chore(flake): update flake lock to the latest version

Reviewed-on: #23

INSTALLATION.md

@@ -4,7 +4,6 @@
 - For simplicity I'm using device labels rather than uuids
 
 1. the partitioning layout should look somewhat like this after the installation
-
 ```bash
 NAME               MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
 nvme0n1            259:0    0 476.9G  0 disk
@@ -13,25 +12,26 @@ nvme0n1            259:0    0 476.9G  0 disk
   └─cryptroot      254:0    0 474.9G  0 crypt
     ├─lvmroot-swap 254:1    0    20G  0 lvm   [SWAP]
     ├─lvmroot-home 254:2    0   250G  0 lvm   /home
-    └─lvmroot-root 254:3    0 204.9G  0 lvm   /nix/store
+    └─lvmroot-root 254:3    0 204.9G  0 lvm   /
 ```
 
-2. prepare the installation
+> Note: `lsblk` may additionally show `/nix/store` as a mountpoint on `lvmroot-root`. This is not a separate partition. NixOS mounts the root device a second time at `/nix/store` with `ro,nosuid,nodev` flags to enforce store immutability at runtime.
 
+2. prepare the installation
 ```bash
 # format the boot partition
-mkfs.fat -F 32 /dev/sda1 -n "nixboot"
+mkfs.fat -F 32 /dev/nvme0n1p1 -n "nixboot"
 # create an encrypted partition
-cryptsetup luksFormat -y --label="nixcrypt" /dev/sda2
+cryptsetup luksFormat -y --label="nixcrypt" /dev/nvme0n1p2
 # open the encrypted partition and map it to /dev/mapper/cryptroot
-cryptsetup luksOpen /dev/sda2 cryptroot
+cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
 
 # create the physical volume
 pvcreate /dev/mapper/cryptroot
 # create a volume group inside
 vgcreate lvmroot /dev/mapper/cryptroot
 # create the swap volume
-lvcreate --size 8G lvmroot --name nwap
+lvcreate --size 8G lvmroot --name swap
 # if you desire, create a home volume
 lvcreate --size 150G lvmroot --name home
 # create the root volume
@@ -47,7 +47,7 @@ mkswap -L "nixswap" /dev/mapper/lvmroot-swap
 # mount root
 mount /dev/disk/by-label/nixroot /mnt
 # mount boot
-mount --mkdir /dev/sda1 /mnt/boot
+mount --mkdir /dev/nvme0n1p1 /mnt/boot
 # again, if you did the home volume
 mount --mkdir /dev/disk/by-label/nixhome /mnt/home
 # turn on swap
@@ -55,13 +55,12 @@ swapon /dev/disk/by-label/nixswap
 ```
 
 3. prepare nixos
-
 ```bash
 # generate templates and update the hardware-configuration.nix
-sudo nixos-generate-config --root /mnt
+nixos-generate-config --root /mnt
 
-# add cryptd to the kernelModules
-boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ];
+# add dm-crypt and dm-mod to the kernelModules
+boot.initrd.kernelModules = [ "dm-crypt" "dm-mod" ];
 
 # add file systems using labels
 fileSystems."/" =
@@ -86,25 +85,20 @@ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/nixcrypt";
 ```
 
 4. install nixos
-
 ```bash
-cd /mnt
-sudo nixos-install
+nixos-install
 ```
 
-## how to deploy the inital config
-
+## how to deploy the initial config
 - Don't forget to install the bootloader, if you changed it since `nixos-install`
-
 ```bash
 $ sudo nixos-rebuild --install-bootloader switch --flake .#host_name
 ```
 
 ## how to upgrade the system
-
 ```bash
 $ cd /path/to/repo
-$ sudo nix flake update
+$ nix flake update
 $ sudo nixos-rebuild switch --flake .#host_name
 $ sudo nix-collect-garbage
 ```
@@ -114,7 +108,6 @@ $ sudo nix-collect-garbage
 The tool nix-helper is installed by this configuration. It simplifies administrating nixos and adds more output to the rebuild command. It also features a diff after a successful build. The command uses the `NH_FLAKE` environment variable to be able to run from whatever directory.
 
