixos/hardware/`: Contains the hardware configurations for the different systems. +- `config/ssh/authorized_keys`: Contains the public keys per hostname that will be symlinked to the `~/.ssh/authorized_keys` file. +- `config/nixos/flake.nix`: Contains an array `nixosConfigurations` where you should be adding the new system hostname and relevant configuration. -You can also have a look at [gnome-extensions](gnome-extensions.md) for some gnome extensions that I use. +### Adding a new system + +To add a new system you should follow these steps: + +1. Add the relevant files shown in the section above. +2. Ensure you've either updated or added the `$HOME/.hostname` file with the hostname of the system. +3. Run `dotf update` to ensure the symlinks are properly updated/created. diff --git a/config/config.yaml b/config/config.yaml index a741099..c80c800 100644 --- a/config/config.yaml +++ b/config/config.yaml 
@@ -22,7 +22,7 @@ config: u2f: sources: mennos-laptop: ~/dotfiles/secrets/yubico/u2f.work.keys - mennos-desktop: ~/dotfiles/secrets/yubico/u2f.personal.keys + mennos-server: ~/dotfiles/secrets/yubico/u2f.personal.keys mennos-gamingpc: ~/dotfiles/secrets/yubico/u2f.personal.keys homeserver-pc: ~/dotfiles/secrets/yubico/u2f.personal.keys target: ~/.config/Yubico/u2f_keys @@ -50,7 +50,7 @@ config: ssh_authorized_keys: sources: mennos-laptop: ~/dotfiles/config/ssh/authorized_keys/mennos-laptop - mennos-desktop: ~/dotfiles/config/ssh/authorized_keys/mennos-desktop + mennos-server: ~/dotfiles/config/ssh/authorized_keys/mennos-server mennos-gamingpc: ~/dotfiles/config/ssh/authorized_keys/mennos-gamingpc homeserver-pc: ~/dotfiles/config/ssh/authorized_keys/homeserver-pc target: ~/.ssh/authorized_keys diff --git a/config/nixos/common/server.nix b/config/nixos/common/server.nix index c74466d..6565cd6 100644 --- a/config/nixos/common/server.nix +++ b/config/nixos/common/server.nix @@ -1,4 +1,28 @@ { config, pkgs, ... }: { + # OpenSSH server + services.openssh = { + enable = true; + ports = [ 400 ]; + settings = { + PasswordAuthentication = false; + AllowUsers = [ "menno" ]; + X11Forwarding = false; + PermitRootLogin = "prohibit-password"; + AllowTCPForwarding = true; + AllowAgentForwarding = true; + PermitEmptyPasswords = false; + PubkeyAuthentication = true; + }; + }; + # Open ports in the firewall + networking.firewall = { + enable = true; + allowedTCPPorts = [ + # SSH + 400 + ]; + allowedUDPPorts = [ ]; + }; } diff --git a/config/nixos/common/workstation.nix b/config/nixos/common/workstation.nix index 84f7920..0a8aa16 100644 --- a/config/nixos/common/workstation.nix +++ b/config/nixos/common/workstation.nix 
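Review bot: The `networking.firewall.allowedTCPPorts = [ 400 ]` entry in server.nix duplicates what `services.openssh.openFirewall` (default `true`) already does for every port listed in `services.openssh.ports`, so the two lists can drift apart the next time the SSH port changes; either drop the manual entry or set `services.openssh.openFirewall = false;` and keep the firewall list as the single source of truth. The same duplication is in the workstation.nix hunk. `PermitRootLogin = "prohibit-password"` next to `AllowUsers = [ "menno" ]` is contradictory, since AllowUsers already denies root; `PermitRootLogin = "no";` states the intent plainly. `AllowAgentForwarding = true` on the server means a forwarded agent socket is reachable by root on that host; if the README's 1Password agent is only needed on workstations, consider `false` here.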
@@ -24,4 +24,40 @@ alsa.support32Bit = true; pulse.enable = true; }; + + # Open ports in the firewall + networking.firewall = { + enable = true; + allowedTCPPorts = [ + # RDP (Gnome Remote Desktop) + 3389 + 3390 + 3391 + + # SSH + 400 + ]; + allowedUDPPorts = [ + # RDP (Gnome Remote Desktop) + 3389 + 3390 + 3391 + ]; + }; + + # OpenSSH server + services.openssh = { + enable = true; + ports = [ 400 ]; + settings = { + PasswordAuthentication = false; + AllowUsers = [ "menno" ]; + X11Forwarding = true; + PermitRootLogin = "prohibit-password"; + AllowTCPForwarding = true; + AllowAgentForwarding = true; + PermitEmptyPasswords = false; + PubkeyAuthentication = true; + }; + }; } diff --git a/config/nixos/configuration.nix b/config/nixos/configuration.nix index 0369743..ea8bbd4 100644 --- a/config/nixos/configuration.nix +++ b/config/nixos/configuration.nix @@ -1,13 +1,22 @@ -{ config, pkgs, ... }: { - imports = [ - ./packages/default.nix - ./virtualization.nix - ./users.nix - ./flatpak.nix - ./hosts.nix - ./yubikey.nix - ]; + config, + pkgs, + lib, + isServer ? false, + isWorkstation ? false, + ... +}: +{ + imports = + [ + ./packages/common/default.nix + ./users.nix + ./hosts.nix + ./yubikey.nix + ] + # Include packages based on whether this is a server or workstation. + ++ lib.optional isServer ./packages/server/default.nix + ++ lib.optional isWorkstation ./packages/workstation/default.nix; # Bootloader. boot.loader.systemd-boot.enable = true; @@ -16,8 +25,8 @@ # Enable networking networking.networkmanager.enable = true; - # Set your time zone. - time.timeZone = "Europe/Amsterdam"; + # Allow unfree packages + nixpkgs.config.allowUnfree = true; # Enable experimental nix-command flakes nix = { @@ -27,6 +36,9 @@ ''; }; + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; 
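Review bot: `isServer ? false` and `isWorkstation ? false` in the new configuration.nix module signature accept any combination: a host whose flake entry omits `specialArgs` silently imports neither package set, and one that sets both imports both. Add an assertion so the mistake surfaces at evaluation time, e.g. `assertions = [ { assertion = isServer != isWorkstation; message = "set exactly one of isServer/isWorkstation in specialArgs"; } ];`. The flake hunks later in this commit set both flags for every host, but nothing enforces it. The enclosing attribute set of that hunk continues past the hunk.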
@@ -49,33 +61,6 @@ services.tailscale.enable = true; - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # Enable the OpenSSH daemon. - # services.openssh = { - # enable = true; - # port = 400; - # permitRootLogin = "no"; - # passwordAuthentication = false; - # pubkeyAuthentication = true; - # }; - - # Open ports in the firewall. - networking.firewall = { - enable = true; - allowedTCPPorts = [ - 3389 - 3390 - 3391 - ]; - allowedUDPPorts = [ - 3389 - 3390 - 3391 - ]; - }; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/config/nixos/flake.nix b/config/nixos/flake.nix index a6bd46e..7f05da9 100644 --- a/config/nixos/flake.nix +++ b/config/nixos/flake.nix @@ -16,6 +16,10 @@ ./common/workstation.nix ./configuration.nix ]; + specialArgs = { + isWorkstation = true; + isServer = false; + }; }; "mennos-gamingpc" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -24,14 +28,22 @@ ./common/workstation.nix ./configuration.nix ]; + specialArgs = { + isWorkstation = true; + isServer = false; + }; }; - "mennos-desktop" = nixpkgs.lib.nixosSystem { + "mennos-server" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ - ./hardware/mennos-desktop.nix + ./hardware/mennos-server.nix ./common/server.nix ./configuration.nix ]; + specialArgs = { + isWorkstation = false; + isServer = true; + }; }; }; }; diff --git a/config/nixos/hardware/mennos-desktop.nix b/config/nixos/hardware/mennos-server.nix similarity index 85% rename from config/nixos/hardware/mennos-desktop.nix rename to config/nixos/hardware/mennos-server.nix index 2ef0c91..9541cac 100644 --- a/config/nixos/hardware/mennos-desktop.nix +++ b/config/nixos/hardware/mennos-server.nix 
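Review bot: Each host in flake.nix now declares its role twice, once by picking `./common/server.nix` or `./common/workstation.nix` in `modules` and again via the `isServer`/`isWorkstation` pair in `specialArgs`, and the `mennos-server` hunk shows all three lines changing in lockstep; a mismatch (server module with `isWorkstation = true`) would evaluate without error. A small helper in the flake's `let` that takes a single role value and emits both the common module and the matching `specialArgs` would keep them in agreement and shrink the three near-identical blocks. The host name of the first flake hunk and the enclosing `nixosConfigurations` set are outside the hunk.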
@@ -21,23 +21,10 @@ boot.extraModulePackages = [ ]; fileSystems."/" = { - device = "/dev/disk/by-uuid/1356cd09-5c55-45b5-8b06-6aadc84cee37"; + device = "/dev/disk/by-uuid/010484c7-457e-4953-8712-5e81275e57f4"; fsType = "ext4"; }; - boot.initrd.luks.devices."luks-32bf1c42-e6ef-4fb8-9b76-8bb13b9ea155".device = "/dev/disk/by-uuid/32bf1c42-e6ef-4fb8-9b76-8bb13b9ea155"; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/CD6B-8910"; - fsType = "vfat"; - options = [ - "fmask=0077" - "dmask=0077" - ]; - }; - - swapDevices = [ ]; - # Enable OpenGL hardware.opengl = { enable = true; @@ -82,7 +69,7 @@ # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; - networking.hostName = "mennos-desktop"; + networking.hostName = "mennos-server"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/config/nixos/packages/common/default.nix b/config/nixos/packages/common/default.nix new file mode 100644 index 0000000..be0c2d9 --- /dev/null +++ b/config/nixos/packages/common/default.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + imports = [ ./virtualization.nix ]; +} diff --git a/config/nixos/virtualization.nix b/config/nixos/packages/common/virtualization.nix similarity index 100% rename from config/nixos/virtualization.nix rename to config/nixos/packages/common/virtualization.nix diff --git a/config/nixos/packages/default.nix b/config/nixos/packages/server/default.nix similarity index 100% rename from config/nixos/packages/default.nix rename to config/nixos/packages/server/default.nix diff --git a/config/nixos/packages/1password.nix b/config/nixos/packages/workstation/1password.nix similarity index 100% rename from config/nixos/packages/1password.nix rename to config/nixos/packages/workstation/1password.nix 
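Review bot: Removing `fileSystems."/boot"` together with the LUKS mapping leaves this host with only a root filesystem, while configuration.nix in the same commit still sets `boot.loader.systemd-boot.enable = true`, which needs the ESP mounted at `boot.loader.efi.efiSysMountPoint` (default `/boot`); unless the server's generated hardware configuration supplies that mount elsewhere, `nixos-rebuild switch` will fail to install the bootloader. Dropping `boot.initrd.luks.devices` also means the server's root is now unencrypted, which may be deliberate for unattended boot; if so, a comment such as `# Root is not encrypted: this host must boot unattended` next to `fileSystems."/"` records the decision. The hostname hunk later in this file needs no change.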
diff --git a/config/nixos/packages/workstation/default.nix b/config/nixos/packages/workstation/default.nix new file mode 100644 index 0000000..0ca94bc --- /dev/null +++ b/config/nixos/packages/workstation/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./steam.nix + ./1password.nix + ./flatpak.nix + ]; +} diff --git a/config/nixos/flatpak.nix b/config/nixos/packages/workstation/flatpak.nix similarity index 100% rename from config/nixos/flatpak.nix rename to config/nixos/packages/workstation/flatpak.nix diff --git a/config/nixos/packages/steam.nix b/config/nixos/packages/workstation/steam.nix similarity index 100% rename from config/nixos/packages/steam.nix rename to config/nixos/packages/workstation/steam.nix diff --git a/config/ssh/authorized_keys/mennos-gamingpc b/config/ssh/authorized_keys/mennos-gamingpc index a7083d7..f4d8226 100644 --- a/config/ssh/authorized_keys/mennos-gamingpc +++ b/config/ssh/authorized_keys/mennos-gamingpc @@ -1,2 +1,2 @@ -# This is the authrorized_keys file for the user mennos-desktop +# This is the authrorized_keys file for the user mennos-gamingpc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+sKpcREOUjwMMSzEWAso6830wbOi8kUxqpuXWw5gHr \ No newline at end of file diff --git a/config/ssh/authorized_keys/mennos-desktop b/config/ssh/authorized_keys/mennos-server similarity index 55% rename from config/ssh/authorized_keys/mennos-desktop rename to config/ssh/authorized_keys/mennos-server index a7083d7..c6cf11e 100644 --- a/config/ssh/authorized_keys/mennos-desktop +++ b/config/ssh/authorized_keys/mennos-server @@ -1,2 +1,2 @@ -# This is the authrorized_keys file for the user mennos-desktop +# This is the authrorized_keys file for the user mennos-server ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+sKpcREOUjwMMSzEWAso6830wbOi8kUxqpuXWw5gHr \ No newline at end of file diff --git a/setup.sh b/setup.sh index cdf1d28..c965134 100755 --- a/setup.sh +++ b/setup.sh 
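Review bot: Both rewritten comment lines in the authorized_keys files still spell `authrorized_keys`, and "for the user" is misleading because the filename is a hostname that config.yaml maps to `~/.ssh/authorized_keys` on that host; suggest `# authorized_keys for host mennos-gamingpc` and `# authorized_keys for host mennos-server`. Both files also lack a trailing newline, which sshd tolerates but which makes a later `>>` append produce a merged line. The same single ed25519 key is authorized on every host, so rotating it means editing each of these files; a comment naming the key's owner or device would make that easier to audit.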
@@ -1,37 +1,64 @@ #!/usr/bin/env bash -# Check if nixos-version is available -if [ -x "$(command -v nixos-version)" ]; then - echo "Detected NixOS, skipping Nix setup." - return -else - echo "NixOS not detected, installing Nix..." - sh <(curl -L https://nixos.org/nix/install) --daemon -fi +NIXOS_RELEASE=24.05 -# Check if home-manager is available -if [ -x "$(command -v home-manager)" ]; then - echo "Detected Home Manager, did you setup everything already!?" - echo "You should only run ./setup.sh once, re-running this could do damage." +# Check if $HOME/.dotfiles-setup exists, if so exit because setup has already been run +if [ -f $HOME/.dotfiles-setup ]; then + echo "Setup has already been run, exiting..." exit 0 fi -# Link .bashrc -rm -rf $HOME/.bashrc -ln -s $HOME/dotfiles/.bashrc $HOME/.bashrc +# Check if nixos-version is available +ensure_nixos() { + if [ -x "$(command -v nixos-version)" ]; then + echo "Detected NixOS, skipping Nix setup." + return + else + echo "NixOS not detected, installing Nix..." 
+ sh <(curl -L https://nixos.org/nix/install) --daemon + fi +} -# Install home-manager -sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz home-manager -sudo nix-channel --update -sudo nix-shell '' -A install -nix-shell '' -A install +setup_symlinks() { + # Link .bashrc + rm -rf $HOME/.bashrc + ln -s $HOME/dotfiles/.bashrc $HOME/.bashrc -# Link proper home-manager configs -rm -rf ~/.config/home-manager -ln -s $HOME/dotfiles/config/home-manager ~/.config/home-manager + # Link proper home-manager configs + rm -rf ~/.config/home-manager + ln -s $HOME/dotfiles/config/home-manager ~/.config/home-manager -# Link proper nixos configs -sudo ln -s $HOME/dotfiles/config/nixos/configuration.nix /etc/nixos/configuration.nix + # Link proper nixos configs + sudo ln -s $HOME/dotfiles/config/nixos/configuration.nix /etc/nixos/configuration.nix +} + +install_home_manager() { + sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-$NIXOS_RELEASE.tar.gz home-manager + sudo nix-channel --update + sudo nix-shell '' -A install + nix-shell '' -A install +} + +prepare_hostname() { + # Ask the user what hostname this machine should have + echo "Enter the hostname for this machine:" + read hostname + + # Validate hostname to ensure it's not empty, contains only alphanumeric characters, and is less than 64 characters + while [[ -z $hostname || ! $hostname =~ ^[a-zA-Z0-9]+$ || ${#hostname} -gt 64 ]]; do + echo "Invalid hostname. Please enter a valid hostname:" + read hostname + done + + # Set the hostname by dumping it into $HOME/.hostname + touch $HOME/.hostname + echo $hostname > $HOME/.hostname +} + +prepare_hostname +ensure_nixos +install_home_manager +setup_symlinks # Rebuild NixOS sudo nixos-rebuild switch 
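Review bot: The hostname validation in `prepare_hostname` rejects every hostname this repository actually uses, because `^[a-zA-Z0-9]+$` does not allow `-` and `mennos-laptop`, `mennos-server`, `mennos-gamingpc` and `homeserver-pc` all contain one, so a user following the README is stuck in the retry loop. Allow interior hyphens and cap at the 63-character label limit: `while [[ -z $hostname || ! $hostname =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$ || ${#hostname} -gt 63 ]]; do`, and use `read -r hostname` in both places so backslashes are not interpreted. The `''` argument to `nix-shell` in `install_home_manager` (also present on the old side) looks like `<home-manager>` lost in rendering; worth confirming in the actual file. The script runs without `set -euo pipefail` and continues past this hunk.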
@@ -39,6 +66,8 @@ sudo nixos-rebuild switch # Rebuild Home Manager cd $HOME/dotfiles/config/home-manager && NIXPKGS_ALLOW_UNFREE=1 home-manager switch +touch $HOME/.dotfiles-setup + echo "##############################################################" echo "# #" echo "# !!! LOGOUT & LOGIN OR RESTART BEFORE YOU CONTINUE !!! #"
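Review bot: `touch $HOME/.dotfiles-setup` is written unconditionally, even when the `home-manager switch` on the line above or the earlier `nixos-rebuild switch` failed, because the script has no `set -e` and neither exit status is checked; the guard added at the top of the file then refuses every later run with "Setup has already been run". Only create the marker after the rebuilds succeeded, e.g. `cd "$HOME/dotfiles/config/home-manager" && NIXPKGS_ALLOW_UNFREE=1 home-manager switch || exit 1` followed by `touch "$HOME/.dotfiles-setup"`. The script continues past this hunk.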