Marid: new machine init

.sops.yaml

@@ -1,6 +1,7 @@
 keys:
   - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
   - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
+  - &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
   - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
   - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
 creation_rules:
@@ -10,6 +11,12 @@ creation_rules:
       - *admins
       age:
       - *lilim
+  - path_regex: machines/Marid/[^/]+.yaml$
+    key_groups:
+    - pgp:
+      - *admins
+      age:
+      - *marid
   - path_regex: machines/Ophanim/[^/]+.yaml$
     key_groups:
     - pgp:

machines/Marid/configuration.nix

@@ -0,0 +1,19 @@
+{ lib, pkgs, ... }:
+{
+  networking.dhcpcd.extraConfig = "noarp";
+  system.stateVersion = "25.05"; # Did you read the comment?
+
+  services.gnome = {
+    evolution-data-server.enable = true;
+    gnome-keyring.enable = lib.mkForce false;
+  };
+  programs = {
+    dconf.enable = true;
+    evolution = {
+      enable = true;
+      plugins = [ pkgs.evolution-ews ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [ pv ];
+}

machines/Marid/hardware-configuration.nix

@@ -0,0 +1,128 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  nixos-hardware,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    nixos-hardware.nixosModules.lenovo-thinkpad-t14
+  ];
+
+  console.keyMap = "de";
+  services.xserver.xkb.layout = "de";
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "thunderbolt"
+        "usbhid"
+      ];
+      luks.devices."btrfs-crypt".device = "/dev/disk/by-uuid/d4f76a5f-bf47-4a03-b7dc-3a1a7f83c030";
+      kernelModules = [ ];
+    };
+    supportedFilesystems = [ "btrfs" ];
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [
+        "defaults"
+        "size=8G"
+        "mode=755"
+      ];
+    };
+    "/tmp" = {
+      device = "/dev/mapper/btrfs-crypt";
+      fsType = "btrfs";
+      options = [
+        "subvol=tmp"
+        "noatime"
+        "compress=zstd"
+      ];
+      neededForBoot = true;
+    };
+    "/persist" = {
+      device = "/dev/mapper/btrfs-crypt";
+      fsType = "btrfs";
+      options = [
+        "subvol=persist"
+        "noatime"
+        "compress=zstd"
+      ];
+      neededForBoot = true;
+    };
+    "/nix" = {
+      device = "/dev/mapper/btrfs-crypt";
+      fsType = "btrfs";
+      options = [
+        "subvol=nix"
+        "noatime"
+        "compress=zstd"
+      ];
+      neededForBoot = true;
+    };
+    "/snapshots" = {
+      device = "/dev/mapper/btrfs-crypt";
+      fsType = "btrfs";
+      options = [
+        "subvol=snapshots"
+        "noatime"
+        "compress=zstd"
+      ];
+      neededForBoot = false;
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/4FE7-0CC9";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = "powersave";
+  };
+
+  services = {
+    upower.enable = true;
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  time = {
+    timeZone = "Europe/Berlin";
+    hardwareClockInLocalTime = true;
+  };
+  networking.timeServers = [
+    "ntp1.zih.tu-dresden.de"
+    "ntp2.zih.tu-dresden.de"
+  ];
+}

machines/Marid/impermanence.nix

@@ -0,0 +1,48 @@
+{
+  lib,
+  config,
+  impermanence,
+  ...
+}:
+
+{
+  imports = [
+    impermanence.nixosModules.impermanence
+  ];
+
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    # TODO: Add default permissions
+    directories =
+      [
+        "/etc/nixos"
+        # Stores auto assigned user/group ids
+        "/var/lib/nixos"
+        "/var/log"
+        # User directories
+        "/home/derped/"
+      ]
+      ++ lib.optional config.services.ollama.enable "/var/lib/private/ollama"
+      ++ lib.optional config.programs.virt-manager.enable "/var/lib/libvirt"
+      ++ lib.optional config.networking.networkmanager.enable "/etc/NetworkManager/system-connections"
+      ++ lib.optionals config.virtualisation.podman.enable [
+        "/var/lib/containers/storage"
+        "/run/containers/storage"
+      ];
+
+    files =
+      [
+        "/etc/machine-id"
+        "/var/lib/sops-nix/key.txt"
+      ]
+      # remember last user and user sessions
+      ++ lib.optional config.programs.regreet.enable "/var/cache/regreet/cache.toml"
+      ++ lib.optional config.services.printing.enable "/etc/staticcups/printers.conf"
+      ++ lib.optionals config.services.openssh.enable [
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+      ];
+  };
+}

