diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index 6563e90..9b4646b 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -78,7 +78,7 @@ jobs: - boreal - hades - hephaestus - - poseidon + - thanatos steps: - uses: actions/checkout@v4 diff --git a/flake.lock b/flake.lock index fcdce90..38be2d0 100644 --- a/flake.lock +++ b/flake.lock @@ -41,6 +41,25 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1702479765, + "narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=", + "owner": "nix-community", + "repo": "disko", + "rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1653893745, @@ -127,6 +146,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1697915759, + "narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1701952659, "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=", @@ -145,10 +180,11 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 9c829c1..6675c5f 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,13 @@ repo = "nixos-hardware"; ref = "master"; }; + + disko = { + type = "github"; + owner = "nix-community"; + repo = "disko"; + ref = "master"; + }; }; outputs = { 
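Review bot: The new `disko` input in flake.nix declares no `inputs.nixpkgs.follows`, so it carries its own nixpkgs — the flake.lock hunk in this same commit shows `disko.inputs.nixpkgs` bound to a separate `nixpkgs_2` entry at a different revision (lastModified 1697915759) from the root `nixpkgs_3` (1701952659). Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `disko = { ... };` block keeps one nixpkgs in the closure and evaluates disko's modules against the same package set as the rest of the system. `ref = "master"` mirrors the neighbouring `nixos-hardware` input and is pinned by the lock, so it is consistent; a one-line comment such as `# tracked on master, pinned via flake.lock` would spare readers who expect a release tag.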
@@ -49,6 +56,7 @@ nixpkgs, home-manager, agenix, + disko, ... } @ inputs: { @@ -147,6 +155,16 @@ ] ++ sharedModules; }; + + thanatos = nixpkgs.lib.nixosSystem { + inherit system; + modules = + [ + disko.nixosModules.default + ./thanatos.nix + ] + ++ sharedModules; + }; }; } // inputs.flake-utils.lib.eachDefaultSystem (system: { diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix new file mode 100644 index 0000000..5a6711d --- /dev/null +++ b/hosts/thanatos/default.nix @@ -0,0 +1,43 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + lib, + pkgs, + ... +}: let + secrets = config.my.secrets; +in { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./disko-configuration.nix + ./home.nix + ./secrets.nix + ]; + + boot.loader.grub.enable = true; + boot.tmp.useTmpfs = true; + + networking.hostName = "thanatos"; # Define your hostname. + networking.domain = "lrde.epita.fr"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # List services that you want to enable: + my.services = { + tailscale.enable = true; + }; + + services = { + openssh.enable = true; + }; + + virtualisation.docker.enable = true; + + environment.systemPackages = with pkgs; [ + docker-compose + ]; +} diff --git a/hosts/thanatos/disko-configuration.nix b/hosts/thanatos/disko-configuration.nix new file mode 100644 index 0000000..23357cd --- /dev/null +++ b/hosts/thanatos/disko-configuration.nix 
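Review bot: In hosts/thanatos/default.nix the `let` binds `secrets = config.my.secrets;` but nothing in the body references `secrets`; either use it or drop the binding so the file does not suggest a dependency that is not there. `services.openssh.enable = true` is set without a `settings` block in this file — if the shared `./base` modules do not already disable password authentication and root login, the host takes the upstream defaults, and in either case a comment pointing to where the sshd hardening lives (or stating that it is intentionally default) makes the intent reviewable. `virtualisation.docker.enable = true` makes membership of the docker group root-equivalent on this host, which deserves a comment next to the line for whoever later adds users to that group.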
@@ -0,0 +1,52 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "8G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/thanatos/hardware-configuration.nix b/hosts/thanatos/hardware-configuration.nix
new file mode 100644
index 0000000..f9e41a6
--- /dev/null
+++ b/hosts/thanatos/hardware-configuration.nix
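Review bot: The disko layout places the root, home, nix and swap subvolumes on an unencrypted btrfs volume, so the 8G swapfile under `/.swapvol` will hold whatever the kernel pages out in plaintext at rest; if the physical threat model for this host accepts that, a comment saying so is enough, otherwise wrapping the `root` partition's `content` in a LUKS layer is the disko-supported fix. The `device` line pins one drive serial and disko will wipe and repartition that disk when applied, so a comment such as `# disko formats this device: verify the serial before applying on new hardware` is cheap insurance against reusing this file on the wrong machine. The `/swap` subvolume is the only one without `compress=zstd` and `noatime`; a short inline note on why it differs would stop a later edit from "harmonising" it with its siblings.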
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/thanatos/home.nix b/hosts/thanatos/home.nix
new file mode 100644
index 0000000..3bb7dab
--- /dev/null
+++ b/hosts/thanatos/home.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+ home-manager.users.alarsyo = {
+ my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+ };
+}
diff --git a/hosts/thanatos/secrets.nix b/hosts/thanatos/secrets.nix
new file mode 100644
index 0000000..3fbc379
--- /dev/null
+++ b/hosts/thanatos/secrets.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
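Review bot: In hosts/thanatos/secrets.nix the argument set takes `options` but the body never references it; drop it so the signature reflects what the module actually uses. `toSecret` derives each `file` from the attribute name via `./../../modules/secrets + "/${name}.age"`, which couples this file to the key names in modules/secrets/secrets.nix without saying so — a comment like `# names must match the secret entries in modules/secrets/secrets.nix` documents that, since a typo here only surfaces when the path is consumed. The hardware-configuration.nix and home.nix hunks on this line are generated or trivial and need nothing.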
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 28760e7..9c042d0 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -5,8 +5,9 @@ let boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades"; hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus"; + thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos"; - machines = [boreal hades hephaestus]; + machines = [boreal hades hephaestus thanatos]; all = users ++ machines; in { @@ -34,6 +35,6 @@ in { "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus]; "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus]; - "users/root-hashed-password.age".publicKeys = machines; + "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo]; "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo]; } diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age index 1e7abbe..38b12ac 100644 --- a/modules/secrets/users/alarsyo-hashed-password.age +++ b/modules/secrets/users/alarsyo-hashed-password.age 
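Review bot: `"users/root-hashed-password.age".publicKeys = machines ++ [alarsyo]` widens the recipient set of the root password hash from host keys only to a user key as well; the re-encrypted .age files in this commit are consistent with that, but the reason for the change (presumably editing the secret from a workstation, as the `alarsyo-hashed-password` line below already allows) should be stated in a comment on the line so a later cleanup does not narrow it back without understanding why. The new `thanatos` host key is pasted by value in the first hunk; a note on where it was read from would let its provenance be checked against the installed host before this line is trusted by every other secret that uses `machines`.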
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo --> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg --> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs --> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk --> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww --> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 --> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T -wAOK28XvNSpz ---- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 -{gh1Å\PyЯ@sHq8Jxw<翕kVħ T(N.;/)DWz{uNl%vކ50K0ͩnn8\kJOC7oً4cї \ No newline at end of file +-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY +JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs +-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4 +TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc +-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg +fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA +-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA +9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ +-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY +Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE +-> >)/-grease VfMC'D<: eQJ #XT +OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi +D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H +--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q +Xb;\hJ #Ⱦ>3PzQ{J Xe3Q!5$|MD;KZS.XS?з1j)H[hkƫ|g= \ No newline at end of file diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b373fa4..0988a49 100644 Binary files a/modules/secrets/users/root-hashed-password.age and b/modules/secrets/users/root-hashed-password.age differ 
diff --git a/thanatos.nix b/thanatos.nix
new file mode 100644
index 0000000..e0c2c2d
--- /dev/null
+++ b/thanatos.nix
@@ -0,0 +1,23 @@
+{...}: {
+ imports = [
+ # Default configuration
+ ./base
+
+ # Module definitions
+ ./modules
+
+ # Service definitions
+ ./services
+
+ # Host-specific config
+ ./hosts/thanatos
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}