feat(alys): add alys host configuration

flake.nix

@@ -80,6 +80,17 @@
     };
 
     homeConfigurations = {
+      "phundrak@alys" = home-manager.lib.homeManagerConfiguration {
+        pkgs = nixpkgs.legacyPackages.x86_64-linux;
+        extraSpecialArgs = {
+          inherit inputs outputs;
+          home-conf = "minimal";
+        };
+        modules = [
+          ./users/phundrak/alys.nix
+          inputs.sops-nix.homeManagerModules.sops
+        ];
+      };
       "phundrak@marpa" = home-manager.lib.homeManagerConfiguration {
         pkgs = nixpkgs.legacyPackages.x86_64-linux;
         extraSpecialArgs = {
@@ -116,6 +127,13 @@
     };
 
     nixosConfigurations = {
+      alys = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs;};
+        modules = [
+          ./hosts/alys/configuration.nix
+          inputs.sops-nix.nixosModules.sops
+        ];
+      };
       gampo = nixpkgs.lib.nixosSystem {
         specialArgs = {inherit inputs outputs;};
         modules = [

hosts/alys/configuration.nix

@@ -0,0 +1,64 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ./host.nix
+    inputs.home-manager.nixosModules.default
+    ../../modules/locale.nix
+    ../../modules/system.nix
+    ../../modules/ssh.nix
+    ../../modules/endlessh.nix
+    ../../programs/nano.nix
+  ];
+
+  zramSwap.enable = true;
+
+  # networking.domain = "phundrak.com";
+  system = {
+    amdgpu.enable = false;
+    boot = {
+      kernel = {
+        hardened = true;
+        cpuVendor = "amd";
+      };
+      systemd-boot = false;
+      zfs.enable = false;
+    };
+    networking = {
+      hostname = "alys";
+      domain = "phundrak.com";
+      id = "41157110";
+      firewall.openPorts = [
+        22
+      ];
+    };
+    sound.enable = false;
+    users = {
+      root.disablePassword = true;
+      phundrak = true;
+    };
+  };
+
+  modules = {
+    ssh = {
+      enable = true;
+      allowedUsers = ["phundrak"];
+      passwordAuthentication = false;
+    };
+    endlessh.enable = false;
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = [pkgs.openssl];
+
+  # networking.hostName = "alys";
+  # users.users.root.openssh.authorizedKeys.keys = [
+  #   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+b7BE/gHrHVkqNVfHtp2r4OCUDdohst8hb3Bz5tYtx3gvXJQCB1rFc2hgQJf8FsVyQbidS64lnhU1rUIEbFhv7itT5FGGUnfJEYs64W30wKsnPSb5WXdFXzrNi8za48i2oNl9JA9Fj9k6isyvkTup89hB+ELbXIcfz3bM93WaAt2dIgKijXaAMAAA+tHhgWvlrHlvGlU9/KxY3ZOQSoEboPXd7TDyOf1672eAibYyb5h1HIewYZ+xv1X4dxx/c9Arh4K0s8scuB7XTQQkEbRUEYKD2YXKN83Z09jfMlMYuBAKKO8zU4CM2KTbL7kEVgNc/ArY+uCAakmC5+eS7LxMuOt86+Bi4gXTJ6o6dbfUbCGiq751ni8pg44YSfwYiI05vvZ08eIyNkowumD+X4GRW4tu0I3qK8TI7exeEeoQIwlSfLXlYHEdNB8Q3feLyhHMRkxXgUskbXwWIBexLzJyY40tyqQplZWbYGrUEmjxZ7FWmaV+o8ZjnU2GfJ8JoWyCnEYfRc6Z2ILdXNDRzZ9qYOwefMHtuaYaYYximL+zdVVrm4EZuOetmaJ6zblk4ebU3GZjYykB8DmCDFDZO9koKwzPazLKQl0OWzmQqgxVNg7Mg1NZbuRQgVAhKPelnqejaXbf2/IHAYBn5LDR1Jew5+srlstM9XuYG2whEOx84w== Lucien Cartier-Tilet <lucien@phundrak.com>"
+  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw9oiK8tZ5Vpz82RaRLpITU8qeJrT2hjvudGEDQu2QW lucien@phundrak.com"
+  # ];
+  system.stateVersion = "23.11";
+}

