Add new host "fern"

2026-01-21 14:01:34 +01:00 · 2025-03-07 13:03:29 +01:00 · 2025-03-07 13:03:29 +01:00 · 02cd2d5f03
commit 02cd2d5f03
parent c56cefd0c4
8 changed files with 177 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -4,6 +4,7 @@ keys:
  # Hosts
  - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
  - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
  - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
  - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
  # Users
@ -22,6 +23,11 @@ creation_rules:
      - age:
          - *admin
          - *inspiron
  - path_regex: hosts/fern/secrets.yaml$
    key_groups:
      - age:
          - *admin
          - *fern
  - path_regex: hosts/stratus/secrets.yaml$
    key_groups:
      - age:
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@ -26,6 +26,7 @@ in
    nixosConfigurations = lib.mkMerge [
      (mkHost "north")
      (mkHost "inspiron")
      (mkHost "fern")
      (mkHost "stratus")
      (mkHost "installer")
    ];
--- a/hosts/fern/default.nix
+++ b/hosts/fern/default.nix
@ -0,0 +1,34 @@
 { pkgs, ... }:
 {
  imports = [
    ../common.nix
    ./hardware.nix
    ./disko.nix
  ];
  system.stateVersion = "24.11";
  boot.kernelPackages = pkgs.linuxPackages_latest;
  myConfig = {
    boot = {
      loader.systemd-boot.enable = true;
      silent = true;
    };
    dm.tuigreet.enable = true;
    de.hyprland.enable = true;
    wlan.enable = true;
    bluetooth.enable = true;
    sound.enable = true;
    virtualisation.enable = true;
    sops.enable = true;
    auto-gc.enable = true;
    geoclue.enable = true;
    tailscale = {
      enable = true;
      ssh.enable = true;
    };
  };
 }
--- a/hosts/fern/disko.nix
+++ b/hosts/fern/disko.nix
@ -0,0 +1,60 @@
 {
  disko.devices = {
    disk.main = {
      type = "disk";
      device = "/dev/nvme0n1";
      content = {
        type = "gpt";
        partitions = {
          ESP = {
            type = "EF00";
            size = "512M";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [ "defaults" ];
            };
          };
          luks = {
            size = "100%";
            content = {
              name = "cryptroot";
              type = "luks";
              settings = {
                allowDiscards = true;
                bypassWorkqueues = true;
              };
              passwordFile = "/tmp/secret.key";
