| author | Kj Tsanaktsidis <kjtsanaktsidis@groq.com> | 2026-01-09 11:58:31 +1100 |
|---|---|---|
| committer | Kj Tsanaktsidis <kjtsanaktsidis@groq.com> | 2026-01-09 11:58:31 +1100 |
| commit | 98e94297af73c583c9636c99772b2c1c34f98743 (patch) | |
| tree | 1ac244e55b6d544d556b2327308d07708350e824 /machines/labsrv01/default.nix | |
| parent | f5686b8e377ce3ecbf617783b4f2398423cb19fd (diff) | |
some refactor
Diffstat (limited to 'machines/labsrv01/default.nix')
| -rw-r--r-- | machines/labsrv01/default.nix | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/machines/labsrv01/default.nix b/machines/labsrv01/default.nix
new file mode 100644
index 0000000..8988cd4
--- /dev/null
+++ b/machines/labsrv01/default.nix
@@ -0,0 +1,108 @@
+{
+ inputs,
+ modulesPath,
+ lib,
+ pkgs,
+ sops,
+ config,
+ ...
+}@args:
+{
+ imports = [
+ inputs.determinate.nixosModules.default
+ inputs.disko.nixosModules.disko
+ ./disk-config.nix
+ inputs.sops-nix.nixosModules.sops
+ ./network.nix
+ ../../modules/secureboot.nix
+ ../../modules/alt-arrow-vt.nix
+
+ inputs.home-manager.nixosModules.home-manager
+ ./homes.nix
+
+ ../../modules/cgit.nix
+ ];
+ hardware.facter.reportPath = ./facter.json;
+
+ nix = {
+ extraOptions = ''
+ experimental-features = ca-derivations nix-command flakes
+ '';
+ settings = {
+ trusted-users = [ "root" "kjtsanaktsidis" ];
+ substituters = [
+ "https://cache.nixos.org"
+ # the ca-derivations cache seems to be down
+ # "https://cache.ngi0.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
+ ];
+ };
+ };
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.generateKey = false;
+
+ secrets = {
+ luks_passphrase = { };
+ kj_hashed_password = {
+ neededForUsers = true;
+ };
+ ssh_host_key_ed25519 = { };
+ ssh_host_key_rsa = { };
+ };
+ };
+
+ system.stateVersion = "25.11";
+ swapDevices = [
+ {
+ device = "/swap/swapfile";
+ size = 32768;
+ }
+ ];
+
+ security.sudo.enable = true;
+ users.mutableUsers = false;
+ users.groups.kjtsanaktsidis = { };
+ users.users = {
+ kjtsanaktsidis = {
+ createHome = true;
+ isNormalUser = true;
+ description = "KJ Tsanaktsidis";
+ group = "kjtsanaktsidis";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ shell = pkgs.zsh;
+ hashedPasswordFile = config.sops.secrets.kj_hashed_password.path;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS77sno1zVa6uO+2wCbBK489snNIp3uvymca2cHX/33 kjtsanaktsidis@labsrv01"
+ ];
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ {
+ type = "ed25519";
+ path = config.sops.secrets.ssh_host_key_ed25519.path;
+ }
+ {
+ type = "rsa";
+ path = config.sops.secrets.ssh_host_key_rsa.path;
+ }
+ ];
+ };
+
+ services.fwupd.enable = true;
+
+ # Enable zsh system-wide
+ programs.zsh.enable = true;
+} |
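Review bot: The `services.openssh` block enables sshd without turning off password logins, and NixOS leaves `PasswordAuthentication` enabled by default, so the `wheel` account `kjtsanaktsidis`, which has a password via `hashedPasswordFile` as well as three authorized keys, stays exposed to password guessing over SSH unless an imported module not visible here (for example `./network.nix`) already sets it. Since keys are provisioned, I would add `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` inside `services.openssh`. Separately, `trusted-public-keys` still lists the `cache.ngi0.nixos.org-1` key although that substituter is commented out, and `kjtsanaktsidis` is in `trusted-users`, which gives the account daemon-level trust without going through sudo; dropping the unused key (or commenting it out next to its substituter) keeps the accepted signers limited to the caches actually in use. A short comment noting that `/etc/ssh/ssh_host_ed25519_key` is the age identity sops decrypts with, and that it appears to be provisioned separately from the sops-managed `ssh_host_key_ed25519` that sshd serves, would also help the next reader.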
