From a47014b41ad64305b5b310b3a03a7a2bd4f3bc8a Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Mon, 10 Feb 2025 23:25:25 +0100
Subject: [PATCH] add host haze base nixos config
---
 flake.nix | 13 ++++
 hosts/haze/boot.nix | 8 +++
 hosts/haze/default.nix | 21 ++++++
 hosts/haze/disk.nix | 76 ++++++++++++++++++++++
 hosts/haze/network.nix | 8 +++
 hosts/haze/secrets/secrets.nix | 7 ++
 hosts/haze/secrets/syncthing-cert.pem.age | Bin 0 -> 1006 bytes
 hosts/haze/secrets/syncthing-key.pem.age | 8 +++
 hosts/haze/sway.nix | 11 ++++
 hosts/haze/syncthing.nix | 56 ++++++++++++++++
 10 files changed, 208 insertions(+)
 create mode 100644 hosts/haze/boot.nix
 create mode 100644 hosts/haze/default.nix
 create mode 100644 hosts/haze/disk.nix
 create mode 100644 hosts/haze/network.nix
 create mode 100644 hosts/haze/secrets/secrets.nix
 create mode 100644 hosts/haze/secrets/syncthing-cert.pem.age
 create mode 100644 hosts/haze/secrets/syncthing-key.pem.age
 create mode 100644 hosts/haze/sway.nix
 create mode 100644 hosts/haze/syncthing.nix
diff --git a/flake.nix b/flake.nix
index fa214b2..222cc1c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,19 @@ {
 nixosConfigurations = {
+ # VivoBook laptop
+ haze = nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ inherit inputs;
+ inherit (import ./parts) keys;
+ };
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/haze
+ ./system
+ ];
+ };
+ # Hetzner VPS
 crocus = nixpkgs.lib.nixosSystem {
 specialArgs = {
diff --git a/hosts/haze/boot.nix b/hosts/haze/boot.nix
new file mode 100644
index 0000000..6ea69ef
--- /dev/null
+++ b/hosts/haze/boot.nix
@@ -0,0 +1,8 @@
+{
+ boot.loader = {
+ systemd-boot = {
+ enable = true;
+ };
+ efi.canTouchEfiVariables = true;
+ };
+}
diff --git a/hosts/haze/default.nix b/hosts/haze/default.nix
new file mode 100644
index 0000000..936ac55
--- /dev/null
+++ b/hosts/haze/default.nix
@@ -0,0 +1,21 @@
+{
+ inputs,
+ ...
+}:
+{
+ imports = [
+ inputs.disko.nixosModules.disko
+ inputs.agenix.nixosModules.default
+ inputs.impermanence.nixosModules.impermanence
+ ./disk.nix
+ ./network.nix
+ ./syncthing.nix
+
+ inputs.home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.rpqt = ./home.nix;
+ }
+ ];
+}
diff --git a/hosts/haze/disk.nix b/hosts/haze/disk.nix
new file mode 100644
index 0000000..a0cae0c
--- /dev/null
+++ b/hosts/haze/disk.nix
@@ -0,0 +1,76 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/arch-root" = { }; # archlinux root
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "16G";
+ };
+ };
+ postCreateHook = ''
+ MNTPOINT="$(mktemp -d)"
+ mount "/dev/mapper/crypted" "$MNTPOINT" -o subvol=/
+ trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
+ btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+}
diff --git a/hosts/haze/network.nix b/hosts/haze/network.nix
new file mode 100644
index 0000000..743858f
--- /dev/null
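Review bot: `hosts/haze/boot.nix` and `hosts/haze/sway.nix` are created by this commit, but the `imports` list in `default.nix` names only `./disk.nix`, `./network.nix` and `./syncthing.nix`, so the systemd-boot loader and the sway/keyring settings never take effect unless `./system` already provides them. The opposite problem exists for `home-manager.users.rpqt = ./home.nix`: that file is not in the diffstat, so if it does not already exist in the repository the flake fails to evaluate. Adding `./boot.nix` and `./sway.nix` next to `./disk.nix` in the list closes the first gap; the second is worth confirming before merging.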
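Review bot: `settings.allowDiscards = true` on the `luks` partition is a security trade-off the file does not record: passing TRIM through the mapping lets anyone holding the raw device see which blocks are unused, i.e. the free-space layout of the encrypted filesystem. A comment above it such as `# TRIM through LUKS: better SSD wear/perf, but reveals free-space layout to the raw device` documents the choice. In `postCreateHook`, `$MNTPOINT` is unquoted in the `trap` and in the `btrfs subvolume snapshot` line; `mktemp -d` paths have no spaces in practice, but `trap 'umount "$MNTPOINT"; rm -rf "$MNTPOINT"' EXIT` is the safer form. The `root-blank` snapshot looks like the baseline for an impermanence rollback, yet nothing in this commit consumes it, so a comment naming what is expected to use it would help the next reader.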
+++ b/hosts/haze/network.nix
@@ -0,0 +1,8 @@
+{
+ networking.networkmanager = {
+ enable = true;
+ wifi.powersave = true;
+ };
+
+ users.users."rpqt".extraGroups = [ "networkmanager" ];
+}
diff --git a/hosts/haze/secrets/secrets.nix b/hosts/haze/secrets/secrets.nix
new file mode 100644
index 0000000..23ac249
--- /dev/null
+++ b/hosts/haze/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ keys = import ../../../parts/keys.nix;
+in
+{
+ "syncthing-key.pem.age".publicKeys = [ keys.hosts.haze ];
+ "syncthing-cert.pem.age".publicKeys = [ keys.hosts.haze ];
+}
diff --git a/hosts/haze/secrets/syncthing-cert.pem.age b/hosts/haze/secrets/syncthing-cert.pem.age
new file mode 100644
index 0000000000000000000000000000000000000000..b5dabca52ec2fc3c9ecf5b423f8b35a042d2992a
GIT binary patch
literal 1006
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+FitB@OjjuK@%2ur zGI7o~$}_i23HH#AGIVl}@GDQw$TBVU%uX??DDls#a7~L0Pv**TOZSY-_w@2HiS+X@ zjY{!1E;5MB@-Yp|OLTX43b!yc4$}5ZG&U>t2<6h%)m6wbO>;{2&d@J$E%P@o&&e@$ zv&hRc$tVgd)elcDG0ic{iwZN&&MR>&apf{}uZf!moX^gX8YQ5ubK#4GmkL*>lu(O18yt&e!e}1_-bE>fz|F22S7j;-0 z4n54d=@s z_OlvP7Y55TsB22hl=(lUPpR#MZp^C-EH{te*?-YK`198d)L2lV#RN798Ua zY1DsyuA5D(TuE)Ei@L%sZoQ+s?lBup>JQ?Rc>TR5;Q#m4`EO27ab6i>l2dWO)MaD! zKeMmhTUZjmYOYv$^a88VQrk||Nx8c$Nnp1)6Gq1y{zE^S%D#?8P zK8Gzqfn(y$;QHc=-#4?Gwq3p3;#fQD(_A(NO}oew72iuA+bjN&ztDESX3F27r$I@} zMJ#rIsI_vJRIW3>`$2yuR=yQKr^|TLi1Xc>BXiF`BrWOm-M}heee97v?S=&=I=VIA5;YR?0y;a|3llu SU0fTF@D&GVFTektcL@M4g4lHc
literal 0
HcmV?d00001
diff --git a/hosts/haze/secrets/syncthing-key.pem.age b/hosts/haze/secrets/syncthing-key.pem.age
new file mode 100644
index 0000000..c3349ea
--- /dev/null
+++ b/hosts/haze/secrets/syncthing-key.pem.age
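Review bot: Both secrets in `secrets.nix` are encrypted only to `keys.hosts.haze`, so they can be decrypted and re-encrypted solely where that host's private key is present; an operator key is normally listed alongside so the files can be rotated from a workstation and are not lost together with the host key. If single-recipient encryption is deliberate, a one-line comment saying so would record it; otherwise extend each list, e.g. `"syncthing-key.pem.age".publicKeys = [ keys.hosts.haze <OPERATOR_KEY> ];` using the real attribute from `parts/keys.nix` (not visible in this diff).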
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
+DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
+--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
+ +T!\Β6 +TrϵKr9w̞8E,R.i _'2;iń8d&Dݫqxd +3exng~/)݇aWG~BNVia{uەR=MO)$HSff<c?~*T)Wtʁ&8iz:5[sc"& U9'_{xkEؼY@fU+Bu=Y4e3UQLSl5 Uqښ!hW@}OW
\ No newline at end of file
diff --git a/hosts/haze/sway.nix b/hosts/haze/sway.nix
new file mode 100644
index 0000000..9e6f1a8
--- /dev/null
+++ b/hosts/haze/sway.nix
@@ -0,0 +1,11 @@
+{
+ services.gnome.gnome-keyring.enable = true;
+
+ programs.sway = {
+ enable = true;
+ wrapperFeatures.gtk = true;
+ };
+
+ users.users."rpqt".extraGroups = [ "video" ];
+ programs.light.enable = true;
+}
diff --git a/hosts/haze/syncthing.nix b/hosts/haze/syncthing.nix
new file mode 100644
index 0000000..02e59c0
--- /dev/null
+++ b/hosts/haze/syncthing.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ ...
+}:
+let
+ user = "rpqt";
+ home = config.users.users.${user}.home;
+in
+{
+ age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
+ age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
+
+ services.syncthing = {
+ enable = true;
+ user = user;
+ group = "users";
+ dataDir = home;
+ configDir = "${home}/.config/syncthing";
+ key = config.age.secrets.syncthing-key.path;
+ cert = config.age.secrets.syncthing-cert.path;
+ openDefaultPorts = true;
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "genepi" = {
+ id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
+ };
+ "pixel-7a" = {
+ id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
+ };
+ };
+ folders = {
+ "Documents" = {
+ path = "${home}/Documents";
+ devices = [
+ "genepi"
+ ];
+ };
+ "Music" = {
+ path = "${home}/Music";
+ devices = [
+ "genepi"
+ "pixel-7a"
+ ];
+ };
+ "Videos" = {
+ path = "${home}/Videos";
+ devices = [
+ "genepi"
+ ];
+ };
+ };
+ };
+ };
+}
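Review bot: `openDefaultPorts = true` in `syncthing.nix` opens Syncthing's sync and local-discovery ports in the host firewall, and this host is a Wi-Fi laptop (`networking.networkmanager` with `wifi.powersave` in `network.nix`), so the service becomes reachable from every network it joins, not only trusted ones. Syncthing still reaches the two listed devices without inbound ports through global discovery and relays, so either drop the option or record why it is needed, e.g. `openDefaultPorts = true; # exposes the sync/discovery ports on every network this laptop joins`. Also `overrideDevices`/`overrideFolders = true` discard any device or folder added through the web UI on the next restart; a short comment would keep that from surprising the next maintainer.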