Add some parts of the nine host

2025-07-27 18:17:44 +00:00 · 2025-01-24 23:50:51 +03:00 · 2025-01-24 23:50:51 +03:00 · fa80a17f59
commit fa80a17f59
parent 6c108c7caa
12 changed files with 124 additions and 21 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,6 +5,7 @@
 !docs/

 !hosts/
+!hosts/nine/
 !hosts/pala/

 !lib/
--- a/hosts/nine/default.nix
+++ b/hosts/nine/default.nix
@ -0,0 +1,60 @@
+lib: lib.nixosSystem ({ config, keys, lib, ... }: let
+  inherit (lib) collect remove;
+in {
+  imports = collect ./. |> remove ./default.nix;
+
+  nixpkgs.hostPlatform = "aarch64-linux";
+
+  system.stateVersion  = "23.11";
+  home-manager.sharedModules = [{
+    home.stateVersion = "23.11";
+  }];
+
+  networking.hostName = "nine";
+
+  secrets.id.file             = ./id.age;
+  services.openssh.hostKeys = [{
+    type = "ed25519";
+    path = config.secrets.id.path;
+  }];
+
+  secrets.sevenPassword.file  = ./password.seven.age;
+  users.users                 = {
+    root.hashedPasswordFile = config.secrets.sevenPassword.path;
+
+    seven = {
+      description                 = "Hungry Seven";
+      openssh.authorizedKeys.keys = keys.admins;
+      hashedPasswordFile          = config.secrets.sevenPassword.path;
+      extraGroups                 = [ "wheel" ];
+    };
+
+    backup = {
+      description                 = "Backup";
+      openssh.authorizedKeys.keys = keys.all;
+      hashedPasswordFile          = config.secrets.sevenPassword.path;
+    };
+  };
+
+  networking = {
+    ipv4 = "152.53.2.105";
+    ipv6 = "2a0a:4cc0::12d9";
+
+    domain = "rgbcu.be";
+
+    defaultGateway  = "152.53.0.1";
+    defaultGateway6 = "fe80::1";
+
+    interfaces.enp4s0 = {
+      ipv4.addresses = [{
+        address      = config.networking.ipv4;
+        prefixLength = 22;
+      }];
+
+      ipv6.addresses = [{
+        address      = config.networking.ipv6;
+        prefixLength = 64;
+      }];
+    };
+  };
+})
--- a/hosts/nine/hardware.nix
+++ b/hosts/nine/hardware.nix
@ -0,0 +1,31 @@
+{ config, lib, modulesPath, ... }: let
+  inherit (lib) enabled;
+in {
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+
+  boot.loader.grub = enabled {
+    efiSupport            = true;
+    efiInstallAsRemovable = true;
+    device                = "nodev";
+  };
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "xen_blkfront"
+  ];
+
+  boot.initrd.kernelModules = [ "nvme" ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+  };
+
+  fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+
+  zramSwap = enabled;
+}
--- a/hosts/nine/id.age
+++ b/hosts/nine/id.age
--- a/hosts/nine/password.seven.age
+++ b/hosts/nine/password.seven.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 dASlBQ gh2TXagLOCoZF72LeTEpCfa6y5bltnN+JlRjhxs/lA4
+QOi6kenko+A4MB5aLBbyOXjY8RmEpOHFUM24H3Pgnaw
+-> ssh-ed25519 CzqbPQ iP9T7X/mVGAZyj6xkMjuAkO4dDUsMFhQB29iTatmonY
+YRn1gcHQvPyzGl79UF50C4OXPaeI4xD5BkkdjJCxLFs
+--- 7+SPAGy57E4RsUE6Wsu8u3hbF9nnyJAysMQFlY3izIY
+‹Ö£Í8ùÆ$‹Ñb-‚GSsYÇ”yUùnë‰˜ûG*üDñ‘)€‡›ä¨×oç8°ïóÃ‚i=¿*«LœËz‹»Â1“àûlqõè¦8È5!‰-„µ\U9Ù×§‹çŸí^‘
--- a/modules/common/ssh/config.age
+++ b/modules/common/ssh/config.age
--- a/modules/common/system.nix
+++ b/modules/common/system.nix
@ -1,5 +1,5 @@
 { config, lib, ... }: let
-  inherit (lib) any elem last mapAttrsToList mkConst splitString;
+  inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString;
 in {
  options = {
    os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system;
@ -7,7 +7,7 @@ in {
    isLinux  = mkConst <| config.os == "linux";
    isDarwin = mkConst <| config.os == "darwin";

