feat(alys): add alys host configuration

2025-07-05 00:02:39 +02:00 · 2025-07-05 00:02:39 +02:00 · 958a98ef81
commit 958a98ef81
parent 3de874f873
11 changed files with 180 additions and 42 deletions
--- a/flake.nix
+++ b/flake.nix
@ -80,6 +80,17 @@
    };
    homeConfigurations = {
      "phundrak@alys" = home-manager.lib.homeManagerConfiguration {
        pkgs = nixpkgs.legacyPackages.x86_64-linux;
        extraSpecialArgs = {
          inherit inputs outputs;
          home-conf = "minimal";
        };
        modules = [
          ./users/phundrak/alys.nix
          inputs.sops-nix.homeManagerModules.sops
        ];
      };
      "phundrak@marpa" = home-manager.lib.homeManagerConfiguration {
        pkgs = nixpkgs.legacyPackages.x86_64-linux;
        extraSpecialArgs = {
@ -116,6 +127,13 @@
    };
    nixosConfigurations = {
      alys = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs;};
        modules = [
          ./hosts/alys/configuration.nix
          inputs.sops-nix.nixosModules.sops
        ];
      };
      gampo = nixpkgs.lib.nixosSystem {
        specialArgs = {inherit inputs outputs;};
        modules = [
--- a/hosts/alys/configuration.nix
+++ b/hosts/alys/configuration.nix
@ -0,0 +1,64 @@
 {
  pkgs,
  inputs,
  ...
 }: {
  imports = [
    ./hardware-configuration.nix
    ./host.nix
    inputs.home-manager.nixosModules.default
    ../../modules/locale.nix
    ../../modules/system.nix
    ../../modules/ssh.nix
    ../../modules/endlessh.nix
    ../../programs/nano.nix
  ];
  zramSwap.enable = true;
  # networking.domain = "phundrak.com";
  system = {
    amdgpu.enable = false;
    boot = {
      kernel = {
        hardened = true;
        cpuVendor = "amd";
      };
      systemd-boot = false;
      zfs.enable = false;
    };
    networking = {
      hostname = "alys";
      domain = "phundrak.com";
      id = "41157110";
      firewall.openPorts = [
        22
      ];
    };
    sound.enable = false;
    users = {
      root.disablePassword = true;
      phundrak = true;
    };
  };
  modules = {
    ssh = {
      enable = true;
      allowedUsers = ["phundrak"];
      passwordAuthentication = false;
    };
    endlessh.enable = false;
  };
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = [pkgs.openssl];
  # networking.hostName = "alys";
  # users.users.root.openssh.authorizedKeys.keys = [
  #   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+b7BE/gHrHVkqNVfHtp2r4OCUDdohst8hb3Bz5tYtx3gvXJQCB1rFc2hgQJf8FsVyQbidS64lnhU1rUIEbFhv7itT5FGGUnfJEYs64W30wKsnPSb5WXdFXzrNi8za48i2oNl9JA9Fj9k6isyvkTup89hB+ELbXIcfz3bM93WaAt2dIgKijXaAMAAA+tHhgWvlrHlvGlU9/KxY3ZOQSoEboPXd7TDyOf1672eAibYyb5h1HIewYZ+xv1X4dxx/c9Arh4K0s8scuB7XTQQkEbRUEYKD2YXKN83Z09jfMlMYuBAKKO8zU4CM2KTbL7kEVgNc/ArY+uCAakmC5+eS7LxMuOt86+Bi4gXTJ6o6dbfUbCGiq751ni8pg44YSfwYiI05vvZ08eIyNkowumD+X4GRW4tu0I3qK8TI7exeEeoQIwlSfLXlYHEdNB8Q3feLyhHMRkxXgUskbXwWIBexLzJyY40tyqQplZWbYGrUEmjxZ7FWmaV+o8ZjnU2GfJ8JoWyCnEYfRc6Z2ILdXNDRzZ9qYOwefMHtuaYaYYximL+zdVVrm4EZuOetmaJ6zblk4ebU3GZjYykB8DmCDFDZO9koKwzPazLKQl0OWzmQqgxVNg7Mg1NZbuRQgVAhKPelnqejaXbf2/IHAYBn5LDR1Jew5+srlstM9XuYG2whEOx84w== Lucien Cartier-Tilet <lucien@phundrak.com>"
  #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw9oiK8tZ5Vpz82RaRLpITU8qeJrT2hjvudGEDQu2QW lucien@phundrak.com"
  # ];
  system.stateVersion = "23.11";
 }
--- a/hosts/alys/hardware-configuration.nix
+++ b/hosts/alys/hardware-configuration.nix
@ -0,0 +1,28 @@
 {
  modulesPath,
  lib,
  ...
