add host rico1

.sops.yaml

@@ -1,9 +1,11 @@
 keys:
   - &age_key age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
   - &skipper_host_ed25519 age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
+  - &rico1_host_ed25519 age1q6g2czy468c3fcdwvafru6rzhmr2edd8mzhjfs6mevhmt7z2zdsswnwe77
 creation_rules:
   - path_regex: secrets.yaml
     key_groups:
     - age:
       - *age_key
       - *skipper_host_ed25519
+      - *rico1_host_ed25519

flake.lock

@@ -434,6 +434,22 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1719145664,
+        "narHash": "sha256-+0bBlerLxsHUJcKPDWZM1wL3V9bzCFjz+VyRTG8fnUA=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "c3e48cbd88414f583ff08804eb57b0da4c194f9e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1718541509,
@@ -581,6 +597,7 @@
         "lanzaboote": "lanzaboote",
         "lix-module": "lix-module",
         "neovim-nightly": "neovim-nightly",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_3",
         "sops-nix": "sops-nix",
         "varnam-nix": "varnam-nix"

flake.nix

@@ -24,6 +24,7 @@
     };
     impermanence.url = "github:nix-community/impermanence?ref=master";
     lanzaboote.url = "github:nix-community/lanzaboote?ref=master";
+    nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
     sops-nix.url = "github:Mic92/sops-nix?ref=master";
     flake-utils.url = "github:numtide/flake-utils";
     neovim-nightly.url = "github:nix-community/neovim-nightly-overlay?ref=master";
@@ -37,6 +38,7 @@
     , home-manager
     , impermanence
     , lanzaboote
+    , nixos-hardware
     , sops-nix
     , flake-utils
     , neovim-nightly
@@ -79,6 +81,33 @@
               ./common
               ./hosts/skipper
               ./home
+
+              {
+                boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+              }
+            ];
+          };
+        Rico1 =
+          let
+            hostname = "Rico1";
+            system = "aarch64-linux";
+            username = "adtya";
+          in
+          nixpkgs.lib.nixosSystem {
+            inherit system;
+            pkgs = packages system;
+            specialArgs = { inherit inputs username; };
+            modules = [
+              {
+                system.configurationRevision = lib.mkIf (self ? rev) self.rev;
+                networking.hostName = lib.mkDefault hostname;
+                nixpkgs.hostPlatform = lib.mkDefault system;
+              }
+              lix-module.nixosModules.default
+              sops-nix.nixosModules.sops
+              nixos-hardware.nixosModules.raspberry-pi-4
+              ./common
+              ./hosts/rico1
             ];
           };
       };

hosts/rico1/containers/default.nix

@@ -0,0 +1,5 @@
+_: {
+  virtualisation.oci-containers = {
+    backend = "podman";
+  };
+}

hosts/rico1/default.nix

@@ -0,0 +1,36 @@
+{ ... }: {
+  imports = [
+    ./hardware
+    ./programs
+    ./services
+    ./containers
+    ./network.nix
+    ./security.nix
+  ];
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+      LC_ALL = "en_US.UTF-8";
+    };
+    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
+  };
+
+  time.timeZone = "Asia/Kolkata";
+  system = {
+    switch = {
+      enable = false;
+      enableNg = true;
+    };
+    stateVersion = "23.11";
+  };
+}

hosts/rico1/hardware/default.nix

@@ -0,0 +1,9 @@
+_: {
+  imports = [ ./filesystem.nix ./kernel.nix ];
+
+  hardware = {
+    raspberry-pi."4" = {
+      poe-plus-hat.enable = true;
+    };
+  };
+}

hosts/rico1/hardware/filesystem.nix

@@ -0,0 +1,36 @@
+_: {
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-partlabel/NIXOS_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-partlabel/NIXOS_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/persist" = {
+      device = "/dev/disk/by-partlabel/NIXOS_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=@persist" "compress-force=zstd" "noatime" ];
+      neededForBoot = true;
+    };
+
+    "/mnt/system" = {
+      device = "/dev/disk/by-partlabel/NIXOS_ROOT";
+      fsType = "btrfs";
+      options = [ "subvol=/" "compress-force=zstd" "noatime" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-partlabel/NIXOS_BOOT";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+  };
+}

