From 3e3f4331d20f9309f3bd0f6c5e45632126a566d5 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Wed, 28 Feb 2024 23:30:28 +0100
Subject: [PATCH] talos: initial setup

---
 flake.nix                                     |   4 +-
 hosts/talos/default.nix                       | 106 ++++++++++++++++++
 hosts/talos/disko-config.nix                  |  63 +++++++++++
 hosts/talos/hardware-configuration.nix        |  25 +++++
 hosts/talos/home.nix                          |  46 ++++++++
 hosts/talos/secrets.nix                       |  23 ++++
 modules/secrets/secrets.nix                   |   3 +-
 .../secrets/users/alarsyo-hashed-password.age | Bin 863 -> 836 bytes
 .../secrets/users/root-hashed-password.age    |  28 ++---
 talos.nix                                     |  23 ++++
 10 files changed, 304 insertions(+), 17 deletions(-)
 create mode 100644 hosts/talos/default.nix
 create mode 100644 hosts/talos/disko-config.nix
 create mode 100644 hosts/talos/hardware-configuration.nix
 create mode 100644 hosts/talos/home.nix
 create mode 100644 hosts/talos/secrets.nix
 create mode 100644 talos.nix

diff --git a/flake.nix b/flake.nix
index 9a3c3fb..b068188 100644
--- a/flake.nix
+++ b/flake.nix
@@ -158,10 +158,10 @@
         talos = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
-            inputs.nixos-hardware.nixosModules.framework-13-inch-7040-amd
+            inputs.nixos-hardware.nixosModules.framework-13-7040-amd
             disko.nixosModules.default
             ./talos.nix
-          ];
+          ] ++ sharedModules;
         };
 
