From e31a34719d6a90442a811407b56378d158bc1e25 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sat, 23 Sep 2023 13:35:35 +0200 Subject: [PATCH] hosts: add hephaestus --- flake.nix | 14 +++ hephaestus.nix | 23 ++++ hosts/hephaestus/default.nix | 98 ++++++++++++++++++ hosts/hephaestus/hardware-configuration.nix | 41 ++++++++ hosts/hephaestus/home.nix | 39 +++++++ hosts/hephaestus/secrets.nix | 20 ++++ modules/secrets/secrets.nix | 3 +- .../secrets/users/alarsyo-hashed-password.age | Bin 793 -> 926 bytes .../secrets/users/root-hashed-password.age | Bin 821 -> 909 bytes 9 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 hephaestus.nix create mode 100644 hosts/hephaestus/default.nix create mode 100644 hosts/hephaestus/hardware-configuration.nix create mode 100644 hosts/hephaestus/home.nix create mode 100644 hosts/hephaestus/secrets.nix diff --git a/flake.nix b/flake.nix index 3a918c3..c9aada9 100644 --- a/flake.nix +++ b/flake.nix @@ -143,6 +143,20 @@ ] ++ sharedModules; }; + + hephaestus = nixpkgs.lib.nixosSystem rec { + inherit system; + modules = + [ + ./hephaestus.nix + + inputs.nixos-hardware.nixosModules.common-cpu-amd + inputs.nixos-hardware.nixosModules.common-gpu-amd + inputs.nixos-hardware.nixosModules.common-pc-laptop + inputs.nixos-hardware.nixosModules.common-pc-ssd + ] + ++ sharedModules; + }; }; } // inputs.flake-utils.lib.eachDefaultSystem (system: { diff --git a/hephaestus.nix b/hephaestus.nix new file mode 100644 index 0000000..1bb452a --- /dev/null +++ b/hephaestus.nix 
@@ -0,0 +1,23 @@
+{...}: {
+ imports = [
+ # Default configuration
+ ./base
+
+ # Module definitions
+ ./modules
+
+ # Service definitions
+ ./services
+
+ # Host-specific config
+ ./hosts/hephaestus
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+}
diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix
new file mode 100644
index 0000000..8611e1e
--- /dev/null
+++ b/hosts/hephaestus/default.nix
@@ -0,0 +1,98 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./home.nix
+ ./secrets.nix
+ ];
+
+ boot.kernelPackages = pkgs.linuxPackages;
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.initrd.secrets = {
+ "/crypto_keyfile.bin" = null;
+ };
+
+ boot.tmp.useTmpfs = true;
+
+ services.btrfs = {
+ autoScrub = {
+ enable = true;
+ fileSystems = ["/"];
+ };
+ };
+
+ networking.hostName = "hephaestus"; # Define your hostname.
+ networking.domain = "alarsyo.net";
+
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # List services that you want to enable:
+ my.services = {
+ tailscale.enable = true;
+ pipewire.enable = true;
+ };
+
+ virtualisation.docker.enable = true;
+ virtualisation.libvirtd.enable = true;
+ programs.dconf.enable = true;
+
+ services = {
+ tlp = {
+ settings = {
+ START_CHARGE_THRESH_BAT0 = 70;
+ STOP_CHARGE_THRESH_BAT0 = 80;
+ };
+ };
+ fwupd.enable = true;
+ openssh.enable = true;
+ };
+
+ my.gui.enable = true;
+ my.displayManager.sddm.enable = lib.mkForce false;
+
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = false;
+ settings.General.Experimental = true;
+ };
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "fr_FR.UTF-8";
+ LC_IDENTIFICATION = "fr_FR.UTF-8";
+ LC_MEASUREMENT = "fr_FR.UTF-8";
+ LC_MONETARY = "fr_FR.UTF-8";
+ LC_NAME = "fr_FR.UTF-8";
+ LC_NUMERIC = "fr_FR.UTF-8";
+ LC_PAPER = "fr_FR.UTF-8";
+ LC_TELEPHONE = "fr_FR.UTF-8";
+ LC_TIME = "fr_FR.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the KDE Plasma Desktop Environment.
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+
+ # Configure console keymap
+ console.keyMap = "us";
+}
diff --git a/hosts/hephaestus/hardware-configuration.nix b/hosts/hephaestus/hardware-configuration.nix
new file mode 100644
index 0000000..4a44055
--- /dev/null
+++ b/hosts/hephaestus/hardware-configuration.nix
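Review bot: `boot.initrd.secrets = { "/crypto_keyfile.bin" = null; };` copies that keyfile into the initrd, and with `boot.loader.systemd-boot.enable = true` the initrd is installed on the EFI system partition, which hardware-configuration.nix in this same commit mounts as plain vfat at `/boot`. If the file is enrolled in a key slot of the LUKS volume (not visible on this page), anyone with access to the disk can read it from the unencrypted ESP and unlock the root filesystem, which removes the protection disk encryption is meant to give a laptop. Consider dropping the `boot.initrd.secrets` entry and unlocking by passphrase or a hardware-bound slot, then removing the keyfile's slot from the LUKS header. Separately, `openssh.enable = true` has no hardening visible in this hunk; confirm that a shared module disables password authentication.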
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/54ded736-367c-4081-9978-9e2d8f61cb1b"; + fsType = "btrfs"; + options = [ "subvol=@" ]; + }; + + boot.initrd.luks.devices."luks-df96458d-45a1-4a30-8633-58feeff603f8".device = "/dev/disk/by-uuid/df96458d-45a1-4a30-8633-58feeff603f8"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/826A-23F7"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/hephaestus/home.nix b/hosts/hephaestus/home.nix new file mode 100644 index 0000000..2b20617 --- /dev/null +++ b/hosts/hephaestus/home.nix 
@@ -0,0 +1,39 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ home-manager.users.alarsyo = {
+ my.home.laptop.enable = true;
+
+ # Keyboard settings & i3 settings
+ my.home.x.enable = true;
+ my.home.x.i3bar.temperature.chip = "k10temp-pci-*";
+ my.home.x.i3bar.temperature.inputs = ["Tccd1"];
+ my.home.x.i3bar.networking.throughput_interfaces = ["wlp3s0"];
+ my.home.emacs.enable = true;
+
+ my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+
+ home.packages = builtins.attrValues {
+ inherit
+ (pkgs)
+ # some websites only work there :(
+
+ chromium
+ darktable
+ # dev
+
+ rustup
+ gdb
+ valgrind
+ arandr
+ zotero
+ ;
+
+ inherit (pkgs.packages) spot;
+
+ inherit (pkgs.wineWowPackages) stable;
+ };
+ };
+}
diff --git a/hosts/hephaestus/secrets.nix b/hosts/hephaestus/secrets.nix
new file mode 100644
index 0000000..3fbc379
--- /dev/null
+++ b/hosts/hephaestus/secrets.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 112685e..0accd18 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -4,10 +4,11 @@ let boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades"; + hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus"; poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon"; zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus"; - machines = [boreal hades poseidon zephyrus]; + machines = [boreal hades hephaestus poseidon zephyrus]; all = users ++ machines; in { 
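Review bot: Adding `hephaestus` to `machines` also adds it to `all = users ++ machines`, so every secret whose recipient list is `machines` or `all` becomes decryptable with this laptop's host key at the next rekey, not only the two `users/*-hashed-password.age` files this commit re-encrypts. The per-secret recipient assignments sit below the `in {` line, outside this hunk, so this may already be scoped. If it is not, a laptop is the host most exposed to loss or theft and should be a recipient only for the secrets it consumes. A comment on the new binding such as `# laptop: keep out of recipient lists for server-only secrets` would record that boundary, with server-only secrets pointed at a narrower list.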
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age index f9a9f83c1edaf2939968fd91df928d4e88cebc77..1e7abbe3906d474d9d11daa02ec9c31a37944d9f 100644 GIT binary patch literal 926 zcmZ9_%gfsY008iVf)a3wqIeN<5gfJ4qj?oY*R*NVJe#Iznlf-nnpczN{rH+)-7aJ7 z;AHGF1d*{hnBP$p1}feJ2kzkIlb!T7LEUNM%?}xPs<>Q&m_4A)dugXQNBW?li%RH$&c-5Ynezr7nQ3Ja_L`(bqR|5Osx0@zrHo|+Mh;47l>n<~ z1(PX+TKkG_b!XlS{V7EM$3fV%*#j^Mhy|U zIg(U*l3Oh4YeEg%#@HZmHS*I+wW^#g4!4$IDoOz-Ob^AVUTW=3$w;Bd+Fc<%4GUc)K&=;s^3Lukow(BS3!MqtM?qY%B zL7}aq2_F-*X~t6}34~D_9koq!xP_?4ZX1w`B*qYw;Aln)j0KOm3YT##tq__-b-ma{ zI3q~*m{A!U$SFmu1fOBX`=W$7N8cb@(+_i7TtZf#pRikMrmnR$hrs`DADCy2{rjxe z^>W8791v+6gP9rYop#S#h^a5xGGLKTLT2j*%=ytoHA5B-P(q9p>h(pz^ z?(}A&8&*>{;Po`LHoC+*n@$F?IR#wsUi4o_9{%#}#p9djX8S9@|9J0gapU^t^Tz+@!_6v*4m+pV`*66hty}eMq{Mv~WegEe1sYmsblS??v!{7Yz!|nLgwP)gE>Wjypo(s9V T^3&lRGI{j#W$YjO!S#OuK8Zez literal 793 zcmZ9|yNlBR0Dy57T!K0|-4r<#CDf#OHi$x#OPaQ6lUy%JQxxnYO`A0Dv`MPN34(Bg zgD4JyAR;;l=OpMRo{vEf1s@=%h?AS=Dhi6@{RO{|uWOkF)9Xihkc@rrxF1>YtOyiN zfpI)4m;;m`iZp2G4aKoQ-jwlnrxqk)8c!i!qSRJ7DwgSvnoU_D@ZuorM3|4XPzyk% zu|pGylxKB<>9Q4-qZ{*Rr6h%;_S`0$#o;LHOa?~H;C5<3yOg6A$n+?=lGHWG>mVVe z!i??Oyh6#Wl~`j|6WmaoWL%Nzv3-D>ED=6h#!*`8;*8FFsby%MOUfidk=lx{!1ljV zr0eMZPHj$d(~<)63hpZj?G0=-NE*ScxI88zuY<|dP{r|_#jCU>;YmKR%fOVZ7b^lw z%DFvK*F6Vo6{o*CAV8XGP7)p+QrJGG87)tY56hIqZ%U*ZJQ4*6J=y?8Wj zRa?0^GZO>r)g8DLwcOBkm$vV|;0z;kcdl>H@^T9L1t?#qi2r zb*JW_mSCr#z5-jRIM6lK(;)@*(=-w*qTTGGS*~II%%n7O?h=O0Hvp+0(;8y%8swv$ z2_A}UZ#3kVql&KD9Au}d#6vK$+-lDLpEOTbP9Z1GkOeC;yRiwLKa5(Qdk6vO0fq@> zpin4)nAO02M_0p!$&X2eDY1z(3P-XMbIo*Gg_EKX>cbhWv-x}N~zMY#X> Ycb(Y>zrTJ?NIx97@$#Mc>nZX0FT{ZoXaE2J 
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index 0eff2bd9fdc3617698476bd5896a0828f2e51559..b373fa4646a546a93df31bcc1316b51dd34535cc 100644 GIT binary patch literal 909 zcmZY4&8yo4003~m2NBeR;MBu{vZs)BX+E2vOp-Kdnl@>h@6>^$Nt!fik~VGHBGOwst+eMyT%!?4- zAwcUAxYmqu3qO9+#Ah(RB$LWXbiUC`dz%T z+d#y*8b)&LVkLXKbdzvuj&WiDnWJEj=Fl)*^7$64;33YR)>bxEqaipQ*8+`W6LDN} zxi+ATydF(;&-XXI59X9op%xvvd#~=oVAf zjprt{729hohSV;Psx=cY20f{QQE{XZvE5+Uo_R!TNWP>dpaF9lo=fsBCFGSqX^$PQ z&NA9(rdhjzJf7&}cDBZcsA>RR3G#MM-_8+m_F5Owl37GYrZe)Qb3!` z=JahkDNTg|Nt6dlSw{rES8f+Z>N}D1=m(Hc(zU+-acrBMc{4%@UlF+JOtwr7py&=05O1YzG3wl9m1VH$E z+RRc?O{$Kh%yo%#2vf-hQ6;-3mg`*MaR{UCGIFkx^JSMFXEUJHYJs&4?KNkqYJ?&i z&^%$RXw-@JYFfJm+n3vPqk9zt2kt@!%1hUt+#mjl+@p^Ee%ycNV08rF`|<=i{Pec^ z#KCjtZu}4m$2ad><9~YNm&d++@Zo3A*B^P$UOE2e>cy8|J@eY((b>Dd_WwG$|JDAF z&r{;XEAKZqzCSth%7xos-+Jo$O9xo=*7&!lH^^H&eQ`}o|y>vuk(e}3V?arOIu VZ@<1N-dknC-7n-H@Bc&V{{!QrGvWXM literal 821 zcmZ9~%j?^8003|pxI<;T$qv7R5r;ZM&7(=$;1H5Dk6+tw+ayiX<}#Az-8N10P7hNY zLv|T#WA5O|!Mu3c&x?*tR5lm`@iq|gvdQq^5M>@j96qkUzucNbdZ>NZ7l%OEo9!mP=TwCL}bEUA_aOmYWRL~RFXofp~4og{%5k}5Ea{y2yy z$W~ov?lgDHj(1qwQGDK!At$6g!BaG4(`Je>A>%BErM3#^num!?ttI%n05+XAiOCIh z0xwG5a%R(fjN0-fLEuVn<$R!3Ylf!`-(nm-2I&4MJ**jWJ{>Yp!NnrWWA56p@jlxc z(rn1r3S}7ksNgU=#R?-lQ00UQ&_;hdSd|9N_|sDNoFUsML}KT7Sjx2Kd_k2lVZn|d z_9mHpSX<(r6qXPIXVbhDgl*HxnIIW$LM>f~lr5VCK#~16+?z}@3yvKhG*~cgOEobA zIH~BlTFz=ewDzE!!P;AU~X6~+IOHJi|ca)(HWbn>dQ3C?K8+IrLDoWk2y*#O>x zcDfCyuE>uB&`7HX^q=bKm#+L)Jc&Q)-1+D#_c9~>dgbVm(YwD~`&>MGp65Yryri*I3E7^+TNG*&#rS{9DMrZ?KdCoePBI&tv*{p;50=XcNf-Td3v&mRmP?-}=&%~$`p`SkYJCk`&% GzxFRdvmvbj