Add some parts of the nine host

2025-07-28 02:27:44 +00:00 · 2025-01-24 23:50:51 +03:00 · 2025-01-24 23:50:51 +03:00 · fa80a17f59
commit fa80a17f59
parent 6c108c7caa
12 changed files with 124 additions and 21 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,6 +5,7 @@
 !docs/
 !hosts/
 !hosts/nine/
 !hosts/pala/
 !lib/
--- a/hosts/nine/default.nix
+++ b/hosts/nine/default.nix
@ -0,0 +1,60 @@
 lib: lib.nixosSystem ({ config, keys, lib, ... }: let
  inherit (lib) collect remove;
 in {
  imports = collect ./. |> remove ./default.nix;
  nixpkgs.hostPlatform = "aarch64-linux";
  system.stateVersion  = "23.11";
  home-manager.sharedModules = [{
    home.stateVersion = "23.11";
  }];
  networking.hostName = "nine";
  secrets.id.file             = ./id.age;
  services.openssh.hostKeys = [{
    type = "ed25519";
    path = config.secrets.id.path;
  }];
  secrets.sevenPassword.file  = ./password.seven.age;
  users.users                 = {
    root.hashedPasswordFile = config.secrets.sevenPassword.path;
    seven = {
      description                 = "Hungry Seven";
      openssh.authorizedKeys.keys = keys.admins;
      hashedPasswordFile          = config.secrets.sevenPassword.path;
      extraGroups                 = [ "wheel" ];
    };
    backup = {
      description                 = "Backup";
      openssh.authorizedKeys.keys = keys.all;
      hashedPasswordFile          = config.secrets.sevenPassword.path;
    };
  };
  networking = {
    ipv4 = "152.53.2.105";
    ipv6 = "2a0a:4cc0::12d9";
    domain = "rgbcu.be";
    defaultGateway  = "152.53.0.1";
    defaultGateway6 = "fe80::1";
    interfaces.enp4s0 = {
      ipv4.addresses = [{
        address      = config.networking.ipv4;
        prefixLength = 22;
      }];
      ipv6.addresses = [{
        address      = config.networking.ipv6;
        prefixLength = 64;
      }];
    };
  };
 })
--- a/hosts/nine/hardware.nix
+++ b/hosts/nine/hardware.nix
@ -0,0 +1,31 @@
 { config, lib, modulesPath, ... }: let
  inherit (lib) enabled;
 in {
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
  boot.loader.grub = enabled {
    efiSupport            = true;
    efiInstallAsRemovable = true;
    device                = "nodev";
  };
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "xen_blkfront"
  ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = {
    device = "/dev/disk/by-label/root";
    fsType = "ext4";
  };
  fileSystems.${config.boot.loader.efi.efiSysMountPoint} = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };
  zramSwap = enabled;
 }
--- a/hosts/nine/id.age
+++ b/hosts/nine/id.age
--- a/hosts/nine/password.seven.age
+++ b/hosts/nine/password.seven.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 dASlBQ gh2TXagLOCoZF72LeTEpCfa6y5bltnN+JlRjhxs/lA4
 QOi6kenko+A4MB5aLBbyOXjY8RmEpOHFUM24H3Pgnaw
 -> ssh-ed25519 CzqbPQ iP9T7X/mVGAZyj6xkMjuAkO4dDUsMFhQB29iTatmonY
 YRn1gcHQvPyzGl79UF50C4OXPaeI4xD5BkkdjJCxLFs
 --- 7+SPAGy57E4RsUE6Wsu8u3hbF9nnyJAysMQFlY3izIY
 ‹Ö£Í8ùÆ$‹Ñb-‚GSsYÇ”yUùnë‰˜ûG*üDñ‘)€‡›ä¨×oç8°ïóÃ‚i=¿*«LœËz‹»Â1“àûlqõè¦8È5!‰-„µ\U9Ù×§‹çŸí^‘
--- a/modules/common/ssh/config.age
+++ b/modules/common/ssh/config.age
--- a/modules/common/system.nix
+++ b/modules/common/system.nix
@ -1,5 +1,5 @@
 { config, lib, ... }: let
-  inherit (lib) any elem last mapAttrsToList mkConst splitString;
+  inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString;
 in {
  options = {
    os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system;
@ -7,7 +7,7 @@ in {
    isLinux  = mkConst <| config.os == "linux";
    isDarwin = mkConst <| config.os == "darwin";
-    isDesktop = mkConst <| config.isDarwin || (any <| mapAttrsToList (_: value: elem "graphical" value.extraGroups) config.users.users);
+    isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users);
    isServer  = mkConst <| !config.isDesktop;
  };
 }
--- a/modules/linux/endlessh-go.nix
+++ b/modules/linux/endlessh-go.nix
@ -2,17 +2,17 @@
  inherit (lib) enabled merge mkEnableOption mkIf mkOption types;
  fakeSSHPort    = 22;
-in merge <| mkIf config.isServer {
+in {
-  config.services.prometheus.exporters.endlessh-go = enabled {
+  config.services.prometheus.exporters.endlessh-go = mkIf config.isServer <| enabled {
    listenAddress = "[::]";
  };