 }: {
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
  boot = {
    loader.grub = {
      efiSupport = true;
      efiInstallAsRemovable = true;
      device = "nodev";
    };
    initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
    initrd.kernelModules = ["nvme"];
  };
  fileSystems = {
    "/" = {
      device = "/dev/vda1";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/F137-8D01";
      fsType = "vfat";
    };
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/hosts/alys/host.nix
+++ b/hosts/alys/host.nix
@ -0,0 +1,3 @@
 {pkgs, ...}: {
  environment.systemPackages = with pkgs; [neofetch vim emacs];
 }
--- a/modules/boot.nix
+++ b/modules/boot.nix
@ -30,6 +30,11 @@ in {
      };
      hardened = mkEnableOption "Enables hardened Linux kernel";
    };
    systemd-boot = mkOption {
      type = types.bool;
      default = true;
      description = "Does the system use systemd-boot?";
    };
    zfs = {
      enable = mkEnableOption "Enables ZFS";
      pools = mkOption {
@ -42,8 +47,8 @@ in {
  config.boot = {
    initrd.kernelModules = lists.optional cfg.amdgpu.enable "amdgpu";
    loader = {
-      systemd-boot.enable = true;
+      systemd-boot.enable = cfg.systemd-boot;
-      efi.canTouchEfiVariables = true;
+      efi.canTouchEfiVariables = cfg.systemd-boot;
    };
    supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
    zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;
--- a/modules/keys/id_alys.pub
+++ b/modules/keys/id_alys.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -6,28 +6,33 @@
 with lib; let
  cfg = config.modules.networking;
 in {
-  options.modules.networking = {
+  options.modules.networking = with types; {
    hostname = mkOption {
-      type = types.str;
+      type = str;
      example = "gampo";
    };
    id = mkOption {
-      type = types.str;
+      type = str;
      example = "deadb33f";
    };
    domain = mkOption {
      type = nullOr str;
      example = "phundrak.com";
      default = null;
    };
    hostFiles = mkOption {
-      type = types.listOf types.path;
+      type = listOf path;
      example = [/path/to/hostFile];
      default = [];
    };
    firewall = {
      openPorts = mkOption {
-        type = types.listOf types.int;
+        type = listOf int;
        example = [22 80 443];
        default = [];
      };
      openPortRanges = mkOption {
-        type = types.listOf (types.attrsOf types.port);
+        type = listOf (attrsOf port);
        default = [];
        example = [
          {
@ -41,7 +46,7 @@ in {
        '';
      };
      extraCommands = mkOption {
-        type = types.nullOr types.lines;
+        type = nullOr lines;
        example = "iptables -A INPUTS -p icmp -j ACCEPT";
        default = null;
      };
@ -52,7 +57,7 @@ in {
    hostName = cfg.hostname; # Define your hostname.
