M .sops.yaml => .sops.yaml +7 -0
@@ 1,6 1,7 @@
keys:
- &liljamo_gpg 848EEBCEE9F0D29D25C321A658577946A65EB712
- &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
+ - &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
creation_rules:
- path_regex: secrets/arwen/[^/]+\.yaml$
key_groups:
@@ 8,3 9,9 @@ creation_rules:
- *liljamo_gpg
age:
- *arwen
+ - path_regex: secrets/alice/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *alice
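Review bot: The new `path_regex` for alice is anchored only at the end, so `secrets/alice/x.yaml` also matches if that substring appears deeper in a path (for example under a vendored or copied tree), which would silently encrypt such a file to the alice host key. The pre-existing arwen rule has the same shape, so this is consistent with the file, but anchoring the new rule as `path_regex: ^secrets/alice/[^/]+\.yaml$` keeps the key group bound to exactly the intended directory.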
A hosts/alice/default.nix => hosts/alice/default.nix +31 -0
@@ 0,0 1,31 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.skyePwd.neededForUsers = true;
+
+ roles.base = {
+ root = {
+ hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ };
+ primaryUser = {
+ username = "skye";
+ isWheel = true;
+ hashedPasswordFile = config.sops.secrets.skyePwd.path;
+ };
+ };
+
+ #roles.audio.enable = true;
+
+ roles.git = {
+ enable = true;
+ enableLazygit = true;
+ email = "jonni@liljamo.com";
+ name = "Jonni Liljamo";
+ gitExtraConfig = ''
+ [sendemail]
+ smtpserver = "smtp.migadu.com"
+ smtpuser = "jonni@liljamo.com"
+ smtpencryption = "ssl"
+ smtpserverport = 465
+ '';
+ };
+}
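Review bot: The commented-out `#roles.audio.enable = true;` is dead configuration in a freshly added file; either drop it or turn it into a real comment that says why audio is left off on this host, e.g. `# audio role disabled for now: <reason>`. Otherwise it reads as an accidental leftover to whoever next touches the file.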
A secrets/alice/secrets.yaml => secrets/alice/secrets.yaml +34 -0
@@ 0,0 1,34 @@
+rootPwd: ENC[AES256_GCM,data:f/MJStmXqi3xtJ5Ytx9Ghhvn8WJU03Su+4rh2I3LLXjM2FTOQxEoh/MGP1p0kWcgMZ4nGHYiBkv30rffi977rn1FBGOtSrLFxg4KnK/XLhAydyDgMPxS9zfilROgw/tFXxvQSjmvsWIawg==,iv:QkJ6cvorNHoliCTyM/e7Eg4lrwusKTlmLvxglbe31VY=,tag:zV8NAr6f7HMle8X/GbXYtg==,type:str]
+skyePwd: ENC[AES256_GCM,data:l5v8p9LWmmjuaKeepUjwKbFwa0t20YQKa5N9yPZ8f3KTxTNU+v4NWaWKMD6/58h4fBYmx1ASvrxsy8XubDKFT8ZxY8UAbbqpECcB4yn92y8MHYDRZ4Hvay6Rt+a7b8hO8kXT3pnHY6IauA==,iv:p5RTnpPiAPMvGyZAJbm/uEL3z8n4z9rur6oQVFd09yI=,tag:1TxC3vlRKKkKVvP4eitsqg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMjVEelhGL24xdXN4Yytm
+ OEdBK1N2NDAzWXN2UW8zZHhEL3B5azQ1WHhRCnpBK09oVkNnbWpBcVY2cnVBdmFV
+ QkZMYjViMnJUakVGS2ZLd3A2anJSL28KLS0tIFVNcnRDbWZxRC9VUTh6QXIrRkl2
+ L1UrbUlZR2dtd0hUSWl6ZzVoaXVEVGMKzR3EgxBDGchoH2ADTx6pYorGzZDU5vOi
+ pZIxM2NusqPaSevYmqQZ7qx3TEHPaOimVgvszJex84MPxKqWPIspZw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-20T09:38:56Z"
+ mac: ENC[AES256_GCM,data:OVx04F+cnaFjl3ty00Nesp+l4pCQ6douA21XFU7F2BO5RB7bBPqDdaSeCR4OdaQTg3fze1GySK5+Em13aIuo1iApiZSSXhIVugFdKR+J4wclown10WWwfEQV173xtHTiKXNHTDH0l31aJe/W/fzTcjOKGzMUspMlv7JBYOB+MJ8=,iv:Y0yJ84OZUsuy9Bv23vK3qZdLkMBPEwcJZNFXa/omjHE=,tag:cyaBa84KwLGtJOlwB571YA==,type:str]
+ pgp:
+ - created_at: "2024-07-20T09:37:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAZUP2pecsSOHt8BOXnlqlnbaeh14fAnVp4SiyyNtnXWww
+ 6qSEQOlesOAO3KDQVIrCSbQ7JhJhqrVDDw8IwsDXRZ6tWU9fpayu8dezRylxYzlm
+ 1GgBCQIQ82R4An/41ZtKuEtO0+Bq/0rxdJrDKjg3owiZNvVuGGykzUV3A0RKN527
+ AqWz+B81KjNGLcSQj0dW7clzslXnpluf5csdijR4558LlGPlPZdg5rzwOs0ThRfS
+ td0OFLngSJPKfQ==
+ =N06L
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
A systems/hosts/alice/default.nix => systems/hosts/alice/default.nix +51 -0
@@ 0,0 1,51 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r zpool/root@blank
+ '';
+
+ sops.defaultSopsFile = ../../../secrets/alice/secrets.yaml;
+ sops.gnupg.sshKeyPaths = ["/persist/etc/ssh/ssh_host_rsa_key"];
+ sops.age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+
+ networking.hostId = "bc56f04f";
+ networking.networkmanager.enable = true;
+
+ time.timeZone = "Europe/Helsinki";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services.xserver.xkb.layout = "us";
+
+ environment.systemPackages = with pkgs; [
+ inputs.nvim-flake.packages.x86_64-linux.nvim
+ vim
+ wget
+ git
+ ];
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/etc/nixos"
+ "/etc/ssh"
+ "/var/lib/tailscale"
+ ];
+ };
+
+ services.openssh.enable = true;
+
+ services.pcscd.enable = true;
+ programs.gnupg.agent.enable = true;
+
+ system.stateVersion = "24.05";
+}
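Review bot: `environment.persistence."/persist".directories` does not include `/var/lib/nixos` or `/var/log`, while `boot.initrd.postDeviceCommands` rolls `zpool/root` back to `@blank` on every boot, so anything outside the listed directories is discarded. `/var/lib/nixos` holds the declarative uid/gid allocations, and losing it can cause ids to be reassigned between boots; losing `/var/log` means nothing survives a reboot for later investigation. Consider adding `"/var/lib/nixos"` and `"/var/log"` to `directories`. Separately, `sops.gnupg.sshKeyPaths` points at the RSA host key, but the committed secrets.yaml only lists the liljamo_gpg fingerprint as a PGP recipient alongside the alice age recipient, so unless that fingerprint is the host key's, the age path is the only one that can decrypt on this host and the gnupg line looks unused.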
A systems/hosts/alice/hardware-configuration.nix => systems/hosts/alice/hardware-configuration.nix +58 -0
@@ 0,0 1,58 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.systemd-boot.configurationLimit = 9;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = ["zfs"];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
+ boot.supportedFilesystems = ["zfs"];
+
+ fileSystems."/" = {
+ device = "zpool/root";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/home" = {
+ device = "zpool/home";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/nix" = {
+ device = "zpool/nix";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/persist" = {
+ device = "zpool/persist";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/3DA8-297C";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
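Review bot: `fileSystems."/boot"` mounts the ESP with `fmask=0022`/`dmask=0022`, which makes everything on it world-readable; with `boot.loader.systemd-boot.enable = true` that includes any random-seed file systemd-boot keeps there, which bootctl reports as insecure when the ESP is world accessible. The current nixos-generate-config output uses `options = ["fmask=0077" "dmask=0077"];`, and nothing on this host needs unprivileged read access to `/boot`, so tightening it is free.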
M systems/hosts/default.nix => systems/hosts/default.nix +10 -1
@@ 1,4 1,13 @@
-{laptop, ...}: {
+{
+ desktop,
+ laptop,
+ ...
+}: {
+ alice = {
+ system = "x86_64-linux";
+ profile = desktop;
+ modules = [];
+ };
arwen = {
system = "x86_64-linux";
profile = laptop;
M systems/profiles/default.nix => systems/profiles/default.nix +1 -0
@@ 1,3 1,4 @@
inputs: {
+ desktop = import ./desktop inputs;
laptop = import ./laptop inputs;
}
A systems/profiles/desktop/default.nix => systems/profiles/desktop/default.nix +17 -0
@@ 0,0 1,17 @@
+inputs @ {
+ home-manager,
+ impermanence,
+ sops-nix,
+ ...
+}: {
+ modules = [
+ sops-nix.nixosModules.sops
+ impermanence.nixosModules.impermanence
+ home-manager.nixosModules.home-manager
+
+ ../../../roles
+ ];
+ specialArgs = {
+ inherit inputs;
+ };
+}