add host rico1

This commit is contained in:
Adithya 2024-06-25 00:23:05 +05:30
parent 71a45eefbc
commit 2f1c2c981f
Signed by: adtya
GPG key ID: B8857BFBA2C47B9C
20 changed files with 290 additions and 13 deletions


@ -1,9 +1,11 @@
keys: keys:
- &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt - &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
- &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a - &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
- &rico1_host_ed25519 age1q6g2czy468c3fcdwvafru6rzhmr2edd8mzhjfs6mevhmt7z2zdsswnwe77
creation_rules: creation_rules:
- path_regex: secrets.yaml - path_regex: secrets.yaml
key_groups: key_groups:
- age: - age:
- *age_key - *age_key
- *skipper_host_ed25519 - *skipper_host_ed25519
- *rico1_host_ed25519
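Review bot: Adding `*rico1_host_ed25519` to the single `secrets.yaml` creation rule lets the Pi's host key decrypt every secret in that file, including anything only skipper needs, so a compromise of rico1 (which this commit also gives passwordless sudo) exposes all of them. If secrets.yaml holds material rico1 does not consume, split it: keep this rule for shared secrets and add a per-host rule such as `- path_regex: hosts/rico1/secrets\.yaml` whose `key_groups` list only `*age_key` and `*rico1_host_ed25519`. Whether the file is mixed is not visible here, so this may already be the intended grouping.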


@ -434,6 +434,22 @@
"type": "github" "type": "github"
} }
}, },
"nixos-hardware": {
"locked": {
"lastModified": 1719145664,
"narHash": "sha256-+0bBlerLxsHUJcKPDWZM1wL3V9bzCFjz+VyRTG8fnUA=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "c3e48cbd88414f583ff08804eb57b0da4c194f9e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1718541509, "lastModified": 1718541509,
@ -581,6 +597,7 @@
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"lix-module": "lix-module", "lix-module": "lix-module",
"neovim-nightly": "neovim-nightly", "neovim-nightly": "neovim-nightly",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"varnam-nix": "varnam-nix" "varnam-nix": "varnam-nix"


@ -24,6 +24,7 @@
}; };
impermanence.url = "github:nix-community/impermanence?ref=master"; impermanence.url = "github:nix-community/impermanence?ref=master";
lanzaboote.url = "github:nix-community/lanzaboote?ref=master"; lanzaboote.url = "github:nix-community/lanzaboote?ref=master";
nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
sops-nix.url = "github:Mic92/sops-nix?ref=master"; sops-nix.url = "github:Mic92/sops-nix?ref=master";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master"; neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master";
@ -37,6 +38,7 @@
, home-manager , home-manager
, impermanence , impermanence
, lanzaboote , lanzaboote
, nixos-hardware
, sops-nix , sops-nix
, flake-utils , flake-utils
, neovim-nightly , neovim-nightly
@ -79,6 +81,33 @@
./common ./common
./hosts/skipper ./hosts/skipper
./home ./home
{
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}
];
};
Rico1 =
let
hostname = "Rico1";
system = "aarch64-linux";
username = "adtya";
in
nixpkgs.lib.nixosSystem {
inherit system;
pkgs = packages system;
specialArgs = { inherit inputs username; };
modules = [
{
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking.hostName = lib.mkDefault hostname;
nixpkgs.hostPlatform = lib.mkDefault system;
}
lix-module.nixosModules.default
sops-nix.nixosModules.sops
nixos-hardware.nixosModules.raspberry-pi-4
./common
./hosts/rico1
]; ];
}; };
}; };
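Review bot: The new `Rico1` entry repeats the scaffolding already present for `skipper` — the `configurationRevision`/`hostName`/`hostPlatform` module, `lix-module.nixosModules.default`, `sops-nix.nixosModules.sops`, `pkgs = packages system` and `specialArgs` — so the two hosts will drift the first time one of them is edited. A `mkHost` helper taking `hostname`, `system`, `username` and `extraModules` would keep the per-host blocks down to what actually differs. The enclosing attribute set starts above this hunk and skipper's own module list is only partly visible, so the skipper rewrite is presumed to match; please confirm before applying.

```nix
# … in the outputs let-block, next to `packages` …
mkHost = { hostname, system, username, extraModules }:
  nixpkgs.lib.nixosSystem {
    inherit system;
    pkgs = packages system;
    specialArgs = { inherit inputs username; };
    modules = [
      {
        system.configurationRevision = lib.mkIf (self ? rev) self.rev;
        networking.hostName = lib.mkDefault hostname;
        nixpkgs.hostPlatform = lib.mkDefault system;
      }
      lix-module.nixosModules.default
      sops-nix.nixosModules.sops
    ] ++ extraModules;
  };

# … unchanged: skipper, expressed the same way …
Rico1 = mkHost {
  hostname = "Rico1";
  system = "aarch64-linux";
  username = "adtya";
  extraModules = [
    nixos-hardware.nixosModules.raspberry-pi-4
    ./common
    ./hosts/rico1
  ];
};
```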


@ -0,0 +1,5 @@
_: {
virtualisation.oci-containers = {
backend = "podman";
};
}

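--- a/hosts/rico1/default.nix
+++ b/hosts/rico1/default.nix
+{ ... }: {
+imports = [
+./hardware
+./programs
+./services
+./containers
+./network.nix
+./security.nix
+];
+i18n = {
+defaultLocale = "en_US.UTF-8";
+extraLocaleSettings = {
+LC_ADDRESS = "en_US.UTF-8";
+LC_IDENTIFICATION = "en_US.UTF-8";
+LC_MEASUREMENT = "en_US.UTF-8";
+LC_MONETARY = "en_US.UTF-8";
+LC_NAME = "en_US.UTF-8";
+LC_NUMERIC = "en_US.UTF-8";
+LC_PAPER = "en_US.UTF-8";
+LC_TELEPHONE = "en_US.UTF-8";
+LC_TIME = "en_US.UTF-8";
+LC_ALL = "en_US.UTF-8";
+};
+supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+};
+time.timeZone = "Asia/Kolkata";
+system = {
+switch = {
+enable = false;
+enableNg = true;
+};
+stateVersion = "23.11";
+};
+}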
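Review bot: `LC_ALL = "en_US.UTF-8"` inside `extraLocaleSettings` overrides every other `LC_*` category in that set and also blocks per-user locale overrides, so the nine category entries above it are dead configuration. Drop the `LC_ALL` line and let `defaultLocale` plus the category entries do the work; if a hard override is really intended, a comment such as `# LC_ALL forces the locale for every session; the LC_* entries above are ignored while it is set` should say so.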


@ -0,0 +1,9 @@
_: {
imports = [ ./filesystem.nix ./kernel.nix ];
hardware = {
raspberry-pi."4" = {
poe-plus-hat.enable = true;
};
};
}


@ -0,0 +1,36 @@
_: {
fileSystems = {
"/" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "subvol=@root" "compress-force=zstd" "noatime" ];
neededForBoot = true;
};
"/nix" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "subvol=@nix" "compress-force=zstd" "noatime" ];
neededForBoot = true;
};
"/persist" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "subvol=@persist" "compress-force=zstd" "noatime" ];
neededForBoot = true;
};
"/mnt/system" = {
device = "/dev/disk/by-partlabel/NIXOS_ROOT";
fsType = "btrfs";
options = [ "subvol=/" "compress-force=zstd" "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-partlabel/NIXOS_BOOT";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
}
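Review bot: The `/boot` entry mounts the FAT partition with `fmask=0022`/`dmask=0022`, which leaves the kernel, initrd and firmware configuration readable by every local account; the firmware and bootloader read the partition directly and need no unprivileged access. Unless something on this host must read /boot as a non-root user, tighten it to `options = [ "fmask=0077" "dmask=0077" ];`. Which bootloader the nixos-hardware Pi 4 module configures is not visible in this hunk, so confirm no user-level tool depends on the looser mask before changing it.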


@ -0,0 +1,5 @@
{ lib
, ...
}: {
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}

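--- a/hosts/rico1/network.nix
+++ b/hosts/rico1/network.nix
+{ lib, ... }: {
+networking = {
+hostName = "Rico1";
+nameservers = [
+"2620:fe::fe#dns.quad9.net"
+"9.9.9.9#dns.quad9.net"
+"2620:fe::9#dns.quad9.net"
+"149.112.112.112#dns.quad9.net"
+];
+networkmanager = {
+enable = true;
+dhcp = "dhcpcd";
+dns = "systemd-resolved";
+wifi = {
+backend = "iwd";
+powersave = false;
+};
+};
+useDHCP = lib.mkDefault false;
+wireless.iwd = {
+enable = true;
+settings = {
+General = {
+AddressRandomization = "network";
+EnableNetworkConfiguration = false;
+};
+Settings = {
+AutoConnect = "yes";
+};
+};
+};
+};
+services.resolved = {
+enable = true;
+dnssec = "true";
+dnsovertls = "true";
+domains = [ "~." ];
+fallbackDns = [ ];
+};
+}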
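Review bot: Strict DNS-over-TLS (`dnsovertls = "true"`) combined with `fallbackDns = [ ]` makes every lookup depend on validating Quad9's certificate, and that validation depends on the system clock; a Raspberry Pi 4 presumably has no battery-backed RTC, so after a long power-off the clock may be far enough out that resolved rejects the certificate, and the time-sync client then cannot resolve its NTP servers either. Verify that a cold boot after an extended power-off recovers name resolution unattended; if it does not, point time sync at IP-literal servers or accept a non-empty `fallbackDns`. A comment such as `# strict DoT + DNSSEC, no plaintext fallback: a roughly correct clock is required before any lookup succeeds` would make the dependency explicit to the next reader.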


@ -0,0 +1,15 @@
{ pkgs, ... }: {
imports = [
./neovim.nix
./starship.nix
./zsh.nix
];
programs.git.enable = true;
environment.systemPackages = with pkgs; [
sops
age
];
}


@ -0,0 +1,8 @@
_: {
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
}


@ -0,0 +1,8 @@
_: {
programs.starship = {
enable = true;
settings = {
add_newline = false;
};
};
}


@ -0,0 +1,10 @@
_: {
programs = {
zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
};
};
environment.pathsToLink = [ "/share/zsh" ];
}

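--- a/hosts/rico1/security.nix
+++ b/hosts/rico1/security.nix
@@ -0,0 +1,9 @@
+_: {
+security = {
+sudo = {
+wheelNeedsPassword = false;
+};
+polkit.enable = true;
+rtkit.enable = true;
+};
+}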
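Review bot: `wheelNeedsPassword = false` gives every wheel member passwordless root, which makes the `PermitRootLogin = "no"` in hosts/rico1/services/ssh.nix largely cosmetic: whoever holds the user's SSH key is one `sudo -i` from root with no second check. If unattended automation needs it, scope it with `security.sudo.extraRules` to the specific commands that require `NOPASSWD` rather than the whole group; otherwise set `wheelNeedsPassword = true;`. If passwordless sudo is deliberate for a single-user appliance, record that with a comment such as `# NOPASSWD for wheel: single-user box, the SSH key is the only authentication factor`.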


@ -0,0 +1,6 @@
_: {
services.btrfs.autoScrub = {
enable = true;
fileSystems = [ "/mnt/system" ];
};
}


@ -0,0 +1,7 @@
_: {
imports = [
./btrfs.nix
./ssh.nix
];
}


@ -0,0 +1,21 @@
_: {
services.openssh = {
enable = true;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
hostKeys = [
{
path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
type = "rsa";
bits = "4096";
}
];
};
}
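Review bot: The ed25519 host key at `/persist/secrets/ssh/keys/ssh_host_ed25519_key` appears to double as this host's sops decryption identity — the `.sops.yaml` hunk adds `rico1_host_ed25519` as a recipient, and sops-nix by default derives its age keys from the ed25519 entries in `services.openssh.hostKeys` — but nothing in this file says so, so anyone regenerating or rotating the host key would silently lose access to secrets.yaml. Add a comment on that entry such as `# also the sops-nix age identity for secrets.yaml: rotating this key requires re-adding the new recipient in .sops.yaml and running sops updatekeys`. The RSA 4096 host key is only needed for clients that cannot do ed25519; if none exist, dropping it shrinks the key material kept on /persist.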


@ -15,7 +15,7 @@
systemd.enable = true; systemd.enable = true;
}; };
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
kernelPackages = lib.mkDefault pkgs.linuxPackages_zen; kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_zen;
kernelParams = [ "quiet" ]; kernelParams = [ "quiet" ];
kernel.sysctl = { kernel.sysctl = {
"vm.swappiness" = 10; "vm.swappiness" = 10;


@ -1,4 +1,4 @@
{ config, ... }: { { config, username, ... }: {
imports = [ imports = [
./btrfs.nix ./btrfs.nix
./dbus.nix ./dbus.nix
@ -11,7 +11,7 @@
cpupower-gui.enable = true; cpupower-gui.enable = true;
fstrim.enable = true; fstrim.enable = true;
fwupd.enable = true; fwupd.enable = true;
getty.autologinUser = config.users.users.adtya.name; getty.autologinUser = config.users.users.${username}.name;
gnome.gnome-keyring.enable = true; gnome.gnome-keyring.enable = true;
gvfs.enable = true; gvfs.enable = true;
irqbalance.enable = true; irqbalance.enable = true;


@ -12,20 +12,29 @@ sops:
- recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bzR4NWVIdEZ3UTNCRGNj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsb0xnak9FY2tDZDh2UzdX
UldLTlVVSlZLRFVWUlhtNkJvaDk2azhDb0c0Cm5XQzhSQ29sb3lxZFMzVlY5bXJ3 NXpRSEFsTm1GWnZjMDY5Z3VSOCtyY283L0h3CkpEMjFoYjNQbk1jaFUrUWxQbzdJ
VGZhZHd0NjBHVjJVZHV4ZHZGVmJqTkEKLS0tIEYxTWJuU3VhTG0xQUw2VTBUZ0FY b0VzRHZnSTQvem9seHFqVHA0SW1Zd28KLS0tIFZiTEVBNVA2NEJIT2h4eFNWVUk4
MWZqR2Q3VVFyWk1kL09XS1hNVHlqTkEKRg5M6TZ9OAQGNzVfE7VKlHb7vpYxP/bg eFpjYnd2SHYxQUxpZEZYZ0RaZVYySFUKVwFyUrhFNKnYMRC8g2v1RbGz+KVzMqwP
Ptv8vSeXOk1Jx2fAe+akxB1GXLaCwx+YgrZc11+A7Xdt70FRLcB/pA== WZ3pQCmgvSizMWwBrzrOurj9QsUEej1tlC1dnEzOCsXtPtzD53hFIg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcE1NY05vUVFSZXBNQ0xn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcmM2NkdLVThFd09xdmhL
aE82WUd6ZHJzN1lZcXFKbWdReEdmTUl0TFdJCnJYSGJxVmFHZHpXbXBJQ0k5N0ZV YVFRM3d3L1hzTDRvRUVTT0JzWStWZkVjUjN3CmRxTnpZVDNyVUp0bDk4VEJpNXVH
djVNYk1EVktwckpEdlYyeXROMHZpRWMKLS0tIFhpKzMyeSsxYS9iY3RvKzFJM0FK Q1pFK01rOTJoMWF6djdMNk9ZcGExWlkKLS0tIGt6bFl6MkJYc1ZtTGhDdnc0K1hJ
MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq R2hNYXRzeWFXSFRBQkkwQTh2Y0s2MWcKWgG8p95Ou9ojJjjUmbgqy4TinZ154d6k
19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g== PK0Z2lTZmUAYQefGCQjSWXu4+o1Yo/5l8uZ6zzx+j3DhJ6rsUzIOvQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q6g2czy468c3fcdwvafru6rzhmr2edd8mzhjfs6mevhmt7z2zdsswnwe77
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkxVbDJIeVNFZStBZ1ha
UCtnbXlRQUZPbFEvUEZ0RFF6WTU5ZVM4L3owCkRqN3YrQzNwVFhZMEZrNnF6N2p4
NDBYOHI4djVNT0tnTllEOFhWbWMwTEkKLS0tIEJ3TXFxdlg1cnVrSUliVGpuQThG
djJCdjcveWlxTnE2M2tqT2dEalB2eFkKhWuVT05y517bYmHXqWZ8RbmFIiDMBEbH
/XE0IqVtMdVTXAniUr0wMU6alBpehb2cmdSQTL+7Q9mNJL2D9ONvyQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-20T11:42:10Z" lastmodified: "2024-06-20T11:42:10Z"
mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str] mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]