              content = {
                type = "lvm_pv";
                vg = "pool";
              };
            };
          };
        };
      };
    };
    lvm_vg.pool = {
      type = "lvm_vg";
      lvs = {
        swap = {
          size = "20G";
          content = {
            type = "swap";
            resumeDevice = true;
          };
        };
        root = {
          size = "100%FREE";
          content = {
            type = "filesystem";
            format = "ext4";
            mountpoint = "/";
            mountOptions = [ "defaults" ];
          };
        };
      };
    };
  };
 }
--- a/hosts/fern/hardware.nix
+++ b/hosts/fern/hardware.nix
@ -0,0 +1,31 @@
 { inputs, ... }:
 {
  imports = [ inputs.disko.nixosModules.default ];
  nixpkgs.hostPlatform = "x86_64-linux";
  hardware = {
    enableRedistributableFirmware = true;
    cpu.amd.updateMicrocode = true;
  };
  boot = {
    kernelModules = [ "kvm-amd" ];
    initrd.availableKernelModules = [
      "nvme"
      "xhci_pci"
      "thunderbolt"
      "usb_storage"
      "sd_mod"
    ];
  };
  services = {
    fwupd.enable = true;
    logind.lidSwitch = "ignore";
    upower = {
      enable = true;
      criticalPowerAction = "Hibernate";
    };
  };
 }
--- a/hosts/fern/secrets.yaml
+++ b/hosts/fern/secrets.yaml
@ -0,0 +1,43 @@
 seb-password: ENC[AES256_GCM,data:LlW1njlY0tVfYne/NFM2KJbAPb4eAQgy0mPMIZAIPH5mdr7cSCaPYhc+WF5ZlrlL//mh8WHhsHbEBuA6P7oabSeP6ZczCmTV6w==,iv:oWQj47oxjxR3DBHhFwUD/Emj5ziZHwcbXzD69ChRmHU=,tag:cuTloyd4HW6behF8fmWdxw==,type:str]
 tailscale-auth-key: ENC[AES256_GCM,data:srdexq7OgvIXn2NIjVIu1VMbAMNQWCH1ug+HZbnRJGmYQ1R/2gQ1vEYeEUlYsq423M1TBCO1tXxGHlTHpw==,iv:pqKyU9FessYkasFYx850iYMqzMHPWjIrDyVToNmbqV4=,tag:YAqI/dpjnPBmZXE+4hVpLw==,type:str]
 wlan:
  WLAN-233151:
    key: ENC[AES256_GCM,data:/DAuYEU6tUisLxz/9TkdB4Yk/vQ=,iv:Ubj28yyfOqcXQyUs9e0iPq0BscHjfB2vRQd14x8L4Cg=,tag:vf9FITNJZxEzLo5+ZInD5Q==,type:str]
  EW90N:
    key: ENC[AES256_GCM,data:+lJNzFrJTZUrwanr5HG9n4mt4Z4=,iv:HNE+oKLye482+/fupMZUuLIU2Ws+3hpHUITviPREiL8=,tag:ioCQASLPZ9QoDobNNAOiYQ==,type:str]
  Fairphone4:
    key: ENC[AES256_GCM,data:5lBk/JEcvMZj+MJ2/0PIdVbt6mZkGg==,iv:Kg82ZHGCLzPBmEt5G6SK7yzAqEDTVD8MW+OzxG03ZU8=,tag:Re2sRvRkiiqqy3ylbimdqA==,type:str]
  DSL_EXT:
    key: ENC[AES256_GCM,data:cyc4Dys+356io+9Oc2J4fp0sLUg=,iv:CpP2v9ZGLzVlEU0Tc1Vz0Pa33vuoORshZVKJr3uSBuQ=,tag:2qMQJa77fuy8iWNWgVsT4g==,type:str]
