diff --git a/configuration.nix b/configuration.nix
index 306813c..f2fd1b0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,21 +1,62 @@ { config, pkgs, ... }: - let gitRepoUrl = "https://git.skarockoi.de/ska/nixos-production.git"; gitLocalPath = "/var/lib/nixos-config"; in - { - imports = [ ./hardware-configuration.nix ]; - + # DO NOT import hardware-configuration.nix - we want hardware independence + # imports = [ ./hardware-configuration.nix ]; + + # Boot configuration for physical machines boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - + boot.supportedFilesystems = [ "vfat" "ext4" "crypto_LUKS" ]; + + # Use LABELS instead of UUIDs for portable filesystem setup + fileSystems."/" = { + device = "/dev/disk/by-label/nixos-root"; + fsType = "ext4"; + options = [ "noatime" "nodiratime" ]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/nixos-boot"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + # Generic kernel modules for maximum hardware compatibility + boot.initrd.availableKernelModules = [ + "xhci_pci" "ehci_pci" "ohci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" + "usbhid" "hid_generic" "hid_apple" "hid_logitech" "hid_cherry" + "uas" "usb_storage" "nvme" "rtsx_pci_sdmmc" + ]; + + # First boot setup to handle machine-specific configuration + boot.initrd.postDeviceCommands = pkgs.writeScript "first-boot-initrd" '' + #!/usr/bin/env bash + # Check if this is first boot on this hardware + if [ ! -e /proc/first-boot-done ]; then + echo "First boot detected - setting up hardware-specific configuration" + + # Auto-detect LUKS device if not already set up + if ! 
[ -e /dev/mapper/luks-root ]; then + echo "No LUKS device found - attempting to find encrypted partition" + for dev in /dev/sd* /dev/nvme* /dev/mmcblk*; do + if cryptsetup isLuks "$dev" 2>/dev/null; then + echo "Found LUKS partition on $dev" + # This is a placeholder - actual decryption would happen interactively + break + fi + done + fi + fi + ''; + networking.hostName = "nixos-usb"; networking.networkmanager.enable = true; - + time.timeZone = "Europe/Berlin"; - i18n.defaultLocale = "de_DE.UTF-8"; i18n.extraLocaleSettings = { LC_ADDRESS = "de_DE.UTF-8"; @@ -28,14 +69,15 @@ in LC_TELEPHONE = "de_DE.UTF-8"; LC_TIME = "de_DE.UTF-8"; }; - + services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; services.xserver.xkb.layout = "de"; services.xserver.libinput.enable = true; console.keyMap = "de"; - + + # Audio setup services.pulseaudio.enable = false; security.rtkit.enable = true; services.pipewire = { @@ -44,24 +86,34 @@ in alsa.support32Bit = true; pulse.enable = true; }; - + services.printing.enable = true; - + + # User setup users.users.user = { isNormalUser = true; description = "user"; - extraGroups = [ "networkmanager" "wheel" ]; + extraGroups = [ "networkmanager" "wheel" "audio" "video" "disk" ]; shell = pkgs.bash; + # For cloned systems, don't set a password in config + # Users should set their own passwords after first boot }; - + + # Allow unfree packages nixpkgs.config.allowUnfree = true; - + + # Essential packages for a portable system environment.systemPackages = with pkgs; [ git vim curl wget openssh + rsync + pciutils + usbutils + gparted + gnome-disk-utility obsidian libreoffice keepassxc 
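Review bot: The `boot.initrd.postDeviceCommands` hook added in this hunk cannot do what its comments promise: the option takes inline shell text for the stage-1 script, so assigning `pkgs.writeScript` either fails the type check or inserts a store path that does not exist inside the initrd, and the `#!/usr/bin/env bash` shebang and the `cryptsetup` binary are likewise absent from the initrd unless `boot.initrd.luks.devices` is configured. The `[ ! -e /proc/first-boot-done ]` guard is always true because nothing creates that file, and the loop only echoes and breaks, so no device is ever unlocked; meanwhile `fileSystems."/"` is declared as plain ext4 on `/dev/disk/by-label/nixos-root`, so this configuration provides no disk encryption despite the LUKS wording. I would drop the stub and, if encryption is intended, declare the container via `boot.initrd.luks.devices.<name>.device` so the tooling actually lands in the initrd. Two smaller points: `usb_storage` is listed twice in `boot.initrd.availableKernelModules`, and mounting by label means a host whose internal disk also carries a `nixos-root`/`nixos-boot` label can be picked instead of the stick, which the "portable" comment should warn about. As far as I can tell `"crypto_LUKS"` is a blkid signature name rather than a filesystem type, so listing it in `boot.supportedFilesystems` most likely has no effect.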
@@ -73,22 +125,66 @@ in epiphany gnomeExtensions.gsconnect gnomeExtensions.dash-to-dock + file + psmisc + lsof + strace + pciutils + usbutils ]; - + programs.firefox.enable = true; - - # === Auto-update script with full PATH and NIX_PATH === + + # SSH server configuration + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "no"; + + # First-boot setup script to regenerate machine-specific configurations + environment.etc."first-boot-setup.sh".text = '' + #!/run/current-system/sw/bin/bash + set -e + + if [ ! -f /var/lib/nixos-firstboot-done ]; then + echo "=== First boot setup for cloned NixOS USB ===" + + # Regenerate SSH host keys + echo "Regenerating SSH host keys..." + rm -f /etc/ssh/ssh_host_* + ssh-keygen -A + + # Generate new machine-id + echo "Generating new machine ID..." + rm -f /etc/machine-id /var/lib/dbus/machine-id + systemd-machine-id-setup + + # Ensure proper permissions + chmod 700 /root + chmod 755 /home/user + + # Mark first boot complete + touch /var/lib/nixos-firstboot-done + echo "First boot setup complete." + else + echo "System already set up - skipping first boot configuration." + fi + ''; + + environment.etc."first-boot-setup.sh".mode = "0700"; + + # Auto-update script with improved hardware independence environment.etc."update-nixos-config.sh".text = '' #!/run/current-system/sw/bin/bash set -e - + # Ensure all system tools are available export PATH="/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin" export NIX_PATH="nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" - + LOCAL_PATH="/var/lib/nixos-config" - REPO_URL="https://git.skarockoi.de/ska/nixos-production.git" - + REPO_URL="${gitRepoUrl}" + + echo "[$(date)] Checking for configuration updates..." + if [ ! -d "$LOCAL_PATH/.git" ]; then mkdir -p "$LOCAL_PATH" chmod 700 "$LOCAL_PATH" 
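Review bot: Adding `"disk"` to `extraGroups` for the default user makes the account root-equivalent, because members of `disk` get raw read/write access to every block-device node, including the one the running root filesystem lives on; `wheel` already covers administrative work through sudo. GNOME mounts removable media through udisks2 and polkit without the session user needing device-node access, so the group can be dropped: `extraGroups = [ "networkmanager" "wheel" "audio" "video" ];`. The new comment about not setting a password also leaves the account with no credential at all on a cloned image; unless something outside this hunk provides one, neither a GDM login nor `sudo` can succeed, so the comment should say how the password is expected to be set (for example via `initialPassword`) rather than only that it is not set here.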
@@ -103,18 +199,35 @@ in if [ "$LOCAL_HEAD" != "$REMOTE_HEAD" ]; then echo "New config available. Updating..." git reset --hard origin/main + + # Rebuild the system with the new configuration nixos-rebuild switch -I nixos-config="$LOCAL_PATH/configuration.nix" + echo "System updated successfully." else echo "Config is already up to date." fi fi ''; + environment.etc."update-nixos-config.sh".mode = "0700"; - - # === Systemd service (simple, no extra path needed) === + + # First boot service + systemd.services.first-boot-setup = { + description = "One-time setup for cloned NixOS USB"; + script = "/etc/first-boot-setup.sh"; + path = with pkgs; [ systemd openssh ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + # Auto-update service systemd.services.nixos-git-update = { - description = "Update NixOS from public Git config"; + description = "Update NixOS from Git config repository"; script = "/etc/update-nixos-config.sh"; serviceConfig = { Type = "oneshot"; @@ -122,7 +235,8 @@ in Group = "root"; }; }; - + + # Run updates hourly after boot systemd.timers.nixos-git-update = { description = "Check for config updates hourly"; wantedBy = [ "timers.target" ]; @@ -131,6 +245,14 @@ in OnUnitActiveSec = "1h"; }; }; - + + # Power management for USB devices + powerManagement.enable = true; + services.udev.extraRules = '' + # Allow all users to mount USB devices + ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", MODE="0660", GROUP="disk" + ''; + + # NixOS version compatibility system.stateVersion = "25.11"; } \ No newline at end of file
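Review bot: `chmod 755 /home/user` in the new first-boot script loosens the home directory from the 0700 that NixOS applies by default (`users.users.<name>.homeMode`), exposing the user's files to every other local account; the line should be `chmod 700 /home/user` or removed, since activation already sets the mode. Deleting `/etc/ssh/ssh_host_*` and running `ssh-keygen -A` only helps if it happens before sshd (enabled in this same hunk) has started, and nothing in this script enforces that ordering, so the first boot of each clone may still present the shared host key for a while. The update script's body runs past the end of this hunk, so the rest of it is reviewed on the next one.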
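Review bot: `systemd.services.first-boot-setup` is only `wantedBy = [ "multi-user.target" ]`, so systemd is free to start `sshd.service` and the `nixos-git-update` job before or alongside it, and the host-key and machine-id regeneration it performs then races against services that have already loaded the cloned values. Add `before = [ "sshd.service" "nixos-git-update.service" ];` to the unit so the one-shot finishes first; the `ExecStartPre` that creates `/var/lib` is a no-op on a booted system and can go. Separately, the update flow shown as context here still applies whatever `origin/main` contains as root via `nixos-rebuild switch` with no integrity check beyond HTTPS, so control of the hosting account or the TLS path becomes root on every clone within the hour; running `git verify-commit origin/main` against a key ring provisioned on the image before the `git reset --hard` would turn that into a logged failure instead.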
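Review bot: The udev rule added at the end of this hunk does not do what its comment says: `MODE="0660", GROUP="disk"` only assigns the USB block-device nodes to group `disk`, which matches what the stock systemd udev rules already set for block devices, and it grants raw read/write on the whole device rather than the ability to mount it. Combined with the `disk` group given to the user in an earlier hunk, it hands any interactive user direct access to every attached disk, including the stick the system boots from. Removable-media mounting in GNOME goes through udisks2 and polkit (the GNOME desktop module enables `services.udisks2` as far as I can tell), so the rule and its comment can be removed; if it is kept on purpose, reword the comment to `# Raw access to USB block devices for group disk (not required for udisks2 mounting)` so the next reader does not mistake it for a mount policy.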