hosts/alys/hardware-configuration.nix

@@ -0,0 +1,28 @@
+{
+  modulesPath,
+  lib,
+  ...
+}: {
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+  boot = {
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+    initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+    initrd.kernelModules = ["nvme"];
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/vda1";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/F137-8D01";
+      fsType = "vfat";
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/alys/host.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [neofetch vim emacs];
+}

modules/boot.nix

@@ -30,6 +30,11 @@ in {
       };
       hardened = mkEnableOption "Enables hardened Linux kernel";
     };
+    systemd-boot = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Does the system use systemd-boot?";
+    };
     zfs = {
       enable = mkEnableOption "Enables ZFS";
       pools = mkOption {
@@ -42,8 +47,8 @@ in {
   config.boot = {
     initrd.kernelModules = lists.optional cfg.amdgpu.enable "amdgpu";
     loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = cfg.systemd-boot;
+      efi.canTouchEfiVariables = cfg.systemd-boot;
     };
     supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
     zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;

modules/keys/id_alys.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com

modules/networking.nix

@@ -6,28 +6,33 @@
 with lib; let
   cfg = config.modules.networking;
 in {
-  options.modules.networking = {
+  options.modules.networking = with types; {
     hostname = mkOption {
-      type = types.str;
+      type = str;
       example = "gampo";
     };
     id = mkOption {
-      type = types.str;
+      type = str;
       example = "deadb33f";
     };
+    domain = mkOption {
+      type = nullOr str;
+      example = "phundrak.com";
+      default = null;
+    };
     hostFiles = mkOption {
-      type = types.listOf types.path;
+      type = listOf path;
       example = [/path/to/hostFile];
       default = [];
     };
     firewall = {
       openPorts = mkOption {
-        type = types.listOf types.int;
+        type = listOf int;
         example = [22 80 443];
         default = [];
       };
       openPortRanges = mkOption {
-        type = types.listOf (types.attrsOf types.port);
+        type = listOf (attrsOf port);
         default = [];
         example = [
           {
@@ -41,7 +46,7 @@ in {
         '';
       };
       extraCommands = mkOption {
-        type = types.nullOr types.lines;
+        type = nullOr lines;
         example = "iptables -A INPUTS -p icmp -j ACCEPT";
         default = null;
       };
@@ -52,7 +57,7 @@ in {
     hostName = cfg.hostname; # Define your hostname.
     hostId = cfg.id;
     networkmanager.enable = true;
-    inherit (cfg) hostFiles;
+    inherit (cfg) hostFiles domain;
     firewall = {
       enable = true;
       allowedTCPPorts = cfg.firewall.openPorts;

modules/system.nix

@@ -20,35 +20,40 @@ in {
     ./dev/docker.nix
   ];
 