-    isDesktop = mkConst <| config.isDarwin || (any <| mapAttrsToList (_: value: elem "graphical" value.extraGroups) config.users.users);
+    isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users);
    isServer  = mkConst <| !config.isDesktop;
  };
 }
--- a/modules/linux/endlessh-go.nix
+++ b/modules/linux/endlessh-go.nix
@ -2,17 +2,17 @@
  inherit (lib) enabled merge mkEnableOption mkIf mkOption types;

  fakeSSHPort    = 22;
-in merge <| mkIf config.isServer {
-  config.services.prometheus.exporters.endlessh-go = enabled {
+in {
+  config.services.prometheus.exporters.endlessh-go = mkIf config.isServer <| enabled {
    listenAddress = "[::]";
  };

  # `services.endlessh-go.openFirewall` exposes both the Prometheus
  # exporters port and the SSH port, and we don't want the metrics
  # to leak, so we manually expose this like so.
-  config.networking.firewall.allowedTCPPorts = [ fakeSSHPort ];
+  config.networking.firewall.allowedTCPPorts = mkIf config.isServer <| [ fakeSSHPort ];

-  config.services.endlessh-go = enabled {
+  config.services.endlessh-go = mkIf config.isServer <| enabled {
    listenAddress = "[::]";
    port          = fakeSSHPort;

--- a/modules/linux/hyprland/fuzzel.nix
+++ b/modules/linux/hyprland/fuzzel.nix
@ -1,7 +1,7 @@
 { config, lib, ... }: let
  inherit (lib) enabled mapAttrs merge mkIf replaceStrings;
 in merge <| mkIf config.isDesktop {
-  home-manager.sharedNodules = [{
+  home-manager.sharedModules = [{
    wayland.windowManager.hyprland.settings = {
      bindl = [(replaceStrings [ "\n;" "\n" ] [ ";" "" ] ''
        , XF86PowerOff, exec,
--- a/modules/linux/restic/default.nix
+++ b/modules/linux/restic/default.nix
@ -1,11 +1,11 @@
 { config, lib, ... }: let
  inherit (lib) genAttrs merge mkConst mkIf remove;
-in merge <| mkIf config.isServer {
+in{
  options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];

-  config.secrets.resticPassword.file = ./password.age;
+  config.secrets.resticPassword.file = mkIf config.isServer ./password.age;

-  config.services.restic.backups = genAttrs config.resticHosts (host: {
+  config.services.restic.backups =  mkIf config.isServer <| genAttrs config.resticHosts (host: {
    repository   = "sftp:backup@${host}:${config.networking.hostName}-backup";
    passwordFile = config.secrets.resticPassword.path;
    initialize   = true;
--- a/modules/linux/restic/password.age
+++ b/modules/linux/restic/password.age
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 06oZk46oR6ELo5J27k6yawjranT3zRItKK+rl0P9bgk
-Zl9FaZ0zz7X+NNa8YZ7mF+I3NM6uIQ4OyOxHCC7tG0s
-> ssh-ed25519 spFFQA lNlbKPxx4NolZih3OdSW+Om6LfLzQGPcOateTm7PmjE
-faPPdpWeJytmEGMCfNiup4hE/wjwAp9hdFBRR9PJ7JE
-> ssh-ed25519 dASlBQ 0hpF2NYQrE8k0yQWjecxaEmxPswUfqjr/isjwcuRbio
-zy5tvK0/6WaxzOOzmhRdMIdWeMyE0YYvRI+UAx4sW1c
-> ssh-ed25519 CzqbPQ VuaclNfcFIo7wIFauMBcy4amv4QDMUwmWevaCaMICxg
-JpO3lbn95Hfhqi7x2SRUSzVHQ7tS/Ay9Gn+mFhQpKbE
--- iuP1ypvDk453T8/jiyTnWRnVpKZ89yLdWbrMJubNwq8
-›nßÞâæ	ìQ’š)p›Õº1	Cbn)Tœ™<C593>íÿa±öO^VLšßç}„4@QÓ
+-> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8
+m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE
+-> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0
+Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g
+-> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg
+4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M
+-> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I
+OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c
+--- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI
+<EFBFBD>|ìç38|H„%ËtˆÈ<CB86>38ÎŠrŠz¶‰ð?4ÜH¤“ÕŽ²ª’×ø<C397>Có+„Ò
--- a/secrets.nix
+++ b/secrets.nix
@ -1,6 +1,10 @@
 let
-  inherit (import ./keys.nix) all;
+  inherit (import ./keys.nix) nine admins all;
 in {
+  # nine
+  "hosts/nine/id.age".publicKeys             = [ nine ] ++ admins;
+  "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins;
+
  # shared
  "modules/common/ssh/config.age".publicKeys    = all;
  "modules/linux/restic/password.age".publicKeys = all;