From 43ff628e80d536b47b2a150f1f0eb4f6d9541689 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Tue, 4 Apr 2023 14:35:49 +0200
Subject: [PATCH] system: init attic
---
 agenix/hosts/attic/config.nix | 7 ++
 agenix/hosts/attic/user/danielPassword.age | 15 +++
 flake.lock | 6 +-
 flake.nix | 8 ++
 hardware/hosts/attic.nix | 25 +++++
 home/hosts/attic.nix | 34 ++++++
 secrets.nix | 5 +
 system/flakes/attic.nix | 38 +++++++
 system/hosts/attic.nix | 120 +++++++++++++++++++++
 9 files changed, 255 insertions(+), 3 deletions(-)
 create mode 100644 agenix/hosts/attic/config.nix
 create mode 100644 agenix/hosts/attic/user/danielPassword.age
 create mode 100644 hardware/hosts/attic.nix
 create mode 100644 home/hosts/attic.nix
 create mode 100644 system/flakes/attic.nix
 create mode 100644 system/hosts/attic.nix
diff --git a/agenix/hosts/attic/config.nix b/agenix/hosts/attic/config.nix
new file mode 100644
index 0000000..417b8c0
--- /dev/null
+++ b/agenix/hosts/attic/config.nix
@@ -0,0 +1,7 @@
+{
+ age.secrets = {
+ user-daniel-password = {
+ file = ./user/danielPassword.age;
+ };
+ };
+}
diff --git a/agenix/hosts/attic/user/danielPassword.age b/agenix/hosts/attic/user/danielPassword.age
new file mode 100644
index 0000000..90daa63
--- /dev/null
+++ b/agenix/hosts/attic/user/danielPassword.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBtY3Nl
+OG1NUkZKaWJ2WFdDQWkxc3B2cjFOOFZmR0RyWmtpSTRSZXJJbDFrCmhMZ2xSdGtQ
+bjJpY3ZhM1YxWG5LQllGcHdGNDA0MEdydUFoak9tTHZ0cGMKLT4gc3NoLWVkMjU1
+MTkgc1ZmNkNBIFlYZHlYWnJ0YkdoK1d1NWc0K2ZoQ2FXWithMTBGYmJQNFBuK09Z
+QzhzR28KSkM3L3M1cTl6bGoxN0dCenI3bUh2c1hVaTFvRXh1WFAyc0N2N1l5YTk4
+NAotPiB5MjMtZ3JlYXNlIGcvO3hMd2MgVSBkV0IgIjlJXigtUjcKRzFkbkxBRkMv
+VURiVHhpUFdEUE9CSDBZR3Y2SEgwMk9QMkVwNzRobGk5NHZqQndOV1hzUVp2KzVz
+dXpsa1hWVQpZbWgrMFJUYlcrcW55dENqSnY3SXhKcG1oRzg3cDNRcTh0WlV4a3VS
+eE1kSFlUallmOWFMR2cKLS0tIGxyaS82dFAyL0g1aXJlNGRBQXFFRTR1dlVDaGhn
+UUYzTGlhaWh6WkRUU1EKRoZpIw9V8TPzCZ1uKMFKIIQBXXMdgl4/dKha6WnjoIbk
+ASDFOC0CRcL6LE1yw1ri70BRKS575w6dSt3myRIAYuDOScVTdu6i6aceS9Llj/oz
+FNT1/Gf4cpMB6itAh27+3gGy8xiGt4wvvnDRc1R4M8M+wTvIZr0c7Sl1DMfCHcuJ
+7wvjpXpili0JOw==
+-----END AGE ENCRYPTED FILE-----
diff --git a/flake.lock b/flake.lock
index dd45164..3fbe7dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -119,11 +119,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1680562426,
- "narHash": "sha256-ts0WBpkoB/vdi4FzGQfYfeluDk+tCQ+ujggJ+vFM9kk=",
+ "lastModified": 1680597706,
+ "narHash": "sha256-ZqJ3T+BxzjPH9TnmeUwS4Uu9ZQPeBXAFC9sUWlharT4=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "eefb37938639739251acd4bb68ecdaf7de2a13b5",
+ "rev": "ec06f419af79207b33d797064dfb3fc9dbe1df4a",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 84d3b9b..ebd93ef 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,13 @@
 inherit inputs;
 };
+ attic = import ./system/flakes/attic.nix {
+ inherit (inputs) nixpkgs;
+ inherit (inputs) home-manager;
+ inherit (inputs) ragenix;
+ inherit inputs;
+ };
+
 adsb-antenna = import ./system/flakes/adsb-antenna.nix {
 inherit (inputs) nixpkgs;
 inherit (inputs) home-manager;
@@ -57,6 +64,7 @@
 nixosConfigurations = {
 sail = sail.system;
+ attic = attic.system;
 adsb-antenna = adsb-antenna.system;
 };
 };
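Review bot: The new `attic` block in the first flake.nix hunk spells `inherit (inputs) …;` on three separate lines where Nix accepts one, `inherit (inputs) nixpkgs home-manager ragenix;`, and it also passes the whole set with `inherit inputs;`, so system/flakes/attic.nix could read those three from `inputs` itself and the three explicit lines would go away. The layout does mirror the existing sail and adsb-antenna blocks, so either tidy all three together or leave this one as-is for consistency rather than fixing it in isolation. The binding list this hunk extends starts before the hunk, so the surrounding `let` is not visible here.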
diff --git a/hardware/hosts/attic.nix b/hardware/hosts/attic.nix
new file mode 100644
index 0000000..3b0b0a6
--- /dev/null
+++ b/hardware/hosts/attic.nix
@@ -0,0 +1,25 @@
+{ pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ loader.grub.device = "/dev/sda";
+
+ initrd = {
+ availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ kernelModules = [ "nvme" "tls" ];
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelModules = [ "tcp_bbr" ];
+
+ kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.rmem_max" = 2500000;
+ };
+ };
+
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/home/hosts/attic.nix b/home/hosts/attic.nix
new file mode 100644
index 0000000..e2ff817
--- /dev/null
+++ b/home/hosts/attic.nix
@@ -0,0 +1,34 @@
+args@{ pkgs, ... }:
+
+{
+ imports = [
+ ../programs/fish.nix
+ ../programs/atuin.nix
+ ../programs/starship.nix
+
+ ../programs/nvim
+
+ ../programs/git.nix
+
+ ../programs/bat.nix
+
+ ../programs/fzf.nix
+
+ ../programs/jq.nix
+
+ ../programs/scripts.nix
+ ];
+
+ home = {
+ stateVersion = "22.11";
+
+ packages = with pkgs; [
+ curlHTTP3
+ lnav
+ mtr
+ parallel
+ q
+ ripgrep
+ ];
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 87865a3..10ff89f 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -2,8 +2,10 @@ let
 user-daniel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1UfCIu7jUe64iQmp2UUyAgqZ3IYdMOo/Me6hRTnKoG";
 system-sail = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJMs1BqZ+MC7XBwV+dZW8EmaZt2cOg/xcOBPS9KSzIl";
+ system-attic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHe6N3LfPxu7KNsyuI8YE3R0OHLTxNw5+WhuQjKL6PUr";
 sail = [ user-daniel system-sail ];
+ attic = [ user-daniel system-attic ];
 in
 {
 # sail
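Review bot: In hardware/hosts/attic.nix both `loader.grub.device = "/dev/sda";` and `fileSystems."/" = { device = "/dev/sda1"; ... }` address the disk by kernel enumeration name, which is not guaranteed stable when a second disk appears or a different controller driver probes first (the initrd list loads both `xen_blkfront` and `vmw_pvscsi`), and a shifted name leaves the host unbootable rather than failing safely. Binding the root mount to the filesystem's own identifier, `device = "/dev/disk/by-uuid/<uuid>";` (or a label), keeps the mount tied to the data rather than the device slot; the GRUB device can reasonably stay `/dev/sda` on a single-disk VM, but that assumption deserves a comment such as `# single-disk Hetzner cloud VM; GRUB is installed to the only disk`.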
@@ -39,4 +41,7 @@ in
 "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail;
 "agenix/hosts/sail/proxitok/environment.age".publicKeys = sail;
+
+ # attic
+ "agenix/hosts/attic/user/danielPassword.age".publicKeys = attic;
 }
diff --git a/system/flakes/attic.nix b/system/flakes/attic.nix
new file mode 100644
index 0000000..a1dbbe4
--- /dev/null
+++ b/system/flakes/attic.nix
@@ -0,0 +1,38 @@
+{ nixpkgs, home-manager, ragenix, inputs, ... }:
+
+let
+ overlay-neovim = inputs.neovim-nightly-overlay.overlay;
+ overlay-nifoc = inputs.nifoc-overlay.overlay;
+
+ nixpkgsConfig = {
+ overlays = [
+ overlay-neovim
+ overlay-nifoc
+ ];
+
+ config = {
+ allowUnfree = true;
+ allowBroken = true;
+ };
+ };
+in
+{
+ system = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ../hosts/attic.nix
+
+ home-manager.nixosModules.home-manager
+
+ ragenix.nixosModules.default
+
+ {
+ nixpkgs = nixpkgsConfig;
+ nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.daniel = import ../../home/hosts/attic.nix;
+ }
+ ];
+ };
+}
diff --git a/system/hosts/attic.nix b/system/hosts/attic.nix
new file mode 100644
index 0000000..1d8447b
--- /dev/null
+++ b/system/hosts/attic.nix
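Review bot: `allowBroken = true;` inside `nixpkgsConfig.config` in system/flakes/attic.nix disables the nixpkgs guard that keeps packages flagged `meta.broken` out of the evaluation, and nothing in this hunk or the home-manager package list shows which package needs it, so the flag silently widens what can land in a server closure. Prefer `allowBroken = false;` and, if a single package really requires it, override that package alone; failing that, record the reason next to the flag, e.g. `allowBroken = true; # needed for <package>, remove once it builds again`. The same documentation request applies more mildly to `allowUnfree = true;`.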
@@ -0,0 +1,120 @@
+args@{ pkgs, lib, ... }:
+
+let
+ ssh-keys = import ../shared/ssh-keys.nix;
+in
+{
+ imports = [
+ ../../hardware/hosts/attic.nix
+ ../../agenix/hosts/attic/config.nix
+ ../nixos/ssh.nix
+
+ ../nixos/git.nix
+ ];
+
+ system.stateVersion = "22.11";
+
+ nix = {
+ package = pkgs.nixVersions.stable;
+
+ settings = {
+ auto-optimise-store = true;
+
+ substituters = [
+ "https://nix-community.cachix.org"
+ "https://wurzelpfropf.cachix.org"
+ "https://nifoc.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
+ "nifoc.cachix.org-1:ymuftq7RgN/lf/iWXFK8gpwDSAGFaGBeliWe9u6q8II="
+ ];
+ };
+
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 14d";
+ };
+
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ extra-platforms = aarch64-linux
+ keep-derivations = true
+ keep-outputs = true
+ '';
+ };
+
+ boot = {
+ cleanTmpDir = true;
+
+ binfmt.emulatedSystems = [ "aarch64-linux" ];
+ };
+
+ zramSwap.enable = true;
+
+ networking = {
+ hostName = "attic";
+ useNetworkd = true;
+ };
+
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "10-wan" = {
+ matchConfig.Name = "eth0";
+ networkConfig = {
+ DHCP = "ipv4";
+ Address = "2a01:4f8:c0c:fa14::1/64";
+ Gateway = "fe80::1";
+ };
+ linkConfig.RequiredForOnline = "routable";
+
+ ntp = [
+ "ntp1.hetzner.de"
+ "ntp2.hetzner.com"
+ "ntp3.hetzner.net"
+ ];
+ };
+
+ "20-private" = {
+ matchConfig.Name = "enp7s0";
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = false;
+ };
+ linkConfig.RequiredForOnline = "yes";
+ };
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ '';
+
+ documentation = {
+ nixos.enable = false;
+ doc.enable = false;
+ };
+
+ programs.fish.enable = true;
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [ ssh-keys.Hetzner ];
+ };
+
+ daniel = {
+ passwordFile = config.age.secrets.user-daniel-password.path;
+ isNormalUser = true;
+ home = "/home/daniel";
+ description = "Daniel";
+ extraGroups = [ "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [ ssh-keys.Hetzner ];
+ };
+ };
+}
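Review bot: `config` is referenced on the `passwordFile = config.age.secrets.user-daniel-password.path;` line but the module header `args@{ pkgs, lib, ... }:` never binds it, so evaluating the attic host should fail with an undefined-variable error before anything is deployed; `lib` and `args` are unused, so the header can simply become `{ config, pkgs, ... }:`. Separately, `root` is given `ssh-keys.Hetzner` as an authorized key while `daniel` already carries the same key plus `wheel`, which leaves a direct privileged SSH login path that sudo from `daniel` already covers; unless ../nixos/ssh.nix (not shown) relies on root login, dropping root's `openssh.authorizedKeys.keys` and confirming what that module sets for PermitRootLogin would be the tighter default. The `trusted-public-keys` list also turns each entry in `substituters` into a trusted source of binaries for this machine, which is reasonable for a personal host but deserves a one-line comment per cache recording why it is trusted.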