From fa80a17f5950e8c44d69830ba51501ec15a92bdb Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Fri, 24 Jan 2025 23:50:51 +0300
Subject: [PATCH] Add some parts of the nine host
---
.gitignore | 1 +
hosts/nine/default.nix | 60 ++++++++++++++++++++++++++++++
hosts/nine/hardware.nix | 31 +++++++++++++++
hosts/nine/id.age | Bin 0 -> 721 bytes
hosts/nine/password.seven.age | 7 ++++
modules/common/ssh/config.age | Bin 597 -> 597 bytes
modules/common/system.nix | 4 +-
modules/linux/endlessh-go.nix | 8 ++--
modules/linux/hyprland/fuzzel.nix | 2 +-
modules/linux/restic/default.nix | 6 +--
modules/linux/restic/password.age | 20 +++++-----
secrets.nix | 6 ++-
12 files changed, 124 insertions(+), 21 deletions(-)
create mode 100644 hosts/nine/default.nix
create mode 100644 hosts/nine/hardware.nix
create mode 100644 hosts/nine/id.age
create mode 100644 hosts/nine/password.seven.age
diff --git a/.gitignore b/.gitignore
index 781ced8..07cc058 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@ !docs/ !hosts/ +!hosts/nine/ !hosts/pala/ !lib/
diff --git a/hosts/nine/default.nix b/hosts/nine/default.nix
new file mode 100644
index 0000000..fef8dbe
--- /dev/null
+++ b/hosts/nine/default.nix
@@ -0,0 +1,60 @@
+lib: lib.nixosSystem ({ config, keys, lib, ... }: let
+ inherit (lib) collect remove;
+in {
+ imports = collect ./. |> remove ./default.nix;
+
+ nixpkgs.hostPlatform = "aarch64-linux";
+
+ system.stateVersion = "23.11";
+ home-manager.sharedModules = [{
+ home.stateVersion = "23.11";
+ }];
+
+ networking.hostName = "nine";
+
+ secrets.id.file = ./id.age;
+ services.openssh.hostKeys = [{
+ type = "ed25519";
+ path = config.secrets.id.path;
+ }];
+
+ secrets.sevenPassword.file = ./password.seven.age;
+ users.users = {
+ root.hashedPasswordFile = config.secrets.sevenPassword.path;
+
+ seven = {
+ description = "Hungry Seven";
+ openssh.authorizedKeys.keys = keys.admins;
+ hashedPasswordFile = config.secrets.sevenPassword.path;
+ extraGroups = [ "wheel" ];
+ };
+
+ backup = {
+ description = "Backup";
+ openssh.authorizedKeys.keys = keys.all;
+ hashedPasswordFile = config.secrets.sevenPassword.path;
+ };
+ };
+
+ networking = {
+ ipv4 = "152.53.2.105";
+ ipv6 = "2a0a:4cc0::12d9";
+
+ domain = "rgbcu.be";
+
+ defaultGateway = "152.53.0.1";
+ defaultGateway6 = "fe80::1";
+
+ interfaces.enp4s0 = {
+ ipv4.addresses = [{
+ address = config.networking.ipv4;
+ prefixLength = 22;
+ }];
+
+ ipv6.addresses = [{
+ address = config.networking.ipv6;
+ prefixLength = 64;
+ }];
+ };
+ };
+})
diff --git a/hosts/nine/hardware.nix b/hosts/nine/hardware.nix
new file mode 100644
index 0000000..b5082ee
--- /dev/null
+++ b/hosts/nine/hardware.nix
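Review bot: `root`, `seven` and `backup` all set `hashedPasswordFile` to the same `sevenPassword` secret, so one credential opens three accounts, root included, and `backup` additionally accepts every key in `keys.all` — presumably the whole fleet, since `secrets.nix` uses `all` for the fleet-wide secrets. `backup` appears to exist only as the sftp target of the restic jobs (`sftp:backup@${host}:…` in `modules/linux/restic/default.nix`), so it can be key-only: drop its `hashedPasswordFile` line, give root its own hash, and if the account is sftp-only consider `Match User backup` with `ForceCommand internal-sftp` in `services.openssh.extraConfig` so that a leaked peer host key cannot yield a shell. Neither `seven` nor `backup` sets `isNormalUser` or `isSystemUser` here; unless a shared module supplies one, the NixOS users assertion will reject the configuration.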
@@ -0,0 +1,31 @@ +{ config, lib, modulesPath, ... }: let + inherit (lib) enabled; +in { + imports = [(modulesPath + "/profiles/qemu-guest.nix")]; + + boot.loader.grub = enabled { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + ]; + + boot.initrd.kernelModules = [ "nvme" ]; + + fileSystems."/" = { + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + }; + + fileSystems.${config.boot.loader.efi.efiSysMountPoint} = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + }; + + zramSwap = enabled; +} diff --git a/hosts/nine/id.age b/hosts/nine/id.age new file mode 100644 index 0000000000000000000000000000000000000000..97fd93140489e3e6c759bdf2305e04cc200e7bd5 GIT binary patch literal 721 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnaSYCJ3RKATPYEgU zNb(9wjSBKEs?1G`v@j3!uSoMx%PuqVH?7e2@dyqqc8he$D(CW#@GD744h~NDbIbM) z^+^g2GdJ=o4G1c7EsRVI$;k7`Gfj^$EpST-NJqELxvDTJAW*^C-N3QLFDcw4r^LXo zI4v>Hw=l9K$1f`{Dm*YRQs2`tBP~45$Hgl!Fp?|DJJ}+qEZ4lyP}?^mKe!+`u*^Bn zyUf?mAj&yW+uJZXq$n{dC@eWD*?>z|S689Z+{M*1AT%W?EVnGvtt{WuBgNC8(4`E|wTi#!E*f}vENNnSZ`4TaG$9wqJ zM6+BJ?5kV*wWENkp)PEHPth}j?R@jvdn9#k-f}3dX87t>dLek73Ul&T$ydoqa~r0o z3dR59z{k*6C= z_Ba+K{x%OYk(jYcW8>Oqd+t1A_!e5k8hc#5pY?iFntP-2j;P9?3r!Cl@bPE=F>kiq z&gE17`9CPHe&^ElWuo!5eO9}f3OKoDCx%_-JrEuDZFXG6>hQlWZQS(Px2#gVqj9iYgmtB9 ssh-ed25519 dASlBQ gh2TXagLOCoZF72LeTEpCfa6y5bltnN+JlRjhxs/lA4 +QOi6kenko+A4MB5aLBbyOXjY8RmEpOHFUM24H3Pgnaw +-> ssh-ed25519 CzqbPQ iP9T7X/mVGAZyj6xkMjuAkO4dDUsMFhQB29iTatmonY +YRn1gcHQvPyzGl79UF50C4OXPaeI4xD5BkkdjJCxLFs +--- 7+SPAGy57E4RsUE6Wsu8u3hbF9nnyJAysMQFlY3izIY +֣8$b-GSsYyUn뉘G*D)o8Âi=*Lz1lq85!- \U9ק^ \ No newline at end of file 
diff --git a/modules/common/ssh/config.age b/modules/common/ssh/config.age index 38c5abe38321a88194bf2dc42cfa6e60404f8471..4d768f35c243822b1bce1a05be61987c44fa9213 100644 GIT binary patch delta 525 zcmcc0a+PI*PQ90tqi4B?UzvZFk%eV;K)91Z~ifPYY6g=1upX>hh@Wkp)9 z0hhM6S5jnPmA|85j(M1cYlL5ZNlr#eiLbt)afx|pPF|!zN@j^!RgRfgGMBEMLUD11 zZfc5=si~o*LUDncTcD$YN2Y~id2(5peqL6tw|8VvvRh=ap^tlNW~y<8fkkdXN_mEM zKv-E=q>F1dSE{jNl973pd0??YP?cweNm71ggpaN7lLFFdKg_)71X`ascQHiDDu8vXK&YnSj`Z>n>r6Cqv!G0C4 z#lGQ@<|ZL7Wk$|9*%fXXk%rEmkxAK3!Bx3g?ry;Wp()1x$sv)G;~B;44K0IH3Jc8A z%(Bh1DzaVO+|!KQBEt+q!>e*!1HA$~BSL)(Qw>c@$|};ijB<)S%Z-wDugVQSAU3^{AER52fl7dRo!cqgdbaizV49q>UOM)$pEG<(^OI-tU+*~sY zLfk^r&2xQ>Lrsm0Jp3IKDot{W%zaEex$^hTpHh}qsatzLj(5*Sp@!o5Pq#CC*Nl69 zssE3264$h~>@7EQ?pI|@N}u=P^ESN&o=YEV_LF delta 525 zcmcc0a+PI*PJNz#iGibUMu~-Eeu}nXm{C$lxUW~9Z+J;$SgwU*a<+$&d2U|0n`2g;{orkyluNd!a>|sY!ljMQLS_fssM7Sz=-F z#E;_PY3>!;WqGNlW&ss07U_wO&ZUNF7MVfXei_Bd6@|q{mPSP$CZ(>a&Kb#ExnYHd z+S&zWsm9*f2H8PL8EGay&LO2GnXX<=u1UGYl_qIn!P6PP!>U3O@|?0O3?c&pxt>&I0%E%-G>|^>D(5 z=gei1I(Kf({W8P(xWN1QyAM99>7AV*w@p2oV@|nJeas2*e-5(Uo?LqBhpVOXvRyCy RaJb6P$s{VjeC-vp69E1)xfcKc diff --git a/modules/common/system.nix b/modules/common/system.nix index 8a39c9d..1ce48ea 100644 --- a/modules/common/system.nix +++ b/modules/common/system.nix @@ -1,5 +1,5 @@ { config, lib, ... }: let - inherit (lib) any elem last mapAttrsToList mkConst splitString; + inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString; in { options = { os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system; @@ -7,7 +7,7 @@ in { isLinux = mkConst <| config.os == "linux"; isDarwin = mkConst <| config.os == "darwin"; - isDesktop = mkConst <| config.isDarwin || (any <| mapAttrsToList (_: value: elem "graphical" value.extraGroups) config.users.users); + isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users); isServer = mkConst <| !config.isDesktop; }; } 
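Review bot: `isDesktop` is now `config.isDarwin || false`, so every Linux host evaluates as `isServer`, and the `isServer`-gated modules touched in this same commit (`endlessh-go`, which binds `[::]:22` and opens that port in the firewall, and the restic backup jobs) will activate on Linux desktop hosts too. The retired expression survives only as a trailing comment with no reason given; if it was dropped to break an evaluation cycle through `users.users`, say so, e.g. `# FIXME: graphical-group detection via users.users disabled (evaluation cycle?); Linux desktops are classified as servers until this is replaced.`. In the first hunk `getAttr` is added to the `inherit` list but only occurs inside that comment, so it is an unused binding. The `options` attrset closes outside the hunk.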
diff --git a/modules/linux/endlessh-go.nix b/modules/linux/endlessh-go.nix index efe8704..66e7b95 100644 --- a/modules/linux/endlessh-go.nix +++ b/modules/linux/endlessh-go.nix @@ -2,17 +2,17 @@ inherit (lib) enabled merge mkEnableOption mkIf mkOption types; fakeSSHPort = 22; -in merge <| mkIf config.isServer { - config.services.prometheus.exporters.endlessh-go = enabled { +in { + config.services.prometheus.exporters.endlessh-go = mkIf config.isServer <| enabled { listenAddress = "[::]"; }; # `services.endlessh-go.openFirewall` exposes both the Prometheus # exporters port and the SSH port, and we don't want the metrics # to leak, so we manually expose this like so. - config.networking.firewall.allowedTCPPorts = [ fakeSSHPort ]; + config.networking.firewall.allowedTCPPorts = mkIf config.isServer <| [ fakeSSHPort ]; - config.services.endlessh-go = enabled { + config.services.endlessh-go = mkIf config.isServer <| enabled { listenAddress = "[::]"; port = fakeSSHPort; diff --git a/modules/linux/hyprland/fuzzel.nix b/modules/linux/hyprland/fuzzel.nix index d7b3474..2f9a8d8 100644 --- a/modules/linux/hyprland/fuzzel.nix +++ b/modules/linux/hyprland/fuzzel.nix @@ -1,7 +1,7 @@ { config, lib, ... }: let inherit (lib) enabled mapAttrs merge mkIf replaceStrings; in merge <| mkIf config.isDesktop { - home-manager.sharedNodules = [{ + home-manager.sharedModules = [{ wayland.windowManager.hyprland.settings = { bindl = [(replaceStrings [ "\n;" "\n" ] [ ";" "" ] '' , XF86PowerOff, exec, diff --git a/modules/linux/restic/default.nix b/modules/linux/restic/default.nix index 0b2c743..52c3852 100644 --- a/modules/linux/restic/default.nix +++ b/modules/linux/restic/default.nix 
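Review bot: The single `merge <| mkIf config.isServer { … }` guard becomes three separate `mkIf config.isServer` guards, one per attribute; the idiomatic shape when `options` must stay unconditional is one `config = mkIf config.isServer { … };` block, which also ensures a setting added later cannot miss the guard — for this module an unguarded line would open `fakeSSHPort` or bind `[::]` on a non-server host. `merge` remains in the unchanged `inherit (lib) …` context line but no longer appears in the hunk; drop it if the rest of the file does not use it. The attrset closes outside the hunk.
```nix
in {
  config = mkIf config.isServer {
    services.prometheus.exporters.endlessh-go = enabled {
      listenAddress = "[::]";
    };

    # … unchanged: comment on why openFirewall is not used …
    networking.firewall.allowedTCPPorts = [ fakeSSHPort ];

    services.endlessh-go = enabled {
      listenAddress = "[::]";
      port = fakeSSHPort;
      # … unchanged: remaining endlessh-go settings, outside the hunk …
```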
@@ -1,11 +1,11 @@ { config, lib, ... }: let inherit (lib) genAttrs merge mkConst mkIf remove; -in merge <| mkIf config.isServer { +in{ options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ]; - config.secrets.resticPassword.file = ./password.age; + config.secrets.resticPassword.file = mkIf config.isServer ./password.age; - config.services.restic.backups = genAttrs config.resticHosts (host: { + config.services.restic.backups = mkIf config.isServer <| genAttrs config.resticHosts (host: { repository = "sftp:backup@${host}:${config.networking.hostName}-backup"; passwordFile = config.secrets.resticPassword.path; initialize = true; diff --git a/modules/linux/restic/password.age b/modules/linux/restic/password.age index 4c4e20d..4fb00c5 100644 --- a/modules/linux/restic/password.age +++ b/modules/linux/restic/password.age @@ -1,11 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw 06oZk46oR6ELo5J27k6yawjranT3zRItKK+rl0P9bgk -Zl9FaZ0zz7X+NNa8YZ7mF+I3NM6uIQ4OyOxHCC7tG0s --> ssh-ed25519 spFFQA lNlbKPxx4NolZih3OdSW+Om6LfLzQGPcOateTm7PmjE -faPPdpWeJytmEGMCfNiup4hE/wjwAp9hdFBRR9PJ7JE --> ssh-ed25519 dASlBQ 0hpF2NYQrE8k0yQWjecxaEmxPswUfqjr/isjwcuRbio -zy5tvK0/6WaxzOOzmhRdMIdWeMyE0YYvRI+UAx4sW1c --> ssh-ed25519 CzqbPQ VuaclNfcFIo7wIFauMBcy4amv4QDMUwmWevaCaMICxg -JpO3lbn95Hfhqi7x2SRUSzVHQ7tS/Ay9Gn+mFhQpKbE ---- iuP1ypvDk453T8/jiyTnWRnVpKZ89yLdWbrMJubNwq8 -n Q)pպ1 Cbn)TaO^VL}4@Q \ No newline at end of file +-> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8 +m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE +-> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0 +Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g +-> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg +4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M +-> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I +OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c +--- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI +|38|H%tȏ38rz?4HՎC+ \ No newline at end of file 
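Review bot: `in{` on the new side drops the space used everywhere else in this diff (`in merge <| …` before, `in {` in `modules/linux/endlessh-go.nix`); write `in {`. On substance, every host in `resticHosts` pushes to `backup@${host}` on every other host using the one `resticPassword` that `secrets.nix` encrypts to `all`, so a compromise of any single host yields both the repository password and SSH access to read — and, with nothing append-only in view, prune or delete — every other host's backups; per-host repository passwords or an append-only target would bound the blast radius, and the `backup` account those jobs log into should be limited to sftp. Adding `"nine"` here also requires nine's key to be among `all` in `keys.nix`, which is outside this diff. The `(host: { … })` body continues outside the hunk.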
diff --git a/secrets.nix b/secrets.nix index 26e6cf9..1644bfe 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,6 +1,10 @@ let - inherit (import ./keys.nix) all; + inherit (import ./keys.nix) nine admins all; in { + # nine + "hosts/nine/id.age".publicKeys = [ nine ] ++ admins; + "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins; + # shared "modules/common/ssh/config.age".publicKeys = all; "modules/linux/restic/password.age".publicKeys = all;
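Review bot: The re-keyed `modules/linux/restic/password.age` keeps exactly the four recipient tags it had before (`+rZ0Tw`, `spFFQA`, `dASlBQ`, `CzqbPQ`) and `config.age` stays at 597 bytes, so either nine's key was already in `all` under one of those tags or `all` in `keys.nix` (outside this diff) does not include `nine` yet — in which case nine cannot decrypt `resticPassword` even though `resticHosts` now lists it; worth confirming before deploy. `hosts/nine/id.age` holds nine's SSH host key and is itself encrypted to `nine`; if that recipient is the same key, the first boot needs an admin identity on the machine to unlock it, which the `# nine` comment could state, e.g. `# nine (id.age is the host key itself; bootstrap with an admin identity)`. The `in {` attrset closes outside the hunk.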