swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 13:19:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add policestation
Some checks are pending
Build and Deploy / build (push) Waiting to run
Details
Build and Deploy / deploy (push) Blocked by required conditions
Details
Flake check / Check flake (push) Waiting to run
Details

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-03-25 22:51:31 +01:00
parent 361f77a447
commit f22f61ccdb
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
5 changed files with 294 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.github/README.md vendored
View file

@ -185,6 +185,7 @@
|🪟 **chaostheater** | Asus Z97-A, i7-4790k, GTX970, 32GB RAM | Home Game Streaming Server (Windows/AtlasOS, not nix-managed) |
|📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone |
|💿 **drugstore** | - | NixOS-installer ISO for bootstrapping new hosts |
|💿 **policestation** | - | NixOS live ISO for generating cryptographic keys |
|💿 **brickroad** | - | Kexec tarball for bootstrapping low-memory machines |
|❔ **hotel** | - | Demo config for checking out this configuration |
|❔ **toto** | - | Helper configuration for testing purposes |

162
SwarselSystems.org
View file

@ -30,6 +30,9 @@ This configuration is part of a NixOS system that is for the most part fully dec
The literate configuration approach lets me explain my choices to my future self as well as you, the reader. I go to great lengths to explain the choices for all design steps that I take in order for me to pay due diligence in crafting my setup, and not simply copying big chunks of other peoples code. Also, this is very convenient to me as I only need to keep of (ideally) a single file to manage all of my configuration. I hope that this documentation will make it easier for beginners to get into NixOS (and, to some extent, Emacs) as I know it can be a struggle in the beginning.
** What I achieve with this project
:PROPERTIES:
:CUSTOM_ID: h:150ce3b3-20c6-4dc1-afcd-381cb9101719
:END:
[[https://github.com/Swarsel/.dotfiles/tree/main/files/topology/topology.png][file:./files/topology/topology_small.png]]
@ -318,6 +321,7 @@ Here I give a brief overview over the host machines that I am using. This is hel
|🪟 **chaostheater** | Asus Z97-A, i7-4790k, GTX970, 32GB RAM | Home Game Streaming Server (Windows/AtlasOS, not nix-managed) |
|📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone |
|💿 **drugstore** | - | NixOS-installer ISO for bootstrapping new hosts |
|💿 **policestation** | - | NixOS live ISO for generating cryptographic keys |
|💿 **brickroad** | - | Kexec tarball for bootstrapping low-memory machines |
|❔ **hotel** | - | Demo config for checking out this configuration |
|❔ **toto** | - | Helper configuration for testing purposes |
@ -3385,8 +3389,19 @@ This is an improvement to what I did earlier, where I did not use =nixos-generat
inputs.home-manager.nixosModules.home-manager
"${self}/install/installer-config.nix"
];
format =
{
format = {
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
};
keygen = inputs.nixos-generators.nixosGenerate {
inherit pkgs system;
modules = [
inputs.home-manager.nixosModules.home-manager
"${self}/install/keygen-config.nix"
];
format = {
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
@ -8064,8 +8079,132 @@ Steps to recover using live ISO:
};
}
#+end_src
**** Policestation (live ISO key generator config)
:PROPERTIES:
:CUSTOM_ID: h:ab5924ed-9c36-4bda-9b90-d6ae1143f5c8
:END:
This live ISO config provides a secure environment for setting up cryptographic keys. All networking capabilities are turned off and only necessary tools for generating the keys are enabled.
#+begin_src nix-ts :tangle install/keygen-config.nix
{ config, pkgs, lib, ... }:
{
config = {
home-manager.users.nixos = {
home = {
inherit (config.system) stateVersion;
username = "nixos";
homeDirectory = "/home/nixos";
keyboard.layout = "us";
};
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
enableSshSupport = true;
pinentry = {
package = pkgs.pinentry-curses;
program = "pinentry-curses";
};
defaultCacheTtl = 60;
maxCacheTtl = 120;
};
programs.gpg = {
enable = true;
};
};
programs = {
ssh.startAgent = false;
gnupg = {
dirmngr.enable = true;
agent = {
enable = true;
enableSSHSupport = true;
};
};
};
swapDevices = [ ];
services = {
pcscd.enable = true;
udev.packages = [ pkgs.yubikey-personalization ];
getty.autologinUser = "nixos";
};
nix = {
channel.enable = false;
settings.experimental-features = [ "nix-command" "flakes" ];
};
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
install -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp /home/nixos/gpg.conf "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp /home/nixos/gpg-agent.conf "$GNUPGHOME/gpg-agent.conf"
'';
environment.systemPackages = with pkgs; [
paperkey
pgpdump
parted
cryptsetup
yubikey-manager
yubikey-personalization
pcsc-tools
];
boot = {
initrd.network.enable = false;
tmp.cleanOnBoot = true;
kernel.sysctl = {
"kernel.unprivileged_bpf_disabled" = 1;
};
};
networking = {
hostName = "policestation";
resolvconf.enable = false;
dhcpcd.enable = false;
dhcpcd.allowInterfaces = [];
interfaces = {};
firewall.enable = true;
useDHCP = false;
useNetworkd = false;
wireless.enable = false;
networkmanager.enable = lib.mkForce false;
};
users.users.nixos = {
isNormalUser = true;
extraGroups = [ "wheel" ];
initialHashedPassword = "";
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
systemd = {
targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
system.stateVersion = lib.mkForce "23.05";
};
}
#+end_src
**** Brick Road (kexec image)
@ -10415,6 +10554,9 @@ Here I disable global completion to prevent redundant compinit calls and cache i
}
#+end_src
***** nautilus
:PROPERTIES:
:CUSTOM_ID: h:e31fa37e-220f-4e97-89ae-6a5219309a05
:END:
This enabled the right-click context menu entry in nautilus that allows to open a folder in a terminal - I never use this to be honest, but I feel like the file explorer would not be complete otherwise.
@ -11430,6 +11572,9 @@ Here we just define some aliases for rebuilding the system, and we allow some in
#+end_src
**** Persistent user/group IDs
:PROPERTIES:
:CUSTOM_ID: h:2ae284ba-423e-4181-9447-a45ff7187591
:END:
When using microvms, I opted to use ZFS with it, and mount datasets into the microvms. That however means that we need to make sure that userids stay consistent between microvm reboots. This could be done by persisting =/var/lib/nixos=, but even then it would not be guaranteed that all UIDs/GIDs match up with the hypervising host, which would not be a big problem, but I like to keep it consistent anyways.
@ -20318,6 +20463,9 @@ Some standard options that should be set for every microvm guest. We set the def
#+end_src
**** microvm-guest-shares
:PROPERTIES:
:CUSTOM_ID: h:1ba0d688-e20c-418f-bb73-6c73662e20e9
:END:
Some standard options that should be set for every microvm guest. We set the default
#+begin_src nix-ts :tangle modules/nixos/optional/microvm-guest-shares.nix
@ -25572,6 +25720,9 @@ Currently, I am too lazy to explain every option here, but most of it is very se
#+end_src
**** Shikane
:PROPERTIES:
:CUSTOM_ID: h:6b44b706-bda6-4238-aa97-84ec91b2718a
:END:
#+begin_src nix-ts :tangle modules/home/common/shikane.nix
{ lib, config, confLib, ... }:
@ -25704,6 +25855,7 @@ When setting up a new machine:
enable = true;
scdaemonSettings = {
disable-ccid = true; # prevent conflicts between pcscd and scdameon
pcsc-shared = true; # as long as only one key is used, this prevents key from not being detected sometimes
};
publicKeys = [
{
@ -26390,6 +26542,9 @@ This service changes the screen hue at night. I am not sure if that really does
#+end_src
**** Khal
:PROPERTIES:
:CUSTOM_ID: h:771a6e35-9299-4df0-8d07-0a3443099484
:END:
#+begin_src nix-ts :tangle modules/home/common/khal.nix
{ lib, config, pkgs, ... }:
@ -39399,6 +39554,9 @@ jobs:
#+end_src
** Private topology flake
:PROPERTIES:
:CUSTOM_ID: h:7967d45f-5b37-4580-8a4c-fa5ba0ce7a25
:END:
This flake is automatically loaded as an override when building the repo topology using the alias =build-topology= defined in [[#h:91dd4cc4-aada-4e74-be23-0cc69ed85af5][zsh]].

