diff --git a/.sops.yaml b/.sops.yaml
index 2fea209..5d92f4a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,9 +2,11 @@ keys:
 - &jmug age1psyctjy329r9v07uqu72vkjl06f26f0epvh6zxejdkwp3m0tnyvq88rnr4 # This key is in cold storage.
 - &hosts:
 - &nixlap age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp
+ - &asahi age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5
 creation_rules:
 - path_regex: secrets.yaml$
 key_groups:
 - age:
 - *jmug
 - *nixlap
+ - *asahi
diff --git a/flake.lock b/flake.lock
index ee4f169..fd87e40 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,6 +1,41 @@
 {
 "nodes": {
+ "apple-silicon": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1747514947,
+ "narHash": "sha256-irRDuerdVu495nBgkhCUjCi2mRpPig0F6cKMoIOfScA=",
+ "owner": "tpwrules",
+ "repo": "nixos-apple-silicon",
+ "rev": "db46177593e24f68e802455875850cdeaf49eb1c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tpwrules",
+ "ref": "release-2025-05-17",
+ "repo": "nixos-apple-silicon",
+ "type": "github"
+ }
+ },
 "flake-compat": {
+ "locked": {
+ "lastModified": 1688025799,
+ "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
+ "owner": "nix-community",
+ "repo": "flake-compat",
+ "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
 "flake": false,
 "locked": {
 "lastModified": 1733328505,
@@ -51,7 +86,7 @@
 },
 "ghostty": {
 "inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
 "flake-utils": "flake-utils",
 "nixpkgs-stable": "nixpkgs-stable",
 "nixpkgs-unstable": "nixpkgs-unstable",
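Review bot: The new `&asahi` recipient is appended to the single key group under `path_regex: secrets.yaml$`, so the laptop can now decrypt every entry in `secrets.yaml`, including `yubico.jmug`, while the asahi configuration in this commit only references `wireless.env` (whether `../common/core` needs the rest is not visible here). If that secret is not meant to exist on the laptop, a second creation rule with its own `path_regex` and a per-host secrets file keeps the set of decryptable material per machine rather than per repository. A trailing comment on the new anchor in the style of the `&jmug` line, naming the machine and where its private half lives, e.g. `# hosts/asahi; private key is host-local — confirm`, would also make later recipient audits easier.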
@@ -153,16 +188,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1748162331,
- "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
- "owner": "NixOS",
+ "lastModified": 1747327360,
+ "narHash": "sha256-LSmTbiq/nqZR9B2t4MRnWG7cb0KVNU70dB7RT4+wYK4=",
+ "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+ "rev": "e06158e58f3adee28b139e9c2bcfcc41f8625b46",
 "type": "github"
 },
 "original": {
- "owner": "NixOS",
- "ref": "nixos-25.05",
+ "owner": "nixos",
+ "ref": "nixos-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -247,14 +282,31 @@
 "type": "github"
 }
 },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1748162331,
+ "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
+ "apple-silicon": "apple-silicon",
 "ghostty": "ghostty",
 "home-manager": "home-manager",
 "nix-darwin": "nix-darwin",
 "nixgl": "nixgl",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "nixpkgs-darwin": "nixpkgs-darwin",
 "nixpkgs-msft-go": "nixpkgs-msft-go",
 "nixpkgs-unstable": "nixpkgs-unstable_2",
diff --git a/flake.nix b/flake.nix
index bdf0987..aba4f04 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,7 +19,9 @@
 url = "github:mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-
+ apple-silicon = {
+ url = "github:tpwrules/nixos-apple-silicon/release-2025-05-17";
+ };
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 home-manager = {
 url = "github:nix-community/home-manager/release-25.05";
@@ -36,6 +38,7 @@
 nixpkgs-unstable,
 nixpkgs-msft-go,
 nix-darwin,
+ apple-silicon,
 nixos-hardware,
 home-manager,
 ghostty,
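Review bot: The new `apple-silicon` input in flake.nix declares no `inputs.nixpkgs.follows`, unlike the `sops-nix` input just above it, and the lock in this same commit shows the consequence: a second nixpkgs (`nixos-unstable`, rev `e06158e`) enters the closure under the `nixpkgs` node while the repo's own `nixos-25.05` pin is renamed to `nixpkgs_2`. That doubles the nixpkgs trees to track for advisories and updates, and it is easy to overlook because `nix flake update` will keep refreshing both. If `nixos-apple-silicon` genuinely needs its own nixpkgs (its kernel and GPU overlays may), a comment on the input saying so would stop the next reader from "fixing" it; otherwise add `inputs.nixpkgs.follows = "nixpkgs";` inside the block and relock.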
@@ -60,6 +63,22 @@
 }
 ];
 };
+ asahi = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ specialArgs = {
+ inherit inputs apple-silicon ghostty;
+ };
+ modules = [
+ ./hosts/asahi/configuration.nix
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.extraSpecialArgs = { inherit inputs; };
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.jmug = import ./hosts/asahi/home.nix;
+ }
+ ];
+ };
 devbox = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {
diff --git a/hosts/asahi/configuration.nix b/hosts/asahi/configuration.nix
new file mode 100644
index 0000000..0c8f9dd
--- /dev/null
+++ b/hosts/asahi/configuration.nix
@@ -0,0 +1,176 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config,
+ lib,
+ pkgs,
+ apple-silicon,
+ ghostty,
+ ...
+}:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ apple-silicon.nixosModules.apple-silicon-support
+ # Sops and other stuff.
+ ../common/core
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = false;
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ networking.hostName = "asahi-nix"; # Define your hostname.
+ networking.wireless = {
+ enable = true;
+ secretsFile = config.sops.secrets."wireless.env".path;
+ networks = {
+ "UG_LivingRoom_5G" = {
+ pskRaw = "ext:home_psk";
+ };
+ };
+ };
+
+ hardware.asahi = {
+ peripheralFirmwareDirectory = ./firmware;
+ useExperimentalGPUDriver = true;
+ experimentalGPUInstallMode = "overlay";
+ };
+
+ # Set your time zone.
+ time.timeZone = "America/Los_Angeles";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # useXkbConfig = true; # use xkb.options in tty.
+ # };
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+
+ # Configure keymap in X11
+ # services.xserver.xkb.layout = "us";
+ # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # services.pulseaudio.enable = true;
+ # OR
+ # services.pipewire = {
+ # enable = true;
+ # pulse.enable = true;
+ # };
+
+ # This doesn't seem to be doing anything in hyprland because it configure libinput directly.
+ # I'll leave it here just in case, but doesn't seem necessary.
+ services.libinput = {
+ enable = true;
+ };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.alice = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # packages = with pkgs; [
+ # tree
+ # ];
+ # };
+ users.users.jmug = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ packages = with pkgs; [
+ git
+ ];
+ shell = pkgs.zsh;
+ };
+ programs.zsh.enable = true;
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ };
+
+ services.keyd = {
+ enable = true;
+ keyboards.colemakdhm = {
+ ids = [ "05ac:0351:6f083222" ];
+ settings = {
+ main = {
+ e = "f";
+ r = "p";
+ t = "b";
+ y = "j";
+ u = "l";
+ i = "u";
+ o = "y";
+ p = ";";
+ s = "r";
+ d = "s";
+ f = "t";
+ h = "m";
+ j = "n";
+ k = "e";
+ l = "i";
+ ";" = "o";
+ v = "d";
+ b = "v";
+ n = "k";
+ m = "h";
+ capslock = "leftcontrol";
+ };
+ };
+ };
+ };
+
+ # List packages installed in system profile.
+ # You can use https://search.nixos.org/ to find more packages (and options).
+ environment.systemPackages = with pkgs; [
+ keyd
+ kitty
+ htop
+ # Terminal
+ ghostty.packages.aarch64-linux.default
+ ];
+
+ fonts = {
+ fontDir.enable = true;
+ packages = with pkgs; [
+ nerd-fonts.bigblue-terminal
+ nerd-fonts.fira-code
+ ];
+ };
+
+ programs.hyprland = {
+ enable = true;
+ xwayland.enable = true;
+ };
+
+ # This is not really enabling X11, bad naming.
+ services.xserver = {
+ enable = true;
+ displayManager.gdm = {
+ enable = true;
+ wayland = true;
+ };
+ };
+
+ # USB devices.
+ services.devmon.enable = true;
+ services.gvfs.enable = true;
+ services.udisks2.enable = true;
+
+ system.stateVersion = "25.05"; # Don't change!!!
+}
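Review bot: `hardware.asahi.peripheralFirmwareDirectory = ./firmware;` pulls the two binary blobs this commit adds (`hosts/asahi/firmware/all_firmware.tar.gz` and `kernelcache.release.mac14g`, both committed with mode 100755) into the repository and the Nix store; they are proprietary firmware that cannot be reviewed in a diff, and nothing records where they were extracted from or what they should hash to. Keeping them out of version control (point the option at a gitignored path, or at the copy the installer leaves on the ESP if that is where these came from) and noting the extraction date and a checksum in a short comment next to the option avoids both the redistribution question and an unreviewable binary in the history. Separately, `users.users.jmug` is in `wheel` with no declared password source, so a rebuilt machine depends on a manual `passwd` step before anyone can log in; `hashedPasswordFile = config.sops.secrets."<secret-name>".path;` with a new sops entry would make that reproducible. Minor: `ghostty.packages.aarch64-linux.default` repeats the system string from flake.nix, and `ghostty.packages.${pkgs.stdenv.hostPlatform.system}.default` tracks it instead.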
diff --git a/hosts/asahi/firmware/all_firmware.tar.gz b/hosts/asahi/firmware/all_firmware.tar.gz
new file mode 100755
index 0000000..782306d
Binary files /dev/null and b/hosts/asahi/firmware/all_firmware.tar.gz differ
diff --git a/hosts/asahi/firmware/kernelcache.release.mac14g b/hosts/asahi/firmware/kernelcache.release.mac14g
new file mode 100755
index 0000000..72c731f
Binary files /dev/null and b/hosts/asahi/firmware/kernelcache.release.mac14g differ
diff --git a/hosts/asahi/hardware-configuration.nix b/hosts/asahi/hardware-configuration.nix
new file mode 100644
index 0000000..d82c15e
--- /dev/null
+++ b/hosts/asahi/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "usb_storage" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/b5800f37-1df2-4d6c-b2c7-7c274d56e938";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/547D-181B";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/e4138eb3-f8cf-436f-9a0f-3c67d3095582"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/hosts/asahi/home.nix b/hosts/asahi/home.nix
new file mode 100644
index 0000000..c50d34f
--- /dev/null
+++ b/hosts/asahi/home.nix
@@ -0,0 +1,87 @@
+{ lib, config, pkgs, ...} :
+let
+ pathToKeys = ../common/keys/yubi;
+ yubiKeys =
+ lib.lists.forEach (builtins.attrNames (builtins.readDir pathToKeys))
+ (key: lib.substring 0 (lib.stringLength key - lib.stringLength ".pub") key); # Remove .pub suffix.
+ yubikeyPublicKeyEntries = lib.attrsets.mergeAttrsList (
+ lib.lists.map
+ (key: { ".ssh/${key}.pub".source = "${pathToKeys}/${key}.pub"; })
+ yubiKeys
+ );
+in
+{
+ imports = [
+ ../../home-modules/nvim.nix
+ ../../home-modules/zsh.nix
+ ../../home-modules/git.nix
+ ../../home-modules/lazygit.nix
+ ../../home-modules/starship.nix
+ ../../home-modules/ghostty-config.nix
+ ../../home-modules/sops.nix
+ ];
+
+ home = {
+ username = "jmug";
+ homeDirectory = "/home/jmug";
+
+ packages = with pkgs; [
+ # Secret management.
+ age
+ sops
+ ];
+
+ file = {} // yubikeyPublicKeyEntries;
+
+ stateVersion = "25.05"; # Do not change!!!
+ };
+
+ programs.ssh = {
+ enable = true;
+ addKeysToAgent = "yes";
+ matchBlocks = {
+ "git" = {
+ host = "github.com";
+ user = "git";
+ identityFile = [
+ "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
+ "/home/jmug/.ssh/id_jmug" # Fallback key with passphrase.
+ ];
+ };
+ "forgejo" = {
+ host = "code.jmug.me";
+ user = "forgejo";
+ identityFile = [
+ "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
+ "/home/jmug/.ssh/id_jmug" # Fallback key with passphrase.
+ ];
+ };
+ wsl = {
+ user = "jmug";
+ hostname = "192.168.10.241";
+ port = 69;
+ forwardAgent = true;
+ identityFile = [
+ "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
+ ];
+ };
+ ws = {
+ user = "jmug";
+ hostname = "98.59.213.212";
+ port = 69;
+ forwardAgent = true;
+ identityFile = [
+ "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
+ ];
+ };
+ };
+ };
+
+ programs.zsh.shellAliases = {
+ # TODO: Interpolate the name of the host here.
+ nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#asahi"; # parametrize this as home dir.
+ };
+
+ # Let Home Manager install and manage itself.
+ programs.home-manager.enable = true;
+}
diff --git a/secrets.yaml b/secrets.yaml
index f8cfed5..af64b5d 100644
--- a/secrets.yaml
+++ b/secrets.yaml
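Review bot: `forwardAgent = true;` on the `wsl` and `ws` match blocks lets whoever controls those hosts sign with the forwarded YubiKey identity for as long as the session is open, which is a larger grant than the blocks need for plain login; forwarding is only worth it when jumping onward from those machines, so either drop the line where that is not the case or scope the offer with `identitiesOnly = true;` so only the listed `identityFile` is presented rather than every key the agent holds. Separately, `yubiKeys` trims the last four characters from every entry of `../common/keys/yubi` whether or not it ends in `.pub`, so a stray file there yields a mangled `.ssh/<name>.pub` entry; wrapping the directory listing in `lib.filter (lib.hasSuffix ".pub")` and using `lib.removeSuffix ".pub"` in place of the `lib.substring` arithmetic makes the intent explicit and the result robust. The hunk ends before the alias definition, so the enclosing `programs.zsh.shellAliases` block continues outside it.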
@@ -6,31 +6,35 @@ yubico:
 jmug: ENC[AES256_GCM,data:Z42zNo1DaQutPIfE+0PEAK5F1fmspJp6jmosHSHsUN6dSG4zY93Tdmvisxg0hFUbuMlYg/06z3bsagFY4q+9Eg6qCLqzj1Uzs3VA0vEP+N0UlR5YZvneWzhnw2KYaPSJ/dsxt9tSfJO89P5ffeJgfSds2hLRWngm0agkmZ1P9lRbY0iMTUGl9se4V/anydwH69GQLyul5EtXHr9KZyU2pkT86zQSHGqiiMm85TfyixTWi/PWFl1jtDlyUbvN2HZYFGdQ6O0E,iv:TYel/hCVAMQL1rqok/1YMqcGFuXmsvkwUcA988VULW8=,tag:dnPQiY5i3oHbsC9zdXvY4w==,type:str]
 wireless.env: ENC[AES256_GCM,data:HpwPUp7SDUPwWzXzOaWBT605aV8d3fD78dIgl4hdym1O1b2tVOs4zgO77n/DmXNugHjybUWpNZN+R2uiseawyufv5ndTZJrFTK4=,iv:Pp1MyegxAi5AhyG1f9f2+jAa2r0jKDYTeiA27KPlOt0=,tag:Wnt//h2dDxApdKortKPVgg==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1psyctjy329r9v07uqu72vkjl06f26f0epvh6zxejdkwp3m0tnyvq88rnr4
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTndyWUdmQlJkMVgzbnNH
- VWw1MVdHVk1BQWxFcWQ2cm9IMkRsUXJua2hjCkk0aHo2dDhMWjB4ODM2b3NVRmZI
- Um52b3llWUxvR3BMVjBRVU5PWVFjcU0KLS0tIFJ1cExBUUc2cmMrdlAzZlRtTHJi
- a1ppNndmVk5lUzFQNjZBN2V3THJRUUkK2u/VrhUakNXLWuj8edN3IQzEusPuKfXr
- 5DxMUAZAUpkMudfxq7JH9NPVR/swp2QrDxYElWQMqkad2+SRbQy/2Q==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTStDSGFqeFlsVDZzb0ZJ
+ d0Y2SGNvZ1NTODVJRitPdm5LcVVsMWNMWkVJCm5oNDJPdFUwNDMrRTh1Y25Tbkt3
+ eFlyb3hyOVNid3hpQUFvTWF4S1JKNlUKLS0tIDFYL3dURTNRYzlmZXI2SU9xeDY0
+ SnYvQ3JHMUM2UzIvVFlSWUI2ZmE1eDgKWgwW46FDQvtgHQrNTiLfJ1K+KiifvJfN
+ s8LI1fAcjrQPaDLuNwFt3ddxqHYJaJqmviQpUAY50RUH/CxvLp1ALw==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeElKbEY2dG5iSE5USVIw
- Ky9FUzR3aXhEKzZ2V2ZOREcreVUrVnBSaTJjCjNja0tMalpDN2I3b0tIVThXSi9N
- L0lkMUx6NGhiWnB4cTIrSTVkTmxUZ28KLS0tIDNwckNGT0I0R09SMmN5MkUwMmlz
- TTBza2VncEc3T3l0K2ZZNlFYWEJEOTgKB9btrywDe8vZtJuerk+Fm7jE4H/zAil5
- XvAToUH2HQIMf7bjLVafXG22SKDt4ya6k9yYN63VORp6m7wkimLjPQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMVQ4M3lGa1o5V0tzcUhy
+ RlhnVkloTmRPNkZlUEQyN1lObWI0YitYM3prCjV1WTRSR3RLemQvcDFVT213YlQr
+ aUJqT0ZrOW54MHI3bEV0bFVyL3E2ZkkKLS0tICsrcklYKzd6Nkx1MXk1aVRkYS9M
+ MHFpaGszWG9CbWxUbEVPRnVIcWtBZDAK9PsO4N0T64G4hX6kT9gcg6q9g5JSMDDL
+ Xs7LgZ9M1eB/DJEO5R4ZtcnL9hn4nyEEs+RQfsrXa4hkOS/AZe80DA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQjUxTWJFWi9YcE8vTkVz
+ dWNWYm1MZ1hKZmN0SVlJbm9HMWtPTDN1S0dvCml5Uzg3b1hjaHY4d1ptVGNiOFRj
+ K3lIWk5LRGJlRTFDdGlEaWUwcnF4Q2cKLS0tIGVkZ2FUY2l5ZHNnbENVSUlmSWFH
+ YkxFVzllZUNZazlVaksrL25MZWdxbUEKA7MEFMTjgAOXXHTIFo5hImgAZ1Zkrq++
+ viz9aCwATnlp0uw+Xqg+H2dS6Td47kt8rqXbaD0XJ4+HYydJJUG6Ag==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2025-05-10T21:37:37Z"
 mac: ENC[AES256_GCM,data:MV4ieP1PBX47WkQKolTnFUUwLHcRKyo3yJcAIXra7kclkfeKHK+P1EWjd4VzQ2ID6FwuS84xrtGBALiFS8phemNZrkf5oz9Zpmrtr4ivIKAmn5QDq8lMS2K6OA6ylUZ4okKSX3imvmGnftGk7uS9Py+61pccrWY6ZPwSNxOe7IA=,iv:/ChdUXf5kUW0SLfsrH75kndiyssRSrgNWCuJXLkiRN4=,tag:PiCpAWbWG+ADVmpEg3rNPQ==,type:str]
- pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4