From e31a34719d6a90442a811407b56378d158bc1e25 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Sat, 23 Sep 2023 13:35:35 +0200
Subject: [PATCH] hosts: add hephaestus

---
 flake.nix                                     |  14 +++
 hephaestus.nix                                |  23 ++++
 hosts/hephaestus/default.nix                  |  98 ++++++++++++++++++
 hosts/hephaestus/hardware-configuration.nix   |  41 ++++++++
 hosts/hephaestus/home.nix                     |  39 +++++++
 hosts/hephaestus/secrets.nix                  |  20 ++++
 modules/secrets/secrets.nix                   |   3 +-
 .../secrets/users/alarsyo-hashed-password.age | Bin 793 -> 926 bytes
 .../secrets/users/root-hashed-password.age    | Bin 821 -> 909 bytes
 9 files changed, 237 insertions(+), 1 deletion(-)
 create mode 100644 hephaestus.nix
 create mode 100644 hosts/hephaestus/default.nix
 create mode 100644 hosts/hephaestus/hardware-configuration.nix
 create mode 100644 hosts/hephaestus/home.nix
 create mode 100644 hosts/hephaestus/secrets.nix

diff --git a/flake.nix b/flake.nix
index 3a918c3..c9aada9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -143,6 +143,20 @@
             ]
             ++ sharedModules;
         };
+
+        hephaestus = nixpkgs.lib.nixosSystem rec {
+          inherit system;
+          modules =
+            [
+              ./hephaestus.nix
+
+              inputs.nixos-hardware.nixosModules.common-cpu-amd
+              inputs.nixos-hardware.nixosModules.common-gpu-amd
+              inputs.nixos-hardware.nixosModules.common-pc-laptop
+              inputs.nixos-hardware.nixosModules.common-pc-ssd
+            ]
+            ++ sharedModules;
+        };
       };
     }
     // inputs.flake-utils.lib.eachDefaultSystem (system: {
diff --git a/hephaestus.nix b/hephaestus.nix
new file mode 100644
index 0000000..1bb452a
--- /dev/null
+++ b/hephaestus.nix
@@ -0,0 +1,23 @@
+{...}: {
+  imports = [
+    # Default configuration
+    ./base
+
+    # Module definitions
+    ./modules
+
+    # Service definitions
+    ./services
+
+    # Host-specific config
+    ./hosts/hephaestus
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix
new file mode 100644
index 0000000..8611e1e
--- /dev/null
+++ b/hosts/hephaestus/default.nix
@@ -0,0 +1,98 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./home.nix
+    ./secrets.nix
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.secrets = {
+    "/crypto_keyfile.bin" = null;
+  };
+
+  boot.tmp.useTmpfs = true;
+
+  services.btrfs = {
+    autoScrub = {
+      enable = true;
+      fileSystems = ["/"];
+    };
+  };
+
+  networking.hostName = "hephaestus"; # Define your hostname.
+  networking.domain = "alarsyo.net";
+
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  # List services that you want to enable:
+  my.services = {
+    tailscale.enable = true;
+    pipewire.enable = true;
+  };
+
+  virtualisation.docker.enable = true;
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+
+  services = {
+    tlp = {
+      settings = {
+        START_CHARGE_THRESH_BAT0 = 70;
+        STOP_CHARGE_THRESH_BAT0 = 80;
+      };
+    };
+    fwupd.enable = true;
+    openssh.enable = true;
+  };
+
+  my.gui.enable = true;
+  my.displayManager.sddm.enable = lib.mkForce false;
+
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = false;
+    settings.General.Experimental = true;
+  };
+
+    # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "fr_FR.UTF-8";
+    LC_IDENTIFICATION = "fr_FR.UTF-8";
+    LC_MEASUREMENT = "fr_FR.UTF-8";
+    LC_MONETARY = "fr_FR.UTF-8";
+    LC_NAME = "fr_FR.UTF-8";
+    LC_NUMERIC = "fr_FR.UTF-8";
+    LC_PAPER = "fr_FR.UTF-8";
+    LC_TELEPHONE = "fr_FR.UTF-8";
+    LC_TIME = "fr_FR.UTF-8";
+  };
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+
+  # Enable the KDE Plasma Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
+
+  # Configure console keymap
+  console.keyMap = "us";
+}
diff --git a/hosts/hephaestus/hardware-configuration.nix b/hosts/hephaestus/hardware-configuration.nix
new file mode 100644
index 0000000..4a44055
--- /dev/null
+++ b/hosts/hephaestus/hardware-configuration.nix
@@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/54ded736-367c-4081-9978-9e2d8f61cb1b";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+    };
+
+  boot.initrd.luks.devices."luks-df96458d-45a1-4a30-8633-58feeff603f8".device = "/dev/disk/by-uuid/df96458d-45a1-4a30-8633-58feeff603f8";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/826A-23F7";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/hephaestus/home.nix b/hosts/hephaestus/home.nix
new file mode 100644
index 0000000..2b20617
--- /dev/null
+++ b/hosts/hephaestus/home.nix
@@ -0,0 +1,39 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  home-manager.users.alarsyo = {
+    my.home.laptop.enable = true;
+
+    # Keyboard settings & i3 settings
+    my.home.x.enable = true;
+    my.home.x.i3bar.temperature.chip = "k10temp-pci-*";
+    my.home.x.i3bar.temperature.inputs = ["Tccd1"];
+    my.home.x.i3bar.networking.throughput_interfaces = ["wlp3s0"];
+    my.home.emacs.enable = true;
+
+    my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+
+    home.packages = builtins.attrValues {
+      inherit
+        (pkgs)
+        # some websites only work there :(
+        
+        chromium
+        darktable
+        # dev
+        
+        rustup
+        gdb
+        valgrind
+        arandr
+        zotero
+        ;
+
+      inherit (pkgs.packages) spot;
+
+      inherit (pkgs.wineWowPackages) stable;
+    };
+  };
+}
diff --git a/hosts/hephaestus/secrets.nix b/hosts/hephaestus/secrets.nix
new file mode 100644
index 0000000..3fbc379
--- /dev/null
+++ b/hosts/hephaestus/secrets.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  options,
+  ...
+}: {
+  config.age = {
+    secrets = let
+      toSecret = name: {...} @ attrs:
+        {
+          file = ./../../modules/secrets + "/${name}.age";
+        }
+        // attrs;
+    in
+      lib.mapAttrs toSecret {
+        "users/alarsyo-hashed-password" = {};
+        "users/root-hashed-password" = {};
+      };
+  };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 112685e..0accd18 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -4,10 +4,11 @@ let
 
   boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
   hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
+  hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
   poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
   zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
 
-  machines = [boreal hades poseidon zephyrus];
+  machines = [boreal hades hephaestus poseidon zephyrus];
 
   all = users ++ machines;
 in {
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
index f9a9f83c1edaf2939968fd91df928d4e88cebc77..1e7abbe3906d474d9d11daa02ec9c31a37944d9f 100644
GIT binary patch
literal 926
zcmZ9_%gfsY008iVf)a3wqIeN<5gfJ4qj?oY*R*NVJe#Iznlf-nnpczN{rH+)-7aJ7
z;AHGF1d*{hnBP$p1}feJ2kzkIlb!T7LEUNM<Jy1V_cJ}G>%?}xPs<>Q&m_4A)d<ji
z4=f75>ugXQNBW?li%RH$&c-5Ynezr7nQ3Ja_L`(bqR|5Osx0@zrHo|+Mh;47l>n<~
z1(PX+TKkG_b!XlS{V7EM$3fV%*#<fj$c!fw+^$Uyw{%7AQ4ie5n5!TRj?Eo@8K}It
z-A@(Wwb&?YR=YurqPRcTO0-yNfV{K=hGB4Op^{$6EzwXVabJMj&aRE2Y2O|jYo))#
z+@W{4sm8A355S%;cseBL3K2vl;u{;b7!V?6)M}V3X2qx^DTc5Ug%b?Gkf>j^Mhy|U
zIg(U*l3Oh4YeEg%#@HZmHS*I+wW^#g4!4$IDoOz-Ob^AVUT<gNuG=4W7E({m%(iZH
zc)boX+QJFDpe%mtCjd1_yiLE9&_bd{>W=3$w;Bd+Fc<lBL=IzOC<tb&pxHJ&+}299
zlm;N0M&c2z(N^74ZDzBg<FGDED2ryD%><%4GUc)K&=;s^3Lukow(BS3!MqtM?qY%B
zL7}aq2_F-*X~t6}34~D_9koq!xP_?4ZX1w`B*qYw;Aln)j0KOm3YT##tq__-b-ma{
zI3q~*m{A!U$SFmu1fOBX`=W$7N8cb@(+_i7TtZf#pRikMrmnR$hrs`DADCy2{rjxe
z^>W8791v<a)I1OB(>+6gP9rYop#S#h^a5xGGLKTLT2j*%=ytoHA5B-P(q9p>h(pz^
z?(}A&8&*>{;Po`LHoC+*n@$F?IR#wsUi4o_9{%#}#p9djX8S9@|9J0gapU<re}DNb
z`{AwZRqFb4+|h48HSgYh`s@9V!>^t^Tz+@!_6v*4m+pV`*<W|BUcCCrmA5{B<)v%V
z*KhoJ=A9eR>66hty}eMq{Mv~WegEe1sYmsblS??v!{7Yz!|nLgwP)gE>Wjypo(s9V
T^3&lRGI{j#W$YjO!S#OuK8Zez