 Basic commands with a set `NH_FLAKE` variable are:
-
 ```bash
 $ nh os switch
 $ nh os build

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770491427,
-        "narHash": "sha256-8b+0vixdqGnIIcgsPhjdX7EGPdzcVQqYxF+ujjex654=",
+        "lastModified": 1772633327,
+        "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cbd8a72e5fe6af19d40e2741dc440d9227836860",
+        "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc",
         "type": "github"
       },
       "original": {
@@ -43,11 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1770197578,
-        "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
+        "lastModified": 1772542754,
+        "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
+        "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1770388595,
-        "narHash": "sha256-0NvpmDqFcJAtRFJE3RDZWnN7PDJBZutoDtN+Cl8a3DY=",
+        "lastModified": 1772402258,
+        "narHash": "sha256-3DmCFOdmbkFML1/G9gj8Wb+rCCZFPOQtNoMCpqOF8SA=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "51abc532525e486176f9a7b24b17908c60017b54",
+        "rev": "21ae25e13b01d3b4cdc750b5f9e7bad68b150c10",
         "type": "github"
       },
       "original": {
@@ -83,14 +83,15 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "noctalia-qs": "noctalia-qs"
       },
       "locked": {
-        "lastModified": 1770543184,
-        "narHash": "sha256-2FFYjurrYjCAT6bpN2Fv63G6vDuWybB91uvqBjJfcWE=",
+        "lastModified": 1772639853,
+        "narHash": "sha256-u8/61CqpmQprdEiVYHnzZe1Ujv98+MRPJdFuAaOmp4c=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "bf1a0f76bb5ca48991d51130022af6bead64d153",
+        "rev": "13dad396520b05691bf1fea1af11f94d3ce4142d",
         "type": "github"
       },
       "original": {
@@ -99,6 +100,27 @@
         "type": "github"
       }
     },
+    "noctalia-qs": {
+      "inputs": {
+        "nixpkgs": [
+          "noctalia",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772227064,
+        "narHash": "sha256-f821ZSoGpa/aXrWq0gPpea9qBnX8KDyavGKkptz2Mog=",
+        "owner": "noctalia-dev",
+        "repo": "noctalia-qs",
+        "rev": "0741d27d2f7db567270f139c5d1684614ecf9863",
+        "type": "github"
+      },
+      "original": {
+        "owner": "noctalia-dev",
+        "repo": "noctalia-qs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "home-manager": "home-manager",

hosts/neon/configuration.nix

@@ -5,6 +5,7 @@
     ../../modules/nixos/audio.nix
     ../../modules/nixos/bootloader.nix
     ../../modules/nixos/certificates.nix
+    ../../modules/nixos/docker.nix
     ../../modules/nixos/gnupg.nix
     ../../modules/nixos/locales.nix
     ../../modules/nixos/networking.nix

modules/nixos/docker.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ...}:
+
+{
+  virtualisation.docker = {
+    enable = true;
+    # Customize Docker daemon settings
+    daemon.settings = {
+      dns = [ "1.1.1.1" "8.8.8.8" ];
+      log-driver = "journald";
+      registry-mirrors = [ "https://mirror.gcr.io" ];
+      storage-driver = "overlay2";
+    };
+    # Use the rootless mode
+    rootless = {
+      enable = true;
+      setSocketVariable = true;
+    };
+    # Install docker-compose
+    extraPackages = with pkgs; [
+      docker-compose
+    ];
+  };
+}

modules/nixos/openssh.nix

@@ -5,5 +5,15 @@
   services.openssh = {
     enable = true;
     openFirewall = true;
+    ports = [ 666 ];
+
+    settings = {
+      AuthenticationMethods = "publickey";
+      KbdInteractiveAuthentication = false;
+      MaxAuthTries = 5;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+      X11Forwarding = false;
+    };
   };
 }

modules/nixos/users.nix

@@ -5,7 +5,7 @@
   users.users.aaron = {
     isNormalUser = true;
     group = "users";
-    extraGroups = [ "wheel" "networkmanager" ];
+    extraGroups = [ "wheel" "networkmanager" "docker" ];
     shell = pkgs.zsh;
   };