From 824e6f3d96b7f406d63f4921c21028889e474c5d Mon Sep 17 00:00:00 2001
From: tux
Date: Sun, 10 May 2026 04:57:40 +0530
Subject: [PATCH] feat(alpha): add alpha host
---
 .sops.yaml | 6 +++
 modules/hosts/alpha/config.nix | 81 +++++++++++++++++++++++++++++++
 modules/hosts/alpha/default.nix | 23 +++++++++
 modules/hosts/alpha/disko.nix | 82 ++++++++++++++++++++++++++++++++
 modules/hosts/alpha/home.nix | 6 +++
 modules/hosts/alpha/secrets.yaml | 28 +++++++++++
 6 files changed, 226 insertions(+)
 create mode 100644 modules/hosts/alpha/config.nix
 create mode 100644 modules/hosts/alpha/default.nix
 create mode 100644 modules/hosts/alpha/disko.nix
 create mode 100644 modules/hosts/alpha/home.nix
 create mode 100644 modules/hosts/alpha/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 98c69aa..234b525 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys:
 - &hosts
 - &sirius age1maxsx5tq2h3d92rfyl8ekcdan5gu5cpch4qs3c56cu7qag02xgvs3h0gqc
 - &arcturus age1huqa3hc7wcxk4dpelrzny437nzrx4fnll3d8g9ahznzk268yju5qufapxy
+ - &alpha age1mzxxxzhy3us3rd960ufqv7vlxj5cnug86md6x69llg9ujzw2pqws057llf

 creation_rules:
 - path_regex: hosts/sirius/secrets.yaml$
@@ -17,3 +18,8 @@ creation_rules:
 - age:
 - *tux
 - *arcturus
+ - path_regex: hosts/alpha/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *alpha
diff --git a/modules/hosts/alpha/config.nix b/modules/hosts/alpha/config.nix
new file mode 100644
index 0000000..6b0929b
--- /dev/null
+++ b/modules/hosts/alpha/config.nix
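Review bot: The new `- &alpha age1mzxxx…` entry under `&hosts` carries no comment saying how the public key was produced (an ssh-to-age conversion of alpha's host key, or a standalone generated key file) or where its private half lives; the neighbouring host entries are equally bare, but alpha is the first of these hosts built with impermanence enabled (config.nix in this same patch), so whichever private key this recipient corresponds to must survive the root wipe or the host cannot decrypt its secrets.yaml at boot. A one-line comment such as `# alpha host recipient; private key must live on persistent storage (see modules/hosts/alpha/config.nix)` would make that dependency visible to whoever rotates the key later.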
@@ -0,0 +1,81 @@
+{ config, ... }:
+{
+ flake.modules.nixos.alpha =
+ {
+ hostName,
+ userName,
+ modulesPath,
+ ...
+ }:
+ {
+ imports =
+ with config.flake.modules.nixos;
+ [
+ boot
+ hardware
+ networking
+ virtualisation
+ services
+ ]
+ ++ [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ tnix = {
+ boot = {
+ legacy.enable = true;
+
+ impermanence = {
+ enable = true;
+
+ home = {
+ directories = [
+ ".local/share/nvim"
+ ".local/share/zsh"
+ ".local/share/zoxide"
+ ".local/state/lazygit"
+ ".local/share/opencode"
+ ];
+ };
+ };
+ };
+
+ networking.openssh.enable = true;
+
+ virtualisation = {
+ docker.enable = true;
+ };
+ };
+
+ sops.secrets = {
+ tux-password = {
+ sopsFile = ./secrets.yaml;
+ neededForUsers = true;
+ };
+
+ gemini-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ openrouter-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ opencode-go-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+ };
+
+ # --- Networking ---
+ networking = {
+ hostName = hostName;
+ networkmanager.enable = true;
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "26.05";
+ };
+}
diff --git a/modules/hosts/alpha/default.nix b/modules/hosts/alpha/default.nix
new file mode 100644
index 0000000..df67fe3
--- /dev/null
+++ b/modules/hosts/alpha/default.nix
@@ -0,0 +1,23 @@
+{
+ inputs,
+ config,
+ ...
+}:
+let
+ hostName = "alpha";
+ userName = "tux";
+ userEmail = "t@tux.rs";
+ system = "x86_64-linux";
+ unstable = true;
+ nixpkgs = if unstable then inputs.nixpkgs else inputs.nixpkgs-stable;
+in
+{
+ flake.nixosConfigurations."${hostName}" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit hostName userName userEmail; };
+ modules = [
+ config.flake.modules.nixos.core
+ config.flake.modules.nixos.${hostName}
+ ];
+ };
+}
diff --git a/modules/hosts/alpha/disko.nix b/modules/hosts/alpha/disko.nix
new file mode 100644
index 0000000..3cc0c26
--- /dev/null
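Review bot: `firewall.enable = false;` in the `# --- Networking ---` block switches off the host firewall on a machine that, earlier in the same hunk, enables OpenSSH (`tnix.networking.openssh.enable = true;`) and Docker, so every listening socket — including any container port Docker publishes — is reachable from whatever network the VM is attached to. Unless an upstream security group or hypervisor filter exists that this repo does not show, keep the firewall on and open only what is needed: `firewall = { enable = true; allowedTCPPorts = [ 22 ]; };` (drop the port list if the `tnix` openssh module already opens 22, which is not visible here). Separately, `tnix.boot.impermanence.home.directories` persists only user state, while `tux-password` is marked `neededForUsers = true`, meaning the sops/age decryption key is needed very early in activation; that key has to survive the root wipe, and since nothing in this hunk persists `/etc/ssh` or `/var/lib/sops-nix`, a comment such as `# host age/ssh key persisted by the imported boot module` (or the missing directory entry, if it is not) would save the next reader from discovering this on first reboot.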
+++ b/modules/hosts/alpha/disko.nix
@@ -0,0 +1,82 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.alpha =
+ { config, lib, ... }:
+ let
+ hasOptinPersistence = config.tnix.boot.impermanence.enable;
+ isLegacy = config.tnix.boot.legacy.enable;
+ in
+ {
+ imports = [
+ inputs.disko.nixosModules.disko
+ ];
+
+ disko.devices.disk.primary = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ "umask=0077"
+ ];
+ };
+ };
+ root = {
+ size = "100%";
+ type = "8300";
+ content = {
+ type = "btrfs";
+ # Base subvolumes that always exist
+ subvolumes = {
+ "/root" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ ];
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "noacl"
+ "space_cache=v2"
+ ];
+ mountpoint = "/nix";
+ };
+ }
+ # Conditionally merge /persist only when impermanence is enabled
+ // lib.optionalAttrs hasOptinPersistence {
+ "/persist" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ ];
+ mountpoint = "/persist";
+ };
+ };
+ };
+ };
+ }
+ // lib.optionalAttrs isLegacy {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/alpha/home.nix b/modules/hosts/alpha/home.nix
new file mode 100644
index 0000000..c306937
--- /dev/null
+++ b/modules/hosts/alpha/home.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ flake.modules.homeManager.alpha = {
+ home.stateVersion = "26.05";
+ };
+}
diff --git a/modules/hosts/alpha/secrets.yaml b/modules/hosts/alpha/secrets.yaml
new file mode 100644
index 0000000..c99baae
--- /dev/null
+++ b/modules/hosts/alpha/secrets.yaml
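Review bot: `device = "/dev/sda";` hard-codes the disk that disko will repartition and format, and this host imports `profiles/qemu-guest.nix` (config.nix in the same patch), where a virtio disk normally shows up as `/dev/vda` rather than `/dev/sda`; if the name is wrong at install time the run either fails or, worse, wipes whichever device happens to carry that name. Prefer a stable `/dev/disk/by-id/...` or `/dev/disk/by-path/...` path, or at minimum add `# Install target — the whole disk is wiped; confirm with lsblk before running disko` above the line. Note also that neither the `/root` nor the `/persist` subvolume sits on a LUKS layer, so the age private key that decrypts secrets.yaml rests unencrypted on the disk; that may be an acceptable trade-off for a hosted VM, but it is worth recording as a deliberate choice in a comment next to the `root` partition rather than leaving it implicit.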
@@ -0,0 +1,28 @@ +tux-password: ENC[AES256_GCM,data:tvx3nMoIuQSotxHDWLs7UesnyWY3u3EwkqAIzCw3Z2AJseaiqnt/xeSKAeUXPVSs85rVdIJ6Ys5+6r+NONEG7ujuNevpjJRNkQ==,iv:CB0BIrMfdiWiMCvmRdtsafh3dCAD5Qb3mOuE7eq4nA4=,tag:p/3AESwNCEL4EoU9rJjUPw==,type:str] +gemini-api-key: ENC[AES256_GCM,data:Bo3Z5Jhce0UOBn77I2AcrXYbBgPLDx0eOjPC8J63E/VWNhMPbbxb,iv:iWOsTACOMcK3oqq848WnJ5Ku3tYy1aadmLB4IMgoyqg=,tag:BPzlXoP8/iJaj8c/YFCWyg==,type:str] +openrouter-api-key: ENC[AES256_GCM,data:D+/ImUTg7UvBTh0fMlWMZ0O/GsQS/R4Hz+CO4l42R6mn+zk+udvw79BctXdWWyrFf2ZNOTJ/99QTtWOUOvHISWaEJogXyb+93g==,iv:c7OtgBu1Zaf7lA4InIsKOAPbAvTl3gaO7QGCFNx21Bo=,tag:KXiASj/qC1YzK6DUox57ug==,type:str] +opencode-go-api-key: ENC[AES256_GCM,data:ipKkNcRqBERIQ6f6yFzVm999s+UwJys4elHWhzpL441RfOaG9MmRWMcD+wRLJ7DSWFjYu6uUPF7TKez8J6abWeKDgg==,iv:FDSYE3R8zKVxWiP2S/sCVcwEu3fEXg/hCeqCRSF+c6g=,tag:5RDuMFGMoN6xwAYj0HiyjQ==,type:str] +sops: + age: + - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR0kzRXBGRjJaVldDRk90 + KzYwSzJBeXBnNVZ0T2VaU2oyLzdRWmo5ZzNVCk9HTDVtMk8xL1cwL2FSRUR5UGdS + bXJnOXhTbWozWm5rd2pnaFNoWk0rWncKLS0tIGFWWmY2WU9YanJ5UElab3lqaXNo + QUhYUWs4bitJaGpXL200b0s0SmVIeVUKevQ1IVqmqGIYf014iL47C02+peSYJyeE + PNluZUA6VzrL2WpdJzDqxAwSWtcgXG0/JADIg+DssnhftiHMHzn3NQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mzxxxzhy3us3rd960ufqv7vlxj5cnug86md6x69llg9ujzw2pqws057llf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL1VPODRnNEs2bXlUVjB5 + Z0pBUzBnRDQ0WWcvL2IvUHdmQXUxNjRpTVN3Ck9VLzd2QWpMMlFJck1EQXBVanl0 + SC91bDFqNFlJZ2E0UXVZa3BKRjh3TlkKLS0tIENuc1dUZ1dDUTg2VXBueU1ETG9S + c095blJheHhVT0E4bjdGUWlYN0N4MVUKK42sChX4V37HK1SRKQxldLpft2jVfeiG + 4TkObqH8ddGpbd7cX5a/wboTjYuEdAviWxjK2oBPgtcFc1f03X3tmA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-05-09T23:31:25Z" + mac: 
ENC[AES256_GCM,data:3WwKQZl3gAwJZO+R5gFM2vW7PrPKbiK3xKCu/SrLyC/Uxfi/0gTkKHpv2WRMMDVwXNIRMjFJ2VBOTeWUbPrYrqqR0zKf8PyLSOU3tFjia/Llg9Uo77iuZJHNWr+4AP8yAslxgTAqeS4MySi4gvO405oX0ZJdrxsfe3rQMJRzxl0=,iv:61xIfZZeN4NnwVe/k6MLsa0F2VDVbZvXAKvwTD42ID8=,tag:8xoI7Kd4P5osEhJDI1LldQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2