From 8c029fad448eb6eb11dc414d44b08901eb8f6043 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sun, 4 May 2025 20:20:28 +0200
Subject: [PATCH] machine/workman: init
---
 flake.lock | 21 ++++++
 flake.nix | 9 ++-
 machines/.sops.yaml | 6 ++
 machines/configurations.nix | 7 ++
 machines/workman/boot.nix | 24 +++++++
 machines/workman/configuration.nix | 29 +++++++++
 machines/workman/disko-config.nix | 72 +++++++++++++++++++++
 machines/workman/hardware-configuration.nix | 30 +++++++++
 machines/workman/network.nix | 20 ++++++
 machines/workman/profiles.nix | 24 +++++++
 machines/workman/remote-build.nix | 24 +++++++
 machines/workman/secrets.yaml | 37 +++++++++++
 machines/workman/services.nix | 21 ++++++
 machines/workman/system.nix | 13 ++++
 14 files changed, 336 insertions(+), 1 deletion(-)
 create mode 100644 machines/workman/boot.nix
 create mode 100644 machines/workman/configuration.nix
 create mode 100644 machines/workman/disko-config.nix
 create mode 100644 machines/workman/hardware-configuration.nix
 create mode 100644 machines/workman/network.nix
 create mode 100644 machines/workman/profiles.nix
 create mode 100644 machines/workman/remote-build.nix
 create mode 100644 machines/workman/secrets.yaml
 create mode 100644 machines/workman/services.nix
 create mode 100644 machines/workman/system.nix
diff --git a/flake.lock b/flake.lock
index a2fce2c..8da8bb8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -90,6 +90,26 @@
 "type": "github"
 }
 },
+ "framework-plymouth": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744254441,
+ "narHash": "sha256-zpbqouGFxu0fdECX54jHPyjYEX+04kZRWZFZ4IKL58c=",
+ "owner": "j-pap",
+ "repo": "framework-plymouth",
+ "rev": "6aa8efd36bd79660ced9b8a82495afdb0c8c1166",
+ "type": "github"
+ },
+ "original": {
+ "owner": "j-pap",
+ "repo": "framework-plymouth",
+ "type": "github"
+ }
+ },
 "git-hooks": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -314,6 +334,7 @@
 "inputs": {
 "disko": "disko",
 "flake-parts": "flake-parts",
+ "framework-plymouth": "framework-plymouth",
 "git-hooks": "git-hooks",
 "nixinate": "nixinate",
 "nixos-generators": "nixos-generators",
diff --git a/flake.nix b/flake.nix
index 5148d6e..6f11097 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ framework-plymouth = {
+ url = "github:j-pap/framework-plymouth";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 # own flakes
 stunkymonkey = {
 url = "github:Stunkymonkey/stunkymonkey.de";
@@ -76,7 +81,9 @@
 }:
 {
 # make pkgs available to all `perSystem` functions
- _module.args.pkgs = import inputs.nixpkgs { inherit system; };
+ _module.args.pkgs = import inputs.nixpkgs {
+ inherit system;
+ };
 # enable pre-commit checks
 pre-commit.settings = {
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index cefc057..ca27a02 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -2,10 +2,16 @@ keys:
 - &admin_felix age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ - &workman age1f2e644jteyeppfaatajtvjmsupl0e7nzx97ded6m0cgzw04l84ks5xl9l2
 - &thinkman age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
 - &serverle age14nt7qcsrye0vrpk0xcgcfmhkxwwumna39fpn83g3x0zml62skatqpnmhk4
 - &newton age1s9spl75rwhgm3cvvqsr9rze5m0kuxqes2tsxjmq07xg5ycn5j47s2m0dlu
 creation_rules:
+ - path_regex: workman/secrets.yaml$
+ key_groups:
+ - age:
+ - *admin_felix
+ - *workman
 - path_regex: thinkman/secrets.yaml$
 key_groups:
 - age:
diff --git a/machines/configurations.nix b/machines/configurations.nix
index f489dd3..8d3569a 100644
--- a/machines/configurations.nix
+++ b/machines/configurations.nix
@@ -58,6 +58,13 @@ in
 ./thinkman/configuration.nix
 ];
 };
+ workman = nixosSystem {
+ system = "x86_64-linux";
+ modules = defaultModules ++ [
+ nixos-hardware.nixosModules.framework-amd-ai-300-series
+ ./workman/configuration.nix
+ ];
+ };
 newton = nixosSystem {
 system = "x86_64-linux";
 modules = defaultModules ++ [ ./newton/configuration.nix ];
diff --git a/machines/workman/boot.nix b/machines/workman/boot.nix
new file mode 100644
index 0000000..cb46451
--- /dev/null
+++ b/machines/workman/boot.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ inputs,
+ ...
+}:
+{
+ boot = {
+ loader = {
+ timeout = 1;
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 10;
+ consoleMode = "keep";
+ editor = true;
+ };
+ efi.canTouchEfiVariables = true;
+ };
+ plymouth = {
+ enable = true;
+ theme = "framework";
+ themePackages = [ inputs.framework-plymouth.packages.${config.nixpkgs.system}.default ];
+ };
+ };
+}
diff --git a/machines/workman/configuration.nix b/machines/workman/configuration.nix
new file mode 100644
index 0000000..4e55599
--- /dev/null
+++ b/machines/workman/configuration.nix
@@ -0,0 +1,29 @@
+{ ... }:
+{
+ imports = [
+ ./boot.nix
+ ./disko-config.nix
+ ./hardware-configuration.nix
+ ./network.nix
+ ./profiles.nix
+ ./remote-build.nix
+ ./services.nix
+ ./system.nix
+ ];
+
+ networking.hostName = "workman";
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ gnupg.sshKeyPaths = [ ];
+ };
+
+ # needed for cross-compilation
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+ system = {
+ stateVersion = "24.11";
+ autoUpgrade.enable = true;
+ };
+}
diff --git a/machines/workman/disko-config.nix b/machines/workman/disko-config.nix
new file mode 100644
index 0000000..c265b74
--- /dev/null
+++ b/machines/workman/disko-config.nix
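Review bot: `editor = true;` in the systemd-boot block of boot.nix keeps the pre-boot kernel command-line editor enabled, which lets anyone with physical console access change boot parameters before the system starts; the NixOS option documentation recommends disabling it except where that recovery path is needed. The LUKS layout in disko-config.nix limits what an altered boot can reach, but /boot and the initrd live unencrypted in the ESP and remain the weak point. Prefer `editor = false;` with a comment naming the intended recovery route (installer medium), or, if the editor is kept deliberately, a comment stating that trade-off, e.g. `# editor kept on for recovery; anyone at the console can change boot args`.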
@@ -0,0 +1,72 @@
+{
+ disko.devices = {
+ disk = {
+ vdb = {
+ type = "disk";
+ device = "/dev/disk/by-id/nvme-eui.e8238fa6bf530001001b444a456de595";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "encrypted";
+ settings.allowDiscards = true;
+ passwordFile = "/tmp/disk.key";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ home = {
+ size = "500G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/home";
+ };
+ };
+ swap = {
+ size = "64G";
+ content = {
+ type = "swap";
+ resumeDevice = true;
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/workman/hardware-configuration.nix b/machines/workman/hardware-configuration.nix
new file mode 100644
index 0000000..0e56bad
--- /dev/null
+++ b/machines/workman/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ pkgs,
+ ...
+}:
+let
+ cpuFlavor = "amd";
+in
+{
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ my.hardware = {
+ bluetooth.enable = true;
+ debug.enable = true;
+ drive-monitor.enable = true;
+ firmware = {
+ enable = true;
+ inherit cpuFlavor;
+ };
+ graphics = {
+ enable = true;
+ inherit cpuFlavor;
+ };
+ id-card.enable = true;
+ keychron.enable = true;
+ monitor.enable = true;
+ sound.enable = true;
+ thunderbolt.enable = true;
+ yubikey.enable = true;
+ };
+}
diff --git a/machines/workman/network.nix b/machines/workman/network.nix
new file mode 100644
index 0000000..712d5f3
--- /dev/null
+++ b/machines/workman/network.nix
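Review bot: `passwordFile = "/tmp/disk.key";` in the luks block carries no comment explaining that disko only reads it while formatting at install time, so a reader may assume the running system depends on a key file under /tmp. Suggest `# installer-only: disko reads the LUKS passphrase from here during formatting; not needed on the installed system`. `settings.allowDiscards = true` passes TRIM through the encryption layer, which reveals which blocks of the NVMe are unused; that is a common SSD trade-off but deserves a one-line comment acknowledging it. The `boot` partition typed `EF02` is commented "for grub MBR" while boot.nix uses systemd-boot, so the comment should say whether it is kept on purpose for portability.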
@@ -0,0 +1,20 @@
+# network settings
+_: {
+ # hotfixes for dns settings
+ networking.extraHosts =
+ let
+ serverle_ip = "192.168.178.60";
+ in
+ ''
+ ${serverle_ip} stunkymonkey.de
+ ${serverle_ip} automation.stunkymonkey.de
+ ${serverle_ip} download.stunkymonkey.de
+ ${serverle_ip} esphome.stunkymonkey.de
+ ${serverle_ip} indexer.stunkymonkey.de
+ ${serverle_ip} media.stunkymonkey.de
+ ${serverle_ip} movies.stunkymonkey.de
+ ${serverle_ip} series.stunkymonkey.de
+ ${serverle_ip} subtitles.stunkymonkey.de
+ ${serverle_ip} view.stunkymonkey.de
+ '';
+}
diff --git a/machines/workman/profiles.nix b/machines/workman/profiles.nix
new file mode 100644
index 0000000..01ed516
--- /dev/null
+++ b/machines/workman/profiles.nix
@@ -0,0 +1,24 @@
+# enabled profiles
+_: {
+ my.profiles = {
+ "3d-design".enable = true;
+ android.enable = true;
+ clean.enable = true;
+ desktop-apps.enable = true;
+ desktop-dev.enable = true;
+ development.enable = true;
+ filesystem.enable = true;
+ gaming.enable = true;
+ latex.enable = true;
+ media.enable = true;
+ meeting.enable = true;
+ nautilus.enable = true;
+ powersave.enable = true;
+ printing.enable = true;
+ sway.enable = true;
+ sync.enable = true;
+ update.enable = true;
+ usb-iso.enable = true;
+ webcam.enable = true;
+ };
+}
diff --git a/machines/workman/remote-build.nix b/machines/workman/remote-build.nix
new file mode 100644
index 0000000..90ee53e
--- /dev/null
+++ b/machines/workman/remote-build.nix
@@ -0,0 +1,24 @@
+# enabled remote-build service
+{ config, ... }:
+let
+ inherit (config.sops) secrets;
+in
+{
+ sops.secrets."nixremote/ssh_key" = { };
+ nix.buildMachines = [
+ {
+ hostName = "buehler.rocks";
+ system = "x86_64-linux";
+ supportedFeatures = [
+ "benchmark"
+ "kvm"
+ "big-parallel"
+ ];
+ sshUser = "nixremote";
+ sshKey = secrets."nixremote/ssh_key".path;
+ maxJobs = 4;
+ }
+ ];
+
+ nix.distributedBuilds = true;
+}
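Review bot: The `networking.extraHosts` block in network.nix hard-codes `192.168.178.60` for public names under stunkymonkey.de, so on any network other than the home LAN those names resolve to an unreachable private address and the "hotfix" silently breaks access from this laptop. The comment should say which DNS problem is being worked around and that the override only makes sense on the home network, e.g. `# home-LAN only: resolve *.stunkymonkey.de to serverle directly instead of via public DNS`. As a point of style, the ten lines repeat one pattern; `lib.concatMapStringsSep "\n" (h: "${serverle_ip} ${h}") [ ... ]` over a single host list would keep the names in one place, at the cost of taking `lib` in the module arguments instead of `_:`.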
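Review bot: The `nix.buildMachines` entry for `buehler.rocks` in remote-build.nix pins no host key, so the root nix-daemon's first SSH connection depends on whatever known_hosts state the machine happens to have; outputs from a remote builder are accepted into the local store, so the builder's identity is worth pinning explicitly. Set `publicHostKey` on the entry (the option takes the base64-encoded host key) or add a `programs.ssh.knownHosts."buehler.rocks"` entry next to it. A short comment on `supportedFeatures` noting that "kvm" and "big-parallel" jobs will be scheduled there would also help the next reader.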
diff --git a/machines/workman/secrets.yaml b/machines/workman/secrets.yaml
new file mode 100644
index 0000000..40f3045
--- /dev/null
+++ b/machines/workman/secrets.yaml
@@ -0,0 +1,37 @@
+users:
+ felix:
+ password: ENC[AES256_GCM,data:3r1f8iUSgT3mDflSkvl3cyfciBZI5rDa9jMZcfW/mniNt9PJTNaaNbBC/cIxgbwcD991Y/Y0NKB0vxOmKMCIcclvGRUwLdKwFQ==,iv:Chya0lUhNtYcOp3GyNl+I1VyNV3KvSOZxeWUgz3SBnA=,tag:OhdIXdwbQAV0eZZS/kpW1Q==,type:str]
+borgbackup:
+ password: ENC[AES256_GCM,data:BodZSJGi/pYZYIG5NYEeNrTVdYdzlgA2lZCNcIL+kT4=,iv:Vmbzq8MxyboeLmM3MyTGVr6+S/JrwbFDaP8PWh+s8aY=,tag:atj9ap7X6drdGMnnCbEZPg==,type:str]
+ ssh_key: ENC[AES256_GCM,data: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,iv:jDAB5ExuplfUtJqgub4oV/wbytpnjK3MjJko/rsJ0fM=,tag:s2aODtXR9Qu29tKjZvfyKA==,type:str]
+nixremote:
+ ssh_key: ENC[AES256_GCM,data:vO3U1dW3VhHSNDDFlt6Slqf2+sf0xeZ/3ztyqGIkUKwU87flHP0cVVyPF71UCSowhFu7SSK/DEkzTdNjoCnx21HDQ5zc+JZFJjKIE7HotcJwWR6/a9hFZniY4FVLAnW+locWjbcOB+Mou/VHm1uo+a8wmNOJTw7FS3ZM6FfANLDZcjxcjJKu23UcUyXDxuMySkRKmLneyfwlk5aP1toyjBwnS9og1UPjSTy6ldM6gsfUv1mZ+BbCWgtiwxcGEy859ROOMuqKxUKGDbgHnby/aqs7dP8xzoVoZQXjHYoWLp1/7IforoyXb8GiUkOWRlCC/dJm6Kx9Y67M13LwKEpX2+WOfNCHqTjYO4234zfOZ1DRJtwCAMKH7y0sjAYp9bK6iHv3qKIjreDSA8S6xbQP5LnXvp55460Puq+Xe2HdnugRfd3d6pKMrHmnRE8mmstG6jDxdGqtoGo2VBvDGAC080J6BXxP0/xpeXwc99TSDdHEymqodZoz3jQuGMb+brxSyDgaw6FEDPNkpxdUFl0/vShTfROqgT0NVbH3,iv:SXIDRjHBQBcstSz1Pgv5jI8+XHbJA/QrqF9EOkIcvqE=,tag:ZakbophvoJmWlVX88hMA7A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuMHpBZmU4ZVo5UitOQ1la
+ UUNZNEU5OVFqM2hsY2g0YzRkemRvbUdyYVVjCjhFbDR2cUxTYUU2dU1Oekc4VEZ5
+ K2JEd1JZMkFhUXhFaTVnTytFeFU4TmcKLS0tIG5zTGZ4OG9GN2tNVE5zUG95dXFk
+ cG01NlA0YlpzcENqWjJMUkQwZXJMcUEKv94rjj5iHY1HAZQiE5yleC4f0WABcXbm
+ Wf4xYYCCWUmcTKXabIyPWn9eCNYCQgy29YTcTKu4/8BvebrGkRHuHw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1spt854cdscqs757a8kazth52rv4p9udh54suw9lpzlqg5savyapq2u0c03
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSUlHb04rMGR5YWFhUUZq
+ QXVHYnZQUUdQc0FzbTgyalBPZktBdDVvZ2lRClpzcDltOFA0eFlqTGRUNFptcW1C
+ WGZyamIyNEFTQXQ4R2pmdU9FS3lma0kKLS0tIFphS0ZhbmxDb3A5MnVvaVJGT1Iw
+ bzY2ZTY1QUtSRjlOZ1E0Vkw5Q1cxYmMKqwvWUv2XpRIenGwCpZuwKQc0ZsiX2AAx
+ pmIh4f10G7wr1rLeodRi2KxYIrrudPbxEWIuzmBRyHc7+3EPpzLetw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-05T21:53:42Z"
+ mac: ENC[AES256_GCM,data:700AWjj0wgdSdyXPAKkdttqeThxtz5Ui7K53wRt0VY657fsRJiezqCp/1JVgLfFCKstfbIE1GbTtAetDJ2cRdthpsgMDCG6EQVap7Kt8YCnqDPcPl7ND5yKR6nOjzmd+p2drIp4SHIDSzM9IJvd1XNvpWsgakPs3YgQjFoRElnY=,iv:l/M8pShzBzd/XyHUXE9HWM1a/At9biYJTj2cZ4xbxkQ=,tag:FtELUjvGO6BImmV8D/FmfA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/machines/workman/services.nix b/machines/workman/services.nix
new file mode 100644
index 0000000..d481823
--- /dev/null
+++ b/machines/workman/services.nix
@@ -0,0 +1,21 @@
+# Deployed services
+{ config, ... }:
+let
+ inherit (config.sops) secrets;
+in
+{
+ sops.secrets."borgbackup/password" = { };
+ sops.secrets."borgbackup/ssh_key" = { };
+
+ # List services that you want to enable:
+ my.services = {
+ backup = {
+ enable = true;
+ OnFailureNotification = true;
+ passwordFile = secrets."borgbackup/password".path;
+ sshKeyFile = secrets."borgbackup/ssh_key".path;
+ paths = [ "/" ];
+ };
+ vpn.enable = true;
+ };
+}
diff --git a/machines/workman/system.nix b/machines/workman/system.nix
new file mode 100644
index 0000000..ef07512
--- /dev/null
+++ b/machines/workman/system.nix
@@ -0,0 +1,13 @@
+# enabled system services
+_: {
+ my.system = {
+ avahi.enable = true;
+ fonts.enable = true;
+ kvm = {
+ enable = true;
+ cpuFlavor = "amd";
+ };
+ podman.enable = true;
+ spell-check.enable = true;
+ };
+}
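Review bot: The two age recipients in the new secrets.yaml are `age1hf8m9upp…` (admin_felix) and `age1spt854cd…` (the key .sops.yaml labels thinkman), while the key this commit adds for workman is `age1f2e644jt…`; unless workman's `/etc/ssh/ssh_host_ed25519_key` actually corresponds to the thinkman-labelled key, `sops.age.sshKeyPaths` on workman will not be able to decrypt this file, and thinkman's host key can read workman's secrets, contrary to the creation rule (`- *admin_felix` / `- *workman`) added in .sops.yaml. The file looks like it was encrypted before the creation rule was updated; running `sops updatekeys machines/workman/secrets.yaml` re-encrypts it to the intended recipients and rewrites the `mac` and `lastmodified` fields. The enclosing YAML document is complete within this hunk.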