hosts/rico1/hardware/kernel.nix

@@ -0,0 +1,5 @@
+{ lib
+, ...
+}: {
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+}

hosts/rico1/network.nix

@@ -0,0 +1,45 @@
+{ lib, ... }: {
+  networking = {
+    hostName = "Rico1";
+
+    nameservers = [
+      "2620:fe::fe#dns.quad9.net"
+      "9.9.9.9#dns.quad9.net"
+      "2620:fe::9#dns.quad9.net"
+      "149.112.112.112#dns.quad9.net"
+    ];
+
+    networkmanager = {
+      enable = true;
+      dhcp = "dhcpcd";
+      dns = "systemd-resolved";
+      wifi = {
+        backend = "iwd";
+        powersave = false;
+      };
+    };
+
+    useDHCP = lib.mkDefault false;
+
+    wireless.iwd = {
+      enable = true;
+      settings = {
+        General = {
+          AddressRandomization = "network";
+          EnableNetworkConfiguration = false;
+        };
+        Settings = {
+          AutoConnect = "yes";
+        };
+      };
+    };
+  };
+
+  services.resolved = {
+    enable = true;
+    dnssec = "true";
+    dnsovertls = "true";
+    domains = [ "~." ];
+    fallbackDns = [ ];
+  };
+}

hosts/rico1/programs/default.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }: {
+  imports = [
+    ./neovim.nix
+    ./starship.nix
+    ./zsh.nix
+  ];
+
+  programs.git.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    sops
+    age
+  ];
+
+}

hosts/rico1/programs/neovim.nix

@@ -0,0 +1,8 @@
+_: {
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+  };
+}

hosts/rico1/programs/starship.nix

@@ -0,0 +1,8 @@
+_: {
+  programs.starship = {
+    enable = true;
+    settings = {
+      add_newline = false;
+    };
+  };
+}

hosts/rico1/programs/zsh.nix

@@ -0,0 +1,10 @@
+_: {
+  programs = {
+    zsh = {
+      enable = true;
+      autosuggestions.enable = true;
+      syntaxHighlighting.enable = true;
+    };
+  };
+  environment.pathsToLink = [ "/share/zsh" ];
+}

hosts/rico1/security.nix

@@ -0,0 +1,9 @@
+_: {
+  security = {
+    sudo = {
+      wheelNeedsPassword = false;
+    };
+    polkit.enable = true;
+    rtkit.enable = true;
+  };
+}

hosts/rico1/services/btrfs.nix

@@ -0,0 +1,6 @@
+_: {
+  services.btrfs.autoScrub = {
+    enable = true;
+    fileSystems = [ "/mnt/system" ];
+  };
+}

hosts/rico1/services/default.nix

@@ -0,0 +1,7 @@
+_: {
+  imports = [
+    ./btrfs.nix
+    ./ssh.nix
+  ];
+
+}

hosts/rico1/services/ssh.nix

@@ -0,0 +1,21 @@
+_: {
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+    hostKeys = [
+      {
+        path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/secrets/ssh/keys/ssh_host_rsa_key";
+        type = "rsa";
+        bits = "4096";
+      }
+    ];
+  };
+}

hosts/skipper/hardware/kernel.nix

@@ -15,7 +15,7 @@
       systemd.enable = true;
     };
     kernelModules = [ "kvm-intel" ];
-    kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
+    kernelPackages = lib.mkDefault pkgs.linuxKernel.packages.linux_zen;
     kernelParams = [ "quiet" ];
     kernel.sysctl = {
       "vm.swappiness" = 10;

hosts/skipper/services/default.nix

@@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, username, ... }: {
   imports = [
     ./btrfs.nix
     ./dbus.nix
@@ -11,7 +11,7 @@
     cpupower-gui.enable = true;
     fstrim.enable = true;
     fwupd.enable = true;
-    getty.autologinUser = config.users.users.adtya.name;
+    getty.autologinUser = config.users.users.${username}.name;
     gnome.gnome-keyring.enable = true;
     gvfs.enable = true;
     irqbalance.enable = true;