-  options.system = {
+  options.system = with types; {
     amdgpu.enable = mkEnableOption "Enables AMD GPU support";
     boot = {
       kernel = {
         package = mkOption {
-          type = types.raw;
+          type = raw;
           default = pkgs.linuxPackages_zen;
         };
         modules = mkOption {
-          type = types.listOf types.str;
+          type = listOf str;
           default = [];
         };
         cpuVendor = mkOption {
           description = "Intel or AMD?";
-          type = types.enum ["intel" "amd"];
+          type = enum ["intel" "amd"];
           default = "amd";
         };
         v4l2loopback = mkOption {
           description = "Enables v4l2loopback";
-          type = types.bool;
+          type = bool;
           default = true;
         };
         hardened = mkEnableOption "Enables hardened Linux kernel";
       };
+      systemd-boot = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Does the system use systemd-boot?";
+      };
       plymouth.enable = mkEnableOption "Enables Plymouth";
       zfs = {
         enable = mkEnableOption "Enables ZFS";
         pools = mkOption {
-          type = types.listOf types.str;
+          type = listOf str;
           default = [];
         };
       };
@@ -61,26 +66,31 @@ in {
     };
     networking = {
       hostname = mkOption {
-        type = types.str;
+        type = str;
         example = "gampo";
       };
       id = mkOption {
-        type = types.str;
+        type = str;
         example = "deadb33f";
       };
+      domain = mkOption {
+        type = nullOr str;
+        example = "phundrak.com";
+        default = null;
+      };
       hostFiles = mkOption {
-        type = types.listOf types.path;
+        type = listOf path;
         example = [/path/to/hostFile];
         default = [];
       };
       firewall = {
         openPorts = mkOption {
-          type = types.listOf types.int;
+          type = listOf int;
           example = [22 80 443];
           default = [];
         };
         openPortRanges = mkOption {
-          type = types.listOf (types.attrsOf types.port);
+          type = listOf (attrsOf port);
           default = [];
           example = [
             {
@@ -94,7 +104,7 @@ in {
           '';
         };
         extraCommands = mkOption {
-          type = types.nullOr types.lines;
+          type = nullOr lines;
           example = "iptables -A INPUTS -p icmp -j ACCEPT";
           default = null;
         };
@@ -102,20 +112,20 @@ in {
     };
     nix = {
       disableSandbox = mkOption {
-        type = types.bool;
+        type = bool;
         default = false;
       };
       gc = {
         automatic = mkOption {
-          type = types.bool;
+          type = bool;
           default = true;
         };
         dates = mkOption {
-          type = types.str;
+          type = str;
           default = "Monday 01:00 UTC";
         };
         options = mkOption {
-          type = types.str;
+          type = str;
           default = "--delete-older-than 30d";
         };
       };
@@ -123,19 +133,19 @@ in {
     sound = {
       enable = mkEnableOption "Whether to enable sounds with Pipewire";
       alsa = mkOption {
-        type = types.bool;
+        type = bool;
         example = true;
         default = true;
         description = "Whether to enable ALSA support with Pipewire";
       };
       jack = mkOption {
-        type = types.bool;
+        type = bool;
         example = true;
         default = false;
         description = "Whether to enable JACK support with Pipewire";
       };
       package = mkOption {
-        type = types.package;
+        type = package;
         example = pkgs.pulseaudio;
         default = pkgs.pulseaudioFull;
         description = "Which base package to use for PulseAudio";
@@ -144,27 +154,28 @@ in {
     users = {
       root.disablePassword = mkEnableOption "Disables root password";
       phundrak = mkOption {
-        type = types.bool;
+        type = bool;
         default = true;
       };
     };
     timezone = mkOption {
-      type = types.str;
+      type = str;
       default = "Europe/Paris";
     };
     console.keyMap = mkOption {
-      type = types.str;
+      type = str;
       default = "fr";
     };
   };
 
   config = {
+    boot.tmp.cleanOnBoot = true;
     time.timeZone = cfg.timezone;
     console.keyMap = cfg.console.keyMap;
     modules = {
       boot = {
         inherit (cfg) amdgpu;
-        inherit (cfg.boot) kernel plymouth zfs;
+        inherit (cfg.boot) kernel systemd-boot plymouth zfs;
       };
       inherit (cfg) sound users networking docker amdgpu;
     };

modules/users.nix

@@ -26,12 +26,7 @@ in {
         description = "Lucien Cartier-Tilet";
         extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman"];
         shell = pkgs.zsh;
-        openssh.authorizedKeys.keyFiles = [
-          ./keys/id_gampo.pub
-          ./keys/id_marpa.pub
-          ./keys/id_tilo.pub
-          ./keys/id_opn4.pub
-        ];
+        openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ./keys;
       };
     };
     programs.zsh.enable = true;

