diff --git a/flake.nix b/flake.nix index fa214b2..222cc1c 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,19 @@ { nixosConfigurations = { + # VivoBook laptop + haze = nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs; + inherit (import ./parts) keys; + }; + system = "x86_64-linux"; + modules = [ + ./hosts/haze + ./system + ]; + }; + # Hetzner VPS crocus = nixpkgs.lib.nixosSystem { specialArgs = { diff --git a/hosts/haze/boot.nix b/hosts/haze/boot.nix new file mode 100644 index 0000000..6ea69ef --- /dev/null +++ b/hosts/haze/boot.nix @@ -0,0 +1,8 @@ +{ + boot.loader = { + systemd-boot = { + enable = true; + }; + efi.canTouchEfiVariables = true; + }; +} diff --git a/hosts/haze/default.nix b/hosts/haze/default.nix new file mode 100644 index 0000000..936ac55 --- /dev/null +++ b/hosts/haze/default.nix @@ -0,0 +1,21 @@ +{ + inputs, + ... +}: +{ + imports = [ + inputs.disko.nixosModules.disko + inputs.agenix.nixosModules.default + inputs.impermanence.nixosModules.impermanence + ./disk.nix + ./network.nix + ./syncthing.nix + + inputs.home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.rpqt = ./home.nix; + } + ]; +} diff --git a/hosts/haze/disk.nix b/hosts/haze/disk.nix new file mode 100644 index 0000000..a0cae0c --- /dev/null +++ b/hosts/haze/disk.nix 
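Review bot: hosts/haze/boot.nix enables systemd-boot but leaves the boot menu's kernel command-line editor at its default (enabled), so anyone with console access to the laptop can change kernel parameters before the LUKS prompt; adding `editor = false;` next to `enable = true;` removes that without affecting normal boots. The ESP created in disk.nix is only 512M, so a `configurationLimit = 10;` (or similar) in the same block would also keep old generations from filling it.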
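Review bot: the `imports` list in hosts/haze/default.nix names ./disk.nix, ./network.nix and ./syncthing.nix but not the ./boot.nix and ./sway.nix files this commit also adds under hosts/haze, so unless `./system` or some other module pulls them in, the systemd-boot and Sway settings are dead configuration; add `./boot.nix` and `./sway.nix` to the list. The home-manager entry points at `./home.nix`, which is not part of this diff — if it does not already exist, evaluation of the `haze` system fails. The impermanence module is imported here, yet no `environment.persistence` or root-rollback configuration appears anywhere in the diff; presumably that is planned for a follow-up, and a comment saying so would help.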
@@ -0,0 +1,76 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/arch-root" = { }; # archlinux root
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "16G";
+ };
+ };
+ postCreateHook = ''
+ MNTPOINT="$(mktemp -d)"
+ mount "/dev/mapper/crypted" "$MNTPOINT" -o subvol=/
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+}
diff --git a/hosts/haze/network.nix b/hosts/haze/network.nix
new file mode 100644
index 0000000..743858f
--- /dev/null
+++ b/hosts/haze/network.nix
@@ -0,0 +1,8 @@
+{
+ networking.networkmanager = {
+ enable = true;
+ wifi.powersave = true;
+ };
+
+ users.users."rpqt".extraGroups = [ "networkmanager" ];
+}
diff --git a/hosts/haze/secrets/secrets.nix b/hosts/haze/secrets/secrets.nix
new file mode 100644
index 0000000..23ac249
--- /dev/null
+++ b/hosts/haze/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ keys = import ../../../parts/keys.nix;
+in
+{
+ "syncthing-key.pem.age".publicKeys = [ keys.hosts.haze ];
+ "syncthing-cert.pem.age".publicKeys = [ keys.hosts.haze ];
+}
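Review bot: `settings.allowDiscards = true;` on the LUKS container in hosts/haze/disk.nix passes TRIM through the encryption layer, which makes the layout of used versus free blocks observable on the raw device; that is a reasonable trade-off for SSD wear levelling, but it should be recorded next to the option, e.g. `# TRIM through LUKS: exposes the free-block layout in exchange for SSD wear levelling`. In `postCreateHook`, `$MNTPOINT` is quoted on the `mount` line but not in the `trap` or `btrfs subvolume snapshot` commands; `mktemp -d` paths contain no whitespace so it works, but quoting consistently avoids a surprise if the hook is later edited. The read-only `root-blank` snapshot is the usual base for an impermanence rollback, yet nothing in this diff performs that rollback at boot — a comment pointing at where it is (or will be) configured would help the next reader.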
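Review bot: both entries in hosts/haze/secrets/secrets.nix list only `keys.hosts.haze` in `publicKeys`, so the secrets can be decrypted and re-keyed only with the host's own private key; if the administrator is meant to rotate them from another machine, that key needs to be added to `publicKeys` as well, and if host-only access is intentional a one-line comment saying so would prevent someone "fixing" it later. flake.nix obtains `keys` through `import ./parts` while this file imports `../../../parts/keys.nix` directly — presumably the same attribute set, but worth confirming so the two do not drift apart.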
diff --git a/hosts/haze/secrets/syncthing-cert.pem.age b/hosts/haze/secrets/syncthing-cert.pem.age new file mode 100644 index 0000000..b5dabca Binary files /dev/null and b/hosts/haze/secrets/syncthing-cert.pem.age differ diff --git a/hosts/haze/secrets/syncthing-key.pem.age b/hosts/haze/secrets/syncthing-key.pem.age new file mode 100644 index 0000000..c3349ea --- /dev/null +++ b/hosts/haze/secrets/syncthing-key.pem.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30 +DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc +--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc + +T!\Β6 +TrϵKr9w̞8E,R.i _'2;iń8d&Dݫqxd +3exng~/)݇aWG~BNVia{uەR=MO)$HSff<c?~*T)Wtʁ&8iz:5[sc"& U9'_{xkEؼY@fU+Bu=Y4e3UQLSl5 Uqښ!hW@}OW \ No newline at end of file diff --git a/hosts/haze/sway.nix b/hosts/haze/sway.nix new file mode 100644 index 0000000..9e6f1a8 --- /dev/null +++ b/hosts/haze/sway.nix @@ -0,0 +1,11 @@ +{ + services.gnome.gnome-keyring.enable = true; + + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + }; + + users.users."rpqt".extraGroups = [ "video" ]; + programs.light.enable = true; +} diff --git a/hosts/haze/syncthing.nix b/hosts/haze/syncthing.nix new file mode 100644 index 0000000..02e59c0 --- /dev/null +++ b/hosts/haze/syncthing.nix 
@@ -0,0 +1,56 @@
+{
+ config,
+ ...
+}:
+let
+ user = "rpqt";
+ home = config.users.users.${user}.home;
+in
+{
+ age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
+ age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
+
+ services.syncthing = {
+ enable = true;
+ user = user;
+ group = "users";
+ dataDir = home;
+ configDir = "${home}/.config/syncthing";
+ key = config.age.secrets.syncthing-key.path;
+ cert = config.age.secrets.syncthing-cert.path;
+ openDefaultPorts = true;
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "genepi" = {
+ id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
+ };
+ "pixel-7a" = {
+ id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
+ };
+ };
+ folders = {
+ "Documents" = {
+ path = "${home}/Documents";
+ devices = [
+ "genepi"
+ ];
+ };
+ "Music" = {
+ path = "${home}/Music";
+ devices = [
+ "genepi"
+ "pixel-7a"
+ ];
+ };
+ "Videos" = {
+ path = "${home}/Videos";
+ devices = [
+ "genepi"
+ ];
+ };
+ };
+ };
+ };
+}
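Review bot: `key` and `cert` in hosts/haze/syncthing.nix point at agenix secret paths, which agenix installs root-owned with mode 0400 by default, while `services.syncthing` runs as `rpqt`; unless the NixOS syncthing module copies those files with root privileges during start-up (I believe its pre-start step does, but confirm), the daemon cannot read them, so setting `age.secrets.syncthing-key.owner = user;` and `age.secrets.syncthing-cert.owner = user;` is the safe choice either way. `openDefaultPorts = true;` opens the sync and discovery ports in the firewall on every network this laptop joins, including untrusted Wi-Fi; connections are still authenticated by device ID, but the decision deserves a comment on that line. Minor style point: `user = user;` can be written `inherit user;`.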