diff --git a/.sops.yaml b/.sops.yaml
index c85269f..dc73336 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
   - &host_rico0 age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt
   - &host_rico1 age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4
   - &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf
+  - &host_wynne age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0
 creation_rules:
   - path_regex: secrets.yaml
     key_groups:
@@ -13,3 +14,4 @@ creation_rules:
           - *host_rico0
           - *host_rico1
           - *host_rico2
+          - *host_wynne
diff --git a/flake.nix b/flake.nix
index 794d9c7..e57dde7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -151,6 +151,28 @@
         ./hosts/rico2
       ];
     };
+    Wynne =
+      let
+        hostname = "Wynne";
+        system = "x86_64-linux";
+        username = "adtya";
+      in
+      nixpkgs.lib.nixosSystem {
+        inherit system;
+        pkgs = packages system;
+        specialArgs = { inherit inputs username; };
+        modules = [
+          {
+            system.configurationRevision = lib.mkIf (self ? rev) self.rev;
+            networking.hostName = lib.mkDefault hostname;
+            nixpkgs.hostPlatform = lib.mkDefault system;
+          }
+          lix-module.nixosModules.default
+          sops-nix.nixosModules.sops
+          ./common
+          ./hosts/wynne
+        ];
+      };
   };
 
   deploy.nodes = {
diff --git a/hosts/wynne/default.nix b/hosts/wynne/default.nix
new file mode 100644
index 0000000..f8be441
--- /dev/null
+++ b/hosts/wynne/default.nix
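Review bot: The existing `secrets.yaml` is not re-encrypted for the new `*host_wynne` recipient by the second hunk alone; sops only applies a changed key group when `sops updatekeys secrets.yaml` is run against the file, and the re-encrypted `secrets.yaml` is not visible in this diff. If that step was skipped, the host defined in the flake.nix hunk will fail at activation when sops-nix tries to decrypt `wireguard/wynne/pk` and `wireguard/wynne/psk`. A short comment next to the new anchor, `# after adding a recipient, run: sops updatekeys secrets.yaml`, would make the required follow-up obvious to the next person who adds a host.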
@@ -0,0 +1,28 @@
+_: {
+  imports = [ ./hardware ./programs ./services ./network.nix ./security.nix ];
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+      LC_ALL = "en_US.UTF-8";
+    };
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+  };
+
+  time.timeZone = "Asia/Kolkata";
+  system = {
+    switch = {
+      enable = false;
+      enableNg = true;
+    };
+    stateVersion = "24.05";
+  };
+}
diff --git a/hosts/wynne/hardware/default.nix b/hosts/wynne/hardware/default.nix
new file mode 100644
index 0000000..41eb6b1
--- /dev/null
+++ b/hosts/wynne/hardware/default.nix
@@ -0,0 +1,30 @@
+{ lib, pkgs, ... }: {
+  imports = [ ./filesystem.nix ];
+
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault true;
+    enableRedistributableFirmware = true;
+  };
+
+  boot = {
+    consoleLogLevel = 3;
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];
+      kernelModules = [ "i915" ];
+      systemd.enable = true;
+    };
+    kernelModules = [ "kvm-intel" ];
+    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+    kernelParams = [ "quiet" ];
+    kernel.sysctl = {
+      "vm.swappiness" = 10;
+      "vm.dirty_ratio" = 3;
+    };
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    supportedFilesystems = [ "vfat" "btrfs" "ext4" ];
+  };
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+}
diff --git a/hosts/wynne/hardware/filesystem.nix b/hosts/wynne/hardware/filesystem.nix
new file mode 100644
index 0000000..6384a3e
--- /dev/null
+++ b/hosts/wynne/hardware/filesystem.nix
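Review bot: `LC_ALL = "en_US.UTF-8";` in `extraLocaleSettings` of hosts/wynne/default.nix takes precedence over `LANG` and every other `LC_*` variable for all processes, so the nine category settings listed above it are dead and users cannot override a single category for themselves. Dropping the `LC_ALL` line keeps the same effective locale via `defaultLocale` and the individual `LC_*` entries; if the override is intentional, a comment such as `# LC_ALL deliberately pins every category; the LC_* lines above are documentation only` should say so.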
@@ -0,0 +1,40 @@
+_: {
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/persist" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@persist" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/mnt/system" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=/" "compress-force=zstd" "noatime" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-partlabel/WYNNE_BOOT";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-partlabel/WYNNE_SWAP"; }
+  ];
+}
diff --git a/hosts/wynne/network.nix b/hosts/wynne/network.nix
new file mode 100644
index 0000000..d15c672
--- /dev/null
+++ b/hosts/wynne/network.nix
@@ -0,0 +1,27 @@
+{ lib, ... }: {
+  imports = [ ./wireguard.nix ];
+  networking = {
+    nameservers = [
+      "2620:fe::fe#dns.quad9.net"
+      "9.9.9.9#dns.quad9.net"
+      "2620:fe::9#dns.quad9.net"
+      "149.112.112.112#dns.quad9.net"
+    ];
+
+    networkmanager = {
+      enable = true;
+      dhcp = "dhcpcd";
+      dns = "systemd-resolved";
+    };
+
+    useDHCP = lib.mkDefault false;
+  };
+
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    dnsovertls = "true";
+    domains = [ "~." ];
+    fallbackDns = [ ];
+  };
+}
diff --git a/hosts/wynne/programs/default.nix b/hosts/wynne/programs/default.nix
new file mode 100644
index 0000000..00dca37
--- /dev/null
+++ b/hosts/wynne/programs/default.nix
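Review bot: `options = [ "fmask=0022" "dmask=0022" ];` on the `"/boot"` entry in filesystem.nix mounts the ESP world-readable, so any unprivileged local user can read the kernels, initrds and the systemd-boot `loader/random-seed` file kept there; the NixOS systemd-boot module warns about exactly this mode, as far as I recall, and the fix is `options = [ "fmask=0077" "dmask=0077" ];` (or `umask=0077`). The btrfs subvolumes in the same hunk are unaffected, and the change does not alter how the loader reads the partition, since it runs as root.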
@@ -0,0 +1,17 @@
+{ pkgs, ... }: {
+  imports = [
+    ./neovim.nix
+    ./starship.nix
+    ./zsh.nix
+  ];
+
+  programs.git.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+
+}
diff --git a/hosts/wynne/programs/neovim.nix b/hosts/wynne/programs/neovim.nix
new file mode 100644
index 0000000..a70af6e
--- /dev/null
+++ b/hosts/wynne/programs/neovim.nix
@@ -0,0 +1,8 @@
+_: {
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+  };
+}
diff --git a/hosts/wynne/programs/starship.nix b/hosts/wynne/programs/starship.nix
new file mode 100644
index 0000000..3de1b05
--- /dev/null
+++ b/hosts/wynne/programs/starship.nix
@@ -0,0 +1,8 @@
+_: {
+  programs.starship = {
+    enable = true;
+    settings = {
+      add_newline = false;
+    };
+  };
+}
diff --git a/hosts/wynne/programs/zsh.nix b/hosts/wynne/programs/zsh.nix
new file mode 100644
index 0000000..53468ac
--- /dev/null
+++ b/hosts/wynne/programs/zsh.nix
@@ -0,0 +1,10 @@
+_: {
+  programs = {
+    zsh = {
+      enable = true;
+      autosuggestions.enable = true;
+      syntaxHighlighting.enable = true;
+    };
+  };
+  environment.pathsToLink = [ "/share/zsh" ];
+}
diff --git a/hosts/wynne/security.nix b/hosts/wynne/security.nix
new file mode 100644
index 0000000..b2d7da4
--- /dev/null
+++ b/hosts/wynne/security.nix
@@ -0,0 +1,9 @@
+_: {
+  security = {
+    sudo = {
+      wheelNeedsPassword = false;
+    };
+    polkit.enable = true;
+    rtkit.enable = true;
+  };
+}
diff --git a/hosts/wynne/services/btrfs.nix b/hosts/wynne/services/btrfs.nix
new file mode 100644
index 0000000..dc00c6b
--- /dev/null
+++ b/hosts/wynne/services/btrfs.nix
@@ -0,0 +1,6 @@
+_: {
+  services.btrfs.autoScrub = {
+    enable = true;
+    fileSystems = [ "/mnt/system" ];
+  };
+}
diff --git a/hosts/wynne/services/default.nix b/hosts/wynne/services/default.nix
new file mode 100644
index 0000000..680b32a
--- /dev/null
+++ b/hosts/wynne/services/default.nix
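Review bot: `libraspberrypi` and `raspberrypi-eeprom` in `environment.systemPackages` of programs/default.nix do not match the rest of this host, which flake.nix declares as `x86_64-linux` and whose hardware module enables Intel microcode, `kvm-intel` and `i915`; they look carried over from the rico hosts. Either drop the two lines or add a comment above them explaining why an x86 machine ships Raspberry Pi firmware tooling.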
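Review bot: `wheelNeedsPassword = false;` in security.nix gives every wheel member unprompted root, so a hijacked user shell or forwarded SSH agent on this host escalates to root with no second check. If the exemption exists for the deployer (the `deploy.nodes` attribute in flake.nix suggests an automated deploy user that needs non-interactive sudo), consider restricting it to that account or command set with `security.sudo.extraRules` and leaving `wheelNeedsPassword = true;` for interactive users; at minimum a comment stating the reason, e.g. `# passwordless sudo required by the deploy user; revisit if interactive accounts are added`, should accompany it. `rtkit.enable = true;` is a realtime-scheduling helper for audio workloads and is likely unnecessary on a host with no audio configuration in this change.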
@@ -0,0 +1,3 @@
+_: {
+  imports = [ ./btrfs.nix ./ssh.nix ];
+}
diff --git a/hosts/wynne/services/ssh.nix b/hosts/wynne/services/ssh.nix
new file mode 100644
index 0000000..7cba6eb
--- /dev/null
+++ b/hosts/wynne/services/ssh.nix
@@ -0,0 +1,21 @@
+_: {
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+    hostKeys = [
+      {
+        path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
+        type = "rsa";
+        bits = "4096";
+      }
+    ];
+  };
+}
diff --git a/hosts/wynne/wireguard.nix b/hosts/wynne/wireguard.nix
new file mode 100644
index 0000000..e507720
--- /dev/null
+++ b/hosts/wynne/wireguard.nix
@@ -0,0 +1,42 @@
+{ config, ... }: {
+  sops.secrets = {
+    "wireguard/wynne/pk" = {
+      mode = "400";
+      owner = config.users.users.root.name;
+      group = config.users.users.root.group;
+    };
+    "wireguard/wynne/psk" = {
+      mode = "400";
+      owner = config.users.users.root.name;
+      group = config.users.users.root.group;
+    };
+  };
+
+  networking.firewall.trustedInterfaces = [ "wg0" ];
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      wg0 = {
+        ips = [
+          "10.10.10.13/24"
+          "fd7c:585c:c4ae::13/64"
+        ];
+        listenPort = 51833;
+        privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
+        peers = [
+          {
+            name = "Proxy";
+            endpoint = "165.232.180.97:51821";
+            publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
+            presharedKeyFile = config.sops.secrets."wireguard/wynne/psk".path;
+            persistentKeepalive = 20;
+            allowedIPs = [
+              "10.10.10.0/24"
+              "fd7c:585c:c4ae::0/64"
+            ];
+          }
+        ];
+      };
+    };
+  };
+}
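Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` in wireguard.nix switches the firewall off for everything that arrives through the tunnel, and because the single peer's `allowedIPs` spans the whole `10.10.10.0/24` and `fd7c:585c:c4ae::0/64`, every other VPN member routed via the `Proxy` endpoint reaches every listening service on this host unfiltered. Opening only the services actually needed over the VPN, e.g. `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 22 ];`, keeps the tunnel usable while retaining a default-deny posture on it. Separately, `listenPort = 51833;` is not matched by any `allowedUDPPorts` entry; since this side dials out and sets `persistentKeepalive`, that is presumably deliberate, and a comment such as `# initiator only: inbound UDP 51833 intentionally not opened` would record it.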