Added izanagi

2025-07-31 16:46:33 +02:00
parent c62940176b
commit 045687bb5f
10 changed files with 314 additions and 7 deletions
@@ -1,4 +1,7 @@
-{ username, ... }:
+{
+  username,
+  ...
+}:
 {
  disko.devices = {
    disk = {
@@ -1,11 +1,6 @@
 { config, lib, pkgs, username, ... }:

-let
-in {
-  imports = [
-  ];
-
-
+{
  home = {
    inherit username;
    stateVersion = "25.05";
@@ -0,0 +1,9 @@
+keys:
+  - &primary age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
+  - &izanagi age1rfxyntqw6kgjr3akm80a84c99ez4sl3r6gqdnxhljc0dqsjj94vqfu67a2
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *primary
+          - *izanagi
@@ -0,0 +1,138 @@
+{ config, pkgs, extraHomeModules, inputs, lib, ... }:
+
+let
+  username = "susano";
+  flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./disko-config.nix
+      ./sops.nix
+    ];
+
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+    ];
+    # Configure your nixpkgs instance
+    config = {
+      # Disable if you don't want unfree packages
+      allowUnfree = true;
+    };
+  };
+
+  nix = {
+    settings = {
+      # Enable flakes and new 'nix' command
+      experimental-features = "nix-command flakes";
+      # Opinionated: disable global registry
+      flake-registry = "";
+      # Workaround for https://github.com/NixOS/nix/issues/9574
+      nix-path = config.nix.nixPath;
+
+      # Allow user to reubild nixos without sudo
+      trusted-users = [ "root" username ];
+    };
+    # Opinionated: disable channels
+    channel.enable = false;
+
+    # Opinionated: make flake registry and nix path match flake inputs
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+
+  # Bootloader.
+  boot.loader.grub = {
+    enable = true;
+    useOSProber = true;
+  };
+
+  networking.hostName = username;
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Warsaw";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_GB.UTF-8";
+    LC_IDENTIFICATION = "en_GB.UTF-8";
+    LC_MEASUREMENT = "en_GB.UTF-8";
+    LC_MONETARY = "en_GB.UTF-8";
+    LC_NAME = "en_GB.UTF-8";
+    LC_NUMERIC = "en_GB.UTF-8";
+    LC_PAPER = "en_GB.UTF-8";
+    LC_TELEPHONE = "en_GB.UTF-8";
+    LC_TIME = "en_GB.UTF-8";
+  };
+
+  security.rtkit.enable = true;
+
+  users.users.${username} = {
+    isNormalUser = true;
+    description = "NixOS Proxmox DevMachine";
+    hashedPassword = "$6$fgXNf1aUOgGn7QWQ$rOcVKUnBC7td/KVdyLzknQy4LjgQDETKPIxivi1yWd4boWbRgITr/.iYlekZOuRuC6m.WydgV9PviqlrioDF91";
+    extraGroups = [ "networkmanager" "wheel" ];
+    packages = with pkgs; [
+    ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcGhVpjmWEw1GEw0y/ysJPa2v3+u/Rt/iES/Se2huH2 alexander0derevianko@gmail.com"
+    ];
+
+    shell = pkgs.zsh;
+  };
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    ripgrep
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      # Opinionated: forbid root login through SSH.
+      PermitRootLogin = "no";
+      # Opinionated: use keys only.
+      # Remove if you want to SSH using passwords
+      PasswordAuthentication = false;
+    };
+  };
+
+  programs = {
+    zsh.enable = true;
+  };
+
+  ###
+  # Home Manger configuration
+  ###
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    backupFileExtension = "backup";
+    extraSpecialArgs = { inherit inputs username; };
+
+    users."${username}" = {
+      imports = [
+        ./home.nix
+      ] ++ extraHomeModules;
+    };
+  };
+
+  ###
+  # My Services
+  ###
+
+  dov = {
+    virtualisation = {
+      podman.enable = false;
+      docker.enable = true;
+    };
+  };
+
+  # DO NOT CHANGE AT ANY POINT!
+  system.stateVersion = "25.05";
+}
@@ -0,0 +1,31 @@
+{
+  username,
+  ...