         thanatos = nixpkgs.lib.nixosSystem {
diff --git a/hosts/talos/default.nix b/hosts/talos/default.nix
new file mode 100644
index 0000000..cfc361c
--- /dev/null
+++ b/hosts/talos/default.nix
@@ -0,0 +1,106 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./disko-config.nix
+
+      ./home.nix
+      ./secrets.nix
+    ];
+
+  hardware.amdgpu.opencl = false;
+
+  boot.kernelPackages = pkgs.linuxPackages_6_6;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.tmp.useTmpfs = true;
+
+  services.btrfs = {
+    autoScrub = {
+      enable = true;
+      fileSystems = ["/"];
+    };
+  };
+
+  networking.hostName = "talos"; # Define your hostname.
+  networking.domain = "alarsyo.net";
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  programs = {
+    dconf.enable = true;
+    light.enable = true;
+  };
+  services = {
+    fwupd.enable = true;
+    openssh.enable = true;
+  };
+  virtualisation = {
+    docker.enable = true;
+    libvirtd.enable = true;
+  };
+
+  my.services = {
+    tailscale = {
+      enable = true;
+      useRoutingFeatures = "client";
+    };
+
+    pipewire.enable = true;
+  };
+
+  my.gui.enable = true;
+  my.displayManager.sddm.enable = lib.mkForce false;
+
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = false;
+    settings.General.Experimental = true;
+  };
+
+  # Configure console keymap
+  console.keyMap = "us";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "fr_FR.UTF-8";
+    LC_IDENTIFICATION = "fr_FR.UTF-8";
+    LC_MEASUREMENT = "fr_FR.UTF-8";
+    LC_MONETARY = "fr_FR.UTF-8";
+    LC_NAME = "fr_FR.UTF-8";
+    LC_PAPER = "fr_FR.UTF-8";
+    LC_TELEPHONE = "fr_FR.UTF-8";
+  };
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+
+  # Enable the KDE Plasma Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
+  services.power-profiles-daemon.enable = true;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+}
+
diff --git a/hosts/talos/disko-config.nix b/hosts/talos/disko-config.nix
new file mode 100644
index 0000000..89ddfd8
--- /dev/null
+++ b/hosts/talos/disko-config.nix
@@ -0,0 +1,63 @@
+{
+  disko.devices = {
+    disk = {
+      nvme0n1 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [
+                  "defaults"
+                ];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                # disable settings.keyFile if you want to use interactive password entry
+                passwordFile = "/tmp/secret.key"; # Interactive
+                settings = {
+                  allowDiscards = true;
+                  #keyFile = "/tmp/secret.key";
+                };
+                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
+                content = {
+                  type = "btrfs";
+                  extraArgs = [ "-f" ];
+                  subvolumes = {
+                    "/root" = {
+                      mountpoint = "/";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/home" = {
+                      mountpoint = "/home";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = [ "compress=zstd" "noatime" ];
+                    };
+                    "/swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swapfile.size = "8G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/talos/hardware-configuration.nix b/hosts/talos/hardware-configuration.nix
new file mode 100644
index 0000000..7bb481b
--- /dev/null
+++ b/hosts/talos/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/talos/home.nix b/hosts/talos/home.nix
new file mode 100644
index 0000000..06cb3dd
--- /dev/null
+++ b/hosts/talos/home.nix
@@ -0,0 +1,46 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  home-manager.users.alarsyo = {
+    my.home.laptop.enable = true;
+
+    # Keyboard settings & i3 settings
+    my.home.x.enable = true;
+    my.home.x.i3bar.temperature.chip = "k10temp-pci-*";
+    my.home.x.i3bar.temperature.inputs = ["Tctl"];
+    my.home.x.i3bar.networking.throughput_interfaces = ["wlp1s0"];
+    my.home.emacs.enable = true;
+
+    my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+
+    # TODO: place in global home conf
+    services.dunst.enable = true;
+
+    home.packages = builtins.attrValues {
+      inherit
+        (pkgs)
+        # some websites only work there :(
+
+        chromium
+        darktable
+        # dev
+
+        rustup
+        gdb
+        valgrind
+        arandr
+        zotero
+        ;
+
+      #inherit
+      #  (pkgs.packages)
+      #  ansel
+      #  spot
+      #  ;
+
+      inherit (pkgs.wineWowPackages) stable;
+    };
+  };
+}
diff --git a/hosts/talos/secrets.nix b/hosts/talos/secrets.nix
new file mode 100644
index 0000000..387f511
--- /dev/null
+++ b/hosts/talos/secrets.nix
@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  options,
+  ...
+}: {
+  config.age = {
+    secrets = let
+      toSecret = name: {...} @ attrs:
+        {
+          file = ./../../modules/secrets + "/${name}.age";
+        }
+        // attrs;
+    in
+      lib.mapAttrs toSecret {
+        #"restic-backup/hephaestus-credentials" = {};
+        #"restic-backup/hephaestus-password" = {};
+
+        "users/alarsyo-hashed-password" = {};
+        "users/root-hashed-password" = {};
+      };
+  };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 9c042d0..2496adb 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -5,9 +5,10 @@ let
   boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
   hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
   hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
+  talos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBYcmL9HZJ9SqB9OJwQ0Nt6ZbvHZTS+fzM8A6D5MPZs root@talos";
   thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
 
-  machines = [boreal hades hephaestus thanatos];
+  machines = [boreal hades hephaestus talos thanatos];
 
