diff --git a/flake.nix b/flake.nix
index 9aba576..3a6e387 100644
--- a/flake.nix
+++ b/flake.nix
@@ -77,6 +77,21 @@
 ./machines/izanagi-minimal
 ];
 };
+ izanagi =
+ let
+ username = "izanagi";
+ in nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs outputs extraHomeModules username;};
+ modules = [
+ disko.nixosModules.disko
+ home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
+ inputs.copyparty.nixosModules.default
+
+ ./machines/izanagi
+ ./modules
+ ];
+ };
 };
 packages.x86_64-linux = {
diff --git a/machines/izanagi-minimal/disko-config.nix b/machines/izanagi-minimal/disko-config.nix
index 8afb0bb..1b75c18 100644
--- a/machines/izanagi-minimal/disko-config.nix
+++ b/machines/izanagi-minimal/disko-config.nix
@@ -1,4 +1,7 @@
-{ username, ... }:
+{
+ username,
+ ...
+}:
 {
 disko.devices = {
 disk = {
diff --git a/machines/izanagi-minimal/home.nix b/machines/izanagi-minimal/home.nix
index 156b952..c551006 100644
--- a/machines/izanagi-minimal/home.nix
+++ b/machines/izanagi-minimal/home.nix
@@ -1,11 +1,6 @@
 { config, lib, pkgs, username, ... }:
-let
-in {
- imports = [
- ];
-
-
+{
 home = {
 inherit username;
 stateVersion = "25.05";
diff --git a/machines/izanagi/.sops.yaml b/machines/izanagi/.sops.yaml
new file mode 100644
index 0000000..97f91a6
--- /dev/null
+++ b/machines/izanagi/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &primary age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
+ - &izanagi age1rfxyntqw6kgjr3akm80a84c99ez4sl3r6gqdnxhljc0dqsjj94vqfu67a2
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
+ - *izanagi
diff --git a/machines/izanagi/default.nix b/machines/izanagi/default.nix
new file mode 100644
index 0000000..fcc9a2f
--- /dev/null
+++ b/machines/izanagi/default.nix
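Review bot: The `username = "izanagi"` bound in the new `izanagi` entry and handed through `specialArgs` is shadowed downstream: `machines/izanagi/default.nix` in this same commit does not take `username` from its argument set and instead defines `let username = "susano";`, so `networking.hostName = username` and the created account become `susano` while the flake entry and directory are named `izanagi`. Pick one source of truth — either take the value from the module arguments in default.nix (`{ config, pkgs, extraHomeModules, inputs, lib, username, ... }:` and drop the local `let` binding) or remove `username` from `specialArgs` here. Note that `machines/izanagi/disko-config.nix` also requests `username` in its argument pattern without using it, so the specialArgs value currently has no consumer on this host at all.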
@@ -0,0 +1,138 @@
+{ config, pkgs, extraHomeModules, inputs, lib, ... }:
+
+let
+ username = "susano";
+ flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+in {
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./disko-config.nix
+ ./sops.nix
+ ];
+
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ ];
+ # Configure your nixpkgs instance
+ config = {
+ # Disable if you don't want unfree packages
+ allowUnfree = true;
+ };
+ };
+
+ nix = {
+ settings = {
+ # Enable flakes and new 'nix' command
+ experimental-features = "nix-command flakes";
+ # Opinionated: disable global registry
+ flake-registry = "";
+ # Workaround for https://github.com/NixOS/nix/issues/9574
+ nix-path = config.nix.nixPath;
+
+ # Allow user to reubild nixos without sudo
+ trusted-users = [ "root" username ];
+ };
+ # Opinionated: disable channels
+ channel.enable = false;
+
+ # Opinionated: make flake registry and nix path match flake inputs
+ registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+ nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+ };
+
+ # Bootloader.
+ boot.loader.grub = {
+ enable = true;
+ useOSProber = true;
+ };
+
+ networking.hostName = username;
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Warsaw";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_GB.UTF-8";
+ LC_IDENTIFICATION = "en_GB.UTF-8";
+ LC_MEASUREMENT = "en_GB.UTF-8";
+ LC_MONETARY = "en_GB.UTF-8";
+ LC_NAME = "en_GB.UTF-8";
+ LC_NUMERIC = "en_GB.UTF-8";
+ LC_PAPER = "en_GB.UTF-8";
+ LC_TELEPHONE = "en_GB.UTF-8";
+ LC_TIME = "en_GB.UTF-8";
+ };
+
+ security.rtkit.enable = true;
+
+ users.users.${username} = {
+ isNormalUser = true;
+ description = "NixOS Proxmox DevMachine";
+ hashedPassword = "$6$fgXNf1aUOgGn7QWQ$rOcVKUnBC7td/KVdyLzknQy4LjgQDETKPIxivi1yWd4boWbRgITr/.iYlekZOuRuC6m.WydgV9PviqlrioDF91";
+ extraGroups = [ "networkmanager" "wheel" ];
+ packages = with pkgs; [
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcGhVpjmWEw1GEw0y/ysJPa2v3+u/Rt/iES/Se2huH2 alexander0derevianko@gmail.com"
+ ];
+
+ shell = pkgs.zsh;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ ripgrep
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ # Opinionated: forbid root login through SSH.
+ PermitRootLogin = "no";
+ # Opinionated: use keys only.
+ # Remove if you want to SSH using passwords
+ PasswordAuthentication = false;
+ };
+ };
+
+ programs = {
+ zsh.enable = true;
+ };
+
+ ###
+ # Home Manger configuration
+ ###
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ backupFileExtension = "backup";
+ extraSpecialArgs = { inherit inputs username; };
+
+ users."${username}" = {
+ imports = [
+ ./home.nix
+ ] ++ extraHomeModules;
+ };
+ };
+
+ ###
+ # My Services
+ ###
+
+ dov = {
+ virtualisation = {
+ podman.enable = false;
+ docker.enable = true;
+ };
+ };
+
+ # DO NOT CHANGE AT ANY POINT!
+ system.stateVersion = "25.05";
+}
diff --git a/machines/izanagi/disko-config.nix b/machines/izanagi/disko-config.nix
new file mode 100644
index 0000000..c9460a9
--- /dev/null
+++ b/machines/izanagi/disko-config.nix
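Review bot: `users.users.${username}.hashedPassword` embeds the account's password hash directly in this file, while `sops.nix` in the same commit declares a `user_password` secret with `neededForUsers = true` that nothing consumes; the committed hash is readable by anyone with access to the repository or its history and can be guessed against offline, and the sops secret is dead configuration. Replace the inline value with `hashedPasswordFile = config.sops.secrets.user_password.path;` (that is exactly the case `neededForUsers` exists for) and do not keep both options set for the same user. Because the hash is already in git history, the password behind it should be changed after the switch. The same unused-secret point applies to the `secrets` attribute in the sops.nix hunk further down.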
@@ -0,0 +1,31 @@
+{
+ username,
+ ...
+}:
+{
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/izanagi/hardware-configuration.nix b/machines/izanagi/hardware-configuration.nix
new file mode 100644
index 0000000..c760612
--- /dev/null
+++ b/machines/izanagi/hardware-configuration.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # fileSystems."/" =
+ # { device = "/dev/disk/by-uuid/301d5990-7186-4a90-94aa-997044007358";
+ # fsType = "ext4";
+ # };
+
+ # swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/izanagi/home.nix b/machines/izanagi/home.nix
new file mode 100644
index 0000000..de0d0dd
--- /dev/null
+++ b/machines/izanagi/home.nix
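Review bot: The argument pattern `{ username, ... }:` at the top of the new disko-config.nix requests `username` but the body only defines `disko.devices` and never references it; `{ ... }:` says what the file actually needs and avoids suggesting that the layout depends on the user. The disk path is hard-coded, which is reasonable for a single Proxmox VM but deserves a one-line comment stating that assumption next to it, e.g. `device = "/dev/vda"; # Proxmox virtio disk; adjust for other hosts`. The layout also has no swap partition, so if that is intentional a short comment would stop the next reader from treating it as an omission.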
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, inputs, extraHomeModules, username, ... }:
+
+{
+ home = {
+ stateVersion = "25.05";
+ username = username;
+ homeDirectory = "/home/${username}";
+ };
+
+ dov = {
+ shell = {
+ zsh = {
+ enable = true;
+ shellAliases = {
+ ll = "eza -al";
+ sc = "source $HOME/.zshrc";
+ psax = "ps ax | grep";
+ cp = "rsync -ah --progress";
+ };
+ };
+ };
+ };
+
+ programs.home-manager.enable = true;
+
+ home.packages = with pkgs; [
+ eza
+ ];
+}
diff --git a/machines/izanagi/secrets/secrets.yaml b/machines/izanagi/secrets/secrets.yaml
new file mode 100644
index 0000000..3ff9b86
--- /dev/null
+++ b/machines/izanagi/secrets/secrets.yaml
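Review bot: `username = username;` in the `home` block is the long form of `inherit username;`, which is the form this same commit switches `machines/izanagi-minimal/home.nix` to; use `inherit username;` here so the two machine configs read the same. The argument pattern also requests `extraHomeModules`, which the body never uses and which `extraSpecialArgs` in default.nix does not pass (it passes only `inputs` and `username`), so it looks like a leftover that can be dropped — confirm nothing else injects it before removing. The `cp` alias replaces a standard command with `rsync -ah --progress` for every interactive shell, which is a behaviour change worth a comment such as `# interactive-only: overrides cp with rsync for progress output`.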
@@ -0,0 +1,41 @@ +user_password: ENC[AES256_GCM,data:Q7rk67ylyjr5Sa+AYCxnQAPLbBP5Fy85wTGLZuqxBG3iJ+MmhEgfeatVA2tcsY7GSaU/vghny+TJtrvhDYYMqa10h/F0wPxUjId78qkhKbnRQs4mqAxA9heSi4ojp1kh/pXN7tj64wNyJA==,iv:FTUojVNz78tn/Uj1N8Oj5Iov9eEMRo5vz+mqHdewxjg=,tag:YF74hLXXUby0IjHrqdkBUQ==,type:str] +duckdns-token: ENC[AES256_GCM,data:Gf3kIpOO/X+ZVXV4w71Fp5qMuNedBBoobazAFpp22RC70xKb6xsJVffWdtFq0blDe5Y=,iv:SNq6wnhG6CuDwB3NQ/PryTgY3U/J2g1XfGCW7gSEYbo=,tag:MWqhrJRreGZ/SaapAaCXQA==,type:str] +matrix_secret: ENC[AES256_GCM,data:U1yPFsFeLA5tbFf/MMACrhmH/32zUMUg2HOHWdAtcm+ybg9KgjhQmbGDM/MTDoRaAa+Zqfs774gz3A6Rg4HLuvCr4cPotSCHH8qRPz+UDK4Bvf305EfLP22Rrhc=,iv:A9BSgw1hHg+y8x4GC4hWNBCaYZNlRfS1+jKKv38znXg=,tag:SkwEfez7TRhFuLEL4PkvZA==,type:str] +copyparty: + admin_password: ENC[AES256_GCM,data:VlHcQB1Z1/wSUi8yCEpcW+i8h3c=,iv:mystE6THTS50LzV/TPm+QtZ1C87Vxtx+W9jVzcGAnSM=,tag:8nxtbklHwJnI7VHjJA55dQ==,type:str] + alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str] +smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str] +searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str] +authelia: + jwt_secret: ENC[AES256_GCM,data:WroxkJeD+rtej6wMXgafQ+DdzCffLs8SDD4VHPQnOURIzZFCTPwK9JOvrNIL6eIEGyhqtySvOhXrnFj4,iv:tQZ15yoGLoDAF9PFKSh/ol8hDX88vZmHOrI+nhGGu4Y=,tag:Qadsu6Z62287XK8voIjn5g==,type:str] + session_secret: ENC[AES256_GCM,data:t5pBvmZaO+bXyac0NZUZL8sS1xcwa9XH6M8zgziIA9Nhe9umw8B2LckMqz82NAvpLGeCoMXd9MmODv0e,iv:OIfo4omyCN1kM4FCAf9tB0tyzDJ4FsbggGboX9duVH0=,tag:ybYRFlIJPEmnR8ASGNI3TA==,type:str] + storage_password: 
ENC[AES256_GCM,data:BhV/oOvjnY4xi6cTZhgxNERKfIE=,iv:xmz4eLoKjlmX3TxQoPttMFhJWwOlwaOTgfgQty+AWts=,tag:k0tVP2X3YH9Pf7BtfpSDaw==,type:str] + storage_encryption_key: ENC[AES256_GCM,data:0ZC36l/F/Kd4GXZ61TW1MaVrVdyLrg0/4/wOw26RDu0YYmjDmM2GFZ9jQdImoF+LoMqCsosMwcwa357tKvH4eg==,iv:AwRwEedfgg4QYdLr01V9O18la5tv5qC2kAlykHEkebk=,tag:J7WiGacBM6nCoFSBIoh5xg==,type:str] + oidc_jwk: ENC[AES256_GCM,data:7Y93/QNMmP/trJtalNUTWHKzUEb9dqoxdw1rwphRcT0acKN9QIKcsivgte7uAekSZDw15H552lrtlOgLl6dpO+fPYUry1UpskC6EyFIoNmG+FXWNvhBH1Vtl9KdubejQ5GHzPJB/qj5pjxwHXMB+cjei+bJuid1Dt8pRPJ+CM/n/S2fHy2bGWxfAZodp1ADaqwz3+gqrPxFgCHRZlwRKqCnHm3DR8pM0XiEVse8KyzC6P6qzWeTSAQ8Dtu36CxsxHtWasUGxXTz2rlcTTUr7XQCCfr2a8xqk7M4++G9OUkQubDpbDKiuQgFAiO8kbPwniSfkjHqwcICiHrnmo+0cIoucHF5CqAAR6YtahRYS13ANGsmiWpe/32RN+41LLFMB0nTVkRn9LpxEYlrDvyIHu5qV7OXRwFuUR0OwYNiU9fpSkZI35b1j6rtcNqKNL5DC5l/iBdqkKZ45QJenKSuxNli1HP/ftufBEwypuwrUZeYkr1NXnoeC4k789ZNIKFdDjj6du+pb38OcdGAIKilSlH67LzdthP002qJerxa3YEM2bsBuvWJ5s5GB6VfSdQMzygYpOjQXbckC3Mj3SrpnrSw4NMpRSFz9R0OlMf7SKJ31fykeTWamsrAmaTHz8RiQeXR8Un2T+UMa3w0Opr9ICKls/7pUKLQ3h1TS+p9fKw/WK/wh54xZ2Umn1RbQRkjJDOas6aVUvEFT3hhkDObWXbBSpu3Nm+4eW+G9xXoqg34p3AK7Hr64TYcLoqh8KaYiXEceZp16HLPL3npW43rNYgT3c0vyI5yDzJXP1j75lym/jyP9pUtTQINyT0SqswAQEOwaPBIyNqbInUi4gX/yOBJmGVF8MXJLG+/5EjFyTmoQfdbtCG/ZTq2cz87czF6Ai0R6HTSOA/nv//phGdy1b9pG2LxeBCUpvhkTxzpATNxinaB8TeTnhiFvpK54NLHm4y2y4oB3jB0BAPIsCFfjjqKTWAvg7c2BEiI8HSb2Uh8DR1uEbSqY8QX+1eOqx1chaPKxtJzmXivYQRZ89PV29pmiQ2sj41e5dG38faZY9LNUeES4kSmSOqjQUskiogF6aaTWQlb4/SMoDdbmLzbdTAC66XBopt6DFPIGL+MoRAxAPdDTBDEl54ZV1/N9uJ89kOVW3EQIr0oiCEt5eowYel9I1rOIkyPPe7GcmqyDM0d9jlWe6kQ+HIUe1uJhCTCZjb9COGTQ2mf3toHJXA03kW6U71bT/33fHDvQj/mi1qGv30bWyQxu3Ll0jMuhhoelZBEHnSdKvtZKzxW+p2ymwmJjh1R/OZt4lhgVhh4mW6633Jb5IIVUfMHPjTBA8ERLCOrOffT1Y9BV5iK3/CLOZEx1qDLdl9hGKt/Kt4ULvIk4iqSb0nPDMI42m3zM+KmipzMff2RDwxt6U2itdIuZyiqkqbO8YKiqbzhJeC7cXQpKmTAj90OFiFzUnwDMJFSTBpcKRAVlbU9IYLK1RhVIv0J1Jt5Vmi5vZKyHV3O0fsbvP/SU/8kLGYgodiaZANJzIuIJvR84Fs4kmwvicM7WhG8nkl/Rz6ZG+2S4EYQBpvi73WRJ9MPY9ULhcYJBuFZQXNeOOEcyHP
q5nkcsFjshB6g5ssIBxhElxYFa08AyAopc2bg0vXCRUQJn/I1uTvTJmxGBjM4q2SAlWAUf3MX3yPQwd/p5LoxwrRHEB+lXLKImg95QZUaaOu9JWvJMwpje+6YP8XBFTgoM6gqz44jBXHLGfyiHiCfOQn0dpzvhSimcKgQN2rjkhgEdVWovIyTi4+oD+4TawHjl2xORnbCX2+m4X4FnTnX8JU8xCNU2f4sIk4PPptSn1bogt9YUFxCdvDqX0gAgSaAwT4L3xfQ/4prYv57dyFUElvcZjPzJGrmHwWnZE0YaT94dQetCLCMRlQJcHIBz1V36pftRLZdFCTiDd7PxifZk/Ol5kLO3UEJR8ALaC0+KqwUPqO2wse+HOsvobTXcA6Jn+7g58xPpPE88EI52jj/wlp58EZp6B8yYs7ZZufZcFKhrhllWgWEzEnnTd3NuKZjYWx4TYbBgBggNW5EMRLD4HxQLiZu5JUAcwUbFPyLQrVEYejo8LixcciIUMic6DV+oZ7245tBiYxWHHpQWOkAUE67/+I7tN7xFsl8rdmUGkBXCoEIAsX5T3VKjre6JnqHzH4TLlPFxuP0uPVuAjUYVu9gWecpVlDHKEIMFnbLhdye7zgcwYmmfav1KFGgXYGd0R9IMu7ONJtaVvxfxrngW,iv:nR4OAMkuWvBHtkpkzr0XLUHHjVfZjw6sk5V7/llK14g=,tag:KJqhsBiqe2cU2kuCxTWB6g==,type:str] +ldap: + root: ENC[AES256_GCM,data:ZQWTm78whU8DA4GQkZYEcM/WO1AGBWTOV0ymGF2LFkBCuSKG2u4=,iv:YGZRvBvlR0R4umt0Uu71fWoUieYXSyxKX/gUivF8/dI=,tag:hPBAyEzql60pRCzDKrMuBQ==,type:str] + authelia: ENC[AES256_GCM,data:y3oaV8zP/9A+QBmjfnsxATPfG+g=,iv:wFlSk8oJuKYfBAL5dyjpgwDC+xJ4XbzjS1GaGQGV8RE=,tag:euFXBfZ/u5OVJ/hicFnkMw==,type:str] +sops: + age: + - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdXBSVm9adncvMUVPQVc3 + MStnazNDQ29tQlh2ZVZtSElvZnhTenFtYXlFCnNPU0VKaUR6dG90ZlBBMFdaL2Fz + OFc4aTFxdU9DUjhhUk9xUW1GRjB1bGcKLS0tIFg1cEFEejRsMTNJQThoYytmdk1H + RFY3T0tYcDFoQUxaL3h1YW8vdXBSQk0KF2nhM4S8vyzCrij5lTvoErgtvUkCrFwh + eOhHP2QddxK1dwJsvrqOIQl9Gnd+GBgsNs/CY37MLkPGHXcUb9sCsA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rfxyntqw6kgjr3akm80a84c99ez4sl3r6gqdnxhljc0dqsjj94vqfu67a2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd29NUjRGN0FDTHVTSG1v + bVBYYUpPYTF0aVRpRlJQbmlMaXgxWGk4OUFJCk0yLzkrcUwwaUhESW1pc1QzNldC + dDAvdVVFN0hHa200bDhJTE9vVUs5RFkKLS0tIEVmRG5Ec3ZRTHRwNW8yd09MTXMv + VEZhR2NPVjdBa3BadHpMMUZkWDBMY00K5khR4JEKkg4czyNJ+StdM/18Qaw9ci0n + 
zmO/uPFFb1T9IDwQVPQwgbwzv7BSjC3r7tPGjh0hWokaTtDBWxI08Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-28T09:08:03Z"
+ mac: ENC[AES256_GCM,data:R66Wy3x0MQxwvS1vR59IEG31p3i9x/IXCusK28HhOH611TPRt5Zy4iWv3pLJpuG36v4qTmGOGq5Fznf/iYl4kj313KXeo45opDZixyOEDTLhaY4ZBLTa0Ozh9DBoq/emrwis8eEysFESBM5WKtQZUDw7gQXgTcgaEa4/RQYtn+o=,iv:dvTmKh0EAEOYY9QikQMXtkxOPLy7XsF131Lnm1E6Kcc=,tag:tBbb8EbTcMkhRCE/NuED9g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/machines/izanagi/sops.nix b/machines/izanagi/sops.nix
new file mode 100644
index 0000000..b2e3fae
--- /dev/null
+++ b/machines/izanagi/sops.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets/secrets.yaml;
+ age = {
+ # This will automatically import SSH keys as age keys
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # This is using an age key that is expected to already be in the filesystem
+ keyFile = "/var/lib/sops-nix/key.txt";
+ # This will generate a new key if the key specified above does not exist
+ generateKey = true;
+ # This is the actual specification of the secrets.
+ };
+
+ secrets = { "user_password" = { neededForUsers = true; }; };
+ };
+}
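Review bot: The comment `# This is the actual specification of the secrets.` sits as the last line of the `age` block, after `generateKey`, but describes the `secrets` attribute that follows the block; move it directly above `secrets = { ... };` so it documents what it points at. Both `sshKeyPaths` and `keyFile` with `generateKey = true` are enabled, and which of them corresponds to the `&izanagi` recipient in `.sops.yaml` is not recorded anywhere: if the recipient is the host's SSH key, the key generated at `/var/lib/sops-nix/key.txt` can never decrypt secrets.yaml and is only noise, and if it is the generated key then that file must have existed before `secrets.yaml` was encrypted or decryption fails on first boot. A one-line comment above `keyFile`, e.g. `# &izanagi in .sops.yaml is <which key: the host ssh_host_ed25519_key converted to age, or this generated key>`, would make the recovery path clear for whoever reinstalls the host.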