+}:
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # fileSystems."/" =
+  #   { device = "/dev/disk/by-uuid/301d5990-7186-4a90-94aa-997044007358";
+  #     fsType = "ext4";
+  #   };
+
+  # swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it&#39;s
+  # still possible to use this option, but it&#39;s recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.&lt;interface&gt;.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, inputs, extraHomeModules, username, ... }:
+
+{
+  home = {
+    stateVersion = "25.05";
+    username = username;
+    homeDirectory = "/home/${username}";
+  };
+
+  dov = {
+    shell = {
+      zsh = {
+        enable = true;
+        shellAliases = {
+          ll = "eza -al";
+          sc = "source $HOME/.zshrc";
+          psax = "ps ax | grep";
+          cp = "rsync -ah --progress";
+        };
+      };
+    };
+  };
+
+  programs.home-manager.enable = true;
+
+  home.packages = with pkgs; [
+    eza
+  ];
+}
@@ -0,0 +1,41 @@
+user_password: ENC[AES256_GCM,data:Q7rk67ylyjr5Sa+AYCxnQAPLbBP5Fy85wTGLZuqxBG3iJ+MmhEgfeatVA2tcsY7GSaU/vghny+TJtrvhDYYMqa10h/F0wPxUjId78qkhKbnRQs4mqAxA9heSi4ojp1kh/pXN7tj64wNyJA==,iv:FTUojVNz78tn/Uj1N8Oj5Iov9eEMRo5vz+mqHdewxjg=,tag:YF74hLXXUby0IjHrqdkBUQ==,type:str]
+duckdns-token: ENC[AES256_GCM,data:Gf3kIpOO/X+ZVXV4w71Fp5qMuNedBBoobazAFpp22RC70xKb6xsJVffWdtFq0blDe5Y=,iv:SNq6wnhG6CuDwB3NQ/PryTgY3U/J2g1XfGCW7gSEYbo=,tag:MWqhrJRreGZ/SaapAaCXQA==,type:str]
+matrix_secret: ENC[AES256_GCM,data:U1yPFsFeLA5tbFf/MMACrhmH/32zUMUg2HOHWdAtcm+ybg9KgjhQmbGDM/MTDoRaAa+Zqfs774gz3A6Rg4HLuvCr4cPotSCHH8qRPz+UDK4Bvf305EfLP22Rrhc=,iv:A9BSgw1hHg+y8x4GC4hWNBCaYZNlRfS1+jKKv38znXg=,tag:SkwEfez7TRhFuLEL4PkvZA==,type:str]
+copyparty:
+    admin_password: ENC[AES256_GCM,data:VlHcQB1Z1/wSUi8yCEpcW+i8h3c=,iv:mystE6THTS50LzV/TPm+QtZ1C87Vxtx+W9jVzcGAnSM=,tag:8nxtbklHwJnI7VHjJA55dQ==,type:str]
+    alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str]
+smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str]
+searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str]
+authelia:
+    jwt_secret: ENC[AES256_GCM,data:WroxkJeD+rtej6wMXgafQ+DdzCffLs8SDD4VHPQnOURIzZFCTPwK9JOvrNIL6eIEGyhqtySvOhXrnFj4,iv:tQZ15yoGLoDAF9PFKSh/ol8hDX88vZmHOrI+nhGGu4Y=,tag:Qadsu6Z62287XK8voIjn5g==,type:str]
+    session_secret: ENC[AES256_GCM,data:t5pBvmZaO+bXyac0NZUZL8sS1xcwa9XH6M8zgziIA9Nhe9umw8B2LckMqz82NAvpLGeCoMXd9MmODv0e,iv:OIfo4omyCN1kM4FCAf9tB0tyzDJ4FsbggGboX9duVH0=,tag:ybYRFlIJPEmnR8ASGNI3TA==,type:str]
