diff --git a/flake.nix b/flake.nix
index e26065f..463ef92 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,6 +80,17 @@
 };
 homeConfigurations = {
+ "phundrak@alys" = home-manager.lib.homeManagerConfiguration {
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ extraSpecialArgs = {
+ inherit inputs outputs;
+ home-conf = "minimal";
+ };
+ modules = [
+ ./users/phundrak/alys.nix
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+ };
 "phundrak@marpa" = home-manager.lib.homeManagerConfiguration {
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 extraSpecialArgs = {
@@ -116,6 +127,13 @@
 };
 nixosConfigurations = {
+ alys = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs outputs;};
+ modules = [
+ ./hosts/alys/configuration.nix
+ inputs.sops-nix.nixosModules.sops
+ ];
+ };
 gampo = nixpkgs.lib.nixosSystem {
 specialArgs = {inherit inputs outputs;};
 modules = [
diff --git a/hosts/alys/configuration.nix b/hosts/alys/configuration.nix
new file mode 100644
index 0000000..eb0e6e1
--- /dev/null
+++ b/hosts/alys/configuration.nix
@@ -0,0 +1,64 @@
+{
+ pkgs,
+ inputs,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./host.nix
+ inputs.home-manager.nixosModules.default
+ ../../modules/locale.nix
+ ../../modules/system.nix
+ ../../modules/ssh.nix
+ ../../modules/endlessh.nix
+ ../../programs/nano.nix
+ ];
+
+ zramSwap.enable = true;
+
+ # networking.domain = "phundrak.com";
+ system = {
+ amdgpu.enable = false;
+ boot = {
+ kernel = {
+ hardened = true;
+ cpuVendor = "amd";
+ };
+ systemd-boot = false;
+ zfs.enable = false;
+ };
+ networking = {
+ hostname = "alys";
+ domain = "phundrak.com";
+ id = "41157110";
+ firewall.openPorts = [
+ 22
+ ];
+ };
+ sound.enable = false;
+ users = {
+ root.disablePassword = true;
+ phundrak = true;
+ };
+ };
+
+ modules = {
+ ssh = {
+ enable = true;
+ allowedUsers = ["phundrak"];
+ passwordAuthentication = false;
+ };
+ endlessh.enable = false;
+ };
+
+ nixpkgs.config.allowUnfree = true;
+
+ environment.systemPackages = [pkgs.openssl];
+
+ # networking.hostName = "alys";
+ # users.users.root.openssh.authorizedKeys.keys = [
+ # "ssh-rsa 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 Lucien Cartier-Tilet "
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw9oiK8tZ5Vpz82RaRLpITU8qeJrT2hjvudGEDQu2QW lucien@phundrak.com"
+ # ];
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/alys/hardware-configuration.nix b/hosts/alys/hardware-configuration.nix
new file mode 100644
index 0000000..c03e0f2
--- /dev/null
+++ b/hosts/alys/hardware-configuration.nix
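Review bot: The commented-out `users.users.root.openssh.authorizedKeys.keys` block at the end of the file (the `# "ssh-rsa …"` and `# "ssh-ed25519 …"` lines) is dead configuration that a later uncomment would turn into root key login, contradicting `system.users.root.disablePassword = true` and `modules.ssh.allowedUsers = ["phundrak"]` set earlier in the same file; delete it together with the duplicate `# networking.hostName` and `# networking.domain` comments, since `system.networking.hostname` and `domain` now carry those values. Whether the ssh module also sets PermitRootLogin is not visible in this diff and is worth confirming. `modules.endlessh.enable = false` while `../../modules/endlessh.nix` stays imported is harmless but reads as leftover scaffolding; a one-line comment on why it is imported yet disabled would help the next reader.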
@@ -0,0 +1,28 @@
+{
+ modulesPath,
+ lib,
+ ...
+}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+ boot = {
+ loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+ initrd.kernelModules = ["nvme"];
+ };
+ fileSystems = {
+ "/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/F137-8D01";
+ fsType = "vfat";
+ };
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/alys/host.nix b/hosts/alys/host.nix
new file mode 100644
index 0000000..942bb71
--- /dev/null
+++ b/hosts/alys/host.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [neofetch vim emacs];
+}
diff --git a/modules/boot.nix b/modules/boot.nix
index 9bdc23f..28b3b1d 100644
--- a/modules/boot.nix
+++ b/modules/boot.nix
@@ -30,6 +30,11 @@ in {
 };
 hardened = mkEnableOption "Enables hardened Linux kernel";
 };
+ systemd-boot = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Does the system use systemd-boot?";
+ };
 zfs = {
 enable = mkEnableOption "Enables ZFS";
 pools = mkOption {
@@ -42,8 +47,8 @@ in {
 config.boot = {
 initrd.kernelModules = lists.optional cfg.amdgpu.enable "amdgpu";
 loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
+ systemd-boot.enable = cfg.systemd-boot;
+ efi.canTouchEfiVariables = cfg.systemd-boot;
 };
 supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
 zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;
diff --git a/modules/keys/id_alys.pub b/modules/keys/id_alys.pub
new file mode 100644
index 0000000..a145236
--- /dev/null
+++ b/modules/keys/id_alys.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com
\ No newline at end of file
diff --git a/modules/networking.nix b/modules/networking.nix
index 0ccaf08..97d8269 100644
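Review bot: In the second modules/boot.nix hunk, `efi.canTouchEfiVariables = cfg.systemd-boot;` ties two unrelated settings to one flag: switching systemd-boot off also forbids writing EFI variables, so a host using GRUB in EFI mode has to work around it (hosts/alys/hardware-configuration.nix in this same commit sets `efiInstallAsRemovable = true`, which looks like exactly that workaround). Either keep a separate option for EFI variable access or make the coupling explicit in the option added by the first hunk, e.g. `description = "Whether to use systemd-boot; when false this module configures no loader and leaves EFI variables untouched (efi.canTouchEfiVariables = false).";`. The question-style `"Does the system use systemd-boot?"` also reads differently from the declarative descriptions on the neighbouring options in this file.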
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -6,28 +6,33 @@ with lib;
 let
 cfg = config.modules.networking;
 in {
- options.modules.networking = {
+ options.modules.networking = with types; {
 hostname = mkOption {
- type = types.str;
+ type = str;
 example = "gampo";
 };
 id = mkOption {
- type = types.str;
+ type = str;
 example = "deadb33f";
 };
+ domain = mkOption {
+ type = nullOr str;
+ example = "phundrak.com";
+ default = null;
+ };
 hostFiles = mkOption {
- type = types.listOf types.path;
+ type = listOf path;
 example = [/path/to/hostFile];
 default = [];
 };
 firewall = {
 openPorts = mkOption {
- type = types.listOf types.int;
+ type = listOf int;
 example = [22 80 443];
 default = [];
 };
 openPortRanges = mkOption {
- type = types.listOf (types.attrsOf types.port);
+ type = listOf (attrsOf port);
 default = [];
 example = [
 {
@@ -41,7 +46,7 @@ in {
 '';
 };
 extraCommands = mkOption {
- type = types.nullOr types.lines;
+ type = nullOr lines;
 example = "iptables -A INPUTS -p icmp -j ACCEPT";
 default = null;
 };
@@ -52,7 +57,7 @@ in {
 hostName = cfg.hostname; # Define your hostname.
 hostId = cfg.id;
 networkmanager.enable = true;
- inherit (cfg) hostFiles;
+ inherit (cfg) hostFiles domain;
 firewall = {
 enable = true;
 allowedTCPPorts = cfg.firewall.openPorts;
diff --git a/modules/system.nix b/modules/system.nix
index 38272e7..234d73d 100644
--- a/modules/system.nix
+++ b/modules/system.nix
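Review bot: In the first modules/networking.nix hunk, `openPorts` keeps `type = listOf int;` although `openPortRanges` just below already uses the `port` type; `type = listOf port;` would reject out-of-range values when the configuration is evaluated rather than when the firewall rules are applied, and the same line is repeated in modules/system.nix in this commit. The new `domain` option has no `description`; suggest `description = "DNS domain of the host, forwarded to networking.domain; null leaves it unset.";`, which also documents the `inherit (cfg) hostFiles domain;` forwarding in the last hunk of this file.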
@@ -20,35 +20,40 @@ in {
 ./dev/docker.nix
 ];
- options.system = {
+ options.system = with types; {
 amdgpu.enable = mkEnableOption "Enables AMD GPU support";
 boot = {
 kernel = {
 package = mkOption {
- type = types.raw;
+ type = raw;
 default = pkgs.linuxPackages_zen;
 };
 modules = mkOption {
- type = types.listOf types.str;
+ type = listOf str;
 default = [];
 };
 cpuVendor = mkOption {
 description = "Intel or AMD?";
- type = types.enum ["intel" "amd"];
+ type = enum ["intel" "amd"];
 default = "amd";
 };
 v4l2loopback = mkOption {
 description = "Enables v4l2loopback";
- type = types.bool;
+ type = bool;
 default = true;
 };
 hardened = mkEnableOption "Enables hardened Linux kernel";
 };
+ systemd-boot = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Does the system use systemd-boot?";
+ };
 plymouth.enable = mkEnableOption "Enables Plymouth";
 zfs = {
 enable = mkEnableOption "Enables ZFS";
 pools = mkOption {
- type = types.listOf types.str;
+ type = listOf str;
 default = [];
 };
 };
@@ -61,26 +66,31 @@ in {
 };
 networking = {
 hostname = mkOption {
- type = types.str;
+ type = str;
 example = "gampo";
 };
 id = mkOption {
- type = types.str;
+ type = str;
 example = "deadb33f";
 };
+ domain = mkOption {
+ type = nullOr str;
+ example = "phundrak.com";
+ default = null;
+ };
 hostFiles = mkOption {
- type = types.listOf types.path;
+ type = listOf path;
 example = [/path/to/hostFile];
 default = [];
 };
 firewall = {
 openPorts = mkOption {
- type = types.listOf types.int;
+ type = listOf int;
 example = [22 80 443];
 default = [];
 };
 openPortRanges = mkOption {
- type = types.listOf (types.attrsOf types.port);
+ type = listOf (attrsOf port);
 default = [];
 example = [
 {
@@ -94,7 +104,7 @@ in {
 '';
 };
 extraCommands = mkOption {
- type = types.nullOr types.lines;
+ type = nullOr lines;
 example = "iptables -A INPUTS -p icmp -j ACCEPT";
 default = null;
 };
@@ -102,20 +112,20 @@ in {
 };
 nix = {
 disableSandbox = mkOption {
- type = types.bool;
+ type = bool;
 default = false;
 };
 gc = {
 automatic = mkOption {
- type = types.bool;
+ type = bool;
 default = true;
 };
 dates = mkOption {
- type = types.str;
+ type = str;
 default = "Monday 01:00 UTC";
 };
 options = mkOption {
- type = types.str;
+ type = str;
 default = "--delete-older-than 30d";
 };
 };
@@ -123,19 +133,19 @@ in {
 sound = {
 enable = mkEnableOption "Whether to enable sounds with Pipewire";
 alsa = mkOption {
- type = types.bool;
+ type = bool;
 example = true;
 default = true;
 description = "Whether to enable ALSA support with Pipewire";
 };
 jack = mkOption {
- type = types.bool;
+ type = bool;
 example = true;
 default = false;
 description = "Whether to enable JACK support with Pipewire";
 };
 package = mkOption {
- type = types.package;
+ type = package;
 example = pkgs.pulseaudio;
 default = pkgs.pulseaudioFull;
 description = "Which base package to use for PulseAudio";
@@ -144,27 +154,28 @@ in {
 users = {
 root.disablePassword = mkEnableOption "Disables root password";
 phundrak = mkOption {
- type = types.bool;
+ type = bool;
 default = true;
 };
 };
 timezone = mkOption {
- type = types.str;
+ type = str;
 default = "Europe/Paris";
 };
 console.keyMap = mkOption {
- type = types.str;
+ type = str;
 default = "fr";
 };
 };
 config = {
+ boot.tmp.cleanOnBoot = true;
 time.timeZone = cfg.timezone;
 console.keyMap = cfg.console.keyMap;
 modules = {
 boot = {
 inherit (cfg) amdgpu;
- inherit (cfg.boot) kernel plymouth zfs;
+ inherit (cfg.boot) kernel systemd-boot plymouth zfs;
 };
 inherit (cfg) sound users networking docker amdgpu;
 };
diff --git a/modules/users.nix b/modules/users.nix
index aae7394..f21de52 100644
--- a/modules/users.nix
+++ b/modules/users.nix
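Review bot: `boot.tmp.cleanOnBoot = true;` in the `config` block of the last modules/system.nix hunk is an unconditional behaviour change for every host importing this module, unrelated to the `with types;` rewrite that makes up the rest of the commit, and nothing documents it; either expose it as an option next to `nix.disableSandbox` (a `mkOption { type = bool; default = true; … }` forwarded from `config`) or add a comment above the line stating why it is forced on for all hosts. In the first modules/system.nix hunk the new `systemd-boot` option still writes `type = types.bool;` although the block is now under `with types;`; `type = bool;` matches the surrounding lines.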
@@ -26,12 +26,7 @@ in {
 description = "Lucien Cartier-Tilet";
 extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman"];
 shell = pkgs.zsh;
- openssh.authorizedKeys.keyFiles = [
- ./keys/id_gampo.pub
- ./keys/id_marpa.pub
- ./keys/id_tilo.pub
- ./keys/id_opn4.pub
- ];
+ openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ./keys;
 };
 };
 programs.zsh.enable = true;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index b04f8f8..bb638bf 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -4,7 +4,7 @@ mopidy:
 bandcamp: ENC[AES256_GCM,data:diEx2fbkOR1oUav81jU5bNt/KNmbOaVzLV+G3zBUVXE7nEQpZNqVom0rgNrEVDGzH3u/IaA5eqG5ce9lE0BomeY8Z4MWI1xujhX5KsXdv21aw4UwsNgyLPuWhkN2POUMfCJlvekc/TFfFvJHyysx8aKxeI4dsg==,iv:cxx0cVkjOPG+hMD8JctJHdcICJt7ozpfRBVSCDBo6Ro=,tag:JRjwwvieGaGZJ+k56HWFaw==,type:str]
 emailPassword: ENC[AES256_GCM,data:LALAvyuNN9bfa8D6ZK1YiFXRfxLOBi9kXA0N0Kr7h18eAI4hWQ==,iv:WtidILFfWCMKylax52JP+X57GfZyYlxJtiwrC6SADik=,tag:NvOrsL3fbmxQZp06GZhUZA==,type:str]
 ssh:
- hosts: ENC[AES256_GCM,data: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,iv:6Lzbf+DBTfaZj7NhTJ07dVPuaViP61V4N2QHPTEFzMQ=,tag:8t4c0DJmAwg/0qRLBW4vCQ==,type:str]
+ hosts: ENC[AES256_GCM,data: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,iv:0laLebvzVUMrKT30Jx/HaRS426PsWD3oFTesV4tnnDg=,tag:DApK5SSAriLib00FTz+jcg==,type:str]
 sops:
 age:
 - recipient: age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
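Review bot: `lib.filesystem.listFilesRecursive ./keys` authorizes every file under modules/keys, at any depth and regardless of name, for the phundrak account, where the removed list named four specific `.pub` files; any file that lands in that directory by mistake becomes authorized key material for a user in `wheel`. Restrict it to public-key files, e.g. `openssh.authorizedKeys.keyFiles = builtins.filter (f: lib.hasSuffix ".pub" (toString f)) (lib.filesystem.listFilesRecursive ./keys);`, and add a comment above the line noting that dropping a file into modules/keys grants login, since that is no longer visible from this module. The enclosing user definition starts before this hunk.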
@@ -61,7 +61,7 @@ sops:
 QmJKNDJUY0RSakhwNWlkOVpib0trc1kK0tQxD9I82pjfs54eruu+IjzVUmcVBCPw
 9mp1xKiYRRMXt3YQn6MPiyuuX3l3UB5MH0RJMNtRq0D961rs+iiS5A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-04T01:05:13Z"
- mac: ENC[AES256_GCM,data:/wuo0bg48xlbP074JJ0rtmclWMG9vjlJnWjJnUaz45m+Gqj4IzA5ctSZdNnFTb7/CXkynJdFHme4/Nz8I/6+zzTFBeo/nVw43s1n0XmMqVYb2U/FTikvCMowHNnfMTY5Q83jD1MtE3XsRSCzxe649D4Zbcja8XG42v5rOt3geMA=,iv:n/yFp5f+LK8JaikifjRuieNtmcazl2VNz8rIzbvgBO8=,tag:Fs4+St1lxMn+VdEoP+Eo8g==,type:str]
+ lastmodified: "2025-07-06T19:20:04Z"
+ mac: ENC[AES256_GCM,data:59Mu6RlGEXV7BsNsX0yIr/zUgl9gvk77o2moF4D7GgPwllSVFLRB8Y3LvE7+NXLIjLj19nrK6b99CiH08NmWhSBO37+xXU/eYQ/W2wIEVIxfmhVcF9ePIZPwVuegLZ707S8jZDOcYzPOQuURe9hhbxJJPgHzzPzYoh7yushYUME=,iv:h6DCciUZtRMZFGB7PMfg4xnOWxyKQS/vfnOG1tqVfrI=,tag:q65pnHbLcUG+Gxo7K3Ca1w==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/users/phundrak/alys.nix b/users/phundrak/alys.nix
new file mode 100644
index 0000000..a022928
--- /dev/null
+++ b/users/phundrak/alys.nix
@@ -0,0 +1,8 @@
+{
+ imports = [./light-home.nix];
+ home.phundrak.sshKey = {
+ content = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com";
+ file = "/home/phundrak/.ssh/id_ed25519.pub";
+ };
+ modules.nh.flake = "/home/phundrak/.dotfiles";
+}
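Review bot: In the users/phundrak/alys.nix hunk, `home.phundrak.sshKey.content` embeds the same ed25519 public key that this commit also adds as modules/keys/id_alys.pub, so the two copies can silently diverge at the next key rotation, with the host still authorizing one key while the home profile publishes another; reading it from the file keeps a single source of truth, `content = builtins.readFile ../../modules/keys/id_alys.pub;` (the .pub file is committed without a trailing newline, so the resulting string is identical). This assumes the `sshKey.content` option accepts a plain string, which is defined outside this diff.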