From fe9ec527858d3d46023d1788b112fadce50cb7a3 Mon Sep 17 00:00:00 2001
From: derped
Date: Tue, 31 Dec 2024 16:25:26 +0100
Subject: [PATCH] Marid: new machine init
---
 .sops.yaml | 7 ++
 machines/Marid/configuration.nix | 19 ++++
 machines/Marid/hardware-configuration.nix | 128 ++++++++++++++++++++++
 machines/Marid/impermanence.nix | 48 ++++++++
 machines/Marid/options.nix | 81 ++++++++++++++
 machines/Marid/secrets.yaml | 35 ++++++
 machines/Marid/sops.nix | 11 ++
 7 files changed, 329 insertions(+)
 create mode 100644 machines/Marid/configuration.nix
 create mode 100644 machines/Marid/hardware-configuration.nix
 create mode 100644 machines/Marid/impermanence.nix
 create mode 100644 machines/Marid/options.nix
 create mode 100644 machines/Marid/secrets.yaml
 create mode 100644 machines/Marid/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index d736a19..cb62838 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
 - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
 - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+ - &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
 - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
 - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
 creation_rules:
@@ -10,6 +11,12 @@ creation_rules:
 - *admins
 age:
 - *lilim
+ - path_regex: machines/Marid/[^/]+.yaml$
+ key_groups:
+ - pgp:
+ - *admins
+ age:
+ - *marid
 - path_regex: machines/Ophanim/[^/]+.yaml$
 key_groups:
 - pgp:
diff --git a/machines/Marid/configuration.nix b/machines/Marid/configuration.nix
new file mode 100644
index 0000000..56a6ef5
--- /dev/null
+++ b/machines/Marid/configuration.nix
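Review bot: The new `path_regex: machines/Marid/[^/]+.yaml$` is neither anchored at the start nor escapes the dot, so it also matches any path that merely contains that substring and any name ending in an arbitrary character followed by `yaml`; `- path_regex: ^machines/Marid/[^/]+\.yaml$` is the tighter form. The existing Ophanim rule visible in the context lines uses the same loose pattern, so this is a repository-wide nit rather than something this commit introduces. The recipients chosen here (`*admins` PGP plus the `*marid` age key) match what the new `machines/Marid/secrets.yaml` in this patch is encrypted to.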
@@ -0,0 +1,19 @@
+{ lib, pkgs, ... }:
+{
+ networking.dhcpcd.extraConfig = "noarp";
+ system.stateVersion = "25.05"; # Did you read the comment?
+
+ services.gnome = {
+ evolution-data-server.enable = true;
+ gnome-keyring.enable = lib.mkForce false;
+ };
+ programs = {
+ dconf.enable = true;
+ evolution = {
+ enable = true;
+ plugins = [ pkgs.evolution-ews ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [ pv ];
+}
diff --git a/machines/Marid/hardware-configuration.nix b/machines/Marid/hardware-configuration.nix
new file mode 100644
index 0000000..2efcbbf
--- /dev/null
+++ b/machines/Marid/hardware-configuration.nix
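Review bot: The `# Did you read the comment?` trailer on `system.stateVersion = "25.05";` refers to the explanatory comment that `nixos-generate-config` emits, but that comment is not in this file, so a reader has nothing to read; either drop the trailer or replace it with the actual warning, e.g. `# Do not change after install; it pins stateful defaults, not the NixOS release`. `gnome-keyring.enable = lib.mkForce false;` forcibly overrides whatever enables the keyring without saying why, and since Evolution is enabled alongside it presumably stores account credentials through the Secret Service API, so a short why-comment naming the intended credential store would help — confirm Evolution still persists logins without a keyring. The module is complete within the hunk.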
@@ -0,0 +1,128 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ modulesPath,
+ nixos-hardware,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ nixos-hardware.nixosModules.lenovo-thinkpad-t14
+ ];
+
+ console.keyMap = "de";
+ services.xserver.xkb.layout = "de";
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usbhid"
+ ];
+ luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/d4f76a5f-bf47-4a03-b7dc-3a1a7f83c030";
+ kernelModules = [ ];
+ };
+ supportedFilesystems = [ "btrfs" ];
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [
+ "defaults"
+ "size=8G"
+ "mode=755"
+ ];
+ };
+ "/tmp" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=tmp"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/persist" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=persist"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/nix" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=nix"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = true;
+ };
+ "/snapshots" = {
+ device = "/dev/mapper/btrfs-crypt";
+ fsType = "btrfs";
+ options = [
+ "subvol=snapshots"
+ "noatime"
+ "compress=zstd"
+ ];
+ neededForBoot = false;
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/4FE7-0CC9";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ swapDevices = [ ];
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "powersave";
+ };
+
+ services = {
+ upower.enable = true;
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ time = {
+ timeZone = "Europe/Berlin";
+ hardwareClockInLocalTime = true;
+ };
+ networking.timeServers = [
+ "ntp1.zih.tu-dresden.de"
+ "ntp2.zih.tu-dresden.de"
+ ];
+}
diff --git a/machines/Marid/impermanence.nix b/machines/Marid/impermanence.nix
new file mode 100644
index 0000000..de9c492
--- /dev/null
+++ b/machines/Marid/impermanence.nix
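Review bot: The header still says `# Do not modify this file! It was generated by ‘nixos-generate-config’` and `# and may be overwritten by future invocations`, yet the body carries hand edits (the `nixos-hardware` import, `console.keyMap`, the tmpfs `/` plus per-subvolume layout, `time`, `networking.timeServers`); regenerating would silently drop them, so the header should go or become `# Hand-maintained; do not regenerate with nixos-generate-config.` `/tmp` is a persistent btrfs subvolume with `neededForBoot = true;` and nothing visible clears it, so on this otherwise tmpfs-root machine temporary files survive reboots; if that is not intended, `boot.tmp.cleanOnBoot = true;` or putting `/tmp` on tmpfs is worth considering. `hardwareClockInLocalTime = true;` is unusual enough (typically a dual-boot accommodation) to deserve a one-line why-comment.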
@@ -0,0 +1,48 @@
+{
+ lib,
+ config,
+ impermanence,
+ ...
+}:
+
+{
+ imports = [
+ impermanence.nixosModules.impermanence
+ ];
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ # TODO: Add default permissions
+ directories =
+ [
+ "/etc/nixos"
+ # Stores auto assigned user/group ids
+ "/var/lib/nixos"
+ "/var/log"
+ # User directories
+ "/home/derped/"
+ ]
+ ++ lib.optional config.services.ollama.enable "/var/lib/private/ollama"
+ ++ lib.optional config.programs.virt-manager.enable "/var/lib/libvirt"
+ ++ lib.optional config.networking.networkmanager.enable "/etc/NetworkManager/system-connections"
+ ++ lib.optionals config.virtualisation.podman.enable [
+ "/var/lib/containers/storage"
+ "/run/containers/storage"
+ ];
+
+ files =
+ [
+ "/etc/machine-id"
+ "/var/lib/sops-nix/key.txt"
+ ]
+ # remember last user and user sessions
+ ++ lib.optional config.programs.regreet.enable "/var/cache/regreet/cache.toml"
+ ++ lib.optional config.services.printing.enable "/etc/staticcups/printers.conf"
+ ++ lib.optionals config.services.openssh.enable [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ };
+}
diff --git a/machines/Marid/options.nix b/machines/Marid/options.nix
new file mode 100644
index 0000000..1d2bd0d
--- /dev/null
+++ b/machines/Marid/options.nix
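Review bot: `"/home/derped/"` is persisted as a bare string, so if impermanence has to create it on the `/persist` side it gets the module's default ownership and mode rather than the user's; the `# TODO: Add default permissions` already hints at this, and the entry can be made explicit now as `{ directory = "/home/derped"; user = "derped"; group = "users"; mode = "0700"; }` (group assumed to be the default `users` — confirm). `/var/lib/private/ollama` lives under the directory systemd reserves for `DynamicUser=` state, which systemd expects to be root-owned `0700`; if the bind mount's parent is created with a wider mode the ollama unit may refuse to start, so that deserves a boot test. The private SSH host keys and `/var/lib/sops-nix/key.txt` are persisted as files, which is the usual pattern; `/persist` is on the LUKS volume per `hardware-configuration.nix`, so they remain encrypted at rest.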
@@ -0,0 +1,81 @@
+{
+ ...
+}:
+
+{
+ config.machine = {
+ allowUnfree = true;
+ hostName = "Marid";
+ administrators = [
+ {
+ name = "derped";
+ id = 1337;
+ }
+ ];
+ conffiles = [
+ "etcfiles"
+ "etcvars"
+ "fonts"
+ "networkmanager"
+ "zsh"
+ ];
+ pkgs = [
+ "base"
+ "extra"
+ "mail_utils"
+ "nvim"
+ "nvim::cmp"
+ "nvim::fugitive"
+ "nvim::go"
+ "nvim::harpoon"
+ "nvim::hurl"
+ "nvim::kanagawa-nvim"
+ "nvim::lsp"
+ "nvim::lsp::bash"
+ "nvim::lsp::c"
+ "nvim::lsp::go"
+ "nvim::lsp::ltex"
+ "nvim::lsp::lua"
+ "nvim::lsp::markdown"
+ "nvim::lsp::nix-nil"
+ "nvim::lsp::python"
+ "nvim::lsp::typescript"
+ "nvim::lsp::yaml"
+ "nvim::lualine"
+ "nvim::nvim-highlight"
+ "nvim::oil-nvim"
+ "nvim::orgmode"
+ # "nvim::sniprun"
+ "nvim::telescope"
+ "nvim::tmux-navigate"
+ "nvim::treesitter"
+ "nvim::trim"
+ "nvim::undotree"
+ "nvim::which-key"
+ "cpp"
+ ];
+ services = [
+ "btrbk"
+ "btrfs"
+ "tmux"
+ "pipewire"
+ "docker"
+ "podman"
+ "ollama"
+ "virt-manager"
+ "virtualbox"
+ "cups"
+ "desktop"
+ "desktop::sway"
+ # "mariaDB"
+ ];
+ firewall = {
+ enable = true;
+ allowPing = true;
+ allowedUDPPorts = [ ];
+ allowedTCPPorts = [ ];
+ allowedUDPPortRanges = [ ];
+ allowedTCPPortRanges = [ ];
+ };
+ };
+}
diff --git a/machines/Marid/secrets.yaml b/machines/Marid/secrets.yaml
new file mode 100644
index 0000000..46b607f
--- /dev/null
+++ b/machines/Marid/secrets.yaml
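Review bot: `services` enables `"docker"` and `"podman"` together with `"virtualbox"` and `"virt-manager"` next to a firewall block whose allow lists are all empty; if `"docker"` maps to `virtualisation.docker`, Docker's own iptables rules let published container ports bypass the NixOS firewall, so the empty `allowedTCPPorts = [ ];` is not the whole exposure picture and a comment recording that this is understood (or that ports are never published) would help. The commented-out `# "nvim::sniprun"` and `# "mariaDB"` entries are dead config with no reason given; either remove them or annotate, e.g. `# "mariaDB" # disabled until needed`. The attribute set is complete within the hunk.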
@@ -0,0 +1,35 @@
+users:
+ derped:
+ password: ENC[AES256_GCM,data:l3xTD5m/MNO99qIpTu2arNtzs0oOwPq+NL0hGOZ5+Xekbr+MnJL2veNxs1avKuG1x3fK45rciznpM4bVIRyGidwmQG27NDSlVQ==,iv:B2YZFB7sR3E5wYEMKZtXWD2Ye4VxZDZNCc5EUyzXZlk=,tag:dcoSycJi5ErenRYX8IcleA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbDdrMlJybVptVFVpemkz
+ U3FCRStNRG90ckFzMjE3ZzFMSjRZckxTS25BCmlLOXpROGVqRmZqSVp0VU1WZDZT
+ dDBwdGhITzBPcU5NajI1SnpnZDZaV3MKLS0tIGFHb1R2WitiVE9MYkhhZEI1WUFh
+ NDdUVEV2RWh4VVRDMkc2dm10VmdXRU0K5IqPF/wr1pWkmCBEjJzmWy9LQ0H6TywF
+ rAByGxWWm0EzhhQvF7NRtpU0yLjNOqf1FNi9Dn1S3CxCQoSl+sVHOw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-02T19:25:19Z"
+ mac: ENC[AES256_GCM,data:BGM/Ce65eji/IF5zPt8znozMIXbxljwzmXZf82EWvvSrFR8+gIGLvAcUcxbaJgPB2arFgb6PIsoM9UVNgMh0bQ9TguAi81BPMneBWJrUd8/PBsziBHRqYe9R0M9PSd8pJ+BWS6wNeZ+huTB1TT09FhQ8wYTEYx2U8XC/FaPTRz4=,iv:RrQGTMZB5ylM1zN9m9ekCBa0JtuwVm0GBFHqYdgh6vY=,tag:GmntLl63YOXXm+GCkWageg==,type:str]
+ pgp:
+ - created_at: "2024-12-31T15:20:27Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DVbZwA9DOvl8SAQdA6cc/1fo/WOTAQuTVrTdDkqO4SV7sPvRCyLoBqb202D0w
+ oKh8ioqXQH+hZKfcRm9tz0i17h80NcJ95Pycwbm3AyLxg2aawQ0t8iWI318CjBB5
+ 1GgBCQIQWJw87bsZcNErqPiiTVzKEVHoj4cnk68P2+Wl2smRSjp/+oWJUc9QGtT9
+ FBjbqJ+fMnJTZCZCALU7IXxteBJWoxII/GU0b4ux0obQjHBgW3bshRBFh50eva7S
+ miDJ6QE42KMxrQ==
+ =IvRX
+ -----END PGP MESSAGE-----
+ fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/machines/Marid/sops.nix b/machines/Marid/sops.nix
new file mode 100644
index 0000000..c0beee2
--- /dev/null
+++ b/machines/Marid/sops.nix
@@ -0,0 +1,11 @@
+_:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/persist/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+}
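Review bot: `lastmodified: "2024-12-02T19:25:19Z"` predates both the PGP recipient's `created_at: "2024-12-31T15:20:27Z"` and the commit date, which is consistent with a `sops updatekeys` re-key of a file that already existed; that suggests `secrets.yaml` was copied from another machine's secrets rather than created fresh, in which case the `users.derped.password` hash may be shared across hosts. If that is intended, a line in the commit message saying so would pre-empt the question; if not, set a Marid-specific hash so one host's shadow entry does not carry over to another. The recipient set (the `1F2E…7DC7E2` admin PGP key and the `age1uq4x…` key) matches the new `.sops.yaml` rule, so the encryption side is consistent.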
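Review bot: `generateKey = true;` creates a fresh age key at `/persist/var/lib/sops-nix/key.txt` when none exists, but the recipient in `.sops.yaml` and `secrets.yaml` is the fixed public key `age1uq4x…`, so a key generated on first boot cannot decrypt this file until its public half is added and `sops updatekeys` is run; the bootstrap order (copy the pre-generated private key into `/persist` before first activation, or re-key afterwards) should be written down, e.g. `# Key must exist before first boot; its public half is the marid recipient in .sops.yaml`. The same key is also bind-mounted by `impermanence.nix` as `/var/lib/sops-nix/key.txt`, so it is persisted twice; pointing `keyFile` at `/persist/...` already sidesteps mount ordering, which makes the `files` entry redundant, and if impermanence creates an empty placeholder for a missing source before activation, `generateKey` may treat it as an existing key, so keeping only one of the two is safer. The module is complete within the hunk.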