  # `services.endlessh-go.openFirewall` exposes both the Prometheus
  # exporters port and the SSH port, and we don't want the metrics
  # to leak, so we manually expose this like so.
-  config.networking.firewall.allowedTCPPorts = [ fakeSSHPort ];
+  config.networking.firewall.allowedTCPPorts = mkIf config.isServer <| [ fakeSSHPort ];
-  config.services.endlessh-go = enabled {
+  config.services.endlessh-go = mkIf config.isServer <| enabled {
    listenAddress = "[::]";
    port          = fakeSSHPort;
--- a/modules/linux/hyprland/fuzzel.nix
+++ b/modules/linux/hyprland/fuzzel.nix
@ -1,7 +1,7 @@
 { config, lib, ... }: let
  inherit (lib) enabled mapAttrs merge mkIf replaceStrings;
 in merge <| mkIf config.isDesktop {
-  home-manager.sharedNodules = [{
+  home-manager.sharedModules = [{
    wayland.windowManager.hyprland.settings = {
      bindl = [(replaceStrings [ "\n;" "\n" ] [ ";" "" ] ''
        , XF86PowerOff, exec,
--- a/modules/linux/restic/default.nix
+++ b/modules/linux/restic/default.nix
@ -1,11 +1,11 @@
 { config, lib, ... }: let
  inherit (lib) genAttrs merge mkConst mkIf remove;
-in merge <| mkIf config.isServer {
+in{
  options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];
-  config.secrets.resticPassword.file = ./password.age;
+  config.secrets.resticPassword.file = mkIf config.isServer ./password.age;
-  config.services.restic.backups = genAttrs config.resticHosts (host: {
+  config.services.restic.backups =  mkIf config.isServer <| genAttrs config.resticHosts (host: {
    repository   = "sftp:backup@${host}:${config.networking.hostName}-backup";
    passwordFile = config.secrets.resticPassword.path;
    initialize   = true;
--- a/modules/linux/restic/password.age
+++ b/modules/linux/restic/password.age
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw 06oZk46oR6ELo5J27k6yawjranT3zRItKK+rl0P9bgk
+-> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8
-Zl9FaZ0zz7X+NNa8YZ7mF+I3NM6uIQ4OyOxHCC7tG0s
+m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE
-> ssh-ed25519 spFFQA lNlbKPxx4NolZih3OdSW+Om6LfLzQGPcOateTm7PmjE
+-> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0
-faPPdpWeJytmEGMCfNiup4hE/wjwAp9hdFBRR9PJ7JE
+Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g
-> ssh-ed25519 dASlBQ 0hpF2NYQrE8k0yQWjecxaEmxPswUfqjr/isjwcuRbio
+-> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg
-zy5tvK0/6WaxzOOzmhRdMIdWeMyE0YYvRI+UAx4sW1c
+4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M
-> ssh-ed25519 CzqbPQ VuaclNfcFIo7wIFauMBcy4amv4QDMUwmWevaCaMICxg
+-> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I
-JpO3lbn95Hfhqi7x2SRUSzVHQ7tS/Ay9Gn+mFhQpKbE
+OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c
--- iuP1ypvDk453T8/jiyTnWRnVpKZ89yLdWbrMJubNwq8
+--- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI
-›nßÞâæ	ìQ’š)p›Õº1	Cbn)Tœ™<C593>íÿa±öO^VLšßç}„4@QÓ
+<EFBFBD>|ìç38|H„%ËtˆÈ<CB86>38ÎŠrŠz¶‰ð?4ÜH¤“ÕŽ²ª’×ø<C397>Có+„Ò
--- a/secrets.nix
+++ b/secrets.nix
@ -1,6 +1,10 @@
 let
-  inherit (import ./keys.nix) all;
+  inherit (import ./keys.nix) nine admins all;
 in {
  # nine
  "hosts/nine/id.age".publicKeys             = [ nine ] ++ admins;
  "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins;
  # shared
  "modules/common/ssh/config.age".publicKeys    = all;
  "modules/linux/restic/password.age".publicKeys = all;