machines/Marid/options.nix

@@ -0,0 +1,81 @@
+{
+  ...
+}:
+
+{
+  config.machine = {
+    allowUnfree = true;
+    hostName = "Marid";
+    administrators = [
+      {
+        name = "derped";
+        id = 1337;
+      }
+    ];
+    conffiles = [
+      "etcfiles"
+      "etcvars"
+      "fonts"
+      "networkmanager"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "extra"
+      "mail_utils"
+      "nvim"
+      "nvim::cmp"
+      "nvim::fugitive"
+      "nvim::go"
+      "nvim::harpoon"
+      "nvim::hurl"
+      "nvim::kanagawa-nvim"
+      "nvim::lsp"
+      "nvim::lsp::bash"
+      "nvim::lsp::c"
+      "nvim::lsp::go"
+      "nvim::lsp::ltex"
+      "nvim::lsp::lua"
+      "nvim::lsp::markdown"
+      "nvim::lsp::nix-nil"
+      "nvim::lsp::python"
+      "nvim::lsp::typescript"
+      "nvim::lsp::yaml"
+      "nvim::lualine"
+      "nvim::nvim-highlight"
+      "nvim::oil-nvim"
+      "nvim::orgmode"
+      # "nvim::sniprun"
+      "nvim::telescope"
+      "nvim::tmux-navigate"
+      "nvim::treesitter"
+      "nvim::trim"
+      "nvim::undotree"
+      "nvim::which-key"
+      "cpp"
+    ];
+    services = [
+      "btrbk"
+      "btrfs"
+      "tmux"
+      "pipewire"
+      "docker"
+      "podman"
+      "ollama"
+      "virt-manager"
+      "virtualbox"
+      "cups"
+      "desktop"
+      "desktop::sway"
+      # "mariaDB"
+    ];
+    firewall = {
+      enable = true;
+      allowPing = true;
+      allowedUDPPorts = [ ];
+      allowedTCPPorts = [ ];
+      allowedUDPPortRanges = [ ];
+      allowedTCPPortRanges = [ ];
+    };
+  };
+}

machines/Marid/secrets.yaml

@@ -0,0 +1,35 @@
+users:
+    derped:
+        password: ENC[AES256_GCM,data:l3xTD5m/MNO99qIpTu2arNtzs0oOwPq+NL0hGOZ5+Xekbr+MnJL2veNxs1avKuG1x3fK45rciznpM4bVIRyGidwmQG27NDSlVQ==,iv:B2YZFB7sR3E5wYEMKZtXWD2Ye4VxZDZNCc5EUyzXZlk=,tag:dcoSycJi5ErenRYX8IcleA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbDdrMlJybVptVFVpemkz
+            U3FCRStNRG90ckFzMjE3ZzFMSjRZckxTS25BCmlLOXpROGVqRmZqSVp0VU1WZDZT
+            dDBwdGhITzBPcU5NajI1SnpnZDZaV3MKLS0tIGFHb1R2WitiVE9MYkhhZEI1WUFh
+            NDdUVEV2RWh4VVRDMkc2dm10VmdXRU0K5IqPF/wr1pWkmCBEjJzmWy9LQ0H6TywF
+            rAByGxWWm0EzhhQvF7NRtpU0yLjNOqf1FNi9Dn1S3CxCQoSl+sVHOw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-02T19:25:19Z"
+    mac: ENC[AES256_GCM,data:BGM/Ce65eji/IF5zPt8znozMIXbxljwzmXZf82EWvvSrFR8+gIGLvAcUcxbaJgPB2arFgb6PIsoM9UVNgMh0bQ9TguAi81BPMneBWJrUd8/PBsziBHRqYe9R0M9PSd8pJ+BWS6wNeZ+huTB1TT09FhQ8wYTEYx2U8XC/FaPTRz4=,iv:RrQGTMZB5ylM1zN9m9ekCBa0JtuwVm0GBFHqYdgh6vY=,tag:GmntLl63YOXXm+GCkWageg==,type:str]
+    pgp:
+        - created_at: "2024-12-31T15:20:27Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DVbZwA9DOvl8SAQdA6cc/1fo/WOTAQuTVrTdDkqO4SV7sPvRCyLoBqb202D0w
+            oKh8ioqXQH+hZKfcRm9tz0i17h80NcJ95Pycwbm3AyLxg2aawQ0t8iWI318CjBB5
+            1GgBCQIQWJw87bsZcNErqPiiTVzKEVHoj4cnk68P2+Wl2smRSjp/+oWJUc9QGtT9
+            FBjbqJ+fMnJTZCZCALU7IXxteBJWoxII/GU0b4ux0obQjHBgW3bshRBFh50eva7S
+            miDJ6QE42KMxrQ==
+            =IvRX
+            -----END PGP MESSAGE-----
+          fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

machines/Marid/sops.nix

@@ -0,0 +1,11 @@
+_:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    age = {
+      keyFile = "/persist/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+  };
+}