diff --git a/flake.nix b/flake.nix
index 54c4d61..db27a66 100644
--- a/flake.nix
+++ b/flake.nix
@@ -155,6 +155,17 @@
 ++ sharedModules;
 };
 
+ talos = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules =
+ [
+ inputs.nixos-hardware.nixosModules.framework-13-7040-amd
+ disko.nixosModules.default
+ ./talos.nix
+ ]
+ ++ sharedModules;
+ };
+
 thanatos = nixpkgs.lib.nixosSystem {
 inherit system;
 modules =
diff --git a/hosts/talos/default.nix b/hosts/talos/default.nix
new file mode 100644
index 0000000..418c652
--- /dev/null
+++ b/hosts/talos/default.nix
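Review bot: The new `talos` entry lists `./talos.nix` in its modules, but no `talos.nix` is among the files this diff adds, while the host's actual configuration lands in `hosts/talos/default.nix`. If the other hosts rely on a same-named shim at the flake root that imports `hosts/<name>/default.nix`, the talos shim must exist or evaluation of the flake fails; it may simply sort after the `modules/` files and fall outside this excerpt, in which case this is moot. Either way a one-line comment above the list, `# ./talos.nix wraps hosts/talos/default.nix`, would make the indirection visible where the host is registered.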
@@ -0,0 +1,120 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./disko-config.nix
+
+ ./home.nix
+ ./secrets.nix
+ ];
+
+ hardware.amdgpu.opencl = false;
+
+ boot.kernelPackages = pkgs.linuxPackages_6_6;
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot = {
+ enable = true;
+ editor = false;
+ consoleMode = "auto";
+ };
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.tmp.useTmpfs = true;
+
+ services.btrfs = {
+ autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+ };
+
+ networking.hostName = "talos"; # Define your hostname.
+ networking.domain = "alarsyo.net";
+ # Pick only one of the below networking options.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ programs = {
+ dconf.enable = true;
+ light.enable = true;
+ };
+ services = {
+ fwupd.enable = true;
+ openssh.enable = true;
+ };
+ virtualisation = {
+ docker.enable = true;
+ libvirtd.enable = true;
+ };
+
+ my.services = {
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
+ pipewire.enable = true;
+ };
+
+ my.gui.enable = true;
+ my.displayManager.sddm.enable = lib.mkForce false;
+
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = false;
+ settings.General.Experimental = true;
+ };
+
+ # Configure console keymap
+ console.keyMap = "us";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "fr_FR.UTF-8";
+ LC_IDENTIFICATION = "fr_FR.UTF-8";
+ LC_MEASUREMENT = "fr_FR.UTF-8";
+ LC_MONETARY = "fr_FR.UTF-8";
+ LC_NAME = "fr_FR.UTF-8";
+ LC_PAPER = "fr_FR.UTF-8";
+ LC_TELEPHONE = "fr_FR.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the KDE Plasma Desktop Environment.
+ services.xserver.displayManager.sddm = {
+ enable = true;
+ wayland.enable = true;
+ };
+ services.xserver.desktopManager.plasma5.enable = true;
+ services.power-profiles-daemon.enable = true;
+
+ #programs.hyprland.enable = true;
+ #programs.sway = {
+ # enable = true;
+ # wrapperFeatures.gtk = true;
+ #};
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ # system.copySystemConfiguration = true;
+}
diff --git a/hosts/talos/disko-config.nix b/hosts/talos/disko-config.nix
new file mode 100644
index 0000000..9f9ae7b
--- /dev/null
+++ b/hosts/talos/disko-config.nix
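Review bot: `openssh.enable = true;` in the `services` block brings up sshd with NixOS's default authentication settings, which still accept password logins, on a roaming laptop that also provisions hashed passwords for root and for alarsyo through `./secrets.nix`; unless `sharedModules` already hardens sshd, I would add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it so only key-based access is accepted. Tailscale is enabled as a client further down, which would also allow restricting sshd to the tailnet, but that is a separate decision. Separately, `my.displayManager.sddm.enable = lib.mkForce false;` and the later `services.xserver.displayManager.sddm.enable = true;` pull in opposite directions; a short comment on the mkForce line explaining why the project's own sddm module is forced off while upstream sddm is enabled directly would save the next reader a lookup.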
@@ -0,0 +1,67 @@
+{
+ disko.devices = {
+ disk = {
+ nvme0n1 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ # disable settings.keyFile if you want to use interactive password entry
+ passwordFile = "/tmp/secret.key"; # Interactive
+ settings = {
+ allowDiscards = true;
+ #keyFile = "/tmp/secret.key";
+ };
+ #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "@" = {
+ mountpoint = "/";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "@persist" = {
+ mountpoint = "/persist";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "@swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "8G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/talos/hardware-configuration.nix b/hosts/talos/hardware-configuration.nix
new file mode 100644
index 0000000..1d0808e
--- /dev/null
+++ b/hosts/talos/hardware-configuration.nix
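Review bot: `passwordFile = "/tmp/secret.key"; # Interactive` contradicts itself: the value points at a key file while the trailing comment says interactive, and the template comment above it talks about `settings.keyFile`, which is commented out. If I read disko correctly, `passwordFile` is consumed only by the formatting script at install time and the installed system prompts for the passphrase at boot, so the two template fragments should be replaced by one comment stating that, e.g. `# read by disko while formatting only; the installed system prompts for the passphrase at boot`. `allowDiscards = true;` is a deliberate trade-off (TRIM pass-through reveals which blocks of the LUKS volume are unused) and deserves a one-line comment recording that it was chosen for SSD wear. The ESP mounted at `/boot` is necessarily unencrypted with systemd-boot, which `editor = false` in default.nix partly compensates for, so nothing to change there.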
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/talos/home.nix b/hosts/talos/home.nix
new file mode 100644
index 0000000..5b266e6
--- /dev/null
+++ b/hosts/talos/home.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ home-manager.users.alarsyo = {
+ home.stateVersion = lib.mkForce "23.11";
+
+ my.home.laptop.enable = true;
+
+ # Keyboard settings & i3 settings
+ my.home.x.enable = true;
+ my.home.x.i3bar.temperature.chip = "k10temp-pci-*";
+ my.home.x.i3bar.temperature.inputs = ["Tctl"];
+ my.home.x.i3bar.networking.throughput_interfaces = ["wlp1s0"];
+ my.home.emacs.enable = true;
+
+ my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+
+ # TODO: place in global home conf
+ services.dunst.enable = true;
+
+ home.packages = builtins.attrValues {
+ inherit
+ (pkgs)
+ # some websites only work there :(
+
+ #chromium
+
+ #darktable
+
+ ## dev
+
+ #
+
+ #rustup
+
+ #gdb
+
+ #valgrind
+
+ arandr
+ #zotero
+
+ ;
+
+ #inherit
+ # (pkgs.packages)
+ # ansel
+ # spot
+ # ;
+
+ #inherit (pkgs.wineWowPackages) stable;
+ };
+ };
+}
diff --git a/hosts/talos/secrets.nix b/hosts/talos/secrets.nix
new file mode 100644
index 0000000..387f511
--- /dev/null
+++ b/hosts/talos/secrets.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ #"restic-backup/hephaestus-credentials" = {};
+ #"restic-backup/hephaestus-password" = {};
+
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 9c042d0..2496adb 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
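Review bot: `home.stateVersion = lib.mkForce "23.11";` forces a value that, judging by the need for mkForce, some shared home module also defines; stateVersion governs home-manager's compatibility behaviour, so overriding a conflicting definition silently hides the conflict rather than resolving it. If the shared module really should not set it for this host, a comment such as `# shared home module sets an older stateVersion; talos was installed on 23.11` at least records why the override is there. The long run of commented-out names inside `builtins.attrValues { inherit (pkgs) ... }` could be cut to the single `arandr` entry: commented code inside an `inherit` is easy to mis-edit because the terminating `;` sits after all the comment lines.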
@@ -5,9 +5,10 @@ let boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades"; hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus"; + talos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBYcmL9HZJ9SqB9OJwQ0Nt6ZbvHZTS+fzM8A6D5MPZs root@talos"; thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos"; - machines = [boreal hades hephaestus thanatos]; + machines = [boreal hades hephaestus talos thanatos]; all = users ++ machines; in { diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age index 38b12ac..dfbbc68 100644 Binary files a/modules/secrets/users/alarsyo-hashed-password.age and b/modules/secrets/users/alarsyo-hashed-password.age differ diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index 0988a49..6a15e89 100644 --- a/modules/secrets/users/root-hashed-password.age +++ b/modules/secrets/users/root-hashed-password.age 
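Review bot: Adding `talos` to `machines` also adds it to `all = users ++ machines`, so every secret whose recipient list is `all` becomes decryptable with the laptop's host key, not only the two hashed-password secrets this host declares. Only those two `.age` files were re-keyed in this diff, which suggests the remaining secrets are scoped to other recipient lists, but the `in {` body is outside the hunk so I cannot confirm that. If any of them do use `all`, a per-host list such as `talosSecrets = users ++ [talos];` for the password secrets keeps a lost or stolen laptop's key from unlocking server-side credentials. A comment on `machines` stating that membership implies access to everything keyed with `all` would make that consequence explicit for the next host added.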
@@ -1,15 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg i+/8YGSMh0M3Z0qvZebnAmZzr78cnp0TDMUr/FvSyj8 -YQm2rXUoM2l1zh4AD6LHBvgDgsRYdiZWgycu1OabiaA --> ssh-ed25519 pX8y2g Vrn1mB2TH0EGY6uB9hfRu3LaLNp5hjwgLCV4xHQ3UDc -2zZBeLqqs6PAAywIs7v3aLb4tFydwrV6iqGJcZkDbY8 --> ssh-ed25519 SYm+hA PbPD9hhKTAqOFwY0RNtq0tNZnmwC7B0BWCcEp4MBEQ0 -qoXYrSuGtWQX6FlNIgVCkwRy5He/SVi3VHrbPHQvpf0 --> ssh-ed25519 6UUuZw 4pyEkmESRYwA3cURKdWtJ9w5K72y6qNqNXRb+oexoGA -UBa59ClPat1rl4r/BBWHhea1YBLBiyaoHvoYrgnkZhk --> ssh-ed25519 k2gHjw Ef7VgulblvO2b6gUlSa7MqAJMm/0E4z9kOLGuuy+MyY -ede5dtwJpTaDdtFGtNdrv+dfF/V/qmCR+vjC0vhv7WQ --> 2}s-grease -H1mgdyEhmM8weQ+JKPeLvHRb4XsD+zglY5RI428sqRhUSoOX3P8 ---- F/H59tq65rdlR0xSltrmJ8FJZaLVIQPAiruY0R8xpYM -b$(cmQ-:+'TKakyxy._5~Y6@Kʒj8لI'#9W<'֨i׈ZOz \ No newline at end of file +-> ssh-ed25519 YWMQkg mb17MHdKPO5SDXOslq38CjHLKy063L1KyN2wT85fGlE +3JnWLwx2cNmBC1vpS9KAwZQIy7B/vqLZ9QwQYNY4wMQ +-> ssh-ed25519 pX8y2g mvykS4XrUSwe68MteVV52u95oySHdzRlMGVFjhQQrx8 +ztoGz8OrTMRH/0NPfnQXrVBA0Uyuuc2b0dlOXToq85U +-> ssh-ed25519 SYm+hA TiL9r8l1nIvOMUpFaYmZ/5d6DRxcMHMICjrTfmbC7Wc +GfivQi5vzTUfYDVjwSxNA8t/tKtRu0QAGE+kPr4u1+I +-> ssh-ed25519 nh0dAQ 9agb3Zl/7+mAIH7bcIXbY2KrHDZAjugAfKbQ0OAhIQQ +kPzKALS6Wrr5zUJngqjwGV6w5prKMWlj/WY2qi2ck4M +-> ssh-ed25519 6UUuZw 36Uu//D8HuiRHFN0GOAyLxI0J3yBrTSBXuBG9pTVZA8 +KTMmUW8MvVtUm4Xjyz0JGDdz4H7Y5KxLPDeYPc0dfl4 +-> ssh-ed25519 k2gHjw D3OD07mu/YnR3xVhhbX4UoChpAWSG4CYIkmQZclsjQc +kgqZizkSgB5p+1ZRd0tP/bBxZ92jt6fvAcNZe3MmgoE +--- ZuL2dvQ6+hac47fRdRWl4VHl2sRIvnF80d37EZKq94I +J)Fr@+4rF OL5|㞵ˮq[ Pm;aH