From 4816c69eb14c33ce19290741bbd3feb79859bcf2 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 12:05:34 +0100
Subject: [PATCH 1/3] hosts: remove zephyrus
---
 flake.nix | 13 ---
 hosts/zephyrus/default.nix | 112 ----------------------
 hosts/zephyrus/hardware-configuration.nix | 70 --------------
 hosts/zephyrus/home.nix | 39 --------
 hosts/zephyrus/secrets.nix | 23 -----
 modules/secrets/secrets.nix | 5 +-
 zephyrus.nix | 23 -----
 7 files changed, 1 insertion(+), 284 deletions(-)
 delete mode 100644 hosts/zephyrus/default.nix
 delete mode 100644 hosts/zephyrus/hardware-configuration.nix
 delete mode 100644 hosts/zephyrus/home.nix
 delete mode 100644 hosts/zephyrus/secrets.nix
 delete mode 100644 zephyrus.nix
diff --git a/flake.nix b/flake.nix
index 7d88315..600b12c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -143,19 +143,6 @@
 ++ sharedModules;
 };
 
- zephyrus = nixpkgs.lib.nixosSystem rec {
- inherit system;
- modules =
- [
- ./zephyrus.nix
-
- inputs.nixos-hardware.nixosModules.common-cpu-intel
- inputs.nixos-hardware.nixosModules.common-pc-laptop
- inputs.nixos-hardware.nixosModules.common-pc-ssd
- ]
- ++ sharedModules;
- };
-
 hephaestus = nixpkgs.lib.nixosSystem rec {
 inherit system;
 modules =
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
deleted file mode 100644
index 4e1b423..0000000
--- a/hosts/zephyrus/default.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ./home.nix
- ./secrets.nix
- ];
-
- boot.kernelPackages = pkgs.linuxPackages;
-
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- boot.tmp.useTmpfs = true;
-
- services.btrfs = {
- autoScrub = {
- enable = true;
- fileSystems = ["/"];
- };
- };
-
- networking.hostName = "zephyrus"; # Define your hostname.
- networking.domain = "alarsyo.net";
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- # List services that you want to enable:
- my.services = {
- tailscale.enable = true;
-
- pipewire.enable = true;
-
- restic-backup = {
- enable = true;
- repo = "b2:zephyrus-backup";
- passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
- environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
-
- timerConfig = {
- OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
- };
-
- paths = [
- "/home/alarsyo"
- ];
- exclude = [
- "/home/alarsyo/Downloads"
-
- # Rust builds using half my storage capacity
- "/home/alarsyo/**/target"
- "/home/alarsyo/work/rust/build"
-
- # don't backup nixpkgs
- "/home/alarsyo/work/nixpkgs"
-
- "/home/alarsyo/go"
-
- # C build crap
- "*.a"
- "*.o"
- "*.so"
-
- # test vms
- "*.qcow2"
-
- # secrets stay offline
- "/home/alarsyo/**/secrets"
-
- # ignore all dotfiles as .config and .cache can become quite big
- "/home/alarsyo/.*"
- ];
- };
- };
-
- virtualisation.docker.enable = true;
- virtualisation.libvirtd.enable = true;
- programs.dconf.enable = true;
-
- services = {
- tlp = {
- settings = {
- START_CHARGE_THRESH_BAT0 = 70;
- STOP_CHARGE_THRESH_BAT0 = 80;
- };
- };
- fwupd.enable = true;
- openssh.enable = true;
- };
- my.gui.enable = true;
-
- services.udev.packages = [pkgs.chrysalis];
- services.udisks2.enable = true;
-
- hardware.bluetooth = {
- enable = true;
- powerOnBoot = false;
- settings.General.Experimental = true;
- };
-
- programs.light.enable = true;
-}
diff --git a/hosts/zephyrus/hardware-configuration.nix b/hosts/zephyrus/hardware-configuration.nix
deleted file mode 100644
index d9e1c75..0000000
--- a/hosts/zephyrus/hardware-configuration.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: let
- inherit
- (lib)
- mkDefault
- ;
-in {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = ["kvm-intel"];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
- fsType = "btrfs";
- options = ["subvol=@" "compress=zstd" "noatime"];
- };
-
- boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c59e7067-e33c-474c-9b8e-96d0e8f59297";
-
- fileSystems."/home" = {
- device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
- fsType = "btrfs";
- options = ["subvol=@home" "compress=zstd" "noatime"];
- neededForBoot = true; # agenix needs my key for some root secrets
- };
-
- fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
- fsType = "btrfs";
- options = ["subvol=@nix" "compress=zstd" "noatime"];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/D9DA-F46C";
- fsType = "vfat";
- };
-
- fileSystems."/swap" = {
- device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
- fsType = "btrfs";
- options = ["subvol=@swap" "compress=zstd" "noatime"];
- };
-
- swapDevices = [
- {
- device = "/swap/swapfile";
- size = 1024 * 8; # half of RAM size
- }
- ];
-
- powerManagement.cpuFreqGovernor = mkDefault "powersave";
-
- hardware = {
- enableRedistributableFirmware = true;
- cpu.intel.updateMicrocode = true;
- };
-}
diff --git a/hosts/zephyrus/home.nix b/hosts/zephyrus/home.nix
deleted file mode 100644
index ab33920..0000000
--- a/hosts/zephyrus/home.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- home-manager.users.alarsyo = {
- my.home.laptop.enable = true;
-
- # Keyboard settings & i3 settings
- my.home.x.enable = true;
- my.home.x.i3bar.temperature.chip = "coretemp-isa-*";
- my.home.x.i3bar.temperature.inputs = ["Core 0" "Core 1" "Core 2" "Core 3"];
- my.home.x.i3bar.networking.throughput_interfaces = ["enp0s31f6" "wlp0s20f3" "enp43s0u1u1"];
- my.home.emacs.enable = true;
-
- my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
-
- home.packages = builtins.attrValues {
- inherit
- (pkgs)
- # some websites only work there :(
-
- chromium
- darktable
- # dev
-
- rustup
- gdb
- valgrind
- arandr
- zotero
- ;
-
- inherit (pkgs.packages) spot;
-
- inherit (pkgs.wineWowPackages) stable;
- };
- };
-}
diff --git a/hosts/zephyrus/secrets.nix b/hosts/zephyrus/secrets.nix
deleted file mode 100644
index 22afdfd..0000000
--- a/hosts/zephyrus/secrets.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- config,
- lib,
- options,
- ...
-}: {
- config.age = {
- secrets = let
- toSecret = name: {...} @ attrs:
- {
- file = ./../../modules/secrets + "/${name}.age";
- }
- // attrs;
- in
- lib.mapAttrs toSecret {
- "restic-backup/zephyrus-credentials" = {};
- "restic-backup/zephyrus-password" = {};
-
- "users/alarsyo-hashed-password" = {};
- "users/root-hashed-password" = {};
- };
- };
-}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 3b4229f..cb0cb5e 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -6,9 +6,8 @@ let
 hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
 hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
 poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
- zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
 
- machines = [boreal hades hephaestus poseidon zephyrus];
+ machines = [boreal hades hephaestus poseidon];
 
 all = users ++ machines;
 in {
@@ -37,8 +36,6 @@ in {
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/poseidon-password.age".publicKeys = [alarsyo poseidon];
 "restic-backup/poseidon-credentials.age".publicKeys = [alarsyo poseidon];
- "restic-backup/zephyrus-password.age".publicKeys = [alarsyo zephyrus];
- "restic-backup/zephyrus-credentials.age".publicKeys = [alarsyo zephyrus];
 
 "users/root-hashed-password.age".publicKeys = machines;
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
diff --git a/zephyrus.nix b/zephyrus.nix
deleted file mode 100644
index e818e48..0000000
--- a/zephyrus.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{...}: {
- imports = [
- # Default configuration
- ./base
-
- # Module definitions
- ./modules
-
- # Service definitions
- ./services
-
- # Host-specific config
- ./hosts/zephyrus
- ];
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "21.05"; # Did you read the comment?
-}
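Review bot: Dropping `zephyrus` from `machines` and from the two `restic-backup/zephyrus-*` entries changes only the declared recipients; the diffstat lists no `.age` file, so the ciphertexts under `modules/secrets/` stay encrypted to the zephyrus key (`users/root-hashed-password.age` and `users/alarsyo-hashed-password.age` are only rekeyed in the third patch of this series), and the two `restic-backup/zephyrus-*.age` files are presumably left on disk with no entry pointing at them. The rekey (`agenix -r`) and the removal of the orphaned files belong in this commit. Since the old ciphertexts remain in git history either way, the B2 credentials inside `restic-backup/zephyrus-credentials.age` should be treated as shared with a decommissioned laptop and revoked on the B2 side rather than only un-declared. The same applies to the matching `poseidon` hunk in the second patch.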
From d5239805a0b90ac18ce9bf716553e010019e930b Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 12:08:18 +0100
Subject: [PATCH 2/3] hosts: remove poseidon
---
 flake.nix | 9 ---
 hosts/poseidon/default.nix | 84 -----------------------
 hosts/poseidon/hardware-configuration.nix | 45 ------------
 hosts/poseidon/home.nix | 5 --
 hosts/poseidon/secrets.nix | 27 --------
 modules/secrets/secrets.nix | 7 +-
 poseidon.nix | 23 -------
 7 files changed, 2 insertions(+), 198 deletions(-)
 delete mode 100644 hosts/poseidon/default.nix
 delete mode 100644 hosts/poseidon/hardware-configuration.nix
 delete mode 100644 hosts/poseidon/home.nix
 delete mode 100644 hosts/poseidon/secrets.nix
 delete mode 100644 poseidon.nix
diff --git a/flake.nix b/flake.nix
index 600b12c..9c829c1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -105,15 +105,6 @@
 ]
 ++ (nixpkgs.lib.attrValues self.nixosModules);
 in {
- poseidon = nixpkgs.lib.nixosSystem rec {
- inherit system;
- modules =
- [
- ./poseidon.nix
- ]
- ++ sharedModules;
- };
-
 hades = nixpkgs.lib.nixosSystem rec {
 inherit system;
 modules =
diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
deleted file mode 100644
index 83c7069..0000000
--- a/hosts/poseidon/default.nix
+++ /dev/null
@@ -1,84 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- secrets = config.my.secrets;
-in {
- imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
-
- ./home.nix
- ./secrets.nix
- ];
-
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
-
- boot.supportedFilesystems = ["btrfs"];
-
- services.btrfs = {
- autoScrub = {
- enable = true;
- fileSystems = ["/"];
- };
- };
-
- networking.hostName = "poseidon"; # Define your hostname.
- networking.domain = "alarsyo.net";
-
- # Set your time zone.
- time.timeZone = "Europe/Paris";
-
- # The global useDHCP flag is deprecated, therefore explicitly set to false here.
- # Per-interface useDHCP will be mandatory in the future, so this generated config
- # replicates the default behaviour.
- networking.useDHCP = false;
- networking.interfaces.eno1.ipv4.addresses = [
- {
- address = "163.172.11.110";
- prefixLength = 24;
- }
- ];
- networking.defaultGateway = {
- address = "163.172.11.1";
- interface = "eno1";
- };
- networking.nameservers = [
- "62.210.16.6"
- "62.210.16.7"
- ];
- my.networking.externalInterface = "eno1";
-
- my.services = {
- restic-backup = {
- enable = true;
- repo = "b2:poseidon-backup";
- passwordFile = config.age.secrets."restic-backup/poseidon-password".path;
- environmentFile = config.age.secrets."restic-backup/poseidon-credentials".path;
- };
-
- fail2ban = {
- enable = true;
- };
-
- tailscale = {
- enable = true;
- exitNode = true;
- };
- };
-
- services = {
- openssh.enable = true;
- vnstat.enable = true;
- };
-
- # Takes a long while to build
- documentation.nixos.enable = false;
-}
diff --git a/hosts/poseidon/hardware-configuration.nix b/hosts/poseidon/hardware-configuration.nix
deleted file mode 100644
index fd1d735..0000000
--- a/hosts/poseidon/hardware-configuration.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: let
- inherit
- (lib)
- mkDefault
- ;
-in {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = ["ahci" "usbhid"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = ["kvm-intel"];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/adcf0158-edfb-402f-82e7-61e4902af989";
- fsType = "btrfs";
- options = [
- "subvol=@nixos"
- "compress=zstd"
- "noatime"
- ];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/ff54b622-0e26-4c6e-aa0c-ac2c1e12699a";
- fsType = "ext4";
- };
-
- swapDevices = [
- {device = "/dev/disk/by-uuid/381a9c5e-4d71-45b4-ac62-e7414b3768fc";}
- ];
-
- powerManagement.cpuFreqGovernor = mkDefault "ondemand";
-}
diff --git a/hosts/poseidon/home.nix b/hosts/poseidon/home.nix
deleted file mode 100644
index 3bb7dab..0000000
--- a/hosts/poseidon/home.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{config, ...}: {
- home-manager.users.alarsyo = {
- my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
- };
-}
diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix
deleted file mode 100644
index 238e7ea..0000000
--- a/hosts/poseidon/secrets.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- config,
- lib,
- options,
- ...
-}: {
- config.age = {
- secrets = let
- toSecret = name: {...} @ attrs:
- {
- file = ./../../modules/secrets + "/${name}.age";
- }
- // attrs;
- in
- lib.mapAttrs toSecret {
- "gandi/api-key" = {};
-
- "lohr/shared-secret" = {};
-
- "restic-backup/poseidon-credentials" = {};
- "restic-backup/poseidon-password" = {};
-
- "users/alarsyo-hashed-password" = {};
- "users/root-hashed-password" = {};
- };
- };
-}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index cb0cb5e..28760e7 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -5,13 +5,12 @@ let
 boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
 hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
 hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
- poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
 
- machines = [boreal hades hephaestus poseidon];
+ machines = [boreal hades hephaestus];
 
 all = users ++ machines;
 in {
 
- "gandi/api-key.age".publicKeys = [alarsyo hades poseidon];
+ "gandi/api-key.age".publicKeys = [alarsyo hades];
 
 "lohr/shared-secret.age".publicKeys = [alarsyo hades];
@@ -34,8 +33,6 @@ in {
 "restic-backup/hades-credentials.age".publicKeys = [alarsyo hades];
 "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
- "restic-backup/poseidon-password.age".publicKeys = [alarsyo poseidon];
- "restic-backup/poseidon-credentials.age".publicKeys = [alarsyo poseidon];
 
 "users/root-hashed-password.age".publicKeys = machines;
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
diff --git a/poseidon.nix b/poseidon.nix
deleted file mode 100644
index ecb36c6..0000000
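Review bot: `gandi/api-key.age` loses `poseidon` as a recipient here, but the diffstat lists no `.age` change and the file is not rekeyed anywhere in the series (the third patch only touches the two `users/*` files), so the ciphertext in the tree still carries a stanza for the poseidon key. Because a decommissioned, publicly addressed host (`163.172.11.110` in the deleted default.nix) held that API key, the defensive step is to rotate it at Gandi and then rekey, rather than only narrowing the recipient list. Note also that the deleted hosts/poseidon/secrets.nix declared `lohr/shared-secret` while the context line here shows its recipients were already only `[alarsyo hades]`, so that host entry was already dead weight.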
--- a/poseidon.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{...}: {
- imports = [
- # Default configuration
- ./base
-
- # Module definitions
- ./modules
-
- # Service definitions
- ./services
-
- # Host-specific config
- ./hosts/poseidon
- ];
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.09"; # Did you read the comment?
-}
From a21e0fb568f99483665fabe63557d54fc470c079 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:29:54 +0100
Subject: [PATCH 3/3] hosts: add thanatos
---
 .github/workflows/cachix.yaml | 2 +-
 flake.lock | 38 ++++++++++++-
 flake.nix | 18 ++++++
 hosts/thanatos/default.nix | 43 +++++++++++++++
 hosts/thanatos/disko-configuration.nix | 52 ++++++++++++++++++
 hosts/thanatos/hardware-configuration.nix | 25 +++++++++
 hosts/thanatos/home.nix | 5 ++
 hosts/thanatos/secrets.nix | 20 +++++++
 modules/secrets/secrets.nix | 5 +-
 .../secrets/users/alarsyo-hashed-password.age | 31 +++++------
 .../secrets/users/root-hashed-password.age | Bin 909 -> 792 bytes
 thanatos.nix | 23 ++++++++
 12 files changed, 242 insertions(+), 20 deletions(-)
 create mode 100644 hosts/thanatos/default.nix
 create mode 100644 hosts/thanatos/disko-configuration.nix
 create mode 100644 hosts/thanatos/hardware-configuration.nix
 create mode 100644 hosts/thanatos/home.nix
 create mode 100644 hosts/thanatos/secrets.nix
 create mode 100644 thanatos.nix
diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml
index 6563e90..9b4646b 100644
--- a/.github/workflows/cachix.yaml
+++ b/.github/workflows/cachix.yaml
@@ -78,7 +78,7 @@ jobs:
 - boreal
 - hades
 - hephaestus
- - poseidon
+ - thanatos
 steps:
 - uses: actions/checkout@v4
diff --git a/flake.lock b/flake.lock
index fcdce90..38be2d0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -41,6 +41,25 @@
 "type": "github"
 }
 },
+ "disko": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1702479765,
+ "narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "master",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "locked": {
 "lastModified": 1653893745,
@@ -127,6 +146,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1697915759,
+ "narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1701952659,
 "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=",
@@ -145,10 +180,11 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "disko": "disko",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "nixpkgs-unstable-small": "nixpkgs-unstable-small"
 }
 }
diff --git a/flake.nix b/flake.nix
index 9c829c1..6675c5f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,13 @@
 repo = "nixos-hardware";
 ref = "master";
 };
+
+ disko = {
+ type = "github";
+ owner = "nix-community";
+ repo = "disko";
+ ref = "master";
+ };
 };
 
 outputs = {
@@ -49,6 +56,7 @@
 nixpkgs,
 home-manager,
 agenix,
+ disko,
 ...
 } @ inputs: {
 
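Review bot: The new `disko` input has no `inputs.nixpkgs.follows = "nixpkgs";`, and the flake.lock hunks above show the consequence: disko pulls its own `nixpkgs_2` (lastModified 1697915759, `nixpkgs-unstable`) while the root moves to `nixpkgs_3` (1701952659), so two nixpkgs trees are now locked and the one disko evaluates against is pinned independently of the rest of the flake. Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `disko = { ... };` attrset and re-locking would collapse that to a single tree. `ref = "master"` tracks a moving branch, which matches the `nixos-hardware` input right above it; since the lock pins `rev`, that only matters at update time.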
@@ -147,6 +155,16 @@
 ]
 ++ sharedModules;
 };
+
+ thanatos = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules =
+ [
+ disko.nixosModules.default
+ ./thanatos.nix
+ ]
+ ++ sharedModules;
+ };
 };
 }
 // inputs.flake-utils.lib.eachDefaultSystem (system: {
diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix
new file mode 100644
index 0000000..5a6711d
--- /dev/null
+++ b/hosts/thanatos/default.nix
@@ -0,0 +1,43 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ secrets = config.my.secrets;
+in {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./disko-configuration.nix
+ ./home.nix
+ ./secrets.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.tmp.useTmpfs = true;
+
+ networking.hostName = "thanatos"; # Define your hostname.
+ networking.domain = "lrde.epita.fr";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # List services that you want to enable:
+ my.services = {
+ tailscale.enable = true;
+ };
+
+ services = {
+ openssh.enable = true;
+ };
+
+ virtualisation.docker.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ docker-compose
+ ];
+}
diff --git a/hosts/thanatos/disko-configuration.nix b/hosts/thanatos/disko-configuration.nix
new file mode 100644
index 0000000..81e9c36
--- /dev/null
+++ b/hosts/thanatos/disko-configuration.nix
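Review bot: Nothing in this host config sets `hardware.enableRedistributableFirmware`, while the generated hardware-configuration.nix added in the same commit gates microcode on it (`hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`), so unless `./base` enables it elsewhere the new host runs without Intel microcode updates; the zephyrus hardware config removed in the first patch set both explicitly. Adding `hardware.enableRedistributableFirmware = true;` next to `boot.loader.grub.enable` would close that gap. The `secrets = config.my.secrets;` binding in the `let` is not referenced anywhere in the 43 lines and can go along with the `let ... in`. `services.openssh.enable = true;` and `virtualisation.docker.enable = true;` arrive with no hardening settings in this file (sshd `PasswordAuthentication`/`PermitRootLogin`, who is in the `docker` group); if those live in `./base`, a one-line comment saying so would help the next reader.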
@@ -0,0 +1,52 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress=zstd" "noatime" ];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "8G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/thanatos/hardware-configuration.nix b/hosts/thanatos/hardware-configuration.nix
new file mode 100644
index 0000000..2ff30b0
--- /dev/null
+++ b/hosts/thanatos/hardware-configuration.nix
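Review bot: The layout puts root, /home and an 8G swapfile on an unencrypted GPT disk, whereas the zephyrus layout removed in the first patch of this series sat on LUKS (`boot.initrd.luks.devices."cryptroot"`). That may be deliberate for a server that has to come back up unattended, but with swap in the clear, memory pages holding decrypted agenix secrets can end up on disk, so the choice deserves a one-line comment above `disko.devices`, or a LUKS layer under the `root` partition, which disko supports. Separately, the file is not formatted like the rest of the repo: `mountOptions = [ "compress=zstd" "noatime" ]` uses padded brackets where every other host file writes `["compress=zstd" "noatime"]`, so the formatter has not been run on it.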
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/thanatos/home.nix b/hosts/thanatos/home.nix
new file mode 100644
index 0000000..3bb7dab
--- /dev/null
+++ b/hosts/thanatos/home.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+ home-manager.users.alarsyo = {
+ my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+ };
+}
diff --git a/hosts/thanatos/secrets.nix b/hosts/thanatos/secrets.nix
new file mode 100644
index 0000000..3fbc379
--- /dev/null
+++ b/hosts/thanatos/secrets.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
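Review bot: The `toSecret` helper in hosts/thanatos/secrets.nix is a verbatim third copy of the one in the zephyrus and poseidon files deleted earlier in this series, and `config` and `options` are taken as arguments but never used. Hoisting the helper (and the `./../../modules/secrets + "/${name}.age"` path it hard-codes) into modules/secrets so that each host lists only the names it needs would keep the file location in one place; short of that, the unused arguments can be dropped to `{lib, ...}: {`.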
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 28760e7..9c042d0 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -5,8 +5,9 @@ let
 boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
 hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
 hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
+ thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
 
- machines = [boreal hades hephaestus];
+ machines = [boreal hades hephaestus thanatos];
 
 all = users ++ machines;
 in {
@@ -34,6 +35,6 @@ in {
 "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
 
- "users/root-hashed-password.age".publicKeys = machines;
+ "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
index 1e7abbe..38b12ac 100644
--- a/modules/secrets/users/alarsyo-hashed-password.age
+++ b/modules/secrets/users/alarsyo-hashed-password.age
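Review bot: The second hunk widens the recipients of `users/root-hashed-password.age` from `machines` to `machines ++ [alarsyo]`, which is unrelated to adding thanatos and not mentioned in the commit message. The likely reason is that the file could not be rekeyed from a workstation while only machine keys could open it — the first two patches change `machines` without touching any `.age` file, and this one rekeys both user password files — but that should be written down, e.g. `# alarsyo is a recipient so the file can be rekeyed without a machine key`. The trade-off is that a compromise of the alarsyo key now also yields the root password hash for every host, the same exposure the `alarsyo-hashed-password.age` line below already accepts.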
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo --> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg --> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs --> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk --> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww --> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 --> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T -wAOK28XvNSpz ---- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 -{gh1Å\PyЯ@sHq8Jxw<翕kVħ T(N.;/)DWz{uNl%vކ50K0ͩnn8\kJOC7oً4cї \ No newline at end of file +-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY +JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs +-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4 +TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc +-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg +fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA +-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA +9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ +-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY +Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE +-> >)/-grease VfMC'D<: eQJ #XT +OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi +D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H +--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q +Xb;\hJ #Ⱦ>3PzQ{J Xe3Q!5$|MD;KZS.XS?з1j)H[hkƫ|g= \ No newline at end of file 
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b373fa4646a546a93df31bcc1316b51dd34535cc..0988a496e8a79da8fb6e050550452c058ffe7668 100644 GIT binary patch delta 741 zcmeBWpTRakr#@3#-y+gI*f+z#*Eq_cuq-MyDbF!Cs;bD`A~~mf$HS>C-6g#^C^988Dm=Y1xzx}*9LB`MNk z;z#lNfTREy%Zv=~5XVA)xAI7XAit7AgA%`}yxekUb0-6*aOY�ux^+*FXcV!u*KH zqTo{ZlJLL?Gq)T+&-5_o?DC*WQ;$^r;IK^NFpr|70FS`3f;0nkpO}S)mPVB;m=sjH zX6L#F2St`U8YhPadDo|emv~v0n|hlYRhkw075YU4C28lUR^+=oa)ml2np!&N1SFOi z7Uh@}={q@vdt{_08b&(#IAvBQ=6jUoM;4{$Wk+RXqg$74ll~zAmgQ_vmQiLN9tg6|sJ2))y(l%YIF-x8FgHD=(lsO3*P=W% zP}|EpAl0YLBPhuvqS!^dDm^FCG|1D$$fCF~C?hmD-#@}Qz=BIxS69JJ-=p5tvZT<= zv?wJf$eR#TGTB)&!WRk{~U(BMz5 z&kfYIYSUJ45M3JLotRx&akuj9;aA^8_2Q56nO>@UA8FS1s>MOl`_em>mqMo|Wqn;F w{gP#!#iVC9TRwX(P*-kPchNGu-A3fbPsVv9BF~_;GFyBJo-9IhG$Su+$EVU}ssmR&W#iSy_ zfGfi}G1%D5*(tNYH@PggINLcW-`LqBRXfZ-wcIFQ+b1{2HNV8TLf^;4l}p!7p}06h zH#Nn`)YQ;Yp&-Jd(kNXaDxlKM(!@B>BcRkdKiJzM)Gfc#KPn_SC8gLs$0yx5s3Ii9 zD9WS4%stD5D>%`@*(}t^_a>s0RpH!K-mRbZVgz7s7 zo8)`>mgSoI7Ni6k1k^`5SLWqerZ`6B8B}Q}yPBHkN8}Zn_!tF+a=CbECznNfCWaV0 z=lD5>Tl%I3Bu9ihdRn+wl_YArS5~@udW3kTT823mqgxjhSQ_T%s9An3Zg9n9k*zmtt&~Vq)yAofwp55fN0X z9~hXQRu%5#?CX(S<`?GTXA)eHq@Prn4fb8FZhBE_VsWZMjBip*fI_sYxo=@mzJi8A zx^X}*SCDURQdm`?vtzPFNP$J3QDv5+n?Z=Fg|mmLVOWK>TcBBKM6PMNOMSR;M0jR? zl~1ydQ;A!tueo1vre&r@uql^mO1WiNUanbCc7?f@Us{NlbEIjQU!HeHg>Pb*aejz% zQL?k4V^CS1Sz3@;T8@ilKwc7;uCA^^WrTKlaAZzUu&JMKsCHVmV|a$Yc}96qZe?PT zlc%qNWmQOWg`<9IVx})wX}#Sx=JM{BhEFXPeq>BxQ!7}g|8(v#!|uuFf|%6!PHw>{cN7XU)h?>y>9u+O?r~j>`L7WB_5yfe0A*Eyz&>*b4^9o)l?nb zaEx6_=iHLBEQiI_j5DkQuCW#`*NIf!)V;Px{%fKA1j~H_KbKcL`eCD7Tohlxm6!T> LhVPzdUo1la_%SAT diff --git a/thanatos.nix b/thanatos.nix new file mode 100644 index 0000000..e0c2c2d --- /dev/null +++ b/thanatos.nix 
@@ -0,0 +1,23 @@
+{...}: {
+ imports = [
+ # Default configuration
+ ./base
+
+ # Module definitions
+ ./modules
+
+ # Service definitions
+ ./services
+
+ # Host-specific config
+ ./hosts/thanatos
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}