From 0f50de8d9acb43d032a82446177ba0ab42876d16 Mon Sep 17 00:00:00 2001
From: tux
Date: Mon, 27 Oct 2025 22:39:46 +0530
Subject: [PATCH] feat(node): add new host

---
 .sops.yaml | 2 +
 flake.nix | 2 +
 hosts/common/secrets.yaml | 97 +++++++++++++++++++++------------------
 hosts/node/default.nix | 48 +++++++++++++++++++
 hosts/node/disko.nix | 69 ++++++++++++++++++++++++++++
 hosts/node/hardware.nix | 25 ++++++++++
 hosts/node/home.nix | 3 ++
 7 files changed, 202 insertions(+), 44 deletions(-)
 create mode 100755 hosts/node/default.nix
 create mode 100644 hosts/node/disko.nix
 create mode 100644 hosts/node/hardware.nix
 create mode 100644 hosts/node/home.nix

diff --git a/.sops.yaml b/.sops.yaml
index f3933be..37cae1d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,6 +9,7 @@ keys:
 - &arcturus age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
 - &alpha age1zujp5gxy7suv8ysnygv43cmzuvv36nxfg0ch7r3xg2emc6fz3vmqqujheq
 - &vega age1ydkclhk9kwqdq74utesqdfupt43lz64d5k65gz2z9uyljcqq9fcq3hv28l
+ - &node age1cltj5wl3evxq57d7rpdglptexejgefs39njtcvmsm4fuc8kn5p8sqpef4z
 - &capella age1y4luzn2jls7rvgphej23srvdlx563lxq29tvf66vhwwzaf7c3f3qzvresh
 
 creation_rules:
@@ -22,6 +23,7 @@ creation_rules:
 - *arcturus
 - *alpha
 - *vega
+ - *node
 - *capella
 - path_regex: hosts/sirius/secrets.yaml$
 key_groups:
diff --git a/flake.nix b/flake.nix
index 3e6f1e2..46b63df 100755
--- a/flake.nix
+++ b/flake.nix
@@ -66,6 +66,7 @@
 alpha = nixosSystem (mkNixOSConfig "alpha");
 sirius = nixosSystem (mkNixOSConfig "sirius");
 vega = nixosSystem (mkNixOSConfig "vega");
+ node = nixosSystem (mkNixOSConfig "node");
 vps = nixosSystem (mkNixOSConfig "vps");
 isoImage = nixosSystem (mkNixOSConfig "isoImage");
 homelab = nixosSystem (mkNixOSConfig "homelab");
@@ -85,6 +86,7 @@
 alpha = mkNixOSNode "alpha";
 sirius = mkNixOSNode "sirius";
 vega = mkNixOSNode "vega";
+ node = mkNixOSNode "node";
 homelab = mkNixOSNode "homelab";
 capella = mkDroidNode "capella";
 rigel = mkDroidNode "rigel";
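Review bot: Adding `*node` to the `hosts/common/secrets.yaml` creation rule lets the new host decrypt the shared `tux-password`, so the recipient set now includes a machine whose root filesystem, per `hosts/node/disko.nix` in this same commit, is unencrypted; that may be the intended trust model for this repo, but the alias line records nothing about where the key came from or how it is revoked. Annotate the alias so rotation is possible later, e.g. `- &node age1cltj5… # node host identity (ssh-to-age of the host key or a generated keypair — note which), added 2025-10-27`. It is also worth a line in the repo docs that removing a host from this rule must be followed by `sops updatekeys` (or a data-key rotate) on `hosts/common/secrets.yaml`, because the existing ciphertext stays readable by the dropped recipient until it is re-encrypted.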
diff --git a/hosts/common/secrets.yaml b/hosts/common/secrets.yaml index d41ed67..5df6870 100644 --- a/hosts/common/secrets.yaml +++ b/hosts/common/secrets.yaml 
@@ -1,79 +1,88 @@ -tux-password: ENC[AES256_GCM,data:68ZXKJMBBLV1mkNP9LFf+xC5arsARqKPFQAtmfag3ftip1suuZ1FmQICqsuCqXgGuwcSfH4ACkuiQ769u4aI7+jPxs0A62hFig==,iv:Yx9EfqChjBtgxxkWmayfKWoE498w4wUYoS353cMUMsI=,tag:Zr3KuIiXsi2VahRZ7Ncpig==,type:str] +tux-password: ENC[AES256_GCM,data:L7f+qd79ahu5IFEND4vAuJYyeZGWi6tAwjCA3yeDprskPlN3sVv4L9Cgr9fLBsebrIkooEETTMWaTpCej0C3ke0RG6EtqUhzvg==,iv:fhovTgvUBgWr+Nj2eNVDs0gVla76+qwQBJzrBRE8paw=,tag:3QGPvJddrFN2RIrVKAkLmg==,type:str] sops: age: - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWblJrWjErZC81d1IzTHV6 - ZUkwTEhRdVdTTlJQb1pocnpnSkdZSWNTelVFCkJLR3VwT2dwM3IydCtkZ24yLzVF - ei9xMG51djNldnZkSnVqeEtsVFNSMkEKLS0tIGNEdi9OV0ZjVW93SUUyVURpT2tR - U3ZybTNac1JvVW9zTy9ocE5FUkpQTjAK2lAp5MC3B779uSWaOOxbnfdAa9xYDCL2 - TloXlxfuYKe0j9Z2TIlYOa6z+/m8upOpE42Ux0qjZprE1LBq3g5uMA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyOG0wQWgzK0Y5L1FjUEpU + SGp6U1lybEFxTTVLemRqL0JjbGpvc1doVENZCjl5TGJYSENHQURmRnZzb05xMUhZ + QjU0QUE1WGQ0RW11YTRVazBlLzV5TkUKLS0tIFBDQTdyaU9tdjFpakRlK1JBSWdZ + K3NZak1iY0o1V3NvTWE5c2VKaGZiTG8K1B2VOTKmMO2p4eEnXhNhUtz5RthSwMNB + W/z5bPzrR+NB1QDvILmxE+aVNqmaW0t5WsCh62ygvDQHDj8wczZtGA== -----END AGE ENCRYPTED FILE----- - recipient: age1f860dfewlx5jtt9ejr47gywx70p3dmyc8mat29gpr75psljwjv8q5xyxkq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZGdNSG5ER0JxbWhNanJU - WGlCZlIyT3JLWnFkSnBaakkyMXZBU0o0cjFVCml5VDB2d2dJTGkvVDh5M1NweXl1 - ajl3R2RUWmtwWU5RUlpsVFIvM3R0cUUKLS0tIFNkbmtrRGdrcUFibDlldncrbjg2 - TWJ1UFh5RnI2VDRocnZ0VVNmd2JRSVEKmqNV4dADO9ZxTjlDgMC5fNdioJrO6vrN - vTg3lTrwOTZ/TCg9PS2T5QEX9fZh2UthCEisPO7p1Q81Gyk7ySg2ow== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyc0l6YndBd3kxTmFkRXpC + bmRta0RtOVhPRjdCd0lGSzVDS2Yza0IxZW1nCk1KcVNzYUxiTC9xd3BBRUg1WldI + SUtEdWNkK1ZBVzlwWWRjZHRVeDArRTAKLS0tIFBlWitJQzZPbWc5Si9obkhHTzI2 + RG9mOFFBSGJwZmoxcWQvQnlXQnprNFEK3/Ndje4n5v045bO7nU0Sf6xk6RZCjvZu + 
75kpDXhmvwwMfJYYyuemLKoK8Erxjr1vXJ0xmwErNHsdEEcDFbZhaw== -----END AGE ENCRYPTED FILE----- - recipient: age1x36yr8h993srfj29sfpzt4wyz52nztvncpmhgmfs0j26qvfecq3qvcm0an enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZWRuaHIvT3BSZ2M0OUla - YWhSa2Q5SDJNbkRLQUZxaVFISmJENTIxc0hrCjlKTVBCK2g2WWNNNlNJQ25sMjVY - TURsSkNsbTQwRGlyU3NySis5azNvTVUKLS0tIGZHUEh3NHMyVXN5T0pXOWpOT1JP - UmZSM1J0elprbVBUZzU5QjVLRnVxNWsKFVdUQcKiHaSDR2+GqafXvoRQ0yyiKMcy - /UP/yCMoNUYIpiv4ocRhtDj4QrrO6NdJJTUifMkB9I1B6R7B7NG/gw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZCtXcGdtVVFDZkNwQnFu + dk5YbG1yQnFNY3NjNXFrZU5GU3dmQ1FWTmprCnAzc1lhUEFPb1Y1bmQza1lybkhV + YzU5Q1JUUXdQYXB4STZVZ0xCUC96ZUUKLS0tIHByZndVaUVyaU1kcXl3QjFlWS9M + Sk54K1VrSnFrZjBuNFkxUndlQWwrUDQKy/kdRKVVtFyROJU6jElBruzrWWuH6o0q + gbelOOKYLOoj5dvPfIuBoBNXe7xKs9w76PY4Fm7M1U1SXs/XRnigTw== -----END AGE ENCRYPTED FILE----- - recipient: age1jg642q775gmnmxeu29gcf3lph8vem4xr8t84cxe809dpd0myrussh49h60 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeEpwakIyMkRYN1c0bUNy - eDFpUGlkTW02NWE1VlYxYnNsQTJ1NHIyWVY4ClI3VHlSWW1IK3I3SHY5YXN5S09q - OU5aSXVXU0FVU1VrNGlCTzFKWm95ZkkKLS0tIGV0Sy9LYlBuTm4xa2Zkc3JoaWo0 - ZXllYnMwaXBXTW5vVVhoNXVFcEwvdlEKbuiT2/Isi3nsx/r3whpX6RiLEtsLMm6f - 2A3bKpz1+MUupE6umEIBCXc+k58W6VhBkdrMxGtxZt1ZeA8ftz4bVA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NktQRmw1Qlh2U2FhSGta + WEczbENZWnBzWldNRVA0UWppYW5sYytacXprClJqVUFaTCtCWFFmN25BUWwrSlZx + S1ZQK2ErNEhDYjRycVZob083ZERSaWcKLS0tIFBNTTByWEVMTzZCLys5d3VCRnph + VVBqUHN5dWlnNDlUYWhLcndKcFVhMVUKaxhoANxILZ+lBGwyf1s7uJKqHeHEtDK1 + SS7yqtB7bn93EjjlkKsmRk1GSyh91KxxUuFphWagbned8FnrwTUdRA== -----END AGE ENCRYPTED FILE----- - recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbFUwbXoyUnZGMElMdldX - UkJseC9XWEU3Vks2eGdYbHFjUjZMUVVGbkY0ClNIWFMvWEl1eDRncEt1dy9iVS81 - 
ZE1rN25lR0w0Wno2OHZDZTRhSTVXVDgKLS0tIG9jNmFkdGxoRmRCT1RJQjVlOUJa - R0kxbllzMXZML1J6MitXSGhSTkF0MEkK8g7s87t956UTDtQO+IUEXe2B6WNM+KfH - aRobwCjvXcv5I8G+gkNll23MYlLMBRZ1qkeq24R0xA7cMYXj5APUsA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMnhhL1h4UGg4NVNTTGFq + N0FkZDMyZnMvc3hPeFZScmsvNWg5ZGc2aVFNCkVlbkFZQWFjVE5KcVJMNjVqTWFr + YXFOblRyTlVNYTZZVzRPN0N4enA0aXMKLS0tIFBFU1duNExtenVYNU4xYitYbS9t + VUFPYzlWa000NkdiMG5aVUhXMDZLaUEKHVpkfUiRCgtffRfVeCYyUSd8GG4unYNA + Nk8ctjKYhzzMW4VNM3QVm4txOxEILIaJtDoqF2klpMIIaYhucNLppA== -----END AGE ENCRYPTED FILE----- - recipient: age1zujp5gxy7suv8ysnygv43cmzuvv36nxfg0ch7r3xg2emc6fz3vmqqujheq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bTBEck44R2ZxS0M3Ris1 - VllxeEgyTjRWcHp3RUdpMytFQ0podkxXT1JrCi9VU2U2SHFrd1dPb3RESkQ4OGhi - RjZVVTZWQUVXSUxqaG5KVkJxQ0RCQncKLS0tIDJiVGpIU0NjelVCZkloOGhxQTdV - eHlaVm9iUFk2YThXZnU5SVpHUVVHbkEKcmUvbINRqmkkvXyyskNJ4eYD7VdQnxqg - 7VuWV7zUK5ZVPv9kJiUl3OB3vNU8U15sNIdAjCp8//RtNkRyDJMgEQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWR1F3ejVWdUgxNFhKQlkv + dlVSdk9qZFpMNDV1R0hGdG5vOGpsUTl5TTBzCmVLWWIrOXJ2b3QrS3puUU5oeW9s + YWNhTE5nUFg1WTNoVUVxTW5QT0FjMHcKLS0tIFMxdEh6dVRyZkZPazQ0TGZBUFJM + QmFEMTlFZTFya21tSkJOeGhLVlBpRG8KHoGPNjwXdTIOUwuMnVAo4i7koWTE083b + svpVUzC4KHfyrAJL8dR0RRPKejBKSgQny8P+CNkjLfyp+19GyPkIvQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ydkclhk9kwqdq74utesqdfupt43lz64d5k65gz2z9uyljcqq9fcq3hv28l enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVjU1Vy9tMkp5MS96Si9v - bnB4OHpzdktPeStYZHFZTXVmSWphMkxFQkRZCjEvTEpZY1I4TWNlM0c4Wi9nUVhx - dktvOXdXQ0M1YzhVU3BlOUZ4Tjkrd28KLS0tIC9NT0NKZTd0VUVUQTB6UHhDSVVw - eFM1Q1JOVXZoSXltRVZpaTNTUWhNa3MKFoY5bWWQS9qh0j8sgIgRA4jT6sl0xRkC - Tu0WUz344TzkJFuy7MgOpviQMqAijmbyYjaRSdS3CLGHvTKY8GcpOA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPV0JmTlR6dFpBZHR6SFk0 + aXRVNk9qOERWQUtnNGhlUjJHTmkwQSt2RXlBCnFvYVVQTG8vSHFIRXFxZm94QmU0 + 
aEF6V1hadlFQNHBGK1dkK08wMU1yY0EKLS0tIGNkbVdvUGxjRHh3NjBMNjFmeE5k + cUsrZjRRcW1tRXJDcVdUVG1ZQnM2Z2cKy4ikF/Cmi4bfv9LHQ8jWY4QT/M1lGdVd + 5x0hx8q0nB24yBUUxqTm601CbSm1bBiha/t0wVZU/MU1b4p4SFJhxA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cltj5wl3evxq57d7rpdglptexejgefs39njtcvmsm4fuc8kn5p8sqpef4z + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCVXNvWitpb1pESStMazUv + aTBhUG8xbjNrYVZFVm1Nei80Y3NCUXdJUGkwCm9yK3UyTHFrV2grMW93ZHVrZlMy + V29mZnYrT2F1QnlJUUdDVU5FdVd4RkkKLS0tIFVSZmIwRHJTV0FFTE9aRU5pVDkx + T1NIZG8zdC8vVFRKZHp3TWFvb2hoTzQK5bTrc1bb2t9xXIDZw5YrWT9Lv0EWtJCE + xN52eUVI2/XXuExI7XcI5JfDNGynagzkj++QYwoH9TNQHqlRMBYOwA== -----END AGE ENCRYPTED FILE----- - recipient: age1y4luzn2jls7rvgphej23srvdlx563lxq29tvf66vhwwzaf7c3f3qzvresh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYlpXRGNpQVZTQ3hZK2lr - L2xodmhycTlRczN1c2Zib3RoeGlxQTAwTVRRCkJ1aWc3bzAyNnlMbUhuK2YwTXBq - Q1VhUUtWWXU0RXY2NG5jMG90dis4bEUKLS0tIHlkRkdCV0ZvU2pLZDRlN2h6c0JO - TTNtbGY1UWV5K3VQWjk5WlgyNUd1UVkK+XeX8vK4K2DJaWtFE91YGg/58M09rwuj - VVcMIPPPO1+KD16HTe1b8bVPeNfpIj9p3ybew3ILducyrYiRrxzGwg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS3F2UnlDMkpJdEdDZEs4 + eldVU1BNUXVNdjR3cHhNc0libnBZQXNmVUZ3CkFOOUpmVXgzcllDTWFEaEZTTm5W + OW1lRFJSWFFtU205d1habWp1VExIWEkKLS0tIHhXOGJQZWlvUUVLUnBuQTdQMXB0 + aW5FRkNWR2QySXVXZ0I2Ky9rNHUxNzgK2S5OgrP0o4hko5VPyCv9Mzb48BSkL+9A + H872Z+Nu6kephicg4gewqtJvLvE4wrUyXXzza1O7Q9VHuE1BQqw72A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-10T10:14:47Z" - mac: ENC[AES256_GCM,data:fmBWLOOCvJLfKSNG14zd9cBEa9+M4dJ7UtR+SZfGEcoGtBPmX1c6ZR8OgB+I45WkpT+Ho8kwQMcnD0n6IWzg946OEzIZjNuCds/wM1cCd3LjjlqwKnN1QGL5DNSIyi5CFzrjvvFtZCsw2acNjxtK86JujhpOivdVKC/kGkJzF0M=,iv:g0jXzrtU53YpW/NIb8ulmOGSJIXMA1Wady6DlOMA9aU=,tag:zf7WmNNYcFO9Rtynm5vaUg==,type:str] + lastmodified: "2025-10-27T17:05:12Z" + mac: 
ENC[AES256_GCM,data:gyvhzdjSc8Wjv+IroaiMXMzNCSrFjpK07i7w0hs6bSKzvNtpIbwf7+tgFISe5dXrEq9HD+Z1JC6xwo45V+XAyguXUXa37YoCM5aG41f/LMCsoGQYsEPuq6djeraKXEfElQbGnjZOjHxy/nNlgiyuqze9+AScG+JsKr/DOd2+ACw=,iv:yGHLJw39HRujbcRB/2dDWaec/6GmSAUVnKUvjlCiGY0=,tag:/M9iuG8aegOK5Spa2uM30Q==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/hosts/node/default.nix b/hosts/node/default.nix
new file mode 100755
index 0000000..358adc6
--- /dev/null
+++ b/hosts/node/default.nix
@@ -0,0 +1,48 @@
+{
+ inputs,
+ username,
+ lib,
+ ...
+}: {
+ imports = [
+ inputs.disko.nixosModules.default
+
+ (import ./disko.nix {
+ device = "/dev/nvme0n1";
+ device2 = "/dev/nvme1n1";
+ })
+ ./hardware.nix
+
+ ../common
+ ];
+
+ tux.services.openssh.enable = true;
+
+ boot.loader.grub.enable = true;
+
+ networking = {
+ hostName = "node";
+ networkmanager = {
+ enable = true;
+ wifi.powersave = false;
+ };
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [22];
+ };
+ };
+
+ security.rtkit.enable = true;
+
+ environment.persistence."/persist" = {
+ enable = false;
+ };
+
+ home-manager.users.${username} = {
+ imports = [
+ ./home.nix
+ ];
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/node/disko.nix b/hosts/node/disko.nix
new file mode 100644
index 0000000..de00413
--- /dev/null
+++ b/hosts/node/disko.nix
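Review bot: `hosts/node/default.nix` is committed with mode 100755 while the other new files in `hosts/node/` are 100644; a Nix module is never executed directly, so drop the executable bit (`chmod -x hosts/node/default.nix`) rather than carry it forward. In the `networking.firewall` block, `allowedTCPPorts = [22];` is presumably redundant if the `tux.services.openssh` wrapper leaves `services.openssh.openFirewall` at its default of true — declare the exposed port in one place, and if both are intentional say why with `# sshd; also opened by services.openssh.openFirewall, kept explicit on purpose`. Whether that listener disables password authentication and root login is decided inside `tux.services.openssh`, which is outside this commit; worth confirming before a host that can decrypt the shared `tux-password` is put on a NetworkManager-managed, possibly roaming, network.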
@@ -0,0 +1,69 @@
+{
+ device ? throw "Set this to the disk device, e.g. /dev/nvme0n1",
+ device2 ? throw "Set this to the disk device2, e.g. /dev/nvme1n1",
+ ...
+}: {
+ disko.devices = {
+ disk = {
+ disk1 = {
+ type = "disk";
+ device = "${device}";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ mdadm = {
+ size = "100%";
+ content = {
+ type = "mdraid";
+ name = "raid0";
+ };
+ };
+ };
+ };
+ };
+ disk2 = {
+ type = "disk";
+ device = "${device2}";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ mdadm = {
+ size = "100%";
+ content = {
+ type = "mdraid";
+ name = "raid0";
+ };
+ };
+ };
+ };
+ };
+ };
+ mdadm = {
+ raid0 = {
+ type = "mdadm";
+ level = 0;
+ content = {
+ type = "gpt";
+ partitions = {
+ primary = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/node/hardware.nix b/hosts/node/hardware.nix
new file mode 100644
index 0000000..b08e1c6
--- /dev/null
+++ b/hosts/node/hardware.nix
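Review bot: The root filesystem in the `mdadm.raid0` block is plain ext4 on a two-device RAID0, so it is neither redundant nor encrypted, and this same commit adds the host's age key to the shared secrets recipients, which leaves the key that decrypts `tux-password` at rest in the clear on a striped array where either NVMe failing loses `/`. If that is a deliberate trade-off for a disposable node, record it next to `level = 0;`, e.g. `# RAID0 = striping only: losing either NVMe loses "/"; host is rebuilt from the flake, nothing persists here`. Otherwise wrap the array in disko's `luks` type and give GRUB an unencrypted `/boot` on the first disk, since GRUB's LUKS2 support is limited (no argon2) on the BIOS boot path; disko should register the initrd unlock for the `luks` container, but verify the first boot on the real hardware. A comment on the `EF02` stubs noting that this layout is BIOS/legacy-only and an EFI firmware would need an ESP instead would also save the next reader a surprise. Sketch of the encrypted variant:
```nix
# disk1.content.partitions — add an unencrypted /boot for GRUB next to the EF02 stub
boot = {
  size = "1M";
  type = "EF02"; # for grub MBR
};
bootfs = {
  size = "1G";
  content = {
    type = "filesystem";
    format = "ext4";
    mountpoint = "/boot";
  };
};
# … unchanged: mdadm member partition on disk1, all of disk2 …
# mdadm.raid0.content.partitions — encrypt the striped array before formatting it
primary = {
  size = "100%";
  content = {
    type = "luks";
    name = "cryptroot";
    settings.allowDiscards = true; # TRIM through dm-crypt; drop if leaking block usage matters more
    content = {
      type = "filesystem";
      format = "ext4";
      mountpoint = "/";
    };
  };
};
```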
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp41s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/node/home.nix b/hosts/node/home.nix
new file mode 100644
index 0000000..3443cad
--- /dev/null
+++ b/hosts/node/home.nix
@@ -0,0 +1,3 @@
+{...}: {
+ home.stateVersion = "25.05";
+}