+    storage_password: ENC[AES256_GCM,data:BhV/oOvjnY4xi6cTZhgxNERKfIE=,iv:xmz4eLoKjlmX3TxQoPttMFhJWwOlwaOTgfgQty+AWts=,tag:k0tVP2X3YH9Pf7BtfpSDaw==,type:str]
+    storage_encryption_key: ENC[AES256_GCM,data:0ZC36l/F/Kd4GXZ61TW1MaVrVdyLrg0/4/wOw26RDu0YYmjDmM2GFZ9jQdImoF+LoMqCsosMwcwa357tKvH4eg==,iv:AwRwEedfgg4QYdLr01V9O18la5tv5qC2kAlykHEkebk=,tag:J7WiGacBM6nCoFSBIoh5xg==,type:str]
+    oidc_jwk: ENC[AES256_GCM,data:7Y93/QNMmP/trJtalNUTWHKzUEb9dqoxdw1rwphRcT0acKN9QIKcsivgte7uAekSZDw15H552lrtlOgLl6dpO+fPYUry1UpskC6EyFIoNmG+FXWNvhBH1Vtl9KdubejQ5GHzPJB/qj5pjxwHXMB+cjei+bJuid1Dt8pRPJ+CM/n/S2fHy2bGWxfAZodp1ADaqwz3+gqrPxFgCHRZlwRKqCnHm3DR8pM0XiEVse8KyzC6P6qzWeTSAQ8Dtu36CxsxHtWasUGxXTz2rlcTTUr7XQCCfr2a8xqk7M4++G9OUkQubDpbDKiuQgFAiO8kbPwniSfkjHqwcICiHrnmo+0cIoucHF5CqAAR6YtahRYS13ANGsmiWpe/32RN+41LLFMB0nTVkRn9LpxEYlrDvyIHu5qV7OXRwFuUR0OwYNiU9fpSkZI35b1j6rtcNqKNL5DC5l/iBdqkKZ45QJenKSuxNli1HP/ftufBEwypuwrUZeYkr1NXnoeC4k789ZNIKFdDjj6du+pb38OcdGAIKilSlH67LzdthP002qJerxa3YEM2bsBuvWJ5s5GB6VfSdQMzygYpOjQXbckC3Mj3SrpnrSw4NMpRSFz9R0OlMf7SKJ31fykeTWamsrAmaTHz8RiQeXR8Un2T+UMa3w0Opr9ICKls/7pUKLQ3h1TS+p9fKw/WK/wh54xZ2Umn1RbQRkjJDOas6aVUvEFT3hhkDObWXbBSpu3Nm+4eW+G9xXoqg34p3AK7Hr64TYcLoqh8KaYiXEceZp16HLPL3npW43rNYgT3c0vyI5yDzJXP1j75lym/jyP9pUtTQINyT0SqswAQEOwaPBIyNqbInUi4gX/yOBJmGVF8MXJLG+/5EjFyTmoQfdbtCG/ZTq2cz87czF6Ai0R6HTSOA/nv//phGdy1b9pG2LxeBCUpvhkTxzpATNxinaB8TeTnhiFvpK54NLHm4y2y4oB3jB0BAPIsCFfjjqKTWAvg7c2BEiI8HSb2Uh8DR1uEbSqY8QX+1eOqx1chaPKxtJzmXivYQRZ89PV29pmiQ2sj41e5dG38faZY9LNUeES4kSmSOqjQUskiogF6aaTWQlb4/SMoDdbmLzbdTAC66XBopt6DFPIGL+MoRAxAPdDTBDEl54ZV1/N9uJ89kOVW3EQIr0oiCEt5eowYel9I1rOIkyPPe7GcmqyDM0d9jlWe6kQ+HIUe1uJhCTCZjb9COGTQ2mf3toHJXA03kW6U71bT/33fHDvQj/mi1qGv30bWyQxu3Ll0jMuhhoelZBEHnSdKvtZKzxW+p2ymwmJjh1R/OZt4lhgVhh4mW6633Jb5IIVUfMHPjTBA8ERLCOrOffT1Y9BV5iK3/CLOZEx1qDLdl9hGKt/Kt4ULvIk4iqSb0nPDMI42m3zM+KmipzMff2RDwxt6U2itdIuZyiqkqbO8YKiqbzhJeC7cXQpKmTAj90OFiFzUnwDMJFSTBpcKRAVlbU9IYLK1RhVIv0J1Jt5Vmi5vZKyHV3O0fsbvP/SU/8kLGYgodiaZANJzIuIJvR84Fs4kmwvicM7WhG8nkl/Rz6ZG+2S4EYQBpvi73WRJ9MPY9ULhcYJBuFZQXNeOOEcyHPq5nkcsFjshB6g5ssIBxhElxYFa08AyAopc2bg0vXCRUQJn/I1uTvTJmxGBjM4q2SAlWAUf3MX3yPQwd/p5LoxwrRHEB+lXLKImg95QZUaaOu9JWvJMwpje+6YP8XBFTgoM6gqz44jBXHLGfyiHiCfOQn0dpzvhSimcKgQN2rjkhgEdVWovIyTi4+oD+4TawHjl2xORnbCX2+m4X4FnTnX8JU8xCNU2f4sIk4PPptSn1bogt9YUFxCdvDqX0gAgSaAwT4L3xfQ/4prYv57dyFUElvcZjPzJGrmHwWnZE0YaT94dQetCLCMRlQJcHIBz1V36pftRLZdFCTiDd7PxifZk/Ol5kLO3UEJR8ALaC0+KqwUPqO2wse+HOsvobTXcA6Jn+7g58xPpPE88EI52jj/wlp58EZp6B8yYs7ZZufZcFKhrhllWgWEzEnnTd3NuKZjYWx4TYbBgBggNW5EMRLD4HxQLiZu5JUAcwUbFPyLQrVEYejo8LixcciIUMic6DV+oZ7245tBiYxWHHpQWOkAUE67/+I7tN7xFsl8rdmUGkBXCoEIAsX5T3VKjre6JnqHzH4TLlPFxuP0uPVuAjUYVu9gWecpVlDHKEIMFnbLhdye7zgcwYmmfav1KFGgXYGd0R9IMu7ONJtaVvxfxrngW,iv:nR4OAMkuWvBHtkpkzr0XLUHHjVfZjw6sk5V7/llK14g=,tag:KJqhsBiqe2cU2kuCxTWB6g==,type:str]