secrets/secrets.yaml

@@ -4,7 +4,7 @@ mopidy:
     bandcamp: ENC[AES256_GCM,data:diEx2fbkOR1oUav81jU5bNt/KNmbOaVzLV+G3zBUVXE7nEQpZNqVom0rgNrEVDGzH3u/IaA5eqG5ce9lE0BomeY8Z4MWI1xujhX5KsXdv21aw4UwsNgyLPuWhkN2POUMfCJlvekc/TFfFvJHyysx8aKxeI4dsg==,iv:cxx0cVkjOPG+hMD8JctJHdcICJt7ozpfRBVSCDBo6Ro=,tag:JRjwwvieGaGZJ+k56HWFaw==,type:str]
 emailPassword: ENC[AES256_GCM,data:LALAvyuNN9bfa8D6ZK1YiFXRfxLOBi9kXA0N0Kr7h18eAI4hWQ==,iv:WtidILFfWCMKylax52JP+X57GfZyYlxJtiwrC6SADik=,tag:NvOrsL3fbmxQZp06GZhUZA==,type:str]
 ssh:
-    hosts: ENC[AES256_GCM,data:jLLehzuBuBh22ZukRlqjQJNBg0ri8go58SJfs4GjNqNdvI/H0NWRS0apqLPzERkbpPipex3kUiFIc6BH+usSSpfh/MWico8qZDKVD7Ekx6F8k45I2Pq+mbLsMEo3XfjcnfYgDWn2I7/jyidBsvA+m9VnjU8/Cnk5O/YeIZQRvfOZ4xc8zw7C/vqmxsNi2KZr+2N23L+eetoKM4J6AigmINH41wAL3/RlB0oCpjSHSkbp7Glu2LlyJygS52p9m5pq4QBXtoiu5AJ6qG17LrypmDjfxE2zU2R3Zu6VLbs4zWQY2+W36j33Fm5nMkMMPJAEdRR27HPxM2EAEuH4OI1Jbup669sln9nJxnO2zYveplNPsAb3a16D4L9rwSzUd1s2W+NlqBSYdyAktuvtPWf1vAg9+Fob9jUgUFGTQpNF8Xj1n+DqvXlLQknsB/7EhNSSnYyQS36wHF9KBHJwexpYbhnGiMuLjN6KXbr/YYawocSA/5o8s6X/tRXKMkXtZjoEsyr1aNMj+4gSHaSUOG78r3VwAHLOXNez67xFpKMa/IQfQhj2Zng8142hhL4hPyNtuTOK3oVvPjZtAfbfxesUi+Zx2VhaJsnmj6J4gAOWU9nVpol67V0hNSD4LMUOZwwPst11IyJsXjkKKY0iy7ykFMTk6KalkVUqlYOmQRIXtBE9sD4esC+FGH1ONi3n0tbG7YivmV3YSmxk0RvQ/YlKGOchKpPH/bzN/X+NZh6A3Uk5uDsqU+GOjfDY2yIgetw4FAQ42YMxNmTJjq6MpcaETb5eQm8wee4QaVODocXHyknfWs6FYGNUjQpYp3+zxKJovHuKQcFgug3t8Si5hKnQz6KDZNaoDE0UMBR2ABbAX1Bcvu0lLHzaPXpGfXyoAe+B3MwF9/TTVkCNNYhNKm63P7qUuIbKLLCDXH6e4y5YiIF8Sl9jF/kR8v8MbLgrAROx8NlTm5CqNhQWOPQQyQXvXEl5hwHyF9ptrXUB9wIe,iv:6Lzbf+DBTfaZj7NhTJ07dVPuaViP61V4N2QHPTEFzMQ=,tag:8t4c0DJmAwg/0qRLBW4vCQ==,type:str]
+    hosts: ENC[AES256_GCM,data:X/MrxeaqJnggoL9X8Y0+15A52FoihVRFp4vBZNr/QlJAKRn0B1eH6LI4wVzNokMbPUGlmYEElShy38ce+7EehL5HJcbwpEquvgQpLN2lZ4FhMLbW7yN3Q8DdZKqv4RNsm8vjuJPGwHGEVOhdvvnyM6IVpvLvMuH7MLJg4hLSArBzX7N0i5qg8piWI3pHqoPV4yO7kysSSF7D13HXen3fX+dbpBno/n0U+Xq8gcFyUKAqN6h65frkH2pyQcxIrCYcsFoJcU2jIzUY94xCSZZT7ocItzKD5YtVRki6F4Gh0/QgFeFcCn20Z0w8B7WvkjcR98FE+i5D9128uv2iiKEyeNaB4hc14dFCG4iZWW1KcSUojBnXHpFj22aByJaxjcFVg5BIVyde8