secrets.yaml

@@ -12,20 +12,29 @@ sops:
         - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bzR4NWVIdEZ3UTNCRGNj
-            UldLTlVVSlZLRFVWUlhtNkJvaDk2azhDb0c0Cm5XQzhSQ29sb3lxZFMzVlY5bXJ3
-            VGZhZHd0NjBHVjJVZHV4ZHZGVmJqTkEKLS0tIEYxTWJuU3VhTG0xQUw2VTBUZ0FY
-            MWZqR2Q3VVFyWk1kL09XS1hNVHlqTkEKRg5M6TZ9OAQGNzVfE7VKlHb7vpYxP/bg
-            Ptv8vSeXOk1Jx2fAe+akxB1GXLaCwx+YgrZc11+A7Xdt70FRLcB/pA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsb0xnak9FY2tDZDh2UzdX
+            NXpRSEFsTm1GWnZjMDY5Z3VSOCtyY283L0h3CkpEMjFoYjNQbk1jaFUrUWxQbzdJ
+            b0VzRHZnSTQvem9seHFqVHA0SW1Zd28KLS0tIFZiTEVBNVA2NEJIT2h4eFNWVUk4
+            eFpjYnd2SHYxQUxpZEZYZ0RaZVYySFUKVwFyUrhFNKnYMRC8g2v1RbGz+KVzMqwP
+            WZ3pQCmgvSizMWwBrzrOurj9QsUEej1tlC1dnEzOCsXtPtzD53hFIg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcE1NY05vUVFSZXBNQ0xn
-            aE82WUd6ZHJzN1lZcXFKbWdReEdmTUl0TFdJCnJYSGJxVmFHZHpXbXBJQ0k5N0ZV
-            djVNYk1EVktwckpEdlYyeXROMHZpRWMKLS0tIFhpKzMyeSsxYS9iY3RvKzFJM0FK
-            MTdMRzR6anF4RzVBbnI5cnFPQmRpWmcKCiFOU74esinQsdc55Zwny5/VVNN2r3rq
-            19ZYyCVNuyTeOXxuvUvjPJeW2X+v9H6bvbg1sXMxb761Pm0VGYor+g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcmM2NkdLVThFd09xdmhL
+            YVFRM3d3L1hzTDRvRUVTT0JzWStWZkVjUjN3CmRxTnpZVDNyVUp0bDk4VEJpNXVH
+            Q1pFK01rOTJoMWF6djdMNk9ZcGExWlkKLS0tIGt6bFl6MkJYc1ZtTGhDdnc0K1hJ
+            R2hNYXRzeWFXSFRBQkkwQTh2Y0s2MWcKWgG8p95Ou9ojJjjUmbgqy4TinZ154d6k
+            PK0Z2lTZmUAYQefGCQjSWXu4+o1Yo/5l8uZ6zzx+j3DhJ6rsUzIOvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1q6g2czy468c3fcdwvafru6rzhmr2edd8mzhjfs6mevhmt7z2zdsswnwe77
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkxVbDJIeVNFZStBZ1ha
+            UCtnbXlRQUZPbFEvUEZ0RFF6WTU5ZVM4L3owCkRqN3YrQzNwVFhZMEZrNnF6N2p4
+            NDBYOHI4djVNT0tnTllEOFhWbWMwTEkKLS0tIEJ3TXFxdlg1cnVrSUliVGpuQThG
+            djJCdjcveWlxTnE2M2tqT2dEalB2eFkKhWuVT05y517bYmHXqWZ8RbmFIiDMBEbH
+            /XE0IqVtMdVTXAniUr0wMU6alBpehb2cmdSQTL+7Q9mNJL2D9ONvyQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-06-20T11:42:10Z"
     mac: ENC[AES256_GCM,data:VfUis0iEwTtGZUyccYMLmZ//zHm18cMbutEsTqBkw3vZtBr+mKjAVoihSxVxlol035j5FlYL7T7w344c+q8AIAus4+XdeHqfQKlSuqHwE7h0ZcU94ywa2I7pnHZUU+DIdFfVkKfHwZdIT3GzZLOVvfZIqFik0oOBLuduC/UWQyY=,iv:vdGFGeuR7NeUH3UalKKCaoEoC7NKefSQYfLcH19U10E=,tag:AbJEzpV+fFpWH9tM5RNmtg==,type:str]