[Asahi] Add basic config.

Signed-off-by: jmug <u.g.a.mariano@gmail.com>
Mariano Uvalle 2025-05-30 21:29:59 -07:00
parent fb9c0c4bd4
commit 4ad29acdc1
9 changed files with 403 additions and 24 deletions


@ -2,9 +2,11 @@ keys:
- &jmug age1psyctjy329r9v07uqu72vkjl06f26f0epvh6zxejdkwp3m0tnyvq88rnr4 # This key is in cold storage.
- &hosts:
- &nixlap age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp
- &asahi age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *jmug
- *nixlap
- *asahi
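Review bot: Adding `*asahi` to the single `secrets.yaml$` rule lets the new host key decrypt every value in that file, not only the Wi-Fi credentials that this host's configuration reads. The secrets file changed in this commit also carries an entry under `yubico`, so a compromise of the laptop's age key would expose that entry too; whether asahi needs it is not visible on this page. Consider a separate rule and file for host-scoped secrets, for example (path constructed for illustration) `- path_regex: hosts/asahi/secrets\.yaml$` with only `*jmug` and `*asahi` in its key group. The unescaped `.` in the existing regex matches any character, so `secrets\.yaml$` is the stricter spelling.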

68
flake.lock generated

@ -1,6 +1,41 @@
{
"nodes": {
"apple-silicon": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1747514947,
"narHash": "sha256-irRDuerdVu495nBgkhCUjCi2mRpPig0F6cKMoIOfScA=",
"owner": "tpwrules",
"repo": "nixos-apple-silicon",
"rev": "db46177593e24f68e802455875850cdeaf49eb1c",
"type": "github"
},
"original": {
"owner": "tpwrules",
"ref": "release-2025-05-17",
"repo": "nixos-apple-silicon",
"type": "github"
}
},
"flake-compat": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1733328505,
@ -51,7 +86,7 @@
},
"ghostty": {
"inputs": {
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils",
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable",
@ -153,16 +188,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1748162331,
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
"owner": "NixOS",
"lastModified": 1747327360,
"narHash": "sha256-LSmTbiq/nqZR9B2t4MRnWG7cb0KVNU70dB7RT4+wYK4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
"rev": "e06158e58f3adee28b139e9c2bcfcc41f8625b46",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -247,14 +282,31 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1748162331,
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"apple-silicon": "apple-silicon",
"ghostty": "ghostty",
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nixgl": "nixgl",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-msft-go": "nixpkgs-msft-go",
"nixpkgs-unstable": "nixpkgs-unstable_2",


@ -19,7 +19,9 @@
url = "github:mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
apple-silicon = {
url = "github:tpwrules/nixos-apple-silicon/release-2025-05-17";
};
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
@ -36,6 +38,7 @@
nixpkgs-unstable,
nixpkgs-msft-go,
nix-darwin,
apple-silicon,
nixos-hardware,
home-manager,
ghostty,
@ -60,6 +63,22 @@
}
];
};
asahi = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {
inherit inputs apple-silicon ghostty;
};
modules = [
./hosts/asahi/configuration.nix
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = { inherit inputs; };
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.jmug = import ./hosts/asahi/home.nix;
}
];
};
devbox = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
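Review bot: The new `apple-silicon` input has no `inputs.nixpkgs.follows`, unlike `sops-nix` just above it, and the lock file in this commit shows the consequence: a second nixpkgs node on `nixos-unstable` is locked next to the `nixos-25.05` one the root uses. That is one more package set to audit and keep patched on every lock update. If the separate pin is deliberate (upstream may need its own nixpkgs for its kernel builds, which cannot be verified from this page), record it in a comment such as `# No nixpkgs.follows: upstream pins the nixpkgs it is tested against.`; otherwise add `inputs.nixpkgs.follows = "nixpkgs";`. The input is added in the first hunk of this file, and the enclosing `inputs` attribute set starts outside it.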


@ -0,0 +1,176 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config,
lib,
pkgs,
apple-silicon,
ghostty,
...
}:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
apple-silicon.nixosModules.apple-silicon-support
# Sops and other stuff.
../common/core
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = false;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
networking.hostName = "asahi-nix"; # Define your hostname.
networking.wireless = {
enable = true;
secretsFile = config.sops.secrets."wireless.env".path;
networks = {
"UG_LivingRoom_5G" = {
pskRaw = "ext:home_psk";
};
};
};
hardware.asahi = {
peripheralFirmwareDirectory = ./firmware;
useExperimentalGPUDriver = true;
experimentalGPUInstallMode = "overlay";
};
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# services.pulseaudio.enable = true;
# OR
# services.pipewire = {
# enable = true;
# pulse.enable = true;
# };
# This doesn't seem to be doing anything in hyprland because it configure libinput directly.
# I'll leave it here just in case, but doesn't seem necessary.
services.libinput = {
enable = true;
};
# Define a user account. Don't forget to set a password with passwd.
# users.users.alice = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# tree
# ];
# };
users.users.jmug = {
isNormalUser = true;
extraGroups = [ "wheel" ];
packages = with pkgs; [
git
];
shell = pkgs.zsh;
};
programs.zsh.enable = true;
programs.neovim = {
enable = true;
defaultEditor = true;
};
services.keyd = {
enable = true;
keyboards.colemakdhm = {
ids = [ "05ac:0351:6f083222" ];
settings = {
main = {
e = "f";
r = "p";
t = "b";
y = "j";
u = "l";
i = "u";
o = "y";
p = ";";
s = "r";
d = "s";
f = "t";
h = "m";
j = "n";
k = "e";
l = "i";
";" = "o";
v = "d";
b = "v";
n = "k";
m = "h";
capslock = "leftcontrol";
};
};
};
};
# List packages installed in system profile.
# You can use https://search.nixos.org/ to find more packages (and options).
environment.systemPackages = with pkgs; [
keyd
kitty
htop
# Terminal
ghostty.packages.aarch64-linux.default
];
fonts = {
fontDir.enable = true;
packages = with pkgs; [
nerd-fonts.bigblue-terminal
nerd-fonts.fira-code
];
};
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# This is not really enabling X11, bad naming.
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
wayland = true;
};
};
# USB devices.
services.devmon.enable = true;
services.gvfs.enable = true;
services.udisks2.enable = true;
system.stateVersion = "25.05"; # Don't change!!!
}
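Review bot: `services.devmon.enable = true;` near the end of the file turns on automatic mounting of removable media, so any USB storage plugged into the laptop gets its filesystem parsed by the kernel without a user decision. `services.udisks2` and `services.gvfs` on the following lines already allow mounting on demand from a file manager or `udisksctl`, so the automounter can be dropped: `# services.devmon.enable = true; # no automount; mount explicitly via udisks2`. If automounting is wanted, a comment recording that choice would help the next reader. Separately, `config.sops.secrets."wireless.env"` has to be declared somewhere under `../common/core`, which is not part of this page.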

Binary file not shown.

Binary file not shown.


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b5800f37-1df2-4d6c-b2c7-7c274d56e938";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/547D-181B";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/e4138eb3-f8cf-436f-9a0f-3c67d3095582"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

87
hosts/asahi/home.nix Normal file

@ -0,0 +1,87 @@
{ lib, config, pkgs, ...} :
let
pathToKeys = ../common/keys/yubi;
yubiKeys =
lib.lists.forEach (builtins.attrNames (builtins.readDir pathToKeys))
(key: lib.substring 0 (lib.stringLength key - lib.stringLength ".pub") key); # Remove .pub suffix.
yubikeyPublicKeyEntries = lib.attrsets.mergeAttrsList (
lib.lists.map
(key: { ".ssh/${key}.pub".source = "${pathToKeys}/${key}.pub"; })
yubiKeys
);
in
{
imports = [
../../home-modules/nvim.nix
../../home-modules/zsh.nix
../../home-modules/git.nix
../../home-modules/lazygit.nix
../../home-modules/starship.nix
../../home-modules/ghostty-config.nix
../../home-modules/sops.nix
];
home = {
username = "jmug";
homeDirectory = "/home/jmug";
packages = with pkgs; [
# Secret management.
age
sops
];
file = {} // yubikeyPublicKeyEntries;
stateVersion = "25.05"; # Do not change!!!
};
programs.ssh = {
enable = true;
addKeysToAgent = "yes";
matchBlocks = {
"git" = {
host = "github.com";
user = "git";
identityFile = [
"/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
"/home/jmug/.ssh/id_jmug" # Fallback key with passphrase.
];
};
"forgejo" = {
host = "code.jmug.me";
user = "forgejo";
identityFile = [
"/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
"/home/jmug/.ssh/id_jmug" # Fallback key with passphrase.
];
};
wsl = {
user = "jmug";
hostname = "192.168.10.241";
port = 69;
forwardAgent = true;
identityFile = [
"/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
];
};
ws = {
user = "jmug";
hostname = "98.59.213.212";
port = 69;
forwardAgent = true;
identityFile = [
"/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
];
};
};
};
programs.zsh.shellAliases = {
# TODO: Interpolate the name of the host here.
nrsw = "sudo nixos-rebuild switch --flake /home/jmug/nixos#asahi"; # parametrize this as home dir.
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}
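Review bot: The `wsl` and `ws` match blocks set `forwardAgent = true`, which lets anyone with root on those machines use the forwarded agent for as long as the session is open; `ws` is reached over a public address, so it is the more exposed of the two. With `addKeysToAgent = "yes"` the passphrase-protected fallback key also stays in the agent once it has been used for `git` or `forgejo`, and unlike a touch-gated hardware key (assuming the YubiKey keys require touch) it can then be used without any prompt. Prefer `forwardAgent = false;` with `proxyJump` for onward hops, or at least `addKeysToAgent = "confirm";`. In the `let` block, `lib.substring` strips four characters from every directory entry, so a non-`.pub` file in the key directory would yield a wrong name; filtering with `lib.hasSuffix ".pub"` and using `lib.removeSuffix ".pub"` avoids that.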


@ -6,31 +6,35 @@ yubico:
jmug: ENC[AES256_GCM,data:Z42zNo1DaQutPIfE+0PEAK5F1fmspJp6jmosHSHsUN6dSG4zY93Tdmvisxg0hFUbuMlYg/06z3bsagFY4q+9Eg6qCLqzj1Uzs3VA0vEP+N0UlR5YZvneWzhnw2KYaPSJ/dsxt9tSfJO89P5ffeJgfSds2hLRWngm0agkmZ1P9lRbY0iMTUGl9se4V/anydwH69GQLyul5EtXHr9KZyU2pkT86zQSHGqiiMm85TfyixTWi/PWFl1jtDlyUbvN2HZYFGdQ6O0E,iv:TYel/hCVAMQL1rqok/1YMqcGFuXmsvkwUcA988VULW8=,tag:dnPQiY5i3oHbsC9zdXvY4w==,type:str]
wireless.env: ENC[AES256_GCM,data:HpwPUp7SDUPwWzXzOaWBT605aV8d3fD78dIgl4hdym1O1b2tVOs4zgO77n/DmXNugHjybUWpNZN+R2uiseawyufv5ndTZJrFTK4=,iv:Pp1MyegxAi5AhyG1f9f2+jAa2r0jKDYTeiA27KPlOt0=,tag:Wnt//h2dDxApdKortKPVgg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1psyctjy329r9v07uqu72vkjl06f26f0epvh6zxejdkwp3m0tnyvq88rnr4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTndyWUdmQlJkMVgzbnNH
VWw1MVdHVk1BQWxFcWQ2cm9IMkRsUXJua2hjCkk0aHo2dDhMWjB4ODM2b3NVRmZI
Um52b3llWUxvR3BMVjBRVU5PWVFjcU0KLS0tIFJ1cExBUUc2cmMrdlAzZlRtTHJi
a1ppNndmVk5lUzFQNjZBN2V3THJRUUkK2u/VrhUakNXLWuj8edN3IQzEusPuKfXr
5DxMUAZAUpkMudfxq7JH9NPVR/swp2QrDxYElWQMqkad2+SRbQy/2Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTStDSGFqeFlsVDZzb0ZJ
d0Y2SGNvZ1NTODVJRitPdm5LcVVsMWNMWkVJCm5oNDJPdFUwNDMrRTh1Y25Tbkt3
eFlyb3hyOVNid3hpQUFvTWF4S1JKNlUKLS0tIDFYL3dURTNRYzlmZXI2SU9xeDY0
SnYvQ3JHMUM2UzIvVFlSWUI2ZmE1eDgKWgwW46FDQvtgHQrNTiLfJ1K+KiifvJfN
s8LI1fAcjrQPaDLuNwFt3ddxqHYJaJqmviQpUAY50RUH/CxvLp1ALw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeElKbEY2dG5iSE5USVIw
Ky9FUzR3aXhEKzZ2V2ZOREcreVUrVnBSaTJjCjNja0tMalpDN2I3b0tIVThXSi9N
L0lkMUx6NGhiWnB4cTIrSTVkTmxUZ28KLS0tIDNwckNGT0I0R09SMmN5MkUwMmlz
TTBza2VncEc3T3l0K2ZZNlFYWEJEOTgKB9btrywDe8vZtJuerk+Fm7jE4H/zAil5
XvAToUH2HQIMf7bjLVafXG22SKDt4ya6k9yYN63VORp6m7wkimLjPQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMVQ4M3lGa1o5V0tzcUhy
RlhnVkloTmRPNkZlUEQyN1lObWI0YitYM3prCjV1WTRSR3RLemQvcDFVT213YlQr
aUJqT0ZrOW54MHI3bEV0bFVyL3E2ZkkKLS0tICsrcklYKzd6Nkx1MXk1aVRkYS9M
MHFpaGszWG9CbWxUbEVPRnVIcWtBZDAK9PsO4N0T64G4hX6kT9gcg6q9g5JSMDDL
Xs7LgZ9M1eB/DJEO5R4ZtcnL9hn4nyEEs+RQfsrXa4hkOS/AZe80DA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQjUxTWJFWi9YcE8vTkVz
dWNWYm1MZ1hKZmN0SVlJbm9HMWtPTDN1S0dvCml5Uzg3b1hjaHY4d1ptVGNiOFRj
K3lIWk5LRGJlRTFDdGlEaWUwcnF4Q2cKLS0tIGVkZ2FUY2l5ZHNnbENVSUlmSWFH
YkxFVzllZUNZazlVaksrL25MZWdxbUEKA7MEFMTjgAOXXHTIFo5hImgAZ1Zkrq++
viz9aCwATnlp0uw+Xqg+H2dS6Td47kt8rqXbaD0XJ4+HYydJJUG6Ag==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-10T21:37:37Z"
mac: ENC[AES256_GCM,data:MV4ieP1PBX47WkQKolTnFUUwLHcRKyo3yJcAIXra7kclkfeKHK+P1EWjd4VzQ2ID6FwuS84xrtGBALiFS8phemNZrkf5oz9Zpmrtr4ivIKAmn5QDq8lMS2K6OA6ylUZ4okKSX3imvmGnftGk7uS9Py+61pccrWY6ZPwSNxOe7IA=,iv:/ChdUXf5kUW0SLfsrH75kndiyssRSrgNWCuJXLkiRN4=,tag:PiCpAWbWG+ADVmpEg3rNPQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4