   all = users ++ machines;
 in {
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
index 38b12accb020c04422710553bdf46bb52f37ee10..dfbbc689bf07585002b19933c6eb4a0bdd1e63c7 100644
GIT binary patch
literal 836
zcmZ9|z02ct0Kjn(1PL6jE^2NN)X*nMFRzQxyuY?-(<V)}CT)Ld(j;wOnkIt^;(>>9
z9M5`iBF8O?INaTMr#L7sPEHP@!{Oj?kISPxi#PW#`0)KMz^b>(!lK<(n>;(q3xFPQ
zsP{fxmQioD?2{zU!k%l669C)8WRDIyClHi0w|zCGw+Y{Phv6b76gve4HkzcdUOHF^
zjdFgANIq#tSe``gD3dz2MylkXb7gA!F-b-O-EAq5g{RtX&a{01_gy*9MInp#4Nj`U
z&Rwb9n%=N$UAv*Te&Eeb$?cBn2os??R829k%_GjGLSaNq<f1!#UYc@(mdkxjS`xvv
zTY#;+Q_c2LBpSeS!&5^<QA&qnT%^rrlfa59Yn=zgl24ILn=%P2X;syR5Uvnar%6c_
zO>MBHa&?l32CK~s(r>7Zvd9KE_SFvSPdV&V%OY$!7{e-CsN-Bgh=aB_9I?jcr9P0O
zdBq(?GFMnYNW(Y__!rlqZpkZj(BIP;Rwjpr)z^knZaSneaIxm*_1??v+%_1GX-+k2
zHmm&xb_~F*G62-cCZZfFPpZn&x*|&#L=M&#XDqcgc5A$nRp>Bxy2U!<7GliHvtvzo
zM^8^g%{X>#&^4k&%cVUkj6FX-)sj9?;s!>kMA#8Nf?DD(1=D~H<<i<3-Bx$U7VX&?
zH47=g6n>{dbJ~=rw7BVSE&E_+LNuuzOrq8Y2_4ncsA-2~QZP1}RxjFmJy@t5Hbyy2
zoI1wF4qI7sq@YyIuyIzQ;xk}^4^n={bUJ{ZoZsxd^~v+ketZ1r_SKW`zk8E?o4zyr
z>E7LImq+EjSO0ifzIf$>>)lKL+`no1uRZu$_-6bCe#?CQ{Ef?xeq{&0Kl}HGUv7oU
ry$k>0Usun5esp&6;m23!e}8`7L4SVw?$c}U-2Sis<Jni2Uw->P^Oz(W

literal 863
zcmZ9_&CA<l008jYz<?lv7Z0zI2{KBTCTWt!%~#T<ebY8+@}&8A61}u(^5mm!+CFJM
z>JI(~UOadZ@t}yzT@-XMP%n;w2i=g}ybpHt<ZvRpzQ2Fqw?JV#+y;kcS0wrNdVWAu
zNfYgJ663fXt{9G^MbdLMkRfs_@f=h}T#XklH!&_E*Hh(Uu<ytK>}LF^zg%wRsmic@
zkC-$kHL67bO{bee;FcI_LtXGhZ4vQ~1bn*#l3^ot4*2r6gT019WJfwyW>+rx<#8S4
zRZG=ZJj5f)ZmCT#0`mB%1Q|}!LDnTK*whP*b4K4xdnT@2J>zpjXzlrA&bU_P;ifYf
zbp%udm$$jMX~hy5<j$~gmEg$v0WDZZN3~9FD3}RMCmdU)sTrxss!DByh^Xe`H60s?
zSp!uW&zQ}j?2ARvsx_<HD;h0B-xD}YY0~A5x9y`}k<2o3(MlVpEkj?cVTw*`_QIdh
z8e10}$dgFan0|HPbb&;OJ5?2?Aqo#$d$eE9vh`Gsb8c*+N^~6mVzG<SCWy9q3@&dO
zgOs!)o7%~xnVRmQX^TSMY}{fzJal~^>Q1>f@qqD|6qnh=^$5TUS^tEz#?5wts#EM}
zq!k-kr+JDNS_vn}8%ecgmCA-Mw)1OL8y&(04oN4{25-wZ-yuUVA+JJ<(1U{!p@mhP
zrsF~qlqe1RcEI;+Az#xttjxh^iaLoD&K-+Rlai%$A<j;mw$vni%o9TH#n~)f!7Xda
zeJ7yxU_56M$kqC4R~l?+VBSJdRET!FO>QJlNO=a^`~jB!vDY=SGSl`xr_rn!Ih47c
zBrDS!<RT#cgAbQCK8Po;{d4xxpI0A0`049&);K-?6g+tH`{NIPo_tQe{0ROPUit1R
z3*P+ujj!%<zrOYFy^n5b_vIVYXW#p;e=@&*c6RTTSMNTBPd>gffA7vOUwrn*k92zN
W_P5IWzs1@8+jqYC@`qdK-TwgrB_+ZD

diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age
index 0988a49..6a15e89 100644
--- a/modules/secrets/users/root-hashed-password.age
+++ b/modules/secrets/users/root-hashed-password.age
@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 YWMQkg i+/8YGSMh0M3Z0qvZebnAmZzr78cnp0TDMUr/FvSyj8
-YQm2rXUoM2l1zh4AD6LHBvgDgsRYdiZWgycu1OabiaA
--> ssh-ed25519 pX8y2g Vrn1mB2TH0EGY6uB9hfRu3LaLNp5hjwgLCV4xHQ3UDc
-2zZBeLqqs6PAAywIs7v3aLb4tFydwrV6iqGJcZkDbY8
--> ssh-ed25519 SYm+hA PbPD9hhKTAqOFwY0RNtq0tNZnmwC7B0BWCcEp4MBEQ0
-qoXYrSuGtWQX6FlNIgVCkwRy5He/SVi3VHrbPHQvpf0
--> ssh-ed25519 6UUuZw 4pyEkmESRYwA3cURKdWtJ9w5K72y6qNqNXRb+oexoGA
-UBa59ClPat1rl4r/BBWHhea1YBLBiyaoHvoYrgnkZhk
--> ssh-ed25519 k2gHjw Ef7VgulblvO2b6gUlSa7MqAJMm/0E4z9kOLGuuy+MyY
-ede5dtwJpTaDdtFGtNdrv+dfF/V/qmCR+vjC0vhv7WQ
--> 2}s-grease
-H1mgdyEhmM8weQ+JKPeLvHRb4XsD+zglY5RI428sqRhUSoOX3P8
---- F/H59tq65rdlR0xSltrmJ8FJZaLVIQPAiruY0R8xpYM
-��b���$���(cmQ-:�+'��TKakyx�y����._�5�~�Y6��@K���ʒj����8��ل�I�'#���9W�<���'�֨�i�׈ZO�z�
\ No newline at end of file
+-> ssh-ed25519 YWMQkg mb17MHdKPO5SDXOslq38CjHLKy063L1KyN2wT85fGlE
+3JnWLwx2cNmBC1vpS9KAwZQIy7B/vqLZ9QwQYNY4wMQ
+-> ssh-ed25519 pX8y2g mvykS4XrUSwe68MteVV52u95oySHdzRlMGVFjhQQrx8
+ztoGz8OrTMRH/0NPfnQXrVBA0Uyuuc2b0dlOXToq85U
+-> ssh-ed25519 SYm+hA TiL9r8l1nIvOMUpFaYmZ/5d6DRxcMHMICjrTfmbC7Wc
+GfivQi5vzTUfYDVjwSxNA8t/tKtRu0QAGE+kPr4u1+I
+-> ssh-ed25519 nh0dAQ 9agb3Zl/7+mAIH7bcIXbY2KrHDZAjugAfKbQ0OAhIQQ
+kPzKALS6Wrr5zUJngqjwGV6w5prKMWlj/WY2qi2ck4M
+-> ssh-ed25519 6UUuZw 36Uu//D8HuiRHFN0GOAyLxI0J3yBrTSBXuBG9pTVZA8
+KTMmUW8MvVtUm4Xjyz0JGDdz4H7Y5KxLPDeYPc0dfl4
+-> ssh-ed25519 k2gHjw D3OD07mu/YnR3xVhhbX4UoChpAWSG4CYIkmQZclsjQc
+kgqZizkSgB5p+1ZRd0tP/bBxZ92jt6fvAcNZe3MmgoE
+--- ZuL2dvQ6+hac47fRdRWl4VHl2sRIvnF80d37EZKq94I
+J��)�Fr��@+��4rFOL5|㞵��ˮ�q�[�Pm;a�H��<�f��I8:��
�.�����+Ȥњ6�S�Т���v�;��:���h����3�X�R�}�E^
\ No newline at end of file
diff --git a/talos.nix b/talos.nix
new file mode 100644
index 0000000..c969790
--- /dev/null
+++ b/talos.nix
@@ -0,0 +1,23 @@
+{...}: {
+  imports = [
+    # Default configuration
+    ./base
+
+    # Module definitions
+    ./modules
+
+    # Service definitions
+    ./services
+
+    # Host-specific config
+    ./hosts/talos
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}