diff --git a/.sops.yaml b/.sops.yaml
index e9a4776..df235b5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &admin age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
 - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
 - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
+ - &proxima age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
 - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
 - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
 creation_rules:
@@ -15,6 +16,11 @@ creation_rules:
 - age:
 - *admin
 - *inspiron
+ - path_regex: hosts/proxima/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *proxima
 - path_regex: users/seb/@north/secrets.yaml$
 key_groups:
 - age:
diff --git a/flake/hosts.nix b/flake/hosts.nix
index 6d50b23..dca0d1e 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -31,6 +31,7 @@ in
 flake.nixosConfigurations = lib.mkMerge [
 (mkHost "north" unstable)
 (mkHost "inspiron" unstable)
+ (mkHost "proxima" stable)
 (mkHost "installer" stable)
 ];
 }
diff --git a/hosts/proxima/default.nix b/hosts/proxima/default.nix
new file mode 100644
index 0000000..98d3418
--- /dev/null
+++ b/hosts/proxima/default.nix
@@ -0,0 +1,18 @@
+{
+ imports = [
+ ../common.nix
+ ./hardware
+ ];
+
+ system.stateVersion = "24.05";
+
+ myConfig = {
+ sops.enable = true;
+ boot.loader.systemd-boot.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ exitNode.enable = true;
+ };
+ };
+}
diff --git a/hosts/proxima/hardware/default.nix b/hosts/proxima/hardware/default.nix
new file mode 100644
index 0000000..ff7b6b7
--- /dev/null
+++ b/hosts/proxima/hardware/default.nix
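Review bot: The new hosts/proxima/default.nix enables Tailscale SSH and exit-node mode together with no comment saying what proxima is for, and `myConfig.tailscale.ssh.enable` / `myConfig.tailscale.exitNode.enable` are defined in a module outside this diff, so a reader of this file cannot see what either option actually switches on (forwarding, firewall rules, who may log in). I'd add a header comment above `imports`, e.g. `# proxima: stable-channel host acting as a Tailscale exit node; remote access is Tailscale SSH, so login policy presumably lives in the tailnet ACL rather than sshd — confirm against the tailscale module.` It is also worth checking in that module which forwarding and firewall settings `exitNode.enable` turns on, since this host file adds no per-host firewall configuration of its own beyond what `../common.nix` provides.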
@@ -0,0 +1,31 @@
+{ inputs, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.default
+ ./disko.nix
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ hardware = {
+ enableRedistributableFirmware = true;
+ cpu.intel.updateMicrocode = true;
+ };
+
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usb_storage"
+ "sd_mod"
+ ];
+ };
+
+ zramSwap.enable = true;
+ services = {
+ thermald.enable = true;
+ fstrim.enable = true;
+ };
+}
diff --git a/hosts/proxima/hardware/disko.nix b/hosts/proxima/hardware/disko.nix
new file mode 100644
index 0000000..b58b191
--- /dev/null
+++ b/hosts/proxima/hardware/disko.nix
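Review bot: `usb_storage` and `sd_mod` in `initrd.availableKernelModules` are load-bearing here rather than generic hardware-scan output: the sibling `disko.nix` configures the LUKS key file as a USB block device under `/dev/disk/by-id/usb-…`, so dropping either module would leave the initrd unable to read the key and both encrypted volumes locked at boot. A comment on the list would make that dependency visible to whoever next regenerates this file, e.g. `# usb_storage/sd_mod: the LUKS key file is read from a USB stick in the initrd (see ./disko.nix)`. The `xhci_pci` entry is in the same category if the stick sits on a USB 3 port.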
@@ -0,0 +1,91 @@
+{
+ disko.devices = {
+ disk =
+ let
+ luks-settings = {
+ settings = {
+ allowDiscards = true;
+ keyFile = "/dev/disk/by-id/usb-SCSI_DISK-0:0";
+ keyFileSize = 4096;
+ };
+ };
+ in
+ {
+ one = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "512M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ name = "cryptroot";
+ type = "luks";
+ content = {
+ type = "lvm_pv";
+ vg = "root-pool";
+ };
+ } // luks-settings;
+ };
+ };
+ };
+ };
+ two = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions.luks = {
+ size = "100%";
+ content = {
+ name = "cryptdata";
+ type = "luks";
+ content = {
+ type = "lvm_pv";
+ vg = "data-pool";
+ };
+ } // luks-settings;
+ };
+ };
+ };
+ };
+
+ lvm_vg = {
+ root-pool = {
+ type = "lvm_vg";
+ lvs.root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ data-pool = {
+ type = "lvm_vg";
+ lvs.data = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/data";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/proxima/secrets.yaml b/hosts/proxima/secrets.yaml
new file mode 100644
index 0000000..ce5a839
--- /dev/null
+++ b/hosts/proxima/secrets.yaml
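Review bot: Both LUKS containers (`cryptroot` on `/dev/nvme0n1` and `cryptdata` on `/dev/sda`) are opened with the same `luks-settings`, i.e. the first 4096 bytes of the raw USB device `/dev/disk/by-id/usb-SCSI_DISK-0:0`, and no other key slot is configured (no `passwordFile` or `additionalKeyFiles`), so that single stick is the only way to open either disk: losing it, or overwriting its first sectors, makes both volumes unrecoverable, and whoever holds it holds the only key to both. I'd document that at the `let` binding, e.g. `# Shared unlock key for both volumes: the first 4096 bytes of the USB stick. No recovery slot is enrolled — keep an offline copy of the key material.`, and consider enrolling a recovery passphrase in a second slot via disko's `passwordFile` or `additionalKeyFiles` (how those combine with `settings.keyFile` at luksFormat time should be checked against the disko version pinned in the flake). `allowDiscards = true` together with `services.fstrim.enable` is a deliberate trade-off that exposes free-space layout through the encryption layer; a one-line comment acknowledging it saves the next reviewer from asking whether it was intended.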
@@ -0,0 +1,31 @@
+seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str]
+tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq1/dw7eQq7BuzYMT5O5EAy+5A9ZP3fDaleO5nFXRFvg==,iv:p7Dpq30TZyb20E5TfscycxMiN1XUx66DbNPhwuZkwaA=,tag:V/fc99Zv4xJ6PDxNIWHRew==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdU9yQjVQbEFtN3dYVjhN
+ dTVpaXV2bWEvQXlnVkJ5Z3ZLL2VhV0FhdnpVCmQySzJWL1RnU0xETGxNeGxEeHVy
+ K2JPSmtteXA3SHg4SHcwTWxRUVlDUnMKLS0tIGhlTXE3ZVdkQzdNV1RjQy85b3gw
+ U2xiejFuVzZKRFJkcVRhWGpXUDNSeW8KHdBFwQb0JItYgkZ7mDo3agTnDr3Ii8j6
+ 9LdLwahPwqScGbEONp8A1yzyTEabCiI5Hl9+ptKJoGlJK/lzfrCfsw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Tm9tcVdHcVRpTmw2L0Qy
+ UWtjMG5uMUlodElDZ2cyZ3Q0NHQ4OGdFV1ZnCjF1RS9XaEltOHAzYmxUcHNLcVk4
+ bHBpYUs3SzJlamI2dFozLzV6NThaRVEKLS0tIHN3YmJQNjhWaThPL1JmeUI5NlRT
+ aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
+ FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-15T20:36:57Z"
+ mac: ENC[AES256_GCM,data:d3UvTioPyA/Ua2hyWo01l1+6kPBFhQES8+l3wqFlnBlUmwBAIh8ZyBA4hNUB2A7eF7MXZytQuFkbxtmDljsLQ1yaAZNrN3gBl8arzn/ztXsbkQ2h53wWkjTrfjLCaN8Z4Ea9e1Y/2uBiUn2VkJT/YVVyt7bOhHtRw+JO/2CNhLw=,iv:Af0NUGw2D/7ekCo0L7Cqd4j35wc3AOgruglsCj3C7QI=,tag:B0RU/sv6gDUBs0x1drPy4A==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
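Review bot: The file is encrypted to exactly the two recipients the new `.sops.yaml` rule names (`admin` and `proxima`), which is consistent, but nothing in the commit records what kind of key `tailscale-auth-key` is, and the ciphertext obviously cannot show it. Because this value lets a node join the tailnet as a host that is also an exit node, it matters whether it is a single-use, expiring, tagged pre-auth key or a long-lived reusable one; I'd record that where the secret is consumed, e.g. `# tailscale-auth-key: pre-auth key — <reusable/ephemeral, expiry: fill in>`. This is a documentation request, not a finding against the encrypted content.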
diff --git a/users/seb/@proxima/default.nix b/users/seb/@proxima/default.nix
new file mode 100644
index 0000000..9f612c7
--- /dev/null
+++ b/users/seb/@proxima/default.nix
@@ -0,0 +1 @@
+{ imports = [ ../user.nix ]; }