L4hEinztWjNwbRzi1d9b34qeARcEzDQ3fwSNL/XFrlTvNZp565y/rPBLceksELewpWyX4Te3fuNOOw7hQqX3cjbGfw/FNuBVI/jnkEC+acGi23HnwmnDz87KCGZ738OAQ78F5awuoHnHhePvj0bUe3DTdW9Uj8amnaq1IeIu/BBcutewgez7ZHWamIWiOuVaZUISD6wrYk4pe5KqAZieUdotxbx7eihpw0ozEzQaNU3WBwQ8YxIyEnzcnsAihXCcgbm1/8FzWxghN3elA48UqVwaa4ZHK01l8+jD5yGjuCTCcpmSkVZBg8XrH7VWm+pZMCt3FRus3vFWq/iLsapIu6YSWG+mCYCjEK5hhbZs7ELxpdIzCw6Hiqm+P4nWVwA0ddbtSA7Rhu33CTKzdc0/KIQN78U0P+AsV0tVy7oLboIEZhpsj6XXYwQv5q9d0eJw/hibsqHdRb144Zn0hJDqxe/R+vCDk2iC3OYx5pG4oFbBG8V487QC67TG4Q+ztGCL8+W8+ZoVjK+atfA2LVHVWobFWNmqAE9CbVu8cbW3BhAtWrBZGgUMW5noFi64U411QEPS88odXtaqhUoN77rMhYCtVBxSSkGMWvwY2VZn6UvY8NZTExD5rJmDU9rRHmCNHq4WaAjxUg1rzwd4VO9CDnCf2gSeF466blpf2JEky8=,iv:0laLebvzVUMrKT30Jx/HaRS426PsWD3oFTesV4tnnDg=,tag:DApK5SSAriLib00FTz+jcg==,type:str]
 sops:
     age:
         - recipient: age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
@@ -61,7 +61,7 @@ sops:
             QmJKNDJUY0RSakhwNWlkOVpib0trc1kK0tQxD9I82pjfs54eruu+IjzVUmcVBCPw
             9mp1xKiYRRMXt3YQn6MPiyuuX3l3UB5MH0RJMNtRq0D961rs+iiS5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-04T01:05:13Z"
-    mac: ENC[AES256_GCM,data:/wuo0bg48xlbP074JJ0rtmclWMG9vjlJnWjJnUaz45m+Gqj4IzA5ctSZdNnFTb7/CXkynJdFHme4/Nz8I/6+zzTFBeo/nVw43s1n0XmMqVYb2U/FTikvCMowHNnfMTY5Q83jD1MtE3XsRSCzxe649D4Zbcja8XG42v5rOt3geMA=,iv:n/yFp5f+LK8JaikifjRuieNtmcazl2VNz8rIzbvgBO8=,tag:Fs4+St1lxMn+VdEoP+Eo8g==,type:str]
+    lastmodified: "2025-07-06T19:20:04Z"
+    mac: ENC[AES256_GCM,data:59Mu6RlGEXV7BsNsX0yIr/zUgl9gvk77o2moF4D7GgPwllSVFLRB8Y3LvE7+NXLIjLj19nrK6b99CiH08NmWhSBO37+xXU/eYQ/W2wIEVIxfmhVcF9ePIZPwVuegLZ707S8jZDOcYzPOQuURe9hhbxJJPgHzzPzYoh7yushYUME=,iv:h6DCciUZtRMZFGB7PMfg4xnOWxyKQS/vfnOG1tqVfrI=,tag:q65pnHbLcUG+Gxo7K3Ca1w==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

users/phundrak/alys.nix

@@ -0,0 +1,8 @@
+{
+  imports = [./light-home.nix];
+  home.phundrak.sshKey = {
+    content = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com";
+    file = "/home/phundrak/.ssh/id_ed25519.pub";
+  };
+  modules.nh.flake = "/home/phundrak/.dotfiles";
+}