116
install/keygen-config.nix Normal file
View file

@ -0,0 +1,116 @@
{ config, pkgs, lib, ... }:
{
config = {
home-manager.users.nixos = {
home = {
inherit (config.system) stateVersion;
username = "nixos";
homeDirectory = "/home/nixos";
keyboard.layout = "us";
};
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
enableSshSupport = true;
pinentry = {
package = pkgs.pinentry-curses;
program = "pinentry-curses";
};
defaultCacheTtl = 60;
maxCacheTtl = 120;
};
programs.gpg = {
enable = true;
};
};
programs = {
ssh.startAgent = false;
gnupg = {
dirmngr.enable = true;
agent = {
enable = true;
enableSSHSupport = true;
};
};
};
swapDevices = [ ];
services = {
pcscd.enable = true;
udev.packages = [ pkgs.yubikey-personalization ];
getty.autologinUser = "nixos";
};
nix = {
channel.enable = false;
settings.experimental-features = [ "nix-command" "flakes" ];
};
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
install -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp /home/nixos/gpg.conf "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp /home/nixos/gpg-agent.conf "$GNUPGHOME/gpg-agent.conf"
'';
environment.systemPackages = with pkgs; [
paperkey
pgpdump
parted
cryptsetup
yubikey-manager
yubikey-personalization
pcsc-tools
];
boot = {
initrd.network.enable = false;
tmp.cleanOnBoot = true;
kernel.sysctl = {
"kernel.unprivileged_bpf_disabled" = 1;
};
};
networking = {
hostName = "policestation";
resolvconf.enable = false;
dhcpcd.enable = false;
dhcpcd.allowInterfaces = [ ];
interfaces = { };
firewall.enable = true;
useDHCP = false;
useNetworkd = false;
wireless.enable = false;
networkmanager.enable = lib.mkForce false;
};
users.users.nixos = {
isNormalUser = true;
extraGroups = [ "wheel" ];
initialHashedPassword = "";
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
systemd = {
targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
system.stateVersion = lib.mkForce "23.05";
};
}

1
modules/home/common/gpg-agent.nix
View file

@ -30,6 +30,7 @@ in
enable = true;
scdaemonSettings = {
disable-ccid = true; # prevent conflicts between pcscd and scdameon
pcsc-shared = true; # as long as only one key is used, this prevents key from not being detected sometimes
};
publicKeys = [
{

21
nix/iso.nix
View file

@ -11,11 +11,22 @@
inputs.home-manager.nixosModules.home-manager
"${self}/install/installer-config.nix"
];
format =
{
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
format = {
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
};
keygen = inputs.nixos-generators.nixosGenerate {
inherit pkgs system;
modules = [
inputs.home-manager.nixosModules.home-manager
"${self}/install/keygen-config.nix"
];
format = {
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
};
# nix build --print-out-paths --no-link .#pnap-kexec --system <system>