me like nix

get pizero working with agenix wifi

author
Sean Aye
date (Mar 22, 2026, 8:03 PM -0400) commit f04c5327 parent 908f3447 change-id pzylkptx
+206 -9
+1
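--- a/.gitignore
+++ b/.gitignore
@@ -1,1 +1,2 @@
 result
+secrets/pi_host_key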
+85 -3
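--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
 "nodes": {
+"agenix": {
+"inputs": {
+"darwin": "darwin",
+"home-manager": "home-manager",
+"nixpkgs": [
+"nixpkgs"
+],
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1770165109,
+"narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+"owner": "ryantm",
+"repo": "agenix",
+"rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+"type": "github"
+},
+"original": {
+"owner": "ryantm",
+"repo": "agenix",
+"type": "github"
+}
+},
 "catppuccin": {
 "inputs": {
 "nixpkgs": "nixpkgs"
@@ -37,6 +60,28 @@
 "type": "github"
 }
 },
+"darwin": {
+"inputs": {
+"nixpkgs": [
+"agenix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1744478979,
+"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+"owner": "lnl7",
+"repo": "nix-darwin",
+"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+"type": "github"
+},
+"original": {
+"owner": "lnl7",
+"ref": "master",
+"repo": "nix-darwin",
+"type": "github"
+}
+},
 "flake-utils": {
 "locked": {
 "lastModified": 1678901627,
@@ -55,6 +100,27 @@
 "home-manager": {
 "inputs": {
 "nixpkgs": [
+"agenix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1745494811,
+"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+"owner": "nix-community",
+"repo": "home-manager",
+"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"home-manager_2": {
+"inputs": {
+"nixpkgs": [
 "nixpkgs"
 ]
 },
@@ -73,7 +139,7 @@
 "type": "github"
 }
 },
-"home-manager_2": {
+"home-manager_3": {
 "inputs": {
 "nixpkgs": [
 "zen-browser",
@@ -283,14 +349,30 @@
 },
 "root": {
 "inputs": {
+"agenix": "agenix",
 "catppuccin": "catppuccin",
 "copyparty": "copyparty",
-"home-manager": "home-manager",
+"home-manager": "home-manager_2",
 "niri": "niri",
 "nixarr": "nixarr",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_5",
 "zen-browser": "zen-browser"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
 }
 },
 "vpnconfinement": {
@@ -364,7 +446,7 @@
 },
 "zen-browser": {
 "inputs": {
-"home-manager": "home-manager_2",
+"home-manager": "home-manager_3",
 "nixpkgs": [
 "nixpkgs"
 ]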
+7
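--- a/flake.nix
+++ b/flake.nix
@@ -19,6 +19,10 @@
 };
 copyparty.url = "github:9001/copyparty";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+agenix = {
+url = "github:ryantm/agenix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
 };
 
 outputs =
@@ -31,6 +35,7 @@
 nixarr,
 copyparty,
 nixos-hardware,
+agenix,
 ...
 }@inputs:
 {
@@ -92,6 +97,7 @@
 modules = [
 "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
 nixos-hardware.nixosModules.raspberry-pi-4
+agenix.nixosModules.default
 ./hosts/pi/configuration.nix
 
 # Allow missing kernel modules (Pi kernel doesn't have all x86 modules)
@@ -111,6 +117,7 @@
 system = "aarch64-linux";
 modules = [
 "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+agenix.nixosModules.default
 ./hosts/pizero/configuration.nix
 
 # Allow missing kernel modules (Pi kernel doesn't have all x86 modules)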
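Review bot: The new `agenix` input follows `nixpkgs` but still carries its own `darwin`, `home-manager` and `systems` pins, which is what adds the extra nodes to flake.lock and renumbers the root `home-manager` entry there. Adding `inputs.home-manager.follows = "home-manager";` and `inputs.darwin.follows = "";` inside the `agenix = { ... }` block keeps the set of pinned third-party sources smaller and makes future lock updates easier to audit. The `inputs` attribute set and both `modules` lists start and end outside the hunks shown.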
+1
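--- a/hosts/common/common.nix
+++ b/hosts/common/common.nix
@@ -102,6 +102,7 @@
 
 services.udisks2.enable = true;
 services.tailscale.enable = true;
+services.pcscd.enable = true; # Smart card daemon for Yubikey
 
 # ZSA Keyboard udev rules for Oryx web flashing and live training
 services.udev.extraRules = ''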
+35 -2
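--- a/hosts/common/home.nix
+++ b/hosts/common/home.nix
@@ -11,6 +11,7 @@
 inputs.catppuccin.homeModules.catppuccin
 inputs.niri.homeModules.niri
 inputs.zen-browser.homeModules.beta
+inputs.agenix.homeManagerModules.default
 ];
 
 programs.niri = {
@@ -100,6 +101,9 @@
 "Mod+Shift+f".action = {
 switch-focus-between-floating-and-tiling = { };
 };
+"Mod+m".action = {
+fullscreen-window = { };
+};
 "Mod+s".action = {
 screenshot = {
 show-pointer = true;
@@ -171,6 +175,18 @@
 y = 0;
 };
 };
+"DP-6" = {
+scale = 2.0;
+mode = {
+width = 5120;
+height = 2160;
+refresh = 120.0;
+};
+position = {
+x = 0;
+y = 0;
+};
+};
 "DP-7" = {
 scale = 2.0;
 mode = {
@@ -287,6 +303,8 @@
 discord
 prismlauncher # minecraft launcher
 fastfetch
+inputs.agenix.packages.${pkgs.system}.default # agenix CLI
+age-plugin-yubikey # Yubikey support for agenix
 
 # --- FONTS ARE IMPORTANT ---
 # Berkeley Mono is the main system font, keeping JetBrains and Font Awesome for icons
@@ -403,6 +421,9 @@
 
 programs.fish = {
 enable = true;
+shellAliases = {
+agenix = "agenix -i ~/.config/agenix/yubikey-identity.txt";
+};
 interactiveShellInit = ''
 set fish_greeting
 # Set 1Password SSH agent socket
@@ -423,7 +444,7 @@
 builtin cd -- "$cwd"
 end
 rm -f -- "$tmp"
-end
+end
 '';
 functions = {
 s3edit = ''
@@ -446,7 +467,11 @@
 settings = {
 terminal.shell = {
 program = "zellij";
-args = [ "options" "--on-force-close" "detach" ];
+args = [
+"options"
+"--on-force-close"
+"detach"
+];
 };
 window = {
 decorations = "none";
@@ -650,6 +675,14 @@
 SUDO_EDITOR = "hx";
 SSH_AUTH_SOCK = "${config.home.homeDirectory}/.1password/agent.sock";
 };
+
+# Yubikey identity for agenix (not secret - just a reference to the hardware key)
+home.file.".config/agenix/yubikey-identity.txt".text = ''
+# Serial: 26930059, Slot: 1
+# Name: agenix
+# Recipient: age1yubikey1qw64ag5lzvn9ekrflu5ruj4a6ucycscl6ctk39fjzf76jptsay39z442pxv
+AGE-PLUGIN-YUBIKEY-1304E5QVZZD74FKSP8FMCT
+'';
 
 # Set the state version for Home Manager
 home.stateVersion = "25.05";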
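Review bot: `inputs.agenix.packages.${pkgs.system}.default` in the package list relies on the `pkgs.system` alias, which recent nixpkgs releases warn about; `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` is the stable spelling. The first hunk also imports `inputs.agenix.homeManagerModules.default`, yet none of the visible hunks sets an `age.*` option for home-manager, so the import may be unnecessary if only the CLI is wanted. The comment on `yubikey-identity.txt` is right that the stub holds no key material, but the file does publish the YubiKey serial and slot, so the comment could say that this is accepted.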
+40 -4
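--- a/hosts/pi-common/default.nix
+++ b/hosts/pi-common/default.nix
@@ -107,9 +107,48 @@
 default = 256;
 description = "GPU memory allocation in MB";
 };
+
+flipCamera = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = "Flip camera image vertically and horizontally (180 degree rotation)";
+};
+
 };
 
 config = {
+nix.settings.trusted-users = [ "sean" ];
+
+# Pre-generated SSH host key for agenix decryption (shared across all Pis)
+services.openssh.hostKeys = [
+{
+path = "/etc/ssh/ssh_host_ed25519_key";
+type = "ed25519";
+}
+];
+
+environment.etc."ssh/ssh_host_ed25519_key" = {
+source = /home/sean/nixos-config/secrets/pi_host_key;
+mode = "0600";
+};
+
+# Agenix configuration - use Nix store path directly so the key is available
+# before the etc activation script runs (agenix activates before etc)
+age.identityPaths = [ "${/home/sean/nixos-config/secrets/pi_host_key}" ];
+age.secrets.wifi = {
+file = ../../secrets/wifi.age;
+mode = "0444";
+};
+
+# WiFi configuration using wpa_supplicant with agenix credentials
+networking.wireless = {
+enable = true;
+secretsFile = config.age.secrets.wifi.path;
+networks."GL-MT6000-6a6".pskRaw = "ext:WIFI_PSK";
+};
+
+# Enable DHCP for ethernet
+networking.useDHCP = true;
 # Add device tree overlay for dtmerge support
 nixpkgs.overlays = [ deviceTree_overlay ];
 
@@ -146,7 +185,7 @@
 settings = {
 ffmpeg.bin = "${pkgs.ffmpeg}/bin/ffmpeg";
 streams = {
-"${cfg.streamName}" = "exec:${rpicam-apps}/bin/rpicam-vid -t 0 --width ${toString cfg.resolution.width} --height ${toString cfg.resolution.height} --framerate ${toString cfg.framerate} --codec h264 --inline -o -";
+"${cfg.streamName}" = "exec:${rpicam-apps}/bin/rpicam-vid -t 0 --width ${toString cfg.resolution.width} --height ${toString cfg.resolution.height} --framerate ${toString cfg.framerate} --codec h264 --inline${lib.optionalString cfg.flipCamera " --vflip --hflip"} -o -";
 };
 };
 };
@@ -319,9 +358,6 @@
 cp -r ${pkgs.raspberrypifw}/share/raspberrypi/boot/overlays ./firmware/
 fi
 '';
-
-# Networking
-networking.networkmanager.enable = true;
 
 # Firewall
 networking.firewall.allowedTCPPorts = [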
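Review bot: The Pi's private host key is copied into the world-readable Nix store by both `source = /home/sean/nixos-config/secrets/pi_host_key;` and the interpolated path in `age.identityPaths`, in the hunk that opens `config = {`. Any local user or service on the Pi, and anyone who obtains the built SD image, can then read the key that decrypts `secrets/wifi.age` and authenticates the host over SSH, which undoes the benefit of keeping the file out of git. Point agenix at a key outside the store, for example `age.identityPaths = [ "/var/lib/agenix/pi_host_key" ];` (placeholder path), and put the key on the card after the image is built; that also avoids the etc-ordering problem the comment describes. `mode = "0444"` on `age.secrets.wifi` leaves the decrypted PSK readable by every user, so prefer `mode = "0400";` with `owner` set to whichever account wpa_supplicant runs as. `nix.settings.trusted-users = [ "sean" ];` gives that account root-equivalent control of the Nix daemon and deserves a comment saying why the Pis need it.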
+14
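--- a/hosts/pizero/configuration.nix
+++ b/hosts/pizero/configuration.nix
@@ -13,7 +13,21 @@
 deviceTreeFilter = "bcm2837-rpi-zero-2-w.dtb";
 deviceTreeCompatible = "brcm,bcm2837";
 gpuMem = 128;
+flipCamera = true;
 };
+
+# Use RPi kernel which includes IMX708 camera driver (not in default kernel)
+boot.kernelPackages = pkgs.linuxPackages_rpi3;
+
+# Mainline kernel's BCM2837 DTB lacks RPi-specific labels (i2c0if, cam1_clk, etc.)
+# needed by the camera overlay. Disable NixOS DTB so U-Boot uses the firmware's
+# DTB (which has all RPi labels and the imx708 overlay applied via config.txt).
+hardware.deviceTree.enable = lib.mkForce false;
+sdImage.populateFirmwareCommands = lib.mkAfter ''
+chmod u+w ./firmware/config.txt
+echo "dtoverlay=imx708" >> ./firmware/config.txt
+echo "camera_auto_detect=1" >> ./firmware/config.txt
+'';
 
 system.stateVersion = "24.11";
 }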
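Review bot: `camera_auto_detect=1` is appended right after an explicit `dtoverlay=imx708`, and Raspberry Pi's camera documentation pairs a manually named sensor overlay with `camera_auto_detect=0`, so the two settings may work against each other. If the explicit overlay is what makes the camera come up, `echo "camera_auto_detect=0" >> ./firmware/config.txt` is the matching line; if auto-detection is sufficient, the `dtoverlay` line can go. Both appends land after whatever section filter `config.txt` ends with, which is not visible here, so it is worth confirming they apply to the Zero 2 W rather than to another board's section.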
+15
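--- a/secrets.nix
+++ b/secrets.nix
@@ -0,0 +1,15 @@
+# Public keys that can decrypt secrets
+let
+# User keys (for editing secrets) - Yubikey-backed
+sean = "age1yubikey1qw64ag5lzvn9ekrflu5ruj4a6ucycscl6ctk39fjzf76jptsay39z442pxv";
+
+# Host keys (for decrypting at boot)
+# Shared key for all Pi devices
+pi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACsAOLqT+aePFhKDQNXa4m+fikA+Aaig26YUa+WZFNz";
+
+allUsers = [ sean ];
+allPis = [ pi ];
+in
+{
+"secrets/wifi.age".publicKeys = allUsers ++ allPis;
+}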
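Review bot: A single `pi` recipient shared by every Pi means the same private key has to live on every board, so losing or retiring one device exposes every secret encrypted to `allPis` and forces a re-key for all of them. Listing one host key per device, such as `pizero = "ssh-ed25519 <pizero host public key>";`, and building `allPis` from those entries limits revocation to removing one line and re-running the re-key. Because the same key also serves as the SSH host key, clients cannot distinguish one Pi from another by host key, which the "Shared key for all Pi devices" comment could state explicitly.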
+8
secrets/wifi.age
··· 1 + age-encryption.org/v1 2 + -> piv-p256 E31U2g A+spFtc3Miia7lQTmUOc+SbIG2gi3GvDUegwEcsdJ/00 3 + hB3M3NGnqg9oj2Jk6uukOIE1kH1Z1ZUyd8JYPaxvKzU 4 + -> ssh-ed25519 0pXr6w Zq8AqocMRa3T46I29OF55XrchCk+MuZLcb6sUZkks3A 5 + Qa32oUCr7e0CEULhcGDfkIGzTXX+IabsHDEatagO5mg 6 + --- 96nnTQPL3aJmfnbfT8M6S6QBM+HQkEahe9rIrwercIE 7 + >�ء�����i5 8 + ����������$G���xIp�o�����hg���n��6���u��h�9]�3�Vݵ(��/�C�u