From c3fd5af18f2f92f39599cfe11339ba934c00705c Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:29:54 +0100
Subject: [PATCH] hosts: add thanatos
---
 .github/workflows/cachix.yaml | 2 +-
 flake.lock | 38 ++++++++++++-
 flake.nix | 18 ++++++
 hosts/thanatos/default.nix | 43 +++++++++++++++
 hosts/thanatos/disko-configuration.nix | 52 ++++++++++++++++++
 hosts/thanatos/hardware-configuration.nix | 29 ++++++++++
 hosts/thanatos/home.nix | 5 ++
 hosts/thanatos/secrets.nix | 20 +++++++
 modules/secrets/secrets.nix | 5 +-
 .../secrets/users/alarsyo-hashed-password.age | 31 +++++------
 .../secrets/users/root-hashed-password.age | Bin 909 -> 792 bytes
 thanatos.nix | 23 ++++++++
 12 files changed, 246 insertions(+), 20 deletions(-)
 create mode 100644 hosts/thanatos/default.nix
 create mode 100644 hosts/thanatos/disko-configuration.nix
 create mode 100644 hosts/thanatos/hardware-configuration.nix
 create mode 100644 hosts/thanatos/home.nix
 create mode 100644 hosts/thanatos/secrets.nix
 create mode 100644 thanatos.nix
diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml
index 6563e90..9b4646b 100644
--- a/.github/workflows/cachix.yaml
+++ b/.github/workflows/cachix.yaml
@@ -78,7 +78,7 @@ jobs:
 - boreal
 - hades
 - hephaestus
- - poseidon
+ - thanatos
 steps:
 - uses: actions/checkout@v4
diff --git a/flake.lock b/flake.lock
index fcdce90..38be2d0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -41,6 +41,25 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1702479765,
+ "narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "master",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "locked": {
 "lastModified": 1653893745,
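Review bot: The matrix change replaces `- poseidon` with `- thanatos` instead of adding thanatos next to the existing hosts, so this workflow stops building and pushing poseidon's closure to cachix even though the commit only says it adds thanatos. Nothing else in the patch removes a poseidon host key or a poseidon `nixosConfigurations` entry, so whether poseidon is retired cannot be confirmed from here. If it is still a live host, keep `- poseidon` and append `- thanatos` after `- hephaestus`; if it is decommissioned, say so in the commit message so the change in cache coverage is intentional and traceable.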
@@ -127,6 +146,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1697915759,
+ "narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1701952659,
 "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=",
@@ -145,10 +180,11 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "disko": "disko",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "nixpkgs-unstable-small": "nixpkgs-unstable-small"
 }
 }
diff --git a/flake.nix b/flake.nix
index 9c829c1..6675c5f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,13 @@
 repo = "nixos-hardware";
 ref = "master";
 };
+
+ disko = {
+ type = "github";
+ owner = "nix-community";
+ repo = "disko";
+ ref = "master";
+ };
 };
 outputs = {
@@ -49,6 +56,7 @@
 nixpkgs,
 home-manager,
 agenix,
+ disko,
 ...
 } @ inputs: {
@@ -147,6 +155,16 @@
 ] ++ sharedModules;
 };
+
+ thanatos = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules =
+ [
+ disko.nixosModules.default
+ ./thanatos.nix
+ ]
+ ++ sharedModules;
+ };
 };
 }
 // inputs.flake-utils.lib.eachDefaultSystem (system: {
diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix
new file mode 100644
index 0000000..5a6711d
--- /dev/null
+++ b/hosts/thanatos/default.nix
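Review bot: The new `disko` input is declared without `inputs.nixpkgs.follows = "nixpkgs";`, which is why the flake.lock hunks in this patch gain a second nixpkgs pin (`nixpkgs_2`, nixpkgs-unstable at 1697915759) referenced only by disko while the root nixpkgs moves to `nixpkgs_3`. Two nixpkgs revisions are two package sets to evaluate and to keep patched, and the older one is only as current as disko's own lock. Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `disko = { ... }` block and re-locking collapses it to one. Whether disko at this revision evaluates cleanly against the root nixpkgs cannot be confirmed from the patch, so re-lock and build the thanatos configuration to check.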
@@ -0,0 +1,43 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ secrets = config.my.secrets;
+in {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./disko-configuration.nix
+ ./home.nix
+ ./secrets.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.tmp.useTmpfs = true;
+
+ networking.hostName = "thanatos"; # Define your hostname.
+ networking.domain = "lrde.epita.fr";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # List services that you want to enable:
+ my.services = {
+ tailscale.enable = true;
+ };
+
+ services = {
+ openssh.enable = true;
+ };
+
+ virtualisation.docker.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ docker-compose
+ ];
+}
diff --git a/hosts/thanatos/disko-configuration.nix b/hosts/thanatos/disko-configuration.nix
new file mode 100644
index 0000000..23357cd
--- /dev/null
+++ b/hosts/thanatos/disko-configuration.nix
@@ -0,0 +1,52 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "8G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
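Review bot: The `let secrets = config.my.secrets; in` binding at the top of default.nix is never used in the body, and `lib` is not used either, so the header can be the plain `{config, pkgs, ...}: {` form used elsewhere in the patch. `services.openssh.enable = true` is set with no `settings` (for example `PasswordAuthentication = false` or a `PermitRootLogin` choice); since the same host also enables Docker and Tailscale, a reviewer would want to confirm that the SSH hardening lives in `./base` or the shared modules, which are outside this patch. A one-line comment next to `openssh.enable` pointing at where those defaults are set would avoid the same question on the next host.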
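Review bot: The ESP (`format = "vfat"; mountpoint = "/boot";`) is mounted with default vfat options, so the kernels and initrd images GRUB reads from /boot are world-readable; adding `mountOptions = ["umask=0077"];` next to `mountpoint` restricts them to root. Nothing in this layout is encrypted, and the 8G swapfile on the `/swap` subvolume will hold raw memory pages, including whatever agenix decrypts on this host, at rest on the SSD; if that is acceptable for where this machine lives, a one-line comment on the `root` partition recording the decision would stop it from being re-litigated. default.nix sets `boot.loader.grub.enable = true` but no `boot.loader.grub.device`, so the `EF02` partition is presumably relying on disko to fill in the GRUB device list — worth confirming on the first deploy.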
diff --git a/hosts/thanatos/hardware-configuration.nix b/hosts/thanatos/hardware-configuration.nix
new file mode 100644
index 0000000..f9e41a6
--- /dev/null
+++ b/hosts/thanatos/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/thanatos/home.nix b/hosts/thanatos/home.nix
new file mode 100644
index 0000000..3bb7dab
--- /dev/null
+++ b/hosts/thanatos/home.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+ home-manager.users.alarsyo = {
+ my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+ };
+}
diff --git a/hosts/thanatos/secrets.nix b/hosts/thanatos/secrets.nix
new file mode 100644
index 0000000..3fbc379
--- /dev/null
+++ b/hosts/thanatos/secrets.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 28760e7..9c042d0 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -5,8 +5,9 @@ let
 boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
 hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
 hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
+ thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
- machines = [boreal hades hephaestus];
+ machines = [boreal hades hephaestus thanatos];
 all = users ++ machines;
 in {
@@ -34,6 +35,6 @@ in {
 "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
- "users/root-hashed-password.age".publicKeys = machines;
+ "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
index 1e7abbe..38b12ac 100644
--- a/modules/secrets/users/alarsyo-hashed-password.age
+++ b/modules/secrets/users/alarsyo-hashed-password.age
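Review bot: The module header `{ config, lib, options, ... }: {` takes `config` and `options` that the body never reads — `config.age = { ... }` is the attribute path being defined, not a use of the argument — so `{lib, ...}: {` is enough. In `toSecret`, `./../../modules/secrets + "/${name}.age"` works but `../../modules/secrets + "/${name}.age"` is the usual spelling and reads less like a typo. Both secrets are declared with agenix's defaults (root-owned, mode 0400 if memory serves), which is the right shape for files consumed by `users.users.<name>.hashedPasswordFile`; the consumer is not in this patch, so confirm it is wired up in the shared modules rather than expected here.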
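Review bot: `"users/root-hashed-password.age".publicKeys` changes from `machines` to `machines ++ [alarsyo]`, so the user's personal key can now decrypt the root password hash for every host, which the commit message does not mention. It mirrors the policy already used for `alarsyo-hashed-password.age` and is presumably what allowed the file to be re-encrypted from a workstation in this same patch, but a short comment on that line, e.g. `# alarsyo's key included so the file can be rekeyed with agenix without a host key`, would keep the reason next to the policy. The rekeyed `alarsyo-hashed-password.age` further down drops two recipient stanzas (`z6Eu8Q`, `ZQuVNA`) that the `machines ++ [alarsyo]` list does not produce, so the previous blob was still readable by keys no longer listed in this file; worth confirming the binary root file was rekeyed the same way and that those retired keys are gone everywhere.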
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo --> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg --> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs --> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk --> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww --> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 --> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T -wAOK28XvNSpz ---- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 -{gh1Å\PyЯ@sHq8Jxw<翕kVħ T(N.;/)DWz{uNl%vކ50K0ͩnn8\kJOC7oً4cї \ No newline at end of file +-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY +JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs +-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4 +TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc +-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg +fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA +-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA +9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ +-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY +Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE +-> >)/-grease VfMC'D<: eQJ #XT +OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi +D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H +--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q +Xb;\hJ #Ⱦ>3PzQ{J Xe3Q!5$|MD;KZS.XS?з1j)H[hkƫ|g= \ No newline at end of file 
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b373fa4646a546a93df31bcc1316b51dd34535cc..0988a496e8a79da8fb6e050550452c058ffe7668 100644 GIT binary patch literal 792 zcmZ9}JB!nB008jirVb}6H;79?;e^mjnkH!~A|`#MZPGSLlQvl-X>v)Lq)GmHH3c8Y zaSASSqmvvQIQb>SMQ~8T#~^O%-Jpo*tgiP7e#1|*%!;|3gCb0vV7U_j3(l&g%Jp&_ z+ZEG5alG0nD^relt+E5bq|y~R8{ujy5@o8XFDYMLgE~21hRCGFNdWF-VzD4g3h$#} zCIuYoRo6B~wFs7>Gpl9Af?_!8)GFp_b)@NzMxEBe8CjrKSq96hPoonCX?GPOr5pCH zkk(j@9fr8Q$St-hV=IQQNv(MaU8}UoMo~7hS6{)=ulv;f-Y5(Xbo>Py|I>5frkN@rl*W;YE^}1X{XQvCJPi`EnU@iPirn} zF^jz1-mS}4>girKLUqEDJW;E25!L5>7-?hchC5=rX<9&Bp_EL+#Em5HhZC)3B%N+D zG(ZL!yB%1DBflv?*`kSLc2=MA|26bhT(N+u#b$}A`j%0&ZJ#4^lZX0)vB_qPpkuSR z1+6Vl!G#`%l5r&1k{FC;wei1;N~PR^8N8811P%;OKvtrc0KZRm`l`mtJ$_6%ApO@t zu0n+?J-(-(J=i?_eEH#%M_10w@A!P>>OQo6ck5^}(A;A6sd)ALa5%@>>ao7+DW zV*h0C#)ZL~?;FSGULGudA6`7(ct#$4`MCG1_hkFh-Dj^G)BD#xy#2QQ_1)8RU!8;Z N57g1m^B2}fe*tw95LEyG literal 909 zcmZY4&8yo4003~m2NBeR;MBu{vZs)BX+E2vOp-Kdnl@>h@6>^$Nt!fik~VGHBGOwst+eMyT%!?4- zAwcUAxYmqu3qO9+#Ah(RB$LWXbiUC`dz%T z+d#y*8b)&LVkLXKbdzvuj&WiDnWJEj=Fl)*^7$64;33YR)>bxEqaipQ*8+`W6LDN} zxi+ATydF(;&-XXI59X9op%xvvd#~=oVAf zjprt{729hohSV;Psx=cY20f{QQE{XZvE5+Uo_R!TNWP>dpaF9lo=fsBCFGSqX^$PQ z&NA9(rdhjzJf7&}cDBZcsA>RR3G#MM-_8+m_F5Owl37GYrZe)Qb3!` z=JahkDNTg|Nt6dlSw{rES8f+Z>N}D1=m(Hc(zU+-acrBMc{4%@UlF+JOtwr7py&=05O1YzG3wl9m1VH$E z+RRc?O{$Kh%yo%#2vf-hQ6;-3mg`*MaR{UCGIFkx^JSMFXEUJHYJs&4?KNkqYJ?&i z&^%$RXw-@JYFfJm+n3vPqk9zt2kt@!%1hUt+#mjl+@p^Ee%ycNV08rF`|<=i{Pec^ z#KCjtZu}4m$2ad><9~YNm&d++@Zo3A*B^P$UOE2e>cy8|J@eY((b>Dd_WwG$|JDAF z&r{;XEAKZqzCSth%7xos-+Jo$O9xo=*7&!lH^^H&eQ`}o|y>vuk(e}3V?arOIu VZ@<1N-dknC-7n-H@Bc&V{{!QrGvWXM diff --git a/thanatos.nix b/thanatos.nix new file mode 100644 index 0000000..e0c2c2d --- /dev/null +++ b/thanatos.nix 
@@ -0,0 +1,23 @@
+{...}: {
+ imports = [
+ # Default configuration
+ ./base
+
+ # Module definitions
+ ./modules
+
+ # Service definitions
+ ./services
+
+ # Host-specific config
+ ./hosts/thanatos
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}