diff --git a/.sops.yaml b/.sops.yaml
index 6def226..e02df9b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 # Hosts
 - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
 - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
+ - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
 - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
 
 # Users
@@ -22,6 +23,11 @@ creation_rules:
 - age:
 - *admin
 - *inspiron
+ - path_regex: hosts/fern/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *fern
 - path_regex: hosts/stratus/secrets.yaml$
 key_groups:
 - age:
diff --git a/flake/hosts.nix b/flake/hosts.nix
index 10c75ae..515052a 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -26,6 +26,7 @@ in
 nixosConfigurations = lib.mkMerge [
 (mkHost "north")
 (mkHost "inspiron")
+ (mkHost "fern")
 (mkHost "stratus")
 (mkHost "installer")
 ];
diff --git a/hosts/fern/default.nix b/hosts/fern/default.nix
new file mode 100644
index 0000000..1a50b7f
--- /dev/null
+++ b/hosts/fern/default.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ../common.nix
+ ./hardware.nix
+ ./disko.nix
+ ];
+
+ system.stateVersion = "24.11";
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ myConfig = {
+ boot = {
+ loader.systemd-boot.enable = true;
+ silent = true;
+ };
+
+ dm.tuigreet.enable = true;
+ de.hyprland.enable = true;
+
+ wlan.enable = true;
+ bluetooth.enable = true;
+
+ sound.enable = true;
+ virtualisation.enable = true;
+ sops.enable = true;
+ auto-gc.enable = true;
+ geoclue.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+ };
+}
diff --git a/hosts/fern/disko.nix b/hosts/fern/disko.nix
new file mode 100644
index 0000000..4a0923f
--- /dev/null
+++ b/hosts/fern/disko.nix
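Review bot: `tailscale.ssh.enable = true` in hosts/fern/default.nix turns on Tailscale SSH for this host, which means who may log in is decided by the tailnet's ACL policy rather than by anything in this repository, and nothing in the hunk records that dependency. Assuming `myConfig.tailscale` wraps `services.tailscale` the way hosts/installer/default.nix does with `extraUpFlags = [ "--ssh" ]`, a one-line comment would keep it visible to the next maintainer: `# Tailscale SSH: logins are authorised by the tailnet ACL "ssh" rules, not by sshd; update the ACL when this host's tags change`. The definition of `myConfig` (and what `virtualisation.enable` actually enables) lives outside this diff, so I cannot confirm the mapping.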
@@ -0,0 +1,60 @@
+{
+ disko.devices = {
+ disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "512M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ name = "cryptroot";
+ type = "luks";
+ settings = {
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ };
+ passwordFile = "/tmp/secret.key";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg.pool = {
+ type = "lvm_vg";
+ lvs = {
+ swap = {
+ size = "20G";
+ content = {
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/fern/hardware.nix b/hosts/fern/hardware.nix
new file mode 100644
index 0000000..82615a9
--- /dev/null
+++ b/hosts/fern/hardware.nix
@@ -0,0 +1,31 @@
+{ inputs, ... }:
+{
+ imports = [ inputs.disko.nixosModules.default ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.amd.updateMicrocode = true;
+ };
+
+ boot = {
+ kernelModules = [ "kvm-amd" ];
+ initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usb_storage"
+ "sd_mod"
+ ];
+ };
+
+ services = {
+ fwupd.enable = true;
+ logind.lidSwitch = "ignore";
+ upower = {
+ enable = true;
+ criticalPowerAction = "Hibernate";
+ };
+ };
+}
diff --git a/hosts/fern/secrets.yaml b/hosts/fern/secrets.yaml
new file mode 100644
index 0000000..80180ca
--- /dev/null
+++ b/hosts/fern/secrets.yaml
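Review bot: `passwordFile = "/tmp/secret.key"` makes the LUKS passphrase for `cryptroot` a plain file that must already exist on the installer when disko runs, and nothing in the hunk says where it comes from or that it should not outlive the installation; a comment above that line such as `# Install-time only: write the passphrase to /tmp/secret.key on the installer before running disko and delete it afterwards` would make the expectation explicit. `allowDiscards = true` is a deliberate trade-off worth recording in the same place, since passing TRIM through dm-crypt reveals which blocks of the device are unused. On the positive side, `resumeDevice = true` puts the hibernation image on the `swap` LV inside the same LUKS container, so it stays encrypted at rest.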
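Review bot: `logind.lidSwitch = "ignore"` in hardware.nix means closing the lid neither suspends nor locks the session, and whether the screen locks at all is decided by the desktop configuration behind `de.hyprland`/`dm.tuigreet` that is outside this diff, so a reader of this file cannot tell whether an unattended open session survives a closed lid. A one-line comment stating the reason, e.g. `# Lid close does nothing (clamshell/docked use); session locking is handled by the DE config`, would document the choice — replace the wording with the actual reason. `criticalPowerAction = "Hibernate"` pairs with the encrypted `swap` LV defined in disko.nix, which is the right combination for a laptop with full-disk encryption.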
@@ -0,0 +1,43 @@
+seb-password: ENC[AES256_GCM,data:LlW1njlY0tVfYne/NFM2KJbAPb4eAQgy0mPMIZAIPH5mdr7cSCaPYhc+WF5ZlrlL//mh8WHhsHbEBuA6P7oabSeP6ZczCmTV6w==,iv:oWQj47oxjxR3DBHhFwUD/Emj5ziZHwcbXzD69ChRmHU=,tag:cuTloyd4HW6behF8fmWdxw==,type:str]
+tailscale-auth-key: ENC[AES256_GCM,data:srdexq7OgvIXn2NIjVIu1VMbAMNQWCH1ug+HZbnRJGmYQ1R/2gQ1vEYeEUlYsq423M1TBCO1tXxGHlTHpw==,iv:pqKyU9FessYkasFYx850iYMqzMHPWjIrDyVToNmbqV4=,tag:YAqI/dpjnPBmZXE+4hVpLw==,type:str]
+wlan:
+ WLAN-233151:
+ key: ENC[AES256_GCM,data:/DAuYEU6tUisLxz/9TkdB4Yk/vQ=,iv:Ubj28yyfOqcXQyUs9e0iPq0BscHjfB2vRQd14x8L4Cg=,tag:vf9FITNJZxEzLo5+ZInD5Q==,type:str]
+ EW90N:
+ key: ENC[AES256_GCM,data:+lJNzFrJTZUrwanr5HG9n4mt4Z4=,iv:HNE+oKLye482+/fupMZUuLIU2Ws+3hpHUITviPREiL8=,tag:ioCQASLPZ9QoDobNNAOiYQ==,type:str]
+ Fairphone4:
+ key: ENC[AES256_GCM,data:5lBk/JEcvMZj+MJ2/0PIdVbt6mZkGg==,iv:Kg82ZHGCLzPBmEt5G6SK7yzAqEDTVD8MW+OzxG03ZU8=,tag:Re2sRvRkiiqqy3ylbimdqA==,type:str]
+ DSL_EXT:
+ key: ENC[AES256_GCM,data:cyc4Dys+356io+9Oc2J4fp0sLUg=,iv:CpP2v9ZGLzVlEU0Tc1Vz0Pa33vuoORshZVKJr3uSBuQ=,tag:2qMQJa77fuy8iWNWgVsT4g==,type:str]
+ eduroam:
+ password: ENC[AES256_GCM,data:ZaU/8lBnFhYQjx4N9u+qZ41bHS0=,iv:Lk9biaZqC0trXo+RdcpMfaXwmMZH/764RWebtjjDYek=,tag:HbL+D32T9WpM+c5RlYywyA==,type:str]
+ cert: ENC[AES256_GCM,data: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,iv:gJctzc0Yp69mZ+dP+97Zs6WYzkZsIg+ATX73GnHkIkY=,tag:Yhkzq4qVPD0RqED8q+rpJw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eHZacFd0T0VydGw5ZE1Y
+ ZVhZNTlOSm1aVHJXQ1NBeXN3eVp1ZlNUZ1U0CjRtek5qclpCbVB2Y1luNlBOelFh
+ bGwrRjNQdDY5ZnpXTERUMUhkUEpnRE0KLS0tIFM3YlVZaG9LSEU2M2NyNXRMRFNH
+ OUJMRXgySjNZY25qcmZjbThncWFuUUEKPa3qgJeDoiCpnt4auvh/dTfI3Qb/vS/D
+ /9T4me16sr2R/IVPmAkorL2q58Jooa2fvE41nOcxbtWIZphDz3cS4g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRGVaSEozZUtacFpkSG5R
+ eG1WRUx0N3RnUGZXZEg3WEZ6N0dHV3RaZVFzCmVuaHBPQ1FiNDlBVmhRaUdwbVBC
+ MFcrbHF1OEd4QlcrMUt1NnB1aUlCZkEKLS0tIDlFdy9UZlpZWlFiNkNHaUpZdW12
+ V1E4bnVHZGg0bFdPNldoTDZnaDlNQk0KU9AJzhzgbg4/x4l7v9QY3HjZ7iE6K/2X
+ CWZ9kbg7KsR0mYP6H/VBvJp5prF5x7DRPU+KtZsjDLcm4KmHAmPXZQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-03-07T11:53:24Z"
+ mac: ENC[AES256_GCM,data:MtCQ6H/GJZnCf75E2bXj+13mFZbS8R6QHC77mF9+YMZ5gjfFXikqiyGPAL75k08GzUAaf+FfXIE63if0YsQe5W6F/k+/daXvFFMPTSrfCWE+n08gF+1k4gXqVLpZGEjVmRJ58onsivQu6ezV7fO3nKv9PVvE9k6YdQuyVPpiULo=,iv:jBJKRFKG9xesLzpkglhkgn1tjhzUxUpw6p4ZyDvT9Ag=,tag:6AXIxDzZurnNeEaOyKmc+g==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/hosts/installer/default.nix b/hosts/installer/default.nix
index 8549fbe..8b5de65 100644
--- a/hosts/installer/default.nix
+++ b/hosts/installer/default.nix
@@ -32,6 +32,6 @@
 extraUpFlags = [ "--ssh" ];
 # Ephemeral + not pre-approved
- authKeyFile = pkgs.writeText "tailscale-key-file" "tskey-auth-kCuRe2vTT321CNTRL-UwrqtezivdJgLkVGetxKeJR8Bsk9tw155";
+ authKeyFile = pkgs.writeText "tailscale-key-file" "tskey-auth-kB9BjHT7WP11CNTRL-doCbK8AHoNGZNLiFVbKbNGrCi8CoXXsQ";
 };
 }
diff --git a/users/seb/@fern/default.nix b/users/seb/@fern/default.nix
new file mode 100644
index 0000000..9f612c7
--- /dev/null
+++ b/users/seb/@fern/default.nix
@@ -0,0 +1 @@
+{ imports = [ ../user.nix ]; }
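Review bot: sops encrypts only the values, so the mapping keys under `wlan:` — `WLAN-233151`, `EW90N`, `Fairphone4`, `DSL_EXT`, `eduroam` — are committed in clear and disclose which networks this laptop joins even though the PSKs and the eduroam credentials are protected. If that matters, the network map can be stored as a single encrypted value (one secret whose plaintext holds the whole SSID→key mapping) or the SSIDs replaced by neutral labels resolved in the consuming module; if it is accepted, record that decision in the host's Nix config rather than in this file, since sops also encrypts YAML comments. The second age recipient is the `&fern` key added to .sops.yaml in this same commit and the first is presumably `*admin`, so the recipient set matches the new `hosts/fern/secrets.yaml$` creation rule.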
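Review bot: the replacement `tskey-auth-…` literal on the `authKeyFile` line in hosts/installer/default.nix is a live credential committed in clear text, and `pkgs.writeText` also copies it into the world-readable /nix/store of every machine that builds the installer; the `# Ephemeral + not pre-approved` comment limits what a leaked key can do, but the previous key stays in git history, so the commit should state that it was revoked, e.g. extend the comment to `# Ephemeral + not pre-approved; previous key revoked in the admin console on rotation`. This same commit routes a `tailscale-auth-key` through sops for hosts/fern, so the installer could use the same path (`config.sops.secrets.<name>.path`) instead of a literal if the installer image has an age key available at activation time — that depends on how the installer is built, which is outside this diff. The attribute set holding `extraUpFlags`/`authKeyFile` (presumably `services.tailscale`) starts before the hunk.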