    hostId = cfg.id;
    networkmanager.enable = true;
-    inherit (cfg) hostFiles;
+    inherit (cfg) hostFiles domain;
    firewall = {
      enable = true;
      allowedTCPPorts = cfg.firewall.openPorts;
--- a/modules/system.nix
+++ b/modules/system.nix
@ -20,35 +20,40 @@ in {
    ./dev/docker.nix
  ];
-  options.system = {
+  options.system = with types; {
    amdgpu.enable = mkEnableOption "Enables AMD GPU support";
    boot = {
      kernel = {
        package = mkOption {
-          type = types.raw;
+          type = raw;
          default = pkgs.linuxPackages_zen;
        };
        modules = mkOption {
-          type = types.listOf types.str;
+          type = listOf str;
          default = [];
        };
        cpuVendor = mkOption {
          description = "Intel or AMD?";
-          type = types.enum ["intel" "amd"];
+          type = enum ["intel" "amd"];
          default = "amd";
        };
        v4l2loopback = mkOption {
          description = "Enables v4l2loopback";
-          type = types.bool;
+          type = bool;
          default = true;
        };
        hardened = mkEnableOption "Enables hardened Linux kernel";
      };
      systemd-boot = mkOption {
        type = types.bool;
        default = true;
        description = "Does the system use systemd-boot?";
      };
      plymouth.enable = mkEnableOption "Enables Plymouth";
      zfs = {
        enable = mkEnableOption "Enables ZFS";
        pools = mkOption {
-          type = types.listOf types.str;
+          type = listOf str;
          default = [];
        };
      };
@ -61,26 +66,31 @@ in {
    };
    networking = {
      hostname = mkOption {
-        type = types.str;
+        type = str;
        example = "gampo";
      };
      id = mkOption {
-        type = types.str;
+        type = str;
        example = "deadb33f";
      };
      domain = mkOption {
        type = nullOr str;
        example = "phundrak.com";
        default = null;
      };
      hostFiles = mkOption {
-        type = types.listOf types.path;
+        type = listOf path;
        example = [/path/to/hostFile];
        default = [];
      };
      firewall = {
        openPorts = mkOption {
-          type = types.listOf types.int;
+          type = listOf int;
          example = [22 80 443];
          default = [];
        };
        openPortRanges = mkOption {
-          type = types.listOf (types.attrsOf types.port);
+          type = listOf (attrsOf port);
          default = [];
          example = [
            {
@ -94,7 +104,7 @@ in {
          '';
        };
        extraCommands = mkOption {
-          type = types.nullOr types.lines;
+          type = nullOr lines;
          example = "iptables -A INPUTS -p icmp -j ACCEPT";
          default = null;
        };
@ -102,20 +112,20 @@ in {
    };
    nix = {
      disableSandbox = mkOption {
-        type = types.bool;
+        type = bool;
        default = false;
      };
      gc = {
        automatic = mkOption {
-          type = types.bool;
+          type = bool;
          default = true;
        };
        dates = mkOption {
-          type = types.str;
+          type = str;
          default = "Monday 01:00 UTC";
        };
