From 2a44b8e85210031ca84bec2503b0f87bf121bf6f Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Fri, 3 Apr 2026 15:14:05 +0200 Subject: [PATCH] machine/playman: init --- README.md | 3 +- flake.lock | 11 ++-- flake.nix | 3 +- machines/.sops.yaml | 6 ++ machines/configurations.nix | 7 ++ machines/playman/boot.nix | 17 +++++ machines/playman/configuration.nix | 29 +++++++++ machines/playman/disko-config.nix | 72 +++++++++++++++++++++ machines/playman/hardware-configuration.nix | 29 +++++++++ machines/playman/network.nix | 6 ++ machines/playman/nixinate.nix | 8 +++ machines/playman/profiles.nix | 11 ++++ machines/playman/secrets.yaml | 30 +++++++++ machines/playman/services.nix | 34 ++++++++++ machines/playman/system.nix | 7 ++ 15 files changed, 265 insertions(+), 8 deletions(-) create mode 100644 machines/playman/boot.nix create mode 100644 machines/playman/configuration.nix create mode 100644 machines/playman/disko-config.nix create mode 100644 machines/playman/hardware-configuration.nix create mode 100644 machines/playman/network.nix create mode 100644 machines/playman/nixinate.nix create mode 100644 machines/playman/profiles.nix create mode 100644 machines/playman/secrets.yaml create mode 100644 machines/playman/services.nix create mode 100644 machines/playman/system.nix diff --git a/README.md b/README.md index 4e6f487..4314095 100644 --- a/README.md +++ b/README.md @@ -121,11 +121,10 @@ used flakes: ```bash nix run github:nix-community/nixos-anywhere -- \ - --disko-mode disko \ --disk-encryption-keys /tmp/disk.key /tmp/disk.key \ --extra-files "$temp" \ --flake .# \ - root@ + --target-host root@ ``` ## Inspired by diff --git a/flake.lock b/flake.lock index 2040331..7a52254 100644 --- a/flake.lock +++ b/flake.lock 
@@ -222,15 +222,16 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1774567711, - "narHash": "sha256-uVlOHBvt6Vc/iYNJXLPa4c3cLXwMllOCVfAaLAcphIo=", - "owner": "NixOS", + "lastModified": 1775232991, + "narHash": "sha256-QkmL6kwmQXBN24FVOZSfFkNpUgu8jHfdYPoA2H8sA7k=", + "owner": "Stunkymonkey", "repo": "nixos-hardware", - "rev": "3f6f874dfc34d386d10e434c48ad966c4832243e", + "rev": "d6ee262f8d4db0815b08c76714becc09af11f962", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "Stunkymonkey", + "ref": "dell-precision-5820", "repo": "nixos-hardware", "type": "github" } diff --git a/flake.nix b/flake.nix index 82a6947..94b3cea 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-hardware.url = "github:NixOS/nixos-hardware"; + # nixos-hardware.url = "github:NixOS/nixos-hardware"; + nixos-hardware.url = "github:Stunkymonkey/nixos-hardware/dell-precision-5820"; nixinate = { url = "github:matthewcroughan/nixinate"; diff --git a/machines/.sops.yaml b/machines/.sops.yaml index ca27a02..3934bfb 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -5,6 +5,7 @@ keys: - &workman age1f2e644jteyeppfaatajtvjmsupl0e7nzx97ded6m0cgzw04l84ks5xl9l2 - &thinkman age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03 - &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4 + - &playman age15d6y9s30t6ggdec4aqycxr4lht98rz77w5rvpnplf3fnqcgyau2qgcwh3g - &newton age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu creation_rules: - path_regex: workman/secrets.yaml$ @@ -27,3 +28,8 @@ creation_rules: - age: - *admin_felix - *serverle + - path_regex: playman/secrets.yaml$ + key_groups: + - age: + - *admin_felix + - *playman diff --git a/machines/configurations.nix b/machines/configurations.nix index 2c41f81..4523824 100644 --- a/machines/configurations.nix +++ b/machines/configurations.nix 
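Review bot: The `nixos-hardware` input in flake.nix is switched from the upstream organization to a branch of a personal fork (`github:Stunkymonkey/nixos-hardware/dell-precision-5820`), and the old URL is left behind as a commented-out line rather than an explanation. The lock file pins the fork to a fixed revision, so builds stay reproducible, but a reader of flake.nix cannot tell whether the fork is a temporary carrier for an unmerged module or a permanent trust decision. Replace the dead line with an intent comment such as `# TODO: return to github:NixOS/nixos-hardware once the dell-precision-5820 module is upstream` so the reason for sourcing hardware modules from a fork is recorded and the switch-back is tracked. Note the lock's `lastModified`/`narHash` will need refreshing again at that point.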
@@ -82,5 +82,12 @@ in ./serverle/configuration.nix ]; }; + playman = nixosSystem { + system = "x86_64-linux"; + modules = defaultModules ++ [ + nixos-hardware.nixosModules.dell-precision-5820 + ./playman/configuration.nix + ]; + }; }; } diff --git a/machines/playman/boot.nix b/machines/playman/boot.nix new file mode 100644 index 0000000..53beb65 --- /dev/null +++ b/machines/playman/boot.nix @@ -0,0 +1,17 @@ +_: { + boot = { + loader = { + timeout = 0; + systemd-boot = { + enable = true; + configurationLimit = 10; + editor = true; + }; + efi.canTouchEfiVariables = true; + }; + initrd = { + systemd.enable = true; # for a nice password prompt + verbose = false; + }; + }; +} diff --git a/machines/playman/configuration.nix b/machines/playman/configuration.nix new file mode 100644 index 0000000..4b23a63 --- /dev/null +++ b/machines/playman/configuration.nix @@ -0,0 +1,29 @@ +{ ... }: +{ + imports = [ + ./boot.nix + ./disko-config.nix + ./hardware-configuration.nix + ./network.nix + ./nixinate.nix + ./profiles.nix + ./services.nix + ./system.nix + ]; + + networking.hostName = "playman"; + + sops = { + defaultSopsFile = ./secrets.yaml; + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + gnupg.sshKeyPaths = [ ]; + }; + + # needed for cross-compilation + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + system = { + stateVersion = "25.11"; + autoUpgrade.enable = true; + }; +} diff --git a/machines/playman/disko-config.nix b/machines/playman/disko-config.nix new file mode 100644 index 0000000..3718ec7 --- /dev/null +++ b/machines/playman/disko-config.nix 
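Review bot: boot.nix sets `editor = true;` on systemd-boot, which lets anyone at the console modify the kernel command line before the system starts; the NixOS option's own description recommends `false` for exactly that reason. Root and home live on LUKS according to disko-config.nix, which limits what a modified command line reaches, but it does not remove the exposure for the unlocked boot path and the setting is unusual for a machine that also enables `initrd-ssh` and a VPN. Unless the editor is needed for recovery on this host, change the line to `editor = false;`, or keep `true` with a one-line comment stating why it is wanted here. The `timeout = 0;` above it only hides the menu; it does not disable the editor.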
@@ -0,0 +1,72 @@
+{
+ disko.devices = {
+ disk = {
+ vdb = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-eui.ace42e817028d9c6";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "encrypted";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/disk.key";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ home = {
+ size = "500G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/home";
+ };
+ };
+ swap = {
+ size = "32GB";
+ content = {
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/playman/hardware-configuration.nix b/machines/playman/hardware-configuration.nix
new file mode 100644
index 0000000..4f63519
--- /dev/null
+++ b/machines/playman/hardware-configuration.nix
@@ -0,0 +1,29 @@
+{
+ pkgs,
+ ...
+}:
+let
+ cpuFlavor = "intel";
+in
+{
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ my.hardware = {
+ bluetooth.enable = true;
+ debug.enable = true;
+ drive-monitor = {
+ enable = true;
+ OnFailureMail = "server@buehler.rocks";
+ };
+ firmware = {
+ enable = true;
+ inherit cpuFlavor;
+ };
+ graphics = {
+ enable = true;
+ inherit cpuFlavor;
+ };
+ keychron.enable = true;
+ yubikey.enable = true;
+ };
+}
diff --git a/machines/playman/network.nix b/machines/playman/network.nix
new file mode 100644
index 0000000..abb0e3f
--- /dev/null
+++ b/machines/playman/network.nix
@@ -0,0 +1,6 @@
+_: {
+ networking = {
+ domain = "buehler.rocks";
+ search = [ "buehler.rocks" ];
+ };
+}
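Review bot: The swap logical volume is declared with `size = "32GB";` while the sibling volumes use `"100G"` and `"500G"`; disko hands these strings to LVM, and I am not certain the two-letter suffix is parsed the same way as the single-letter one, so `size = "32G";` is the safer, consistent spelling. Two smaller inconsistencies in the same file are worth a comment or a rename: the disk attribute is called `vdb` although `device` points at an NVMe by-id path, and the 1M `EF02` partition is annotated `# for grub MBR` even though boot.nix installs systemd-boot on the ESP, so that partition is presumably unused on this host. `passwordFile = "/tmp/disk.key";` matches the `--disk-encryption-keys /tmp/disk.key /tmp/disk.key` invocation documented in README.md; a short comment tying the two together, e.g. `# install-time only: supplied by nixos-anywhere --disk-encryption-keys`, would save the next reader from looking for that file on the running system.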
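Review bot: hardware-configuration.nix turns on `debug.enable = true;` under `my.hardware` with no explanation, on a machine that is otherwise configured as a deployed host (backup, VPN, SSH in initrd). The option's definition is outside this patch, so I cannot tell what it enables; if it pulls in debugging tooling or relaxes any hardware settings, it should either be off here or carry a comment such as `# debug tooling wanted on this workstation for <reason>` so the choice is deliberate and reviewable. The same `OnFailureMail = "server@buehler.rocks";` is repeated in services.nix; if the custom modules support a shared default, consider setting it once.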
diff --git a/machines/playman/nixinate.nix b/machines/playman/nixinate.nix
new file mode 100644
index 0000000..1a571be
--- /dev/null
+++ b/machines/playman/nixinate.nix
@@ -0,0 +1,8 @@
+_: {
+ _module.args.nixinate = {
+ host = "playman.local";
+ sshUser = "felix";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ };
+}
diff --git a/machines/playman/profiles.nix b/machines/playman/profiles.nix
new file mode 100644
index 0000000..9b7d573
--- /dev/null
+++ b/machines/playman/profiles.nix
@@ -0,0 +1,11 @@
+# enabled profiles
+_: {
+ my.profiles = {
+ clean.enable = true;
+ development.enable = true;
+ gaming.enable = true;
+ nix.enable = true;
+ sync.enable = true;
+ update.enable = true;
+ };
+}
diff --git a/machines/playman/secrets.yaml b/machines/playman/secrets.yaml
new file mode 100644
index 0000000..b80b53e
--- /dev/null
+++ b/machines/playman/secrets.yaml
@@ -0,0 +1,30 @@
+users:
+ felix:
+ password: ENC[AES256_GCM,data:MHiZkTDna6nz6JhCst0uQA7MKDLtXzIqZuJEYHPgC6dRmGckYBUR0mXqh+5lLlCOeqtGbyBFKQ7tv7hpgIOX2lVyX4V99IICzw==,iv:p9ZtVpL2u64iEQuo3TF+5kFaWLd0wHT16lT4Wx8QLyo=,tag:o9g2wKQfNQyv3078tL58Nw==,type:str]
+borgbackup:
+ password: ENC[AES256_GCM,data:bWZUeX09dxLjiHVsymKi3zArtxW4aEkVU/eLa3RbdvI=,iv:sRxy7Y0EggxXf6tGQZJdVfggcBbQD+1w2hvJgQCyr3Y=,tag:Up/opwQwl8+t1Yt26012GQ==,type:str]
+ ssh_key: ENC[AES256_GCM,data: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,iv:vGaEIaeQGGOgLMu9oZwr/+N1/IzPPuOElMXczEZkwSw=,tag:VKzmy3Zy1C+VUgqAkscGfg==,type:str]
+sops:
+ age:
+ - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFblpKaTJIVTlVMHRjemZX
+ VWhmbU1vTzlxRDNQM1N3Y2tHb3ZZdUwvSFdFCnc4cTkyaWtxTEhEbUpXd0d3bnFJ
+ QkdaRHRvK2ZqazZGdGFoZFJwTUVCOUkKLS0tIGc4SUtZeGg3QXhwcW9NVk4zMVVo
+ andwd2Eydk5oRzBRTlNwdzFVQ1QwYmsK7Rn/P4JCjajb0seyzFRcnIxsz2WgkbYf
+ wF7wsXoBZrwGPu2otrn2G/4IYrXYn5Gf2K/sjKVo/PtsnHLRWEWgBw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15d6y9s30t6ggdec4aqycxr4lht98rz77w5rvpnplf3fnqcgyau2qgcwh3g
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4KzgwZzIrbVFFWE1OWWsr
+ ZElTQjhLOWgzZGRXcnV0dnpYejFhVWRXREhRCkxjU2NNQmdLQzY2Wm4yZjlSWWRu
+ OEpmcXcvblh1N0Exck1mMmRLZmd6VHcKLS0tIE5hUGV1eTRYUk51RXY3R2Q0ckVn
+ aHlUbExuSDlQZWN6TlEzdjAyNTBiaUUKM2w9fi0MJa4ujpkcrtyQqmjOYaTsbdBJ
+ wBDbuJ1EazT47T4g9ycilbFS6LvugfJxfrzN0mW3XEuiWkrsYIIsPw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-03T15:10:27Z"
+ mac: ENC[AES256_GCM,data:p3Ke6ZCuuBYOzrcLGtnC4Kk8Y8S+EM8WlyT0hNFyoA/Ds6aI+FtOuNKfZN4Znh2KbLZBOaz6UJ+jDaMrfaRPJY13HlklysuSGari9Y7YdxdkcMvfl/nlGfhE7A0Wgm/m7LF2N33BAd2NrPKpPF2Omu8moIMcQ+xy5GKzVb/hiHU=,iv:3Tq29JZkVmh0/L01+mlmW/5N1bXOecElsMwg+m9Kpq0=,tag:S0m79vu0ywsaj/t+mtLfQw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/machines/playman/services.nix b/machines/playman/services.nix
new file mode 100644
index 0000000..be7974d
--- /dev/null
+++ b/machines/playman/services.nix
@@ -0,0 +1,34 @@
+# Deployed services
+{ config, ... }:
+let
+ inherit (config.sops) secrets;
+in
+{
+ sops.secrets = {
+ "borgbackup/password" = { };
+ "borgbackup/ssh_key" = { };
+ };
+
+ # List services that you want to enable:
+ my.services = {
+ backup = {
+ enable = true;
+ OnFailureMail = "server@buehler.rocks";
+ passwordFile = secrets."borgbackup/password".path;
+ sshKeyFile = secrets."borgbackup/ssh_key".path;
+ paths = [ "/" ];
+ };
+ # remote build
+ remote-build.enable = true;
+
+ ssh-server = {
+ enable = true;
+ };
+ initrd-ssh = {
+ enable = true;
+ };
+ vpn = {
+ enable = true;
+ };
+ };
+}
diff --git a/machines/playman/system.nix b/machines/playman/system.nix
new file mode 100644
index 0000000..25b65db
--- /dev/null
+++ b/machines/playman/system.nix
@@ -0,0 +1,7 @@
+# enabled system services
+_: {
+ my.system = {
+ avahi.enable = true;
+ podman.enable = true;
+ };
+}
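Review bot: The backup service is pointed at `paths = [ "/" ];`, and nothing in this file says what is excluded; the `my.services.backup` module is outside the patch, so I cannot confirm it drops `/nix`, `/proc`, `/sys`, `/dev`, `/run` and `/tmp` or that it stays on one filesystem (`/home` is a separate LV per disko-config.nix and would be crossed or skipped depending on the module's flags). Either confirm the module applies those exclusions and note it here, e.g. `paths = [ "/" ]; # module excludes pseudo-filesystems and /nix`, or list the directories you actually want preserved so the backup set is explicit and reviewable. On style, `ssh-server`, `initrd-ssh` and `vpn` each open a three-line attribute set for a single `enable`, while `remote-build.enable = true;` just above uses the dotted form; using `ssh-server.enable = true;` for all three keeps the block uniform. The `sops.secrets` entries rely on sops-nix defaults (root-owned, read-only), which suits a root-run backup unit; if the backup service runs as another user, `owner` will need setting.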