From 8b6421e3ef8d352b64a9d357349f7a00f64b1f8f Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Sat, 20 Jul 2024 12:52:45 +0300
Subject: [PATCH] feat: add alice and components needed for it
---
.sops.yaml | 7 +++
hosts/alice/default.nix | 31 ++++++++++
secrets/alice/secrets.yaml | 34 +++++++++++
systems/hosts/alice/default.nix | 51 ++++++++++++++++
.../hosts/alice/hardware-configuration.nix | 58 +++++++++++++++++++
systems/hosts/default.nix | 11 +++-
systems/profiles/default.nix | 1 +
systems/profiles/desktop/default.nix | 17 ++++++
8 files changed, 209 insertions(+), 1 deletion(-)
create mode 100644 hosts/alice/default.nix
create mode 100644 secrets/alice/secrets.yaml
create mode 100644 systems/hosts/alice/default.nix
create mode 100644 systems/hosts/alice/hardware-configuration.nix
create mode 100644 systems/profiles/desktop/default.nix
diff --git a/.sops.yaml b/.sops.yaml
index cdb8c22..bae6809 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
 - &liljamo_gpg 848EEBCEE9F0D29D25C321A658577946A65EB712
 - &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
+ - &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
 creation_rules:
 - path_regex: secrets/arwen/[^/]+\.yaml$
 key_groups:
@@ -8,3 +9,9 @@ creation_rules:
 - *liljamo_gpg
 age:
 - *arwen
+ - path_regex: secrets/alice/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *alice
diff --git a/hosts/alice/default.nix b/hosts/alice/default.nix
new file mode 100644
index 0000000..906f9f0
--- /dev/null
+++ b/hosts/alice/default.nix
@@ -0,0 +1,31 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.skyePwd.neededForUsers = true;
+
+ roles.base = {
+ root = {
+ hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ };
+ primaryUser = {
+ username = "skye";
+ isWheel = true;
+ hashedPasswordFile = config.sops.secrets.skyePwd.path;
+ };
+ };
+
+ #roles.audio.enable = true;
+
+ roles.git = {
+ enable = true;
+ enableLazygit = true;
+ email = "jonni@liljamo.com";
+ name = "Jonni Liljamo";
+ gitExtraConfig = ''
+ [sendemail]
+ smtpserver = "smtp.migadu.com"
+ smtpuser = "jonni@liljamo.com"
+ smtpencryption = "ssl"
+ smtpserverport = 465
+ '';
+ };
+}
diff --git a/secrets/alice/secrets.yaml b/secrets/alice/secrets.yaml
new file mode 100644
index 0000000..5f21b59
--- /dev/null
+++ b/secrets/alice/secrets.yaml
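Review bot: The identity and `[sendemail]` settings inside `roles.git` (`email`, `name`, `gitExtraConfig`) describe a person rather than this machine, and they look like they would be repeated verbatim in every host file that enables the role; consider making them the role's defaults so a host only overrides what differs. The commented-out `#roles.audio.enable = true;` should either be removed or carry a one-line comment stating why the audio role stays off on alice, since a bare disabled line reads as an accident. The `smtpuser` is a plain identifier and no credential is committed here, which is the right split with the sops-managed secrets.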
@@ -0,0 +1,34 @@
+rootPwd: ENC[AES256_GCM,data:f/MJStmXqi3xtJ5Ytx9Ghhvn8WJU03Su+4rh2I3LLXjM2FTOQxEoh/MGP1p0kWcgMZ4nGHYiBkv30rffi977rn1FBGOtSrLFxg4KnK/XLhAydyDgMPxS9zfilROgw/tFXxvQSjmvsWIawg==,iv:QkJ6cvorNHoliCTyM/e7Eg4lrwusKTlmLvxglbe31VY=,tag:zV8NAr6f7HMle8X/GbXYtg==,type:str]
+skyePwd: ENC[AES256_GCM,data:l5v8p9LWmmjuaKeepUjwKbFwa0t20YQKa5N9yPZ8f3KTxTNU+v4NWaWKMD6/58h4fBYmx1ASvrxsy8XubDKFT8ZxY8UAbbqpECcB4yn92y8MHYDRZ4Hvay6Rt+a7b8hO8kXT3pnHY6IauA==,iv:p5RTnpPiAPMvGyZAJbm/uEL3z8n4z9rur6oQVFd09yI=,tag:1TxC3vlRKKkKVvP4eitsqg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMjVEelhGL24xdXN4Yytm
+ OEdBK1N2NDAzWXN2UW8zZHhEL3B5azQ1WHhRCnpBK09oVkNnbWpBcVY2cnVBdmFV
+ QkZMYjViMnJUakVGS2ZLd3A2anJSL28KLS0tIFVNcnRDbWZxRC9VUTh6QXIrRkl2
+ L1UrbUlZR2dtd0hUSWl6ZzVoaXVEVGMKzR3EgxBDGchoH2ADTx6pYorGzZDU5vOi
+ pZIxM2NusqPaSevYmqQZ7qx3TEHPaOimVgvszJex84MPxKqWPIspZw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-20T09:38:56Z"
+ mac: ENC[AES256_GCM,data:OVx04F+cnaFjl3ty00Nesp+l4pCQ6douA21XFU7F2BO5RB7bBPqDdaSeCR4OdaQTg3fze1GySK5+Em13aIuo1iApiZSSXhIVugFdKR+J4wclown10WWwfEQV173xtHTiKXNHTDH0l31aJe/W/fzTcjOKGzMUspMlv7JBYOB+MJ8=,iv:Y0yJ84OZUsuy9Bv23vK3qZdLkMBPEwcJZNFXa/omjHE=,tag:cyaBa84KwLGtJOlwB571YA==,type:str]
+ pgp:
+ - created_at: "2024-07-20T09:37:59Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAZUP2pecsSOHt8BOXnlqlnbaeh14fAnVp4SiyyNtnXWww
+ 6qSEQOlesOAO3KDQVIrCSbQ7JhJhqrVDDw8IwsDXRZ6tWU9fpayu8dezRylxYzlm
+ 1GgBCQIQ82R4An/41ZtKuEtO0+Bq/0rxdJrDKjg3owiZNvVuGGykzUV3A0RKN527
+ AqWz+B81KjNGLcSQj0dW7clzslXnpluf5csdijR4558LlGPlPZdg5rzwOs0ThRfS
+ td0OFLngSJPKfQ==
+ =N06L
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/hosts/alice/default.nix b/systems/hosts/alice/default.nix
new file mode 100644
index 0000000..5c0bacb
--- /dev/null
+++ b/systems/hosts/alice/default.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r zpool/root@blank
+ '';
+
+ sops.defaultSopsFile = ../../../secrets/alice/secrets.yaml;
+ sops.gnupg.sshKeyPaths = ["/persist/etc/ssh/ssh_host_rsa_key"];
+ sops.age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+
+ networking.hostId = "bc56f04f";
+ networking.networkmanager.enable = true;
+
+ time.timeZone = "Europe/Helsinki";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services.xserver.xkb.layout = "us";
+
+ environment.systemPackages = with pkgs; [
+ inputs.nvim-flake.packages.x86_64-linux.nvim
+ vim
+ wget
+ git
+ ];
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/etc/nixos"
+ "/etc/ssh"
+ "/var/lib/tailscale"
+ ];
+ };
+
+ services.openssh.enable = true;
+
+ services.pcscd.enable = true;
+ programs.gnupg.agent.enable = true;
+
+ system.stateVersion = "24.05";
+}
diff --git a/systems/hosts/alice/hardware-configuration.nix b/systems/hosts/alice/hardware-configuration.nix
new file mode 100644
index 0000000..fb7d5fb
--- /dev/null
+++ b/systems/hosts/alice/hardware-configuration.nix
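Review bot: `services.openssh.enable = true;` is set with stock settings, and on NixOS 24.05 that leaves `PasswordAuthentication` (and `KbdInteractiveAuthentication`) at their default of yes, so the `skye` account provisioned with a sops-managed password hash in hosts/alice/default.nix becomes reachable by online password guessing from anywhere sshd is exposed; root stays at the `prohibit-password` default, so only the wheel user is affected. Unless password logins over SSH are intended, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line and rely on keys. The persisted `/var/lib/tailscale` directory suggests the service itself is enabled by a role outside this hunk; if that overlay is the only remote path, the tightening still costs nothing and removes the one credential-based login on the host.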
@@ -0,0 +1,58 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.systemd-boot.configurationLimit = 9;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = ["zfs"];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
+ boot.supportedFilesystems = ["zfs"];
+
+ fileSystems."/" = {
+ device = "zpool/root";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/home" = {
+ device = "zpool/home";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/nix" = {
+ device = "zpool/nix";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/persist" = {
+ device = "zpool/persist";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/3DA8-297C";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index 24ffdc2..fd7c6fa 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -1,4 +1,13 @@
-{laptop, ...}: {
+{
+ desktop,
+ laptop,
+ ...
+}: {
+ alice = {
+ system = "x86_64-linux";
+ profile = desktop;
+ modules = [];
+ };
 arwen = {
 system = "x86_64-linux";
 profile = laptop;
diff --git a/systems/profiles/default.nix b/systems/profiles/default.nix
index 07f5ac2..d6bb3f8 100644
--- a/systems/profiles/default.nix
+++ b/systems/profiles/default.nix
@@ -1,3 +1,4 @@
 inputs: {
+ desktop = import ./desktop inputs;
 laptop = import ./laptop inputs;
 }
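Review bot: The `fileSystems."/boot"` entry mounts the ESP with `fmask=0022`/`dmask=0022`, which leaves the kernel, initrd and systemd-boot's files (including its random-seed file) readable by every local user; more recent nixos-generate-config output uses 0077 for this mount for that reason. Change the line to `options = ["fmask=0077" "dmask=0077"];` unless something on this host genuinely needs unprivileged reads of `/boot`. This file is the generator's template with hand-added systemd-boot and zfs lines, so a header comment stating that it is maintained by hand (e.g. `# Hand-edited: do not regenerate with nixos-generate-config`) would stop a later regeneration from silently dropping those edits.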
diff --git a/systems/profiles/desktop/default.nix b/systems/profiles/desktop/default.nix
new file mode 100644
index 0000000..e4402e1
--- /dev/null
+++ b/systems/profiles/desktop/default.nix
@@ -0,0 +1,17 @@
+inputs @ {
+ home-manager,
+ impermanence,
+ sops-nix,
+ ...
+}: {
+ modules = [
+ sops-nix.nixosModules.sops
+ impermanence.nixosModules.impermanence
+ home-manager.nixosModules.home-manager
+
+ ../../../roles
+ ];
+ specialArgs = {
+ inherit inputs;
+ };
+}
--
2.44.1