diff --git a/README.md b/README.md
index bed7956..81bbe1f 100644
--- a/README.md
+++ b/README.md
@@ -7,13 +7,13 @@ The canonical location for this repository is https://git.qenya.tel/qenya/nixfil
 ## Machines
 ### Managed
+* `kilgharrah`: Custom-built personal desktop
 * `tohru`: Dell Latitude 5300, personal laptop
 * `yevaud`: Oracle Cloud free AMD VM, hosts a Forgejo instance and WireGuard server for the other machines in the network
 * `orm`: Oracle Cloud free AMD VM, currently idling
 * `kalessin`: Oracle Cloud free ARM VM, currently idling
 ### Referenced only
-* `kilgharrah`: Custom-built personal desktop, currently running Arch
 * `shaw`: [My girlfriend's NAS](https://github.com/randomnetcat/nix-configs/tree/main/hosts/shaw)
 * `latias`: My Steam Deck
diff --git a/flake.nix b/flake.nix
index 10207a8..de114b3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,7 @@
 ];
 };
+ kilgharrah.imports = [ ./hosts/kilgharrah ] ;
 tohru.imports = [ ./hosts/tohru ];
 yevaud = { name, nodes, ... }: {
diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix
new file mode 100644
index 0000000..6aa033a
--- /dev/null
+++ b/hosts/kilgharrah/default.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+ networking.hostId = "72885bb5";
+
+ deployment = {
+ allowLocalDeployment = true;
+ # temporarily allow remote deployment for bootstrapping
+ targetHost = "192.168.2.1";
+ targetUser = null;
+ };
+ security.sudo.wheelNeedsPassword = false;
+ nix.settings.trusted-users = [ "@wheel" ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "kilgharrah"; # Define your hostname.
+
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ time.timeZone = "Europe/London";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.keyMap = "uk";
+
+ services.xserver.enable = true;
+ services.displayManager.sddm.enable = true;
+ services.displayManager.sddm.wayland.enable = true;
+ services.xserver.desktopManager.plasma6.enable = true;
+ services.xserver.xkb.layout = "gb";
+
+ services.printing.enable = true;
+
+ sound.enable = true;
+ hardware.pulseaudio.enable = true;
+ # services.pipewire = {
+ # enable = true;
+ # pulse.enable = true;
+ # };
+
+ age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age;
+ users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path;
+ users.users.qenya.extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ home-manager.users.qenya = {
+ programs.vscode.enable = true;
+ };
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+
+}
\ No newline at end of file
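Review bot: `security.sudo.wheelNeedsPassword = false;` combined with `nix.settings.trusted-users = [ "@wheel" ];` makes the `qenya` account root-equivalent with no authentication step at all: the sudo setting is direct, and a Nix trusted user can pass the daemon arbitrary substituters and trusted public keys, so anything running in the desktop session escalates silently. Since the user already has a password via `hashedPasswordFile`, the NixOS default `wheelNeedsPassword = true` is the safer choice for a graphical desktop; if the override exists only so `colmena apply-local` runs without prompting, say so, e.g. `# passwordless sudo: needed for non-interactive colmena apply-local`. The `targetHost = "192.168.2.1"` / `targetUser = null` pair is commented as temporary for bootstrapping but nothing marks when it should be retired; a `# TODO: drop targetHost/targetUser after the first deploy` or removing it in the follow-up commit avoids a later `colmena apply` pushing this host's config to whatever holds that LAN address. The entire new file is within this hunk.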
diff --git a/hosts/kilgharrah/hardware-configuration.nix b/hosts/kilgharrah/hardware-configuration.nix
new file mode 100644
index 0000000..6610f2c
--- /dev/null
+++ b/hosts/kilgharrah/hardware-configuration.nix
@@ -0,0 +1,90 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@" "compress=zstd" ];
+ };
+
+ boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd";
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@home" "compress=zstd" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" "compress=zstd" "noatime" ];
+ };
+
+ fileSystems."/swap" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@swap" "noatime" ];
+ };
+
+ fileSystems."/root" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@root" "compress=zstd" ];
+ };
+
+ fileSystems."/srv" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@srv" "compress=zstd" ];
+ };
+
+ fileSystems."/var/cache" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@cache" "compress=zstd" "noatime" ];
+ };
+
+ fileSystems."/var/tmp" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@tmp" "compress=zstd" "noatime" ];
+ };
+
+ fileSystems."/var/log" =
+ { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@log" "compress=zstd" "noatime" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/9582-E78D";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
\ No newline at end of file
diff --git a/keys.nix b/keys.nix
index de1a65d..3cf0874 100644
--- a/keys.nix
+++ b/keys.nix
@@ -1,5 +1,6 @@
 {
 machines = {
+ kilgharrah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah";
 tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
 yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud";
 orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm";
diff --git a/secrets.nix b/secrets.nix
index 1eadd47..d59c4e7 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,7 @@ let
 commonKeys = keys.users.qenya;
 secrets = with keys; {
+ user-password-kilgharrah-qenya = [ machines.kilgharrah ];
 user-password-tohru-qenya = [ machines.tohru ];
 wireguard-peer-orm = [ machines.orm ];
 wireguard-peer-tohru = [ machines.tohru ];
diff --git a/secrets/user-password-kilgharrah-qenya.age b/secrets/user-password-kilgharrah-qenya.age new file mode 100644 index 0000000..529ae97 --- /dev/null +++ b/secrets/user-password-kilgharrah-qenya.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 5PK5ag +ZmALd7qHkzBvgPEcrUac7J7xNYDS9c8N4bXOZAY8Ro +nH+9SmV2dVpnMxaI2P2sEx2JYEjo6uW1gs4au2CTlWg +-> ssh-ed25519 900ILw 4QNlf4uaXZnOQjGMV52Cp708rPmQ30Ri3KSQ5rEJiHE +llXXoqd/q6QR/hc3cyV+W/VF7j2DGXMHKgX7GBvsupI +--- nfTlzqQNfQ/RzfruijtyG4g1wUGGRokvw/KosnmPGKg +k*b-Cj\ ꯄ;V\`YmP Er]߃Q{a\ͷ\js9w2,{S~/;2~IW(ajξ= \ No newline at end of file