+ldap:
+    root: ENC[AES256_GCM,data:ZQWTm78whU8DA4GQkZYEcM/WO1AGBWTOV0ymGF2LFkBCuSKG2u4=,iv:YGZRvBvlR0R4umt0Uu71fWoUieYXSyxKX/gUivF8/dI=,tag:hPBAyEzql60pRCzDKrMuBQ==,type:str]
+    authelia: ENC[AES256_GCM,data:y3oaV8zP/9A+QBmjfnsxATPfG+g=,iv:wFlSk8oJuKYfBAL5dyjpgwDC+xJ4XbzjS1GaGQGV8RE=,tag:euFXBfZ/u5OVJ/hicFnkMw==,type:str]
+sops:
+    age:
+        - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdXBSVm9adncvMUVPQVc3
+            MStnazNDQ29tQlh2ZVZtSElvZnhTenFtYXlFCnNPU0VKaUR6dG90ZlBBMFdaL2Fz
+            OFc4aTFxdU9DUjhhUk9xUW1GRjB1bGcKLS0tIFg1cEFEejRsMTNJQThoYytmdk1H
+            RFY3T0tYcDFoQUxaL3h1YW8vdXBSQk0KF2nhM4S8vyzCrij5lTvoErgtvUkCrFwh
+            eOhHP2QddxK1dwJsvrqOIQl9Gnd+GBgsNs/CY37MLkPGHXcUb9sCsA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rfxyntqw6kgjr3akm80a84c99ez4sl3r6gqdnxhljc0dqsjj94vqfu67a2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd29NUjRGN0FDTHVTSG1v
+            bVBYYUpPYTF0aVRpRlJQbmlMaXgxWGk4OUFJCk0yLzkrcUwwaUhESW1pc1QzNldC
+            dDAvdVVFN0hHa200bDhJTE9vVUs5RFkKLS0tIEVmRG5Ec3ZRTHRwNW8yd09MTXMv
+            VEZhR2NPVjdBa3BadHpMMUZkWDBMY00K5khR4JEKkg4czyNJ+StdM/18Qaw9ci0n
+            zmO/uPFFb1T9IDwQVPQwgbwzv7BSjC3r7tPGjh0hWokaTtDBWxI08Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-28T09:08:03Z"
+    mac: ENC[AES256_GCM,data:R66Wy3x0MQxwvS1vR59IEG31p3i9x/IXCusK28HhOH611TPRt5Zy4iWv3pLJpuG36v4qTmGOGq5Fznf/iYl4kj313KXeo45opDZixyOEDTLhaY4ZBLTa0Ozh9DBoq/emrwis8eEysFESBM5WKtQZUDw7gQXgTcgaEa4/RQYtn+o=,iv:dvTmKh0EAEOYY9QikQMXtkxOPLy7XsF131Lnm1E6Kcc=,tag:tBbb8EbTcMkhRCE/NuED9g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets/secrets.yaml;
+    age = {
+      # This will automatically import SSH keys as age keys
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      # This is using an age key that is expected to already be in the filesystem
+      keyFile = "/var/lib/sops-nix/key.txt";
+      # This will generate a new key if the key specified above does not exist
+      generateKey = true;
+      # This is the actual specification of the secrets.
+    };
+
+    secrets = { "user_password" = { neededForUsers = true; }; };
+  };
+}