From 2f1c2c981fb59d22e13ca3944b083bb21c8cc815 Mon Sep 17 00:00:00 2001 From: Adithya Nair Date: Tue, 25 Jun 2024 00:23:05 +0530 Subject: [PATCH] add host rico1 --- .sops.yaml | 2 ++ flake.lock | 17 +++++++++++ flake.nix | 29 +++++++++++++++++++ hosts/rico1/containers/default.nix | 5 ++++ hosts/rico1/default.nix | 36 +++++++++++++++++++++++ hosts/rico1/hardware/default.nix | 9 ++++++ hosts/rico1/hardware/filesystem.nix | 36 +++++++++++++++++++++++ hosts/rico1/hardware/kernel.nix | 5 ++++ hosts/rico1/network.nix | 45 +++++++++++++++++++++++++++++ hosts/rico1/programs/default.nix | 15 ++++++++++ hosts/rico1/programs/neovim.nix | 8 +++++ hosts/rico1/programs/starship.nix | 8 +++++ hosts/rico1/programs/zsh.nix | 10 +++++++ hosts/rico1/security.nix | 9 ++++++ hosts/rico1/services/btrfs.nix | 6 ++++ hosts/rico1/services/default.nix | 7 +++++ hosts/rico1/services/ssh.nix | 21 ++++++++++++++ hosts/skipper/hardware/kernel.nix | 2 +- hosts/skipper/services/default.nix | 4 +-- secrets.yaml | 29 ++++++++++++------- 20 files changed, 290 insertions(+), 13 deletions(-) create mode 100644 hosts/rico1/containers/default.nix create mode 100644 hosts/rico1/default.nix create mode 100644 hosts/rico1/hardware/default.nix create mode 100644 hosts/rico1/hardware/filesystem.nix create mode 100644 hosts/rico1/hardware/kernel.nix create mode 100644 hosts/rico1/network.nix create mode 100644 hosts/rico1/programs/default.nix create mode 100644 hosts/rico1/programs/neovim.nix create mode 100644 hosts/rico1/programs/starship.nix create mode 100644 hosts/rico1/programs/zsh.nix create mode 100644 hosts/rico1/security.nix create mode 100644 hosts/rico1/services/btrfs.nix create mode 100644 hosts/rico1/services/default.nix create mode 100644 hosts/rico1/services/ssh.nix diff --git a/.sops.yaml b/.sops.yaml index ccad854..1a349d1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,9 +1,11 @@ keys: - &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt - &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a + - &rico1_host_ed25519 age1q6g2czy468c3fcdwvafru6rzhmr2edd8mzhjfs6mevhmt7z2zdsswnwe77 creation_rules: - path_regex: secrets.yaml key_groups: - age: - *age_key - *skipper_host_ed25519 + - *rico1_host_ed25519 diff --git a/flake.lock b/flake.lock index d5745fa..0fba3bc 100644 --- a/flake.lock +++ b/flake.lock @@ -434,6 +434,22 @@ "type": "github" } }, + "nixos-hardware": { + "locked": { + "lastModified": 1719145664, + "narHash": "sha256-+0bBlerLxsHUJcKPDWZM1wL3V9bzCFjz+VyRTG8fnUA=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "c3e48cbd88414f583ff08804eb57b0da4c194f9e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1718541509, @@ -581,6 +597,7 @@ "lanzaboote": "lanzaboote", "lix-module": "lix-module", "neovim-nightly": "neovim-nightly", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_3", "sops-nix": "sops-nix", "varnam-nix": "varnam-nix" diff --git a/flake.nix b/flake.nix index 0a88899..7f16182 100644 --- a/flake.nix +++ b/flake.nix @@ -24,6 +24,7 @@ }; impermanence.url = "github:nix-community/impermanence?ref=master"; lanzaboote.url = "github:nix-community/lanzaboote?ref=master"; + nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master"; sops-nix.url = "github:Mic92/sops-nix?ref=master"; flake-utils.url = "github:numtide/flake-utils"; neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master"; @@ -37,6 +38,7 @@ , home-manager , impermanence , lanzaboote + , nixos-hardware , sops-nix , flake-utils , neovim-nightly @@ -79,6 +81,33 @@ ./common ./hosts/skipper ./home + + { + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + } + ]; + }; + Rico1 = + let + hostname = "Rico1"; + system = "aarch64-linux"; + username = "adtya"; + in + nixpkgs.lib.nixosSystem { + inherit system; + pkgs = packages system; + specialArgs = { inherit inputs username; }; + modules = [ + { + system.configurationRevision = lib.mkIf (self ? rev) self.rev; + networking.hostName = lib.mkDefault hostname; + nixpkgs.hostPlatform = lib.mkDefault system; + } + lix-module.nixosModules.default + sops-nix.nixosModules.sops + nixos-hardware.nixosModules.raspberry-pi-4 + ./common + ./hosts/rico1 ]; }; }; diff --git a/hosts/rico1/containers/default.nix b/hosts/rico1/containers/default.nix new file mode 100644 index 0000000..b7f84ae --- /dev/null +++ b/hosts/rico1/containers/default.nix @@ -0,0 +1,5 @@ +_: { + virtualisation.oci-containers = { + backend = "podman"; + }; +} diff --git a/hosts/rico1/default.nix b/hosts/rico1/default.nix new file mode 100644 index 0000000..a84772c --- /dev/null +++ b/hosts/rico1/default.nix @@ -0,0 +1,36 @@ +{ ... }: { + imports = [ + ./hardware + ./programs + ./services + ./containers + ./network.nix + ./security.nix + ]; + + i18n = { + defaultLocale = "en_US.UTF-8"; + extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + LC_ALL = "en_US.UTF-8"; + }; + supportedLocales = [ "en_US.UTF-8/UTF-8" ]; + }; + + time.timeZone = "Asia/Kolkata"; + system = { + switch = { + enable = false; + enableNg = true; + }; + stateVersion = "23.11"; + }; +} diff --git a/hosts/rico1/hardware/default.nix b/hosts/rico1/hardware/default.nix new file mode 100644 index 0000000..540cd3d --- /dev/null +++ b/hosts/rico1/hardware/default.nix @@ -0,0 +1,9 @@ +_: { + imports = [ ./filesystem.nix ./kernel.nix ]; + + hardware = { + raspberry-pi."4" = { + poe-plus-hat.enable = true; + }; + }; +} diff --git a/hosts/rico1/hardware/filesystem.nix b/hosts/rico1/hardware/filesystem.nix new file mode 100644 index 0000000..e475109 --- /dev/null +++ b/hosts/rico1/hardware/filesystem.nix @@ -0,0 +1,36 @@ +_: { + fileSystems = { + "/" = { + device = "/dev/disk/by-partlabel/NIXOS_ROOT"; + fsType = "btrfs"; + options = [ "subvol=@root" "compress-force=zstd" "noatime" ]; + neededForBoot = true; + }; + + "/nix" = { + device = "/dev/disk/by-partlabel/NIXOS_ROOT"; + fsType = "btrfs"; + options = [ "subvol=@nix" "compress-force=zstd" "noatime" ]; + neededForBoot = true; + }; + + "/persist" = { + device = "/dev/disk/by-partlabel/NIXOS_ROOT"; + fsType = "btrfs"; + options = [ "subvol=@persist" "compress-force=zstd" "noatime" ]; + neededForBoot = true; + }; + + "/mnt/system" = { + device = "/dev/disk/by-partlabel/NIXOS_ROOT"; + fsType = "btrfs"; + options = [ "subvol=/" "compress-force=zstd" "noatime" ]; + }; + + "/boot" = { + device = "/dev/disk/by-partlabel/NIXOS_BOOT"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + }; +} diff --git a/hosts/rico1/hardware/kernel.nix b/hosts/rico1/hardware/kernel.nix new file mode 100644 index 0000000..6247463 --- /dev/null +++ b/hosts/rico1/hardware/kernel.nix @@ -0,0 +1,5 @@ +{ lib +, ... +}: { + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; +} diff --git a/hosts/rico1/network.nix b/hosts/rico1/network.nix new file mode 100644 index 0000000..d55690e --- /dev/null +++ b/hosts/rico1/network.nix @@ -0,0 +1,45 @@ +{ lib, ... }: { + networking = { + hostName = "Rico1"; + + nameservers = [ + "2620:fe::fe#dns.quad9.net" + "9.9.9.9#dns.quad9.net" + "2620:fe::9#dns.quad9.net" + "149.112.112.112#dns.quad9.net" + ]; + + networkmanager = { + enable = true; + dhcp = "dhcpcd"; + dns = "systemd-resolved"; + wifi = { + backend = "iwd"; + powersave = false; + }; + }; + + useDHCP = lib.mkDefault false; + + wireless.iwd = { + enable = true; + settings = { + General = { + AddressRandomization = "network"; + EnableNetworkConfiguration = false; + }; + Settings = { + AutoConnect = "yes"; + }; + }; + }; + }; + + services.resolved = { + enable = true; + dnssec = "true"; + dnsovertls = "true"; + domains = [ "~." ]; + fallbackDns = [ ]; + }; +} diff --git a/hosts/rico1/programs/default.nix b/hosts/rico1/programs/default.nix new file mode 100644 index 0000000..4c3e07f --- /dev/null +++ b/hosts/rico1/programs/default.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: { + imports = [ + ./neovim.nix + ./starship.nix + ./zsh.nix + ]; + + programs.git.enable = true; + + environment.systemPackages = with pkgs; [ + sops + age + ]; + +} diff --git a/hosts/rico1/programs/neovim.nix b/hosts/rico1/programs/neovim.nix new file mode 100644 index 0000000..a70af6e --- /dev/null +++ b/hosts/rico1/programs/neovim.nix @@ -0,0 +1,8 @@ +_: { + programs.neovim = { + enable = true; + defaultEditor = true; + viAlias = true; + vimAlias = true; + }; +} diff --git a/hosts/rico1/programs/starship.nix b/hosts/rico1/programs/starship.nix new file mode 100644 index 0000000..3de1b05 --- /dev/null +++ b/hosts/rico1/programs/starship.nix @@ -0,0 +1,8 @@ +_: { + programs.starship = { + enable = true; + settings = { + add_newline = false; + }; + }; +} diff --git a/hosts/rico1/programs/zsh.nix b/hosts/rico1/programs/zsh.nix new file mode 100644 index 0000000..53468ac --- /dev/null +++ b/hosts/rico1/programs/zsh.nix @@ -0,0 +1,10 @@ +_: { + programs = { + zsh = { + enable = true; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + }; + }; + environment.pathsToLink = [ "/share/zsh" ]; +} diff --git a/hosts/rico1/security.nix b/hosts/rico1/security.nix new file mode 100644 index 0000000..b2d7da4 --- /dev/null +++ b/hosts/rico1/security.nix @@ -0,0 +1,9 @@ +_: { + security = { + sudo = { + wheelNeedsPassword = false; + }; + polkit.enable = true; + rtkit.enable = true; + }; +} diff --git a/hosts/rico1/services/btrfs.nix b/hosts/rico1/services/btrfs.nix new file mode 100644 index 0000000..dc00c6b --- /dev/null +++ b/hosts/rico1/services/btrfs.nix @@ -0,0 +1,6 @@ +_: { + services.btrfs.autoScrub = { + enable = true; + fileSystems = [ "/mnt/system" ]; + }; +} diff --git a/hosts/rico1/services/default.nix b/hosts/rico1/services/default.nix new file mode 100644 index 0000000..fb02349 --- /dev/null +++ b/hosts/rico1/services/default.nix @@ -0,0 +1,7 @@ +_: { + imports = [ + ./btrfs.nix + ./ssh.nix + ]; + +} diff --git a/hosts/rico1/services/ssh.nix b/hosts/rico1/services/ssh.nix new file mode 100644 index 0000000..7cba6eb --- /dev/null +++ b/hosts/rico1/services/ssh.nix @@ -0,0 +1,21 @@ +_: { + services.openssh = { + enable = true; + settings = { + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + hostKeys = [ + { + path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/persist/secrets/ssh/keys/ssh_host_rsa_key"; + type = "rsa"; + bits = "4096"; + } + ]; + }; +} diff --git a/hosts/skipper/hardware/kernel.nix b/hosts/skipper/hardware/kernel.nix index b5376e1..10fe5ae 100644 --- a/hosts/skipper/hardware/kernel.nix +++ b/hosts/skipper/hardware/kernel.nix @@ -15,7 +15,7 @@ systemd.enable = true; }; kernelModules = [ "kvm-intel" ]; - kernelPackages = lib.mkDefault pkgs.linuxPackages_zen; + kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_zen; kernelParams = [ "quiet" ]; kernel.sysctl = { "vm.swappiness" = 10; diff --git a/hosts/skipper/services/default.nix b/hosts/skipper/services/default.nix index f60c26d..c143fc6 100644 --- a/hosts/skipper/services/default.nix +++ b/hosts/skipper/services/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, username, ... }: { imports = [ ./btrfs.nix ./dbus.nix @@ -11,7 +11,7 @@ cpupower-gui.enable = true; fstrim.enable = true; fwupd.enable = true; - getty.autologinUser = config.users.users.adtya.name; + getty.autologinUser = config.users.users.${username}.name; gnome.gnome-keyring.enable = true; gvfs.enable = true; irqbalance.enable = true; diff --git a/secrets.yaml b/secrets.yaml index eb313a4..0c6be87 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -12,20 +12,29 @@ sops: - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bzR4NWVIdEZ3UTNCRGNj - UldLTlVVSlZLRFVWUlhtNkJvaDk2azhDb0c0Cm5XQzhSQ29sb3lxZFMzVlY5bXJ3 - VGZhZHd0NjBHVjJVZHV4ZHZGVmJqTkEKLS0tIEYxTWJuU3VhTG0xQUw2VTBUZ0FY - MWZqR2Q3VVFyWk1kL09XS1hNVHlqTkEKRg5M6TZ9OAQGNzVfE7VKlHb7vpYxP/bg - Ptv8vSeXOk1Jx2fAe+akxB1GXLaCwx+YgrZc11+A7Xdt70FRLcB/pA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsb0xnak9FY2tDZDh2UzdX + NXpRSEFsTm1GWnZjMDY5Z3VSOCtyY283L0h3CkpEMjFoYjNQbk1jaFUrUWxQbzdJ + b0VzRHZnSTQvem9seHFqVHA0SW1Zd28KLS0tIFZiTEVBNVA2NEJIT2h4eFNWVUk4 + eFpjYnd2SHYxQUxpZEZYZ0RaZVYySFUKVwFyUrhFNKnYMRC8g2v1RbGz+KVzMqwP + WZ3pQCmgvSizMWwBrzrOurj9QsUEej1tlC1dnEzOCsXtPtzD53hFIg== -----END AGE ENCRYPTED FILE----- - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcE1NY05vUVFSZXBNQ0xn - aE82WUd6ZHJzN1lZcXFKbWdReEdmTUl0TFdJCnJYSGJxVmFHZHpXbXBJQ0k5N0ZV - djVNYk1EVktwckpEdlYyeXROMHZpRWMKLS0tIFhpKzMyeSsxYS9iY3RvKzFJM0FK - MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq - 19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcmM2NkdLVThFd09xdmhL + YVFRM3d3L1hzTDRvRUVTT0JzWStWZkVjUjN3CmRxTnpZVDNyVUp0bDk4VEJpNXVH + Q1pFK01rOTJoMWF6djdMNk9ZcGExWlkKLS0tIGt6bFl6MkJYc1ZtTGhDdnc0K1hJ + R2hNYXRzeWFXSFRBQkkwQTh2Y0s2MWcKWgG8p95Ou9ojJjjUmbgqy4TinZ154d6k + PK0Z2lTZmUAYQefGCQjSWXu4+o1Yo/5l8uZ6zzx+j3DhJ6rsUzIOvQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1q6g2czy468c3fcdwvafru6rzhmr2edd8mzhjfs6mevhmt7z2zdsswnwe77 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkxVbDJIeVNFZStBZ1ha + UCtnbXlRQUZPbFEvUEZ0RFF6WTU5ZVM4L3owCkRqN3YrQzNwVFhZMEZrNnF6N2p4 + NDBYOHI4djVNT0tnTllEOFhWbWMwTEkKLS0tIEJ3TXFxdlg1cnVrSUliVGpuQThG + djJCdjcveWlxTnE2M2tqT2dEalB2eFkKhWuVT05y517bYmHXqWZ8RbmFIiDMBEbH + /XE0IqVtMdVTXAniUr0wMU6alBpehb2cmdSQTL+7Q9mNJL2D9ONvyQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-06-20T11:42:10Z" mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]