        options = mkOption {
-          type = types.str;
+          type = str;
          default = "--delete-older-than 30d";
        };
      };
@ -123,19 +133,19 @@ in {
    sound = {
      enable = mkEnableOption "Whether to enable sounds with Pipewire";
      alsa = mkOption {
-        type = types.bool;
+        type = bool;
        example = true;
        default = true;
        description = "Whether to enable ALSA support with Pipewire";
      };
      jack = mkOption {
-        type = types.bool;
+        type = bool;
        example = true;
        default = false;
        description = "Whether to enable JACK support with Pipewire";
      };
      package = mkOption {
-        type = types.package;
+        type = package;
        example = pkgs.pulseaudio;
        default = pkgs.pulseaudioFull;
        description = "Which base package to use for PulseAudio";
@ -144,27 +154,28 @@ in {
    users = {
      root.disablePassword = mkEnableOption "Disables root password";
      phundrak = mkOption {
-        type = types.bool;
+        type = bool;
        default = true;
      };
    };
    timezone = mkOption {
-      type = types.str;
+      type = str;
      default = "Europe/Paris";
    };
    console.keyMap = mkOption {
-      type = types.str;
+      type = str;
      default = "fr";
    };
  };
  config = {
    boot.tmp.cleanOnBoot = true;
    time.timeZone = cfg.timezone;
    console.keyMap = cfg.console.keyMap;
    modules = {
      boot = {
        inherit (cfg) amdgpu;
-        inherit (cfg.boot) kernel plymouth zfs;
+        inherit (cfg.boot) kernel systemd-boot plymouth zfs;
      };
      inherit (cfg) sound users networking docker amdgpu;
    };
--- a/modules/users.nix
+++ b/modules/users.nix
@ -26,12 +26,7 @@ in {
        description = "Lucien Cartier-Tilet";
        extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman"];
        shell = pkgs.zsh;
-        openssh.authorizedKeys.keyFiles = [
+        openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ./keys;
          ./keys/id_gampo.pub
          ./keys/id_marpa.pub
          ./keys/id_tilo.pub
          ./keys/id_opn4.pub
        ];
      };
    };
    programs.zsh.enable = true;
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -4,7 +4,7 @@ mopidy:
    bandcamp: ENC[AES256_GCM,data:diEx2fbkOR1oUav81jU5bNt/KNmbOaVzLV+G3zBUVXE7nEQpZNqVom0rgNrEVDGzH3u/IaA5eqG5ce9lE0BomeY8Z4MWI1xujhX5KsXdv21aw4UwsNgyLPuWhkN2POUMfCJlvekc/TFfFvJHyysx8aKxeI4dsg==,iv:cxx0cVkjOPG+hMD8JctJHdcICJt7ozpfRBVSCDBo6Ro=,tag:JRjwwvieGaGZJ+k56HWFaw==,type:str]
 emailPassword: ENC[AES256_GCM,data:LALAvyuNN9bfa8D6ZK1YiFXRfxLOBi9kXA0N0Kr7h18eAI4hWQ==,iv:WtidILFfWCMKylax52JP+X57GfZyYlxJtiwrC6SADik=,tag:NvOrsL3fbmxQZp06GZhUZA==,type:str]
 ssh:
