complete rework v2

2026-01-22 16:16:50 +01:00 · 2025-02-03 07:55:17 +01:00 · 2025-02-03 07:55:17 +01:00 · 7409e9ca10
commit 7409e9ca10
parent 16813aeef9
106 changed files with 1522 additions and 403 deletions
--- a/parts/hosts/default.nix
+++ b/parts/hosts/default.nix
@ -0,0 +1,93 @@
+{
+  inputs,
+  withSystem,
+  lib,
+  ...
+}:
+with lib; let
+  mkSystem = {
+    hostname,
+    username,
+    modules ? [],
+  }:
+    withSystem "x86_64-linux" (
+      {
+        pkgs,
+        system,
+        ...
+      }:
+        inputs.nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = {inherit inputs pkgs hostname username;};
+          modules =
+            [
+              inputs.disko.nixosModules.disko
+              inputs.home-manager.nixosModules.home-manager
+            ]
+            ++ [
+              inputs.agenix.nixosModules.default
+              inputs.agenix-rekey.nixosModules.default
+              {
+                environment.variables = {
+                  AGENIX_REKEY_PRIMARY_IDENTITY = builtins.readFile ../../secrets/hosts/${hostname}/id_ed25519.pub;
+                  AGENIX_REKEY_PRIMARY_IDENTITY_ONLY = "true";
+                };
+                environment.etc."ssh/ssh_host_ed25519_key.pub".source = ../../secrets/hosts/${hostname}/id_ed25519.pub;
+                age = rec {
+                  rekey = {
+                    storageMode = "local";
+                    hostPubkey = builtins.readFile ../../secrets/hosts/${hostname}/id_ed25519.pub;
+                    masterIdentities = [
+                      { identity=secrets.id_ed25519.path; pubkey="builtins.readFile ../../secrets/hosts/${hostname}/id_ed25519.pub"; }
+                      { identity=../../secrets/yubikey-identity.age; pubkey="age1yubikey1q25a8ax2t0ujv7q5wvpmlpa52h599n6682jprxuftlw4zpxy2xu9s6lhrel"; }
+                    ];
+                    localStorageDir = lib.path.append ../../secrets/rekeyed hostname;
+                    generatedSecretsDir = lib.path.append ../../secrets hostname;
+                  };
+                  secrets.hashed-user-password.rekeyFile = ../../secrets/hashed-user-password.age;
+                  secrets.id_ed25519={
+                    rekeyFile = ../../secrets/hosts/${hostname}/id_ed25519.age;
+                    path = "/etc/ssh/ssh_host_ed25519_key";
+                  };
+                  secrets.luks-password.rekeyFile = ../../secrets/luks-password.age;
+                  secrets.luks-password.path = "/luks-password";
+                };
+              }
+            ]
+            ++ modules;
+        }
+    );
+  # TODO:
+  # mkHosts = root: let
+  #   hosts = attrNames (filterAttrs (_: type: type == "directory") (builtins.readDir root));
+  #   hostDirs = builtins.listToAttrs (
+  #     lib.map (hostName: lib.nameValuePair hostName (lib.path.append root hostName)) hosts
+  #   );
+  #   hostResolved =
+  #     lib.mapAttrs (
+  #       _: hostDir: (lib.map (fileName: lib.path.append hostDir fileName) (attrNames (builtins.readDir hostDir)))
+  #     )
+  #     hostDirs;
+  #   hostsConfig = mapAttrs (host: modules: mkSystem host modules ) hostResolved;
+  # in
+  #   hostsConfig;
+in {
+  flake.nixosConfigurations = {
+    laptop = mkSystem {
+      hostname = "laptop";
+      modules = [
+        ./laptop/configuration.nix
+        ./laptop/disk-configuration.nix
+        ./laptop/hardware-configuration.nix
+      ];
+      username = "nickolaj";
+    };
+    desktop = mkSystem {
+      hostname = "desktop";
+      modules = [
+        ./desktop/configuration.nix
+      ];
+      username = "nickolaj";
+    };
+  };
+}
--- a/parts/hosts/desktop/configuration.nix
+++ b/parts/hosts/desktop/configuration.nix
@ -0,0 +1,12 @@
+{hostname, ...}: {
+  imports = [
+    ../../modules/base.nix
+    ../../modules/shell.nix
+    ../../modules/graphical.nix
+  ];
+
+  config = {
+    user.username = "nickolaj";
+    system.stateVersion = "24.11";
+  };
+}
--- a/parts/hosts/laptop/configuration.nix
+++ b/parts/hosts/laptop/configuration.nix
@ -0,0 +1,13 @@
+{...}: {
+  imports = [
+    ../../modules/base.nix
+    ../../modules/shell.nix
+    ../../modules/graphical.nix
+  ];
+
+  config = {
+    user.username = "nickolaj";
+    networking.hostName = "laptop";
+    system.stateVersion = "24.11";
+  };
+}
--- a/parts/hosts/laptop/disk-configuration.nix
+++ b/parts/hosts/laptop/disk-configuration.nix
@ -0,0 +1,62 @@
+{config, ...}: {
+  disko.devices = {
+    disk = {
+      vdb = {
+        device = "/dev/nvme0n1";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              name = "boot";
+              size = "1M";
+              type = "EF02";
+            };
+
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = ["defaults"];
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                # passwordFile = "/luks-password";
+                passwordFile = config.age.secrets.luks-password.path;
+                settings = {
+                  allowDiscards = true;
+                  bypassWorkqueues = true;
+                };
+                content = {
+                  type = "btrfs";
+                  extraArgs = ["-f"];
+                  subvolumes = {
+                    "@" = {
+                      mountpoint = "/";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "@nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "@home" = {
+                      mountpoint = "/home";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/parts/hosts/laptop/hardware-configuration.nix
+++ b/parts/hosts/laptop/hardware-configuration.nix
@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usbhid"
+  ];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}