diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..1a6fcab
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,21 @@
+keys:
+ - &person_hunner age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45
+ - &host_zima age16ptwug2yygtfh2dyy5dahaz85pfv3nvqyks03wltyymhyal25uyskz3q9v
+ - &host_cryochamber age122r8wrurhfjwple2ykd4wxafxezjd78mpkrzzyplcdju8q5ykecs3wycee
+ - &host_liminal age1jv3t4pltlsympq86vjhjjr66hvm25hv9utlk2nwa99qxfapc2amq2vmkel
+creation_rules:
+ - path_regex: hosts/zima/secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *person_hunner
+ - *host_zima
+ - path_regex: hosts/cryochamber/secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *person_hunner
+ - *host_cryochamber
+ - path_regex: hosts/liminal/secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *person_hunner
+ - *host_liminal
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..477960e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Notes
+
+I generated the sops keys via `ssh 'cat /etc/ssh/ssh_host_ed25519_key.pub'|nix run 'nixpkgs#ssh-to-age'`
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..d10b452
--- /dev/null
+++ b/flake.nix
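Review bot: Every rule under `creation_rules` is scoped to one `hosts/<name>/secrets/` directory, so a secret that is shared by several hosts (the `hashedPassword` hash removed from cryochamber and liminal in this commit was the same value on both) has to be encrypted once per host and rotated in three places. If shared secrets are intended, a fourth rule along the lines of `- path_regex: common/secrets/[^/]+\.(yaml|json|env|ini)$` with all four anchors in a single `age` list would avoid that drift; if strict per-host isolation is the goal, a short comment above `creation_rules` saying so would stop the next editor from adding one. `path_regex` is unanchored, which is harmless today but worth a leading `^` if the tree ever gains a nested copy of `hosts/`.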
@@ -0,0 +1,60 @@
+{
+ description = "NixOS configurations for zima, cryochamber, and liminal";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+ nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ nixos-hardware.url = "github:NixOS/nixos-hardware";
+ impermanence.url = "github:nix-community/impermanence";
+ talon-nix.url = "github:nix-community/talon-nix";
+ plover-flake.url = "github:openstenoproject/plover-flake";
+ beads-flake.url = "github:steveyegge/beads";
+ };
+
+ outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, nixos-hardware, impermanence, talon-nix, plover-flake, beads-flake, ... }:
+ let
+ system = "x86_64-linux";
+ overlay-unstable = final: prev: {
+ unstable = import nixpkgs-unstable {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ in
+ {
+ nixosConfigurations.zima = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit impermanence;
+ };
+ modules = [
+ ./hosts/zima/configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
+
+ nixosConfigurations.cryochamber = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit impermanence;
+ };
+ modules = [
+ ./hosts/cryochamber/configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
+
+ nixosConfigurations.liminal = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit nixos-hardware impermanence talon-nix plover-flake beads-flake;
+ };
+ modules = [
+ ({ ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+ ./hosts/liminal/configuration.nix
+ ];
+ };
+ };
+}
diff --git a/zfsrent/configuration.nix b/hosts/cryochamber/configuration.nix
similarity index 95%
rename from zfsrent/configuration.nix
rename to hosts/cryochamber/configuration.nix
index 27cfbb3..867d728 100644
--- a/zfsrent/configuration.nix
+++ b/hosts/cryochamber/configuration.nix
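Review bot: `nixosConfigurations.liminal` leaves `sops-nix.nixosModules.sops` out of its `modules` list while zima and cryochamber include it, yet `hosts/liminal/configuration.nix` in this same commit sets `sops.defaultSopsFile`, `sops.age.sshKeyPaths` and `sops.secrets.hashedPassword`; unless that file imports the sops module itself (its `imports` are outside the shown hunk), evaluation fails with an undefined `sops` option and the `hunner` account has no password source. Adding `sops-nix.nixosModules.sops` on the line after `./hosts/liminal/configuration.nix` keeps the three hosts uniform. Separately, only `nixpkgs` is pinned to a release branch; `sops-nix`, `impermanence` and the other inputs are tracked by branch and are reproducible only through `flake.lock`, and no root `flake.lock` appears in this diff, so the first lock file should be committed with this change so the host-key to secret mapping cannot silently shift under a later `nix flake update`.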
@@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, impermanence, ... }: #zpool import -f rpool #mount -t zfs rpool/local/root /mnt @@ -9,9 +9,7 @@ #mount -t zfs rpool/safe/persist /mnt/persist #mount -t zfs rpool/local/var/lib /mnt/var/lib #mount -t zfs rpool/local/var/log /mnt/var/log -let - impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"; -in + { imports = [ @@ -137,11 +135,16 @@ in }; }; + # sops-nix secrets + sops.defaultSopsFile = ./secrets/config.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hashedPassword.neededForUsers = true; + # Define a user account users.users.hunner = { isNormalUser = true; extraGroups = [ "wheel" "docker" "networkmanager" ]; - hashedPassword = "$y$j9T$hLqdzlz7dbJZgUnKs.eo3/$25s/2X18vGtDKj53qD1sn/.Omp/6CBJWbn7d9KAiOK7"; + hashedPasswordFile = config.sops.secrets.hashedPassword.path; shell = pkgs.zsh; packages = with pkgs; [ fzf diff --git a/zfsrent/disko-gpt.nix b/hosts/cryochamber/disko-gpt.nix similarity index 100% rename from zfsrent/disko-gpt.nix rename to hosts/cryochamber/disko-gpt.nix diff --git a/hosts/cryochamber/flake.nix b/hosts/cryochamber/flake.nix new file mode 100644 index 0000000..4039f1b --- /dev/null +++ b/hosts/cryochamber/flake.nix @@ -0,0 +1,23 @@ +{ + inputs = { + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { + self, + nixpkgs, + sops-nix, + }: + let + system = "x86_64-linux"; + in + { + nixosConfigurations.cryochamber = nixpkgs.lib.nixosSystem { + modules = [ + ./configuration.nix + sops-nix.nixosModules.sops + ]; + }; + }; +} diff --git a/zfsrent/hardware-configuration.nix b/hosts/cryochamber/hardware-configuration.nix similarity index 100% rename from zfsrent/hardware-configuration.nix rename to hosts/cryochamber/hardware-configuration.nix 
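Review bot: The new `sops.age.sshKeyPaths` line makes decryption of `hashedPassword` depend on `/etc/ssh/ssh_host_ed25519_key`, and `neededForUsers = true` means that key must already be present when users are created during activation; on this ZFS-rollback host that only holds if `/etc/ssh` is persisted and its backing mount is `neededForBoot` (zima's configuration does both via `environment.persistence."/persist"` and the `/persist` fileSystems entry; the corresponding block of cryochamber's configuration is outside the shown hunk, so it is worth confirming). If the host key were regenerated on a boot, sops-nix could not decrypt `secrets/config.yaml` and the `hunner` account would most likely be left without a working password. A comment above the block would save the next reader that investigation, e.g. `# The age identity is derived from the host ed25519 key; /etc/ssh must survive the root rollback and be mounted before user activation.` Also, the removed `hashedPassword` value remains in git history for this file and for liminal's, so moving it into sops only helps if the password was rotated at the same time.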
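Review bot: `hosts/cryochamber/flake.nix` binds `system` in a `let` but never uses it, and `nixpkgs` is consumed in `outputs` and in `sops-nix.inputs.nixpkgs.follows` without being declared under `inputs`, so it resolves through the flake registry rather than a pinned channel; `hosts/zima/flake.nix` added in this commit has the same shape. The root `flake.nix` already defines `nixosConfigurations.cryochamber` against `nixos-25.11`, so either these per-host flakes are leftovers that can be dropped, or they need an explicit `nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";` input plus `inherit system;` inside `nixosSystem` so both entry points build the same closure. If they are kept deliberately, a one-line comment at the top stating when to use them instead of the root flake would prevent the two from drifting apart.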
diff --git a/hosts/cryochamber/secrets/config.yaml b/hosts/cryochamber/secrets/config.yaml new file mode 100644 index 0000000..b91e4e2 --- /dev/null +++ b/hosts/cryochamber/secrets/config.yaml @@ -0,0 +1,25 @@ +hashedPassword: ENC[AES256_GCM,data:iUN2iaC2RPDa/vq6H7Xp2KqHYcHfQHU6IhZ2FWXEuaNhByFzpyMbJC7N2bmbDUD3ERLudHg686Uqt6XJV2PevQoXa1iYhv9cLw==,iv:ekGMzP2TXSrxLkqZVclHgN1NQIv6OqtsVLHdvsTgXQc=,tag:RRSZCHjmhn8ClrUTYteWWA==,type:str] +sops: + age: + - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TWlKSGppbzRaZ0dUOUNz + cXpReDF5UUZIbVg1MGkyZGNneGNiK0t3eEdRCk9jRjIvL25hREI3c1pVOU5JS1l2 + Q0tkNWU0RndiZEI4Z1dDSlFUQzAyZVUKLS0tIEVyc0JPVnBxNDlJSEVXc3V1WDY0 + bzlsWjVJZGx6eHk1MFh6ZFVpN0FOelUKaNsnY+6+t4lGv1e35BQjwPmI7AcQqpiu + uiDxPhaXmGrlBDdpHaEjNYBvZjp0YA/0LwEX7uUipQD+Xrop5Snm4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age122r8wrurhfjwple2ykd4wxafxezjd78mpkrzzyplcdju8q5ykecs3wycee + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYjdUWjQxL0UrWnNWSUpi + ZWlsUVNTK0xXZVVFd2pNSitldnFaVzdoQnhnCkNma2llSDVmTzZGL1Y0VUhFSk9h + NEVUM3MwU2RQMTJpdFdEVWtPa2tCdzQKLS0tIGxrU3hzUzh4MGZQcElyRG1CZ3RS + NDJWOEMyU1hwcHRXMUh6RkEzOFhndG8KY/fCz/+MfGQlnLC3Kzo5hYOmd0fRakDQ + JjVD+zxHFqN5b3U03iS9WIsdjF3hRFqqnZMOeXTUDezDfTNPdmUuMg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-29T20:30:43Z" + mac: ENC[AES256_GCM,data:4tBtaoDxLrLIyIXi51TKB2U5eP9kkEpz1UaW2eBTGXkdmn+k/oiouQ4spigQ8O0dKvdy4SmvOSksCC7TSDeZ0ToKbyorqFrTbnhvUdACjw6O6I8WJ8daaOGuvKHjiYk1CWhn8zdC+QTa/gpjVoQhTfiEFuPXgFMMoI24h7000XE=,iv:6taR8qzv/liCLAeqkYnUV+9D0b9z0zCOPHsOo+JMXnw=,tag:TUg6Z9GQLPLnyvW6lCHFpw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 
diff --git a/framework/configuration.nix b/hosts/liminal/configuration.nix similarity index 97% rename from framework/configuration.nix rename to hosts/liminal/configuration.nix index 779dc0b..cb82d27 100644 --- a/framework/configuration.nix +++ b/hosts/liminal/configuration.nix @@ -201,12 +201,17 @@ services.libinput.enable = true; services.touchegg.enable = true; + # sops-nix secrets + sops.defaultSopsFile = ./secrets/config.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hashedPassword.neededForUsers = true; + # Define a user account. Don't forget to set a password with 'passwd'. users.users.hunner = { isNormalUser = true; description = "Hunter Haugen"; extraGroups = [ "docker" "networkmanager" "wheel" "audio" "video" "dialout" ]; - hashedPassword = "$y$j9T$hLqdzlz7dbJZgUnKs.eo3/$25s/2X18vGtDKj53qD1sn/.Omp/6CBJWbn7d9KAiOK7"; + hashedPasswordFile = config.sops.secrets.hashedPassword.path; shell = pkgs.zsh; packages = with pkgs; [ fzf diff --git a/framework/disko.nix b/hosts/liminal/disko.nix similarity index 100% rename from framework/disko.nix rename to hosts/liminal/disko.nix diff --git a/framework/flake.lock b/hosts/liminal/flake.lock similarity index 100% rename from framework/flake.lock rename to hosts/liminal/flake.lock diff --git a/framework/flake.nix b/hosts/liminal/flake.nix similarity index 100% rename from framework/flake.nix rename to hosts/liminal/flake.nix diff --git a/framework/hardware-configuration.nix b/hosts/liminal/hardware-configuration.nix similarity index 100% rename from framework/hardware-configuration.nix rename to hosts/liminal/hardware-configuration.nix diff --git a/framework/pkgs/hp15c/default.nix b/hosts/liminal/pkgs/hp15c/default.nix similarity index 100% rename from framework/pkgs/hp15c/default.nix rename to hosts/liminal/pkgs/hp15c/default.nix 
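Review bot: The context line `# Define a user account. Don't forget to set a password with 'passwd'.` is misleading now that `hashedPasswordFile` is fed from the sops secret: the hash is managed declaratively and, as far as I understand NixOS user activation, is reapplied on every rebuild, so a `passwd` change would not persist. Suggest `# Define a user account. The password hash comes from the sops secret above; change it by re-encrypting secrets/config.yaml, not with passwd.` The same stale comment sits above `users.users.hunner` in `hosts/zima/configuration.nix` in this commit.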
diff --git a/framework/pkgs/nonpareil/default.nix b/hosts/liminal/pkgs/nonpareil/default.nix similarity index 100% rename from framework/pkgs/nonpareil/default.nix rename to hosts/liminal/pkgs/nonpareil/default.nix diff --git a/hosts/liminal/secrets/config.yaml b/hosts/liminal/secrets/config.yaml new file mode 100644 index 0000000..d886727 --- /dev/null +++ b/hosts/liminal/secrets/config.yaml 
@@ -0,0 +1,25 @@ +hashedPassword: ENC[AES256_GCM,data:FvSo0j1H/FpP8ljQTYNSRvAPDvvXi1TcIJnIY+WgTRiHZ0vb426+Pp8FNCqA06Rr/a+5T23ni2s1gOgX143LA4rI9xo9CgLxyw==,iv:QlenOW5mUdbS9+mnpoHfmVG/qnKLETuyVn8zOatTY98=,tag:6jslZ2Lth512XioIgHL92Q==,type:str] +sops: + age: + - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdzBYdlZiQXZpNVVkMSs0 + QzdtTU82bzFsSHlPY2tSYVB4THFZbmxyVUdzCkZqODVEZlRSSm9SMnFmZnhKTk5U + WEh3V1Zua1QyNTlvVGRHNktyQi9ualUKLS0tIGZFaEIxT0NVZTkvOXZQNFI5VTlP + TDM5czFEc1lCU281R0NKQkQ1bjNLL0kKHtVBtagNiz2fyyudwBJpxhfQBUMt++Be + tE1SGo+TirLPCgFK/ynw2zXUj7IZ8+qANOpGmStroUBgJGfoEHHlwg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jv3t4pltlsympq86vjhjjr66hvm25hv9utlk2nwa99qxfapc2amq2vmkel + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWL2dOcWpFWnZXYWdOZzhx + Z1hLUnRzTXo4N21ESXd6N1VhTVZUVVNHSFNNCnE2QkJ5clQvaExyY2dWMUZic3RI + NVJyVUNFZXdOTktjQ2ZYT0xER2x6Z1EKLS0tIHQxTFFTYlVnYjdiRUZnQXRDWHVB + WHVZYkQvN1MxaEV4NElLcHFPZmNjZVkKbUHXfK4Wt7MRS2XYBy9v/SQ3a6T4V5FK + bjd0nVVTJeMnE6V9avjNuOCVUkug4PylIzSMSohfpR6AmSy68jYElw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-29T21:00:07Z" + mac: ENC[AES256_GCM,data:IEWEy84qU3Lzq4tuNITS1JjxfNSNMksQMVTJbDHNyaN+gpVhjgS/SIX3ESU36S+CcgR/iczRvUvURA+s0csiMXCKfx2IwVuTIKqtTArDubjlqivr7fhY94VTkFz2e3ohfcHiJt6uzhzxHNDAAE5Ju9TzIAVyf+FRFZFUMRQwddc=,iv:oqnvxQg7mN7yWYoIahdJnKUestSeIMKvawt7+fDC38o=,tag:fcpPcvy+HTFSPTUM2GZ+0w==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/hosts/zima/configuration.nix b/hosts/zima/configuration.nix new file mode 100644 index 0000000..02113f6 --- /dev/null +++ b/hosts/zima/configuration.nix 
@@ -0,0 +1,304 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ config, lib, pkgs, impermanence, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + "${impermanence}/nixos.nix" + ]; + + boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7; + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.extraPools = [ "bitrot" ]; + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + fileSystems = { + "/persist" = { + device = "rpool/safe/persist"; + fsType = "zfs"; + neededForBoot = true; + }; + }; + # TODO postResumeCommands after update + boot.initrd.postDeviceCommands = lib.mkAfter '' + zfs rollback -r rpool/local/root@blank + ''; + + networking.hostName = "zima"; # Define your hostname. + networking.hostId = "78599900"; + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + + # Set your time zone. + time.timeZone = "America/Los_Angeles"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; + + # Enable the X11 windowing system. 
+ # services.xserver.enable = true; + virtualisation.docker.enable = true; + + + services.cron = { + enable = true; + systemCronJobs = [ + "*/5 * * * * hunner widget drive zima $(zfs list -o available -H /bitrot) free" + ]; + }; + + + # Configure keymap in X11 + # services.xserver.xkb.layout = "us"; + # services.xserver.xkb.options = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # sops-nix secrets + sops.defaultSopsFile = ./secrets/config.yaml; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hashedPassword.neededForUsers = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.hunner = { + uid = 1000; + isNormalUser = true; + extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user. + hashedPasswordFile = config.sops.secrets.hashedPassword.path; + packages = with pkgs; [ + tree + ]; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + git + wget + tmux + awscli2 + nix-search-cli + smartmontools + python3 + ffmpeg + jq + sanoid + unrar + unzip + docker-compose + lzop # for syncoid + pv # for syncoid + mbuffer # for syncoid + restic + openssl + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. 
+ # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + services.avahi = { + enable = true; + nssmdns = true; + publish = { + enable = true; + addresses = true; + workstation = true; + }; + }; + + services.zfs.autoScrub = { + enable = true; + interval = "weekly"; + pools = [ "bitrot" ]; + }; + + services.sanoid = { + enable = true; + + templates.production = { + frequently = 0; + hourly = 12; + daily = 10; + monthly = 2; + yearly = 1; + autosnap = true; + autoprune = true; + recursive = true; + }; + + datasets."bitrot" = { + useTemplate = [ "production" ]; + }; + + datasets."rpool/safe" = { + useTemplate = [ "production" ]; + }; + }; + + users.users.backup = { + uid = 1001; + isNormalUser = true; + description = "Backup replication user"; + shell = pkgs.bash; + packages = with pkgs; [ + sanoid + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtgW+cxPjo70k6dkYPqzP0FR5G9zvbArp/85ZHRrMRL backup@cryochamber" + ]; + }; + services.syncoid = { + enable = true; + user = "backup"; + sshKey = "/var/lib/syncoid/.ssh/id_ed25519"; + commonArgs = [ + #"--sshoption=StrictHostKeyChecking=off" + "--sshoption=UserKnownHostsFile=/var/lib/syncoid/.ssh/known_hosts" + "--sshoption=IdentitiesOnly=yes" + "--no-sync-snap" + ]; + commands."backup-zima-bitrot" = { + source = "bitrot"; + target = "root@cryochamber:tank/backups/zima/bitrot"; + recursive = true; + }; + commands."backup-zima-rpool-safe" = { + source = "rpool/safe"; + target = "root@cryochamber:tank/backups/zima/rpool-safe"; + recursive = true; + }; + }; + # This was needed when trying to get the backup user to work instead of using + # root; probably not needed now + systemd.services.syncoid-backup-zima-bitrot.serviceConfig = { + Environment = [ + "HOME=/var/lib/syncoid" + "SSH_AUTH_SOCK=" + ]; + ExecStartPre = [ + "+${pkgs.coreutils}/bin/mkdir -p /var/lib/syncoid/.ssh" + 
"+${pkgs.coreutils}/bin/cp /home/backup/.ssh/id_ed25519 /var/lib/syncoid/.ssh/" + "+${pkgs.coreutils}/bin/cp /home/backup/.ssh/known_hosts /var/lib/syncoid/.ssh/" + "+${pkgs.coreutils}/bin/chown -R backup:syncoid /var/lib/syncoid/.ssh" + "+${pkgs.coreutils}/bin/chmod 700 /var/lib/syncoid/.ssh" + "+${pkgs.coreutils}/bin/chmod 600 /var/lib/syncoid/.ssh/id_ed25519" + ]; + }; + + services.tailscale.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.openssh.settings.Macs = [ + "hmac-sha2-256" + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + ]; + services.openssh.settings.AcceptEnv = "LANG LC_*"; + + # Old style + #environment.etc = { + # nixos.source = "/persist/etc/nixos"; + # adjtime.source = "/persist/etc/adjtime"; + # NIXOS.source = "/persist/etc/NIXOS"; + # machine-id.source = "/persist/etc/machine-id"; + # "ssh/ssh_host_rsa_key".source = "/persist/etc/ssh/ssh_host_rsa_key"; + # "ssh/ssh_host_rsa_key.pub".source = "/persist/etc/ssh/ssh_host_rsa_key.pub"; + # "ssh/ssh_host_ed25519_key".source = "/persist/etc/ssh/ssh_host_ed25519_key"; + # "ssh/ssh_host_ed25519_key.pub".source = "/persist/etc/ssh/ssh_host_ed25519_key.pub"; + #}; + + # https://www.reddit.com/r/NixOS/comments/13j64qh/how_to_add_impermanence_afterwards/?rdt=38929 also suggests + # - /var/log + # - /var/tmp + # - /var/lib/nixos + # but to do that I'd need something other than environment.etc + + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/root" + "/etc/nixos" + "/etc/ssh" + #"/var/log" + #"/var/lib/nixos" + #"/var/lib/systemd/coredump" + #"/etc/NetworkManager/system-connections" + ]; + files = [ + "/etc/machine-id" + ]; + }; + security.sudo.extraConfig = '' + # rollback results in sudo lectures after each reboot + Defaults lecture = never + ''; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 32400 ]; + # networking.firewall.allowedUDPPorts = [ ... 
]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? + +} + diff --git a/hosts/zima/flake.nix b/hosts/zima/flake.nix new file mode 100644 index 0000000..2076098 --- /dev/null +++ b/hosts/zima/flake.nix @@ -0,0 +1,23 @@ +{ + inputs = { + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { + self, + nixpkgs, + sops-nix, + }: + let + system = "x86_64-linux"; + in + { + nixosConfigurations.zima = nixpkgs.lib.nixosSystem { + modules = [ + ./configuration.nix + sops-nix.nixosModules.sops + ]; + }; + }; +} 
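Review bot: `services.openssh.settings.Macs` lists plain `hmac-sha2-256` first, which re-enables a non-encrypt-then-MAC algorithm that the NixOS default MAC list (the three `*-etm@openssh.com` entries that follow it) deliberately omits; if a particular client needs it, a comment naming that client would justify the exception, otherwise removing that first entry restores the default. The `services.syncoid` commands push to `root@cryochamber:tank/backups/...`, so the key at `/var/lib/syncoid/.ssh/id_ed25519` (which root re-copies from `/home/backup/.ssh` in `ExecStartPre` despite the comment saying that block is probably unneeded) is effectively a root credential for the other host; on cryochamber that authorized key should be limited with `restrict`/`command=` options or a dedicated receive user granted rights via `zfs allow`, and the copy block either removed or given a comment explaining why it is still required. `boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7` pins a kernel that reached end-of-life in 2024 and, to my knowledge, is no longer present in the `nixos-25.11` branch the root flake pins, so this host may fail to evaluate; the LTS default `pkgs.linuxPackages` is ZFS-compatible and avoids the pin.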
diff --git a/hosts/zima/hardware-configuration.nix b/hosts/zima/hardware-configuration.nix new file mode 100644 index 0000000..57bb5c0 --- /dev/null +++ b/hosts/zima/hardware-configuration.nix @@ -0,0 +1,62 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/local/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "rpool/local/nix"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/persist" = + { device = "rpool/safe/persist"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/08E2-681A"; + fsType = "vfat"; + }; + + fileSystems."/var/lib" = + { device = "rpool/local/var/lib"; + fsType = "zfs"; + }; + + fileSystems."/var/log" = + { device = "rpool/local/var/log"; + fsType = "zfs"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} 
diff --git a/hosts/zima/secrets/config.yaml b/hosts/zima/secrets/config.yaml new file mode 100644 index 0000000..7295c73 --- /dev/null +++ b/hosts/zima/secrets/config.yaml @@ -0,0 +1,25 @@ +hashedPassword: ENC[AES256_GCM,data:8kCOlv0GfypM0kTNLALKDdWtb4bK6wK1o1DgnzHbuUqJUfIWt6wx1ILVXfuti0rHO38lkuL05LXt9sLh1niPEmFlS4OLNCMHWg==,iv:bNbQex3+6LkDvnypQP7obFSJZ3kuLgFegu+xDQsJZh8=,tag:sN/4YVcEXXPG5C0kvh56Bg==,type:str] +sops: + age: + - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV3kwUFpNblhubTh0b293 + eUF0WDVIbGxWVlA1NnpjNFo1RXhJalY5OWpzCmZxYkMxa2tCQi9iRG96YkVhMVVK + RDQ3T3Y0SnVYdnZYemp6Q2lnblpXZEEKLS0tIFNHWUVremJWN2tjYUN1UmpUdnhQ + RWIzVjBiMjRoa0VLNDNuWDFqa1lDcVEKFitdIkUqqMuWOTn+liboLyXPBkxd2u3O + K62aQV5UxXjDmwXeH6woDCiSMFfgdWlJT6PfvS+y1FO6VKRQ39ob4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age16ptwug2yygtfh2dyy5dahaz85pfv3nvqyks03wltyymhyal25uyskz3q9v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Q3MzS3Y1WWhkUmlFMUcw + amx1RU1hZ2lJWXRVajE4Q1UvbVFlOVZ5b0E4CjU3bENCYmM2Tmg3NkwwWWRRdldP + Zm4yOHlCMU5QQTRXV2xFRTV1UGtGZGcKLS0tIDh2WitGbDQ0aEx6c2t5eTF0djFT + L0hXK1ZSY292dTRDU0Z2NGlJNHhpb2cK76bGG3yJD8ORZFPvW/WAlHLi9mt2A8+Q + /uOs6FBcubW6MGiC50OlSAI19yvg7BYqqWRFI+XEkXjxbLlwhWy1RA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-21T01:32:03Z" + mac: ENC[AES256_GCM,data:PezvH3WCehALUH3QEvIu21hJX5xyjnuGIvZAtVbEhDeD1JdO+lXSFVyH2gWjNWSgrDiDEKXMKtdl0Q+5eXJPpqHjNHIh0lDLePG0JSMZWdOz/F7uuiXqqeA7b4Plrf28PniqA4+c2PURhp5UggW6Tb2mBmVgwtsSuVH7kPnted8=,iv:59HIfn640uI6YvRwJ5WCY9QiJLvMnrdVnjpsCTG000k=,tag:3rZ4sm9cwc/n9cK/SOnMLw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0