  eduroam:
    password: ENC[AES256_GCM,data:ZaU/8lBnFhYQjx4N9u+qZ41bHS0=,iv:Lk9biaZqC0trXo+RdcpMfaXwmMZH/764RWebtjjDYek=,tag:HbL+D32T9WpM+c5RlYywyA==,type:str]
    cert: ENC[AES256_GCM,data:rHBNf2gxM7Ln/AwwEfRnkooY1u4HTEzkzz1nCRNX7mcRPP6Gg7FsARL2v9TOtGezv9dUW+yjmlGbf36FwlHTTs9J0hNQxW+o3g1m4fARbf0YXFbjb9xh0ZIpOq0eIXUwds3fBUzMmtWqnF5ElAQdc7ZkS984+uTbMliZBE98dPumgGt2Z2+eoCF6GpslwQZ2dkLrIMsJ4OFkILGn4NyaorkRfcIV8QMYjufb3sc0nMUqb1Idj/qFqVy8gbNFo1lG21WN6Xv9fYw5ic1Gyu8+YSrrk1EoIgBkxmN26U/xN6RT1Ao61mKkCuZWARDyBcMzvUGrQu/xgn3mDbn2PbuTOq4cts9dHrrlHx7rzHlwDaoctkORs8p9dM86c/+taZgLdTzFn2YpgEVBR+oTRAgnzK62ej6L+DZope9eIhjSJTmvTfZrac0Nhktm8IYX48MBXufmcqISUPo6/1gIN5vNxghzP5i6FT+yWJRZ2g+RBz2A5vLad0s2FRZsPQkAhIPuaNZR9EcnP2n/d+qrHZ9XQ8XrQvTQJAzyBUfrVtJjQZgxKiI8MNAbJBK9732rjoPBgfWio9I1Q+iNPVFoDDBcRxtf+Mp/T/fi9YkV8N75p1PiIpOgq/Uthsw4RhtcjPca6E60A8hKAbvXbYsiOwZVCUOoaZXWEW/2/no4yVHO4NE8t3PD4XAVHbsRuXW4g4dxsusApLGPwt0oEU9FUpYeDB1XCa1J0zkvqUEM+Kqu6pirYzOU8KN2nPRRt/6C3bBP5Hrk/FRg3lgGMpKhecK8YgmTZ60WZqvvAG1Iybi8ziIzrEaVZeAh+rmxIYn1PiF2+bfhh45n8v9btC5fNEgnZ7gjgpK9VFJd1JPCM0EDWs5/b5cXmkM+OAs2Gx498vW9yYBn0XTVIQOtcVfpoyekLO8hUpH2bqKd8BA4BnDiiOGTdz5Z6QemlahpehhLIUp0iRsDuvcWUn5hsu6prWL+M8mXg2MMnyfONcEfJlW0BCfsAHJ8tjmMLp1zi0MGYt0wKH756QnPBWe5WgMj4L2MDdkLlfrz+IaRK1trT4ySh9W6EDSGCdPozm6JWGWf36d5qQODL+YQAyg6uY6hSSeu79rDpznEP/c8F4q6zO7xEH6O+p2qf0T7bBI1MQwJyBPaMecrrZHQobHWaocpO99Ld1sW/TP46/4DGhu4PuNH7MBehhTnt6eqBcJHr+AxBdYvKkJz8TNR+xZ46t2YpUCr0XSLmVbx2pjpessCR5MDrIX6lb1YBjmsLlwQpVfi4QWmI4klUOKJTESq54mdSceWPlyfgisyfg+wkxrfJ/P4nbvfXCdJvngHkciam5uA7+8l1Up3Pyj46aZJKQ3SeCaqD4gCAsS13A9s6Q0rJUn4CQZO/It++K2/QDPiaJ9PPHaOTwIuBUevUvKlaSNk82I/hx6UyTQHj1aDazdefvYYtxh4b4H4vbL2K3c6v2ZRX2zA6SjD8eHwWZO94J5fSNXZD3o+euuuDfxO4fTcMxJGALaf3P3KSpVPUGMYV7WYeCgDxNSfVxMhLlBZvXQQefN5ijBs8bcwjERDsCyDU+e0K7JFaAirHixFxCDTY2z8KG+gNIlcZ8uhazaSX/Iwtqsd/i8uHTZ10Wa0wsoN5yTRWptkV8dNMHPQPi+58lj4pIlt01zPZeFUw69TrCdlcrXZZ0OQZs8/30LHjW0gLyOEKbusRabXUZUoQWMloXdakpm2jxNRjaE3mJeulKJDZNZk88ekWcWAI6L2wvfBeBaHwcIvUcn+n54CmKCgKvLVOBoJSRU+Lu/1Wg0Gol3Mc3NKz2NJg+TqHBZod3cMuwNTZ2fuTS3ytQZBXb97XOrN/gS55NNB2yjJye3hCWbSArIeHtbv0iJmBOLcMNggzNDiD1BKKcEqG/J0t5GCOD1l3vWn3r3x1ffvzPcoXN7LayGJhbBMGazpgrE4B1ox9JIVyRRCTgVRx3x5OuI+FlV4EO+QV9b/JS8SGTjckz9d1jH7WHzn0jgPcze/8m9rhsS6R8My6Vv2Yk0gJpwNNOru6h41OLM7X0yBzhWELdw/aIrq8Shqm40RE1nP7TUW8gCqu737YTp85w+xcQO0wKMQqaJfdJGC8iHp6Bhyu6DIxWGwsBDCO79J72OWOqLrZMurzqAWQf09vRneAQmI+WKHcp8jWQBdVgIHyJzguwHLZb1sJPxUYffkjzogvRiStaZE//cTio88K6jw81KoWXLI6roJg/hV5isKISRH+K1x80b8oziXJtYHEtVeCcMByxWmrcrgQn2qmWemVFNzw/F7ZUKPu3EbOQiaNAgdiYRQi2tFZJjSLVSXN0H+m2Vag8phWzS5KSfsFBXdg2cVPQpxwV0Blcw3c+9bPdkayMc3B7xev/89mfDmX8c+CMLrjk9i3de2UGdsb/CXoNzG2g2/RC5OUcdnBdPvgswNOpkSjSiGXDkcEH3jSs7GaTwY29M8P0BxB74v2FXP6Q1IklnXoeIpGNSfk489ASiJVBPwAQuIuVgNmXxOsZkhT1d/9vepusleeyBNmlg/oJQoKIIeQluIDe+9BqE/9udIW+XASbqjfSU6TKQEkEX4BIoLITy/l1vnC1qKlV/4Ms0CawdTB/e/YmqRBDYZdaExA6t9hgUBUWzJWoLU0cVpoxq6DervMWKD/nXX0h3JCaZc7rI561eUV8zCjyHvxVFf1+GFxPRUvgpUSYcg7w3Xo5xTTSGkeEqnOzq6ha9YfavGVti969elOZh9274=,iv:gJctzc0Yp69mZ+dP+97Zs6WYzkZsIg+ATX73GnHkIkY=,tag:Yhkzq4qVPD0RqED8q+rpJw==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eHZacFd0T0VydGw5ZE1Y
        ZVhZNTlOSm1aVHJXQ1NBeXN3eVp1ZlNUZ1U0CjRtek5qclpCbVB2Y1luNlBOelFh
        bGwrRjNQdDY5ZnpXTERUMUhkUEpnRE0KLS0tIFM3YlVZaG9LSEU2M2NyNXRMRFNH
        OUJMRXgySjNZY25qcmZjbThncWFuUUEKPa3qgJeDoiCpnt4auvh/dTfI3Qb/vS/D
        /9T4me16sr2R/IVPmAkorL2q58Jooa2fvE41nOcxbtWIZphDz3cS4g==
        -----END AGE ENCRYPTED FILE-----
    - recipient: age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRGVaSEozZUtacFpkSG5R
        eG1WRUx0N3RnUGZXZEg3WEZ6N0dHV3RaZVFzCmVuaHBPQ1FiNDlBVmhRaUdwbVBC
        MFcrbHF1OEd4QlcrMUt1NnB1aUlCZkEKLS0tIDlFdy9UZlpZWlFiNkNHaUpZdW12
        V1E4bnVHZGg0bFdPNldoTDZnaDlNQk0KU9AJzhzgbg4/x4l7v9QY3HjZ7iE6K/2X
        CWZ9kbg7KsR0mYP6H/VBvJp5prF5x7DRPU+KtZsjDLcm4KmHAmPXZQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-03-07T11:53:24Z"
  mac: ENC[AES256_GCM,data:MtCQ6H/GJZnCf75E2bXj+13mFZbS8R6QHC77mF9+YMZ5gjfFXikqiyGPAL75k08GzUAaf+FfXIE63if0YsQe5W6F/k+/daXvFFMPTSrfCWE+n08gF+1k4gXqVLpZGEjVmRJ58onsivQu6ezV7fO3nKv9PVvE9k6YdQuyVPpiULo=,iv:jBJKRFKG9xesLzpkglhkgn1tjhzUxUpw6p4ZyDvT9Ag=,tag:6AXIxDzZurnNeEaOyKmc+g==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.4
--- a/hosts/installer/default.nix
+++ b/hosts/installer/default.nix
@ -32,6 +32,6 @@
    extraUpFlags = [ "--ssh" ];
    # Ephemeral + not pre-approved
-    authKeyFile = pkgs.writeText "tailscale-key-file" "tskey-auth-kCuRe2vTT321CNTRL-UwrqtezivdJgLkVGetxKeJR8Bsk9tw155";
+    authKeyFile = pkgs.writeText "tailscale-key-file" "tskey-auth-kB9BjHT7WP11CNTRL-doCbK8AHoNGZNLiFVbKbNGrCi8CoXXsQ";
  };
 }
--- a/users/seb/@fern/default.nix
+++ b/users/seb/@fern/default.nix
@ -0,0 +1 @@
 { imports = [ ../user.nix ]; }