From 8bca900c9863775a34d101bf6468b07f11f2557b Mon Sep 17 00:00:00 2001
From: tux
Date: Tue, 12 May 2026 12:18:59 +0530
Subject: [PATCH] feat(canopus): add canopus host
---
 .sops.yaml | 6 ++
 modules/hosts/canopus/config.nix | 145 +++++++++++++++++++++++++++++
 modules/hosts/canopus/default.nix | 23 +++++
 modules/hosts/canopus/disko.nix | 82 ++++++++++++++++
 modules/hosts/canopus/hardware.nix | 32 +++++++
 modules/hosts/canopus/home.nix | 20 ++++
 modules/hosts/canopus/secrets.yaml | 30 ++++++
 7 files changed, 338 insertions(+)
 create mode 100644 modules/hosts/canopus/config.nix
 create mode 100644 modules/hosts/canopus/default.nix
 create mode 100644 modules/hosts/canopus/disko.nix
 create mode 100644 modules/hosts/canopus/hardware.nix
 create mode 100644 modules/hosts/canopus/home.nix
 create mode 100644 modules/hosts/canopus/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 234b525..4f904da 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &hosts
 - &sirius age1maxsx5tq2h3d92rfyl8ekcdan5gu5cpch4qs3c56cu7qag02xgvs3h0gqc
+ - &canopus age1x36yr8h993srfj29sfpzt4wyz52nztvncpmhgmfs0j26qvfecq3qvcm0an
 - &arcturus age1huqa3hc7wcxk4dpelrzny437nzrx4fnll3d8g9ahznzk268yju5qufapxy
 - &alpha age1mzxxxzhy3us3rd960ufqv7vlxj5cnug86md6x69llg9ujzw2pqws057llf
@@ -13,6 +14,11 @@ creation_rules:
 - age:
 - *tux
 - *sirius
+ - path_regex: hosts/canopus/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *canopus
 - path_regex: hosts/arcturus/secrets.yaml$
 key_groups:
 - age:
diff --git a/modules/hosts/canopus/config.nix b/modules/hosts/canopus/config.nix
new file mode 100644
index 0000000..5b0bfd7
--- /dev/null
+++ b/modules/hosts/canopus/config.nix
@@ -0,0 +1,145 @@
+{ config, ... }:
+{
+ flake.modules.nixos.canopus =
+ {
+ pkgs,
+ hostName,
+ userName,
+ ...
+ }:
+ {
+ imports = with config.flake.modules.nixos; [
+ boot
+ hardware
+ networking
+ desktop
+ gaming
+ virtualisation
+ ];
+
+ tnix = {
+ boot = {
+ secure-boot.enable = true;
+
+ impermanence = {
+ enable = true;
+
+ home = {
+ directories = [
+ ".steam"
+ ".cache/awww"
+ ".config/BraveSoftware"
+ ".config/zed"
+ ".config/Vencord"
+ ".config/vesktop"
+ ".config/sops"
+ ".config/obs-studio"
+ ".config/easyeffects"
+ ".config/DankMaterialShell"
+ ".local/share/Steam"
+ ".local/share/nvim"
+ ".local/share/opencode"
+ ".local/share/zsh"
+ ".local/share/zoxide"
+ ".local/state/lazygit"
+ ".local/share/vicinae"
+ ".local/share/TelegramDesktop"
+ ];
+
+ files = [
+ ".wakatime.cfg"
+ ];
+ };
+ };
+ };
+
+ networking = {
+ openssh.enable = true;
+ netbird-client.enable = true;
+ };
+
+ virtualisation = {
+ docker.enable = true;
+ docker.nvidia.enable = false;
+ qemu.enable = true;
+ waydroid.enable = true;
+ distrobox.enable = true;
+ };
+ };
+
+ sops.secrets = {
+ tux-password = {
+ sopsFile = ./secrets.yaml;
+ neededForUsers = true;
+ };
+
+ gemini-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ openrouter-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ opencode-go-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ netbird-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ vicinae-json = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+ };
+
+ # --- Networking ---
+ networking = {
+ hostName = hostName;
+ networkmanager = {
+ enable = true;
+ wifi.backend = "iwd";
+ };
+ wireless.iwd = {
+ enable = true;
+ settings = {
+ Network = {
+ EnableIPv6 = true;
+ };
+ Settings = {
+ AutoConnect = true;
+ };
+ };
+ };
+ firewall.enable = false;
+ };
+
+ # --- Hardware / GPU ---
+ # hardware = {
+ # nvidia = {
+ # modesetting.enable = true;
+ # open = false;
+ # nvidiaSettings = true;
+ # };
+ # };
+ # boot.kernelParams = [ "nvidia-drm.modeset=1" ];
+ # nixpkgs.config.cudaSupport = true;
+ # services.xserver.videoDrivers = [ "nvidia" ];
+
+ environment.systemPackages = with pkgs; [
+ nvtopPackages.full
+ davinci-resolve
+ telegram-desktop
+ ];
+
+ # !!! DO NOT CHANGE THIS !!!
+ # This should match the version used at initial install.
+ system.stateVersion = "26.05";
+ };
+}
diff --git a/modules/hosts/canopus/default.nix b/modules/hosts/canopus/default.nix
new file mode 100644
index 0000000..03a73fc
--- /dev/null
+++ b/modules/hosts/canopus/default.nix
@@ -0,0 +1,23 @@
+{
+ inputs,
+ config,
+ ...
+}:
+let
+ hostName = "canopus";
+ userName = "tux";
+ userEmail = "t@tux.rs";
+ system = "x86_64-linux";
+ unstable = true;
+ nixpkgs = if unstable then inputs.nixpkgs else inputs.nixpkgs-stable;
+in
+{
+ flake.nixosConfigurations."${hostName}" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit hostName userName userEmail; };
+ modules = [
+ config.flake.modules.nixos.core
+ config.flake.modules.nixos.${hostName}
+ ];
+ };
+}
diff --git a/modules/hosts/canopus/disko.nix b/modules/hosts/canopus/disko.nix
new file mode 100644
index 0000000..ea9e61b
--- /dev/null
+++ b/modules/hosts/canopus/disko.nix
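Review bot: `firewall.enable = false;` at the end of the `networking` block switches the NixOS firewall off on a host that, in the same hunk, enables `openssh`, Docker, QEMU, Waydroid and an iwd profile with `AutoConnect = true`, so sshd and anything a container or VM publishes become reachable from every Wi-Fi network this machine joins. Unless the imported `networking`/`netbird-client` modules (not part of this diff) re-enable it, I would keep the firewall on and open ports deliberately: `firewall.enable = true;` together with either `firewall.allowedTCPPorts = [ 22 ];` or, preferably, `firewall.trustedInterfaces = [ "wt0" ];` so SSH is only reachable over the NetBird tunnel (confirm the tunnel interface name the tnix netbird module configures). Docker installs its own iptables rules regardless of this option, so disabling the firewall does not help container networking. If turning it off was intentional, a one-line comment such as `# firewall disabled: <reason>` would stop the next reader from "fixing" it. Separately, `.config/sops` is persisted under the user's home; if that holds the user's age identity, note that disko.nix in this patch puts it on an unencrypted partition.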
@@ -0,0 +1,82 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.canopus =
+ { config, lib, ... }:
+ let
+ hasOptinPersistence = config.tnix.boot.impermanence.enable;
+ in
+ {
+ imports = [
+ inputs.disko.nixosModules.disko
+ ];
+
+ disko.devices.disk.primary = {
+ device = "/dev/nvme0n1";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ "umask=0077"
+ ];
+ };
+ };
+ swap = {
+ size = "32G";
+ content = {
+ type = "swap";
+ discardPolicy = "both";
+ resumeDevice = true;
+ };
+ };
+ root = {
+ size = "100%";
+ type = "8300";
+ content = {
+ type = "btrfs";
+ # Base subvolumes that always exist
+ subvolumes = {
+ "/root" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ ];
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "noacl"
+ "space_cache=v2"
+ ];
+ mountpoint = "/nix";
+ };
+ }
+ # Conditionally merge /persist only when impermanence is enabled
+ // lib.optionalAttrs hasOptinPersistence {
+ "/persist" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ ];
+ mountpoint = "/persist";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/canopus/hardware.nix b/modules/hosts/canopus/hardware.nix
new file mode 100644
index 0000000..f69252d
--- /dev/null
+++ b/modules/hosts/canopus/hardware.nix
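Review bot: None of the data partitions is encrypted: the `swap` content and the btrfs `content` of `root` (and therefore `/persist` when impermanence is on) sit directly on the GPT partitions, while config.nix in this patch decrypts sops-nix secrets (`tux-password`, API keys, `netbird-key`) with a key that lives on this same disk and persists `.config/sops` in the user's home. Anyone who removes the NVMe reads the host's age identity and with it every secret in secrets.yaml, and because `resumeDevice = true` the hibernation image in plain swap holds whatever was in RAM, decrypted secrets included; `secure-boot.enable = true` protects the boot chain, not data at rest. I would wrap both `swap` and `root` in disko's `luks` type (disko registers the devices in `boot.initrd.luks.devices`; a TPM2 or shared-passphrase enrolment keeps boot unattended) and check that resume-from-hibernate still works with the encrypted swap. The subvolume layout below the LUKS layer is unchanged.

```nix
swap = {
  size = "32G";
  content = {
    type = "luks";
    name = "cryptswap";
    content = {
      type = "swap";
      discardPolicy = "both";
      resumeDevice = true;
    };
  };
};
root = {
  size = "100%";
  type = "8300";
  content = {
    type = "luks";
    name = "cryptroot";
    # settings.allowDiscards = true;  # optional: passes TRIM through dm-crypt, leaks block-usage pattern
    content = {
      type = "btrfs";
      # … unchanged: subvolumes "/root", "/nix" and the optional "/persist" …
    };
  };
};
```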
@@ -0,0 +1,32 @@
+{
+ flake.modules.nixos.canopus =
+ {
+ config,
+ lib,
+ ...
+ }:
+ {
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp10s0f3u2i2.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/modules/hosts/canopus/home.nix b/modules/hosts/canopus/home.nix
new file mode 100644
index 0000000..71f1e2c
--- /dev/null
+++ b/modules/hosts/canopus/home.nix
@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+ flake.modules.homeManager.canopus = {
+ imports = with config.flake.modules.homeManager; [
+ desktop
+ ];
+
+ tnix.services.lan-mouse = {
+ enable = true;
+ settings = {
+ authorized_fingerprints = {
+ "f4:4b:17:61:f7:01:a4:a2:e1:c7:8c:1c:7a:f3:8b:87:14:3d:05:3d:a0:8b:cc:e7:88:d8:d8:d2:a4:c2:75:8b" =
+ "sirius";
+ };
+ };
+ };
+
+ home.stateVersion = "26.05";
+ };
+}
diff --git a/modules/hosts/canopus/secrets.yaml b/modules/hosts/canopus/secrets.yaml
new file mode 100644
index 0000000..8877a0a
--- /dev/null
+++ b/modules/hosts/canopus/secrets.yaml
@@ -0,0 +1,30 @@ +tux-password: ENC[AES256_GCM,data:Xb4/JMAZCBnBheDCJdRRGXLnMJ1ej8HbN+AUqA/+2sdYESKeF1PFny4Iq2kqvzdK4D3mp+pdjd7GAGfJp4M7sOcvI3V/coyxPQ==,iv:h+S+MEwHj22uHaTzFoxGZtefNUAQNp3fbU+QRfgtKvQ=,tag:VHrIEIQivPFTfhmm7dWEyQ==,type:str] +gemini-api-key: ENC[AES256_GCM,data:Q6+actg0oyUWiUJVy/9yZmea1QyGu2o8LfMsuAVFD6k7kp0dYIrl,iv:ukyouqrHxzVpBBE98KL6PW8P3j+seemm/e0Gl1urUcM=,tag:Z7MM3dJ414CmdxE72cdzNA==,type:str] +openrouter-api-key: ENC[AES256_GCM,data:SalhWKR6artX/kOVKZGpKSmrgsQDU/heshrdkK3wotOZ3BRn/ZqZRBldvl1JPSenMAMvE2LWUdmBQmwG/id7L7JL1O/+lUHIQw==,iv:hLlHayFJgUkWOirVLfqP0pGRBZAqGKe+EE2yG1ELGNk=,tag:0qoo0tb+xWjjQXr4n1qGmw==,type:str] +opencode-go-api-key: ENC[AES256_GCM,data:zbeTcaXJZFVfYnM/7sgblJFU9WfeosX/44KsXvrzKwiLPfGLLYYo9AFaCvWzzG6jHuSZC5OYrBWfOZv4+3omfCgglQ==,iv:LscUQE+PNhXGim9PSqc9nZIZichWSgAn/zsNxQ/HM/o=,tag:MaBCobnRM42fopiibibe5Q==,type:str] +netbird-key: ENC[AES256_GCM,data:swmaa+RjxeUmEl8hS2riGrW4lP5jdks9HM3x57/FLpOuqFtR,iv:MrpVjiocrPi+dBGPk7pwgSUNlJ1eryRpMjC8+jkU+T0=,tag:j6sqpQ02apqc6FwkdDvk9g==,type:str] +vicinae-json: ENC[AES256_GCM,data:FarBf6l8pl3hF7kGKPIWztUhwiKoQXmyTufCuJ120K/bPh1Bfiyi+ETt4DLYOGI6FJXfpVz4BbZOA29bXTLhVPxH0QtyBu/F5uEqA015b/c8VevDJSyy9huR13qO9ksLbMBt8RfWbAd9j26t7A1C8/mMyiJOEXCCTV9CEIW3xWrsYmhwsT8RYM+PwrPSeN1gQXHSMyRUjf/kOdJoda8+iXpLfjo4II4r2ELpbqi8QxhrRdsJsoOfAymFM784NtlTjE+h6S4TMehmoF/9ARif6I5SGQ0WfIKt/8orTGCPllL+NupLziSnpIGRGSybdArD+o5NCw59GOAbVRADxq8rCESwEkq3cF+hm8HabfYbiQ==,iv:Y/hXLFTJT3gNF3B6tgKoAh7njVuneoUzjVTlsCZiySw=,tag:2hfrwph6IccJdRu/yGu3XA==,type:str] +sops: + age: + - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqS2RZdVJaNTlRamZPMkll + MDRVSVl1b2x2LzZpdlBrdmZtdyt3UE15RldRCldXUXE2a1BFeHg5NGNPbW5IMDht + cHN1QituOU9uWFQwNS9udzNEbVhtUjQKLS0tIEtkTXhlYS9XSUlQRTY1eXBjeXZQ + bThQTFdZU29ISm93TWcwVk5ZTkhRWm8KCcprmLGhahgDkXCBpzjctHgao+gc+rKC + xLIwheUyFJOGK+ixqcdoZ/PC0kY68hVLt1YzLAyxFi4Ur1wltPrNug== + 
-----END AGE ENCRYPTED FILE----- + - recipient: age1x36yr8h993srfj29sfpzt4wyz52nztvncpmhgmfs0j26qvfecq3qvcm0an + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVW13WFE1Ylh3Uk1HNU1i + bU9kRzFqTmhkQlRzMlRkM0VhMlNmMDUyK25NCkZYUStxM2tScGozRXJGekxGa1RX + b1VXK0Y2Z1U0YU9XRmxRUWdWem50L1EKLS0tIFovcHRlZ1JJd2lRN0RFbHdCdm9m + V1N3eUVjZ0VZRjBZdXRPNng3Y3JoUTAKQau9CG9XfvM+5JZVRwaJr/o/sXMaJiy2 + wo2YcDb+4vfT4Wr+/8J3ccQgbLRZH916X5ZPL+A+nFyVXVKOCl3ENg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-05-12T06:33:00Z" + mac: ENC[AES256_GCM,data:htDJdEx34Q5NG8vwbBimnFENZawbLZ4FC0DkyG6J5RYP0BFnycKcKGsYR87SvIjcJZXvfZ0e6fXdtc78dd6I0sQtrQ7aNn4Iktbu/AkPmntsBwpIjVI99X9zUyQB87go/oX15yuyt8loB6ds2RkL/pfFsgLbFc10JHsBy+WcEzI=,iv:HvY+5LYzyHpRm8XCSKrN8ra/LJT9v23TPSsZg/4QVNU=,tag:k+d45+zgBYq4vlWmmc8ZkQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2