wynne: init

.sops.yaml

@@ -4,6 +4,7 @@ keys:
   - &host_rico0 age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt
   - &host_rico1 age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4
   - &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf
+  - &host_wynne age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0
 creation_rules:
   - path_regex: secrets.yaml
     key_groups:
@@ -13,3 +14,4 @@ creation_rules:
       - *host_rico0
       - *host_rico1
       - *host_rico2
+      - *host_wynne

flake.nix

@@ -151,6 +151,28 @@
               ./hosts/rico2
             ];
           };
+        Wynne =
+          let
+            hostname = "Wynne";
+            system = "x86_64-linux";
+            username = "adtya";
+          in
+          nixpkgs.lib.nixosSystem {
+            inherit system;
+            pkgs = packages system;
+            specialArgs = { inherit inputs username; };
+            modules = [
+              {
+                system.configurationRevision = lib.mkIf (self ? rev) self.rev;
+                networking.hostName = lib.mkDefault hostname;
+                nixpkgs.hostPlatform = lib.mkDefault system;
+              }
+              lix-module.nixosModules.default
+              sops-nix.nixosModules.sops
+              ./common
+              ./hosts/wynne
+            ];
+          };
       };
 
       deploy.nodes = {

hosts/wynne/default.nix

@@ -0,0 +1,28 @@
+_: {
+  imports = [ ./hardware ./programs ./services ./network.nix ./security.nix ];
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+      LC_ALL = "en_US.UTF-8";
+    };
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+  };
+
+  time.timeZone = "Asia/Kolkata";
+  system = {
+    switch = {
+      enable = false;
+      enableNg = true;
+    };
+    stateVersion = "24.05";
+  };
+}

hosts/wynne/hardware/default.nix

@@ -0,0 +1,30 @@
+{ lib, pkgs, ... }: {
+  imports = [ ./filesystem.nix ];
+
+  hardware = {
+    cpu.intel.updateMicrocode = lib.mkDefault true;
+    enableRedistributableFirmware = true;
+  };
+
+  boot = {
+    consoleLogLevel = 3;
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];
+      kernelModules = [ "i915" ];
+      systemd.enable = true;
+    };
+    kernelModules = [ "kvm-intel" ];
+    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+    kernelParams = [ "quiet" ];
+    kernel.sysctl = {
+      "vm.swappiness" = 10;
+      "vm.dirty_ratio" = 3;
+    };
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+    };
+    supportedFilesystems = [ "vfat" "btrfs" "ext4" ];
+  };
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+}

hosts/wynne/hardware/filesystem.nix

@@ -0,0 +1,40 @@
+_: {
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/persist" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@persist" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/mnt/system" = {
+      device = "/dev/disk/by-partlabel/WYNNE_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=/" "compress-force=zstd" "noatime" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-partlabel/WYNNE_BOOT";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-partlabel/WYNNE_SWAP"; }
+  ];
+}

hosts/wynne/network.nix

@@ -0,0 +1,27 @@
+{ lib, ... }: {
+  imports = [ ./wireguard.nix ];
+  networking = {
+    nameservers = [
+      "2620:fe::fe#dns.quad9.net"
+      "9.9.9.9#dns.quad9.net"
+      "2620:fe::9#dns.quad9.net"
+      "149.112.112.112#dns.quad9.net"
+    ];
+
+    networkmanager = {
+      enable = true;
+      dhcp = "dhcpcd";
+      dns = "systemd-resolved";
+    };
+
+    useDHCP = lib.mkDefault false;
+  };
+
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    dnsovertls = "true";
+    domains = [ "~." ];
+    fallbackDns = [ ];
+  };
+}

hosts/wynne/programs/default.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }: {
+  imports = [
+    ./neovim.nix
+    ./starship.nix
+    ./zsh.nix
+  ];
+
+  programs.git.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+
+}

hosts/wynne/programs/neovim.nix

@@ -0,0 +1,8 @@
+_: {
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+  };
+}

hosts/wynne/programs/starship.nix

@@ -0,0 +1,8 @@
+_: {
+  programs.starship = {
+    enable = true;
+    settings = {
+      add_newline = false;
+    };
+  };
+}

hosts/wynne/programs/zsh.nix

@@ -0,0 +1,10 @@
+_: {
+  programs = {
+    zsh = {
+      enable = true;
+      autosuggestions.enable = true;
+      syntaxHighlighting.enable = true;
+    };
+  };
+  environment.pathsToLink = [ "/share/zsh" ];
+}

hosts/wynne/security.nix

@@ -0,0 +1,9 @@
+_: {
+  security = {
+    sudo = {
+      wheelNeedsPassword = false;
+    };
+    polkit.enable = true;
+    rtkit.enable = true;
+  };
+}

hosts/wynne/services/btrfs.nix

@@ -0,0 +1,6 @@
+_: {
+  services.btrfs.autoScrub = {
+    enable = true;
+    fileSystems = [ "/mnt/system" ];
+  };
+}

hosts/wynne/services/default.nix

@@ -0,0 +1,3 @@
+_: {
+  imports = [ ./btrfs.nix ./ssh.nix ];
+}

hosts/wynne/services/ssh.nix

@@ -0,0 +1,21 @@
+_: {
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+    hostKeys = [
+      {
+        path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
+        type = "rsa";
+        bits = "4096";
+      }
+    ];
+  };
+}

hosts/wynne/wireguard.nix

@@ -0,0 +1,42 @@
+{ config, ... }: {
+  sops.secrets = {
+    "wireguard/wynne/pk" = {
+      mode = "400";
+      owner = config.users.users.root.name;
+      group = config.users.users.root.group;
+    };
+    "wireguard/wynne/psk" = {
+      mode = "400";
+      owner = config.users.users.root.name;
+      group = config.users.users.root.group;
+    };
+  };
+
+  networking.firewall.trustedInterfaces = [ "wg0" ];
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      wg0 = {
+        ips = [
+          "10.10.10.13/24"
+          "fd7c:585c:c4ae::13/64"
+        ];
+        listenPort = 51833;
+        privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
+        peers = [
+          {
+            name = "Proxy";
+            endpoint = "165.232.180.97:51821";
+            publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
+            presharedKeyFile = config.sops.secrets."wireguard/wynne/psk".path;
+            persistentKeepalive = 20;
+            allowedIPs = [
+              "10.10.10.0/24"
+              "fd7c:585c:c4ae::0/64"
+            ];
+          }
+        ];
+      };
+    };
+  };
+}