-    hosts: ENC[AES256_GCM,data:jLLehzuBuBh22ZukRlqjQJNBg0ri8go58SJfs4GjNqNdvI/H0NWRS0apqLPzERkbpPipex3kUiFIc6BH+usSSpfh/MWico8qZDKVD7Ekx6F8k45I2Pq+mbLsMEo3XfjcnfYgDWn2I7/jyidBsvA+m9VnjU8/Cnk5O/YeIZQRvfOZ4xc8zw7C/vqmxsNi2KZr+2N23L+eetoKM4J6AigmINH41wAL3/RlB0oCpjSHSkbp7Glu2LlyJygS52p9m5pq4QBXtoiu5AJ6qG17LrypmDjfxE2zU2R3Zu6VLbs4zWQY2+W36j33Fm5nMkMMPJAEdRR27HPxM2EAEuH4OI1Jbup669sln9nJxnO2zYveplNPsAb3a16D4L9rwSzUd1s2W+NlqBSYdyAktuvtPWf1vAg9+Fob9jUgUFGTQpNF8Xj1n+DqvXlLQknsB/7EhNSSnYyQS36wHF9KBHJwexpYbhnGiMuLjN6KXbr/YYawocSA/5o8s6X/tRXKMkXtZjoEsyr1aNMj+4gSHaSUOG78r3VwAHLOXNez67xFpKMa/IQfQhj2Zng8142hhL4hPyNtuTOK3oVvPjZtAfbfxesUi+Zx2VhaJsnmj6J4gAOWU9nVpol67V0hNSD4LMUOZwwPst11IyJsXjkKKY0iy7ykFMTk6KalkVUqlYOmQRIXtBE9sD4esC+FGH1ONi3n0tbG7YivmV3YSmxk0RvQ/YlKGOchKpPH/bzN/X+NZh6A3Uk5uDsqU+GOjfDY2yIgetw4FAQ42YMxNmTJjq6MpcaETb5eQm8wee4QaVODocXHyknfWs6FYGNUjQpYp3+zxKJovHuKQcFgug3t8Si5hKnQz6KDZNaoDE0UMBR2ABbAX1Bcvu0lLHzaPXpGfXyoAe+B3MwF9/TTVkCNNYhNKm63P7qUuIbKLLCDXH6e4y5YiIF8Sl9jF/kR8v8MbLgrAROx8NlTm5CqNhQWOPQQyQXvXEl5hwHyF9ptrXUB9wIe,iv:6Lzbf+DBTfaZj7NhTJ07dVPuaViP61V4N2QHPTEFzMQ=,tag:8t4c0DJmAwg/0qRLBW4vCQ==,type:str]
+    hosts: ENC[AES256_GCM,data:X/MrxeaqJnggoL9X8Y0+15A52FoihVRFp4vBZNr/QlJAKRn0B1eH6LI4wVzNokMbPUGlmYEElShy38ce+7EehL5HJcbwpEquvgQpLN2lZ4FhMLbW7yN3Q8DdZKqv4RNsm8vjuJPGwHGEVOhdvvnyM6IVpvLvMuH7MLJg4hLSArBzX7N0i5qg8piWI3pHqoPV4yO7kysSSF7D13HXen3fX+dbpBno/n0U+Xq8gcFyUKAqN6h65frkH2pyQcxIrCYcsFoJcU2jIzUY94xCSZZT7ocItzKD5YtVRki6F4Gh0/QgFeFcCn20Z0w8B7WvkjcR98FE+i5D9128uv2iiKEyeNaB4hc14dFCG4iZWW1KcSUojBnXHpFj22aByJaxjcFVg5BIVyde8L4hEinztWjNwbRzi1d9b34qeARcEzDQ3fwSNL/XFrlTvNZp565y/rPBLceksELewpWyX4Te3fuNOOw7hQqX3cjbGfw/FNuBVI/jnkEC+acGi23HnwmnDz87KCGZ738OAQ78F5awuoHnHhePvj0bUe3DTdW9Uj8amnaq1IeIu/BBcutewgez7ZHWamIWiOuVaZUISD6wrYk4pe5KqAZieUdotxbx7eihpw0ozEzQaNU3WBwQ8YxIyEnzcnsAihXCcgbm1/8FzWxghN3elA48UqVwaa4ZHK01l8+jD5yGjuCTCcpmSkVZBg8XrH7VWm+pZMCt3FRus3vFWq/iLsapIu6YSWG+mCYCjEK5hhbZs7ELxpdIzCw6Hiqm+P4nWVwA0ddbtSA7Rhu33CTKzdc0/KIQN78U0P+AsV0tVy7oLboIEZhpsj6XXYwQv5q9d0eJw/hibsqHdRb144Zn0hJDqxe/R+vCDk2iC3OYx5pG4oFbBG8V487QC67TG4Q+ztGCL8+W8+ZoVjK+atfA2LVHVWobFWNmqAE9CbVu8cbW3BhAtWrBZGgUMW5noFi64U411QEPS88odXtaqhUoN77rMhYCtVBxSSkGMWvwY2VZn6UvY8NZTExD5rJmDU9rRHmCNHq4WaAjxUg1rzwd4VO9CDnCf2gSeF466blpf2JEky8=,iv:0laLebvzVUMrKT30Jx/HaRS426PsWD3oFTesV4tnnDg=,tag:DApK5SSAriLib00FTz+jcg==,type:str]
 sops:
    age:
        - recipient: age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
@ -61,7 +61,7 @@ sops:
            QmJKNDJUY0RSakhwNWlkOVpib0trc1kK0tQxD9I82pjfs54eruu+IjzVUmcVBCPw
            9mp1xKiYRRMXt3YQn6MPiyuuX3l3UB5MH0RJMNtRq0D961rs+iiS5A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-04T01:05:13Z"
+    lastmodified: "2025-07-06T19:20:04Z"
-    mac: ENC[AES256_GCM,data:/wuo0bg48xlbP074JJ0rtmclWMG9vjlJnWjJnUaz45m+Gqj4IzA5ctSZdNnFTb7/CXkynJdFHme4/Nz8I/6+zzTFBeo/nVw43s1n0XmMqVYb2U/FTikvCMowHNnfMTY5Q83jD1MtE3XsRSCzxe649D4Zbcja8XG42v5rOt3geMA=,iv:n/yFp5f+LK8JaikifjRuieNtmcazl2VNz8rIzbvgBO8=,tag:Fs4+St1lxMn+VdEoP+Eo8g==,type:str]
+    mac: ENC[AES256_GCM,data:59Mu6RlGEXV7BsNsX0yIr/zUgl9gvk77o2moF4D7GgPwllSVFLRB8Y3LvE7+NXLIjLj19nrK6b99CiH08NmWhSBO37+xXU/eYQ/W2wIEVIxfmhVcF9ePIZPwVuegLZ707S8jZDOcYzPOQuURe9hhbxJJPgHzzPzYoh7yushYUME=,iv:h6DCciUZtRMZFGB7PMfg4xnOWxyKQS/vfnOG1tqVfrI=,tag:q65pnHbLcUG+Gxo7K3Ca1w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/users/phundrak/alys.nix
+++ b/users/phundrak/alys.nix
@ -0,0 +1,8 @@
 {
  imports = [./light-home.nix];
  home.phundrak.sshKey = {
    content = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com";
    file = "/home/phundrak/.ssh/id_ed25519.pub";
  };
  modules.nh.flake = "/home/phundrak/.dotfiles";
 }
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com`