From bb544798aa329c88d253f17667f5c8498a5e27d2 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Wed, 2 Apr 2025 22:23:35 -0400
Subject: [PATCH] Migrate kiosk-entryway to NixOS from MX Linux

---
 .gitignore | 3 +
 .sops.yaml | 6 +
 flake.nix | 4 +
 modules/hosts/common/secrets.yaml | 109 ++++++++--------
 .../hosts/nixos/kiosk-entryway/default.nix | 116 ++++++++++++++++++
 .../nixos/kiosk-entryway/disk-config.nix | 42 +++++++
 .../kiosk-entryway/hardware-configuration.nix | 26 ++++
 .../hosts/nixos/kiosk-entryway/home-gene.nix | 23 ++++
 .../hosts/nixos/kiosk-entryway/secrets.yaml | 22 ++++
 9 files changed, 301 insertions(+), 50 deletions(-)
 create mode 100644 modules/hosts/nixos/kiosk-entryway/default.nix
 create mode 100644 modules/hosts/nixos/kiosk-entryway/disk-config.nix
 create mode 100644 modules/hosts/nixos/kiosk-entryway/hardware-configuration.nix
 create mode 100644 modules/hosts/nixos/kiosk-entryway/home-gene.nix
 create mode 100644 modules/hosts/nixos/kiosk-entryway/secrets.yaml

diff --git a/.gitignore b/.gitignore
index df14d79..7728824 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,9 @@
 *.swp
 *.kate-swp
 
+# From running nixos-rebuild build-vm
+*.qcow2
+
 # Config files that are not suitable to add to version control:
 link/nix/config/.mono/
 link/nix/config/asciinema/
diff --git a/.sops.yaml b/.sops.yaml
index 6759356..78a2a4b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,7 @@ keys:
 - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
 - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
 - &user_blue_rock age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
+ - &user_kiosk_entryway age1xaaf9enkf669w0cfnlx4ksd9g2kvvkuskp4xw7x84x6u492ulquqfjez5s
 - &user_mightymac age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck
 creation_rules:
 - path_regex: bigboy/secrets.yaml$
@@ -47,6 +48,10 @@ creation_rules:
 key_groups:
 - age:
 - *user_blue_rock
+ - path_regex: kiosk-entryway/secrets.yaml$
+ key_groups:
+ - age:
+ - *user_kiosk_entryway
 - path_regex: mightymac/secrets.yaml$
 key_groups:
 - age:
@@ -63,5 +68,6 @@ creation_rules:
 - *system_rainbow_planet
 - *user_airpuppet
 - *user_blue_rock
+ - *user_kiosk_entryway
 - *user_mightymac
 
diff --git a/flake.nix b/flake.nix
index 0b3d77d..ba33803 100644
--- a/flake.nix
+++ b/flake.nix
@@ -144,6 +144,10 @@
 # inputs.simple-nixos-mailserver.nixosModule
 ];
 };
+ kiosk-entryway = localLib.mkNixosHost {
+ # Lenovo IdeaCentre Q190
+ hostname = "kiosk-entryway";
+ };
 kiosk-gene-desk = localLib.mkNixosHost {
 system = "aarch64-linux";
 hostname = "kiosk-gene-desk";
diff --git a/modules/hosts/common/secrets.yaml b/modules/hosts/common/secrets.yaml
index 8927e35..95af62e 100644
--- a/modules/hosts/common/secrets.yaml
+++ b/modules/hosts/common/secrets.yaml
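Review bot: Adding `*user_kiosk_entryway` to the last creation rule at `@@ -63,5 +68,6` makes the kiosk's age key a recipient of the entire common secrets file, although the host configuration in this same commit only reads `wifi_creds` from it; sops encrypts every value in a file for every listed recipient, so this key can decrypt all the other common secrets as well. Given that this machine lives in an entryway and is configured to join public guest networks, consider moving the Wi-Fi PSKs into their own file matched by a narrower `path_regex`, or record the trade-off next to the rule with a comment such as `# kiosk-entryway only needs wifi_creds, but this key can decrypt every value in the file`.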
@@ -14,92 +14,101 @@ sops: - recipient: age1hraf69phgqg9y48m2r2sn6tr2sw7tf2h5j62ysl8nrv3qs2ft9kst0ysxm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbHhmeVRUUDJvTy94Vldu - QmxTb2pWTWM0RVFUK2NYUlcyKytERXdtZGxJClVvTDZuZ3R5Ujc4U3o1bmtlempi - bzhCK1RveHF5bE4xVWx4bmxsNHZhOHMKLS0tIFRVWEF2N05wZGpZY0w2MXlETXFm - dkFJQUJ0aGxtdTFGSU1US2Y5U3ZxS0UKViqR82ov4e+C1eKpJ6zPI9TMqBbk2PJP - ZvsROkTo8GmdB7RctIfnbNust8A4iO31aJB899eVD07iZpX9tsivQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZUhGRlUxdTVkYzh3VUU2 + czNjTnFTbzNrc08wUHBkVUE1ak1tOUtqcHdvCjNTS2JEbjlxTk12cnhsckIyM3FP + QkVDWVF5MGY3WWJCYmtKdkRrVmFHSkkKLS0tIGdPMGtEWEVXcVM1WnNFNnZZU285 + N0Zxc2k4VGQvdzVveC9PRkMrdm9JWUEKQdD5G1uSXH7HzOtBBJTJ7Bz4LwMrNKxn + nPv/7dsbsevCtYpdpYUiADFaXk6zViRXsehA2zDZ/ku3mC59qiZlUg== -----END AGE ENCRYPTED FILE----- - recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4eFRsYjU1OE1XaDhrK2JC - QktYaUc0RDlSUXZ2TDVxaDRxMWlqUG52b25VClJoYzVyTnM5dnJyMlBtcDN4VnJh - dDR1QUVCRjdhaXRhcFZmNXBzRWluc3MKLS0tIGl4WVdlVjNGWWVQV3I1ZSs3VHQ3 - WVZhbmlzTGptWGU0MkQ2YlBQK292TDQKexgX4LUBeQuGxqUfNP32d+omdpnd9vVC - LMKg50MZR2RzZXDwBpWECxCShOvzCjikyzV5955vLMfLQoPky+TG4Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcjZPQWZ3UHR4bXo1VFVW + VmN4dVBCSXo5NFlnQ2VJcS9JbkVhRUUwV0ZvCjQ2MENmdUxLQkR1MC95SS9na3ZX + VEZLSjMxdzhpYnF5WElRZjhUSVlIZ2cKLS0tIHF6RngwNTZxS0thYzdNOWdmeC9R + OFRSSys1WkxUVzFIeHhsVU9XZzJleEEKRlGE9qzIlbWH5kHbex3eZbxiE0EHrW2t + DX18F+iyUhmMS6CPbiT5u2WqwXEkQ7vDQ+jYjY6nfo5ieqzaofoo2w== -----END AGE ENCRYPTED FILE----- - recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVW9rRUFlb3h4aXlOK0xV - enNNK3V5Ni91cWxsY1lSSzZBUnNsODE4OGpZCk9YK3VLTWhWOHhraEM3ZHROTDhi - cm0rVXdqQTNNbjAyNzQxUGJIVVVTcTgKLS0tIE5KUGtoNE5seHFZNnBReFZ3WmFr - 
cGFDUVZFbVBSMmdLeU8wbjhlUzRHaXcK/tsc4Amurh2i4TdzQoruD7scW+SnYUtU - EySIFKKQzKCodSEYRzDHlp0PRRTcbgOtEUuvr+9a2Rsod1Kzc9CZ1g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbDJxSzkxVVRHWDJsUzJy + WG9UeWtzNUFjZzQ4MnhncnRGZjRUY0ZqZzJNClJBTms5eVNiRXc2WTNkUCtScXhp + UmN4enpaUlBUN0NEK2pWbzA4MGpWQncKLS0tIHhPQUdKZzhWdUlYQzN2d2hIMEhH + cUUzelFTRS9ON0dtZEZ5MURURHZYSWcKvseIz1/Ensq7g2apDF/TD2CRN1RotVOM + buZ1MjfExGyHM3ujQ5yj24uMdAfqqvuUZLp/krOSm0AZhDnQdTm2KQ== -----END AGE ENCRYPTED FILE----- - recipient: age1an6t5f0rr6h55rzsv5ejycxju72rp46jka840fwvupwfk65jegrq7hmkl9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeCt3M1JzRVdWblBENXpI - T1RHZ3h3ekx6N0FyRTJ5Z1ZGejFPY29rV0RrCnZRWjRXSnhNekxQeVU4M3loNDJO - RitBL25kRWhMVnJNcDB4RFQvYks4SUUKLS0tIC8zVGVPNFZLYzVvdDk1dFF6M2Fn - c3RSNXZJNlEvQTQxTVovY1NndEtQSTAKuMUQBKVIYfDKxCIMZwUczd1UlE6O9L93 - WL/Fs/TWYKtduiOAJtAEpKKmMzHIWAUwH8fdvVUXO8T+8xR3VyZ7gA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQXRsdHNwS3Z1NjRZYUlu + bmYzSW1pb0V4d3VwQ0ZNQ3FwYlJIek5iQWhzCmRvUGN6MWFhWVFSamg2cklXVFRP + VFp3U1JaMDgrZVR3VHFTd1hFNEpPUzQKLS0tIHFrcnBocEc5ay9walVJd0lEcVRX + cHIyK3V4SGpHK2h5TVU0L1ZJWnZPU3MKsdj5T0QOCIlT4KXZFg99Y99A5BrGgy2O + 627QtUShB4xNjn5Mj72uHmfDF0Co+Yf1prwC5NAzqq70G+YWqoI++A== -----END AGE ENCRYPTED FILE----- - recipient: age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RU9JNks0U0MwQTFsY2pp - YVVkbDJ3TnV2QVRyanZITmVCelJzay8rbkI4CmM2cWNYN2NQaEoxcGNOZFI1K05Y - eDZ1ZlpSRXQyVkVQaFlEeXgrR1ZtTWcKLS0tIDluaGVlZXZQTjB4RVFML2FSMU5s - N2pxT2hLbEQvVnBTMS9yODc3MWxPWjAK5eB7GQ2gLz3VkBBEji5wr8MWT0V3szPE - 5beVQykzz7kzggKFMFeYli6Uhhy8ZNT7nyM0uusbQ+fZZ4qcr3OxCg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZ3BrU09acHVQVHFrOEw1 + RU80eVcwK21nUkRTcEFjS1pETVZlVFEvNzJjCkNvRWpteFk2QVJ0MmZMeUlxbjUr + YTZ4RHBTZEYvRnh4bGdEN1hVcE5Nc2sKLS0tIDduaGZLQ3RteXJGenl3SG1KL2FB + 
ZlZkOWxRMVBFTmhodlJBbmRyTko3dG8KLY5vHO5PYMXvkd3lvR7usKh33D8PsMNa + H7zumWbKGQYmnkU/4qYkZ0hYiesWNfdSSrx28VLnokF6PQKPprU4wg== -----END AGE ENCRYPTED FILE----- - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRVJsZnhncUdnQStTZ0VB - T21EaGhwckd0bjF4dXZMRnBzbFZkOEd3RFhVCmFJaEc4UHJZQVJUOS8zaU5PU3p0 - MnFGcXc2SEdSWjdWckJ0VXhQaDZsS3cKLS0tIE41N1FpZHh3WmVOYzN2c2VHc00w - SHl0cFhvVzQzZXhmTFdWTnB3R1pqVXcKOTbCrWLKG2tDtiduNipCxB5pVRw6XhMe - oir1nURrV/c7LFALactcq51rV1Es48DvSyBjE0OM7XaeJvRIQjfB2w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQVZOK0UvVDVZSHpIMmcy + TFl3ck5wdHRmSzNJNkduNko0VEZpYWw4bTJFCjMrcjFEZFBGbUl0VDhTY0dDKy9R + b2IwQTBVSlFJZTVHZmNsSEd0b1V1S3cKLS0tIDlYVkZ3LzJtRUZkd2hkMHFwN1R0 + Y21hUWFyZU54ZklJVklpTE56bmZyTkkK4g6DDxms0iFF/2BmmuLYvqBKA8f2zRkY + BYk9z7PLje2tS5G8CtLJqQ6jZVCNk0mtV+QXYreNf6wFY8eouV4f+Q== -----END AGE ENCRYPTED FILE----- - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzc2EzZ2IwZW05VldyL3pO - M1duZis0VUFwYm1ZNVU0elExZTlmcklYR0JNCnVsbXN1OEZoV2NEV0IyTjlmWXU4 - WmZ2Q2xFUVVzaUMvWFBvanpJWHNaR0EKLS0tIER1S2hmN0tYZEluZUlJZDd6Sk9Q - YWxBS0liSUxCc00zeExwZUFrUWhSb2MKEd+wTDvIQR8fvb6hknCiT18AYB429APU - qOqgxnK8NAhMYZ73EtmAK8cyKnNWOfARwcFh0OkY9xf1mwH8ahAgkQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQzBGcXNrZnFvNjhhb2VS + YjNLVHVEWEpnUmNGL2VVM2JWK2YvcUprNG53Cmw2b0o5dFVzS3lONWFlbnFmaHBj + cmpvVStwRUZsTVd0dXEzU29UaU9rYkUKLS0tIE15WFhJYnJLcm1xUUM1dWc4VzVh + RWxCVzZkYUprOXN1N1VyaXBScTlVTWcK1iv/pI6p7COcWA1O+VwClAoN706nAQtf + qXMkqdh7/HC3scFd7NMKUxDF4DIi89C762gzYnhN/zHGg3lD0yDHwQ== -----END AGE ENCRYPTED FILE----- - recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNFRSRVE1KzArQUF1Wk5I - 
b1MyNnZvZWtGQ2hXYU9kTmZXM01JajNqWXpBCmtLVDB4YW5ReTV5NnBLTm5lTXJw - Y2s5UzIwVGN6RmlnYk1tTHJSbU5Eb0UKLS0tIEk4R3ZvOFM0bnJrOGh5dDUrSE00 - SFZpK3RtR2dJcy9rNHpHZTNaYndwZ0kKYCt784yPEXPoHeksPT5GQ8RZl+urHfUV - VABWk70L+6cySe5y/N1mZT3ixaNwEOhViKqONw8soeqMDnELJtYWBg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdXJObm5WUG5FeVIyUGE1 + amJQU1Q0azBOU3llSUNocG5XakxaQTJEUndJCkQ4NmoxSzRZNTcwN1B5c1AyMEli + SUVjUDhIc0lmZ3V6ME1ISG8ydVJWNmMKLS0tIGNxUVRjK0lhOFdjdldod0pJVk95 + RkpxOXpodGpEVEU4RE5VVUs0ZVpiUk0K4VTCk1dapZL0dYrCGZpIYH9d6LnLZ2Ss + vx8HIfjnsJT4nu4kB4CFgz6jdKTAetH0gB3N0L7nQDT9DIY7bLQNpA== -----END AGE ENCRYPTED FILE----- - recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjbU1PVWZLMFplT0I5RnNk - U1VLd2tWdExCTEFVU3RHZkhSbElmeVByUUFJCmo3OUFnL0daeXNONWxVbHNOUnRE - TUlqTFA2WkJlS0YwL1FoMm1Xa2w0eVEKLS0tIENUNW1KZkMvTmxHbDJsR2VmbG96 - VFJrdzVtMjZrallSL1BmcXNtZEhYZTAK8hsJvs8GjlxFpwW1Ol8hCQQw+lXvgz81 - qt3aysE/w3voPiZQYcVcZLAoV/oAlaZMS199tEvwTuGa8HXMNN2NZw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWd0lQLzdxSllxSEpvb3hM + TC91THdlelBHQkYyUFRnblhwNkZmd2ZlS0dNClNhUnU2bTFyLzU5VlE5L3VPMG9x + bkdkWE9vbzVwbEszS2VERjRIWGdUK1EKLS0tIHRtbkg5dUVFajgyZzVjeE5tK3hi + dGZwYWt3QlkrNVd4TklhZ0tTUUNncDQK4TslyF1bhWPvbmFcQpF5Zpe/V6pqTMxj + gI/ss9FTpgQYREafQ2RtF2fQf7Pr7F29vGIa0b7YXYG7OK0FcgdgyA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xaaf9enkf669w0cfnlx4ksd9g2kvvkuskp4xw7x84x6u492ulquqfjez5s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dGgwODN3bE5WUGxLbUo3 + UUlFTnowSDZ0c1picENGS01TTld2c2h3ZnhnCk1zU0tkYTFYZDZZbDdoKy9UUTBW + UndZalc3Mnp4Nm9zVWZncXY2WktCVWsKLS0tIDNkaHV3OUhvR2RSMTdSNzFSMjVz + RndIcWZMdUNyMW51N0hObkFTRXJxdFUKor8+bFGKJ2wPpQAYo6MOu/Z24RnzoRtf + ADT8tgG54ViK5kL+e6B5wQ0YkEiLJ0vcxPR6/WDgYTRNnSd2Hu+SGQ== -----END AGE ENCRYPTED FILE----- - recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck enc: | 
-----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdGVCa1Q5QUNmVGZsT01Y - SW9aL2hWUjdTdkFBT0o1TnFDb1pkdWRnNlc0CnlYNDRhbXhTS3lvdlprdUZJY1pm - M3VWcTI0OWxHY1hxQW5nZkJxTnZLMzgKLS0tIGFoNVlKTGJ0ZnlnTnlnV21PNDFX - Y3I0d2xaYlRwVU9CdE44UW9vZ1NJeFUK5DQu30MuGjMq5YRSTh2II2uNvWm2XF9B - YDcK/E1xKGIA/tKk/DDmpbUZMTIzh+tmYcN72EQQqlT/9a2HyINChg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTK2NmMlVCODEzcG5LQSts + blFUSHBGMHMvS2orbngvME82NE1mci80eFFFClNHSG9McnN0Wkd0N3lVYWFWMWs1 + Q1dGTzdRU0NucVJTUVVSaUQ3NUhWWXcKLS0tIFdtaDh5MW9xQVFCKzZlalAzWlZs + ZzNFQm56aWdIZU82Mi94dE5hbndBUGcKBo/N9WToL579SCwfG/Qzp6rPC0+GfaRa + 0/DPakOaYOpPonIa2XRBIZx+83qNYaVFZyZauszaiQZQp0aGsPewfA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T03:30:50Z" mac: ENC[AES256_GCM,data:lOrSir70ZiZKjajRLUN83FoQQ0+hwLznbul6Z8hVjbxBvXdwvaMfi/BmfG/+wOMFjShU+fEStAjryoKCcaB3RJod2MyncvE4+fY2lmq7U/T1GHEknQ5xm42J6+Dd79P48mDsJ9kUQXO1wpp9CEVkW5hTfzPGYV2tRWY3a9hgz3Y=,iv:+3hE34n4f2zy17TeoDF/lWvFaX2Rd7ZsojlpZq9R4fE=,tag:Bcs3CAKIk+mTwy0dGuzVMg==,type:str] diff --git a/modules/hosts/nixos/kiosk-entryway/default.nix b/modules/hosts/nixos/kiosk-entryway/default.nix new file mode 100644 index 0000000..e44def8 --- /dev/null +++ b/modules/hosts/nixos/kiosk-entryway/default.nix 
@@ -0,0 +1,116 @@
+{ config, lib, pkgs, username, ... }: {
+ imports = [
+ ./disk-config.nix
+ ./hardware-configuration.nix
+ ];
+
+ system.stateVersion = "24.11";
+
+ boot.supportedFilesystems = lib.mkForce [
+ "vfat"
+ "ext4"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ wlr-randr
+ ];
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ graphics.enable = true;
+ };
+
+ networking = {
+ firewall.enable = false;
+ wireless = {
+ enable = true;
+ networks = {
+ # Home
+ "Diagon Alley".pskRaw = "ext:psk_diagon_alley";
+ # Public networks
+ "Gallery Row-GuestWiFi" = {};
+ "LocalTies Guest".pskRaw = "ext:psk_local_ties";
+ };
+ secretsFile = "${config.sops.secrets.wifi_creds.path}";
+ };
+ };
+
+ nixpkgs.overlays = [
+ (final: super: {
+ makeModulesClosure = x:
+ super.makeModulesClosure (x // { allowMissing = true; });
+ })
+ ];
+
+ services = {
+ cage = let
+ kioskProgram = pkgs.writeShellScript "kiosk.sh" ''
+ WAYLAND_DISPLAY=wayland-0 wlr-randr --output HDMI-A-1
+ /etc/profiles/per-user/gene/bin/chromium-browser
+ '';
+ in {
+ enable = true;
+ program = kioskProgram;
+ user = "gene";
+ environment = {
+ WLR_LIBINPUT_NO_DEVICES = "1"; # boot up even if no mouse/keyboard connected
+ };
+ };
+ prometheus.exporters.node = {
+ enable = true;
+ enabledCollectors = [
+ "logind"
+ "systemd"
+ "network_route"
+ ];
+ disabledCollectors = [
+ "textfile"
+ ];
+ };
+ };
+
+ sops = {
+ age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config = {
+ owner = "${username}";
+ path = "${config.users.users.${username}.home}/.gitconfig-local";
+ };
+ local_private_env = {
+ owner = "${username}";
+ path = "${config.users.users.${username}.home}/.private-env";
+ };
+ wifi_creds = {
+ sopsFile = ../../common/secrets.yaml;
+ restartUnits = [
+ "wpa_supplicant.service"
+ ];
+ };
+ };
+ };
+
+ systemd.services.cage-tty1 = {
+ wants = [
+ "wpa_supplicant.service"
+ ];
+ };
+
+ users.users.${username} = {
+ isNormalUser = true;
+ description = "Gene Liverman";
+ extraGroups = [ "networkmanager" "wheel" ];
+ linger = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+ ];
+ };
+
+ zramSwap = {
+ enable = true;
+ algorithm = "zstd";
+ memoryPercent = 90;
+ };
+}
+
diff --git a/modules/hosts/nixos/kiosk-entryway/disk-config.nix b/modules/hosts/nixos/kiosk-entryway/disk-config.nix
new file mode 100644
index 0000000..76a07cd
--- /dev/null
+++ b/modules/hosts/nixos/kiosk-entryway/disk-config.nix
@@ -0,0 +1,42 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/nixos/kiosk-entryway/hardware-configuration.nix b/modules/hosts/nixos/kiosk-entryway/hardware-configuration.nix
new file mode 100644
index 0000000..23c2071
--- /dev/null
+++ b/modules/hosts/nixos/kiosk-entryway/hardware-configuration.nix
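Review bot: `firewall.enable = false;` inside the `networking` block exposes every listening service on this host, including the node exporter enabled under `services.prometheus.exporters.node` further down, on whichever network the box joins, and the `wireless.networks` set in the same block deliberately includes two public guest networks. Leaving NixOS's default firewall on and opening only the exporter's port, `firewall.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];` in place of that line, keeps scraping working without the host being reachable on guest Wi-Fi. The account in `users.users.${username}` also carries `wheel` and `networkmanager` although the session is an unattended Chromium under cage and this file uses `networking.wireless` rather than NetworkManager, so both groups look unnecessary for this role. Lastly, the cage script hard-codes `/etc/profiles/per-user/gene/bin/chromium-browser` and `user = "gene"` while the rest of the file derives paths from `${username}`.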
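Review bot: The root filesystem is plain ext4 with no encryption layer, and the header comment `# Example to create a bios compatible gpt partition` is the disko sample's wording rather than a description of this host. The host configuration in the same commit keeps the sops age key under the user's `.config/sops/age/keys.txt` and writes `.private-env`, `.gitconfig-local` and the Wi-Fi PSK file onto this disk, so anyone with physical access to a machine that sits in an entryway can read all of them from the drive. Unattended unlock makes full-disk encryption awkward for a kiosk; if that is the accepted trade-off, record it by replacing the header with `# Unencrypted root on purpose (unattended kiosk): the sops age key and decrypted secrets on this disk are readable to anyone who has the drive.`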
@@ -0,0 +1,26 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/modules/hosts/nixos/kiosk-entryway/home-gene.nix b/modules/hosts/nixos/kiosk-entryway/home-gene.nix
new file mode 100644
index 0000000..97f2d4c
--- /dev/null
+++ b/modules/hosts/nixos/kiosk-entryway/home-gene.nix
@@ -0,0 +1,23 @@
+{ ... }: {
+ home.stateVersion = "24.11";
+
+ programs = {
+ chromium = {
+ enable = true;
+ commandLineArgs = [
+ "--app=http://192.168.22.22:8123/kiosk-entryway/immich?kiosk"
+ "--kiosk"
+ "--noerrdialogs"
+ "--disable-infobars"
+ "--no-first-run"
+ "--ozone-platform=wayland"
+ "--enable-features=OverlayScrollbar"
+ "--start-maximized"
+ "--force-dark-mode"
+ "--hide-crash-restore-bubble"
+ ];
+ };
+ };
+
+}
+
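Review bot: The `--app=http://192.168.22.22:8123/kiosk-entryway/immich?kiosk` entry in `commandLineArgs` points Chromium at a private address over plain HTTP, while the host configuration in this commit also enrolls the machine on two public guest networks; on such a network that RFC 1918 address is either unreachable or answered by an unrelated device, and `--noerrdialogs` together with `--disable-infobars` hides the cues that would show which. If the dashboard is only meant to work on the home LAN, say so next to the argument, e.g. `# Only reachable on the home LAN; on the guest networks the kiosk just shows a connection error.`, and otherwise prefer an HTTPS endpoint the kiosk can verify. What listens on port 8123 is not visible in the diff, so this note makes no assumption about it.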
diff --git a/modules/hosts/nixos/kiosk-entryway/secrets.yaml b/modules/hosts/nixos/kiosk-entryway/secrets.yaml new file mode 100644 index 0000000..17ef002 --- /dev/null +++ b/modules/hosts/nixos/kiosk-entryway/secrets.yaml @@ -0,0 +1,22 @@ +local_git_config: ENC[AES256_GCM,data:9eq+YMK1wRewtTOCYdq9haD9XhMKcKCXeYlioxn5kAAreUJdjw/D92O33958eXvA3TbvRJGpioN0iZZribay7q+e2zoW+SfITwetfKa9xIeU2UQF3f6jB9juh5mqWZBXGxx+An3tIg9jNjtHRRzK7nzp6Uyxy5TNEfBKPwU=,iv:mAMMKaEWN9DvVGDDc8tNKE6LXxTnd7NKe5VXL1vmCp0=,tag:EhJkL9V3J+020uUSVsL8BA==,type:str] +local_private_env: ENC[AES256_GCM,data:66Ii8OUAwROOyfSFAWhCdpq8OiTEwGqn6y51Tp3FnOYYuDepJmsh/ikBAkoowVUWf4F4RdABtauLCqOuRg==,iv:xZMtNffbdnbUbohcmr0ZprxdaeFNvp5VfHOyRh+hrhU=,tag:Tq+fo2QJxZvcMAE1oIudBA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1xaaf9enkf669w0cfnlx4ksd9g2kvvkuskp4xw7x84x6u492ulquqfjez5s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdmUzblhaQ09UdEIzc2xw + OEh2V2JFTWZXdVdUVDJlTElGd2hnQ2x6aTBjCk85Vk0wMy9VdXFIUmNQNXFxYmF1 + VkwzelAreUdUY2JDSVlrRitwbXlvOHMKLS0tIHVNUHBTTU44TmpXQyt6OUthOGo5 + eEtid0paSEttc3FLamFJZ2FWZDVQSGcKG8gAV8xuSyYUxbRJqC+2WcwsuLQ0/Ngv + gFy5WVrDl61qq6MtI59ELHQiM6/Jv7x5Gv0Nmfy6q8ABtP6rSns/HA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-03T16:37:52Z" + mac: ENC[AES256_GCM,data:c/cGUUlyWJIcJ4sgJEv2EhGvOcE73V953hrOVq3l2PX23mm01rQF5NzXJ0PrEc17kpAPrmnS5CK45KBuN+38WQW6WsCPN+gjzoYzyo6X3W+LaHcSwJd48gRfC/1FXjDvoz7l2o3nmyPncaAzqINTj7ccTzMwgHjrfRNVv+aVWXY=,iv:tV++nZK6zl3dP1Bf+rsB0ivpRZj3r2RCPSGQj19Wdfg=,tag:SbRcxjF57bKZvZ+zl/pBLA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4