literal 793
zcmZ9|yNlBR0Dy57T!K0|-4r<#CDf#OHi$x#OPaQ6lUy%JQxxnYO`A0Dv`MPN34(Bg
zgD4JyAR;;l=OpMRo{vEf1s@=%h?AS=Dhi6@{RO{|uWOkF)9Xihkc@rrxF1>YtOyiN
zfpI)4m;;m`iZp2G4aKoQ-jwlnrxqk)8c!i!qSRJ7DwgSvnoU_D@ZuorM3|4XPzyk%
zu|pGylxKB<>9Q4-qZ{*Rr6h%;_S`0$#o;LHOa?~H;C5<3yOg6A$n+?=lGHWG>mVVe
z!i??Oyh6#Wl~`j|6WmaoWL%Nzv3-D>ED=6h#!*`8;*8FFsby%MOUfidk=lx{!1ljV
zr0eMZPHj$d(~<)63hpZj?G0=-NE*ScxI88zuY<|dP{r|_#jCU>;YmKR%fOVZ7b^lw
z%<I~aL&P>DFvK*F6Vo6{o*CAV8XGP7)p+QrJGG87)tY56hIqZ%U*ZJQ4*6J=y?8Wj
zRa?0^GZO>r)g8DLwcOBkm<HekwVK}&B#f?2uq>$vV|;0z;kcdl>H@^T9L1t?#qi2r
zb*JW_mSCr#z5-jRIM6lK(;)@*(=-w*qTTGGS*~II%%n7O?h=O0Hvp+0(;8y%8swv$
z2_A}UZ#3kVql&KD9Au}d#6vK$+-lDLpEOTbP9Z1GkOeC;yRiwLKa5(Qdk6vO0fq@>
zpin4)nAO02M_0p!$&X2eDY1z(3P-XMbIo*Gg_EKX>cbhW<vy_WjG*6MJ$mcrg~f&Z
z-tJf5`CV@$9NoOLo*}3Ayxw*vcQ3Ds8xM#-`+o@jTKn~`kKO*Bjm?Gfnz(%M(wjp+
z_x@VEy={G#uB{zAGWh!N`RbF|{VOLAT=_x|*H@57&%G`6;#PPS_@>v-x}N~zMY#X>
Ycb(Y>zrTJ?NIx97@$#Mc>nZX0FT{ZoXaE2J

diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age
index 0eff2bd9fdc3617698476bd5896a0828f2e51559..b373fa4646a546a93df31bcc1316b51dd34535cc 100644
GIT binary patch
literal 909
zcmZY4&8yo4003~m2NBeR;MBu{vZs)BX+E2vOp-Kdnl@>h@6>^$Nt!fik~VGHB<M*z
zJr9C{UKAb(4+Vz|*-5?3J%q8blYf9?L%j(K?k4Q`_80v4xna->GOwst+eMyT%!?4-
zAwcUAxY<Olz()xJp+U!zCrJqAxKp+@#;)e<Zb>mqu3qO9+#Ah(RB$LWXbiUC`dz%T
z+d#y*8b)&LVkLXKbdzvuj&WiDnWJEj=Fl)*^7$64;33YR)>bxEqaipQ*8+`W6LDN}
zxi+ATydF(;&-XXI<uJt5O4re;SdqOL2Q-)BNJDIInJlreyquMzLYNhOSeN)D*zV<O
z?@EHpLTGYY)0`BF7_gvdn{KZnNlUug(kO(W9?aQ%s~8RD8>59X9op%xvvd#~=oVAf
zjprt{729hohSV;Psx=cY20f{QQE{XZvE5+Uo_R!TNWP>dpaF9lo=fsBCFGSqX^$PQ
z&NA9(rdhjzJf7&}cDBZcsA>RR3G#MM-_<d0sW28T2V>8+m_F5Owl37GYrZe)Qb3!`
z=JahkDNTg|Nt6<Yyd}&c+$`j%gZ4soIGK*5*x9fR8!8l%1xW05kPzTAA47Z`8$hla
zQ?^>dlSw{rES8f+Z>N}D1=m(Hc(zU+-acrBMc{4%@UlF+JO<xA-;vj94!#M7*f<4L
zIh~o!nqxdlUr`xa$BfX{35pX5#H=7;LY8()gk1}>twr7py&=05O1YzG3wl9m1VH$E
z+RRc?O{$Kh%yo%#2vf-hQ6;-3mg`*MaR{UCGIFkx^JSMFXEUJHYJs&4?KNkqYJ?&i
z&^%$RXw-@JYFfJm+n3vPqk9zt2kt@!%1hUt+#mjl+@p^Ee%ycNV08rF`|<=i{Pec^
z#KCjtZu}4m$2ad><9~YNm&d++@Zo3A*B^P$UOE2e>cy8|J@eY((b>Dd_WwG$|JDAF
z&r{;XEAKZqzCSth%7xos-+Jo$O9xo=*7&!lH^&#8^H&eQ`}o|y>vuk(e}3V?arOIu
VZ@<1N-dknC-7n-H@Bc&V{{!QrGvWXM

literal 821
zcmZ9~%j?^8003|pxI<;T$qv7R5r;ZM&7(=$;1H5Dk6+tw+ayiX<}#Az-8N10P7hNY
zLv|T#WA5O|!Mu3c&x?*tR5lm`@iq|gvdQq^5M>@j96qkUzu<HEn4Z&gqD4~2S+I%T
z+9V!QV2$QGP@4Kp$Hqw#qoKJD<fR9#fP@!j!DZ_(O*&jMG4#|FV?iQKf2C@@!c=A(
z0kwu*(5PB~#QbQCN?EK5I;e4Tq-gZYtrWYz$fz*Qg}IW5V-7v6#j{S0dr+l|$*#(o
zO7sB>cNbdZ>NZ7l%OEo9!mP=TwCL}bEUA_aOmYWRL~RFXofp~4og{%5k}5Ea{y2yy
z$W~ov?lgDHj(1qwQGDK!At$6g!BaG4(`Je>A>%BErM3#^num!?ttI%n05+XAiOCIh
z0xwG5a%R(fjN0-fLEuVn<$R!3Ylf!`-(nm-2I&4MJ**jWJ{>Yp!NnrWWA56p@jlxc
z(rn1r3S}7ksNgU=#R?-lQ00UQ&_;hdSd|9N_|sDNoFUsML}KT7Sjx2Kd_k2lVZn|d
z_9mHpSX<(r6qXPIXVbhDgl*HxnIIW$LM>f~lr5VCK#~16+?z}@3yvKhG*~cgOEobA
zIH~BlTFz=ew<Sd7=KQ=xA$B-gCUifFe3bZKJA*V4EMl8p;+Uxe)u+a^+g~*}eK!o^
zR0u*UV{}&FHE%>DzE!!P;AU~X6~+IOHJi|ca)(HWbn>dQ3C?K8+IrLDoWk2y*#O>x
zcDfCyuE>uB&`7HX^q=bKm#+L)Jc&Q)-1+D#_c9~>dgbVm(YwD~`&>MGp<BFn^7=Pl
zoj5oD`>65Yryri*I3E7^+TNG*&#rS{9DMrZ?KdCoePBI&<IW2gFP~cXJ}zH;eC+-6
zHy{1;-7D7jXUU(R{r+J-y>tv*{p;50=XcNf-Td3v&mRmP?-}=&%~$`p`SkYJCk`&%
GzxFRdvmvbj